Upload
dinhkhanh
View
223
Download
3
Embed Size (px)
Citation preview
_________________________________________________________ Table of Contents 1
A GLOBAL SUMMARYOF THE
COMMON BODYOF KNOWLEDGE 2006
Principal ResearchersPriscilla A. Burnaby, PhD, CPA
Susan Hass, CPAMohammad J. Abdolmohammadi, DBA, CPA
Rob Melville, PhD, MIIA, FIIAMarco Allegrini, PhD, CPA
Giuseppe D’Onza, PhDLeen Paape, PhD, RA, RO, CIA
Gerrit Sarens, PhDMarinda M. Marais, M Com Auditing, CIA
Elmarie Sadler, DCompt CAHoudini Fourie, M Tech: Internal Auditing
Barry J. Cooper, PhDPhilomena Leung, PhD
William L. Taylor, CPA, CGFMChairman, CBOK Steering Committee
2 CGAP Examination Study Guide ___________________________________________
DisclosureCopyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 MaitlandAvenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United Statesof America. No part of this publication may be reproduced, stored in a retrieval system, or transmittedin any form by any means — electronic, mechanical, photocopying, recording, or otherwise —without prior written permission of the publisher.
The IIARF publishes this document for informational and educational purposes. This document isintended to provide information, but is not a substitute for legal or accounting advice. The IIARFdoes not provide such advice and makes no warranty as to any legal or accounting results throughits publication of this document. When legal or accounting issues arise, professional assistanceshould be sought and retained.
The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprisesthe full range of existing and developing practice guidance for the profession. The IPPF providesguidance to internal auditors globally and paves the way to world-class internal auditing.
The mission of The IIA Research Foundation (IIARF) is to be the global leader in sponsoring,disseminating, and promoting research and knowledge resources to enhance the development andeffectiveness of the internal auditing profession.
ISBN 978-0-89413-611-507538 12/07First Printing
________________________________________________________________ Contents iii
The Institute of Internal Auditors Research Foundation
CONTENTS
Acknowledgments ........................................................................................................................ ix
Chapter 1: Introduction ............................................................................................................. 1CBOK 2006 ............................................................................................................................ 1Overview ................................................................................................................................. 1CBOK 2006 - Benefits to the Profession ............................................................................... 3Prior IIA CBOK Studies ......................................................................................................... 4Project Teams ......................................................................................................................... 5CBOK 2006 Questionnaires .................................................................................................... 6Clustering for Groups ............................................................................................................ 10Appendix 1-A: Glossary of Terms Sent with CBOK 2006 Questionnaires .......................... 12Appendix 1-B: Clustering of Groups and Number of Responses .......................................... 19
Chapter 2: A Worldwide Picture of the Internal Audit Activity ......................................... 25Introduction ........................................................................................................................... 25Survey Demographics Summary ........................................................................................... 26Compliance with Internal Auditing Standards ...................................................................... 29Staffing and Professional Development ................................................................................ 43Internal Auditor Skills ............................................................................................................ 44Internal Auditor Competencies and Knowledge Areas ......................................................... 48Emerging Roles of the Internal Audit Activity ....................................................................... 53Summary ............................................................................................................................... 58
Chapter 3: Survey Demographics .......................................................................................... 61Introduction ........................................................................................................................... 61Staff Levels of Respondents ................................................................................................. 63IIA Membership .................................................................................................................... 64Age of the Respondents ........................................................................................................ 67Highest Level of Formal Education ....................................................................................... 70Professional Qualifications .................................................................................................... 76Areas of Professional Experience ......................................................................................... 80Years of Existence of IAA and Years of CAE Experience .................................................. 81Types of Organizations .......................................................................................................... 86Service Providers of Internal Audit Services ........................................................................ 89Age of Organizations ............................................................................................................ 90
iv A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Industry Classification(s) ....................................................................................................... 91Geographical Area Served by Organization .......................................................................... 96Appendix 3 ............................................................................................................................ 99
Chapter 4: The Professional Practices Framework .......................................................... 105Introduction ......................................................................................................................... 105CBOK 2006 Survey Questions Related to the Standards .................................................. 107Use of the Standards in Whole or in Part .......................................................................... 108Compliance with the Standards ...........................................................................................110Adequacy of the Guidance Provided by the Standards .......................................................115Use of and Adequacy of the Guidance Provided by the Practice Advisories ...................... 118Reasons for Not Complying with the Standards ................................................................ 121Quality Assurance and Improvement Program ................................................................... 128Compliance with The IIA’s Code of Ethics ......................................................................... 146Appendix 4-A: The IIA’s Standards, Practice Advisories, and
Glossary to the Standards as of September 2006 ........................................................ 147Appendix 4-B ...................................................................................................................... 165
Chapter 5: Current Status of the Internal Audit Activity ................................................. 183Introduction ......................................................................................................................... 183The IAA’s Relationship within the Organization ................................................................. 184Relationship with the Audit Committee ............................................................................... 191External Relationships - Legislation Affecting Internal Auditing ......................................... 192Organizations’ and CAEs’ Perceptions About the IAA ...................................................... 194Methods Used to Measure the Value Added by the IAA ................................................... 197Internal Audit Activity ......................................................................................................... 200Managing the Internal Audit Activity .................................................................................. 202Creating the Audit Plan ....................................................................................................... 204Allocation of IAAs’ Time .................................................................................................... 207Performing the Engagement - The Use of Tools ................................................................ 214Current Usage of Audit Tools and Techniques ................................................................... 216Predictive Changes in the Use of Audit Tools and Techniques
Over the Next Three Years .......................................................................................... 227Resolution of Major Differences ......................................................................................... 233Reporting of Findings .......................................................................................................... 235Monitoring Corrective Action .............................................................................................. 237Summary ............................................................................................................................. 239Appendix 5 .......................................................................................................................... 240
________________________________________________________________ Contents v
The Institute of Internal Auditors Research Foundation
Chapter 6: Staffing and Professional Development ........................................................... 251Introduction ......................................................................................................................... 251Staffing ................................................................................................................................ 252Service Providers ................................................................................................................ 259Continuing Professional Development ................................................................................. 266Summary ............................................................................................................................. 271Appendix 6 .......................................................................................................................... 272
Chapter 7: Internal Audit Skills ........................................................................................... 279Introduction ......................................................................................................................... 279Technical Skills .................................................................................................................... 281Behavioral Skills .................................................................................................................. 289Summary ............................................................................................................................. 299Appendix 7 .......................................................................................................................... 300
Chapter 8: Internal Auditor Competencies ........................................................................ 305Introduction ......................................................................................................................... 305Competencies ...................................................................................................................... 307Areas of Knowledge ........................................................................................................... 323Summary ............................................................................................................................. 331Appendix 8 .......................................................................................................................... 332
Chapter 9: Emerging Roles of Internal Audit Activities .................................................. 339Introduction ......................................................................................................................... 339Years That the IAA and Organizations Have Existed ........................................................ 340Changing Emphasis on Types of Audits .............................................................................. 344Emerging Roles in Organizations’ Activities ........................................................................ 346Organizational Environment and Key Activities of the IAA ............................................... 352Summary ............................................................................................................................. 357
Chapter 10: Research Method and Literature Review ................................................... 359Research Method ................................................................................................................ 359
Project Teams ............................................................................................................... 359Pilot Test and Literature Review .................................................................................. 361CBOK 2006 Questionnaires ......................................................................................... 363Clustering for Groups .................................................................................................... 364
vi A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Literature Review ............................................................................................................... 367Introduction ................................................................................................................... 367Prior IIA CBOK Studies .............................................................................................. 367North American Literature Review on Internal Auditing ............................................. 372
Summary ............................................................................................................................. 379Asia Pacific Literature Review on Internal Auditing .......................................................... 380European Literature Review on Internal Auditing ............................................................... 390South African Literature Review on Internal Auditing ........................................................ 398Appendix 10-A: Pre-scope Questionnaire for CBOK ........................................................ 406Appendix 10-B: Topical Areas That Are Addressed in Past and Current
IIA CBOK Studies ....................................................................................................... 418Appendix 10-C: CBOK 2006 CAE and Practitioner Questionnaire ................................... 421
The William G. Bishop III, CIA, Memorial Fund Contributors .................................................. 455The IIA Research Foundation Chairman’s Circle ..................................................................... 458The IIA Research Foundation Board of Trustees ..................................................................... 459The IIA Research Foundation Board of Research and Education Advisors ............................ 460
_________________________________________________________ Table of Contents 7
The Institute of Internal Auditors Research Foundation
DEDICATION
This research is dedicated to the memory ofWilliam G. Bishop III, CIA
William G. Bishop III, CIA, served as president of The Institute of Internal Auditors (IIA) fromSeptember 1992 until his untimely death in March 2004. With a motto of “I’m proud to be aninternal auditor,” he strived to make internal auditing a truly global profession. He was the drivingforce behind the rapid growth of The IIA to over 120,000 members in approximately 100 countries.Bill Bishop advocated quality research for the enhancement of the stature and practice of internalauditing. To help enhance the future of this profession, it is vital for the profession to document theevolution of the similarities and differences in the Common Body of Knowledge (CBOK) of internalauditing worldwide.
8 A Global Summary of the Common Body of Knowledge 2006 — Preview Edition ______
The Institute of Internal Auditors Research Foundation
_________________________________________________________ Acknowledgments ix
The Institute of Internal Auditors Research Foundation
ACKNOWLEDGMENTS
With a project of this magnitude and importance, there are literally thousands of people who havecontributed to the successful completion of the Common Body of Knowledge (CBOK) 2006 researchreport. I would like to start by thanking William Taylor, chair of the CBOK Steering Committee,who was the heart of the project. His goal was to make sure that this report honored the memoryof William G. Bishop III, CIA, past president of The Institute of Internal Auditors (IIA) who wasthe driving force behind the rapid growth of The IIA to over 120,000 members in approximately100 countries. At The IIA, the entire staff provided guidance and input. Special thanks to JeffreySwerdlow, PMP, chair of the CBOK Oversight Committee and the director of project managementfor The IIA Research Foundation. He worked tirelessly to keep the project on time and performednumerous duties such as monitoring the translations of the questionnaires into 16 additional languages,keeping all of us on track, and coordinating the many needs and demands of those involved at TheIIA and on the research teams. It is a true tribute to his skills that this expansive project wascompleted on time with such a quality product. Two other key people on The IIA staff that I wouldlike to recognize are Donna Batten, director of Global Audit Information Network (GAIN), andSylvia Boyd, director of affiliate relations. Both were instrumental in the success of the project. Iwould also like to thank all the IIA members who participated by completing the pilot study, thequestionnaires, and editing the text.
Team Americas was truly blessed with four wonderful graduate research assistants. On the firstphase of the project, Lisa Hsi was instrumental with the literature review, development of thequestionnaires, and creation of a database for the affiliates. After Lisa graduated, we were fortunateto hire Diana Tien. She helped with data cleansing, completing the report for the affiliates, andtransferring the data into tables. Yi Zhou worked on the tables and the editing process to make surethat all the references and numbers were correct in the text. On the final phase of writing thereport, Shubin Liang converted tables into figures. From Bentley’s Academic Technology Center,Maria Skaletsky and Gaurav Shah helped with the many software packages needed to completethis product.
The cooperation and sharing among the three research teams made this project a truly collaborativeeffort. On the two occasions when we had summits, we all agreed it was extremely exciting andexhilarating to have so many professors who selected internal auditing as their primary field ofteaching and research together in one room. As team coordinators, Barry Cooper and Rob Melvilledid a great job getting participants for the pilot study and working with local affiliates. All themembers of both teams made significant contributions to the research project.
x A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
I saved the members of my team to thank last. Both Mohammad (Ali) Abdolmohammadi andSusan Hass made significant contributions to the planning and construction of the CBOK 2006. Alidid a hero’s job on the data cleansing and analysis. He worked tirelessly to provide data for thetables. Susan Hass and I did most of the work on the development of the questionnaires, datapresentation for the tables, writing many of the chapters, and editing the other teams’ contributionsto the final text. Each did an extraordinary job under a great deal of pressure. Audrey Gramling andRichard Cleary contributed in a consulting capacity.
This report owes its contents to thousands of IIA members all over the world, each of whomcontributed to The IIA’s Common Body of Knowledge 2006. Thank you all!
Priscilla A. Burnaby, PhD, CPAProfessor of AccountancyBentley CollegeWaltham, MA, USACoordinator of CBOK 2006
_________________________________________________________ Acknowledgments xi
The Institute of Internal Auditors Research Foundation
It has been my pleasure to be the chair of the CBOK Steering Committee and The William G.Bishop III, CIA, Memorial Fund from which this project was funded. As a former IIA chair of theboard, I recognize the importance of this project as we seek to further understand our profession,how it is practiced throughout the world, and how we will continue to add value to our organizationsin the future.
Completing this project has been a monumental accomplishment. We were fortunate to have atremendously talented group of IIA committees, volunteers, and IIA staff working with us. I wouldlike to personally thank several people and groups without whom this project would not have beenpossible.
The IIA Research Foundation Board of Trustees provided sound guidance and advice throughoutthe project. Their input, feedback, and suggestions ensured that the project lived up to its expectations.A special thank you goes to Roderick Winters, CIA, president of The Research Foundation andvice chair of The IIA Board. Rod provided a great deal of support to this project and truly establishedthe vision for what we accomplished.
The CBOK Steering Committee was an active participant throughout the project. This committeeprovided valuable guidance and overall direction to the project. I am proud that the Steering Committeeis comprised of individuals from throughout the world. Members of the Steering Committee areJackie Cain, Phil Tarling, Warren Hersch, Sri Ramamoorti, Urton Anderson, Louis Vaurs, ChrisMcRostie, Thijs Smit, Charity Prentice, and Jeffrey Swerdlow.
The Research Foundation’s Board of Research and Education Advisors (BREA) played a criticalrole throughout the project. This extremely dedicated committee is responsible for reviewing allproposals received and reviewing all research and educational products produced by The ResearchFoundation. Throughout the course of the project, BREA provided valuable opinions and helped toshape the format of the complete research report. Bob Foster has been the chair of BREA duringthis project and has contributed immensely to our success.
Considering the importance of this project, we wanted to ensure that we received a wide variety ofinput and feedback. To this end, we recruited almost 100 volunteers from all of The IIA’s internationalcommittees to review and provide feedback on the early first drafts of the complete researchreport. The reviewers provided us with candid and valuable feedback which helped shape thereport. To manage a review effort of this magnitude, six members of BREA graciously volunteeredtheir time to act as review team leaders. Thomas Clooney, Susan Driver, Don Espersen, DanGould, Raj Muthu Venkatachalam, and Mark Radde deserve special recognition for performingthis vital role.
xii A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Dominique Vincenti, CIA, chief advocacy officer of The IIA and executive director of The ResearchFoundation, dedicated a great deal of her time to the project. Dominique was able to bring herbackground as a CAE to the project. She provided feedback and leadership at all stages of theproject and her contribution was critical to its success.
Jeffrey Swerdlow, PMP, director of project management for The Research Foundation, was theprimary reason the project was completed on time and within budget. He proved that managingsuch an expansive project required participation from not only all worldwide affiliates and membersbut also the knowledge leaders of The IIA and staff. His overall plans and programs requiredparticipation from many interested groups and he performed in an exemplary manner, truly indicatingthat a project of this magnitude requires not only audit leaders, but a dedicated and professionalproject manager.
I would be remiss if I did not thank each and every person and organization that donated to TheWilliam G. Bishop III, CIA, Memorial Fund. This fund underwrote the cost of CBOK 2006. Thanksto the generous donations we received, CBOK was funded to ensure a top quality result.
William L. Taylor, CPA, CGFMFormer IIA Chair of the BoardMcLean, Virginia, U.S.A.CBOK Steering Committee Chair
_____________________________________________________ Chapter 1: Introduction 1
The Institute of Internal Auditors Research Foundation
CHAPTER 1INTRODUCTION
CBOK 2006
The Common Body of Knowledge (CBOK) 2006 study is part of an ongoing global researchprogram funded by The Institute of Internal Auditors Research Foundation (IIARF) to broaden theunderstanding of how internal auditing is practiced throughout the world. The overall purpose ofthe CBOK 2006 project is to develop the most comprehensive database ever to capture a currentview of the global state of the internal audit profession. The database contains information aboutcompliance with The Institute of Internal Auditors’ (IIA) International Standards for theProfessional Practice of Internal Auditing (Standards), the state of the internal audit activity(IAA), staffing, skills, competencies, and the emerging roles of the IAA. Some information wascollected about the influences of cultural and legal factors about the development and practice ofinternal auditing around the world. The objective is to establish a baseline for comparison when theCBOK study is repeated in the future. The database will be updated to understand the evolution ofglobal internal audit practices. Future studies will build upon this baseline, allowing for comparison,analysis, and trending.
Overview1
The objectives of this chapter are to introduce CBOK 2006, provide a brief overview of pastCBOK studies, review actions taken to perform the study, and to explain how the groupings ofchapters and affiliates were determined. Within the United States and Canada, local groups of TheIIA’s members are called chapters. Affiliates are independent organizations outside North Americathat provide services to members in their geographic locations. IIA affiliates are now referred toas “chapters and institutes.” This change officially took place after the CBOK 2006 survey wasconducted. It was approved by The IIA’s Board of Directors on July 14, 2007, for implementationon January 1, 2008. For this reason, the use of “affiliates” is maintained throughout the CBOK2006 report.
1The CBOK review and the Team America’s literature review were published in a special CBOK 2006 issue ofManagerial Auditing Journal (MAJ), Volume 21, Issue 8, in October 2006. With permission from the publisher ofMAJ, this section uses portions of the following article: Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “Areview of prior common body of knowledge (CBOK) studies in internal auditing and an overview of the global CBOK2006,” Managerial Auditing Journal 21 (8), 2006, pp. 811-821. Hass, S., M.J. Abdolmohammadi, and P.A. Burnaby,“The Americas literature review on internal auditing,” Managerial Auditing Journal 21 (8), 2006, pp. 835-844.
2 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
At the core of the CBOK 2006 study were three surveys sent to internal auditors worldwide togather information concerning how they comply with the Standards, how their IAAs function, andemerging roles of the IAA. One survey was sent to chief audit executives (CAEs), another to allother levels of internal auditing Practitioners, and a third to the leadership of The IIA’s affiliates.Since the Standards were first promulgated, internal auditors have had the opportunity to applythem to create a high level of standardization resulting in best practices for internal auditorsworldwide. While the Standards provide a unifying mechanism for enhancing value and consistencyacross diverse legal and economic environments, research suggests that cultural, legal, and economicdifferences influence the practice of internal auditing in each country. The CBOK 2006 study hasproduced a body of data for the continuing study of the evolution of the global practice of internalauditing.
As discussed in The IIARF’s Competency Framework for Internal Auditing: An Overview,core competencies change over time (McIntosh, 1999). Some of the major factors influencingthese changes are the needs of organizations, technology, and the complexity of business transactionsand systems. CBOK 2006 adds to this body of literature and expands the scope by extending thepopulation surveyed to the entire international membership of The IIA. To include current practicesand explore emerging roles for the profession, CBOK 2006 added several topical areas that werenot included in prior CBOK studies. In Chapter 10, Appendix 10-B lists the topics studied in thecurrent and past CBOK studies. As described below in The IIA’s 1999 definition of internal auditing,CBOK 2006 uses the expanded scope of the IAA as the basis for its focus.
The IIA’s 1999 vision for the future task force recommended that the new Professional PracticesFramework should be “a more comprehensive and elastic framework.” Based on thisrecommendation, the task force provided the following definition of internal auditing which wasadopted by The IIA’s Board of Directors in June 1999:
Internal auditing is an independent, objective assurance and consulting activity designed toadd value and improve an organization’s operations. It helps an organization accomplish itsobjectives by bringing a systematic, disciplined approach to evaluate and improve theeffectiveness of risk management, control, and governance processes.
The expanded definition of internal auditing includes consulting activities and value-added servicesfor evaluation and improvement of the effectiveness of the risk management and governanceprocesses. Since the CBOK 2006 questionnaires were sent out in September 2006, all referencesto The IIA’s Standards are as of that date.
_____________________________________________________ Chapter 1: Introduction 3
The Institute of Internal Auditors Research Foundation
The expansion of the internal audit scope has necessitated that internal auditors continuously developnew skills and learn new audit tools and technologies. There is very little information about thecurrent state of skills, tools, and technologies used on engagements in existing internal auditingliterature. The CBOK 2006 database includes the skills, tools, and techniques respondents indicateare necessary for internal auditors currently, and in the future, to perform their jobs and enhanceaudit efficiency and effectiveness. It also identifies emerging roles that The IIA will need to addressin support of its members and the profession. The resulting CBOK 2006 database and researchreport can be used to improve the understanding of the current state of internal audit practices,anticipate the use of new skills, tools, and technologies, and promote the enhancement ofstandardization and performance of internal auditing worldwide.
Chapter 2 provides a brief summary of selected CBOK 2006 data. Chapters 3 through 9 providedetails of all the data collected in total from all respondents and by staff level and/or by groups asapplicable. Chapter 10 contains the process used to collect the data and a detailed literature reviewof previously published articles about internal auditing around the world.
CBOK 2006 - Benefits to the Profession
The Standards have three purposes: educating internal auditors about the role and responsibilitiesof internal auditing, providing a basis for measuring performance, and improving the practice ofinternal auditing. Internal auditing is performed in diverse economic and cultural environmentswithin organizations that vary in purpose, size, and structure. These differences affect compliancewith the Standards. CBOK 2006 identifies some of these diverse environments and groups culturallysimilar chapters and affiliates together. The groups’ usage of the Standards and the scope of theIAA are then compared.
The information gathered in CBOK 2006 can be useful in many different ways. For example, theresults of the study can be used as a resource, reference, or comparison mechanism by internalauditors and other stakeholders of the internal audit profession. Where there is a need for knowledgeand skills to be enhanced, the CBOK 2006 results can be used as a guide for The IIA to developcontinuing education materials so their members can acquire and then implement the appropriateknowledge and skills in their work.
CBOK results can also provide useful information when periodically updating the competencyframework. The IIA has expressed interest in conducting CBOK studies at regular intervals in thefuture to provide a mechanism for comparison and improvement. The CBOK 2006 results willcontribute to future internal audit Standards and practices as well as identify important newknowledge and skills to be included in the CIA exam. The results can also be utilized during anIAA’s self-assessment program and/or the completion of external quality assessments.
4 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Prior IIA CBOK Studies
The IIA has sponsored four prior CBOK studies. Table 1-1 compares the number of participatingcountries and usable questionnaire responses used in each CBOK study. While all prior CBOKstudies were only conducted in English, CBOK 2006 translated the questionnaires into 16 additionallanguages.
Table 1-1Comparison of CBOK’s Number of Countries
and Number of Respondents
CBOK Year Number of Number of UsableNumber Countries Respondents
I 1972 1 75II 1985 2 340III 1991 2 1,163IV 1999 21 136V 2006 91 9,366
CBOK 2006 is the first study that invited The IIA’s entire worldwide membership to participate.The participation of members from 91 countries and 9,366 usable respondents makes CBOK 2006the most comprehensive study in The IIA’s history.
_____________________________________________________ Chapter 1: Introduction 5
The Institute of Internal Auditors Research Foundation
Project Teams
The research team was comprised of three international teams that were selected from the responsesto the CBOK Request for Proposals. Based on the location of the selected research teams, theinternational affiliates and North American chapters were broken down into three broad geographicalareas. Table 1-2 lists the members of the three CBOK 2006 teams.
Table 1-2Research Teams
Teams General Areasof Responsibilities
Lead Team• Priscilla A. Burnaby (Bentley College, United States) - North, Central, and
Project Coordinator and Team Coordinator South America and• Susan Hass (Simmons College, United States) the Caribbean• Mohammad J. Abdolmohammadi (Bentley College,
United States)• Rob Melville (Cass Business School, United Kingdom) - Europe and Africa
Team Coordinator• Marco Allegrini and Giuseppe D’Onza
(University of Pisa, Italy)• Leen Paape (Erasmus University, Netherlands)• Gerrit Sarens (University of Ghent, Belgium)• Marinda M. Marais (University of South Africa)• Elmarie Sadler (University of South Africa)• Houdini Fourie (Tshwane University of
Technology, South Africa)• Barry J. Cooper (Deakin University, Australia) - Asia and Pacific
Team Coordinator• Philomena Leung (Deakin University, Australia)
6 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
CBOK 2006 Questionnaires
To gain an understanding of what had been published about internal auditing and to develop aninventory of questions to use as a basis for developing the global CBOK 2006 questionnaires, anextensive literature review was conducted. Each team prepared a literature review for their generalareas of responsibility. Based on this work, the teams then prepared a pilot study to poll membersabout the types of questions that should be included in the final survey. The three literature reviewsand the results of the pilot study can be found in the CBOK 2006 issue of Managerial AuditingJournal (MAJ), Volume 21, Issue 8, published in October 2006. A summary is included in Chapter10 of this research report. Based on the results of the pilot study, the survey questions were refinedand finalized. The CBOK Steering Committee decided that the surveys should take a respondentapproximately 40 minutes to complete. As a result, it was decided to create three CBOK 2006questionnaires:
1. Affiliates: The IIA is fortunate to have numerous affiliates around the world that provideservices to their geographic area in cooperation with The IIA headquarters. This questionnaireasked affiliate leaders questions about regulatory and cultural differences affecting the applicationof ethics and The IIA Standards in their area. One questionnaire was sent to each participatingaffiliate.
2. Chief Audit Executives (CAEs): The Standards define the CAE as the highest positionwithin the organization responsible for the internal audit activity (IAA). Data on the status ofthe IAA within the organization, application of the Standards, skills needed at each staff level,and emerging audit roles were collected from CAEs worldwide.
3. Practitioners: For purposes of this study, Practitioners are all other internal auditors who arenot CAEs. Data about the application of the Standards, how an audit is performed, skill setsneeded, and the emerging role of internal auditing were collected from internal auditorsworldwide.
The three detailed questionnaires developed by the CBOK 2006 teams were subjected to carefulscrutiny by The IIA CBOK 2006 Steering Committee. Once the final questions were selected, thequestionnaires were reviewed by a group of over 100 internal auditors worldwide to ensurecompleteness and validity. Based on their comments, the final questionnaires were developed inEnglish. The IIA translated them into 16 additional languages for the convenience of The IIAmembership (Arabic, Bulgarian, Czech, Simplified Chinese, Unsimplified Chinese, French, German,Indonesian, Italian, Japanese, Polish, Portuguese, Russian, Spanish, Swedish, and Turkish). Thecombined CAE and Practitioner questionnaires are in Appendix 10-C in Chapter 10.
_____________________________________________________ Chapter 1: Introduction 7
The Institute of Internal Auditors Research Foundation
In September 2006, using the survey software Perseus, the CAE and Practitioner questionnaireswere distributed electronically to members outside North America by participating internationalaffiliates and by IIA headquarters to members within North America. The questionnaire to affiliateleadership was distributed by The IIA in December 2006. The Glossary in Appendix 1-A wasprovided with the questionnaires so respondents could reference definitions of key terms andwords. This glossary is a combination of the glossary from The IIA’s Professional PracticesFramework dated January 2005 and other key words used in the questionnaires.
Number of Respondents
The total number of responses to the CAE and Practitioner questionnaires was 15,028. Afterconsultation with an independent statistical expert, responses were determined to be not useablefor reasons such as a blank reply or the respondent did not answer enough questions on importantsections such as the use and application of the Standards. Upon completion of this process, 9,366useable responses remained. This results in an overall 7.3% response from the 127,735 IIA membersas of September 30, 2006. Due to some affiliates not participating and some members who haveopted not to receive e-mail from The IIA, the invitation to participate in the survey was sent toapproximately 99,000 members resulting in an estimated 9.5% response rate.
Table 1-3 indicates the chapters (United States, Canada, and Caribbean) and affiliates (organizationsaround the world that serve their geographical area) listed on The IIA’s Web site as of September2006 and notes the number that participated in this study for each one. A total of 133 United Stateschapters, all of the Canadian chapters, and 7 of the Caribbean chapters had at least one memberwho participated in CBOK 2006. Eighty-three affiliates had at least one usable CAE or Practitionerresponse. Forty-six affiliate leaders returned the CBOK Affiliate questionnaire by the January 15,2007, cutoff date for data collection.
8 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 1-3Number of Participating Chapters and Affiliates
Area Number of 1 or More Usable Number ofChapters/Affiliates* Responses from Affiliates that
Chapters/Affiliates Returned CBOKAffiliate
Questionnaire
U.S.A. 143 133 Not ApplicableCanada 11 11 Not ApplicableCaribbean 9 7 Not Applicable
IIA Affiliates 94 83 46
*Tallied from The IIA’s Web site
The number of respondents answering a specific question will often differ from the 9,366 totalrespondents in this study. This is due to the following reasons:
• Not all of those that participated in the survey answered all the questions asked. Resultsare shown and discussed only for those respondents who answered a particular surveyquestion.
• Not all questions were asked of all respondents.o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).o Some questions were asked of both CAEs and Practitioners.
_____________________________________________________ Chapter 1: Introduction 9
The Institute of Internal Auditors Research Foundation
Below is a list of all the affiliates, the United States, Canada, and Caribbean chapters, from whichone or more usable responses were received. Please note that the individual chapters within theUnited States and Canada from which responses were received are not listed here.
AlgeriaArgentinaArubaAustraliaAustriaAzerbaijanBahamasBangladeshBarbadosBelgiumBermudaBoliviaBotswanaBrazilBulgariaCameroonCanadaChileChinaChinese TaiwanColombiaCongo-KinshasaCosta RicaCyprusCzech RepublicDenmarkDominican RepublicEcuadorEgyptEstoniaEthiopia
FinlandFranceGermanyGhanaGreeceGuatemalaHong Kong, ChinaIcelandIndiaIndonesiaIsraelItalyJamaicaJapanKenyaKoreaLatviaLebanonLithuaniaLuxembourgMalawiMalaysiaMexicoNetherlandsNew ZealandNicaraguaNigeriaNorwayOmanPakistan-IslamabadPakistan-Karachi
Pakistan-LahorePanamaParaguayPeruPhilippinesPolandPortugalPuerto RicoQatarRomaniaRussia-MoscowSingaporeSloveniaSouth AfricaSpainSri LankaSwedenSwitzerlandThailandTrinidad and TobagoTunisiaTurkeyUgandaUkraineUnited Arab EmiratesUnited Kingdom andIrelandUnited States of AmericaVenezuelaZambiaZimbabwe
10 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Clustering for Groups
As data was collected from numerous affiliates and chapters, a methodology was sought to combinethem into groups for the comparison of responses. Clustering literature was reviewed for plausibleways to combine affiliates and chapters by cultural classification. Hofstede (1980; 1983) introducedthis concept and proposed a number of dimensions to classify 50 countries into cultural clusters.Expanding on Hofstede’s work, House et al. (2004) classified 62 societies into various culturalclusters.
Since The IIA has affiliates in over 100 countries, the House et al. (2004) classification of 62societies was insufficient for complete classification of the CBOK 2006 participants. By usingadditional information from the Central Intelligence Agency World Fact Book (2006), language(s)spoken in the affiliate’s geographical area, geographical location, and discussions with The IIAstaff and leadership, the affiliates and chapters were classified into 12 groups. Respondents whodid not indicate membership in a specific affiliate or chapter were clustered into a 13th group thatwas included in statistical summaries for the aggregate results but not in discussions of affiliate orchapter cultural cluster group results. Appendix 1-B lists the 13 groups used for the discussion ofresponses for CBOK 2006. WHENEVER GROUPS ARE MENTIONED IN THE TEXT TODETERMINE WHICH CHAPTERS OR AFFILIATES ARE IN EACH GROUP, PLEASEREFER TO EITHER APPENDIX 1-B OR THE INSIDE BACK COVER OF THIS REPORT.
_____________________________________________________ Chapter 1: Introduction 11
The Institute of Internal Auditors Research Foundation
References
1. Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “A review of prior common body ofknowledge (CBOK) studies in internal auditing and an overview of the global CBOK 2006,”Managerial Auditing Journal 21 8, 2006, pp. 811-821.
2. CIA World Fact Book, https://www.cia.gov/cia/publications/factbook/fields/2145.html, 2006.3. Hofstede, G, Culture’s consequences: International differences in work-related values
(London, UK: Sage), 1980.4. Hofstede, G., “Dimensions of National Culture in Fifty Countries and Three Regions,” in J.B.
Deregowski, S. Dziurawiec and R.C. Annis (Eds.), Explications in Cross-CulturalPsychology, Swets and Zeitling, 1983.
5. House, R.J., P.J. Hanges, M. Javidan, P.W. Dorfman, and V. Gupta (Eds), Culture, Leadership,and Organizations: The GLOBE Study of 62 Societies (Thousand Oaks, CA: SagePublications), 2004.
6. McIntosh, E.R, Competency Framework for Internal Auditing: An Overview (AltamonteSprings, FL: The Institute of Internal Auditors Research Foundation), 1999.
7. The Institute of Internal Auditors, A Vision for the Future: Professional Practices Frameworkfor Internal Auditing (Altamonte Springs, FL: The Institute of Internal Auditors ResearchFoundation), 1999.
8. The Institute of Internal Auditors, Professional Practices Framework (Altamonte Springs, FL:The Institute of Internal Auditors Research Foundation), 2005.
12 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
APPENDIX 1-AGLOSSARY OF TERMS SENT WITH
CBOK 2006 QUESTIONNAIRES
Add ValueValue is provided by improving opportunities to achieve organizational objectives, identify operationalimprovement, and/or reducing risk exposure through both assurance and consulting services.
Adequate ControlPresent if management has planned and organized (designed) in a manner that provides reasonableassurance that the organization’s risks have been managed effectively and that the organization’sgoals and objectives will be achieved efficiently and economically.
Advisory RoleA position having or exercising the power to advise and function purely as a consultative role.
Assurance ServicesAn objective examination of evidence for the purpose of providing an independent assessment onrisk management, control, or governance processes for the organization. Examples may includefinancial, performance, compliance, system security, and due diligence engagements.
Audit CommitteeAn audit committee assists the board of directors in discharging its responsibilities with respect tothe accounting policies, internal controls, and financial reporting of the entity.
Balanced ScorecardA concept for measuring a company’s activities in terms of its vision, strategies, and performancemeasures. It gives managers a comprehensive view of the performance of a business. It balancesa financial perspective with customer, internal process, and learning and growth perspectives.
BoardA board is an organization’s governing body, such as a board of directors, supervisory board, headof an agency or legislative body, board of governors or trustees of a nonprofit organization, or anyother designated body of the organization, including the audit committee, to whom the chief auditexecutive may functionally report.
_____________________________________________________ Chapter 1: Introduction 13
The Institute of Internal Auditors Research Foundation
CharterThe charter of the internal audit activity is a formal written document that defines the activity’spurpose, authority, and responsibility. The charter should (a) establish the internal audit activity’sposition within the organization; (b) authorize access to records, personnel, and physical propertiesrelevant to the performance of engagements; and (c) define the scope of internal audit activities.
Chief Audit Executive (CAE)Top position within the organization responsible for internal audit activities. Normally, this would bethe internal audit director. In the case where internal audit activities are obtained from outsideservice providers, the chief audit executive is the person responsible for overseeing the servicecontract and the overall quality assurance of these activities, reporting to senior management andthe board regarding internal audit activities, and follow-up of engagement results. The term alsoincludes such titles as general auditor, chief internal auditor, and inspector general.
Code of EthicsThe Code of Ethics of The Institute of Internal Auditors (IIA) are principles relevant to the professionand practice of internal auditing, and rules of conduct that describe behavior expected of internalauditors. The Code of Ethics applies to both parties and entities that provide internal audit services.The purpose of the Code of Ethics is to promote an ethical culture in the global profession ofinternal auditing.
ComplianceConformity and adherence to policies, plans, procedures, laws, regulations, contracts, or otherrequirements.
Conflict of InterestAny relationship that is or appears to be not in the best interest of the organization. A conflict ofinterest would prejudice an individual’s ability to perform his or her duties and responsibilitiesobjectively.
Consulting ServicesAdvisory and related client service activities, the nature and scope of which are agreed with theclient and which are intended to add value and improve an organization’s governance, riskmanagement, and control processes without the internal auditor assuming management responsibility.Examples include counsel, advice, facilitation, and training.
14 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Continuous MonitoringContinuous monitoring is an ongoing systematic process for acquiring, analyzing, and reporting onbusiness information to identify and respond to operational business risks.
Contract Audit StaffAudit staff that has been hired to perform specific internal audit projects. Members of the contractaudit staff are not employed as permanent audit staff at the organization.
ControlAny action taken by management, the board, and other parties to manage risk and increase thelikelihood that established objectives and goals will be achieved. Management plans, organizes, anddirects the performance of sufficient actions to provide reasonable assurance that objectives andgoals will be achieved.
Control EnvironmentThe attitude and actions of the board and management regarding the significance of control withinthe organization. The control environment provides the discipline and structure for the achievementof the primary objectives of the system of internal control. The control environment includes thefollowing elements:
• Integrity and ethical values• Management’s philosophy and operating style• Organizational structure• Assignment of authority and responsibility• Human resource policies and practices• Competence of personnel
Control ProcessesThe policies, procedures, and activities that are part of a control framework, designed to ensurethat risks are contained within the risk tolerance established by the risk management process.
Control Self-assessmentCSA is a process through which internal control effectiveness is examined and assessed. Theobjective is to provide reasonable assurance that all business objectives will be met.
Co-sourcingWorking with external professionals to meet requirements for the organization’s audit plan andobtaining value-added solutions from the cooperative effort.
_____________________________________________________ Chapter 1: Introduction 15
The Institute of Internal Auditors Research Foundation
Corporate GovernanceThe set of processes, customs, policies, laws, and institutions affecting the way a corporation isdirected, administered, or controlled.
Emerging MarketIs a term used to refer to markets in newly industrialized or developing countries with capitalmarkets at early stages of institutional development.
EngagementA specific internal audit assignment, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy. An engagement may include multiple tasksor activities designed to accomplish a specific set of related objectives.
Engagement ObjectivesBoard statements developed by internal auditors that define intended engagement accomplishments.
Engagement Work ProgramA document that lists the procedures to be followed during an engagement, designed to achieve theengagement plan.
Enterprise Risk Management (ERM)A continuous process that establishes risk management objectives and develops tolerances andlimits for all the enterprise’s significant risks.
Environmental SustainabilityIn compliance with International Standard for Environmental Management System (ISO 14001certified).
External Quality Assurance ReviewExternal assessment should be conducted at least once every five years by a qualified, independentreviewer or review team from outside the organization.
External Service ProviderA person or firm, outside of the organization, who has special knowledge, skill, and experience in aparticular discipline.
16 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
FraudAny illegal acts characterized by deceit, concealment, or violation of trust. These acts are notdependent upon the application of threat of violence or of physical force. Frauds are perpetratedby parties and organizations to obtain money, property, or services; to avoid payment or loss ofservices; or to secure personal or business advantage.
Global Audit Information Network (GAIN)The information network enables organizations to compare their audit department’s size, experience,expertise, and other metrics against the aggregated averages of similar-sized organizations in theirindustry.
GovernanceThe combination of processes and structures implemented by the board in order to inform, direct,manage, and monitor the activities of the organization toward the achievement of its objectives.
ImpairmentsImpairments to individual objectivity and organizational independence may include personal conflictof interest, scope limitations, restrictions on access to records, personnel, and properties, andresource limitations (funding).
IndependenceThe freedom from conditions that threaten objectivity or the appearance of objectivity. Such threatsto objectivity must be managed at the individual auditor, engagement, functional, and organizationallevels.
Information Risk AssessmentAssessment of information threats and opportunities to ensure proper controls are in place tominimize the risks to the organization’s information assets.
Internal Audit Activity or Internal Audit FunctionA department, division, team of consultants, or other practitioner(s) that provides independent,objective assurance and consulting services designed to add value and improve an organization’soperations. The internal audit activity helps an organization accomplish its objectives by bringing asystematic, disciplined approach to evaluate and improve the effectiveness of risk management,control, and governance processes.
_____________________________________________________ Chapter 1: Introduction 17
The Institute of Internal Auditors Research Foundation
Internal Quality Assurance ReviewInternal assessments include: ongoing reviews of the performance of the internal audit activity andperiodic reviews performed through self-assessment or by other persons within the organizationwith knowledge of internal auditing practices and the Standards.
Knowledge Management SystemA distributed system in organizations supporting creation, capture, storage, and dissemination ofexpertise and information.
Management EffectivenessThe metrics used to evaluate management effectiveness include: leadership, delegation, motivation,return on investment, return on assets, and return on equity.
ManagerA manager is normally an advanced senior rank position.
Managerial AccountingThe branch of accounting that uses both historical and estimated data in providing information thatmanagement uses in conducting daily operations in planning future operations, and in developingoverall business strategies.
ObjectivityAn unbiased mental attitude that allows internal auditors to perform engagements in such a mannerthat they have an honest belief in their work product and that no significant quality compromisesare made. Objectivity requires internal auditors not to subordinate their judgment on audit mattersto that of others.
PartnerThis is the highest professional rank in an accounting firm. By achieving this rank, a partner isadmitted as a co-owner of the firm.
Residual RiskThe risk remaining after management takes action to reduce the impact and likelihood of an adverseevent, including control activities in responding to a risk.
18 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
RiskThe possibility of an event occurring that will have an impact on the achievement of objectives.Risk is measured in terms of impact and likelihood.
Risk ManagementA process to identify, assess, manage, and control potential events or situations to provide reasonableassurance regarding the achievement of the organization’s objectives.
Semi-governmentThe semi-government sector comprises the corporations, statuary boards, authorities, and statebanks under the central government.
ShouldThe use of the word “should” in the Standards represents a mandatory obligation.
StaffThe position of a staff accountant (also called assistant) is the entry-level position.
StandardA professional pronouncement promulgated by the Internal Auditing Standards Board that delineatesthe requirements for performing a broad range of internal audit activities, and for evaluating internalaudit performance.
Total Quality Management (TQM)Total Quality Management is a management approach that emphasizes superior quality in all aspectsof the company’s operations. It is an ongoing process that utilizes synergistic relationships to exercisecontinuous improvement and self evaluation.
_____________________________________________________ Chapter 1: Introduction 19
The Institute of Internal Auditors Research Foundation
APPENDIX 1-BCLUSTERING OF GROUPS AND
NUMBER OF RESPONSES
Affiliate or Primary IIA Usable PercentageChapter Language(s) Members Responses of MembersGroup Spoken 9/30/06 12-15-06
Group 1**Aruba English 8 4 50.0**Bahamas English 59 3 5.1**Barbados English 70 17 24.3**Bermuda English 73 5 6.9**Canada French/English 5,255 430 8.2**Jamaica English 327 17 5.2**Trinidad and English 169 13 7.7Tobago**Puerto Rico Spanish 386 17 4.4*United States English 54,686 3,139 5.7of AmericaTotal 61,033 3,645 6.0Group 2*+Australia English 2,602 177 6.8*+New Zealand English 486 38 7.8Total 3,088 215 7.0Group 3**+South Africa English 4874 464 9.5*+UK and Ireland English 7185 271 3.8Total 12,059 735 6.1Group 4*China Chinese 2,248 62 2.8*+Chinese Taiwan Chinese 3,144 239 7.6*+Hong Kong, English 375 6 1.6China*+Japan Japanese 2,053 66 3.2*Korea Korean 557 1 0.2Total 8,377 374 4.5
*House, R.J., P.J. Hanges, M. Javidan, P.W. Dorfman, and V. Gupta (Eds), Culture, Leadership, and Organizations: TheGLOBE Study of 62 Societies (Thousand Oaks, CA: Sage Publications), 2004.**Classification by Team Americas in consultation with The IIA, world map, and CIA World Factbook, https://www.cia.gov/cia/publications/factbook/fields/2145.html+Responded to the Affiliate CBOK questionnaire.
20 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
APPENDIX 1-B (Cont.)CLUSTERING OF GROUPS AND
NUMBER OF RESPONSES
Affiliate or Primary IIA Usable PercentageChapter Language(s) Members Responses of MembersGroup Spoken 9/30/06 12-15-06
Group 5**+Azerbaijan Azari/Russian 133 1 0.8**+Bulgaria Bulgarian 357 71 19.9**+Cyprus Greek/Turkish 276 30 10.9**Czech Republic Czech/English 886 166 18.7**Estonia Estonian 135 16 11.9*+Greece Greek 456 80 17.5**Latvia Latvian 123 1 0.8**+Lithuania Lithuanian 130 3 2.3*Poland Polish 520 69 13.3**Romania Romanian 214 42 19.6*+Russia-Moscow Russian 492 129 26.2*+Slovenia Slovenian 15 1 6.7*Ukraine Ukrainian 25 2 8Total 3,762 611 16.2Group 6*+Austria German 277 84 30.3**+Belgium English/French/Dutch 1,154 102 8.8*+Germany German 1,728 131 7.6*+Luxembourg French/English 325 1 0.3*+Netherlands Dutch 1,741 112 6.4*Switzerland German/French 305 33 10.8Total 5,530 463 8.4
_____________________________________________________ Chapter 1: Introduction 21
The Institute of Internal Auditors Research Foundation
APPENDIX 1-B (Cont.)CLUSTERING OF GROUPS AND
NUMBER OF RESPONSES
Affiliate or Primary IIA Usable PercentageChapter Language(s) Members Responses of MembersGroup Spoken 9/30/06 12-15-06
Group 7*+Argentina Spanish 562 57 10.1*+Bolivia Spanish 215 8 3.7*+Brazil Portuguese 1,358 97 7.1**Chile Spanish 33 4 12.1*+Colombia Spanish 432 94 21.8*Costa Rica Spanish 186 40 21.5**+Dominican Republic Spanish 213 3 1.4*Ecuador Spanish 531 7 1.3*Guatemala Spanish 75 4 5.3*+Mexico Spanish 842 91 10.8**+Nicaragua Spanish 136 6 4.4**Panama Spanish 69 6 8.7**Paraguay Spanish 114 3 2.6**+Peru Spanish 328 72 22.0*+Venezuela Spanish 376 36 9.6Total 5,470 528 9.7Group 8*+France French 2,937 235 8.0*+Israel Hebrew 1,028 4 0.4*+Italy Italian 2,531 456 18.0*Portugal Portuguese 375 84 22.4*+Spain Spanish 1,556 249 16.0Total 8,427 1,028 12.2Group 9**Algeria French 45 4 8.9*Egypt Arabic/English 61 4 6.6**+Lebanon Arabic/English 105 13 12.4**Oman Arabic/English 176 5 2.8**+Qatar Arabic/English 233 8 3.4**Tunisia Arabic/French 306 2 0.7*+Turkey Turkish 554 80 14.4**United Arab Emirates English 349 16 4.6Total 1,829 132 7.2
22 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
APPENDIX 1-B (Cont.)CLUSTERING OF GROUPS AND
NUMBER OF RESPONSES
Affiliate or Primary IIA Usable PercentageChapter Language(s) Members Responses of MembersGroup Spoken 9/30/06 12-15-06
Group 10*+Denmark Danish 390 3 0.8*+Finland Finnish 584 43 7.4**Iceland Icelandic 100 3 3.0**+Norway Norwegian 662 45 6.8*+Sweden Swedish 542 52 9.6Total 2,278 146 6.4Group 11**Bangladesh English 116 1 0.9*India English 2,795 57 2.0*Indonesia Indonesian/English 654 11 1.7*+Malaysia English 2,150 60 2.8**Pakistan - Karachi English 172 3 1.7**Pakistan –Islamabad English 186 3 1.61**Pakistan - Lahore English 339 1 0.3*+Philippines English 1,280 5 0.4**+Singapore English 1,343 74 5.5**+Sri Lanka Sinhala/English 50 6 12.0*+Thailand Thai 1,446 29 2.0Total 10,531 250 2.4Group 12**Botswana English 134 1 0.8**Cameroon French 161 1 0.6**+Congo-Kinshasa French 37 1 2.7**Ethiopia English 288 16 5.7**Ghana English 57 2 3.5**Kenya English 589 4 0.7**+Malawi English 169 1 0.6*Nigeria English 48 4 8.3**+Uganda English 117 13 11.1*Zambia English 63 2 3.2*Zimbabwe English 557 3 0.5Total 2,220 48 2.2
_____________________________________________________ Chapter 1: Introduction 23
The Institute of Internal Auditors Research Foundation
APPENDIX 1-B (Cont.)CLUSTERING OF GROUPS AND
NUMBER OF RESPONSES
Affiliate or Primary IIA Usable PercentageChapter Language(s) Members Responses of MembersGroup Spoken 9/30/06 12-15-06
Group 13Not Classified – 1,191respondent did notspecify affiliate orchapter
Affiliates that did 3,131not participateTotal Membership 127,735 9,366 7.3Less members that werenot sent an invitationto participate:Membership of affiliates (3,131)that did not participateEleven affiliates with (2,098)only one response(2,109 members –11 respondents)39% of U.S. members (21,328)who have opted not toreceive e-mail fromThe IIA (54,686 x .39 =21,328)39% of Canadian (2.049)members who have optednot to receive e-mailfrom The IIA(5,255 x .39 = 2,049)Total estimated 99,129 9,366 9.5membership that wassent an invitation toparticipate and estimatedresponse rate
24 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 25
The Institute of Internal Auditors Research Foundation
CHAPTER 2A WORLDWIDE PICTURE OF THE
INTERNAL AUDIT ACTIVITY
Introduction
Who would have thought that internal auditors would be described by the media as rock stars?The current demand for qualified internal auditors is greater than the supply. Business scandalsaround the world have not only reminded organization fiduciaries and management of theirresponsibilities in the areas of governance, control, and risk management, but have also resulted inincreased legislation and regulation. The internal audit activity (IAA) has become a necessary ormandatory activity in organizations around the world. Some organizations are over 100 years oldwith large, well established IAAs, while many younger companies are just starting to develop andutilize their IAAs. Regardless of the size, type, or age of an organization, the role of internalauditing is evolving into a value-added activity that helps an organization manage its risks and takeadvantage of opportunities to improve. With the increase in scope of audit responsibility since1999, the IAA must act to monitor the adequacy and effectiveness of management’s internalcontrol framework and contribute to the integrity of corporate governance, risk assessment, andthe financial, operating, and IT systems.
Since 1941, The IIA has grown tremendously. Between June 2003 and September 2006, The IIA’smembership grew from 82,645 members to 127,735 members, a 54.6% increase in just over threeyears. The November 2006 IIA Insight stated that there are members in 165 countries and territories.Also, as of September 2006 there are 6,000 new Certified Internal Auditors (CIAs) for a total of60,000 CIAs worldwide. There are 90 countries with CIA exam sites.
What do internal auditors really need to know to perform their jobs with due care and to add valueto their organizations? This CBOK 2006 research report summarizes the information gatheredfrom respondents around the world regarding the current state of the internal auditing profession.It identifies the attributes of an effective IAA; internal auditor skills, competencies, and knowledge;internal audit tools and techniques; and emerging roles of the IAA. This informs the profession andthose who benefit from its activities and services as well as serving as a basis for educating andtesting the competence of those who enter and want to succeed in the profession.
26 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Since the CAE and Practitioner CBOK 2006 questionnaires were released in September 2006,adherence to The IIA’s International Standards for the Professional Practice of InternalAuditing (Standards) as of September 2006 provides the basis for this study. The overall purposeof the CBOK 2006 project is to develop the most comprehensive database ever to capture acurrent view of the global state of the internal audit profession. The database will be updated torecognize the evolution of global internal audit practices. Future studies will build upon this baseline,allowing for comparison, analysis, and trending.
The major topics covered in this chapter are a summary of the demographics of respondents andtheir organizations, compliance with the Standards, current status of the IAA, staffing andprofessional development, internal auditor skills, internal auditor competencies and knowledge,internal audit tools and techniques, and the emerging roles of the IAA.
The number of respondents answering a specific question will often differ from the 9,366 totalrespondents in this study. This is due to the following reasons:
• Not all of those who participated in the survey answered all of the questions asked. Resultsare shown and discussed only for those respondents who answered a particular surveyquestion.
• Not all questions were asked of all respondents.o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).o Some questions were asked of all respondents: both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA.These more detailed summaries of results may be provided for the five categories of respondents:CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in theOther category consist primarily of other professional staff whose positions are not captured bythe traditional job titles included in the survey. They may be members of the IAA, employed byservice providers, or in organizations where their titles are less traditional but with duties withininternal auditing.
Survey Demographics Summary
The following is a brief summary of the demographics of the respondents and their organizations.Detailed tables and a discussion of the demographics are presented in Chapter 3. Respondents’
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 27
The Institute of Internal Auditors Research Foundation
represent the following staff levels: CAEs (26.5%), Audit Managers (22.8%), Audit Seniors/Supervisors (25.2%), Audit Staff (18.2%), and Others (7.3%).
Duration of Respondents’ IIA and/or Affiliate Membership and Respondents’ Age
Survey results indicate that 58.6% of respondents have been members of The IIA for five years orless, 19.5% have been members for 6 to 10 years, and 15% have been members for 11 or moreyears. Although distribution of the original survey instrument was only to IIA members, 6.9% ofthe respondents indicated they are not members of The IIA.
When asked about their age, respondents indicated 3.5% are 25 years old or under, 27.8% arebetween 26 and 34 years old, 34.8% are between the ages of 35 and 44, and 24.2% are between45 and 54 years old. Only 9.3% are 55-64 years old and .4% are older than 65. The largestpercentage of Audit Managers (41.5%) is between 35 and 44 years old.
Highest Level of Formal Education and Academic Major
Thirty-eight point one percent of the respondents have obtained their bachelor’s (undergraduate)degree in business, and 28.9% have obtained a master’s (graduate) degree in business. Fourteenpoint three percent have a bachelor’s degree in a non-business subject and 9.4% have a master’sdegree in a non-business field. There appears to be no pronounced relationship between therespondent’s highest level of education and their current position in the IAA. It also appears thatfor most respondents, a bachelor’s degree or comparable level of education is necessary to enterthe profession.
The top six academic majors of respondents are accounting (55.8%), general business/management(27%), finance (23.8%), economics (19.9%), auditing (17.8%), and internal auditing (12.7%) (NOTE:since respondents could mark all that apply, percentages exceed 100%). A higher percentage ofCAEs (60.0%) and Audit Managers (59.9%) have an accounting major than members of the AuditStaff (45.0%).
Professional Qualification(s) and Area(s) of Professional Experience
There are many professional organizations that have qualifying tests and certifications for thoseemployed in accounting and auditing. Survey respondents were asked about their own qualifications.More than one-third (39.4%) of the respondents have a specific certification in internal auditingand about one-fourth (26.7%) of the respondents have a certification in public accounting/charteredaccountancy. A much smaller number of respondents have certifications in information systemsauditing (10.2%), management/general accounting (5.4%), and fraud examination (5.3%). Internal
28 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
auditing is the most common certification for respondents followed by public accounting/charteredaccountancy. The possession of additional qualifications appears more common as individualsmove up in the IAA.
The five areas in which respondents have the most business experience are internal auditing (6.1years), management (5.4 years), accounting (5.3 years), other professional experience (4.9 years),and finance (4.4 years). This pattern is consistent for those currently employed by service providers,privately held (non-listed) companies, publicly traded (listed) companies, and public sector. Serviceproviders, for the purpose of this study, are defined as those who work on a contractual basis to aidorganizations with assurance and consulting engagements. The not-for-profit sector respondentsindicated less overall work experience.
Years of Existence of IAA and Years of CAE Experience
The largest numbers of respondents work for IAAs that have been in existence for 0-5 years(28.4%) and another 21% of the respondents work for IAAs that have been in existence for 6-10years. A total of 13.8% of respondents’ organizations have IAAs that have been in existence for31 or more years. This is a very positive development for internal auditing as it shows that growthhas accelerated in the past 10 years. Given the corporate governance issues and regulatorydevelopments in recent years, this could be a reflection of the recognition by organizations andtheir boards of the need for internal auditing.
When CAEs were asked about their years of experience as a CAE, more than half (56%) indicatedthey had been a CAE for 5 years or less and one-fourth of CAE respondents have between 6 and10 years of CAE experience. Nineteen percent of CAE respondents have more than 10 years ofexperience in this position.
Organization Type, Service Providers, and Industry Classifications
When asked about their current employers, 38% of all respondents indicate that they work for apublicly traded (listed) company, while 19.5% work for a privately held (non-listed) company.Twenty-three percent of all respondents currently work in the public sector. Ten point five percentof the respondents work for a service provider or as a consultant. Internal auditing is performed bymembers of the IAA as well as by external service providers.
The survey population covered a broad range of industries. Since the respondents were asked toselect all industries that applied to their organization, the total of industries selected is greater than100%. The top 10 industries indicated by respondents are: banking/financial services/credit union(24.5%), other (13.9%), manufacturing (13.4%), financial, accounting, and/or business services
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 29
The Institute of Internal Auditors Research Foundation
(11.1%), insurance (9.3%), utilities (7.9%), education (7.0%), communication/telecommunication(7.0%), healthcare (6.4%), and retail/wholesale (6.2%).
Geographical Areas and Legislation Affecting Internal Auditing
Recognizing that organizations operate differently, in part based on the locations they service, datawas collected on geographical areas served by the respondents’ organizations. Of the respondents,39.2% indicate that their employer operates on an international/multinational scale, while 29.1% ofemployers operate on a national scale. The remaining 31.7% operate on a local, state/provincial, orregional basis.
In the CBOK Affiliate questionnaire, affiliate leaders were asked about local and federal regulationsand legislation affecting the profession of internal auditing. Of the 46 affiliates that responded, 36(78%) indicate that their countries have legislation or regulations that affect the internal auditingprofession in the public sector. In most of these affiliates, financial entities, banks, and insurancecompanies are subject to legislation that prescribes the establishment of, or the role of, internalauditing in an organization. The United States and Canada also have legislation affecting internalauditing.
In 22 (61%) of the 36 affiliates where legislation or regulation affecting internal auditing exists,The IIA affiliate had an influence on the final form of the legislation or regulation. Those IIAaffiliates that assisted in the development of the legislation or regulations took part in the discussionsor provided input through participation in committees, work groups, and conferences. IIA affiliatesalso regularly issue their own opinions on drafts of local and national laws and regulations. Thepublication of position papers and articles reflecting their members’ ideas and opinions is a commonmethod of participation in the evolution of local and national laws and regulations.
Compliance with Internal Auditing Standards
Most of the participants in this study indicate that their IAAs are using the Standards and PracticeAdvisories. They also believe that the guidance provided to them by the Standards and PracticeAdvisories is adequate. Standards 1300, Quality Assurance and Improvement Program, and 2600,Resolution of Management’s Acceptance of Risk, received lower adequacy responses indicatingthat more or clearer guidance may be appropriate in the fields of quality assurance and improvementand resolution of management’s acceptance of risk. The respondents are using these two standardsto a lesser extent when compared to the other standards. Overall, the guidance provided by theAttribute Standards is perceived by respondents to be better than that provided in the PerformanceStandards.
30 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Respondents at all staff levels indicate that 81.9% of their IAAs use the Standards in whole or inpart. In Figure 2-1, CAEs report the highest level of usage (85.1%) of the Standards by their IAA,while all other respondents report usage between 72.2% and 84.3.
Figure 2-1Organizations’ Use of the Standards in Whole or in Part by Staff Level
All Respondents (8,647) in Percentages
The most common reasons given by those respondents whose IAA does not adhere to the Standardsare:
• Inadequate IAA staff (12.6%).• Management of organization does not think it adds value (12.2%).• Too time-consuming to comply with the Standards (12.2%).
Percentage of Respondents
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 31
The Institute of Internal Auditors Research Foundation
• Compliance not supported by management of organization (11.9%).• Superseded by local/government regulations/standards (10.7%).
Quality Assurance and Improvement Programs
To supplement the research on compliance with the Standards, respondents were asked specificquestions about their compliance with Standards 1300, 1311, and 1312 which require quality assuranceand improvement programs, internal quality assessments, and external quality assessments. Standard1300 requires the CAE to “develop and maintain a quality assurance and improvement programthat covers all aspects of the internal audit activity and continuously monitors its effectiveness.”
The level of compliance is lowest for Standard 1300, Quality Assurance and Improvement Program.Approximately one-third of the respondents currently have a quality assurance and improvementprogram in accordance with Standard 1300. Approximately one-third of the respondents have hadan internal assessment. One-third has never had an internal assessment. Almost one quarter of therespondents do not plan to have a quality assurance and improvement program in place within thenext 12 months in accordance with Standard 1300, although approximately one-third of therespondents have such a program currently in place. Forty percent indicate that no externalassessment has been performed.
Less than 50% of the respondents indicate that their quality assessment and improvement programsinclude certain activities to monitor the effectiveness of these programs as suggested by PA1300-1, Quality Assurance and Improvement Program. Monitoring activities most often includeengagement supervision and checklists to provide assurance that proper audit processes are followed.Approximately 30% of the respondents indicate that compliance with The IIA’s Standards orCode of Ethics are explicitly monitored as part of these activities.
According to Standard 1311, Internal Assessments, the IAA should adopt a process to monitor andassess the overall effectiveness of the quality program. The process should include both internaland external assessments. There is no formal requirement mentioned in the standard regarding thefrequency of the self-assessment, only that it be ongoing. The respondents were requested toindicate when their IAAs were last subject to a formal internal assessment. Of those responding,23.6% have had an internal review within the last 12 months and an additional 8.7% had an internalreview within the last five years. The CAE respondents indicated that 47.4% of their IAAs havenever had an internal assessment.
According to Standard 1312, External Assessments, the IAA should have an external assessmentat least once every five years by a qualified, independent reviewer or review team external to the
32 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
organization. All IAAs that existed on January 1, 2002, when this standard became effectiveshould have had an external assessment performed by January 1, 2007. Of all respondents, 39.7%have never had an external assessment. When analyzing this response by staff level, 53.7% ofCAE respondents indicate that their organizations have not been subject to a formal externalquality assessment and are not in compliance with Standard 1312. Note in Figure 2-2 that 28.4% ofthe respondents’ IAAs are five years old or less. This could be the reason why some of the IAAshave not had an external assessment.
Compliance with The IIA’s Code of Ethics
As The IIA’s Code of Ethics must be followed by all those that provide internal auditing services,affiliate leaders were asked whether they required their members to follow The IIA’s Code ofEthics. Forty-six affiliate leaders responded to this question and all answered in the affirmativeexcept for one which adopted a local version. When the affiliate leaders were asked how theyhandled ethical complaints against their members, the wide variety of responses ranged from theuse of an ethics or disciplinary committee to action being left to the affiliate’s full board of directors.
Current Status of the Internal Audit Activity
The IAA adds value in multiple ways. It helps the organization achieve its goals by providingsuggestions for improvements to vital systems, processes, and procedures. The IAA helps ensurethat controls are in place to provide safety and security for transactions and activities. Consultingservices assist management in planning for the future and addressing difficult strategic and operationalissues. The IAA is vital to the success and health of any organization operating today.
Some parts of the world are just starting to recognize the importance of internal auditing andbeginning to develop the internal auditing activity. Many IAAs are small or have been in existencefor less than five years. Newer IAAs and/or those with smaller audit staffs may not have sufficientstaff or personnel with all of the necessary skills and competencies to meet the needs of theirorganizations. Depending upon priorities and availability of resources, some audits or audit skillsmay need to be outsourced.
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 33
The Institute of Internal Auditors Research Foundation
Years That the IAA and the Organization Have Existed
To gain a perspective on the length of time respondents’ organizations have had IAAs, Figure 2-2lists the number of years the respondents’ IAAs have been in existence. The largest number ofrespondents work for IAAs that have been in existence for 0-5 years (28.4%). Another 21% ofthe respondents work for IAAs that have been in existence for 6-10 years. Respondents indicatethat 13.8% work in IAAs that have been in existence for 31 or more years. Given the corporategovernance issues and regulatory developments in recent years, the large number of newer IAAscould be a reflection of the recognition by organizations of the need for the IAA and the need toconduct audits in these areas. A new IAA could also be the result of a corporate merger oracquisition. Although a newer IAA may not be as developed or have the same level of experienceor expertise as a more mature one, a younger department does not necessarily equate to a weak orunskilled department.
Figure 2-2Number of Years the IAA Has Existed in the Organization
All Respondents (7,747) in Percentages
0-5 Years28.4%
41+ Years8.1%
31-40 Years5.7%
21-30 Years14.1%
11-20 Years22.7%6-10 Years
21.0%
34 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Figure 2-3 reports how long respondents’ organizations have been in existence. A separate correlationtest performed by the researchers confirms that there is a relationship between how long anorganization has been in existence and how long the organization has had an IAA. Older companiestend to have established IAAs longer than younger companies.
Figure 2-3Number of Years Organizations Have Existed
All Respondents (8,165) in Percentages
IAA’s Relationships within the Organization
Relationship with the Audit/Oversight Committee
To maintain independence, the IAA should have a charter approved by the audit committee of itsgoverning board. An internal audit charter is required by The IIA’s Attribute Standard 1000, Purpose,Authority, and Responsibility, and Practice Advisory (PA) 1000-1, Internal Audit Charter. Thecharter provides the power from which the IAA can insist that they have the authority to conduct
0-5 Years7.2%
6-10 Years10.5%
11-20 Years14.0%
21-30 Years9.3%
31-40 Years8.0%
41+ Years51.0%
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 35
The Institute of Internal Auditors Research Foundation
the audits deemed necessary. The survey confirms that this practice is generally the case in themajority of IAAs with 72.3% of the respondents indicating their organization has an internal auditcharter. IAAs without a charter may be less empowered from the audit customers’ perspective.
The reporting relationships of the respondent CAEs are generally in accordance with the Standardsand Practice Advisories. There is also a high level of input by the audit committee in the appointmentand performance evaluation of CAEs. In the majority of cases, CAEs are reporting to the auditcommittee of the board and/or to a member of senior management. The survey did not allow theCAE to indicate a dual reporting relationship as recommended by The IIA. Dual reporting allowsthe IAA to build organizational independence while also serving senior management.
Practice Advisory 2060-2, Relationship with the Audit Committee, defines the IAA’s and the auditcommittee’s relationship. As noted in Table 2-1, CAEs confirm that an audit/oversight committeeexists in 72.6% of their organizations. The CAE’s relationship with the audit committee chairpersonis very important. Of the respondent CAEs with audit committees, 63.2% meet regularly with theaudit committee chair in addition to regular audit committee meetings. It is notable that of thosethat have audit committees, 91.3% of CAEs believe they have appropriate access to the auditcommittee. Public sector IAAs often do not have an audit committee structure in their organizations.
Table 2-1CAE’s Relationship with Audit/Oversight Committee
CAE Respondents Percentage of Yes Responses
Question Total Respondents YesPercent of
Total Responses
Is there an audit/oversightcommittee in your organization? 2,315 72.6Does the CAE meet with theaudit/oversight committeechairperson in addition to theregularly scheduled meetings? 1,669 63.2Does the CAE believe thathe/she has appropriate accessto the audit committee? 1,671 91.3
36 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Organizations’ and CAEs’ Perceptions of the IAA
A set of general questions asked all respondents to rank their perceptions about how their IAA isperceived by their organization. All respondents were asked to rank their level of agreement withthe statements in Table 2-2 on a scale of 1 to 5 from Strongly Disagree (1) to Strongly Agree (5).The mean response for each question was calculated for the four levels of audit staff respondingto the survey.
Table 2-2Relationship of IAA to the Organization
All Respondents in Means*
CAE Audit Manager Audit Senior/ Audit StaffStatement (Mean of (Mean of 2,033 Supervisor (Mean of 1,626
2,374 Responses) (Mean of 2,251 Responses)Responses) Responses)
Your internal audit activity is an 4.45 4.34 4.25 4.10independent objective assuranceand consulting activity.Your internal audit activity adds 4.41 4.32 4.26 4.20value.Internal audit brings a systematic 4.03 3.99 3.98 3.95approach to evaluate theeffectiveness of risk management.Your internal audit activity brings 4.35 4.27 4.21 4.11a systematic approach to evaluatethe effectiveness of internal controls.Your internal audit activity brings a 3.80 3.73 3.71 3.74systematic approach to evaluate theeffectiveness of governanceprocesses.Your internal audit activity 4.10 4.05 3.96 3.88proactively examines importantfinancial matters, risks, andinternal controls.Your internal audit activity is an 4.10 4.04 3.97 3.91integral part of the governanceprocess by providing reliableinformation to management.
*The mean is the average response to: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree.
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 37
The Institute of Internal Auditors Research Foundation
Table 2-2 (Cont.)Relationship of IAA to the Organization
All Respondents in Means*
CAE Audit Manager Audit Senior/ Audit StaffStatement (Mean of (Mean of 2,033 Supervisor (Mean of 1,626
2,374 Responses) (Mean of 2,251 Responses)Responses) Responses)
The way our internal audit activity 3.52 3.81 3.66 3.51adds value to the governanceprocess is through direct accessto the audit committee.Your internal audit activity has 4.07 3.97 3.86 3.75sufficient status in the organizationto be effective.Independence is a key factor for 4.46 4.40 4.32 4.29your internal audit activity to addvalue.Objectivity is a key factor for 4.58 4.47 4.42 4.36your internal audit activity to addvalue.Your internal audit activity is 4.30 4.17 4.08 3.99credible within your organization.Compliance with The IIA’s 3.86 3.90 3.89 3.90International Standards for theProfessional Practice of InternalAuditing is a key factor for yourinternal audit activity to add valueto the governance process.Compliance with The IIA’s Code 4.03 4.04 3.98 3.99of Ethics is a key factor for yourinternal audit activity to add valueto the governance process.
*The mean is the average response to: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree.
With the majority of means above 4.0, respondents, who are all members of the IAA giving theiropinion about how others see the IAA, indicate that they believe their organizations perceive thatIAAs are independent, objective, add value, and effectively evaluate internal controls. There isless certainty among respondents concerning their perceptions about the effectiveness of the IAA’sapproach to risk management and evaluation of the effectiveness of governance processes. These
38 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
two areas are specifically addressed in the 1999 definition of internal auditing. Respondents’perceptions indicate strong support for the IAA’s independence, objectivity, and credibility. Whilethe IAA appears to be highly credible within the organization, there is less agreement aboutcompliance with The IIA’s Standards and Code of Ethics.
Statements with means around 4.0 indicate respondents’ agreement that the IAA has an effectiveapproach to risk management; is proactive in looking at important financial matters, risks, andinternal controls; has sufficient status in the organization; and compliance with The IIA’s Code ofEthics is a key factor for the IAA to add value to its organization.
The statements ranked under 4.0 but above 3.5 indicate respondents have less support for thestatements about effectiveness in the evaluation of corporate governance and compliance with theStandards. Overall, the perceptions by the respondents provide a very positive view of the IAAwithin their organizations.
Methods Used to Measure the Value Added by the IAA
The responses to the questions about the methods used to measure the value added to the organizationby the IAA show a variety of methods being used. These include self-assessment and assessmentby others in the organization. The measures used include acceptance of recommendations (51.4%),auditee (customer) surveys (34.6%), and the number of management requests (26.8%). Relianceby the external auditors on the IAA is also used as a value indicator (33.5%). No formal measurementof value added exists in 32.6% of respondents’ IAAs.
Internal Audit Activity
Managing the IAA
Standard 2000 requires that the CAE, “should effectively manage the internal audit activity toensure it adds value to the organization.” These activities include administrative activities such asdeveloping an audit plan and assigning audit tasks. Performance Standard 2200 states, “Internalauditors should develop and record a plan for each engagement, including the scope, objectives,timing, and resource allocations.” Over 91.5% of all respondents believe that their IAA performsthese administrative tasks.
Creating the Audit Plan
Eighty-one point three percent of respondents follow Practice Advisories PA 2010-2, Linking theAudit Plan to Risk and Exposures, and PA 2040-1, Policies and Procedures, indicating that most
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 39
The Institute of Internal Auditors Research Foundation
IAAs use a proper planning process. Of the organizations served by the IAA, 73.3% have acorporate ethics policy/code of conduct. Internal audit risk assessments are performed by 69.5%of the respondents. In the IAA, 63.0% have an internal audit operating manual/policy statement.These are all positive indicators of effective internal audit processes.
To comply with IIA Standard 2010, Planning, the IAA should create an audit plan using a risk-based technique. Respondents indicate that 95.6% of their IAAs create a plan for their auditactivities at least annually, while 36.4% plan or revise their intentions multiple times a year. The useof risk-based methodology to determine the audit plan is required by IIA Performance Standard2010 and elaborated in Practice Advisory PA 2010-1, Planning. Of CAE respondents, 86.7% userisk-based techniques in audit planning. When preparing their audit plans, requests from managementare an additional consideration used by 73.1% of CAEs.
Scope of Work and Who Performs the Audits
The definition of internal auditing and Standard 2100 includes three broad areas of responsibilityfor IAAs “to evaluate and contribute to the improvement of risk management, control, and governanceprocesses.” The respondents were asked what percentage of the audits their IAAs performed andwhat percent are outsourced or done by other departments in the organization. The IAA performs85.6% of the internal audits, 79.1% of the operational auditing, 56.3% of the investigations of fraudand irregularities, and 56% of the financial audits. IAAs also perform 47.1% of the ethics auditsand 48.5% of the management effectiveness audits.
Other types of work performed include control framework monitoring and development (58.9%)and compliance with corporate governance and regulatory code requirements (51.4%). Informationrisk assessment (47.5%), internal control testing and evaluation engagements (70.8%), and enterpriserisk management (37.6%) are also performed by the IAA to determine what areas may need to bemade more effective and efficient.
The three largest audit areas that are outsourced/co-sourced outside the IAA are financial auditing(27.2%), information technology department assessment (18.8%), and quality/ISO audits (14.1%).The three areas where fewer audits are performed by the IAA are social and sustainability audits(40%), quality/ISO audits (32.5%), and ethics audits (27.4).
Risk management work performed within organizations includes business viability assessments,enterprise risk management support and information risk assessment. The majority of businessviability assessments are performed by other departments within the organization (51.6%). IAAsperform 24.6% of these audits while 16.8% of the respondents report that these audits are notperformed at all. For enterprise risk management assessment activities, IAAs perform 37.6% of
40 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
these activities, other departments within the organization perform 43.6%, and 6.5% of theseactivities are co-sourced or outsourced. In the area of information risk assessment, the IAA performs47.5% of the activities and other departments perform 30.9%.
Practice Advisory 2120.A1-1, Assessing and Reporting on Control Processes, states that testing“compliance with laws, regulations, and contracts” is part of the IAA’s study and evaluation ofinternal controls. Two areas where the IAA performs compliance activities are compliance withcompany privacy policies (43.1%) and health, safety, and environment (22.1%).
The definition of internal auditing includes consulting in its scope of acceptable audit activities.Areas of consulting included in the study indicate that 11.3% of the activities for corporate takeovers/mergers are performed by IAAs while 50.4% are handled by other departments in the organization.The IAA provides 46.2% of the support for external auditors, while other departments provide28.1% and co-sourced or outsourced work accounts for 14% of the activities required. Projectmanagement activities are performed mainly by other departments (58.3%) with 27.7% of theseactivities provided by the IAA. Both the IAA and other departments in the organization provide39.6% of the activities for special projects with 15.4% being co-sourced or outsourced.
Performing the Engagement
The demands on the IAA and its staff are increasing as the significance and usefulness of thework of the IAA become better known and valued. This can strain the resources of most IAAs asthey enhance their presence in the organization. The use of tools and techniques helps the auditorsuccessfully plan, monitor progress, document, analyze data, complete the audit, and determine themagnitude of audit findings. The objective for this area of the study was to determine which toolsthe IAA finds necessary for internal auditors to successfully perform their engagements.
The tools and techniques included in this survey were identified by reviewing the Standards andPractice Advisories, internal auditing literature, past CBOK studies, and the current CBOK’s pilotstudy. Based on this review, 16 tools and techniques were identified as being important for the IAAand its staff when performing the audit. Some tools/techniques are in the area of audit administration(planning or managing) while others relate to helping internal auditors perform their engagements(analyzing data or statistical sampling). Respondents could not add to or amend the list that wasincluded in the CBOK 2006 survey. The respondents were asked to indicate which listed tools andtechniques their IAAs currently use or plan to use in the next three years by rating all the tools/techniques listed on a five point scale: 1, Not Used, through 5, Extensively Used. Results areshown in Table 2-3, indicating the ranking of response means by position in the IAA.
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 41
The Institute of Internal Auditors Research Foundation
The results in Table 2-3 show that that all respondents, regardless of their position, almost uniformlyrank the same three tools as most used by the IAA. Other electronic communications was thehighest ranked tool. Risk-based audit planning uniformly ranked second with a mean approximatelyone-half a percentage point less than that of electronic communications. Other than electroniccommunications (e.g., Internet, e-mail) and risk-based audit planning, only analytical review has amean above 3.00 for all respondents. These three tools match the core tasks of the IAA: planning,documenting fieldwork, and communication. Documentation and communication can be verylabor intensive when completed without technological support. As such, it is appropriate that theIAA would have first invested and developed tools in these areas.
Table 2-3Extent the IAA Currently Uses Audit Tools and Techniques
All Respondents by Rank*
Tools/Techniques Overall CAE Audit Audit Senior/ Audit OtherManager Supervisor Staff
Other electronic communication 1 1 1 1 1 1(e.g., Internet, e-mail)Risk-based audit planning 2 2 2 2 2 2Analytical review 3 3 4 3/4 4 3Electronic workpapers 4 4 3 3/4 3 4Statistical sampling 5 5 6 5 5 5Computer-assisted audit 6 6 5 6 6 6techniquesFlowchart software 7 8 7 7 8/9 7/8Benchmarking 8 7 8 9/10 11 7/8Process mapping application 9 9 9 8 8/9 10Control self-assessment 10 11 10 9/10 10 9Data mining 11 10 11 12 12 12Continuous/real-time auditing 12 12 13 11 7 11The IIA’s quality assessment 13 13 12 14 14 14review toolsBalanced scorecard or similar 14 14 14 13 15 15frameworkTotal quality management 15 15 15 15 13 13techniquesProcess modeling software 16 16 16 16 16 16
*In some cases the rankings were tied. For example, rankings of Benchmarking and Control self-assessment at the AuditSenior/Supervisor level were tied.
42 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Process modeling software is a tool that is generally not used (ranked 16 of 16) by the respondents.Based on ranks and means, other tools and techniques not currently used by many respondents aretotal quality management techniques, the balanced scorecard, the IIA’s quality assessment reviewtools, continuous/real-time auditing, data mining, and control self-assessment.
Respondents were also asked to indicate their planned use of the listed tools and techniques in thenext three years. Results show that in the next three years a higher number of CAEs and Practitionerswill extensively use the listed tools and techniques, more than they presently do. Significant increasesin usage were indicated for risk-based audit planning and computer-assisted audit techniques.Increased usage was also noted for The IIA’s quality assessment review tools, process modelingsoftware, the balanced scorecard or similar frameworks, continuous real-time auditing, data mining,and control self-assessment.
These findings are very important since these are the tools and techniques suggested by theStandards, practice advisories, and best practices.
Resolution of Major Differences
Practice Advisory 2410-1, Communication Criteria, suggests, “As part of the internal auditor’sdiscussions with the engagement client, the internal auditor should try to obtain agreement on theresults of the engagement and on a plan of action to improve operations, as needed.” CAErespondents were asked to indicate at what points in the audit process major differences areresolved. Several categories could be selected by each respondent indicating major issue resolutionin multiple phases of the audit process. Of those responding, 44.5% usually resolve major differencesduring audit fieldwork and 45.2% usually resolve them during the audit reporting phase. Thirty-twopoint four percent sometimes resolve audit issues during planning, while 28.5% indicated thatresolution rarely happens during the planning stage.
Reporting of Findings
Standard 2440, Disseminating Results, states, “The chief audit executive should communicateresults to the appropriate parties.” The majority of the respondents agree that the responsibility ofreporting audit findings rests with the CAE. CAEs believe they should report the findings alone(75.1%) or jointly with the client (10.3%), while Audit Managers indicate they should report thefindings alone (28.2%) or with the client (9.4%).
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 43
The Institute of Internal Auditors Research Foundation
Monitoring Corrective Action
In Standard 2500, Monitoring Progress, “The chief audit executive should establish and maintain asystem to monitor the disposition of results communicated to management.” Standard 2500.A1goes on to require “a follow-up process to monitor and ensure that management actions have beeneffectively implemented or that senior management has accepted the risk of not taking action.” Ofthe respondents in varying positions in the IAA, 37.5% to 54.5% believe that both the internalauditor and client together have the primary responsibility to monitor adoption of needed correctiveaction. From 25.8% to 35.7% of the respondents indicated that the internal auditor has the primaryresponsibility. The majority of respondents indicated that their organizations have some formalmonitoring system. With the exception of the Other respondents (8.5%), only 2.0% to 3.4% indicatedthey had no formal follow-up procedures. Although these results indicate that this responsibility isoften shared with management, the Standards state that the CAE is responsible for monitoringcorrective action.
Staffing and Professional Development
Staffing
In most organizations, in-house internal auditors cover over 90% of the work. Publicly listedcompanies average the highest in-house audits with 95.4% coverage. Despite the opportunity foroutsourcing and co-sourcing, most organizations are conducting their internal audits with in-housestaff. Consultants are the largest group of service providers for IAAs. Thirty-three percent ofCAEs indicated that their budget for co-sourcing and outsourcing will increase in the next threeyears.
The survey responses indicate that most respondents’ IAAs are relatively small operations interms of staffing but that staff is skewed to more experienced internal auditors. In 44% of theorganizations, there are only two to five general Audit Staff members. The two main methodsCAEs use to cover staff vacancies are reduction in areas of coverage (30.7%) and co-sourcingwith internal audit service providers (28.7%).
44 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Continuing Professional Development and Certification in Internal Auditing
The IIA requires 80 hours of continuing professional development (CPD) every two years. TheIIA Attribute Standard 1230, Continuing Professional Development, requires internal auditors to“enhance their knowledge, skills, and other competencies through continuing professionaldevelopment.” Respondents were asked how many hours of formal training they received over thelast 36 months or while they have been working in their IAA if less than 3 years. Training includes,but is not limited to, seminars, conferences, workshops, and in-house information sessions providedby either the respondent’s organization or other organizations.
The range in hours of formal training reported is from none to more than 240 hours. There is anexpectation that all respondents would have taken at least 120 hours of CPD over the prior three-year period. Of the CAEs, 48.2% achieved or exceeded 120 hours of CPD. Another 16.4% of theCAEs attained the 80-119 hour level of CPD. The percentages of respondents at the other stafflevels that achieved 120 or more hours of formal training are: 49.1% for Audit Managers, 42.4%for Audit Seniors/Supervisors, 35.5% for Audit Staff, and 34.1% for Others.
Compliance with the Standards mandates 40 hours of CPD annually. In some parts of the world,due to the small size of the internal auditor population, it may be difficult to find the continuingprofessional development needed to upgrade skills. There are many ways that IAAs can obtainCPD for their staff even if funding or scarcity of local CPD courses are a concern. With the useof the Internet, members can attend online conferencing events provided by The IIA, downloadIIA position statements, and research online how to perform such activities as control self-assessment.The IIA has monographs and other materials on multiple topics to aid in training internal auditors.
Of the respondents, 39.4% have a certification in internal auditing (e.g., CIA, MIIA), and aboutone-fourth of the respondents have a certification in public accounting/chartered accountancy.Possession of additional certification appears more common as individuals progress professionallyin the IAA.
Internal Auditor Skills
Since the scope of audit responsibilities outlined in the definition of internal auditing expanded in1999, the types of audits and consulting activities performed by IAAs have increased. Skills usedby internal auditors have evolved and changed to meet the challenges of performing these newtypes of audits.
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 45
The Institute of Internal Auditors Research Foundation
Standard 1220, Due Professional Care, requires internal auditors to “apply the care and skill expectedof a reasonably prudent and competent internal auditor.” The objective for this question is todetermine the behavioral and technical skills necessary for internal auditors to successfully performtheir jobs at their position in the IAA. Recognizing the evolutionary nature of the profession, thefollowing two sections summarize the skills internal auditors are currently expected to possess asthey perform their roles.
All respondents were provided a list of technical and behavioral skills developed from the Standardsand Practice Advisories, internal auditing literature, past CBOK studies, and the current CBOK2006 pilot survey . Respondents were unable to amend or change the list of skills provided. CAEswere asked to identify the five most important technical and behavioral skills they and their staffneed to possess in order to be successful at their position in the IAA. Practitioners were asked toindicate the importance of the listed skills to perform their work at their current staff position byranking the skills on a scale of 1 (minimally important) to 5 (very important). As a guide whenanswering the survey questions, respondents were given the following definition of technical skills:“using terminology or subject matter in a particular field.” Behavioral skills were defined in thesurvey as “actions towards others measured by commonly accepted standards and managementof one’s own actions.”
Technical Skills
CAEs believe that understanding the business and risk analysis are skills that are most importantfor themselves. There is no individual technical skill that is highly rated by CAE respondents for allstaff levels in the IAA. Technical skills that are considered more important for the Audit Staff butless critical for CAEs are identifying types of controls, use of information technology, statisticalsampling, and data collection and analysis. Other skills, such as forensic skill/fraud awareness, riskanalysis, and negotiating, are considered more important for CAEs and not as vital for the AuditStaff or Audit Seniors/Supervisors.
As shown in Table 2-4, when reviewing the mean ranking of technical skills by Practitioners, theconsistency in rankings among the three traditional staff levels (Audit Manager, Audit Senior/Supervisor, and Audit Staff) is very noticeable. The decreasing importance of certain skills as oneachieves higher levels in the IAA is indicated for some technical skills, but the direction of thechange is more significant than the magnitude of the decrease. Statistical sampling and data collectionand analysis have the largest changes between professional ranks.
46 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 2-4Importance to Respondent of Technical Skills to Perform Work
Practitioner Respondents by Means*
Technical Skills Audit Audit AuditManager Senior/ Staff
Supervisor
Data collection and analysis 4.1 4.3 4.4Financial analysis 3.8 3.9 3.7Forensic skills/fraud awareness 3.6 3.6 3.6Identifying types of controls 4.3 4.2 4.1(e.g., preventative, detective)Interviewing 4.3 4.3 4.3ISO/quality knowledge 2.9 2.9 3.0Negotiating 3.7 3.6 3.5Research skills 3.9 4.0 4.0Risk analysis 4.4 4.3 4.2Statistical sampling 3.2 3.3 3.5Total quality management 2.9 2.9 3.0Understanding the business 4.5 4.4 4.3Use of information technology 4.1 4.1 4.1
*The mean is the average response to: 1 = minimally important to 5 = very important.Note: Not all respondents answered for all the skills. Total number of respondents was between 4,686 and 4,756.
Behavioral Skills
The results show that CAEs and Practitioners almost uniformly consider confidentiality and objectivityamong the five most important behavioral skills. The CAEs’ responses for other behavioral skillsindicate a difference among the skills needed based on the professional levels analyzed (CAE,Audit Manager, Audit Senior/Supervisor, and Audit Staff). While leadership is considered the mostimportant skill that CAEs should possess, CAEs indicate that for the Audit Staff, interpersonalskills and being a team player are most important. From the CAE’s perspective, when viewing theimportance of behavioral skills across the array of hierarchical positions in the IAA, leadership,governance and ethics sensitivity, and staff management show a trend of increasing importance.As one progresses to higher levels of professional responsibility and status, being considered ateam player and being able to work independently decline in importance.
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 47
The Institute of Internal Auditors Research Foundation
Practitioners were asked to indicate the importance of the same 12 behavioral skills for performingtheir work at their current position in the organization. Respondents indicated importance on ascale of 1 (minimally important) to 5 (very important). Analysis broken up into three professionallevels (Audit Manager, Audit Senior/Supervisor, and Audit Staff) is shown in Table 2-5. As indicatedby a mean of 4.0 and above, practitioners consider almost all the behavioral skills listed to beimportant to perform their work at their current position in the IAA.
Table 2-5Importance of Behavioral Skills to Perform Work
Practitioner Respondents by Mean*
Behavioral Skills Audit Audit AuditManager Senior/ Staff
Supervisor
Confidentiality 4.8 4.8 4.7Facilitating 4.1 4.0 3.9Governance and ethics sensitivity 4.4 4.3 4.3Interpersonal skills 4.6 4.5 4.5Leadership 4.3 4.1 3.9Objectivity 4.8 4.8 4.7Relationship building 4.4 4.4 4.3Staff management 4.1 3.8 3.5Team building 4.2 4.0 3.9Team player 4.3 4.2 4.2Work well with all levels of management 4.6 4.6 4.5Working independently 4.2 4.2 4.2
*The mean is the average response to: 1 = minimally important to 5 = very important.Note: Not all respondents answered for all the skills. Total number of respondents is between 4,742 and 4,790.
No one person can possess all the behavioral and technical skills needed by the IAA to perform thedifferent types of audits and consulting engagements necessary to fulfill all the needs of theorganization. Although many of the staff can be generalists, IAAs may need to hire specialists and/or outsource audits as needed.
48 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Internal Auditor Competencies and Knowledge Areas
Competency and knowledge areas are essential for the success of an individual internal auditor,the completion of an audit, and the overall success of the IAA. Standard 1210, Proficiency, requiresthe “internal audit activity collectively should possess or obtain the knowledge…and othercompetencies needed to perform its responsibilities.” Standard 1230, Continuing ProfessionalDevelopment, indicates that these competencies and knowledge areas must be continually updatedand current. Internal auditors at all levels need to obtain and develop a range of competencies andknowledge areas that enable them to perform their work effectively and enable the IAA to functionproperly.
Competencies
Competencies range from generally applicable individual skills such as time management andpresentation skills to qualities that are specific to internal auditors such as the ability to promote theIAA within the organization. Internal auditors also must have different competencies for satisfactoryperformance at various hierarchical positions in the IAA. As a guide for respondents, competencieswere defined in the survey as “skills essential to perform certain tasks.” The importance ofcompetencies is highlighted since it is one of four principles in The IIA’s Code of Ethics. The Codeof Ethics states that competency is when “internal auditors apply the knowledge, skills, andexperience needed in the performance of internal auditing services.” Respondents were unable toamend or add to the list of competencies that was given.
CAEs were asked to identify the five most important competencies they need to possess in orderto be successful as the leader of their IAA. They were also asked to identify the five most importantcompetencies that Audit Managers, Audit Seniors/Supervisors, and Audit Staff each need to performtheir jobs.
As shown in Table 2-6, CAEs commonly indicated as their most important competency the abilityto promote the IAA within the organization. This is consistent with the Standards. Standard 2000,Managing the Internal Audit Activity, states that the CAE “should effectively manage the internalaudit activity to ensure it adds value to the organization.” CAEs view the ability to be analytical andcommunicate as the most important competencies for Audit Seniors/Supervisors and the AuditStaff. Based on the CAEs’ responses, writing and analytical skills decline in importance as oneadvances in positional responsibility and status.
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 49
The Institute of Internal Auditors Research Foundation
Table 2-6Most Important Competencies by Staff Level
CAE Respondents (2,092 ) in Percentages
Competencies CAE Audit Audit AuditManager Senior/ Staff
Supervisor
Ability to promote the internal audit activity within 78.1 28.3 10.9 9.3the organizationAnalytical (ability to work through an issue) 24.9 31.5 47.7 63.9Change management 34.7 20.4 7.6 4.1Communication 60.3 46.7 43.2 51.9Conceptual thinking 38.0 20.7 16.1 17.8Conflict resolution 41.2 35.3 20.2 7.2Critical thinking 31.3 26.3 31.0 43.9Foreign language skills 13.4 10.8 8.1 12.4Keeping up to date with professional changes in 41.3 31.0 22.9 22.5opinions, standards, and regulationsOrganization skills 30.3 27.9 22.0 20.9Presentation skills 37.4 25.5 15.5 13.0Problem identification and solution 21.6 23.8 34.5 47.0Project planning and management 24.7 35.7 24.3 7.1Report development 13.0 23.0 27.3 22.1Time management 15.8 18.7 28.2 40.2Training and developing staff 30.1 38.2 20.9 2.6Understanding complex information systems 12.4 14.9 16.1 16.3Writing skills 23.6 24.2 32.0 51.0
Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
50 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 2-7Importance of Competencies to Perform Work
Practitioner Respondents in Means*
Competencies Audit Audit AuditManager Senior/ Staff
Supervisor
Ability to promote the internal audit activity 4.32 4.15 4.11within the organizationAnalytical (ability to work through an issue) 4.52 4.53 4.45Change management 4.03 3.89 3.72Communication 4.61 4.59 4.54Conceptual thinking 4.33 4.29 4.25Conflict resolution 4.27 4.24 4.13Critical thinking 4.48 4.43 4.36Foreign language skills 2.59 2.54 2.66Keeping up to date with professional changes 4.05 4.01 4.02in opinions, standards, and regulationsOrganization skills 4.15 4.13 4.13Presentation skills 4.13 4.03 4.02Problem identification and solution 4.50 4.48 4.44Project planning and management 4.13 4.02 3.84Report development 4.31 4.27 4.19Time management 4.26 4.25 4.21Training and developing staff 4.06 3.74 3.56Understanding complex information systems 3.79 3.73 3.65Writing skills 4.49 4.47 4.39
*The mean is the average response to: 1 = minimally important to 5 = very important.Note: Not all respondents answered for all the competencies. Total number of respondents was between 4,693 and4,735.
Practitioners, when asked to indicate the importance of the eighteen competencies to their own jobperformance at their current position in the organization, considered almost all of the competenciesequally important across the positional levels in the IAA. This is indicated by only marginal differencesacross staff levels in the means on Table 2-7. CAEs appear to be viewing competencies appropriatefor a positional level from a department manager’s perspective, while Practitioners appear to viewa variety of competencies necessary for their success.
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 51
The Institute of Internal Auditors Research Foundation
Knowledge Areas
This section looks at 19 areas of knowledge to determine which are important to internal auditorsfor the satisfactory performance of their job in the IAA. As indicated in Table 2-8, Practitionerswere asked to indicate the importance of these 19 areas of knowledge to perform their work attheir current position in their organization on a scale of 1 (minimally important) to 5 (very important).They were unable to amend or add to the list. Knowledge of auditing is overwhelmingly rankedfirst for Practitioner respondents at all levels, and Ethics is ranked second by all levels except forAudit Seniors/Supervisors where it is ranked third. Other knowledge areas consistently ranked inthe top five for all Practitioner respondents are internal auditing standards, technical knowledge foryour industry, and fraud awareness. There is an overall consistency of means for knowledge areasat all staff levels.
52 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 2-8Importance of Areas of Knowledge to Perform Work
Practitioner Respondents in Means*
Areas of Knowledge Audit Audit AuditManager Senior/ Staff
Supervisor
Accounting 3.83 3.77 3.71Auditing 4.68 4.66 4.61Business law and government regulation 3.68 3.70 3.68Business management 3.75 3.60 3.53Changes to professional standards 3.71 3.64 3.68Enterprise risk management 3.85 3.74 3.71Ethics 4.21 4.18 4.26Finance 3.70 3.68 3.64Fraud awareness 4.00 3.93 3.91Governance 3.95 3.80 3.77Human resource management 3.44 3.23 3.15Internal auditing standards 4.19 4.19 4.24Information technology 3.85 3.84 3.79Managerial accounting 3.35 3.30 3.27Marketing 2.70 2.60 2.64Organization culture 3.91 3.79 3.82Organizational systems 3.75 3.76 3.78Strategy and business policy 3.73 3.61 3.60Technical knowledge for your industry 3.97 3.92 3.96
*The mean is the average response to: 1 = minimally important to 5 = very important.Note: Not all respondents answered for all the knowledge areas. Total number of respondents was between 4,711 and4,751.
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 53
The Institute of Internal Auditors Research Foundation
Emerging Roles of the Internal Audit Activity
Changing Emphasis on Types of Audits
This section focuses on the anticipated changes in the demand for general types of audits that willbe performed by the IAA in the next three years. The definition of internal auditing in The IIA’s1999 report, A Vision for the Future: Professional Practices Framework for Internal Auditing,acknowledges the importance of assurance services and consulting engagements in the areas ofrisk management, governance, and controls. With this expansion of scope, audits are expected tobe performed by IAAs in these three areas. In order to assess the amount of staff, their requiredcompetencies, and the skills needed in the near future, the profession needs to anticipate changesin the demand for the IAA’s services. The IAA also must consider changes in their organizations’risk maturity profiles and stakeholder requirements. Table 2-9 shows the opinions of all respondentsto the question about whether they perceive the general types of audits performed by the IAA willincrease, decrease, or stay the same over the next three years.
Table 2-9Anticipated Changes in Types of Audits to Be Performed
Within the Next Three YearsAll Respondents in Percentages
Activity Total Increase Decrease Stay the TotalResponses Same Percent
Risk management 6,728 79.5 2.3 18.2 100.0Governance 6,704 63.2 4.0 32.8 100.0Regulatory compliance 6,698 46.9 11.7 41.4 100.0Operational auditing 6,715 46.2 14.7 39.1 100.0Review of financial processes 6,724 43.5 14.6 41.9 100.0
54 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Of respondents, 79.5% predict that the greatest increase in the type of audits performed in the nextthree years will be for risk management and 63.2% predict an increase in governance audits. Theincrease in these types of audits will need to be reflected in the IAA’s internal audit plan, resourcesallocated, and in the audit staff’s competencies. For many of the respondents, reviews of financialprocesses (43.5%), regulatory compliance (46.9%), and operational auditing (46.2%) show increases.Some respondents anticipate that less time will be spent on operational audits (14.7%), review offinancial processes (14.6%), and regulatory compliance audits (11.7%).
IAAs’ Emerging Roles in Organizations’ Activities
To gain an understanding of what roles IAAs have and will have in various types of activitiesperformed within the organization, respondents were provided with a list of important tasksperformed by organizations. They were asked to indicate if their IAA currently has a role in thearea, if the IAA will likely have a role in the next three years, or if it is unlikely that the IAA willhave a role. Role was defined as being within the IAA’s scope of work. The list was created byreviewing internal auditing literature and from the CBOK 2006 pilot survey. An overview of allresponses is shown in Table 2-10.
The respondents’ IAAs do some type of work in many of the areas listed. The four highest-ratedareas where respondents indicate that their IAAs currently perform audits are fraud prevention(69% of respondents), risk management (66.6%), regulatory compliance assessment monitoring(64%), and corporate governance (52.2%). Areas where respondents’ IAAs currently have lessdeveloped roles are globalization (15.3%), environmental sustainability (14%), and emerging markets(11.5%). For areas where there is no current IAA involvement, respondents indicate that 17.7% to38.1% of their IAAs plan some engagements in the next three years. Areas where the IAA’scurrent involvement is low and is expected to remain low are executive compensation (45.4%),environmental sustainability (39.9%), emerging markets (39.5%), globalization (35.2%), intellectualproperty and knowledge assessment (35.1%), and mergers and acquisitions (30.8%).
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 55
The Institute of Internal Auditors Research Foundation
Table 2-10Emerging Roles of the IAA
Total Responses in Percentages
Roles Total Currently Likely to Have Unlikely to Not TotalRespon- Have a Role a Role Within Have a Role Applicable
dents the Next 3Years
Alignment of strategy 6,500 23.1 35.2 30.1 11.6 100.0and performancemeasures (e.g., BalancedScorecard)Benchmarking 6,476 28.6 35.7 26.0 9.7 100.0Corporate governance 6,511 52.2 31.2 11.4 5.2 100.0Corporate social 6,415 23.6 31.6 33.8 11.0 100.0responsibilityDevelop training and 6,522 46.6 34.4 15.3 3.7 100.0education of organizationpersonnel (e.g., internalcontrols, risk management,regulatory requirements)Disaster recovery 6,490 34.0 26.1 29.0 10.9 100.0Evidential issues 6,385 39.8 23.9 23.5 12.8 100.0Emerging markets 6,426 11.5 22.5 39.5 26.5 100.0Environmental sustainability 6,436 14.0 24.7 39.9 21.4 100.0Executive compensation 6,429 16.0 17.7 45.4 20.9 100.0Fraud prevention/detection 6,530 69.0 22.9 5.7 2.4 100.0Globalization 6,431 15.3 21.1 35.2 28.4 100.0Intellectual property and 6,391 19.2 28.4 35.1 17.3 100.0knowledge assessmentIT management assessment 6,453 46.1 32.2 16.8 4.9 100.0Knowledge management 6,387 26.1 38.1 26.9 8.9 100.0systems development reviewMergers and acquisitions 6,437 18.4 23.7 30.8 27.1 100.0Project management 6,410 39.8 27.6 25.1 7.5 100.0Provide training to the 6,436 31.2 34.4 21.7 12.7 100.0audit committeeRegulatory compliance 6,442 64.0 23.0 9.2 3.8 100.0assessment monitoringRisk management 6,509 66.6 25.5 5.6 2.3 100.0Strategic frameworks 6,407 27.0 36.8 27.7 8.5 100.0
56 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Changing Legal Environment, Organization Systems, and Role of the IAA
Table 2-11 captures CAE and Audit Manager respondents’ agreement with statements about theirorganizations and their IAA. The question asked if a statement currently applies, is likely to applywithin the next three years, or will not apply in the foreseeable future. The respondents indicatethat 61.2% of the IAAs currently reside in countries that have mandatory laws or regulations thatrequire organizations to have an IAA and 13.1% anticipate their countries will have such requirementsin the next three years. Corporate governance codes are complied with in 67.7% of the organizationswith 22.7% of the respondents’ organizations anticipating compliance with corporate governancecodes in the next three years. In 70.5% of the respondents’ organizations, there is an internalcontrol framework and 24.3% indicate that their organizations will have a framework in the nextthree years. Assurance audits receive more emphasis than consulting services in 71.5% of theorganizations.
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 57
The Institute of Internal Auditors Research Foundation
Table 2-11How Statements Apply to Your Organization
CAEs’ and Audit Managers’ Agreement with Statements in Percentages
Statement Number of Currently Likely to Will Not Not TotalRespondents Applies Apply Apply in the Applicable
Within the ForeseeableNext 3 FutureYears
Internal auditing is required 3,464 61.2 13.1 12.9 12.8 100by law or regulation wherethe organization is based.Internal auditors in the 3,445 28.9 32.7 30.3 8.1 100organization have anadvisory role in strategydevelopmentThe organization complies 3,447 67.7 22.7 4.3 5.3 100with a corporate governancecode.The organization has 3,443 70.5 24.3 3.5 1.7 100implemented an internalcontrol framework.The organization has 3,423 25.6 43.9 20.6 9.9 100implemented a knowledgemanagement systemThe internal audit activity 3,424 34.0 32.3 18.5 15.2 100has provided training toaudit committee members.The internal audit activity 3,437 55.7 25.6 13.8 4.9 100assumes an important rolein the integrity of financialreporting.The internal audit activity 3,437 64.3 25.3 7.3 3.1 100educates organizationpersonnel about internalcontrols, corporategovernance, and complianceissues.The internal audit activity 3,448 71.5 15.2 8.4 4.9 100places more emphasis onassurance than consultingservices.
58 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
The IAAs (64.3% currently, 25.3% more in three years) educate the organizations’ personnelabout internal control, corporate governance, and compliance issues. Many IAAs (55.7% currently,25.6% more in three years) have an important role in the integrity of their organizations’ financialreporting. Internal auditors have growing advisory roles in strategy development (28.9% currently,32.7% more in three years) and training of audit committee members (34% currently, 32.3% morein three years). The top three statements that some respondents selected as will not apply in theforeseeable future are that internal auditors have a role in strategy development (30.3%), in thetraining of audit committee members (18.5%) and in the integrity of financial reporting (13.8%).
Summary
Compliance with The IIA’s International Standards for the Professional Practice of InternalAuditing is essential if the responsibilities of internal auditors to their organizations are to be met.Respondents strongly believed that their organizations comply overall with the Standards. Reasonsfor not using the Standards related to organizational attributes, such as management’s perceptionsthat the Standards do not add value, lack of adequate IAA staff, and that it is too time-consumingto comply with them. IAAs should strive to fully comply with the Standards. It appears thatStandard 1300, Quality Assurance and Improvement Program, is a barrier to full compliance formany organizations worldwide. Additional guidance with suggestions for less costly ways to complywith this standard could result in more members fully complying with the Standards.
The CBOK 2006 database provides information about the evolving role of internal auditing as avalue-added activity that helps an organization manage its risks and take advantage of opportunities.The profession of internal auditing is a rich resource for organizations as the IAA monitors theadequacy and effectiveness of management’s internal control framework and contributes to theintegrity of corporate governance; risk assessment; and financial, operating, and IT systems. TheCBOK 2006 database identifies the attributes of an effective IAA; internal auditor skills,competencies, and knowledge; internal audit tools and techniques; and the emerging roles of theIAA. This database can be used to inform the business community about what resources andservices the internal auditor can provide and what skills and knowledge are needed by internalauditing professionals. The database will be updated to document the evolution of global internalaudit practices. Future studies will build upon this baseline, allowing for comparison, analysis, andtrending.
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 59
The Institute of Internal Auditors Research Foundation
References
1. Morton, Peter, The New York Stars, camagazine.com,www.camagazine.com/index.cfm?ci_id=33982&la_id=1&print=true
2. Sams, Rachel, “New Accounting Laws Make Internal Auditors ‘Rock Stars,’” BaltimoreBusiness Journal, June 5, 2006,baltimore.bizjournals.com/baltimore/stories/2006/06/05/story3.html
3. The Institute of Internal Auditors, “By the Numbers,” IIA Insight, Vol. 1/November 2006, pp.8-9.
4. The Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs,FL: The Institute of Internal Auditors Research Foundation), 2005.
60 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 61
The Institute of Internal Auditors Research Foundation
CHAPTER 3SURVEY DEMOGRAPHICS
Introduction
The following is a summary of the demographics of the CBOK 2006 respondents and theirorganizations. The total number of responses to the CAE and Practitioner questionnaires was15,028. After consultation with an independent statistical expert, responses were determined to benot useable if the reply was blank or the respondent did not answer enough questions on importantsections such as the use and application of the Standards. Upon completion of this process, 9,366useable responses remained. This results in an overall 7.3% response from the 127,735 IIA memberson September 30, 2006. Due to some affiliates not participating and some members who haveopted not to receive e-mails from The IIA, the survey was sent to approximately 99,000 membersresulting in an estimated 9.5% response rate.
The overall purpose of the CBOK 2006 project is to develop the most comprehensive databaseever to capture a current view of the global state of the internal audit profession. The database willbe updated to recognize the evolution of global internal audit practices. Future studies will buildupon this baseline, allowing for comparison, analysis, and trending.
The number of respondents answering a specific question will often differ from the 9,366 totalrespondents in this study. This is due to the following reasons:
• Not all of those who participated in the survey answered all the questions asked. Resultsare shown and discussed only for those respondents who answered a particular surveyquestion.
• Not all questions were asked of all respondents.o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).o Some questions were asked of both CAEs and Practitioners
Some participants’ responses are presented according to the respondents’ position in the internalaudit activity (IAA). These more detailed summaries of results may be provided for the five
62 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
categories of respondents: CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, andOther. The respondents in the Other category consist primarily of other professional staff whosepositions are not captured by the traditional job titles included in the survey. A review of theircredentials indicates they may be members of the IAA, employed by service providers, or inorganizations where their titles are less traditional but with duties within internal auditing.
When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.For a list of groups, please refer to the inside back cover of the report. Some tables have additionaldetails. For example, Table 3-2 is the total of all respondents for that question with a related Table3-2-1 showing the responses by group. A table can have more than one related table, where thesecond related table would be Table 3-2-2. Additional related tables may be located in Appendix 3at the end of this chapter. A table that is in the Appendix can be clearly identified by an “A” at theend of its number. For example, Table 3-6-1-A is located in Appendix 3.
Included in this chapter is information about the respondents, their IAA, and their organizations inthe areas of:
• Duration of respondent’s IIA membership.• Age.• Highest level of formal education.• Academic major(s).• Professional qualification(s).• Area(s) of professional experience.• Hierarchical position of the IAA.• Years of experience as CAE.• Years organizations have had an IAA.• Organization type.• Service providers.• Industry classifications.• Geographical area(s) served by respondent organizations.• Legislation affecting internal auditing.
_____________________________________________ Chapter 3: Survey Demographics 63
The Institute of Internal Auditors Research Foundation
Staff Levels of Respondents
Respondents were asked about their position in their organization. As indicated in Figure 3-1,26.5% of the respondents are CAEs, 22.8% are Audit Managers, and 25.2% are Audit Seniors/Supervisors. These three highest positional levels combined represent 74.5% of respondents.Members of the Audit Staff comprise 18.2% of the respondents and Others 7.3%. As indicated inTable 3-5, the Other respondents have as many credentials or more credentials as those respondentswho identify themselves as Audit Seniors/Supervisors or Audit Staff.
Figure 3-1Staff Level
All Respondents (8,935) in Percentages
Audit Staff18.2%
Other7.3%
Chief AuditExecutive
26.5%
Audit Manager22.8%
Audit Senior/Supervisor
25.2%
64 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
IIA Membership
Figure 3-2 shows that 58.6% of the respondents became members of The IIA within the last 5years, 19.5% have been members for 6 to 10 years, and 15% have been members for 11 or moreyears. This relatively high number of new members can be linked to the surge in importance of theprofession. In June 2003, IIA membership was 82,645. It grew to 127,735 in September 2006, a54% increase in three years. D.L. Clemmons noted in The IIA’s November 2006 edition of IIAInsight that, “Since 2005 The IIA’s strategic objectives have been to raise the profile of internalauditing and The IIA itself through strong advocacy efforts, globalization, and service tomembers...membership has risen 20 percent.” Although distribution of the original survey instrumentwas only to IIA members, 6.9% of the respondents indicated they are not members of The IIA.
Figure 3-2Number of Years as a Member of The IIAAll Respondents (8,874) in Percentages
Percentage of Respondents
_____________________________________________ Chapter 3: Survey Demographics 65
The Institute of Internal Auditors Research Foundation
Table 3-1 indicates that more than three-fourths (76.5%) of the Audit Staff respondents have beenmembers of The IIA for 5 years or less. Forty-six point six percent of CAEs have been membersfor 5 years or less. Approximately one-fourth of the CAEs (24.3%) and Audit Managers (23.9%)and only 16.7% of the Other respondents have been IIA members for 6 to 10 years. One-fourth ofCAEs (25.7%), 17.1 % of Audit Managers and 21.7% of the Other respondents have been membersfor 11 or more years.
Table 3-1Number of Years as a Member of The IIA
All Respondents in Percentages
Number CAE Audit Audit Audit Staff Other Averageof Percent of Managers Senior/Supervisor Percent of Percent of Percent of
Years 2,357 Percent of Percent of 2,240 1,617 642 8,874Respondents 2,018 Respondents Respondents Respondents Total
Respondents Responses
5 or less 46.6 53.2 65.2 76.5 51.8 58.66 to 10 24.3 23.9 19.8 7.6 16.7 19.511 or 25.7 17.1 8.4 3.3 21.7 15.0moreNot a 3.4 5.8 6.6 12.6 9.8 6.9MemberTotal 100.0 100.0 100.0 100.0 100.0 100.0
66 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 3-1-1 provides an overview of the duration of IIA membership in each of the 13 groups. Thenumber of relatively new IIA members (5 years or less) is higher than the overall average ingroups 9 (83.5%), 7 (80.6%), 5 (74.8%), 12 (74.5%), 4 (72.5%), and 8 (72.4%). These groups mayrepresent a large number of countries where the internal audit profession is relatively new. Thenumber of respondents with a longer membership history in The IIA (6 years or more) are ingroups 10 (51.4%), 2 (48.6%), 6 (43.9%), 1 (43.4%), and 3 (43.0%). These groups appear torepresent countries where the internal audit profession is more established.
Table 3-1-1Number of Years as a Member of The IIA by Groups*
All Respondents in Percentages
Years 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
5 or less 56.6 51.4 57.0 72.5 74.8 56.1 80.6 72.4 83.5 48.6 68.2 74.5 18.56 to 10 20.4 19.2 25.6 23.4 23.4 25.0 14.8 19.6 10.2 31.3 20.2 14.9 5.111 or 23.0 29.4 17.4 4.1 1.8 18.9 4.6 8.0 6.3 20.1 11.3 10.6 3.4moreNot a 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.4 0.0 73.0MemberTotal 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate Affiliate or Chapter membership.
_____________________________________________ Chapter 3: Survey Demographics 67
The Institute of Internal Auditors Research Foundation
Age of the Respondents
Figure 3-3 provides an overview of the age of the survey respondents. The figure indicates that34.8% of the survey respondents are between the ages of 35 and 44, 27.8% are between 26 and34 years old, and 24.2% are between 45 and 54 years old. Only 9.3% are 55-64 years old, 3.5%are 25 years old or under, and as seen in Figure 3-3, 0.4% are older than 64.
Figure 3-3Age of Respondents
All Respondents (7,356) in Percentages
Percentage of Respondents
68 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 3-2 breaks down the respondents’ age information into the 5 categories of survey respondents.Based on this information, a positive relationship between the respondent’s age and position in theIAA can be ascertained. More than half of the audit staff (52.4%) is younger than 35 years old,while slightly more than half of the CAEs (50.4%) are older than 44 years old. The largest percentageof Audit Managers (41.5%) are between 35 and 44 years old.
Table 3-2Age of Respondents
All Respondents in Percentages
Number CAE Audit Audit Senior/ Audit Staff Other Averageof Percent of Manager Supervisor Percent of Percent of Percent of
Years 1,944 Percent of Percent of 1,376 535 7,356Respondents 1,653 1,848 Respondents Respondents Total
Respondents Respondents Responses
25 or less 0.4 0.5 3.3 11.2 4.7 3.526 to 34 11.0 25.8 39.2 41.2 20.2 27.835 to 44 38.2 41.5 32.1 26.4 33.8 34.845 to 54 34.5 23.6 18.9 16.3 27.3 24.255 to 64 15.1 8.5 6.2 4.8 12.5 9.365 or 0.8 0.1 0.3 0.1 1.5 0.4moreTotal 100.0 100.0 100.0 100.0 100.0 100.0
_____________________________________________ Chapter 3: Survey Demographics 69
The Institute of Internal Auditors Research Foundation
Table 3-2-1 specifies the average age of the respondents in each of the 13 groups. Group 9consists of relatively young respondents (35.2 years on average). Group 10 consists of relativelyolder respondents (46.1 years on average). This compares with the overall average age for allsurvey respondents of 40.5 years.
Table 3-2-1Average Age of Respondents by Group*
All Respondents in Percentages
Group* Average Age of theRespondents
1 41.62 42.93 37.44 39.95 38.26 42.67 39.98 40.89 35.210 46.111 38.812 37.3
N/C** 39.8Total 40.5
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate Affiliate or Chapter membership.
70 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Highest Level of Formal Education
The survey asked about the educational background of the respondents. Figure 3-4 shows thehighest level of formal education indicated by the respondents. Of the respondents, 38.1% haveobtained their bachelor’s degree in business, and 28.9% have obtained a master’s degree in business.Fourteen point three percent have a bachelor’s degree in a non-business subject and 9.4% have amaster’s degree in a non-business field.
Figure 3-4Respondents’ Highest Level of EducationAll Respondents (8,920) in Percentages
Percentage of Respondents
Doctoral Degree
_____________________________________________ Chapter 3: Survey Demographics 71
The Institute of Internal Auditors Research Foundation
Table 3-3 presents an overview of the highest level of education for each of the 5 categories ofrespondents surveyed. There appears to be no pronounced relationship between the respondents’highest level of education and their current position in the IAA. It also appears that for mostrespondents, a bachelor’s degree or comparable level of education is necessary to enter theprofession.
Table 3-3Respondents’ Highest Level of Education
All Respondents in Percentages
Level of CAE Audit Audit Senior/ Audit Staff Other AverageEducation Percent of Managers Supervisor Percent of Percent of Percent of
2,370 Percent of Percent of 1,623 649 8,920Respondents 2,029 2,249 Respondents Respondents Total
Respondents Respondents Responses
Secondary/ 5.1 4.1 4.0 7.0 5.6 5.0High SchoolBachelor’s/ 36.1 37.7 40.3 40.3 33.3 38.1BusinessBachelor’s/ 12.1 14.0 15.4 16.8 13.1 14.3Not BusinessMajorMaster’s/ 32.8 30.9 27.4 21.4 33.4 28.9Graduate/Diploma inBusinessMaster’s/ 9.0 9.7 9.5 9.4 9.7 9.4Graduate/Diploma inOther FieldsDoctoral 2.4 1.5 0.6 0.9 3.4 1.6DegreeOther 2.5 2.1 2.8 4.2 1.5 2.7Total 100.0 100.0 100.0 100.0 100.0 100.0
72 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Tabl
e 3-
3-1
prov
ides
the
educ
atio
nal p
rofil
e of
the
resp
onde
nts i
n ea
ch o
f the
13
grou
ps. S
ever
al d
iffer
ence
s am
ong
the
grou
ps c
an b
e hi
ghlig
hted
. Bac
helo
r’s d
egre
es in
bus
ines
s se
em to
be
dom
inan
t in
grou
p 4
(56.
3%),
whi
lem
aste
r’s d
egre
es in
bus
ines
s ar
e m
ore
prev
alen
t in
grou
ps 6
(48.
3%),
10 (4
4.7%
), an
d 5
(40.
9%).
Gro
up 1
2, w
ith83
.3%
of r
espo
nden
ts a
nd g
roup
1 w
ith 7
8.1%
of t
hose
resp
ondi
ng h
ave
eith
er a
bac
helo
r’s o
r mas
ter’s
deg
ree
inbu
sine
ss. G
roup
9 is
the o
nly
grou
p to
hav
e les
s tha
n 50
.5%
of r
espo
nden
ts w
ith a
degr
ee (b
ache
lor’s
or m
aste
r’s)
inbu
sine
ss.
Tabl
e 3-3
-1H
ighe
st L
evel
of F
orm
al E
duca
tion
by G
roup
*A
ll R
espo
nden
ts in
Per
cent
ages
Leve
l of
12
34
56
78
910
1112
N/C
**Ed
ucat
ion
Seco
ndar
y/H
igh
1.84.7
11.2
1.913
.97.2
0.410
.31.5
6.91.2
0.05.5
Scho
olB
ache
lor’s
/49
.341
.533
.856
.311
.515
.533
.631
.626
.722
.823
.241
.735
.3B
usin
ess
Bac
helo
r’s/N
ot13
.013
.616
.614
.14.6
3.726
.316
.531
.38.3
20.3
12.5
17.4
Bus
ines
s M
ajor
Mas
ter’
s/G
radu
ate/
28.8
28.5
24.7
19.3
40.9
48.3
21.8
27.7
23.7
44.7
34.2
41.6
20.1
Dip
lom
a in
Bus
ines
sM
aste
r’s/
Gra
duat
e/5.3
8.47.0
5.420
.614
.214
.210
.815
.312
.412
.62.1
13.8
Dip
lom
a in
Oth
erFi
elds
Doc
tora
l Deg
ree
0.90.5
0.80.8
3.67.0
0.81.9
1.51.4
1.60.0
1.4O
ther
0.92.8
5.92.2
4.94.1
2.91.2
0.03.5
6.92.1
6.5To
tal
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**N
/C =
Res
pond
ents
did
not
ind
icat
e A
ffili
ate
or C
hapt
er m
embe
rshi
p.
_____________________________________________ Chapter 3: Survey Demographics 73
The Institute of Internal Auditors Research Foundation
Academic Major(s)
Figure 3-5 lists the top six academic concentrations/majors indicated by survey respondents.Accounting is the most popular academic major (55.8%) followed by general business/management(27 %), finance (23.8%), economics (19.9%), auditing (17.8%), and internal auditing (12.7%).
Figure 3-5Top Six Academic Majors
All Respondents in Percentages
Note: Since respondents were able to select all the majors that apply, percentages may not add up to 100%.
Table 3-4 on the following page provides additional information about respondents’ academic majorsby staff level. A higher percentage of the CAEs (60.0%) and Audit Managers (59.9%) haveaccounting as a major than members of the Audit Staff (45.0%). Auditing as a major is morecommon for Audit Managers (22.1%) and CAEs (19.8%) than for the Audit Staff (12.5%).
Percentage of Respondents
74 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Tabl
e 3-4
Aca
dem
ic M
ajor
(s)
All
Res
pond
ents
in P
erce
ntag
es*
Maj
orCA
EA
udit
Aud
itA
udit
Staf
f*O
ther
*Av
erag
ePe
rcen
t of 2
,374
Man
ager
s*Se
nior
/Pe
rcen
t of 1
,626
Perc
ent o
f 651
Perc
ent o
fR
espo
nden
tsPe
rcen
t of 2
,033
Supe
rviso
r*R
espo
nden
tsR
espo
nden
ts8,
935
Tota
l*R
espo
nden
tsPe
rcen
t of 2
,251
Res
pons
esR
espo
nden
ts
Acc
ount
ing
60.0
59.9
55.1
45.0
57.5
55.8
Arts
or
3.5
3.5
3.2
4.6
4.8
3.9
Hum
aniti
esA
uditi
ng19
.822
.117
.912
.516
.917
.8C
ompu
ter
4.1
4.8
4.7
4.2
4.1
4.4
Scie
nce
Econ
omic
s24
.319
.317
.916
.520
.919
.9En
gine
erin
g3.
62.
74.
33.
73.
53.
6Fi
nanc
e25
.624
.324
.219
.524
.923
.8G
ener
al29
.426
.026
.625
.726
.627
.0B
usin
ess/
Man
agem
ent
Info
rmat
ion
7.1
10.1
9.8
7.7
9.8
8.9
Syst
ems
Inte
rnal
12.7
14.9
13.2
11.3
11.4
12.7
Aud
iting
Law
6.8
6.2
6.0
6.6
6.9
6.5
Mat
hem
atic
s/5.
45.
65.
54.
75.
45.
3St
atis
tics
Scie
nce o
r3.
42.
93.
03.
52.
83.
1Te
chni
cal
Fiel
dN
o D
egre
e2.
62.
22.
43.
51.
22.
5
* N
ote:
Sin
ce r
espo
nden
ts c
ould
mar
k al
l th
at a
pply
, pe
rcen
tage
s m
ay n
ot a
dd u
p to
100
%.
_____________________________________________ Chapter 3: Survey Demographics 75
The Institute of Internal Auditors Research Foundation
Table 3-4-1 shows the rankings of the top five academic majors for the groups. Accounting is themost prevalent major in most groups, except for group 9 (2nd place), group 5 (3rd place), andgroup 8 (4th place). In six of the groups, a general business/management major is second. Theimportance of a finance major varies among the groups. Three majors, accounting, general business/management, and finance, appear in the top 5 of all groups. Auditing appears in the rankings of 11of the groups. Despite the importance of technology, data management systems, and the accepteduse of computer auditing, a major in information systems only appears in the top 5 of group 1 (5thplace).
Table 3-4-1Rankings of theTop Five Academic Major(s) by Group*
All Respondents
Major 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Accounting 1 1 1 1 3 1 1 3 2 1 1 1 1Auditing 4 2 5 4 2 5 5 5 3 4 2Economics 4 3 4 1 3 1 1 3 5 5Finance 3 5 4 3 2 5 5 4 3 4 2 2 3General Business/ 2 2 5 2 4 2 4 2 4 2 4 3 4ManagementInformation Systems 5Internal Auditing 3 5 3 5
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate Affiliate or Chapter membership.
76 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Professional Qualifications
There are many professional organizations that have qualifying tests and certifications for individualsemployed in accounting and auditing. Survey respondents were asked about their own qualificationsand CAEs were asked about certification held by employees in their departments. The top fiveareas of respondents’ professional certification are shown in Figure 3-6. More than one-third(39.4%) of the respondents have a specific certification in internal auditing and about one-fourth(26.7%) of the respondents have a certification in public accounting/chartered accountancy. Internalauditing and public accounting are the most common areas for professional certification. A muchsmaller number of respondents have certifications in information systems auditing (10.2%),management/general accounting (5.4%), and fraud examination (5.3%).
Figure 3-6Top Five Areas of Professional Certification(s)
All Respondents in Percentages*
*Since respondents were able to select all the certifications that apply, percentages may not add up to 100%.
Percentage of Respondents
Fraud Examination
_____________________________________________ Chapter 3: Survey Demographics 77
The Institute of Internal Auditors Research Foundation
Tabl
e 3-5
pro
vide
s spe
cific
s abo
ut th
e pro
fess
iona
l qua
lific
atio
ns o
f the
5 ca
tego
ries o
f res
pond
ents
. Int
erna
l aud
iting
is th
e mos
t com
mon
certi
ficat
ion
for r
espo
nden
ts in
all 5
cate
gorie
s fol
low
ed b
y pu
blic
acco
untin
g/ch
arte
red
acco
unta
ncy
certi
ficat
ion.
The
pos
sess
ion
of ad
ditio
nal q
ualif
icat
ions
appe
ars m
ore c
omm
on as
indi
vidu
als p
rogr
ess p
rofe
ssio
nally
in th
e IA
A. F
or e
xam
ple,
mor
e C
AEs
(40.
6%) a
nd A
udit
Man
ager
s (4
6.4%
) hav
e an
inte
rnal
aud
iting
cer
tific
atio
nth
an m
embe
rs o
f the
Aud
it St
aff (
26.8
%).
Tabl
e 3-5
Prof
essio
nal Q
ualif
icat
ion(
s)A
ll R
espo
nden
ts in
Per
cent
ages
*
Type
of P
rofe
ssio
nal
CAE
Aud
itA
udit
Seni
or/
Aud
it St
aff*
Oth
er*
Aver
age
Qua
lific
atio
nPe
rcen
t of
Man
ager
s*Su
perv
isor
*Pe
rcen
t of
Perc
ent o
fPe
rcen
t of
2,37
4Pe
rcen
t of
Perc
ent o
f1,
625
651
8,93
4R
espo
nden
ts2,
033
2,25
1R
espo
nden
tsR
espo
nden
tsTo
tal*
Res
pond
ents
Res
pond
ents
Res
pons
es
Inte
rnal
Aud
iting
(suc
h as
CIA
/40
.646
.438
.926
.844
.239
.4M
IIA
/PII
A)
Info
rmat
ion
Syst
ems A
uditi
ng11
.012
.610
.54.
612
.410
.2(s
uch
as C
ISA
/QiC
A/C
ISM
)G
over
nmen
t Aud
iting
/Fin
ance
5.1
3.1
4.3
2.7
3.5
3.7
(suc
h as
CIP
FA/C
GA
P/C
GFM
)C
ontro
l Sel
f-as
sess
men
t (su
ch4.
85.
03.
62.
05.
24.
1as
CC
SA)
Publ
ic A
ccou
ntin
g/C
harte
red
38.3
32.7
23.0
11.0
28.7
26.7
Acc
ount
ancy
(suc
h as
CA
/CPA
/AC
CA
/AC
A)
Man
agem
ent/G
ener
al6.
26.
03.
63.
67.
85.
4A
ccou
ntin
g (s
uch
as C
MA
/C
IMA
/CG
A)
Acc
ount
ing
- Tec
hnic
ian
2.1
2.9
2.5
2.9
3.4
2.8
Leve
l (su
ch a
s C
AT/A
AT)
Frau
d Ex
amin
atio
n (s
uch
7.6
5.6
4.8
2.2
6.1
5.3
as C
FE)
* N
ote:
Sin
ce r
espo
nden
ts c
ould
mar
k al
l th
at a
pply
, pe
rcen
tage
s m
ay n
ot a
dd u
p to
100
%.
78 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Tabl
e 3-5
Prof
essio
nal Q
ualif
icat
ion(
s)A
ll R
espo
nden
ts in
Per
cent
ages
*
Type
of P
rofe
ssio
nal
CAE
Aud
itA
udit
Seni
or/
Aud
it St
aff*
Oth
er*
Aver
age
Qua
lific
atio
nPe
rcen
t of
Man
ager
s*Su
perv
isor
*Pe
rcen
t of
Perc
ent o
fPe
rcen
t of
2,37
4Pe
rcen
t of
Perc
ent o
f1,
625
651
8,93
4R
espo
nden
ts2,
033
2,25
1R
espo
nden
tsR
espo
nden
tsTo
tal*
Res
pond
ents
Res
pond
ents
Res
pons
es
Fina
ncia
l Ser
vice
s Aud
iting
5.0
3.7
3.1
1.3
0.4
2.7
(suc
h as
CFS
A/C
IDA
/CB
A)
Fello
wsh
ip (s
uch
as F
CA
/4.
22.
01.
20.
51.
11.
8FC
CA
/FC
MA
)C
ertif
ied
Fina
ncia
l Ana
lyst
0.8
0.4
0.3
0.4
1.7
0.7
(suc
h as
CFA
)
* N
ote:
Sin
ce r
espo
nden
ts c
ould
mar
k al
l th
at a
pply
, pe
rcen
tage
s m
ay n
ot a
dd u
p to
100
%.
_____________________________________________ Chapter 3: Survey Demographics 79
The Institute of Internal Auditors Research Foundation
Table 3-5-1 presents the rankings of the top five areas of professional qualifications for the groups.In only 2 of the groups (groups 7 and 11) is certification in public accounting/chartered accountancymore prevalent than internal auditing certification. The importance of certification in the areas ofinternal auditing (1st place), public accounting (2nd place), and information systems auditing (3rdplace) is consistent for 75% of the groups.
Table 3-5-1Rankings of the Top Five Professional Qualifications by Group*
All Respondents
Qualifications 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Internal Auditing (such 1 1 1 1 1 1 2 1 1 1 2 1 1as CIA/MIIA/PIIA)Information Systems 3 3 3 3 5 3 4 5 3 2 3 3 5Auditing (such asCISA/QiCA/CISM)Government Auditing/ 3 5 4Finance (such asCIPFA/CGAP/CGFM)Control Self-assessment 4 4 4 3 5(such as CCSAPublic Accounting/ 2 2 2 2 2 2 1 2 2 3 1 2 2Chartered Accountancy(such as CA/CPA/ACCA/ACA)Management/General 4 4 5 4 5 4 5 4Accounting (such asCMA/CIMA/CGA)Accounting - 5 5 3 3Technician Level (suchas CAT/AAT)Fraud Examination 4 5 4(such as CFE)Financial Services 5Auditing (such asCFSA/CIDA/CBA)Fellowship (such as 5 4FCA/FCCA/FCMA)
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate Affiliate or Chapter membership.
80 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Areas of Professional Experience
Table 3-6 lists the respondents’ average years of experience by business area. This data wascross-tabulated with the respondents’ current business sector.
Table 3-6Total Years of Professional Experience by Sector
All Respondents Average Responses
Type of Service Private Publicly Governmental Not-for- OverallExperience Provider Company Listed Profit Average
Company Response
Accounting 5.6 6.0 5.5 5.9 3.6 5.3Engineering 2.3 3.7 2.8 3.6 0.3 2.5External 5.4 4.5 3.1 5.6 1.1 3.9(Independent)AuditingFinance 4.7 5.1 5.1 4.7 2.2 4.4Information 4.4 5.3 5.5 4.4 1.7 4.3TechnologyInternal Auditing 5.4 6.4 6.7 7.2 4.9 6.1Management 5.2 6.1 6.0 6.4 3.4 5.4Other Professional 4.2 5.3 4.8 6.2 3.8 4.9Experience
The five areas in which respondents have the most business experience are:
• Internal auditing (6.1 years).• Management (5.4 years).• Accounting (5.3 years).• Other professional experience (4.9 years).• Finance (4.4 years).
_____________________________________________ Chapter 3: Survey Demographics 81
The Institute of Internal Auditors Research Foundation
This pattern is consistent for those currently employed by service providers, private companies,publicly listed companies, and governments. Service providers work on a contractual basis to assistorganizations with assurance and consulting engagements. The not-for-profit sector respondentsindicate less overall work experience.
In Appendix 3, Tables 3-6-1-A to 3-6-5-A provide an overview of the types of work experience foreach of the 5 categories of respondents tabulated by their current employer’s business sector.While Table 3-6-1-A shows the same top five types of professional experience for CAEs as theoverall average for all respondents in Table 3-6, CAEs have relatively more experience in each ofthe business areas.
For members of the Audit Staff, Table 3-6-4-A shows a different ranking for the top five types ofexperience than the overall average for all respondents in Table 3-6. Audit Staff members appearto have the most experience in professional areas other than those specified on the survey list. Forthe Audit Staff, accounting is the second most common area of experience and internal auditingand management are tied for third.
The respondents classified as Other in Table 3-6-5-A have significant years of experience inaccounting, internal auditing, and management. Other professional experience is also common forthese individuals. Such high levels of experience provides support that those respondents classifiedas “Other” are qualified individuals working in less traditional environments.
Years of Existence of IAA and Years of CAE Experience
Figure 3-7 on the following page lists the number of years the respondents’ IAAs have been inexistence. The largest numbers of respondents work for IAAs that have been in existence for 0-5 years (28.4%) and another 21% of the respondents work for IAAs that have been in existencefor 6-10 years. A total of 13.8% of respondent’s organizations have IAAs that have been inexistence for 31 or more years. This is a positive development for internal auditing as it shows thatgrowth has accelerated in the past 10 years. Given the corporate governance issues and regulatorydevelopments in recent years, this could be a reflection of the recognition by organizations andtheir boards of the need for internal audit.
82 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Figure 3-7Number of Years the IAA Has Existed in the Organization
All Respondents (7,747) in Percentages
A young department does not necessarily equate to an unskilled or weak department. NewerIAAs may employ more experienced CAEs who start an audit activity based on their priorexperiences and knowledge.
Table 3-7 provides the number of years respondent organizations have had IAAs by groups. Ingroup 5, respondents indicate that 60.5% of their IAAs are 0-5 years old and another 22.5% are 6-10 years old. Respondents in the other groups indicate between 20% - 33.9% of the IAAs arebetween 0-5 years old and an additional 16.1% - 33.1% indicate their IAAs are between 6-10years old. A review of the countries in each group and historical events explain some of thesedifferences since in some areas of the world, economies are more developed than others. InAppendix 3, Table 3-7-1-A shows the number of years respondent organizations have had IAAsby industry.
0-5 Years28.4%
41+ Years8.1%
31-40 Years5.7%
21-30 Years14.1%
11-20 Years22.7%6-10 Years
21.0%
_____________________________________________ Chapter 3: Survey Demographics 83
The Institute of Internal Auditors Research Foundation
Table 3-7Number of Years the IAA Has Existed by Groups*
All Respondents in Percentages
Morethan
Group Respon- 0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 50dents Years Years Years Years Years Years Years Years Years Years Years Total
1 3,025 23.8 16.1 10.9 12.6 9.2 8.9 3.1 4.8 .7 4.5 5.4 100.02 188 26.1 20.7 17.0 13.3 5.9 6.9 2.7 2.7 1.1 1.1 2.5 100.03 636 25.8 26.6 11.9 10.2 5.8 7.1 2.7 1.9 .5 4.2 3.3 100.04 347 25.6 33.1 15.9 13.3 3.2 3.5 1.2 2.0 .6 .8 .8 100.05 550 60.5 22.5 8.0 2.7 1.5 1.3 .0 1.1 .2 1.3 .9 100.06 423 23.6 18.0 10.4 7.6 8.0 11.6 3.1 2.6 .9 5.2 9.0 100.07 467 23.1 20.3 13.1 9.9 8.4 11.8 2.8 3.2 .6 2.6 4.2 100.08 910 32.7 25.3 14.3 11.1 5.5 3.7 1.9 1.3 .2 1.3 2.7 100.09 118 33.9 29.7 15.3 7.6 5.1 .8 .0 .0 .8 3.4 3.4 100.0
10 125 22.4 25.6 11.2 8.0 6.4 4.8 3.2 6.4 .0 3.2 8.8 100.011 226 28.8 24.3 11.9 10.2 5.8 8.4 1.3 4.0 .9 2.2 2.2 100.012 40 20.0 27.5 10.0 10.0 5.0 12.5 2.5 .0 7.5 2.5 2.5 100.0
N/C** 692 27.6 23.3 11.6 13.0 4.8 7.4 1.4 3.6 .6 3.3 3.4 100.0Overall 7,747 2,194 1,628 914 847 529 566 181 255 48 257 328Respondentsin CategoryOverall 28.4 21.0 11.8 10.9 6.8 7.3 2.4 3.3 .6 3.3 4.2 100.0Percent inCategory
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
84 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Figure 3-8 summarizes the respondents’ years of experience as CAEs. More than half (56%)indicated they have been a CAE for 5 years or less, 25% of CAE respondents have between 6 and10 years of CAE experience, and 19% of CAE respondents have more than 10 years of experiencein this position.
Figure 3-8Years of Experience as a CAE
CAE Respondents in Percentages
16 to 20 Years6%
21 or MoreYears3%
5 Years or Less56%
11 to 15 Years10%
6 to 10 Years25%
_____________________________________________ Chapter 3: Survey Demographics 85
The Institute of Internal Auditors Research Foundation
Figure 3-9 lists the average years of work experience for CAEs by groups. The overall averagenumber of years of experience as a CAE is 6.6 years. The CAEs in groups 5 (4.5 years) and 12(4.7 years) have less experience as a CAE than their peers. The CAEs in groups 6 (8.2 years), 10(8.1 years), and 11 (8.1 years) have relatively more experience as a CAE than the overall average.
Figure 3-9Average Years of Experience as a CAE by Groups*
CAE Respondents
*For a list of groups, please see the inside back cover. **N/C = Respondents did not indicate Affiliate or Chapter membership.
Average Years of Experience
86 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Types of Organizations
As indicated in Figure 3-10, when asked about their current employers, 38% of all respondentsindicate that they work for a publicly traded (listed) company, while 19.5% work for a privatelyheld (non-listed) company. Twenty-three percent of all respondents currently work in the publicsector and 10.5% work for a service provider or as a consultant. Internal auditing is performed bymembers of the IAA as well as by external service providers and consultants.
Figure 3-10Types of Organizations
All Participants (8.848) in Percentages
6.2%
23.0%
19.5%
38.0%
10.5%
2.8%
0% 5% 10% 15% 20% 25% 30% 35% 40%
Other
Not-for-Profit Organization
Public Sector / Government
Privately Held (Non-listed) Company
Publicly Traded (Listed) Company
Service Provider / Consultant
Percentage of Respondents
_____________________________________________ Chapter 3: Survey Demographics 87
The Institute of Internal Auditors Research Foundation
While Table 3-8 shows that sector representation is relatively consistent for all 5 categories ofrespondents, only 44.5% of the Other respondents work in traditional public or private companies.Publicly traded and private (non-listed) employers tend to represent approximately 53% to 60% ofthe other four categories. The Other four respondent categories have the highest percentage(17.3%) of respondents working for service providers. This is approximately double that of CAEs,Senior/Supervisors, and Audit Staff members.
Table 3-8Types of Organizations
All Respondents in Percentages
Type of CAE Audit Audit Audit Staff Other OverallOrganization Percent of Managers Senior/ Percent of Percent of Average
2,356 Percent of Supervisor 1,608 637 of Percent ofRespondents 2,016 Percent of Respondents Respondents 8,848
Respondents 2,231 TotalRespondents Responses
Service 8.8 13.5 9.2 8.3 17.3 10.5Provider/ConsultantPublicly 34.9 42.2 40.7 37.1 29.7 38.0Traded(Listed)CompanyPrivately 24.9 18.3 18.4 16.2 14.8 19.5Held(Non-listed)CompanyPublic Sector/ 21.9 18.5 23.7 30.3 20.6 23.0GovernmentNot-for-Profit 7.1 5.4 6.3 5.2 7.1 6.2OrganizationOther 2.4 2.1 1.7 2.9 10.5 2.8Total 100.0 100.0 100.0 100.0 100.0 100.0
88 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 3-8-1 summarizes information about the types of organizations represented within the groups.Compared to the overall average of respondents working for service providers/consultants (shownin Table 3-8 as 10.5%), group 4 (4.1%) is well below the overall average and group 11 (18.3%) issignificantly above the overall average. Publicly traded company representation is considerablybelow the overall average of 38% in group 2 (24.9%), while much above the overall average ingroups 4 (68.8%) and 11 (49.3%). Privately held company representation is greatly above theoverall average of 19.5% in groups 9 (38.1%) and 8 (30.8%). Compared to the public sectoroverall average of 23%, groups 4 (4.4%), 9 (10.3%), and 11 (12.9%) are much lower, and groups2 (42.7%), 10 (35.4%), and 3 (35.3%) are well above the overall average. Not-for-profit organizationsare represented significantly below the overall average of 6.2% in groups 5 (1.9%) and 10 (2.1%),but much above the overall average in group 12 (17.0%).
Table 3-8-1Types of Organizations by Group*All Respondents in Percentages
Type of 1 2 3 4 5 6 7 8 9 10 11 12 N/C**Organization
Service Provider/ 10.0 12.2 13.8 4.1 11.8 12.0 11.9 9.5 7.1 8.3 18.3 10.6 9.4ConsultantPublicly Traded 41.6 24.9 31.3 68.8 27.4 35.5 28.6 37.5 31.8 36.1 49.3 27.7 31.8(Listed) CompanyPrivately Held 14.8 11.3 12.0 16.9 23.5 25.6 28.7 30.8 38.1 14.6 13.7 19.2 23.9(Non-listed)CompanyPublic Sector/ 22.7 42.7 35.3 4.4 31.3 19.9 20.4 17.6 10.3 35.4 12.9 23.4 23.2GovernmentNot-for-Profit 8.9 7.0 4.4 3.3 1.9 5.7 5.6 3.4 3.2 2.1 3.3 17.0 5.3OrganizationOther 2.0 1.9 3.2 2.5 4.1 1.3 4.8 1.2 9.5 3.5 2.5 2.1 6.4Total 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate Affiliate or Chapter membership.
_____________________________________________ Chapter 3: Survey Demographics 89
The Institute of Internal Auditors Research Foundation
Service Providers of Internal Audit Services
Internal auditing is performed by members of the IAA as well as by external service providers. Asshown in Figure 3-11, 14% of the survey respondents provide internal audit services to clientorganizations. As some respondents did not answer all the questions, this percentage is close to butnot totally consistent with Figure 3-10, which indicates that 10.5% of respondents work for aservice provider or consulting company.
Figure 3-11Service Provider of Internal Audit Services
All Respondents (8,774) in Percentages
ServiceProvider14.0%
In-houseInternal
Audit Activity86.0%
90 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Age of OrganizationsTable 3-9 reports on how long respondents’ organizations have been in existence. A separatecorrelation test performed by the researchers confirmed that there is a relationship between howlong an organization has been in existence and how long the organization has had an IAA.
Table 3-9Number of Years Organizations Have Existed
All Respondents in Percentages
Number of Years Total Responses Percentage of TotalRespondents
0-5 590 7.26-10 856 10.511-15 648 7.916-20 496 6.121-25 321 3.926-30 442 5.431-35 299 3.736-40 355 4.341-45 165 2.046-50 461 5.6
More than 50 years 3,532 43.4Total 8,165 100.0
In Appendix 3, Table 3-9-1-A lists the number of years the respondents’ organizations have existedby group. Groups 1, 2, 6, and 10 have a large number of respondents (43.5% - 59.3%) working inorganizations that are more than 50 years old. Groups 4, 5, and 11 have respondents whoseorganizations have greater than 24% of their organizations (24.1% - 29.4%) that are less than 11years old. Respondents for group 12 indicate that none of their employer organizations are over 70years old.
_____________________________________________ Chapter 3: Survey Demographics 91
The Institute of Internal Auditors Research Foundation
Industry Classification(s)
The survey population covers a broad range of industries. Since the respondents were asked toselect all industries that applied to their organization, the total of the industries selected is greaterthan 100%. Figure 3-12 on the following page classifies survey respondents by the industry inwhich they work. The top 10 industries indicated by respondents are:
1. Banking/Financial Services/Credit Union (24.5%).2. Other (13.9%).3. Manufacturing (13.4%).4. Financial, Accounting, and/or Business Services (11.1%).5. Insurance (9.3%).6. Utilities (7.9%).7. Education (7.0%).8. Communication/Telecommunication (7.0%).9. Healthcare (6.4).
10. Retail/Wholesale (6.2%).
92 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Figu
re 3
-12
Indu
stry
Cla
ssifi
catio
nA
ll R
espo
nden
ts (8
,934
) in
Perc
enta
ges*
Perc
enta
ge o
f Res
pond
ents
*Res
pond
ents
wer
e ab
le t
o se
lect
all
the
clas
sifi
catio
ns t
hat
appl
y, r
esul
ting
in a
tot
al g
reat
er t
han
100%
.
_____________________________________________ Chapter 3: Survey Demographics 93
The Institute of Internal Auditors Research Foundation
Table 3-10 indicates that this pattern is basically consistent for all 5 categories of respondents.
Table 3-10Industry Classification
All Respondents in Percentages
Industry CAE* Audit Audit Senior/ Audit Staff* Other* AverageClassification Percent of Manager* Supervisor* Percent of Percent of Percent of
2,374 Percent of Percent of 1,625 651 8,934Respondents 2,033 2,251 Respondents Respondents Total
Respondents Respondents Responses*
Agricultural/ 2.9 3.0 2.7 2.7 3.8 3.0ForestryBanking/ 25.3 25.3 24.8 26.5 20.6 24.5FinancialServices/Credit UnionBuilding and 5.4 5.3 3.8 3.1 3.4 4.2ConstructionCommunication/ 6.8 9.0 6.6 6.5 6.0 7.0Telecommuni-cationConsumer 5.6 6.5 4.1 3.1 4.6 4.8GoodsEducation 8.1 5.3 5.0 5.0 11.7 7.0Financial, 7.8 10.1 10.2 10.3 17.2 11.1Accounting,and/or BusinessServicesHealthcare 6.4 7.7 6.3 5.4 6.0 6.4Hospitality/ 4.3 4.6 2.6 2.5 2.9 3.4Leisure/TourismInsurance 9.2 10.3 11.2 10.3 5.4 9.3Manufacturing 14.3 14.4 13.1 11.5 13.8 13.4Mining and Oil 4.5 5.0 5.4 3.0 4.5 4.5Non- 1.0 1.7 0.8 0.7 1.7 1.2professionalServices
*Note: Since respondents could mark all that apply, percentages may not add up to 100%.
94 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 3-10 (Cont.)Industry Classification
All Respondents in Percentages
Industry CAE* Audit Audit Senior/ Audit Staff* Other* AverageClassification Percent of Manager* Supervisor* Percent of Percent of Percent of
2,374 Percent of Percent of 1,625 651 8,934Respondents 2,033 2,251 Respondents Respondents Total*
Respondents Respondents Responses
Pharmaceutical/ 3.4 3.7 2.5 1.9 3.1 2.9ChemicalProfessional 4.7 4.9 3.6 3.2 5.8 4.4ServicesReal Estate 4.0 4.1 2.8 2.4 2.5 3.2Retail/Wholesale 6.7 8.8 6.4 4.3 4.6 6.2Technology 5.5 6.1 4.3 3.9 5.2 5.0Trade Services 2.6 2.7 1.6 1.3 1.7 2.0Transport and 7.0 5.9 5.3 5.5 4.8 5.7LogisticsUtilities 7.5 8.4 8.3 7.6 7.8 7.9Other 14.2 12.1 12.5 14.8 16.1 13.9
*Note: Since respondents could mark all that apply, percentages may not add up to 100%.
Table 3-10-1 provides an overview of the industry representation in each of the groups. The largestgroup of respondents overwhelmingly work in the manufacturing sector in groups 4 (46.8%) and11 (31.3%). These are significantly larger percentages than the total respondents’ average formanufacturing of 13.4% shown in Figure 3-12. The banking/financial services/credit union sectoris considerably above the total respondents’ average of 24.5% in groups 7 (37.9%) and 6 (36.7%)but considerably below the average in group 4 (9.1%). The education sector is well represented ingroup 2 (15.8%) which is well above the total respondents’ average of 7%. In groups 4 (3.8%) and7 (5.3%), the financial, accounting, and/or business services industry is less prevalent than elsewherewhen compared with the total respondents’ average of 11.1%. The insurance industry has muchless representation in groups 11 (4.0%), 5 (4.9%), and 4 (5.9%) than the total respondents’ averageof 9.3%. In groups 4 (2.2%) and 9 (3%), organizations with employees in the utilities sector ismuch lower than the average of 7.9% for all respondents.
_____________________________________________ Chapter 3: Survey Demographics 95
The Institute of Internal Auditors Research Foundation
Table 3-10-1Industry Classification by Group*All Respondents in Percentages
Industry 1 2 3 4 5 6 7 8 9 10 11 12 N/C**Classification
Agricultural/ 2.6 5.1 4.9 0.8 3.3 2.2 5.9 1.6 1.5 4.1 2.4 8.3 1.6ForestryBanking/Financial 22.2 20.5 22.3 9.1 25.0 36.7 37.9 27.3 30.3 25.3 21.3 22.9 21.1Services/CreditUnionBuilding and 3.3 8.4 5.3 3.0 5.6 2.4 6.6 4.5 8.3 6.2 10.4 2.1 2.9ConstructionCommunication/ 4.6 6.1 7.4 5.4 9.1 5.8 10.0 13.1 5.3 8.9 10.4 10.4 5.2TelecommunicationConsumer Goods 3.8 6.1 3.4 3.2 4.3 3.9 8.9 5.6 14.4 4.8 13.7 2.1 3.4Education 8.1 15.8 9.4 2.2 3.3 3.7 5.5 1.7 2.3 8.2 8.0 12.5 3.2Financial, 10.8 11.2 15.0 3.8 9.1 8.9 5.3 8.2 9.1 10.3 14.1 16.7 6.7Accounting,and/or BusinessServicesHealthcare 8.7 13.0 7.8 1.3 3.6 6.7 5.1 3.2 4.6 5.5 5.2 4.2 2.5Hospitality/ 3.4 5.6 4.9 2.2 2.8 1.5 2.3 3.9 7.6 3.4 9.2 2.1 1.7Leisure/TourismInsurance 11.3 10.7 8.6 5.9 4.9 10.4 7.0 13.3 10.6 15.1 4.0 6.3 5.7Manufacturing 11.8 9.3 8.4 46.8 11.7 10.6 12.1 9.1 13.6 13.7 31.3 6.3 10.6Mining and Oil 3.4 5.6 6.8 2.7 8.1 1.9 9.1 4.6 6.1 4.8 7.2 10.4 1.9Non-professional 0.6 5.1 1.5 1.3 0.5 0.7 1.5 1.5 0.0 1.4 1.6 2.1 1.2ServicesPharmaceutical/ 2.0 1.9 2.2 1.9 3.1 5.0 4.4 4.2 4.6 1.4 5.6 0.0 3.0ChemicalProfessional 4.4 9.3 4.5 4.8 2.8 2.8 6.1 2.4 2.3 4.1 5.2 4.2 3.7ServicesReal Estate 3.0 3.7 3.3 1.9 2.6 2.6 4.0 3.4 4.6 8.9 4.0 4.2 2.9Retail/Wholesale 7.0 8.4 7.2 4.8 6.9 4.3 7.6 4.1 12.9 4.8 9.2 2.1 4.2Technology 5.2 6.1 4.9 4.0 2.8 3.7 4.2 5.3 3.8 4.8 14.1 2.1 3.0Trade Services 0.9 2.8 2.3 2.7 3.3 0.9 4.4 3.0 5.3 1.4 7.2 0.0 1.4Transport and 4.0 9.8 7.5 3.2 6.4 7.1 4.9 9.6 4.6 7.5 9.6 16.7 4.2LogisticsUtilities 7.7 10.2 5.4 2.2 12.2 5.8 9.7 12.1 3.0 5.5 6.4 4.2 4.8Other 13.3 23.3 20.3 6.2 14.5 13.0 11.0 10.7 15.2 15.8 12.9 12.5 9.0
Note: Since respondents could mark all that apply, percentages may not add up to 100%.*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate Affiliate or Chapter membership.
96 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Geographical Area Served by Organization
Recognizing that companies compete differently, in part based on the locations they serve, datawas collected on the geographical areas served by the respondents’ organizations. Their responsesare shown in Figure 3-13. Of the respondents, 39.2% of the respondents indicate that their employeroperates on an international/multinational scale, while 29.1% of employers operate on a nationalscale. The remaining 31.7% operate on a local, state/provincial, or regional basis.
Figure 3-13Geographical Area Served by the Organization
All Respondents (8,750) in Percentages
Table 3-11 indicates that the geographical regions served by the organizations employing therespondents are fairly consistent. Table 3-11-1 provides more detail on the geographical areaserved by the organizations for each of the 13 groups. Comparing these two tables, international/multinational companies represent more than half of the respondents in groups 6 (58.6%) and 8(53.4%) compared to the average percentage of 39.2% for all respondents. National companiesseem to be more prevalent than the total average percentage of 29.1% in groups 10 (42.6%) and12 (41.2%), while group 6 (19.7%) is well under the average percentage. Companies servingstate/provincial regions are significantly above the average percentage response (10.9%) in group2 (23.1%).
Percentage of Respondents
_____________________________________________ Chapter 3: Survey Demographics 97
The Institute of Internal Auditors Research Foundation
Tabl
e 3-1
1G
eogr
aphi
cal A
rea
Serv
ed b
y th
e Org
aniz
atio
nA
ll R
espo
nden
ts in
Per
cent
ages
Are
aCA
EA
udit
Man
ager
sA
udit
Seni
or/
Aud
it St
aff
Oth
erAv
erag
ePe
rcen
t of
Perc
ent o
fSu
perv
isor
Perc
ent o
fPe
rcen
t of
Perc
ent o
f2,
326
2,00
4Pe
rcen
t of
1,58
862
08,
750
Tota
lR
espo
nden
tsR
espo
nden
ts2,
212
Res
pond
ents
Res
pond
ents
Res
pond
ents
Res
pond
ents
Loc
al14
.68.
99.
411
.116
.612
.1St
ate/
Prov
inci
al11
.88.
910
.311
.911
.610
.9Re
gion
al10
.76.
89.
38.
28.
78.
7N
atio
nal
27.0
29.7
27.3
32.9
28.4
29.1
Inte
rnat
iona
l/35
.945
.743
.735
.934
.739
.2M
ultin
atio
nal
Tota
l10
0.0
100.
010
0.0
100.
010
0.0
100.
0
Tabl
e 3-1
1-1
Geo
grap
hica
l Are
a Se
rved
by
Gro
up*
All
Res
pond
ents
in P
erce
ntag
es
Are
a1*
23
45
67
89
1011
12N
/C**
Loca
l14
.69.
413
.519
.46.
84.
87.
22.
37.
45.
021
.313
.013
.2St
ate/
Prov
inci
al17
.323
.18.
23.
214
.47.
91.
90.
82.
54.
31.
72.
26.
6Re
gion
al11
.04.
35.
19.
18.
59.
07.
86.
012
.32.
88.
84.
69.
3N
atio
nal
22.4
33.0
33.4
26.1
34.6
19.7
36.9
37.5
37.7
42.6
28.0
41.2
34.9
Inte
rnat
iona
l/M
ultin
atio
nal
34.7
30.2
39.8
42.2
35.7
58.6
46.2
53.4
40.1
45.3
40.2
39.0
36.0
Tota
l10
0.0
100.
010
0.0
100.
010
0.0
100.
010
0.0
100.
010
0.0
100.
010
0.0
100.
010
0.0
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**N
/C =
Res
pond
ents
did
not
ind
icat
e A
ffili
ate
or C
hapt
er m
embe
rshi
p.
98 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
References
1. Clemmons, D.L., “2006 A year of growth and change,” IIA Insight, Vol. 1/November 2006, p. 5.
_____________________________________________ Chapter 3: Survey Demographics 99
The Institute of Internal Auditors Research Foundation
APPENDIX 3
Table 3-6-1-ATotal Years of Professional Experience by Sector
CAEs’ Average Responses
Type of Service Private Publicly Governmental Not-for- AverageExperience Provider Company Listed Profit Response
Company
Accounting 7.3 6.9 6.8 6.9 4.5 6.5Engineering 5.0 4.9 3.8 4.6 1.0 3.9External 7.1 6.2 4.4 7.5 1.8 5.4(Independent)AuditingFinance 6.1 6.8 6.8 6.1 2.7 5.7Information 5.8 6.1 4.9 4.2 3.5 4.9TechnologyInternal Auditing 6.9 8.1 8.3 8.9 7.1 7.9Management 6.9 7.5 7.2 8.2 5.2 7.0Other Professional 5.2 6.7 5.4 6.7 4.4 5.7Experience
Table 3-6-2-ATotal Years of Professional Experience by Sector
Audit Managers’ Average Response
Type of Service Private Publicly Listed Governmental Not-for- AverageExperience Provider Company Company Profit Response
Accounting 6.0 6.2 5.7 5.7 4.0 5.5Engineering 1.9 3.3 3.5 4.7 0.5 2.8External 4.9 4.8 3.0 5.4 1.0 3.8(Independent)AuditingFinance 4.7 5.0 4.7 4.6 1.7 4.1Information 4.4 5.8 7.1 5.8 1.8 5.0TechnologyInternal 5.9 7.4 7.8 8.0 4.8 6.8AuditingManagement 5.0 6.1 6.5 6.2 3.9 5.5Other 3.4 4.7 4.7 6.9 3.6 4.7ProfessionalExperience
100 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 3-6-3-ATotal Years of Professional Experience by SectorAudit Supervisors’/Seniors’ Average Response
Type of Service Private Publicly Listed Governmental Not-for- AverageExperience Provider Company Company Profit Response
Accounting 4.7 5.0 4.6 5.6 2.7 4.5Engineering 1.8 4.6 3.7 3.7 0.3 2.8External 4.1 3.5 3.2 4.7 1.3 3.4(Independent)AuditingFinance 4.2 3.7 4.2 4.0 1.8 3.6Information 4.6 5.0 5.7 4.1 1.7 4.2TechnologyInternal 3.3 5.4 5.5 6.9 4.2 5.1AuditingManagement 4.5 5.1 4.7 6.0 2.1 4.5Other 3.2 4.7 4.8 4.3 3.3 4.1ProfessionalExperience
Table 3-6-4-ATotal Years of Professional Experience by Sector
Audit Staffs’ Average Response
Type of Service Private Publicly Listed Governmental Not-for- AverageExperience Provider Company Company Profit Response
Accounting 3.2 5.1 4.1 4.9 2.2 3.9Engineering 1.2 2.3 0.9 2.4 0.0 1.4External 2.7 2.4 1.4 2.7 0.3 1.9(Independent)AuditingFinance 3.1 3.6 3.5 3.9 1.3 3.1Information 2.8 4.6 4.4 3.7 0.6 3.2TechnologyInternal 3.3 3.4 3.5 4.7 2.3 3.4AuditingManagement 3.1 4.1 3.3 5.1 1.5 3.4Other 4.9 5.0 4.5 6.8 2.1 4.7ProfessionalExperience
_____________________________________________ Chapter 3: Survey Demographics 101
The Institute of Internal Auditors Research Foundation
Table 3-6-5-ATotal Years of Professional Experience by Sector
Others’ Average Response
Type of Service Private Publicly Listed Governmental Not-for- AverageExperience Provider Company Company Profit Response
Accounting 7.3 6.8 5.5 6.9 6.2 6.5Engineering 3.5 3.3 2.7 2.5 0 2.4External 6.4 3.1 3.1 7.1 1.1 4.2(Independent)AuditingFinance 6.1 6.5 5.6 4.6 4.4 5.4Information 4.4 4.7 5.1 4.6 1.5 4.1TechnologyInternal 5.4 7.0 7.0 6.3 4.8 6.1AuditingManagement 5.7 6.9 6.4 5.4 4.8 5.8Other 4.6 4.7 4.8 6.5 7.8 5.7ProfessionalExperience
102 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Tabl
e 3-7
-1-A
Num
ber o
f Yea
rs th
e IA
A H
as E
xist
ed b
y In
dust
ryA
ll R
espo
nden
ts in
Per
cent
ages
0-5
6-10
11-1
516
-20
21 -2
526
-30
31-3
536
-40
41-4
546
-50
Mor
eYe
ars
Year
sYe
ars
Year
sYe
ars
Year
sYe
ars
Year
sYe
ars
Year
sth
an 5
0Y
ears
Num
ber
of R
espo
nden
ts2,
191
1,62
891
484
752
956
618
125
548
257
328
Agr
icul
tura
l/For
estry
2.6
3.1
3.1
2.2
1.9
3.5
2.8
3.5
4.2
3.5
2.4
Ban
king
/Fin
anci
al S
ervi
ces/
Cre
dit U
nion
17.4
21..9
26.7
27.3
27.8
32.7
26.5
34.9
41.7
37.7
44.5
Bui
ldin
g an
d C
onst
ruct
ion
5.8
4.8
4.5
5.1
1.7
3.4
2.2
5.5
6.3
3.1
3.4
Com
mun
icat
ion
and
Tele
com
mun
icat
ions
8.8
9.4
7.4
5.4
6.2
4.6
6.6
6.7
0.0
3.5
4.9
Con
sum
er G
oods
5.8
5.8
4.8
5.3
2.5
2.3
3.3
5.5
2.1
3.5
4.3
Educ
atio
n5.
15.
86.
37.
76.
47.
49.
99.
08.
35.
44.
0Fi
nanc
ial,
Acc
ount
ing,
or B
usin
ess
10.2
10.4
9.8
7.8
7.9
9.2
9.4
9.8
6.3
8.9
9.8
Serv
ices
Hea
lthca
re7.
97.
05.
46.
74.
75.
75.
05.
52.
14.
35.
2H
ospi
talit
y/Le
isur
e/To
uris
m3.
65.
04.
93.
21.
71.
9.6
3.5
2.1
1.6
1.8
Insu
ranc
e7.
48.
512
.412
.311
.710
.47.
712
.26.
38.
910
.7M
anuf
actu
ring
16.1
16.0
14.0
13.1
8.5
8.3
9.4
12.9
8.3
12.8
11.6
Min
ing
and
Oil
5.5
3.9
4.2
5.8
3.2
5.7
1.1
3.9
6.3
4.3
2.4
Non
-pro
fess
iona
l Ser
vice
s1.
1.7
1.4
1.4
.8.5
1.7
1.2
4.2
.41.
2Ph
arm
aceu
tical
/Che
mic
al3.
62.
92,
73.
31.
71.
93.
94.
32.
12.
32.
7Pr
ofes
sion
al S
ervi
ces
4.6
5.4
4.3
3.4
2.3
3.4
2.2
3.1
0.0
2.7
3.0
Rea
l Est
ate
4.3
2.8
3.5
3.8
2.3
1.9
2.2
4.3
4.2
1.6
3.0
Ret
ail/W
hole
sale
7.2
7.2
6.3
5.9
4.5
5.3
3.3
11.0
12.5
5.8
8.5
Tech
nolo
gy5.
95.
94.
55.
02.
54.
13.
34.
70.
03.
55.
8Tr
ade S
ervi
ces
2.4
2.9
1.9
1.8
.91.
22.
22.
70.
0.8
2.1
Tran
spor
t and
Log
istic
s6.
87.
06.
55.
04.
36.
06.
67.
12.
14.
73.
4U
tiliti
es8.
75.
87.
87.
47.
09.
98.
810
.68.
313
.29.
5O
ther
15.0
13.1
13.9
12.6
11.2
12.2
14.9
10.6
10.4
8.9
11.9
_____________________________________________ Chapter 3: Survey Demographics 103
The Institute of Internal Auditors Research Foundation
Table 3-9-1-ANumber of Years Organizations Have Existed by Groups*
All Respondents in Percentages
Group Respondents 0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 More TotalYears Years Years Years Years Years Years Years Years Years than
50Years
1 3241 4.4 6.8 4.7 4.8 3.9 5.0 3.7 4.8 1.7 5.7 54.5 100.02 189 8.5 11.1 3.7 6.3 3.7 6.9 4.2 2.6 2.1 7.4 43.5 100.03 648 8.3 13.1 9.3 5.9 5.4 5.1 3.1 5.2 1.4 5.7 37.5 100.04 354 11.6 17.8 9.9 12.7 3.4 9.0 5.9 5.1 4.0 3.7 16.9 100.05 552 12.0 17.4 24.8 6.7 2.2 3.1 2.2 3.1 1.1 4.3 23.1 100.06 434 4.8 8.5 6.0 2.5 1.8 4.4 2.5 3.7 .9 8.5 56.4 100.07 504 6.0 14.1 10.3 5.0 4.0 6.7 5.0 3.4 3.6 6.5 35.4 100.08 954 11.3 10.6 7.0 6.2 3.6 5.8 2.5 4.8 1.5 5.6 41.1 100.09 125 8.0 9.6 7.2 13.6 11.2 3.2 7.2 1.6 5.6 8.0 24.8 100.0
10 135 6.7 6.7 3.7 4.4 3.0 3.7 5.2 1.5 3.7 2.2 59.2 100.011 228 11.4 12.7 10.1 11.0 8.3 6.1 5.7 6.1 4.8 4.8 18.8 100.012 39 5.1 10.3 7.7 10.3 5.1 15.4 10.3 10.3 7.7 0.0 17.8 100.0
N/C** 762 8.7 14.3 9.4 7.9 3.5 6.2 3.1 3.3 1.8 5.4 36.4 100.0Total/ 8165 590 856 648 496 321 442 299 355 165 461 3532
OverallRespondentsin Category
OverallPercent inCategory 7.2 10.5 7.9 6.1 3.9 5.4 3.7 4.3 2.0 5.6 43.4 100.0
*For a list of affiliate groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
104 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 105
The Institute of Internal Auditors Research Foundation
CHAPTER 4THE PROFESSIONAL PRACTICES
FRAMEWORK
Introduction
The Institute of Internal Auditors’ (IIA) (2005) Professional Practices Framework (PPF) consistsof the Definition of Internal Auditing, The IIA’s Code of Ethics, International Standards for theProfessional Practice of Internal Auditing (Standards), and Practice Advisories.” The IIA’sCode of Ethics and the Standards are considered mandatory by The IIA for all those who provideinternal auditing services. Guidance regarding how the Standards might be applied is included inPractice Advisories that are issued by The IIA’s Professional Issues Committee. The PracticeAdvisories are endorsed by The IIA and are strongly recommended.
This chapter first summarizes the extent to which respondents use and are in compliance with TheIIA’s Standards and the related Practice Advisories as of September 2006, when the CBOKquestionnaires were distributed. Next, respondents’ opinions regarding the adequacy of the guidanceprovided in the Standards and Practice Advisories is presented. Then there is a discussion of thereasons why some respondents do not comply with the Standards. Another section reviewsrespondents’ compliance with Standard 1300, Quality Assurance and Improvement Program. Thechapter concludes with a brief discussion about affiliate responses concerning their areas’compliance with The IIA’s Code of Ethics. For reference, The IIA’s Standards, Practice Advisories,and Glossary to the Standards as of September 2006 are included in Appendix 4-A located at theend of this chapter. The Standards employ terms that have been given specific meanings that areincluded in the Glossary.
Diverse legal and cultural variations together with the purpose, size, and structure of organizationsmay affect the practice of internal auditing. The IIA regards full compliance with the Standards asessential for internal audit activities (IAAs) to meet their responsibilities to their organizations. Ifinternal auditors are prohibited by law or regulation from complying with certain parts of theStandards, The IIA believes they should comply with all other parts of the Standards and makeappropriate disclosures.
106 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
The Standards were developed to serve the following purposes:
• Delineate basic principles that represent the practice of internal auditing as it should be.• Provide a framework for performing and promoting a broad range of value-added internal
audit activities.• Establish the basis for the evaluation of internal audit performance.• Foster improved organizational processes and operations.
The Standards are continuously reviewed to determine when a revision is necessary. The lastmajor revision occurred when the Board of Directors of The IIA voted to approve a new definitionof internal auditing in 1999 and to update the PPF. The IIA considered the new Standards mandatoryfor all those that provide internal auditing services as of January 1, 2004. In December 2005, TheIIA’s Executive Committee approved a plan to revise The IIA’s current guidance structure.
The Standards consist of Attribute Standards, Performance Standards, and ImplementationStandards. The Attribute Standards address the characteristics of organizations and partiesperforming internal audit services. The Performance Standards describe the nature of internalaudit services and provide quality criteria against which the performance of these services may beevaluated. Implementation Standards expand on the Attribute and Performance Standards byproviding guidance on specific types of engagements for assurance and consulting. The Attributeand Performance Standards apply to all internal audit activities and are divided into the followingcategories:
Attribute Standards
1000 – Purpose, Authority, and Responsibility1100 – Independence and Objectivity1200 – Proficiency and Due Professional Care1300 – Quality Assurance and Improvement Program
Performance Standards
2000 – Managing the Internal Audit Activity2100 – Nature of Work2200 – Engagement Planning2300 – Performing the Engagement2400 – Communicating Results2500 – Monitoring Progress2600 – Resolution of Management’s Acceptance of Risks
_______________________________ Chapter 4: The Professional Practices Framework 107
The Institute of Internal Auditors Research Foundation
CBOK 2006 Survey Questions Related to the Standards
The main objective of the CBOK 2006 study is to develop a summary of the global practice ofinternal auditing around the world. The questions included in the CBOK survey pertaining to theStandards were developed to determine the following:
• The extent to which internal auditors and their internal audit activities (IAAs) comply withthe Attribute Standards, Performance Standards, and Practice Advisories.
• The level of compliance by internal auditors and their IAAs with individual Standards andPractice Advisories.
• Whether or not the guidance in the Standards is perceived by users to be adequate.• The reasons for noncompliance with the Standards.• Whether internal auditors and IAAs comply with the standards relating to quality assurance
and improvement program.
The number of respondents answering a specific question will often differ from the 9,366 totalrespondents in this study. This is due to the following reasons:
• Not all of those that participated in the survey answered all the questions asked. Resultsare shown and discussed only for those respondents who answered a particular surveyquestion.
• Not all questions were asked of all respondents:o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).o Some questions were asked of both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA.These more detailed summaries of results may be provided for the five categories of respondents:CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in theOther category consist primarily of other professional staff whose position is not captured by thetraditional job titles included in the survey. A review of their credentials indicates they may bemembers of the IAA, employed by service providers, or in organizations where their titles are lesstraditional but with duties within internal auditing.
108 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
When relevant, results are given for each of the groups. The groups are explained in Chapter 1.For a list of groups, please refer to the inside back cover of the report. Some tables have additionaldetails. For example, Table 4-14 is the total of all respondents for that question with a related Table4-14-1 showing the responses by group. A table can have more than one related table, where thesecond related table would be Table 4-14-2. Additional related tables may be located in Appendix4-B at the end of this chapter. A table that is in the Appendix can be clearly identified by an “A” atthe end of its number. For example, Table 4-3-1-A is located in Appendix 4-B.
Use of the Standards in Whole or in Part
All respondents were asked if their organizations use the Standards in whole or in part. Of the9,366 potential respondents, 8,647 responded to this question. A total of 7,085 (81.9%) of thoseresponding noted that they use the Standards in whole or in part and 1,562 (18.1%) noted that theydo not comply with the Standards. Those respondents that do not use the Standards were told toskip the questions on compliance and go directly to the questions asking why they do not use theStandards.
Figure 4-1 shows the replies to this question by the respondents’ position in the IAA. While verysimilar results are reported by the respondents in other positions in the department, the highestincidence of use in whole or in part is reported by CAEs (85.1%) who should be in the best positionin the IAA to judge whether the Standards are being applied.
Figure 4-1Organizations’ Use of the Standards in Whole or in Part by Staff Level
All Respondents (8,647) in Percentages
Percentage of Respondents
_______________________________ Chapter 4: The Professional Practices Framework 109
The Institute of Internal Auditors Research Foundation
Use of the Standards by Industry in Whole or in Part
Table 4-1 provides a list of the respondents’ use of the Standards in whole or in part by industryand by position in the IAA. The four industries where respondents indicate the most usage of theStandards in whole or in part are:
• Trade Services (88%).• Professional Services (87.1%).• Building and Construction (86.8%).• Utilities (86.7%).
The five industries where the respondents indicate the least usage of the Standards in whole or inpart are:
• Pharmaceutical/Chemical (80.2%).• Real Estate (80.4%).• Non-professional Services (81.3%).• Manufacturing (82.2%).• Healthcare (82.2%).
Overall, there is a high level of usage of the Standards in whole or in part by all industries.
110 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 4-1Use of the Standards in Whole or in Part by Industry and Position in the IAA
All Respondents in Percentages
Industry Number of CAE Audit Audit Audit Other AverageRespondents Manager Senior/ Staff
Supervisor
Agricultural/Forestry 254 88.1 91.7 78.3 88.4 75.0 85.4Banking/Financial Services/ 2,178 84.8 86.4 83.2 84.1 81.5 84.4Credit UnionBuilding and Construction 387 89.8 89.7 77.9 91.8 77.8 86.8Communication/ 626 88.7 87.8 76.9 88.5 88.9 85.6TelecommunicationConsumer Goods 427 86.4 84.8 76.1 78.7 83.3 82.7Education 554 89.4 81.0 85.8 86.3 64.2 83.6Financial, Accounting, 870 92.3 87.6 85.0 81.5 79.6 85.9and/or Business ServicesHealthcare 566 87.2 83.0 84.4 77.9 59.5 82.2Hospitality/Leisure/Tourism 306 87.3 86.8 74.1 80.0 86.7 83.7Insurance 861 88.9 88.5 83.0 83.8 86.2 86.1Manufacturing 1,166 86.5 86.8 77.7 77.1 75.0 82.2Mining and Oil 396 92.4 88.2 77.3 84.4 84.0 85.4Non-professional Services 96 95.8 85.3 76.5 70.0 54.5 81.3Pharmaceutical/Chemical 257 83.8 82.7 72.7 82.8 72.2 80.2Professional Services 372 90.1 94.8 80.2 83.7 77.1 87.1Real Estate 291 84.0 84.1 79.0 73.7 60.0 80.4Retail/Wholesale 568 87.2 85.3 78.3 74.2 80.8 82.6Technology 439 88.5 91.1 75.0 73.3 80.0 83.6Trade Services 183 93.4 96.3 77.8 81.0 63.6 88.0Transport and Logistics 511 88.3 84.9 73.7 81.8 85.7 83.0Utilities 694 88.0 88.0 88.0 85.2 76.1 86.7Other 1,181 83.3 83.4 78.5 78.7 61.5 79.5
Compliance with the Standards
For those 7,085 respondents that indicate they use the Standards in whole or in part, the nextsurvey question asked if their organizations were in full compliance, partial compliance, not incompliance, or they did not know their organizations’ level of compliance for each of the individual
_______________________________ Chapter 4: The Professional Practices Framework 111
The Institute of Internal Auditors Research Foundation
standards. According to The IIA’s Tool 19, Standards Compliance Evaluation Summary, of theQuality Assessment Manual, 5th Edition, the extent of compliance with the Standards is expressedas either “generally conforms,” “partially conforms,” or “does not conform.” General conformance(full compliance in the questionnaire) implies that the “relevant structures, policies, and proceduresof the activity, as well as the processes by which they are applied, comply with the requirements ofthe individual Standard…in all material aspects.” Partial conformance (partial compliance in thequestionnaire) means the “activity is making good-faith efforts to comply with the requirements ofthe individual Standard.” Does not conform (not in compliance in the questionnaire) means “theactivity is not aware of, is not making good-faith efforts to comply with, or is failing to achievemany/all of the objectives of the individual Standard.”
For those that indicate their organizations use the Standards in whole or in part, Table 4-2 summarizesall respondents’ input and compares the responses of the CAEs and Practitioners concerningwhether their IAAs fully comply, partially comply, or do not comply with an individual standard.Eighty-five percent (85.5%) of the 7,085 respondents’ IAAs that noted standards usage eitherfully comply (57.2%) or partially comply (28.3%) with the Standards. Of the respondents, 10.6%do not know whether their IAAs comply with any of the Standards.
Table 4-2*Organizations Compliance Levels with the Standards
CAE, Practitioner, and All Respondents in Percentages
CAE Practitioner All Respondents
Full compliance 59.9 56.1 57.2Partial compliance 31.6 26.8 28.3Not in compliance 4.2 3.8 3.9Do not know 4.3 13.3 10.6Total 100.0 100.0 100.0
*Table 4-2 was compiled from Tables 4-3-1-A, 4-3-2-A and 4-3-3-A in Appendix 4-B.
The percentage of CAEs who do not know whether their IAAs comply with the Standards ismuch lower (4.3%) than that of Practitioners (13.3%). This may be due to the CAEs’ position asleader of the IAA providing them with more insight into the use of the Standards. It would appearthat CAEs have more direct access to judge the use of the Standards than other members of theIAA.
112 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
As shown in Table 4-2, when asked about compliance to individual standards, 59.9% of CAErespondents and 56.1% of Practitioner respondents say that they are in full compliance with theStandards when in fact they are not. Table 4-3 shows that only 33.2% of CAE respondents and43% of Practitioner respondents indicate they comply with Standard 1300. The IIA’s position isthat full compliance means full compliance with all the Standards.
Table 4-3 reveals that for CAE respondents, the four standards with the highest percentage of fullcompliance are Standards 1100 (73.6%), 2400 (68.6%), 1000 (68.1%), and 1200 (67%). Thismakes sense as three of the standards, 1100, Independence and Objectivity, 2400, CommunicatingResults, 1000, Purpose, Authority, and Responsibility, are all direct responsibilities of CAEs. Allwork, regardless of who performs it, should be done in accordance with Standard 1200, Proficiencyand Due Professional Care.
Table 4-3Full or Partial Compliance with the Standards
CAE, Practitioner, and All Respondents in Percentages
Standard CAE Practitioner All RespondentsFull Partial Full Partial Full Partial
1000 – Purpose, Authority, and 68.1 26.7 60.8 24.2 63.0 25.0Responsibility1100 – Independence and 73.6 22.0 64.1 22.2 66.9 22.2Objectivity1200 – Proficiency and Due 67.0 28.3 61.1 25.1 62.9 26.1Professional Care1300 – Quality Assurance and 33.2 45.0 43.0 31.7 40.0 35.7Improvement Program2000 – Managing the Internal 61.8 32.0 55.8 27.5 57.6 28.9Audit Activity2100 – Nature of Work 59.3 32.8 56.8 26.9 57.5 28.72200 – Engagement Planning 60.4 32.5 56.7 27.5 57.7 29.02300 – Performing the Engagement 62.1 31.8 58.7 26.7 59.7 28.22400 – Communicating Results 68.6 26.2 62.3 23.8 64.1 24.62500 – Monitoring Progress 56.1 35.5 51.3 30.6 52.6 32.12600 – Resolution of Management’s 49.0 35.0 46.1 28.8 46.9 30.7Acceptance of RisksOverall Average 59.9 31.6 56.1 26.8 57.2 28.3
_______________________________ Chapter 4: The Professional Practices Framework 113
The Institute of Internal Auditors Research Foundation
The two standards with less than 50% full compliance according to CAE respondents are 2600,Resolution of Management’s Acceptance of Risks (49.0%), and 1300, Quality Assurance andImprovement Program (33.2%). Reasons for noncompliance with Standard 1300 are discussed inmore detail in a later section of this chapter. Standard 2600 requires CAEs and senior managementto discuss with the board any areas where the CAE feels that management has accepted residualrisk that is unacceptable to the organization. It involves skills requiring CAEs to analyze manytypes of risks and reporting to the board disagreements with management over acceptable levelsof risk for the organization.
In Table 4-3, the order of the four highest standards (1100, 2400, 1000, 1200) for full complianceare the same for the categories All Respondents and CAEs. For Practitioners, the four standardswith the highest percentages are the same, but the order differs, 1100 (64.1%), 2400 (62.3%), 1200(61.1%), and 1000 (60.8%).
Standard 1000 (63% full compliance and 25% partial compliance for all respondents) requires thatthe purpose, authority, and responsibility of the IAA be formally defined in an audit charter. Havingthe internal audit charter accepted by the board and management should be one of the first actionstaken by a CAE when an IAA is established. The charter establishes the authority for IAAs toperform the scope of work as outlined in the Standards. Standard 1100 (66.9% full complianceand 22.2% partial compliance for all respondents), which deals with the independence and objectivityof the IAA, shows the highest incidence of full compliance by the respondents.
Standard 2400 (64.1% full compliance and 24.6% partial compliance for all respondents) addressesthe required communication of the results of the work performed by the IAAs at the end of eachengagement. In Appendix 4-B, Tables 4-3-1-A (all respondents), 4-3-2-A (CAE), and 4-3-3-A(Practitioner) contain additional details of respondents’ compliance with each individual standard.These tables contain the respondents’ indication of full compliance, partial compliance, not incompliance, and do not know for each category of the Standards.
Table 4-3-4-A to Table 4-3-6-A in Appendix 4-B lists by groups full compliance by IAAs for therespondents, partial compliance for all respondents, and the percentages for not in compliance withthe Standards for all respondents. Refer to the inside back cover of this report for the list ofgroups. Groups 1, 2, 3, 7, 8, and 11 indicate consistently high compliance with the Standards.Although group 4 has consistently lower compliance with the Standards, it also has the highestpartial compliance of any group. Group 9 has the highest overall percentages for noncompliancewith the Standards. Standard 1300, Quality Assurance and Improvement Program, had the highestpercentages of noncompliance ranging from groups 1 and 2 with 9.1% to a high of 24.2% in group12.
114 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Compliance by Types of Organization
Table 4-4 shows the percentage of respondents by type of organization that indicate their organizationsare in full compliance with specific standards. Service provider/consultant respondents have thehighest level of full compliance with Standard 1300, Quality Assurance and Improvement Program(49.6%), and with Standard 2600, Resolution of Management’s Acceptance of Risks (53.1%).Publicly traded (listed) companies place a close second in full compliance for Standard 2600 (50.6%).
Table 4-4Full Compliance to Standards by Type of Organization
Percentage of All Participants
Standard Service Publicly Privately Public Not-for- OtherProvider/ Traded Held Sector/ Profit
Consultant (Listed) (Non- Government OrganizationCompany listed)
Company
1000 – Purpose, Authority, 62.7 66.8 56.6 62.5 64.4 49.3and Responsibility1100 – Independence 69.6 69.7 63.5 64.1 71.8 48.6and Objectivity1200 – Proficiency and 66.2 64.9 57.3 62.6 67.3 50.7Due Professional Care1300 – Quality Assurance 49.6 42.8 30.2 40.1 37.9 32.8and Improvement Program2000 – Managing the 62.1 59.6 53.4 56.6 58.8 43.3Internal Audit Activity2100 – Nature of Work 61.6 58.9 51.2 59.8 61.1 45.22200 – Engagement 61.1 60.0 50.2 58.4 60.2 41.7Planning2300 – Performing the 63.5 60.1 54.3 62.2 62.8 45.6Engagement2400 – Communicating 68.0 64.5 59.3 66.0 67.5 52.2Results2500 – Monitoring Progress 57.0 55.0 47.9 51.1 55.8 37.02600 – Resolution of 53.1 50.6 38.8 44.9 49.6 31.5Management’sAcceptance of Risks
_______________________________ Chapter 4: The Professional Practices Framework 115
The Institute of Internal Auditors Research Foundation
Adequacy of the Guidance Provided by the Standards
The development and issuance of the Standards is an ongoing process. The IIA’s Internal AuditingStandards Board engages in extensive consultation and discussions prior to the issuance or revisionof the Standards. This includes worldwide solicitation of public comment through the exposuredraft process. Although this process should provide assurance that the guidance provided by theStandards is supported by the profession, it is important to determine the views of current usersregarding the adequacy of the guidance provided. Respondents who indicated that they use theStandards were asked to give their opinion about whether the guidance provided by individualstandards is adequate for their IAA to apply that standard or if more guidance is needed.
As presented in Table 4-5, an overall average of 83.2% of the respondents consider the guidanceprovided by the Standards to be adequate. The four standards that received the highest percentagefor adequacy are 1100 (88.1%), Independence and Objectivity, 1200 (87%), Proficiency and DueProfessional Care, 1000 (86.2%) Purpose, Authority, and Responsibility, and 2400 (85.2%)Communicating Results. These are the same four standards that have the highest complianceindicated by respondents in Table 4-3. In Table 4-5 all but two standards are rated above 80% foradequacy.
Table 4-5Standards Guidance is AdequateAll Respondents in Percentages
Standard Total Yes No Do Not Do NotNumber of Use Know
Respondents
1000 – Purpose, Authority, and Responsibility 5,857 86.2 1.2 2.7 9.91100 – Independence and Objectivity 6,015 88.1 1.7 1.7 8.51200 – Proficiency and Due Professional Care 5,994 87.0 1.7 2.3 9.01300 – Quality Assurance and Improvement Program 5,968 77.3 5.1 6.3 11.32000 – Managing the Internal Audit Activity 5,970 83.7 3.1 3.3 9.92100 – Nature of Work 5,916 82.2 3.2 3.5 11.12200 – Engagement Planning 5,950 83.6 3.3 3.2 9.92300 – Performing the Engagement 5,931 83.8 3.6 3.0 9.62400 – Communicating Results 5,941 85.2 3.1 2.6 9.12500 – Monitoring Progress 5,903 81.8 4.1 4.0 10.12600 – Resolution of Management’s Acceptance 5,908 76.0 5.6 5.3 13.1of RisksOverall Average 83.2 3.2 5.7 9.3
116 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Such a high percentage of positive responses indicates that the guidance provided meets theexpectations of the users of the Standards. The slightly lower response for Standards 1300 (77.3%),Quality Assurance and Improvement Program, and 2600 (76%), Resolution of Management’sAcceptance of Risk, in Figure 4-2 may indicate that more or clearer guidance may be appropriatein the areas of quality assurance and improvement and resolution of management’s acceptance ofrisk.
Figure 4-2Standards Guidance is AdequateAll Respondents in Percentages
Percentage of Respondents
_______________________________ Chapter 4: The Professional Practices Framework 117
The Institute of Internal Auditors Research Foundation
Table 4-6 shows that a higher percentage of CAEs (overall average 89%) than Practitioners(overall average 80.7%) regard the guidance provided by the Standards to be adequate. This maybe due to CAEs having more experience with the Standards.
Table 4-6Adequacy of Guidance Provided by Each of the Standards
CAE, Practitioner, and All Respondents in Percentages
Standard CAE Practitioner AllRespondents
1000 – Purpose, Authority, and Responsibility 93.3 83.2 86.21100 – Independence and Objectivity 94.1 85.6 88.11200 – Proficiency and Due Professional Care 92.9 84.5 87.01300 – Quality Assurance and Improvement Program 81.5 75.6 77.32000 – Managing the Internal Audit Activity 90.0 81.0 83.72100 – Nature of Work 88.0 79.8 82.22200 – Engagement Planning 89.4 81.2 83.62300 – Performing the Engagement 89.3 81.5 83.82400 – Communicating Results 91.3 82.6 85.22500 – Monitoring Progress 88.4 79.1 81.82600 – Resolution of Management’s Acceptance of Risks 81.3 73.8 76.0Overall Average 89.0 80.7 83.2
In Appendix 4-B, Tables 4-6-1-A (CAEs) and 4-6-2-A (Practitioners) list respondents’ responsesby standard indicating whether the guidance provided is adequate, not adequate, do not use, or donot know. When asked about the adequacy of the guidance provided, a higher percentage of thePractitioner respondents replied “Do Not Know” than CAEs. For all of the Standards, Practitionerresponses for “Do Not Know” range from 11.1% to 16.3%. In contrast, the CAE responses rangeis from a low of 2.3% to a high of 5.3%. This data indicates that CAEs in this study appear to findthe guidance more adequate than do Practitioners.
In Appendix 4-B, Tables 4-6-3-A (all respondents by groups), 4-6-4-A (CAEs by groups), and 4-6-5-A (Practitioners by groups) show respondents’ answers by groups to the question about theadequacy of guidance provided by the Standards. In the groups, CAEs consistently find theStandards guidance to be more adequate than Practitioners. Table 4-6-3-A indicates that a significantpercentage of all respondents in all groups perceive the guidance provided by each of the Standards
118 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
to be adequate. On average, groups 7, 8, and 12 have the highest percentage of satisfaction withthe guidance provided, while groups 1, 2, and 9 have the lowest average percentage of satisfaction.
Table 4-6-6-A in Appendix 4-B provides a summary of all respondents by group who indicate thatthe guidance provided by the Standards is not adequate. Indicating a range of 11.6% to 14.5% forguidance is not adequate, group 9 has the highest level of dissatisfaction with Standards 2200 to2500. With this group’s exception, the overall low percentages in this table support a high level ofsatisfaction with the adequacy of the guidance provided.
Use of and Adequacy of the Guidance Provided by the Practice Advisories
Practice Advisories are continuously developed and issued. The purpose of the Practice Advisoriesis to provide guidance on the application of the Standards. Compliance with Practice Advisoriesis endorsed by The IIA and strongly recommended but not considered mandatory. The 7,085respondents who use the Standards in whole or in part were asked whether their IAA uses thePractice Advisories in the PPF and to indicate whether they regard the guidance to be adequate.Figure 4-3 shows the percentages of all respondents to this question that use each of the PracticeAdvisories.
Figure 4-3Respondents That Use the Practice Advisories
All Respondents in Percentages
Percentage of Respondents
_______________________________ Chapter 4: The Professional Practices Framework 119
The Institute of Internal Auditors Research Foundation
Table 4-7 indicates that on average 85.8% of the respondents that use the Standards also use thePractice Advisories. The Audit Staff (88.7%) report the highest overall use of the Practice Advisories.Ninety percent or more of the Audit Staff indicate that they use the Practice Advisories for Standards1000, 1100, 1200, and 2300.
Table 4-7Respondents That Use the Practice Advisories
By Staff Level in Percentages
Practice Advisory CAE Audit Audit Audit Other AverageManager Senior/ Staff
Supervisor
1000 – Purpose, Authority, and 88.8 88.2 84.8 90.1 84.7 87.3Responsibility1100 – Independence and Objectivity 89.3 88.5 86.3 90.7 86.9 88.31200 – Proficiency and Due Professional 88.6 88.4 85.1 90.2 86.1 87.7Care1300 – Quality Assurance and 82.7 82.8 80.5 86.5 79.2 82.3Improvement Program2000 – Managing the Internal Audit 87.7 87.2 83.7 89.7 84.1 86.5Activity2100 – Nature of Work 86.4 85.9 83.8 89.7 83.8 85.92200 – Engagement Planning 87.4 87.1 84.5 89.4 84.1 86.52300 – Performing the Engagement 87.8 86.9 85.2 90.0 84.9 87.02400 – Communicating Results 88.6 87.2 84.6 87.5 83.4 86.32500 – Monitoring Progress 87.5 85.3 82.3 88.4 83.0 85.32600 – Resolution of Management’s 81.4 82.2 78.4 83.6 79.0 80.9Acceptance of RisksAverage 86.9 86.3 83.6 88.7 83.6 85.8
In Appendix 4-B, Table 4-7-1-A shows the percentage of respondents who do not use the PracticeAdvisories for all respondents. Groups 6, 1, 2, and 9 use the Practice Advisories the least.
120 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
The respondents were asked if they considered the guidance provided by the Practice Advisoriesto be adequate. Table 4-8 shows that for all respondents the overall average satisfaction withPractice Advisories is 82.5%. Standards 1300 (77.2%) and 2600 (75.4%) are the two standardsthat received the lowest percent of satisfaction. This corresponds to the lower level of compliancewith these two Standards by all respondents in Table 4-3.
Table 4-8Practice Advisory Guidance is Adequate
CAE, Practitioner, and All Respondents in Percentages
Practice Advisory CAE Practitioner AllRespondents
1000 – Purpose, Authority, and Responsibility 86.7 85.7 86.01100 – Independence and Objectivity 86.7 86.2 86.31200 – Proficiency and Due Professional Care 86.2 85.1 85.41300 – Quality Assurance and Improvement Program 76.2 77.7 77.22000 – Managing the Internal Audit Activity 83.5 83.4 83.42100 – Nature of Work 81.8 82.5 82.32200 – Engagement Planning 83.5 83.1 83.22300 – Performing the Engagement 83.9 83.3 83.52400 – Communicating Results 84.4 83.8 84.02500 – Monitoring Progress 82.6 80.5 81.12600 – Resolution of Management’s Acceptance of Risks 75.2 75.4 75.4Overall Average 82.7 82.4 82.5
In Appendix 4-B, Tables 4-8-1-A (all respondents), 4-8-2-A (CAE), and 4-8-3-A (Practitioner)show the respondents’ perception of the adequacy of the guidance provided by the Practice Advisoriesand the percentages that do not use each individual Practice Advisory.
Table 4-8-4-A in Appendix 4-B shows all respondents’ perception of the adequacy of the guidanceprovided by the Practice Advisories by groups. This group table also indicates less satisfactionwith the guidance provided to support for Standards 1300 and 2600. Respondents in groups 12, 7,and 8 indicate the highest levels of satisfaction with the adequacy of the Practice Advisories.While still indicating a high level of satisfaction with the guidance, groups 6 and 2 show the lowestrelative levels of satisfaction with the guidance provided by the Practice Advisories.
_______________________________ Chapter 4: The Professional Practices Framework 121
The Institute of Internal Auditors Research Foundation
Reasons for Not Complying with the Standards
All respondents were asked their reasons for not using the Standards in whole or in part. Thequestion listed possible reasons for noncompliance and allowed for individual comments.Respondents could select more than one reason for noncompliance. Figure 4-4 shows the averagepercentage for all respondents for the reasons provided in the question regarding why they do notcomply in whole or in part with the Standards.
Figure 4-4Reasons for Not Complying in Whole or in Part with the Standards
All Respondents (8,159) in Percentages*
Percentage of Respondents
*Respondents who do not comply with the Standards could select more than one reason for noncompliance so thetotals could add to more than 100%.
122 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 4-9 shows the reasons respondents selected for not using the Standards in whole or in partby staff position.
Table 4-9Reasons for Not Using the Standards in Whole or in Part
All Respondents by Staff Position in Percentages*
Reason Number CAE Audit Audit Senior/ Audit Staff Other AverageW h o % of 2263 Managers Supervisor % of 1442 % of 569 % of 8159
Selected Respondents % of 1845 % of 2040 Respondents Respondents RespondentsCategory Respondents Respondents
Standards or 473 7.1 5.5 5.4 4.4 6.2 5.8PracticeAdvisories aretoo complexNot 846 16.4 8.5 7.4 7.1 11.4 10.4appropriatefor smallorganizationsToo costly to 765 13.3 8.9 7.9 6.2 8.6 9.4complyToo time- 992 16.1 12.1 11.4 8.6 8.1 12.2consumingSuperseded by 875 10.3 10.0 12.6 9.6 11.1 10.7local/governmentregulationsor standardsNot 342 4.4 3.3 4.1 4.7 5.3 4.2appropriatefor myindustryCompliance 970 11.9 12.0 12.6 11.0 11.1 11.9not supportedby manage-ment/boardNot perceived 996 13.6 11.4 13.5 9.9 10.5 12.2as addingvalue bymanagement/boardInadequate 1,026 14.4 11.9 11.7 11.6 13.2 12.6IAA staffCompliance 467 5.9 5.3 6.6 4.9 5.3 5.7not expectedin my countryOther 983 11.4 12.7 12.8 8.7 17.9 12.0
*Respondents who do not comply with the Standards could select more than one reason for noncompliance so thetotals could add to more than 100%.
_______________________________ Chapter 4: The Professional Practices Framework 123
The Institute of Internal Auditors Research Foundation
There appears to be three primary causes for noncompliance. The first relates to practitioners’experiences in application and implementation of guidance or constraints within the IAA. Specificreasons related to this include the following:
• Inadequate staff (12.6%)• Too time-consuming (12.2%)• Not appropriate for small organizations (10.4%)• Too costly to comply (9.4%)• Standards or Practice Advisories are too complex (5.8%)
The second primary cause concerns lack of support by the organization’s management and includesthe following specific reasons:
• Not perceived as adding value by management/board (12.2%)• Compliance not supported by management/board (11.9%)
The third primary cause involves the regulations or standards in the respondents’ countries orcompany, and includes the following reasons:
• Superseded by local/government regulations or standards (10.7%)• Compliance not expected in my country (5.7%)• Not appropriate for my industry (4.2%)
This knowledge should aid The IIA in formulating future guidance and in marketing the profession.
124 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Open-ended Question for Noncompliance
Respondents were provided with space to list other reasons why they did not comply with theStandards in whole or in part. Of the 417 respondents who provided a written response to theopen-ended part of this question, most did not add any new reasons beyond those listed in Table 4-9, but expanded upon why they selected a particular reason. Table 4-10 categorizes these responsesand lists the percentages of the 417 respondents that gave a particular response. Because sevenrespondents gave two reasons why they are not in full compliance with the Standards, there are atotal of 424 responses.
Table 4-10Reasons for Not Complying with the Standards in Whole or in Part
From Open-ended Question for All Participants
Reasons for Noncompliance Number of Percentage ofRespondents* 417
Respondents
Other standards are used (GAGAS/Yellow Book; 94 22.5Own standards based on IIA’s; CICA; ISACA;CIPFA; GAAS; INTOSAI)Informal/partial use of the Standards 57 13.7Do not have the knowledge to implement 54 12.9Standards are not: 41 9.8adequate/relevant/practical/accepted/value addedWorking toward full implementation 40 9.6Newly established IAA or newly appointed in position 36 8.6Do not know 23 5.5Management does not support 21 5.0Not applicable as function is outsourced or 13 3.1respondents not in internal audit departmentUnderstaffed 10 2.4Full compliance to the Standards 5 1.2No IAA 4 1.0Other 26 6.2
*Since 7 of the 417 respondents provided two reasons for noncompliance with the Standards, there are 424 totalresponses.
_______________________________ Chapter 4: The Professional Practices Framework 125
The Institute of Internal Auditors Research Foundation
One respondent suggests that the local affiliate should perform an awareness campaign in hiscountry for non-listed and small companies to show the need for IAAs to comply with the Standards.
Factors Affecting Compliance
To better understand why some respondents are not in full compliance with the Standards, threefactors were reviewed. First, since The IIA’s membership grew 54.6% from June 2003 toSeptember 2006, Table 4-11 compares the number of years respondents have been members ofThe IIA to respondents’ compliance with the Standards in whole or in part. For those respondentswho are members of The IIA, the longer they have been members the more likely they are tocomply with the Standards in whole or in part.
Table 4-11Compliance with the Standards in Whole or in Part
Compared to theNumber of Years as a Member of The IIA
All Respondents in Percentages
Number of Years as Number of Percentage ofMember of IIA Respondents Respondents in
Compliance in Wholeor in Part
5 or less 5,044 80.76 to 10 1,694 86.2
11 or more 1,307 88.4Not a Member 568 64.8
Total/Overall Average 8,613 81.9
126 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
The second factor considered is the number of years an organization has had an IAA. Table 4-12suggests a trend indicating that the longer an organization has had an internal audit department thegreater the IAA’s compliance with the Standards in whole or in part.
Table 4-12Compliance with the Standards in Whole or in Part
Compared to theNumber of Years Organization has had an IAA
All Respondents in Percentages
Years Having an Number of Percentage of RespondentIAA Respondents in Compliance in Whole
or in Part
0-5 2,147 81.06-10 1,586 80.911-15 902 83.916-20 835 81.821-25 523 84.926-30 561 84.331-35 180 83.336-40 250 87.241-45 48 85.446-50 254 88.2
More than 50 323 85.1
_______________________________ Chapter 4: The Professional Practices Framework 127
The Institute of Internal Auditors Research Foundation
The final factor reviewed is the impact of the number of full-time staff in the IAA on compliancewith the Standards in whole of in part. Table 4-13 notes that with the exception of the 22-24 stafflevel category, the trend is that the larger the IAA’s audit staff, the higher level of compliance tothe Standards in whole or in part.
Table 4 -13Compliance with the Standards in Whole or in Part
Compared to theNumber of Full-Time Staff at Each Staff
CAE Respondents in Percentages
Number of Staff Number of Percentage ofRespondents Respondents in
Compliance in Wholeor in Part
1-3 1,601 75.74-6 1,253 82.07-9 742 83.2
10-12 448 83.313-15 332 84.316-18 251 84.519-21 179 85.222-24 133 84.7
25 or more 1,707 88.0Total 6,646 82.3
In summary, all three factors, the longer a respondent has been a member of The IIA, or anorganization has had an IAA, or the larger the number of staff in the IAA, positively affect thelevel of compliance by the IAA with the Standards.
128 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Quality Assurance and Improvement Program
Since Standard 1300, Quality Assurance and Improvement Program (QA&IP), relates to themonitoring of IAA compliance with the Standards, the survey included specific questions relatingto internal and external assessments. One of the main objectives of the QA&IP Standard is toencourage the assessment of, application, and conformance with the Standards. According toStandard 1300, the CAE should develop and maintain a QA&IP that covers all aspects of the IAAand continuously monitors its effectiveness. This program includes periodic internal assessments,external quality assessments, and ongoing internal monitoring. Standard 1300 and the PracticeAdvisories further recommend that this program:
• Provide assurance that the IAA is in conformity with The IIA’s Standards.• Provide assurance that the IAA is in conformity with the IIA Code of Ethics.• Add value and improve the organization’s operations.• Include periodic internal and external quality assessments and ongoing internal monitoring.
Each part of the program should be designed to help the IAA provide this assurance and add value.
Standard 1300
Survey participants were asked whether or not their IAAs have QA&IPs in place in accordancewith Standard 1300. Standard 1330, Use of “Conducted in Accordance with the Standards,” statesthat internal auditors are encouraged to report that their activities are conducted in accordancewith the Standards. It further stipulates that internal auditors may use this statement only ifassessment of their QA&IP demonstrates that the IAA is in compliance with the Standards. Thevalue of this statement is that it implies the credibility of the work performed by the IAA and thatthe conclusions reached can be relied upon.
The average response to the question of whether the respondent’s IAA has a QA&IP in place inaccordance with Standard 1300 is reported in Figure 4-5. Of the total respondents, 32.8% say thatthey have a QA&IP in place and thus can use the phrase “Conducted in Accordance with theStandards” in reference to their audit engagements. A further 21.9% indicate that a QA&IPwould be put in place within the next 12 months. Some respondents (7.3%) have a quality assuranceprogram in place, but the program is not in accordance with Standard 1300. Of the respondents,22.9% report that they do not have plans to put in place a QA&IP in the next 12 months.
_______________________________ Chapter 4: The Professional Practices Framework 129
The Institute of Internal Auditors Research Foundation
Figure 4-5IAA Has a Quality Assurance and Improvement Program in
Accordance with Standard 1300All Respondents (7,269) in Percentages
If an IAA is not in compliance with Standard 1300, then the IAA is not in full compliance with theStandards. Of those responding, 38.8% of CAEs and 30.2% of all respondents indicate that theyeither do not have plans to put a QA&IP in place or they have quality programs that are not inaccordance with Standard 1300. These organizations will not be able to report that they are in fullcompliance with the Standards.
Table 4-14 presents the respondents’ answers to the question asking whether their IAAs haveQA&IPs in place in accordance with Standard 1300 by staff level. Of CAE respondents, 5.4%say that they do not know whether their IAA has a QA&IP in accordance with Standard 1300.The “do not know” option to this question was selected by 10.6% of Audit Managers, 18.0% of
Percentage of Respondents
130 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Audit Seniors/supervisors, and 26.7% of the Audit Staff respondents. As the quality assuranceprogram is the responsibility of the CAE, practitioners at less senior levels may not know how thequality assurance requirements have been implemented. Yet, according to the Standards, qualityassurance should form a part of every activity at all levels of the IAA. All internal audit staffshould therefore be trained in the requirements of quality assurance and should be integrally involvedin the quality assessment and improvement programs of their IAAs.
Table 4-14IAA Has a Quality Assurance and Improvement Program
in Accordance with Standard 1300All Respondents by Staff Level in Percentages
QA&IP CAE Audit Audit Audit Staff Other AverageStatus % of 2082 Manager Senior/ % of 1239 % of 441 % of 7269
Respondents % of 1687 Supervisor Respondents Respondents RespondentsRespondents % of 1820
Respondents
Currently in place 26.6 36.5 36.0 36.1 24.5 32.8To be put in place 29.2 23.2 19.0 15.8 10.9 21.9within the next12 monthsNo plans to put in 29.2 22.6 19.6 17.6 23.8 22.9place in the next12 monthsQuality assurance 9.6 7.1 7.4 3.8 7.0 7.3program is not inaccordance withStandard 1300Do not know 5.4 10.6 18.0 26.7 33.8 15.1Total 100.0 100.0 100.0 100.0 100.0 100.0
_______________________________ Chapter 4: The Professional Practices Framework 131
The Institute of Internal Auditors Research Foundation
Table 4-14-1 shows compliance with Standard 1300 by groups. A noticeably higher than averagepercentage (54.7%) of respondents in groups 3 (70.5%), 2 (61.6%), and 1 (61%) indicate that theyhave a QA&IP in place or will put one in place within the next 12 months. The groups that have thehighest percentages of respondents indicating that they have no plans to put a QA&IP in place aregroups 12 (34.8%), 4 (34%), 8 (33.5%), and 11 (30.7%). Group 4 (20.7%) has the highest percentageof respondents who do not know whether they have such a program in place.
Table 4-14-1IAA Has a Quality Assessment and Improvement Program
in Accordance with Standard 1300 by Groups*All Respondents in Percentages
Group Number of Yes, To Be Put in No Plans Program Do Not TotalRespondents Currently Place Within to Put in is Not in Know
in Place the Next 12 Place in AccordanceMonths the Next 12 with
Months Standard1300
1 2,974 40.1 20.9 17.6 5.1 16.3 100.02 190 35.8 25.8 16.9 8.9 12.6 100.03 600 45.3 25.2 12.7 5.5 11.3 100.04 300 19.3 14.3 34.0 11.7 20.7 100.05 502 24.4 27.5 27.7 9.8 10.6 100.06 374 30.2 21.1 24.1 16.0 8.6 100.07 439 25.1 26.9 27.6 10.8 9.6 100.08 835 24.0 20.5 33.5 6.9 15.1 100.09 97 15.5 28.9 29.8 13.4 12.4 100.010 110 30.0 26.4 26.4 7.2 10.0 100.011 199 30.2 23.1 30.7 5.5 10.5 100.012 43 23.3 27.9 34.8 7.0 7.0 100.0
N/C** 624 20.8 17.5 27.6 7.7 26.4 100.0Overall 7,287 32.8 21.9 22.9 7.3 15.1 100.0
Average/Total
*For a list of groups, please see the inside back cover.**N/C = Respondent did not indicate Affiliate or Chapter membership.
132 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Internal Assessments
According to Standard 1311, Internal Assessments should include a process to monitor and assessthe overall effectiveness of the quality program. Internal assessments should include both:
• Ongoing review of the performance of the IAA.• Periodic reviews performed through self-assessment or by other persons within the
organization with knowledge of internal auditing practices and the Standards.
The respondents were asked when their IAAs last had a formal internal quality assessment, periodicor ongoing, in accordance with Standard 1311. Table 4-15 indicates, by staff level, when the IAAwas last subject to an internal quality assessment. On average, 23.6% of the respondents’ IAAshave had an internal review within the last 12 months and a further 8.7% had a review within thelast 5 years. By the end of 2006, an average of 8.1% additional respondents anticipate their IAAswill have had an internal quality assessment (note that the questionnaires were sent out in September2006). On average, 35.3% of the respondents indicate that they have never had an internalassessment. From predominantly lower staff levels and Other, on average 15.8% of the respondentsdo not know if their IAA had a formal internal quality assessment.
Only 5.2% of the CAE’s indicated they did not know when their IAA was last subject to a formalinternal assessment, while 26.7% of the Audit Staff indicated they did not know. This may beascribed to a lack of knowledge at their level of responsibility. A higher percentage (47.4%) ofCAEs indicates that an internal quality assessment has never been done, which may be moreaccurate as the CAE is normally the person responsible for organizing such reviews.
_______________________________ Chapter 4: The Professional Practices Framework 133
The Institute of Internal Auditors Research Foundation
Table 4-15When IAA Was Last Subject to a Formal Internal Quality Assessment
in Accordance with Standard 1311All Respondents by Staff Level in Percentages
Timing CAE Audit Audit Audit Staff Other Average% of 2,083 Manager Senior/ % of 1,240 % of 430 % of 7,249Respondents % of 1,678 Supervisor Respondents Respondents Respondents
Respondents % of 1,818Respondents
Scheduled to 8.7 8.3 8.4 7.5 4.7 8.1be completedprior toJanuary 1,2007, but notyet completedWithin the 21.0 27.9 24.0 24.4 15.3 23.6last 12 months1-3 years ago 6.5 8.1 8.9 6.0 7.7 7.44-5 years ago 1.2 1.4 1.2 1.6 0.7 1.3More than 5 1.5 1.3 1.1 1.0 1.2 1.2years agoNever 47.4 32.5 30.3 26.1 35.3 35.3The internal 8.5 7.4 6.6 6.7 3.7 7.2review wasnot done inaccordancewith Standard1311Do not know 5.2 13.1 19.5 26.7 31.4 15.9
134 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
The following compares the results in Table 4-14 (the IAA has a QA&IP in place) to the percentagesin Table 4-15 (the internal assessment is scheduled to be completed prior to January 1, 2007, orcompleted a quality assessment within the last 12 months). The percentages are fairly close forboth tables. For example, Table 4-14 lists CAE respondents indicating that 26.6% have a QA&IPin place, and Table 4-15 has a total of 29.7% CAE respondents having had a formal quality assessmentin accordance with Standard 1311 scheduled before January 1, 2007, or completed in the last 12months. For all respondents in this comparison, Table 4-14 had 32.8% of respondents having aQA&IP in place, and Table 4-15 has a total of 31.7% completed within the last 12 months orscheduled by January 1, 2007.
In Appendix 4-B, Table 4-15-1-A contains the status of the internal assessment by groups. For sixof the groups, more than 40% of respondents have never had an internal assessment. For groups6, 8, and 12, more than 11% of the respondents have completed a quality assessment that was notin accordance with Standard 1311. Only group 3 respondents indicate that 43.4% of their IAAshave had an assessment in accordance with Standard 1311 in the last 5 years. Eleven point fourpercent to 14.9% of the respondents in groups 3, 10, and 12 anticipate completing an assessmentprior to January 1, 2007.
Two factors should be considered when reviewing which respondents’ organizations have had aninternal quality assessment. The first is whether the length of time the IAA has been in existencewithin the organization has any effect on compliance to Standard 1311. Table 4-16 compares thelength of time that respondents’ organizations have had an IAA with when or if they have had aninternal assessment. IAAs that have been in existence for 0 to 5 years have the highest percentage(54.2%) of never having had an internal assessment. That percentage drops to 38% for thoseorganizations whose IAAs have been in existence for 6 to 10 years. It appears that, generally, thelonger the organization has had an IAA the more likely they are to have an internal assessmentprogram in place.
_______________________________ Chapter 4: The Professional Practices Framework 135
The Institute of Internal Auditors Research Foundation
Table 4-16Years the IAA has Existed in an Organization Compared to
When the IAA had an Internal AssessmentAll Respondents in Percentages
Years Number of Scheduled Within 1-3 4-5 More Never The I Do TotalIAA Respondents to Be the Last Years Years Than Internal Not Know
Existed Completed 12 Ago Ago 5 Review WasPrior to Months Years Not Done in
January 1, Ago Accordance2007, But withNot Yet Standard
Completed 1311
0-5 1,857 7.7 14.8 4.0 0.5 0.2 54.2 7.3 11.3 100.06-10 1,364 7.7 21.8 6.2 1.1 1.2 38.0 8.1 15.9 100.011-15 774 8.4 25.2 7.4 1.8 1.4 35.1 7.2 13.5 100.016-20 727 10.0 23.4 10.6 2.6 2.3 25.9 6.2 19.0 100.021-25 727 9.0 30.4 10.1 2.9 1.3 25.8 7.7 12.8 100.026-30 465 8.8 31.0 9.7 1.1 1.5 24.3 8.2 15.4 100.031-35 145 8.3 31.7 11.7 1.4 0.7 26.2 8.3 11.7 100.036-40 208 7.7 35.1 13.0 0.5 1.4 25.0 4.8 12.5 100.041-45 38 13.2 39.5 5.3 5.3 .0 15.8 7.9 13.2 100.046-50 198 6.1 31.8 12.1 3.0 3.0 18.7 6.1 19.2 100.0More 266 9.4 36.1 10.2 1.1 1.5 13.5 8.6 19.6 100.0than
50 years
136 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
The second factor to consider is the number of audit staff in the IAA. Table 4-17 shows that forstaff levels of 1-3, respondents indicate that 58.2% of their IAAs have never had an internalreview. As the size of the IAA staff increases, fewer respondents’ IAAs have never had aninternal review with one exception (organizations with a staff size of 10-12). With a staff of 25 ormore only 14.2% indicated that their IAA had never had an internal review.
It appears that the number of years the IAA has existed and the number of staff in the IAA affectwhether an IAA has had an internal assessment program.
Table 4-17Number of Audit Staff in the IAA Compared to
When the IAA had an Internal AssessmentAll Respondents in Percentages
Number Number of Scheduled Within 1-3 4-5 More Never The I Do Totalof Respondents to Be the Last Years Years Than Internal Not Know
Staff Completed 12 Ago Ago 5 Review WasPrior to Months Years Not Done in
January 1, Ago Accordance2007, But withNot Yet Standard
Completed 1311
1-3 1,859 5.9 11.5 4.1 1.0 1.0 58.2 7.0 11.3 100.04-6 1,319 8.6 18.0 6.7 1.1 1.2 42.7 8.3 13.4 100.07-9 775 7.7 26.1 8.1 1.8 1.4 30.6 7.7 16.6 100.0
10-12 451 8.2 23.5 9.1 1.3 2.0 31.9 7.3 16.7 100.013-15 351 12.3 25.4 9.7 1.1 .9 26.2 7.7 16.7 100.016-18 265 12.5 27.2 7.5 .8 1.5 24.9 9.1 16.5 100.019-21 186 8.6 30.6 9.1 2.7 .5 19.4 7.5 21.6 100.022-24 137 12.4 34.3 10.9 1.5 2.2 18.2 8.8 11.7 100.025 or 1,561 9.5 39.4 10.4 1.8 1.3 14.2 5.4 18.0 100.0more
_______________________________ Chapter 4: The Professional Practices Framework 137
The Institute of Internal Auditors Research Foundation
External AssessmentsAccording to Standard 1312, External Assessments, the IAA should have an external assessmentat least once every 5 years by a qualified, independent reviewer or review team from outside theorganization. All IAAs that existed on January 1, 2002, when this standard became effectiveshould have had an external assessment performed by January 1, 2007. For external reviews,Practice Advisory 1312-1, External Assessments, recommends that an opinion on the IAA’scompliance to the Standards based on a structured rating process be communicated to the CAE.
Figure 4-6 indicates when all respondents’ IAAs were last subject to an external quality assessment.The average response for all respondents indicates that 39.7% of respondents’ IAAs have neverhad an external assessment.
Figure 4-6When the IAA was Last Subject to a Formal External Quality Assessment
in Accordance with Standard 1312All Respondents (7,230) in Percentages
Percentage of Respondents
138 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 4-18 indicates by staff level when respondents’ IAAs were last subject to an external qualityassessment. Comparing the average response (39.7%) indicating the IAA has not had an externalreview to the different levels of staff, 53.7% of the CAE respondents indicate their IAA has nothad an external review. This is probably more reflective of the actual status as the CAE is responsiblefor arranging the external review. It appears that for more than 50% of those responding to thisquestion, their organizations have not been subject to a formal external quality assessment and arenot in compliance with Standard 1312 and are therefore not in full compliance with the Standards.
Table 4-18When the IAA was Last Subject to a Formal External Quality Assessment
in Accordance with Standard 1312All Respondents in Percentages
Timing CAE Audit Audit Audit Staff Other Average% of 2,073 Manager Senior/ % of 1,241 % of 429 % of 7,230
Respondents % of 1,674 Supervisor Respondents Respondents RespondentsRespondents % of 1,813
Respondents
Scheduled to 7.7 8.7 7.4 7.2 4.4 7.6be completedprior toJanuary 1, 2007,but not yetcompletedWithin the last 13.8 16.9 17.9 19.1 14.5 16.512 months1-3 years ago 6.9 11.2 12.0 8.8 7.5 9.54-5 years ago 2.2 1.8 2.4 1.9 1.6 2.1More than 5 1.7 2.1 1.7 1.2 1.2 1.7years agoNever 53.7 38.6 33.4 28.7 35.0 39.7The external 7.7 4.9 4.2 2.4 2.3 5.0review was notdone inaccordancewith Standard1312Do not know 6.3 15.8 21.0 30.7 33.5 17.9
_______________________________ Chapter 4: The Professional Practices Framework 139
The Institute of Internal Auditors Research Foundation
Table 4-18-1 shows the results for external quality assessments for the groups. More than 40% ofthe respondents in groups 3 (48.9%), 2 (42.2%), 10 (43.9%), and 1 (41.5%) indicate that their IAAhas had a formal external assessment in the last 5 years or will have one completed by January 1,2007, in accordance with Standard 1312. More than 50% of respondents in groups 9 (59.6%), 12(59.5%), 5 (54.5%), 4 (51.9%), and 8 (51.5%) noted that they have never had an external assessment.
Table 4-18-1When the IAA was Last Subject to a Formal External Quality Assessment
in Accordance with Standard 1312 by Groups*All Respondents in Percentages
Timing 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Scheduled 8.3 7.5 11.9 3.7 8.3 6.2 6.1 5.6 5.1 18.4 9.6 7.1 4.0to becompletedprior toJanuary 1,2007Within the 19.7 12.8 19.0 15.5 11.4 13.2 17.9 11.9 14.1 13.2 16.2 14.3 12.6last 12months1-3 years ago 11.0 18.2 15.1 4.7 9.8 8.9 5.4 6.5 9.1 8.8 5.1 4.8 6.34-5 years ago 2.5 3.7 2.9 2.7 0.6 3.5 1.4 0.8 1.0 3.5 1.5 0.0 1.3More than 5 2.0 3.7 2.3 5.7 0.6 1.1 0.9 0.4 0.0 0.9 0.5 2.4 1.1years agoNever 31.1 32.6 28.7 51.9 54.5 43.5 48.0 51.5 59.6 40.4 39.6 59.5 48.0Not done in 2.3 4.3 3.2 3.4 6.8 12.1 8.8 8.2 1.0 4.4 7.7 4.8 7.2accordance withStandard 1312Do not know 23.1 17.2 16.9 12.4 8.0 11.5 11.5 15.1 10.1 10.4 19.8 7.1 19.5Total percentage 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0Total number of 2,956 187 596 297 499 372 442 827 99 114 197 42 621respondents
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
140 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
To determine if the length of time the IAA has been in existence within an organization has anyeffect on compliance to Standard 1312, Table 4-19 compares the length of time that respondents’organizations have had an IAA to when and if they have had an external assessment. IAAs thathave been in existence for 0 to 5 years have the highest percentage (61.2%) of never having hadan external assessment. The percentage for never having an external assessment drops to 40.4%for those organizations whose IAAs have been in existence for 6 to 10 years. It appears that,generally, the longer the organization has had an IAA the more likely they have had an externalassessment.
Table 4-19Years the IAA has Existed in an Organization Compared to
When the IAA had an External AssessmentAll Participants in Percentages
Years Number Scheduled Within 1-3 4-5 More Never The I Do TotalIAA of to Be the Last Years Years Than Internal Not
Been in Respondents Completed 12 Ago Ago 5 Review was KnowExistence Prior to Months Years Not Done in
January 1, Ago Accordance2007, with
But Not StandardYet 1312
Completed
0-5 1,853 5.8 8.9 5.0 0.8 0.2 61.2 4.6 13.5 100.06-10 1,365 8.6 14.7 8.2 2.1 1.8 40.4 5.7 18.5 100.011-15 770 7.8 16.2 10.3 2.7 2.1 40.6 5.7 14.6 100.016-20 723 7.9 17.2 11.3 3.6 3.5 29.6 4.7 22.2 100.021-25 449 8.7 26.5 11.6 1.8 2.0 30.3 5.8 13.3 100.026-30 462 8.4 22.5 11.7 3.7 2.4 27.3 7.6 16.4 100.031-35 142 7.7 16.2 21.8 3.5 0.7 28.9 6.3 14.9 100.036-40 210 11.0 27.1 13.8 1.9 1.9 27.1 1.4 15.8 100.041-45 39 23.1 20.5 12.8 5.1 .0 15.4 7.7 15.4 100.046-50 196 6.1 26.0 14.3 3.1 3.1 23.0 2.0 22.4 100.0More 266 9.8 24.4 19.5 2.3 2.6 16.9 5.6 18.9 100.0than
50 years
_______________________________ Chapter 4: The Professional Practices Framework 141
The Institute of Internal Auditors Research Foundation
As shown in Table 4-20, the number of audit staff in the IAA was compared to whether the IAAhas had an external assessment. This factor appears to have a marked influence on the IAAhaving an external assessment. IAAs that have an audit staff of 1-3 indicate that 60.4% neverhave had an external assessment. This drops to 49% for a staff size of 4-6 and to 17.8% for IAAswith an audit staff of 25 or more.
Table 4-20Number of Audit Staff in the IAA Compared to
When the IAA had an External AssessmentAll Participants in Percentages
Number Number Scheduled Within 1-3 4-5 More Never The I Do Totalof of to Be the Last Years Years Than Internal Not
Staff Respondents Completed 12 Ago Ago 5 Review was KnowPrior to Months Years Not Done in
January 1, Ago Accordance2007, with
But Not StandardYet
Completed 1312
1-3 1854 5.1 7.9 4.9 1.7 1.3 60.4 5.7 13.0 100.04-6 1311 7.8 12.5 6.6 1.8 1.6 49.0 5.9 14.8 100.07-9 770 8.4 18.7 9.9 1.9 3.0 37.0 4.8 16.3 100.0
10-12 448 6.0 18.1 8.7 2.7 1.8 39.1 4.5 19.1 100.013-15 352 9.9 18.5 13.9 2.3 1.7 31.3 4.3 18.1 100.016-18 265 9.4 16.6 10.9 3.8 1.9 32.1 6.4 18.9 100.019-21 187 6.4 25.7 10.2 3.7 2.1 25.7 5.3 20.9 100.022-24 137 13.1 19.7 18.2 4.4 1.5 19.7 6.6 16.8 100.025 or 1559 10.1 26.5 16.5 2.4 1.6 17.8 3.7 21.4 100.0more
As with internal assessments, the length of time an IAA has been in existence and the number ofaudit staff in the IAA affect whether IAAs have had an external assessment.
142 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Quality Assurance and Improvement Program Activities
Respondents were asked what types of activities their IAAs used when performing internal andexternal quality assessments. Practice Advisory 1300-1, Quality Assurance and ImprovementProgram, states that the quality assurance and improvement program should include activities thatare designed to provide reasonable assurance of compliance with the Standards such as appropriatesupervision of the audit team.
The respondents were requested to indicate which of the listed activities they performed as part oftheir internal audit quality assessment and improvement program. Figure 4-7 shows the responsesgiven by staff level. As respondents could mark more than one activity the total percentage may begreater than 100%.
On average, the activities that are included most often are engagement supervision (42.7%),checklists/manuals to provide assurance that proper audit processes are followed (40.6%), andfeedback from audit customers at the end of an audit (38.5%). The least used activities areverification that the IAA is in compliance with the Standards (28.4%), review by external party(20.4%), and compliance with non-IIA standards or codes (19.0%).
_______________________________ Chapter 4: The Professional Practices Framework 143
The Institute of Internal Auditors Research Foundation
Figure 4-7Activities Performed by IAAs as Part of a QA&IP
All Respondents (8,159) in Percentages
13.4%
19.0%
20.4%
28.4%
31.1%
38.5%
40.6%
42.7%
12.2%
30.1%
0% 10% 20% 30% 40% 50%
Do not know
Not applicable
Compliance with non-IIA standards orcodes
Review by external party
Verification that the IAA is incompliance with The Standards
Reviews by other members of IAA
Internal audit professionals are in compliance with The IIA's
Code of Ethics
Feedback from audit customers at theend of an audit
Checklists/manuals to provide assurance that proper audit processes
are followed
Engagement supervision
Percentage of Respondents
Note: The responders were asked to mark all that apply so the total of the percentages may be more than 100.
144 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 4-21 shows the responses for the types of activities performed as part of a QA&IP given bystaff level.
Table 4-21Activities Performed by IAAs as Part of a QA&IP
All Respondents by Staff Level in Percentages
Activity CAE Audit Audit Audit Staff Other Average% of 2,263 Managers Senior/ % of 1,442 % of 569 % of
Respondents % of 1,845 Supervisor Respondents Respondents 8,159Respondents % of 2,040 Respon-
Respondents dents
Engagement 48.8 54.2 47.4 38.1 24.8 42.7supervisionChecklists/ 44.8 49.9 43.9 38.0 26.7 40.6manuals toprovideassurance thatproper auditprocesses arefollowedFeedback from 41.4 47.4 41.7 38.5 23.4 38.5audit customersat the end of anauditInternal audit 37.6 38.9 31.3 28.7 19.3 31.1professionals arein compliancewith The IIA’sCode of EthicsReviews by 27.2 39.1 35.6 30.9 17.9 30.1other membersof the IAAVerification that 35.6 36.7 27.6 26.0 16.5 28.4the IAA is incompliance withthe Standards
Note: The responders were asked to mark all that apply so the total of the percentages may be more than 100.
_______________________________ Chapter 4: The Professional Practices Framework 145
The Institute of Internal Auditors Research Foundation
Table 4-21 (Cont.)Activities Performed by IAAs as Part of a QA&IP
All Respondents by Staff Level in Percentages
Activity CAE Audit Audit Audit Staff Other Average% of 2,263 Managers Senior/ % of 1,442 % of 569 % of
Respondents % of 1,845 Supervisor Respondents Respondents 8,159Respondents % of 2,040 Respon-
Respondents dents
Review by 21.3 25.4 22.2 18.0 15.1 20.4external partyCompliance with 19.4 23.1 21.9 17.5 13.5 19.0non-IIAstandards orcodesNot applicable 16.4 11.8 10.9 10.1 17.8 13.4Do not know 3.4 8.2 11.9 17.5 20.0 12.2
Note: The responders were asked to mark all that apply so the total of the percentages may be more than 100.
Table 4-21-1-A in Appendix 4-B analyzes the responses by groups for the types of activitiesperformed as part of a QA&IP. Consistently throughout the groups, engagement supervision (63.9%to 32.1%), checklists/manuals (57.4% to 33.3%), and feedback from audit customers (55.3% to31.1%) are the most used activities. Least utilized items by groups include review by external party(34.0% to 12.6%) and reviews of compliance with non-IIA standards or codes (28.0% to 14.7%).These results are consistent with the summary results in Table 4-21.
Education of key personnel (audit committees and management) to make them aware of theimportance of compliance and the value that may be derived from the quality assessment processmay help to increase compliance with Standard 1300.
146 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Compliance with The IIA’s Code of Ethics
As part of the CBOK Affiliate survey, affiliates were asked whether they require their members tofollow The IIA’s Code of Ethics. Of the 46 affiliates responding to this question, all but one answeredin the affirmative. One affiliate has adopted a local version of a code of ethics. The affiliates werethen asked how they handled ethical complaints against their members. A wide variety of responseswere received. In a number of instances no complaints had ever been received so no process hadbeen put in place. In most cases, complaints were handled by an ethics or disciplinary committee,while some actions were left to the affiliate’s board of directors. In two cases, investigations wereconducted in consultation with The IIA.
Summary
A large majority of the participants in this study indicate that their IAAs are using the Standards inwhole or in part. Compliance with the Standards is affected by the length of time an individual hasbeen a member of The IIA, the number of years an organization has had an IAA, and the numberof staff in the IAA. Compliance with Standard 1300 is influenced by the period of time an organizationhas had an IAA and the size of the audit staff. A large majority of the respondents also believe thatthe guidance provided by the Standards and most Practice Advisories is adequate. Standards1300, Quality Assurance and Improvement Program, and 2600, Resolution of Management’sAcceptance of Risks, have lower levels of usage and satisfaction with the adequacy of guidanceprovided by the Standards. More or clearer guidance may be appropriate in these areas.
References
1. The Institute of Internal Auditors, A Vision for the Future: The Professional PracticesFramework for Internal Auditing (Altamonte Springs, FL: The Institute of Internal Auditors),1999.
2. The Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs,FL: The Institute of Internal Auditors), 2005.
3. The Institute of Internal Auditors, Quality Assessment Manual (Altamonte Springs, FL: TheInstitute of Internal Auditors), February 2006.
4. The Institute of Internal Auditors, The Institute of Internal Auditors Executive Summary(Altamonte Springs, FL: The Institute of Internal Auditors), September 13, 2006.
5. The Institute of Internal Auditors, IIA International Professional Practices Framework –Exposure Document (Altamonte Springs, FL: The Institute of Internal Auditors), 2007.
_______________________________ Chapter 4: The Professional Practices Framework 147
The Institute of Internal Auditors Research Foundation
APPENDIX 4-ATHE IIA’S STANDARDS, PRACTICE ADVISORIES,
AND GLOSSARY TO THE STANDARDSAS OF SEPTEMBER 20061
ATTRIBUTE STANDARDS
1000 – Purpose, Authority, and ResponsibilityThe purpose, authority, and responsibility of the internal audit activity should be formally defined ina charter, consistent with the Standards, and approved by the board.
1000.A1 – The nature of assurance services provided to the organization should be definedin the audit charter. If assurances are to be provided to parties outside the organization,the nature of these assurances should also be defined in the charter.
1000.C1 – The nature of consulting services should be defined in the audit charter.
1100 – Independence and ObjectivityThe internal audit activity should be independent, and internal auditors should be objective inperforming their work.
1110 – Organizational IndependenceThe chief audit executive should report to a level within the organization that allows the internalaudit activity to fulfill its responsibilities.
1110.A1 – The internal audit activity should be free from interference in determining thescope of internal auditing, performing work, and communicating results.
1120 – Individual ObjectivityInternal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.
1130 – Impairments to Independence or ObjectivityIf independence or objectivity is impaired in fact or appearance, the details of the impairmentshould be disclosed to appropriate parties. The nature of the disclosure will depend upon theimpairment.
1Standards are always being updated as the profession evolves.
148 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
1130.A1 – Internal auditors should refrain from assessing specific operations for whichthey were previously responsible. Objectivity is presumed to be impaired if an internalauditor provides assurance services for an activity for which the internal auditor hadresponsibility within the previous year.
1130.A2 – Assurance engagements for functions over which the chief audit executivehas responsibility should be overseen by a party outside the internal audit activity.
1130.C1 – Internal auditors may provide consulting services relating to operations forwhich they had previous responsibilities.
1130.C2 – If internal auditors have potential impairments to independence or objectivityrelating to proposed consulting services, disclosure should be made to the engagementclient prior to accepting the engagement.
1200 – Proficiency and Due Professional CareEngagements should be performed with proficiency and due professional care.
1210 – ProficiencyInternal auditors should possess the knowledge, skills, and other competencies needed to performtheir individual responsibilities. The internal audit activity collectively should possess or obtainthe knowledge, skills, and other competencies needed to perform its responsibilities.
1210.A1 – The chief audit executive should obtain competent advice and assistance if theinternal audit staff lacks the knowledge, skills, or other competencies needed to performall or part of the engagement.
1210.A2 – The internal auditor should have sufficient knowledge to identify the indicatorsof fraud but is not expected to have the expertise of a person whose primary responsibilityis detecting and investigating fraud.
1210.A3 – Internal auditors should have knowledge of key information technology risksand controls and available technology-based audit techniques to perform their assignedwork. However, not all internal auditors are expected to have the expertise of an internalauditor whose primary responsibility is information technology auditing.
1210.C1 – The chief audit executive should decline the consulting engagement or obtaincompetent advice and assistance if the internal audit staff lacks the knowledge, skills, orother competencies needed to perform all or part of the engagement.
_______________________________ Chapter 4: The Professional Practices Framework 149
The Institute of Internal Auditors Research Foundation
1220 – Due Professional CareInternal auditors should apply the care and skill expected of a reasonably prudent and competentinternal auditor. Due professional care does not imply infallibility.
1220.A1 – The internal auditor should exercise due professional care by considering the:• Extent of work needed to achieve the engagement’s objectives.• Relative complexity, materiality, or significance of matters to which assurance
procedures are applied.• Adequacy and effectiveness of risk management, control, and governance processes.• Probability of significant errors, irregularities, or noncompliance.• Cost of assurance in relation to potential benefits.
1220.A2 – In exercising due professional care the internal auditor should consider the useof computer-assisted audit tools and other data analysis techniques.
1220.A3 – The internal auditor should be alert to the significant risks that might affectobjectives, operations, or resources. However, assurance procedures alone, even whenperformed with due professional care, do not guarantee that all significant risks will beidentified.
1220.C1 – The internal auditor should exercise due professional care during a consultingengagement by considering the:• Needs and expectations of clients, including the nature, timing, and communication of
engagement results.• Relative complexity and extent of work needed to achieve the engagement’s objectives.• Cost of the consulting engagement in relation to potential benefits.
1230 – Continuing Professional DevelopmentInternal auditors should enhance their knowledge, skills, and other competencies throughcontinuing professional development.
1300 – Quality Assurance and Improvement ProgramThe chief audit executive should develop and maintain a quality assurance and improvement programthat covers all aspects of the internal audit activity and continuously monitors its effectiveness.This program includes periodic internal and external quality assessments and ongoing internalmonitoring. Each part of the program should be designed to help the internal auditing activity addvalue and improve the organization’s operations and to provide assurance that the internal auditactivity is in conformity with the Standards and the Code of Ethics.
150 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
1310 – Quality Program AssessmentsThe internal audit activity should adopt a process to monitor and assess the overall effectivenessof the quality program. The process should include both internal and external assessments.
1311 – Internal AssessmentsInternal assessments should include:• Ongoing reviews of the performance of the internal audit activity; and• Periodic reviews performed through self-assessment or by other persons within the
organization, with knowledge of internal audit practices and the Standards.
1312 – External AssessmentsExternal assessments, such as quality assurance reviews, should be conducted at leastonce every five years by a qualified, independent reviewer or review team from outsidethe organization.
1320 – Reporting on the Quality ProgramThe chief audit executive should communicate the results of external assessments to theboard.
1330 – Use of “Conducted in Accordance with the Standards”Internal auditors are encouraged to report that their activities are “conducted in accordancewith the International Standards for the Professional Practice of Internal Auditing.” However,internal auditors may use the statement only if assessments of the quality improvement programdemonstrate that the internal audit activity is in compliance with the Standards.
1340 – Disclosure of NoncomplianceAlthough the internal audit activity should achieve full compliance with the Standards andinternal auditors with the Code of Ethics, there may be instances in which full compliance isnot achieved. When noncompliance impacts the overall scope or operation of the internalaudit activity, disclosure should be made to senior management and the board.
PERFORMANCE STANDARDS
2000 – Managing the Internal Audit ActivityThe chief audit executive should effectively manage the internal audit activity to ensure it addsvalue to the organization.
2010 – PlanningThe chief audit executive should establish risk-based plans to determine the priorities of theinternal audit activity, consistent with the organization’s goals.
_______________________________ Chapter 4: The Professional Practices Framework 151
The Institute of Internal Auditors Research Foundation
2010.A1 – The internal audit activity’s plan of engagements should be based on a riskassessment, undertaken at least annually. The input of senior management and the boardshould be considered in this process.
2010.C1 – The chief audit executive should consider accepting proposed consultingengagements based on the engagement’s potential to improve management of risks, addvalue, and improve the organization’s operations. Those engagements that have beenaccepted should be included in the plan.
2020 – Communication and ApprovalThe chief audit executive should communicate the internal audit activity’s plans and resourcerequirements, including significant interim changes, to senior management and to the board forreview and approval. The chief audit executive should also communicate the impact of resourcelimitations.
2030 – Resource ManagementThe chief audit executive should ensure that internal audit resources are appropriate, sufficient,and effectively deployed to achieve the approved plan.
2040 – Policies and ProceduresThe chief audit executive should establish policies and procedures to guide the internal auditactivity.
2050 – CoordinationThe chief audit executive should share information and coordinate activities with other internaland external providers of relevant assurance and consulting services to ensure proper coverageand minimize duplication of efforts.
2060 – Reporting to the Board and Senior ManagementThe chief audit executive should report periodically to the board and senior management onthe internal audit activity’s purpose, authority, responsibility, and performance relative to itsplan. Reporting should also include significant risk exposures and control issues, corporategovernance issues, and other matters needed or requested by the board and senior management.
2100 – Nature of WorkThe internal audit activity should evaluate and contribute to the improvement of risk management,control, and governance processes using a systematic and disciplined approach.
152 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
2110 – Risk ManagementThe internal audit activity should assist the organization by identifying and evaluating significantexposures to risk and contributing to the improvement of risk management and control systems.
2110.A1 – The internal audit activity should monitor and evaluate the effectiveness of theorganization’s risk management system.
2110.A2 – The internal audit activity should evaluate risk exposures relating to theorganization’s governance, operations, and information systems regarding the:• Reliability and integrity of financial and operational information.• Effectiveness and efficiency of operations.• Safeguarding of assets.• Compliance with laws, regulations, and contracts.
2110.C1 – During consulting engagements, internal auditors should address risk consistentwith the engagement’s objectives and be alert to the existence of other significant risks.
2110.C2 – Internal auditors should incorporate knowledge of risks gained from consultingengagements into the process of identifying and evaluating significant risk exposures ofthe organization.
2120 – ControlThe internal audit activity should assist the organization in maintaining effective controls byevaluating their effectiveness and efficiency and by promoting continuous improvement.
2120.A1 – Based on the results of the risk assessment, the internal audit activity shouldevaluate the adequacy and effectiveness of controls encompassing the organization’sgovernance, operations, and information systems. This should include:• Reliability and integrity of financial and operational information.• Effectiveness and efficiency of operations.• Safeguarding of assets.• Compliance with laws, regulations, and contracts.
2120.A2 – Internal auditors should ascertain the extent to which operating and programgoals and objectives have been established and conform to those of the organization.
2120.A3 – Internal auditors should review operations and programs to ascertain the extentto which results are consistent with established goals and objectives to determine whetheroperations and programs are being implemented or performed as intended.
_______________________________ Chapter 4: The Professional Practices Framework 153
The Institute of Internal Auditors Research Foundation
2120.A4 – Adequate criteria are needed to evaluate controls. Internal auditors shouldascertain the extent to which management has established adequate criteria to determinewhether objectives and goals have been accomplished. If adequate, internal auditorsshould use such criteria in their evaluation. If inadequate, internal auditors should workwith management to develop appropriate evaluation criteria.
2120.C1 – During consulting engagements, internal auditors should address controlsconsistent with the engagement’s objectives and be alert to the existence of any significantcontrol weaknesses.
2120.C2 – Internal auditors should incorporate knowledge of controls gained fromconsulting engagements into the process of identifying and evaluating significant riskexposures of the organization.
2130 – GovernanceThe internal audit activity should assess and make appropriate recommendations for improvingthe governance process in its accomplishment of the following objectives:• Promoting appropriate ethics and values within the organization.• Ensuring effective organizational performance management and accountability.• Effectively communicating risk and control information to appropriate areas of the
organization.• Effectively coordinating the activities of and communicating information among the board,
external and internal auditors, and management.
2130.A1 – The internal audit activity should evaluate the design, implementation, andeffectiveness of the organization’s ethics-related objectives, programs, and activities.
2130.C1 – Consulting engagement objectives should be consistent with the overall valuesand goals of the organization.
2200 – Engagement PlanningInternal auditors should develop and record a plan for each engagement, including the scope,objectives, timing, and resource allocations.
2201 – Planning ConsiderationsIn planning the engagement, internal auditors should consider:• The objectives of the activity being reviewed and the means by which the activity controls
its performance.
154 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
• The significant risks to the activity, its objectives, resources, and operations and the meansby which the potential impact of risk is kept to an acceptable level.
• The adequacy and effectiveness of the activity’s risk management and control systemscompared to a relevant control framework or model.
• The opportunities for making significant improvements to the activity’s risk managementand control systems.
2201.A1 – When planning an engagement for parties outside the organization, internalauditors should establish a written understanding with them about objectives, scope,respective responsibilities, and other expectations, including restrictions on distribution ofthe results of the engagement and access to engagement records.
2201.C1 – Internal auditors should establish an understanding with consulting engagementclients about objectives, scope, respective responsibilities, and other client expectations.For significant engagements, this understanding should be documented.
2210 – Engagement ObjectivesObjectives should be established for each engagement.
2210.A1 – Internal auditors should conduct a preliminary assessment of the risks relevantto the activity under review. Engagement objectives should reflect the results of thisassessment.
2210.A2 – The internal auditor should consider the probability of significant errors,irregularities, noncompliance, and other exposures when developing the engagementobjectives.
2210.C1 – Consulting engagement objectives should address risks, controls, andgovernance processes to the extent agreed upon with the client.
2220 – Engagement ScopeThe established scope should be sufficient to satisfy the objectives of the engagement.
2220.A1 – The scope of the engagement should include consideration of relevant systems,records, personnel, and physical properties, including those under the control of third parties.
2220.A2 – If significant consulting opportunities arise during an assurance engagement, aspecific written understanding as to the objectives, scope, respective responsibilities, andother expectations should be reached and the results of the consulting engagementcommunicated in accordance with consulting standards.
_______________________________ Chapter 4: The Professional Practices Framework 155
The Institute of Internal Auditors Research Foundation
2220.C1 – In performing consulting engagements, internal auditors should ensure that thescope of the engagement is sufficient to address the agreed-upon objectives. If internalauditors develop reservations about the scope during the engagement, these reservationsshould be discussed with the client to determine whether to continue with the engagement.
2230 – Engagement Resource AllocationInternal auditors should determine appropriate resources to achieve engagement objectives.Staffing should be based on an evaluation of the nature and complexity of each engagement,time constraints, and available resources.
2240 – Engagement Work ProgramInternal auditors should develop work programs that achieve the engagement objectives. Thesework programs should be recorded.
2240.A1 – Work programs should establish the procedures for identifying, analyzing,evaluating, and recording information during the engagement. The work program shouldbe approved prior to its implementation, and any adjustments approved promptly.
2240.C1 – Work programs for consulting engagements may vary in form and contentdepending upon the nature of the engagement.
2300 – Performing the EngagementInternal auditors should identify, analyze, evaluate, and record sufficient information to achieve theengagement’s objectives.
2310 – Identifying InformationInternal auditors should identify sufficient, reliable, relevant, and useful information to achievethe engagement’s objectives.
2320 – Analysis and EvaluationInternal auditors should base conclusions and engagement results on appropriate analysesand evaluations.
2330 – Recording InformationInternal auditors should record relevant information to support the conclusions and engagementresults.
2330.A1 – The chief audit executive should control access to engagement records. Thechief audit executive should obtain the approval of senior management and/or legal counselprior to releasing such records to external parties, as appropriate.
156 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
2330.A2 – The chief audit executive should develop retention requirements for engagementrecords. These retention requirements should be consistent with the organization’s guidelinesand any pertinent regulatory or other requirements.
2330.C1 – The chief audit executive should develop policies governing the custody andretention of engagement records, as well as their release to internal and external parties.These policies should be consistent with the organization’s guidelines and any pertinentregulatory or other requirements.
2340 – Engagement SupervisionEngagements should be properly supervised to ensure objectives are achieved, quality is assured,and staff is developed.
2400 – Communicating ResultsInternal auditors should communicate the engagement results.
2410 – Criteria for CommunicatingCommunications should include the engagement’s objectives and scope as well as applicableconclusions, recommendations, and action plans.
2410.A1 – Final communication of engagement results should, where appropriate, containthe internal auditor’s overall opinion and or conclusions.
2410.A2 – Internal auditors are encouraged to acknowledge satisfactory performance inengagement communications.
2410.A3 – When releasing engagement results to parties outside the organization, thecommunication should include limitations on distribution and use of the results.
2410.C1 – Communication of the progress and results of consulting engagements willvary in form and content depending upon the nature of the engagement and the needs ofthe client.
2420 – Quality of CommunicationsCommunications should be accurate, objective, clear, concise, constructive, complete, andtimely.
_______________________________ Chapter 4: The Professional Practices Framework 157
The Institute of Internal Auditors Research Foundation
2421 – Errors and OmissionsIf a final communication contains a significant error or omission, the chief audit executiveshould communicate corrected information to all parties who received the originalcommunication.
2430 – Engagement Disclosure of Noncompliance with the StandardsWhen noncompliance with the Standards impacts a specific engagement, communication ofthe results should disclose the:• Standard(s) with which full compliance was not achieved,• Reason(s) for noncompliance, and• Impact of noncompliance on the engagement
2440 – Disseminating ResultsThe chief audit executive should communicate results to the appropriate parties.
2440.A1 – The chief audit executive is responsible for communicating the final results toparties who can ensure that the results are given due consideration.
2440.A2 – If not otherwise mandated by legal, statutory, or regulatory requirements, priorto releasing results to parties outside the organization, the chief executive should:• Assess the potential risk to the organization.• Consult with senior management and/or legal counsel as appropriate.• Control dissemination by restricting the use of the results.
2440.C1 – The chief audit executive is responsible for communicating the final results ofconsulting engagements to clients.
2440.C2 – During consulting engagements, risk management, control, and governanceissues may be identified. Whenever these issues are significant to the organization, theyshould be communicated to senior management and the board.
2500 – Monitoring ProgressThe chief audit executive should establish and maintain a system to monitor the disposition ofresults communicated to management.
2500.A1 – The chief audit executive should establish a follow-up process to monitor andensure that management actions have been effectively implemented or that seniormanagement has accepted the risk of not taking action.
158 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
2500.C1 – The internal audit activity should monitor the disposition of results of consultingengagements to the extent agreed upon with the client.
2600 – Resolution of Management’s Acceptance of RisksWhen the chief audit executive believes that senior management has accepted a level of residualrisk that may be unacceptable to the organization, the chief audit executive should discuss thematter with senior management. If the decision regarding residual risk is not resolved, the chiefaudit executive and senior management should report the matter to the board for resolution.
Practice Advisories
Attribute StandardsPA 1000-1 Internal Audit CharterPA 1000.C1-1 Principles Guiding the Performance of Consulting Activities of Internal AuditorsPA 1000.C1-2 Additional Considerations for Formal Consulting EngagementsPA 1100-1 Independence and ObjectivityPA 1110-1 Organizational IndependencePA 1110-2 Chief Audit Executive (CAE) Reporting LinesPA 1110.A1-1 Disclosing Reasons for Information RequestsPA 1120-1 Individual ObjectivityPA 1130-1 Impairments to Independence or ObjectivityPA 1130.A1-1 Assessing Operations for Which Internal Auditors Were Previously ResponsiblePA 1130.A1-2 Internal Auditing’s Responsibility for Other (Non-audit) FunctionsPA 1200-1 Proficiency and Due Professional CarePA 1210-1 ProficiencyPA 1210.A1-1 Obtaining Services to Support or Complement the Internal Audit ActivityPA 1210.A2-1 Identification of FraudPA 1210.A2-2 Responsibility for Fraud DetectionPA 1220-1 Due Professional CarePA 1230-1 Continuing Professional DevelopmentPA 1300-1 Quality Assurance and Improvement ProgramPA 1310-1 Quality Program AssessmentsPA 1311-1 Internal AssessmentsPA 1312-1 External AssessmentsPA 1312-2 External Assessments Self-assessment with Independent ValidationPA 1320-1 Reporting on the Quality ProgramPA 1330-1 Use of “Conducted in Accordance with the Standards”
_______________________________ Chapter 4: The Professional Practices Framework 159
The Institute of Internal Auditors Research Foundation
Performance StandardsPA 2000-1 Managing the Internal Audit ActivityPA 2010-1 PlanningPA 2010-2 Linking the Audit Plan to Risk and ExposuresPA 2020-1 Communication and ApprovalPA 2030-1 Resource ManagementPA 2040-1 Policies and ProceduresPA 2050-1 CoordinationPA 2050-2 Acquisition of External Audit ServicesPA 2060-1 Reporting to Board and Senior ManagementPA 2060-2 Relationship with the Audit CommitteePA 2100-1 Nature of WorkPA 2100-2 Information SecurityPA 2100-3 Internal Auditing’s Role in the Risk Management ProcessPA 2100-4 Internal Auditing’s Role in Organizations Without a Risk Management ProcessPA 2100-5 Legal Considerations in Evaluating Regulatory Compliance ProgramsPA 2100-6 Control and Audit Implications of E-commerce ActivitiesPA 2100-7 Internal Auditing’s Role in Identifying and Reporting Environmental RisksPA 2100-8 Internal Auditing’s Role in Evaluating an Organization’s Privacy FrameworkPA 2110-1 Assessing the Adequacy of Risk Management ProcessesPA 2110-2 Internal Auditing’s Role in the Business Continuity ProcessPA 2120.A1-1 Assessing and Reporting on Control ProcessesPA 2120.A1-2 Using Control Self-assessment for Assessing the Adequacy of Control
ProcessesPA 2120.A1-3 Internal Auditing’s Role in Quarterly Financial Reporting, Disclosures,
and Management CertificationsPA 2120.A1-4 Auditing the Financial Reporting ProcessPA 2120.A4-1 Control CriteriaPA 2130-1 Role of the Internal Audit Activity and Internal Auditor in the Ethical Culture
of an OrganizationPA 2200-1 Engagement PlanningPA 2210-1 Engagement ObjectivesPA 2210.A1-1 Risk Assessment in Engagement PlanningPA 2230-1 Engagement Resource AllocationPA 2240-1 Engagement Work ProgramPA 2240.A1-1 Approval of Work Programs
160 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
PA 2300-1 Internal Auditing’s Use of Personal Information in Conducting AuditsPA 2310-1 Identifying InformationPA 2320-1 Analysis and EvaluationPA 2330-1 Recording InformationPA 2330.A1-1 Control of Engagement RecordsPA 2330.A1-2 Legal Considerations in Granting Access to Engagement RecordsPA 2330.A2-1 Retention of RecordsPA 2340-1 Engagement SupervisionPA 2400-1 Legal Considerations in Communicating ResultsPA 2410-1 Communication CriteriaPA 2420-1 Quality of CommunicationsPA 2440-1 Recipients of Engagement ResultsPA 2440-2 Communications Outside the OrganizationPA 2440-3 Communicating Sensitive Information Within and Outside the Chain
of CommandPA 2500-1 Monitoring ProgressPA 2500.A1-1 Follow-up ProcessPA 2600-1 Management’s Acceptance of Risks
_______________________________ Chapter 4: The Professional Practices Framework 161
The Institute of Internal Auditors Research Foundation
GLOSSARY TO THE STANDARDS
Add ValueValue is provided by improving opportunities to achieve organizational objectives, identifyingoperational improvement, and/or reducing risk exposure through both assurance and consultingservices.
Adequate ControlPresent if management has planned and organized (designed) in a manner that provides reasonableassurance that the organization’s risks have been managed effectively and that the organization’sgoals and objectives will be achieved efficiently and economically.
Assurance ServicesAn objective examination of evidence for the purpose of providing an independent assessment onrisk management, control, or governance processes for the organization. Examples may includefinancial, performance, compliance, system security, and due diligence engagements.
BoardA board is an organization’s governing body, such as a board of directors, supervisory board, headof an agency or legislative body, board of governors or trustees of a nonprofit organization, or anyother designated body of the organization, including the audit committee, to whom the chief auditexecutive may functionally report.
CharterThe charter of the internal audit activity is a formal written document that defines the activity’spurpose, authority, and responsibility. The charter should (a) establish the internal audit activity’sposition within the organization; (b) authorize access to records, personnel, and physical propertiesrelevant to the performance of engagements; and (c) define the scope of internal audit activities.
Chief Audit ExecutiveTop position within the organization responsible for internal audit activities. Normally, this would bethe internal audit director. In the case where internal audit activities are obtained from outsideservice providers, the chief audit executive is the person responsible for overseeing the servicecontract and the overall quality assurance of these activities, reporting to senior management andthe board regarding internal audit activities, and follow-up of engagement results. The term alsoincludes such titles as general auditor, chief internal auditor, and inspector general.
162 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Code of EthicsThe Code of Ethics of The Institute of Internal Auditors (IIA) are Principles relevant to the professionand practice of internal auditing, and Rules of Conduct that describe behavior expected of internalauditors. The Code of Ethics applies to both parties and entities that provide internal audit services.The purpose of the Code of Ethics is to promote an ethical culture in the global profession ofinternal auditing.
ComplianceConformity and adherence to policies, plans, procedures, laws, regulations, contracts, or otherrequirements.
Conflict of InterestAny relationship that is or appears to be not in the best interest of the organization. A conflict ofinterest would prejudice an individual’s ability to perform his or her duties and responsibilitiesobjectively.
Consulting ServicesAdvisory and related client service activities, the nature and scope of which are agreed with theclient and which are intended to add value and improve an organization’s governance, riskmanagement, and control processes without the internal auditor assuming management responsibility.Examples include counsel, advice, facilitation, and training.
ControlAny action taken by management, the board, and other parties to manage risk and increase thelikelihood that established objectives and goals will be achieved. Management plans, organizes,and directs the performance of sufficient actions to provide reasonable assurance that objectivesand goals will be achieved.
Control EnvironmentThe attitude and actions of the board and management regarding the significance of control withinthe organization. The control environment provides the discipline and structure for the achievementof the primary objectives of the system of internal control. The control environment includes thefollowing elements:
• Integrity and ethical values.• Management’s philosophy and operating style.• Organizational structure.• Assignment of authority and responsibility.• Human resource policies and practices.• Competence of personnel.
_______________________________ Chapter 4: The Professional Practices Framework 163
The Institute of Internal Auditors Research Foundation
Control ProcessesThe policies, procedures, and activities that are part of a control framework, designed to ensurethat risks are contained within the risk tolerances established by the risk management process.
EngagementA specific internal audit assignment, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy. An engagement may include multiple tasksor activities designed to accomplish a specific set of related objectives.
Engagement ObjectivesBroad statements developed by internal auditors that define intended engagement accomplishments.
Engagement Work ProgramA document that lists the procedures to be followed during an engagement, designed to achieve theengagement plan.
External Service ProviderA person or firm, outside of the organization, who has special knowledge, skill, and experience in aparticular discipline.
FraudAny illegal acts characterized by deceit, concealment, or violation of trust. These acts are notdependent upon the application of threat of violence or of physical force. Frauds are perpetratedby parties and organizations to obtain money, property, or services; to avoid payment or loss ofservices; or to secure personal or business advantage.
GovernanceThe combination of processes and structures implemented by the board in order to inform, direct,manage, and monitor the activities of the organization toward the achievement of its objectives.
ImpairmentsImpairments to individual objectivity and organizational independence may include personal conflictsof interest, scope limitations, restrictions on access to records, personnel, and properties, andresource limitations (funding).
IndependenceThe freedom from conditions that threaten objectivity or the appearance of objectivity. Suchthreats to objectivity must be managed at the individual auditor, engagement, functional, andorganizational levels.
164 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Internal Audit ActivityA department, division, team of consultants, or other practitioner(s) that provides independent,objective assurance and consulting services designed to add value and improve an organization’soperations. The internal audit activity helps an organization accomplish its objectives by bringing asystematic, disciplined approach to evaluate and improve the effectiveness of risk management,control, and governance processes.
ObjectivityAn unbiased mental attitude that allows internal auditors to perform engagements in such a mannerthat they have an honest belief in their work product and that no significant quality compromisesare made. Objectivity requires internal auditors not to subordinate their judgment on audit mattersto that of others.
Residual RiskThe risk remaining after management takes action to reduce the impact and likelihood of an adverseevent, including control activities in responding to a risk.
RiskThe possibility of an event occurring that will have an impact on the achievement of objectives.Risk is measured in terms of impact and likelihood.
Risk ManagementA process to identify, assess, manage, and control potential events or situations to provide reasonableassurance regarding the achievement of the organization’s objectives.
ShouldThe use of the word “should” in the Standards represents a mandatory obligation.
StandardA professional pronouncement promulgated by the Internal Auditing Standards Board that delineatesthe requirements for performing a broad range of internal audit activities, and for evaluating internalaudit performance.
_______________________________ Chapter 4: The Professional Practices Framework 165
The Institute of Internal Auditors Research Foundation
APPENDIX 4-B
Table 4-3-1-AIAA is in Full Compliance with The Standards
All Respondents in Percentages
Standard Number of Full Partial Not in Do NotRespondents Compliance Compliance Compliance Know
1000 – Purpose, Authority, 5,947 63.0 25.0 2.2 9.8and Responsibility1100 – Independence and 5,953 66.9 22.2 2.7 8.2Objectivity1200 – Proficiency and Due 5,923 62.9 26.1 2.0 9.0Professional Care1300 – Quality Assurance 5,896 40.0 35.7 12.1 12.2and Improvement Program2000 – Managing the 5,900 57.6 28.9 3.3 10.2Internal Audit Activity2100 – Nature of Work 5,844 57.5 28.7 2.3 11.52200 – Engagement Planning 5,886 57.7 29.0 2.9 10.42300 – Performing the 5,881 59.7 28.2 1.9 10.2Engagement2400 – Communicating 5,896 64.1 24.6 2.0 9.3Results2500 – Monitoring Progress 5,873 52.6 32.1 4.4 10.92600 – Resolution of 5,873 46.9 30.7 7.4 15.0Management’s Acceptanceof Risks
166 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 4-3-2-AIAA is in Full Compliance with the Standards
CAE Respondents in Percentages
Standard Number of Full Partial Not in Do NotRespondents Compliance Compliance Compliance Know
1000 – Purpose, Authority, 1,765 68.1 26.7 2.0 3.2and Responsibility1100 – Independence and 1,772 73.6 22.0 2.1 2.3Objectivity1200 – Proficiency and Due 1,760 67.0 28.3 1.5 3.2Professional Care1300 – Quality Assurance 1,746 33.2 45.0 16.1 5.7and Improvement Program2000 – Managing the 1,754 61.8 32.0 2.7 3.5Internal Audit Activity2100 – Nature of Work 1,730 59.3 32.8 2.6 5.32200 – Engagement Planning 1,749 60.4 32.5 2.7 4.42300 – Performing the 1,743 62.1 31.8 1.9 4.2Engagement2400 – Communicating 1,738 68.6 26.2 2.1 3.1Results2500 – Monitoring Progress 1,730 56.1 35.5 4.1 4.32600 – Resolution of 1,742 49.0 35.0 8.0 8.0Management’s Acceptanceof Risks
_______________________________ Chapter 4: The Professional Practices Framework 167
The Institute of Internal Auditors Research Foundation
Table 4-3-3-AIAA is in Full Compliance with the Standards
Practitioner Respondents in Percentages
Standard Number of Full Partial Not in Do NotRespondents Compliance Compliance Compliance Know
1000 – Purpose, Authority, 4,169 60.8 24.2 2.3 12.7and Responsibility1100 – Independence and 4,167 64.1 22.2 2.9 10.8Objectivity1200 – Proficiency and 4,149 61.1 25.1 2.1 11.7Due Professional Care1300 – Quality Assurance 4,136 43.0 31.7 10.4 14.9and Improvement Program2000 – Managing the 4,132 55.8 27.5 3.6 13.1Internal Audit Activity2100 – Nature of Work 4,101 56.8 26.9 2.2 14.12200 – Engagement Planning 4,123 56.7 27.5 2.9 13.02300 – Performing the 4,124 58.7 26.7 1.9 12.7Engagement2400 – Communicating 4,144 62.3 23.8 2.0 11.9Results2500 – Monitoring Progress 4,130 51.3 30.6 4.5 13.62600 – Resolution of 4,117 46.1 28.8 7.0 18.1Management’s Acceptanceof Risks
168 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 4-3-4-AIAA is in Full Compliance with the Standards by Groups*
All Respondents in Percentages
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 68.9 61.8 62.7 51.0 58.1 60.9 58.7 61.7 62.8 63.6 62.4 55.9 48.31100 70.6 66.2 65.4 54.3 61.8 71.1 66.9 66.7 66.2 70.0 73.2 63.6 54.01200 69.1 69.2 63.3 46.5 52.9 60.5 64.9 59.9 60.5 56.9 61.3 55.9 50.61300 47.2 37.7 40.2 25.9 35.5 34.3 38.7 35.2 32.0 30.0 29.5 21.2 33.32000 63.8 60.1 57.4 47.0 52.5 56.4 55.9 52.5 50.7 56.0 57.3 48.4 43.82100 64.7 61.3 55.4 44.3 46.6 50.0 57.2 56.7 51.3 49.5 57.6 44.8 45.22200 63.3 59.1 58.9 33.3 54.6 52.2 57.6 58.3 56.6 50.0 56.6 56.3 46.52300 67.3 60.4 61.5 35.0 51.0 55.6 57.8 60.5 55.8 47.7 52.4 40.6 46.72400 69.7 66.2 67.9 41.3 56.9 63.5 61.6 63.9 60.5 56.0 64.4 68.8 51.32500 60.1 57.1 51.7 31.2 48.2 53.8 47.6 47.7 50.6 39.8 53.1 50.0 40.22600 57.9 48.1 50.0 29.1 33.6 41.3 37.7 37.3 35.5 36.4 46.6 40.6 33.4
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
Table 4-3-5-AIAA Partially Complies with the Standards by Groups*
All Respondents in Percentages
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 14.2 23.7 27.8 43.7 34.8 33.2 34.9 29.9 26.9 27.3 31.5 38.2 38.31100 13.9 21.4 25.3 38.8 31.8 24.3 28.1 27.2 16.9 23.6 22.8 33.3 32.81200 15.0 20.5 28.2 46.5 39.7 33.0 29.8 34.4 28.9 33.9 32.0 41.2 37.31300 25.8 40.9 38.3 53.8 43.7 43.7 43.1 38.1 38.7 46.4 53.7 51.5 43.72000 19.0 29.4 29.8 43.7 35.2 35.4 37.6 38.7 34.7 28.4 34.0 48.4 39.72100 17.0 26.0 32.4 45.5 42.8 38.6 36.1 35.8 36.8 36.7 32.6 48.3 39.32200 18.7 27.9 30.5 57.3 35.3 37.9 37.0 34.3 31.6 38.9 33.6 40.6 38.32300 16.1 29.2 29.8 55.7 39.6 35.0 37.8 33.1 33.8 41.3 39.9 53.1 38.52400 14.5 23.4 23.6 51.0 33.2 30.9 32.6 30.1 31.6 36.7 27.4 28.1 35.32500 21.3 29.9 35.8 51.8 39.2 35.5 43.1 40.6 33.8 48.1 36.7 43.8 40.72600 19.8 33.1 32.1 48.6 42.0 37.7 43.9 37.6 34.2 37.3 36.5 37.5 38.5
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
_______________________________ Chapter 4: The Professional Practices Framework 169
The Institute of Internal Auditors Research Foundation
Table 4-3-6-AIAA is Not in Compliance with the Standards by Groups*
All Respondents in Percentages
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 1.1 3.9 2.1 1.6 2.6 2.0 3.4 4.0 5.1 1.8 0.7 5.9 3.81100 1.6 3.2 3.7 4.1 3.1 1.6 3.6 3.1 11.7 0.0 0.0 3.0 5.51200 1.1 1.3 1.9 3.7 3.1 1.6 3.7 2.1 5.3 3.7 1.3 2.9 2.91300 9.1 9.1 12.9 14.2 12.6 15.3 14.3 18.2 16.0 14.5 12.1 24.2 11.92000 1.5 1.3 5.4 4.0 5.8 3.9 4.2 4.4 8.0 4.6 3.3 3.2 5.42100 1.2 1.3 3.1 3.3 2.9 3.4 3.9 2.4 6.6 4.6 2.1 3.4 3.92200 1.9 1.9 3.4 3.7 4.3 3.3 3.4 3.8 5.3 2.8 3.5 0.0 3.62300 1.2 0.6 1.7 2.8 3.6 2.0 1.7 2.3 3.9 2.8 1.4 6.3 3.92400 1.2 0.6 1.7 3.6 5.1 1.0 3.6 2.4 2.6 0.9 2.7 0.0 2.72500 2.4 0.6 5.2 8.1 6.3 4.0 6.8 6.4 7.8 5.6 4.1 6.3 7.32600 3.1 4.5 7.4 9.7 13.3 8.0 13.2 10.9 21.1 10.0 8.8 18.8 10.2
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
170 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 4-6-1-AStandards Guidance is Adequate
CAE Respondents in Percentages
Standard Number of Yes No Do Not Do NotRespondents Use Know
1000 – Purpose, Authority, and 1,791 93.3 1.1 2.7 2.9Responsibility1100 – Independence and Objectivity 1,775 94.1 2.1 1.5 2.31200 – Proficiency and Due Professional 1,767 92.9 1.7 2.5 2.9Care1300 – Quality Assurance and 1,761 81.5 6.1 8.7 3.7Improvement Program2000 – Managing the Internal Audit 1,755 90.0 3.6 3.3 3.1Activity2100 – Nature of Work 1,738 88.0 3.7 3.9 4.42200 – Engagement Planning 1,752 89.4 3.3 4.2 3.12300 – Performing the Engagement 1,744 89.3 3.9 3.7 3.12400 – Communicating Results 1,751 91.3 3.2 2.9 2.62500 – Monitoring Progress 1,732 88.4 4.0 4.1 3.52600 – Resolution of Management’s 1,729 81.3 6.5 6.9 5.3Acceptance of RisksOverall Average 89.0 3.6 4.0 3.4
_______________________________ Chapter 4: The Professional Practices Framework 171
The Institute of Internal Auditors Research Foundation
Table 4-6-2-AStandards Guidance is Adequate
Practitioner Responses in Percentages
Standard Number of Yes No Do Not Do NotRespondents Use Know
1000 – Purpose, Authority, and 4,266 83.2 1.3 2.7 12.8Responsibility1100 – Independence and Objectivity 4,240 85.6 1.6 1.7 11.11200 – Proficiency and Due Professional 4,227 84.5 1.7 2.2 11.6Care1300 – Quality Assurance and 4,207 75.6 4.7 5.3 14.4Improvement Program2000 – Managing the Internal Audit 4,215 81.0 2.9 3.3 12.8Activity2100 – Nature of Work 4,178 79.8 2.9 3.3 14.02200 – Engagement Planning 4,198 81.2 3.3 2.8 12.72300 – Performing the Engagement 4,187 81.5 3.5 2.7 12.32400 – Communicating Results 4,190 82.6 3.1 2.4 11.92500 – Monitoring Progress 4,171 79.1 4.1 3.9 12.92600 – Resolution of Management’s 4,179 73.8 5.2 4.7 16.3Acceptance of RisksOverall Average 80.7 3.1 3.2 13.0
172 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 4-6-3-AStandards Guidance is Adequate by Groups*
All Respondents in Percentages
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 81.9 83.8 88.1 90.7 91.6 90.5 90.8 92.7 93.2 91.5 88.0 100.0 81.51100 83.7 84.1 89.5 91.5 93.6 92.7 94.3 93.9 93.2 91.6 91.1 100.0 85.21200 82.6 87.3 88.3 92.7 89.9 91.1 93.1 93.2 91.5 89.5 88.4 97.1 83.81300 75.6 78.3 79.1 79.3 77.7 77.7 86.9 77.3 72.5 77.6 81.2 91.4 72.92000 80.8 82.9 83.7 86.1 85.7 89.4 90.4 89.4 80.3 85.7 83.2 97.1 78.12100 78.9 82.2 81.1 84.3 82.4 84.0 89.4 90.5 81.7 82.9 85.0 96.9 78.92200 80.1 81.0 84.8 82.7 88.2 84.1 92.2 91.3 76.8 86.7 87.5 91.2 78.82300 81.0 82.1 83.7 82.7 87.1 86.6 91.2 91.7 76.8 84.6 86.8 85.3 78.22400 81.5 83.3 86.9 86.8 88.6 88.6 92.0 91.7 78.3 88.5 88.8 97.1 80.32500 79.1 82.1 83.4 79.7 85.6 85.4 88.1 87.6 74.3 79.8 86.2 91.2 75.92600 75.7 74.4 79.3 75.2 72.6 74.8 83.6 77.3 64.8 76.9 78.4 90.9 69.8
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
Table 4-6-4-AStandards Guidance is Adequate by Groups*
CAE Respondents in Percentages
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 92.2 92.9 96.8 96.1 92.4 94.9 91.9 95.5 93.5 100.0 93.3 100.0 87.81100 92.4 91.2 96.7 96.1 96.5 96.6 96.0 95.9 93.5 100.0 95.0 100.0 88.51200 91.9 98.6 95.2 97.4 91.1 94.9 92.8 92.7 93.3 97.1 89.8 100.0 89.41300 82.5 83.8 86.9 87.0 75.7 76.7 89.5 74.9 75.9 82.9 86.7 100.0 78.92000 90.6 92.6 91.8 90.8 88.2 92.2 88.5 91.6 82.8 91.4 86.7 100.0 81.92100 88.2 92.6 86.9 90.5 80.6 84.8 91.6 91.0 82.1 94.3 89.7 100.0 83.92200 89.0 87.0 87.4 89.3 90.3 84.3 92.6 93.0 89.3 94.3 91.4 100.0 85.42300 89.6 89.7 88.2 89.3 88.8 87.7 89.7 92.5 79.3 94.3 91.1 87.5 82.82400 90.6 91.2 90.9 92.1 93.1 93.9 92.7 93.0 82.8 97.1 91.2 100.0 85.12500 89.1 89.6 86.9 86.5 91.5 89.6 89.5 90.0 80.0 82.4 89.3 87.5 79.82600 84.7 79.1 83.6 81.1 69.0 80.7 84.4 80.9 66.7 85.7 78.9 100.0 74.5
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
_______________________________ Chapter 4: The Professional Practices Framework 173
The Institute of Internal Auditors Research Foundation
Table 4-6-5-AStandards Guidance is Adequate by Groups*
Practitioner Respondents in Percentages
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 77.9 76.7 85.5 88.6 91.0 87.9 90.3 91.3 93.0 87.3 84.7 100.0 79.51100 80.4 78.7 87.3 89.8 91.8 90.4 93.7 93.0 92.9 87.5 88.7 100.0 84.01200 79.1 78.7 86.1 90.4 89.1 88.8 93.2 93.5 90.2 85.9 87.5 96.3 82.01300 73.0 74.2 76.9 76.5 78.6 78.1 86.0 78.5 70.0 75.0 77.7 88.9 71.22000 77.0 75.6 81.3 84.3 84.1 87.8 91.0 88.2 78.6 82.9 81.1 96.2 76.92100 75.3 74.2 79.3 81.8 83.2 83.5 88.6 90.3 81.4 77.1 82.1 95.8 77.32200 76.6 76.4 84.0 80.6 86.9 83.9 92.0 90.5 68.3 82.9 85.1 88.5 76.72300 77.7 76.1 82.3 79.4 85.9 85.8 91.7 91.4 75.0 79.7 84.2 84.6 77.02400 78.0 77.3 85.7 84.1 86.0 85.4 91.7 91.1 75.0 84.1 87.4 96.2 78.82500 75.2 76.4 82.3 77.4 82.1 82.8 87.6 86.4 70.0 78.6 84.4 92.3 74.92600 72.3 70.8 78.0 72.7 74.2 71.2 83.3 75.5 63.4 72.5 78.1 88.0 68.5
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
Table 4-6-6-AStandards Guidance is Not Adequate by Groups*
All Respondents in Percentages
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 0.8 1.3 1.3 2.0 1.0 1.3 1.9 1.0 0.0 0.0 2.5 0.0 3.21100 1.3 5.1 2.2 2.4 1.0 1.6 1.9 1.5 0.0 0.9 2.5 0.0 3.51200 1.5 1.9 2.4 1.2 2.5 1.0 1.7 0.4 1.4 2.9 2.6 2.9 3.21300 3.8 4.5 7.9 7.7 5.7 6.5 1.9 5.1 2.9 9.3 7.8 2.9 8.22000 2.1 5.1 4.0 4.9 3.2 2.2 2.5 2.5 9.9 4.8 7.7 0.0 4.72100 2.4 2.5 5.7 4.1 3.7 3.9 3.3 1.4 7.0 5.7 4.6 0.0 4.32200 2.4 4.4 3.8 5.3 2.9 4.2 2.5 2.1 14.5 5.7 4.6 2.9 5.62300 2.2 5.1 5.3 5.3 5.5 3.0 2.8 2.1 13.0 7.7 5.3 8.8 6.62400 2.4 3.8 3.4 3.7 4.0 3.2 3.6 2.4 11.6 3.8 3.3 0.0 4.72500 3.1 3.2 5.1 5.8 3.8 3.2 3.6 3.0 14.3 10.6 5.3 5.9 7.32600 4.1 7.1 6.1 6.2 8.5 5.9 5.3 5.0 9.9 7.7 9.2 3.0 8.7
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
174 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 4-7-1-AIAA Does Not Use Practice Advisories by Groups*
All Respondents in Percentages
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 15.2 11.5 10.6 8.7 7.3 17.1 10.0 7.6 12.5 12.2 7.3 3.4 13.31100 14.6 12.3 11.0 7.3 7.0 16.0 7.1 6.7 14.3 10.2 7.3 3.4 11.61200 15.2 13.8 11.0 7.7 8.1 18.6 7.9 7.5 13.1 11.1 7.5 6.9 11.61300 17.5 18.0 12.6 15.9 16.8 20.6 16.0 20.1 27.0 16.9 15.8 13.8 16.92000 15.6 15.3 12.1 7.2 10.0 18.9 10.5 9.3 14.5 10.2 8.9 3.4 14.22100 16.4 17.0 11.6 9.6 11.8 22.2 8.6 9.3 11.1 11.4 9.0 3.4 16.42200 15.7 19.0 12.4 10.0 8.4 20.8 8.1 7.1 12.9 12.4 7.4 3.4 15.82300 15.4 17.5 11.6 10.1 7.9 18.7 8.7 7.1 11.1 11.4 6.6 6.9 15.62400 15.4 15.6 11.1 7.9 9.7 16.7 9.1 7.4 12.9 11.4 7.4 3.4 14.52500 16.4 16.1 13.3 9.4 11.1 18.3 12.8 11.0 12.7 13.8 8.3 3.4 16.62600 18.2 24.5 14.4 20.2 21.2 27.1 15.9 20.3 28.3 18.2 11.1 13.8 19.9
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
_______________________________ Chapter 4: The Professional Practices Framework 175
The Institute of Internal Auditors Research Foundation
Table 4-8-1-APractice Advisory Guidance is Adequate
All Respondents in Percentages
Practice Advisory Number of Yes No Do NotRespondents Use
1000 – Purpose, Authority, and Responsibility 4,801 86.0 1.7 12.31100 – Independence and Objectivity 4,792 86.3 2.2 11.51200 – Proficiency and Due Professional Care 4,779 85.4 2.4 12.21300 – Quality Assurance and Improvement 4,759 77.2 5.5 17.3Program2000 – Managing the Internal Audit Activity 4,755 83.4 3.4 13.12100 – Nature of Work 4,735 82.3 3.8 13.92200 – Engagement Planning 4,748 83.2 3.7 13.12300 – Performing the Engagement 4,739 83.5 3.7 12.82400 – Communicating Results 4,747 84.0 3.4 12.62500 – Monitoring Progress 4,731 81.1 4.5 14.42600 – Resolution of Management’s Acceptance 4,733 75.4 5.8 18.8of RisksOverall Average 82.5 3.7 13.8
176 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 4-8-2-APractice Advisory Guidance is Adequate
CAE Respondents in Percentages
Practice Advisory Number of Yes No Do NotRespondents Use
1000 – Purpose, Authority, and Responsibility 1,455 86.7 2.1 11.21100 – Independence and Objectivity 1,442 86.7 2.6 10.71200 – Proficiency and Due Professional Care 1,433 86.2 2.4 11.41300 – Quality Assurance and Improvement 1,427 76.2 6.5 17.3Program2000 – Managing the Internal Audit Activity 1,427 83.5 4.2 12.32100 – Nature of Work 1,420 81.8 4.6 13.62200 – Engagement Planning 1,425 83.5 3.9 12.62300 – Performing the Engagement 1,422 83.9 3.9 12.22400 – Communicating Results 1,422 84.4 4.2 11.42500 – Monitoring Progress 1,417 82.6 4.9 12.52600 – Resolution of Management’s Acceptance 1,416 75.2 6.2 18.6of RisksOverall Average 82.7 4.2 13.1
_______________________________ Chapter 4: The Professional Practices Framework 177
The Institute of Internal Auditors Research Foundation
Table 4-8-3-APractice Advisory Guidance is AdequatePractitioner Respondents in Percentages
Practice Advisory Number of Yes No Do NotRespondents Use
1000 – Purpose, Authority, and Responsibility 3,356 85.7 1.6 12.71100 – Independence and Objectivity 3,350 86.2 2.0 11.81200 – Proficiency and Due Professional Care 3,346 85.1 2.4 12.51300 – Quality Assurance and Improvement 3,332 77.7 4.9 17.4Program2000 – Managing the Internal Audit Activity 3,328 83.4 3.0 13.62100 – Nature of Work 3,315 82.5 3.4 14.12200 – Engagement Planning 3,323 83.1 3.5 13.42300 – Performing the Engagement 3,317 83.3 3.6 13.12400 – Communicating Results 3,323 83.8 3.0 13.22500 – Monitoring Progress 3,314 80.5 4.4 15.12600 – Resolution of Management’s Acceptance 3,317 75.4 5.6 19.0of RisksOverall Average 82.4 3.4 14.2
178 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 4-8-4-APractice Advisory Guidance is Adequate by Groups*
All Respondents in Percentages
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 83.6 84.9 87.3 87.4 91.7 81.3 88.9 90.5 87.5 86.7 89.1 96.6 83.21100 84.0 81.2 86.4 89.4 90.4 81.0 92.1 91.2 85.7 87.5 89.8 96.6 84.11200 83.0 84.1 85.7 89.6 89.3 79.7 90.4 91.0 83.6 84.4 87.3 93.1 83.41300 78.4 74.8 81.0 74.2 77.6 73.9 81.5 74.4 66.7 70.8 75.2 86.2 74.32000 82.4 78.8 84.6 87.8 85.8 76.8 87.7 87.1 82.3 83.0 80.0 96.6 79.72100 81.3 78.5 84.1 84.8 82.7 73.5 87.1 88.1 81.0 77.3 82.1 93.1 78.32200 81.9 75.9 82.6 80.6 87.7 73.3 90.2 90.3 79.0 82.0 83.8 96.6 79.52300 82.2 79.6 84.4 81.0 84.9 77.4 88.7 90.1 81.0 83.0 85.3 93.1 79.12400 82.6 80.7 86.1 85.9 84.7 80.8 87.7 89.2 79.0 79.5 85.2 96.6 79.62500 80.8 77.4 81.7 83.9 81.1 77.4 82.0 84.8 79.4 81.6 85.7 93.1 75.22600 78.4 66.9 78.5 68.5 68.2 66.9 79.5 75.7 60.0 76.1 75.6 86.2 70.7
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
_______________________________ Chapter 4: The Professional Practices Framework 179
The Institute of Internal Auditors Research Foundation
Table 4-15-1-AWhen IAA was Last Subject to a Formal Internal Quality Assessment in
Accordance with Standard 1311 by Groups*All Respondents in Percentages
Timing 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
To be 9.2 7.4 11.4 6.1 7.8 3.5 6.5 7.2 4.0 14.9 7.6 14.3 6.1completedprior toJanuary 1,2007Within the 25.5 21.6 30.2 16.4 22.2 25.1 24.8 21.1 18.2 20.3 23.0 16.7 16.5last 12months1-3 years 8.5 8.9 10.9 4.7 5.0 6.7 8.2 5.5 7.1 7.0 5.6 4.8 5.2ago4-5 years 1.4 4.2 2.3 1.3 0.8 0.9 0.9 0.7 2.0 2.6 0.0 0.0 0.8agoMore than 1.4 4.2 1.0 3.0 0.6 0.8 0.5 0.7 1.0 0.0 0.0 0.0 1.35 years agoNever 28.5 27.9 22.9 52.8 47.0 41.2 39.5 43.3 53.5 33.3 36.2 45.2 44.3Not done in 3.7 5.3 5.9 2.7 8.4 11.6 9.8 16.9 6.1 7.0 9.2 11.9 8.4accordancewithStandard1311Do not 21.8 20.5 15.4 13.0 8.2 10.2 9.8 4.6 8.1 14.9 18.4 7.1 17.4knowTotal 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0percentageTotal 2,967 190 599 299 500 371 440 830 99 114 196 42 619respon-dents
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
180 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 4-21-1-AActivities Performed by IAAs as Part of a Quality
Assessment and Improvement Program by Groups*All Respondents in Percentages
Activity 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Engagement 46.0 43.7 53.7 32.1 37.8 52.4 63.9 44.7 38.8 38.5 47.1 53.2 27.1supervisionChecklists/ 44.8 48.5 51.6 38.4 38.5 52.1 48.8 33.3 34.5 38.5 52.4 57.4 23.2manuals toprovideassurancethat properauditprocessesare followedFeedback 41.6 55.3 53.4 42.9 40.4 43.3 40.0 31.1 32.8 40.0 44.0 36.2 24.0from auditcustomers atthe end of anauditInternal audit 34.6 33.0 36.9 36.0 36.8 31.2 34.7 30.1 31.0 34.8 28.9 36.2 18.1professionalsare incompliancewith The IIA’sCode ofEthicsReviews by 33.9 38.8 45.4 26.2 21.3 31.9 35.1 24.4 27.6 33.3 36.4 31.9 17.7othermembers ofthe IAA
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: The responders were asked to mark all that apply so the total of the percentages may be more than 100.
_______________________________ Chapter 4: The Professional Practices Framework 181
The Institute of Internal Auditors Research Foundation
Table 4-21-1-A (Cont.)Activities Performed by IAAs as Part of a Quality
Assessment and Improvement Program by Groups*All Respondents in Percentages
Activity 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Verification 33.3 31.6 38.6 26.8 31.4 29.3 30.8 25.5 24.1 37.0 29.3 31.9 14.0that the IAAis incompliancewith theStandardsReview by 22.6 31.1 32.7 13.4 18.8 28.1 21.0 12.6 14.7 19.3 22.2 34.0 11.3externalpartyCompliance 19.8 27.7 23.6 21.4 19.9 19.0 28.0 15.7 15.5 14.8 14.7 23.4 13.2with non-IIAstandardsor codesNot 13.3 12.1 7.9 7.7 12.9 11.7 9.8 18.1 20.7 8.1 12.9 23.4 9.2applicableI do not 14.2 7.8 9.5 7.4 4.9 4.0 2.9 9.2 4.3 10.4 5.8 0.0 7.7knowTotal 3,332 206 661 336 574 420 490 945 116 135 225 47 1,057number ofrespon-dents
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: The responders were asked to mark all that apply so the total of the percentages may be more than 100.
182 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 183
The Institute of Internal Auditors Research Foundation
CHAPTER 5CURRENT STATUS OF THE
INTERNAL AUDIT ACTIVITY
Introduction
This chapter summarizes the respondents’ perceptions about their internal audit activities’ (IAAs’)relationships within the organization and how the IAA performs the steps in the audit process. Thechapter follows the outline of the audit process. The topics covered start with respondents’ IAAsreporting relationships within their organizations, their relationships with their audit (oversight)committees, and how IAAs measure the value they add to their organizations. This chapter thenaddresses the IAA’s processes to perform an audit, including the management of the IAA; planningand scope of work; the range of internal audit tasks; types of audits that are performed; andallocation of audit time. The next section of this chapter reviews the tools that are currently used orplan to be used by internal auditors to prepare audit plans and perform engagements. The finalsection covers how respondents report audit findings and how issues are addressed and resolved.
The number of respondents answering a specific question will often differ from the 9,366 totalrespondents in this study. This is due to the following reasons:
• Not all of those that participated in the survey answered all the questions asked. Resultsare shown and discussed only for those respondents who answered a particular surveyquestion.
• Not all questions were asked of all respondents.o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).o Some questions were asked of both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA.These more detailed summaries of results may be provided for the five categories of respondents:CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in theOther category consist primarily of other professional staff whose position is not captured by the
184 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
traditional job titles included in the survey. A review of their credentials indicates they may bemembers of the IAA, employed by service providers, or in organizations where their titles are lesstraditional but with duties within internal auditing.
When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.For a list of groups, please refer to the inside back cover of this report. Some tables have additionaldetails. For example, Table 5-17 is the total of all respondents for that question with a related Table5-17-2 showing the responses by group. Additional related tables may be located in Appendix 5 atthe end of this chapter. A table that is in the Appendix can be clearly identified by an “A” at the endof its number. For example, Table 5-3-1-A is located in Appendix 5.
The IAA’s Relationships within the Organization
Reporting Relationships
For the IAA to remain independent, the CAE’s reporting status is very important. The IIArecommends a dual reporting relationship where the CAE reports to the audit committee of theboard as well as to a senior management executive. Such matrix reporting allows the IAA to buildorganizational independence while also serving management. Survey questions asked about reportingrelationships for the CAE.
The results of the survey indicate that the reporting status of CAEs was generally in accordancewith the International Standards for the Professional Practice of Internal Auditing (Standards)Attribute Standard 1110, Organizational Independence. This standard requires the IAA to beindependent and internal auditors to be objective in performing their work. Practice Advisory 1110-2, Chief Audit Executive (CAE) Reporting Lines states “the CAE should report functionally to theaudit committee or its equivalent” and administratively to the chief executive officer of theorganization. The largest percentage of responding CAEs indicate that they report to the auditcommittee.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 185
The Institute of Internal Auditors Research Foundation
As detailed in Figure 5-1, 47.3% of CAEs report to the audit committee level and another 43.4%report to the executive level of management. Only 5.1% report to a staff manager position.
Figure 5-1CAE’s Reporting Status
CAE Respondents (2,367) in Percentages
Other4.2%
Staff positionreporting to astaff manager
5.1%
Officer positionreporting toexecutive
management/high-level
governmentofficial20.6%
Manager positionreporting to
executive management/high-level government
official22.8%
Independent position reporting to the audit committee
of the board/oversight board
47.3%
186 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
To gain a better understanding of the factors that could influence the reporting level of the CAE,Table 5-1 looks at reporting status by type of organization. The IIA believes that the CAE shouldfunctionally report to the audit committee. It is apparent that this occurs in the majority of cases inpublicly listed and not-for-profit organizations. This is not the case in the public sector where thereis a tendency to report to either a line manager or a high government official. This could reflectdifferences in the organizational configuration of public sector operations where the audit committeestructure is often absent.
Table 5-1CAE’s Reporting Status by Type of Organization
CAE Respondents in Percentages
Type of Number of Independent Officer Managerial Staff Position Other TotalOrganization Respondents Position Position Position Reporting to a
Reporting to Reporting to Reporting to Staff Managerthe Audit the Executive Executive
Committee of Management/ Management/the Board/ High-level High-levelOversight Government Government
Board Official Official
Not-for- 171 56.1 13.5 21.1 6.4 2.9 100.0ProfitOrganizationPublicly 820 55.3 17.4 19.9 5.1 2.3 100.0Traded(Listed)CompanyPrivately 587 47.5 22.0 22.5 5.5 2.5 100.0Held(Non-listed)CompanyOther 56 41.1 21.4 23.2 3.6 10.7 100.0Service 205 38.0 22.9 17.7 2.9 18.5 100.0Provider/ConsultantPublic 521 36.1 25.6 29.8 5.2 3.3 100.0Sector/Government
____________________________ Chapter 5: Current Status of the Internal Audit Activity 187
The Institute of Internal Auditors Research Foundation
The high level of reporting status and the importance of the CAE’s relationship with the board isreinforced by those involved in the CAE’s appointment and performance review. The responseslisted in Figure 5-2 indicate that 51.2% of the CAE respondents were appointed by the auditcommittee, and the chairperson of the board was involved in nearly one-third of the CAE respondents’appointments.
Figure 5-2Position that Appoints CAE
CAE Respondents (2,359) in Percentages
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
There is evidence of involvement of the CEO in 54.4% of CAE respondents’ appointments. TheCFO had a role in the CAE respondent’s appointment 27.8% of the time. This level of involvementby the board, the audit committee, and senior management in the appointment of the CAE reinforcesthe overall high level of CAE reporting status and the importance of the CAE to the organization.
188 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 5-2 shows, by group, information about the position that appoints the CAE (see the insideback cover for a list of the groups). There are noticeable differences between the group results forCAEs that are appointed by the audit committee chairperson in groups 1, 2, 3, 11, and 12 (61.6% to68%) and in groups 4 to 10 (26% to 38%).
Table 5-2Position that Appoints CAE by Group*
CAE Respondents in Percentages
Position 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Audit Committee/ 68.0 61.6 67.1 38.0 26.0 26.0 29.8 36.7 37.0 31.9 65.4 66.7 41.6Oversight Committee/Committee ChairpersonChief Executive Officer 55.6 67.4 58.6 37.0 55.0 56.0 50.4 58.4 37.0 59.6 49.4 55.6 47.0Chairperson of the 18.3 10.5 13.8 68.0 44.0 49.0 44.3 52.8 43.5 40.4 33.3 33.3 38.9BoardChief Financial Officer 41.8 32.6 46.7 7.0 10.0 26.0 6.1 15.4 10.9 8.5 14.8 11.1 20.1Another person 6.8 4.7 5.3 3.0 0.0 3.0 0.8 1.3 2.2 2.1 0.0 0.0 0.7reporting to CFOOther 13.4 23.3 15.8 14.0 21.0 10.0 17.6 8.2 6.5 6.4 4.9 0.0 13.4
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: The respondents were asked to mark all that apply so the total of percentages may be more than 100.
Tied to the discussion of the reporting level of CAEs within an organization is who undertakes theperformance review of the CAE. Despite the recommended dual reporting structure, evaluation isprimarily a management responsibility (Practice Advisory 1110-2). Board members and/or auditcommittee members usually do not have sole responsibility for such functions for the CAE, althoughtheir input in the evaluation process is valuable.
Figure 5-3 summarizes the CAEs’ responses indicating the level within an organization that performstheir evaluation. The audit committee’s involvement is most prevalent in the CAEs’ evaluation(48.7%) with an almost equal input by the CEO (44.9%) and significant input by senior management(31.2%). The chairperson of the board is involved with 16.4% of the CAEs’ evaluations while the
____________________________ Chapter 5: Current Status of the Internal Audit Activity 189
The Institute of Internal Auditors Research Foundation
entire board is involved 16.1% of the time. As CAE respondents could indicate all those whoparticipated in their evaluation and the percentages in Figure 5-3 add up to well over 100.0%, itappears that input from several high-level officials of an organization are combined to evaluate theperformance of the CAE.
Figure 5-3Evaluation of CAEs’ Performance
CAE Respondents (2,359) in Percentages
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
190 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 5-3 shows group differences indicating who evaluates the CAE. Further analysis by type oforganization is provided in Table 5-3-1-A in Appendix 5. This table indicates that the audit committeeis most involved in publicly traded and not-for-profit organizations. The chief executive officertakes the lead in privately held and public sector organizations.
Table 5-3Evaluation of CAEs’ Performance by Group*
CAE Respondents in Percentages
Position 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Board of Directors 7.1 5.8 9.9 23.0 34.0 26.0 25.2 24.9 19.6 25.5 19.8 11.1 14.1Chairperson of the 6.5 4.7 5.9 57.0 20.0 23.0 26.7 31.5 15.2 12.8 13.6 11.1 18.1BoardChief Executive Officer 42.1 59.3 46.1 49.0 45.0 44.0 42.7 50.8 39.1 44.7 46.9 77.8 40.3Audit Committee/ 59.8 62.8 67.8 21.0 27.0 29.0 35.1 44.9 37.0 36.2 64.2 88.9 35.6Oversight Committee/Committee ChairpersonSenior Management 38.0 38.4 41.4 25.0 32.0 12.0 25.2 26.6 26.1 23.4 13.6 0.0 28.2Auditee/Client at the 8.1 19.8 27.6 5.0 14.0 15.0 14.5 9.5 0.0 27.7 7.4 22.2 6.0end of auditSupervisor periodically 9.7 5.8 8.6 5.0 11.0 11.0 4.6 4.9 4.3 4.3 2.5 11.1 6.7Peers/Subordinates 4.6 14.0 15.1 6.0 5.0 7.0 4.6 3.0 4.3 10.6 6.2 11.1 2.7periodicallyNot evaluated 3.0 3.5 3.9 1.0 3.0 6.0 5.3 2.0 6.5 10.6 4.9 0.0 7.4
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: The respondents were asked to mark all that apply so the total of percentages may be more than 100.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 191
The Institute of Internal Auditors Research Foundation
Relationship with the Audit Committee
Practice Advisory 2060-2, Relationship with the Audit Committee, governs the relationship of theIAA and the audit committee. As noted in Table 5-4, CAEs confirm that an audit/oversight committeeexists in 72.6% of their organizations. The CAE’s relationship with the committee chairperson isvery important. Of respondent CAEs with audit committees, 63.2% meet regularly with their auditcommittee chair in addition to attending regular audit committee meetings. It is notable that ofthose that have audit/oversight committees, 91.3% of CAEs believe they have appropriate accessto the committee.
Table 5-4CAE’s Relationship with Audit/Oversight Committee
CAE Respondents Percentage of Yes Responses
Question Total YesRespondents Percent of
TotalResponses
Is there an audit/oversight committee 2,315 72.6in your organization?Does the CAE meet with the audit/ 1,669 63.2oversight committee chairperson inaddition to the regularly scheduledmeetings?Does the CAE believe that he/she 1,671 91.3has appropriate access to the audit/oversight committee?
As indicated in Table 5-4-1-A in Appendix 5, CAE responses by groups have some major differencesrelating to the CAE’s relationship with an audit committee. These differences appear to be primarilyrelated to the existence of the audit committee structure in some groups and not in others. CAEs ingroups 1, 2, 3, and 11 specify that 81.5% to 92.9% of their organizations have an audit committee,compared to CAEs in the other groups who indicate that 38.7% to 69.5% of their organizationshave an audit committee. In group 12, all respondents have an audit committee.
192 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
For those CAEs that have an audit committee, Table 5-5 summarizes the number of audit committeemeetings held in the last fiscal year, the number of meetings CAEs were invited to attend, and thenumber of meetings attended by the CAEs. The CAEs responding indicate that 96.9% of auditcommittees met between 1 and 12 times per year. The majority of audit committees (82.7%) met4 or more times per year. There is also a close correlation between the number of audit committeemeetings held, the number of meetings the CAEs were invited to attend, and the number of timesthe CAEs actually attended the meetings.
Table 5-5Audit/Oversight Committee Meetings During Last Fiscal Year
CAE Respondents in Percentages
Number of Meetings Held Meetings the CAE Meetings the CAEAudit Percent of 1,661 Total was Invited to Attend Attended
Committee Respondents Percent of 1,657 Percent of 1,656Meetings Total Respondents Total Respondents
None 8.0 7.91 1.8 4.8 4.72 5.9 7.4 7.93 9.6 8.6 8.84 35.5 31.6 31.65 10.2 9.4 9.66 11.8 9.7 9.07 2.6 2.5 2.88 6.1 5.1 5.09 1.4 1.3 1.310 4.3 3.2 3.511 1.3 0.8 1.312 6.4 4.8 4.0
More than12 3.1 2.8 2.6
Total 100.0 100.0 100.0
External Relationships - Legislation Affecting Internal Auditing
In the CBOK Affiliate questionnaire, IIA affiliate leaders were asked about local and federalregulations and legislation affecting the profession of internal auditing. Of the 46 affiliates that
____________________________ Chapter 5: Current Status of the Internal Audit Activity 193
The Institute of Internal Auditors Research Foundation
responded, 78% indicate that their countries have legislation or regulations affecting the internalauditing profession. Table 5-6 lists the 36 affiliates whose countries have laws and regulationsaffecting internal auditing. The United States and Canada also have legislation affecting internalauditing.
In a majority of the responding affiliates’ countries, legislation or regulations exist affecting internalauditing in the public sector. In most of these affiliates, financial entities, banks, and insurancecompanies are subjected to legislation that prescribes the establishment or the role of internalauditing in an organization. In several affiliates (e.g., The Netherlands, Norway, South Africa, andSpain), corporate governance requirements for listed companies strongly recommend the installationof an IAA as part of their corporate governance structure. In other affiliates (e.g., France, Italy,United Kingdom, and Ireland), it is recommended that all private companies, whether listed or not,have an IAA. In a few affiliates (e.g., Belgium and Turkey), initiatives have been taken to createa more formal legal framework for the internal audit profession.
Table 5-6Countries with Legislation or Regulation
Affecting Internal Auditing
Argentina LuxembourgAustralia MexicoAustria The NetherlandsAzerbaijan NorwayBelgium PeruBolivia PhilippinesBulgaria RussiaCanada SingaporeCongo SloveniaDenmark South AfricaDominican Republic SpainFinland SwedenFrance TaiwanGermany ThailandIsrael TurkeyItaly UgandaJapan United Kingdom and IrelandLebanon United StatesLithuania Venezuela
194 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
In 61% (22 affiliates) of the 36 responding affiliates where legislation or regulation affecting internalauditing exists, The IIA affiliate had an influence on the final form of the legislation or regulation.Table 5-7 provides an overview of these 22 affiliates.
Table 5-7Countries Where the IIA Affiliate Influenced
Legislation or Regulation Affecting Internal Auditing
Australia The NetherlandsAzerbaijan NorwayBulgaria PhilippinesDenmark RussiaFinland South AfricaFrance SpainGermany SwedenItaly TaiwanJapan ThailandLuxembourg TurkeyMexico United Kingdom and Ireland
Those IIA affiliates that assisted in the development of the legislation or regulations took part in thediscussions and provided input through participation and lobbying in committees, work groups, andconferences. IIA affiliates also regularly issue their own opinions on drafts of local and nationallaws and regulations. The publication of position papers and articles reflecting their members’ideas and opinions is a common method of participation in the evolution of local and national lawsand regulations.
Organizations’ and CAEs’ Perceptions About the IAA
To gain an understanding of how the IAA is perceived within their organization, all respondentswere asked to rank their level of agreement with the statements in Table 5-8 on a scale of 1- 5,from strongly disagree (1) to strongly agree (5). The mean response for each question was calculatedfor the four IAA staff levels responding to the survey. With means mostly above 4.2 for all stafflevels, most respondents indicate their IAA is highly independent, objective, adds value, andeffectively evaluates internal controls. This is generally supported by the group results in Table 5-8-1-A located in Appendix 5.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 195
The Institute of Internal Auditors Research Foundation
Statements with means around 4.0 indicate respondents’ agreement that their IAAs have an effectiveapproach to risk management; are an integral part of the governance process; are credible withinthe organization; are proactive in looking at important financial matters, risks, and internal controls;have sufficient status in the organization; and that compliance with the IIA’s Code of Ethics is akey factor for their IAAs to add value to their organizations.
The statements ranked under 4.0 but above 3.5 indicate respondents have less support for thestatements about effectiveness in the evaluation of corporate governance and compliance withThe IIA’s Standards. Overall, the perceptions by the respondents provide a very positive viewabout the IAA within their organizations. In Table 5-8-1-A in Appendix 5, mean responses forthese statements for CAEs by groups show very similar results across all groups.
Table 5-8Relationship of IAA to the Organization
All Respondents in Means*
Statement CAE Mean Audit Audit Senior/ Audit Staffof 2,374 Manager Supervisor Mean
Respondents Mean Mean of 1,626of 2,033 of 2,251 Respondents
Respondents Respondents
Your internal audit function is an 4.45 4.34 4.25 4.10independent objective assuranceand consulting activity.Your internal audit function adds 4.41 4.32 4.26 4.20value. Internal audit brings a systematic 4.03 3.99 3.98 3.95approach to evaluate theeffectiveness of risk management.Your internal audit function brings 4.35 4.27 4.21 4.11a systematic approach to evaluatethe effectiveness of internal controls.Your internal audit function brings a 3.80 3.73 3.71 3.74systematic approach to evaluate theeffectiveness of governanceprocesses.Your internal audit function 4.10 4.05 3.96 3.88proactively examines importantfinancial matters, risks, and internalcontrols.
*The mean is the average response to: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree.
196 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 5-8 (Cont.)Relationship of IAA to the Organization
All Respondents in Means*
Statement CAE Mean Audit Audit Senior/ Audit Staffof 2,374 Manager Supervisor Mean
Respondents Mean Mean of 1,626of 2,033 of 2,251 Respondents
Respondents Respondents
Your internal audit function is an 4.10 4.04 3.97 3.91integral part of the governanceprocess by providing reliableinformation to management.The way our internal audit function 3.52 3.81 3.66 3.51adds value to the governanceprocess is through direct access tothe audit committee.Your internal audit function has 4.07 3.97 3.86 3.75sufficient status in the organizationto be effective.Independence is a key factor for 4.46 4.40 4.32 4.29your internal audit function to addvalue.Objectivity is a key factor for your 4.58 4.47 4.42 4.36internal audit function to add value.Your internal audit function is 4.30 4.17 4.08 3.99credible within your organization.Compliance with The IIA’s 3.86 3.90 3.89 3.90International Standards for theProfessional Practice of InternalAuditing is a key factor for yourinternal audit activity to add valueto the governance process.Compliance with The IIA’s Code 4.03 4.04 3.98 3.99of Ethics is a key factor for yourinternal audit function to add valueto the governance process.
*The mean is the average response to: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 197
The Institute of Internal Auditors Research Foundation
Methods Used to Measure the Value Added by the IAA
The IIA defines internal auditing as “an independent, objective assurance and consulting activitydesigned to add value and improve an organization’s operations.” In The IIA’s Standards Glossary,add value is defined as, “Value is provided by improving opportunities to achieve organizationalobjectives, identifying operational improvement, and/or reducing risk exposure through both assuranceand consulting services.”
Figure 5-4 on the following page lists the methods used by the respondents’ organizations to measurethe value added by their IAAs. The measures include acceptance and implementation ofrecommendations (51.4%), assessment by customer surveys from audited departments (34.6%),and the number of management requests for internal assurance or consulting projects (26.8%).Reliance by the external auditors on the IAA is also used as a value-added indicator (33.5%). Noformal measurement of value added was indicated in 32.6% of the 2,361 respondents.
As can be seen in Table 5-9, considerable differences exist between groups in the methods used toevaluate the value added by IAAs. There are significant differences when relying on customer/auditee surveys (10.9% - 57.9%), external auditors’ reviews (9.7% - 77.8%), and the number ofmajor audit findings (4.3% - 66.7%). There was variation between groups where there is noformal measurement of value added by IAAs’ services with a high of 47.5% for group 6.
198 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Figure 5-4Methods Used to Measure Value Added by the IAA
CAE Respondents (2,361) in Percentages
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
internal audit activity
internal audit assurance or consulting
____________________________C
hapter 5: Current Status of the Internal A
udit Activity 199
The Institute of Internal Auditors R
esearch Foundation
Table 5-9Methods Used to Measure Value Added by the IAA by Group*
All Respondents by Group in Percentages
Method of 1 2 3 4 5 6 7 8 9 10 11 12 N/C**Evaluation
Customer/client 37.5 50.0 57.9 32.0 26.0 24.4 33.6 23.0 10.9 55.3 32.9 44.4 32.0surveys from auditeddepartmentsRecommendations 46.9 52.3 55.3 59.2 53.7 34.4 62.6 56.3 60.9 31.9 64.6 100.0.0 58.0accepted/implementedCost savings and 30.1 27.9 17.8 49.5 31.1 17.5 34.4 21.7 30.4 17.0 42.7 66.7 36.0improvements fromrecommendationsimplementedNumber of management 28.0 44.2 34.9 21.4 21.5 14.4 26.7 23.7 32.6 12.8 39.0 77.8 23.3requests for internalaudit assurance orconsulting projectsReliance by external 37.7 46.5 50.7 9.7 16.4 32.5 30.5 33.2 10.9 34.0 34.1 77.8 26.7auditors on the internalaudit activityBudget to actual audit hours 17.9 30.2 25.7 8.7 12.4 18.8 22.9 9.9 26.1 19.1 14.6 33.3 12.7Cycle time from 10.8 12.8 13.8 3.9 5.6 12.5 11.5 10.2 15.2 14.9 13.4 11.1 12.7entrance conference todraft reportNumber of major audit 15.2 19.8 18.4 44.7 37.3 15.0 29.8 18.4 37.0 4.3 30.5 66.7 29.3findingsOther 11.1 11.6 17.1 3.9 18.6 7.5 4.6 9.9 8.7 8.5 9.8 11.1 11.3No formal measurement 34.5 24.4 27.6 35.0 27.1 47.5 31.3 32.6 26.1 31.9 23.2 11.1 30.0of value addedTotal respondents by 914 86 152 103 177 160 131 304 46 47 82 9 150group
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: The respondents were asked to mark all that apply so the total of percentages may be more than 100.
200 A G
lobal Summ
ary of the Com
mon B
ody of Know
ledge 2006______________________
The Institute of Internal Auditors R
esearch Foundation
Internal Audit A
ctivity
Governing D
ocuments in the O
rganization
According to Standard 2130, G
overnance, the IAA
“should assess and make appropriate
recomm
endations for improving the governance process.” Table 5-10 show
s the types of documents
that support the establishment of corporate governance in an organization. R
espondents report that73.3%
of their organizations have a corporate ethics policy/code of ethics/code of conduct and66.3%
have a long-term strategic plan. O
nly 53.2% of the respondents’ organizations have a
corporate governance code and 56.9% have an audit oversight/com
mittee charter.
Table 5-10D
ocuments that Exist in the O
rganization Supporting theE
stablishment of C
orporate Governance
All R
espondents in Percentages
Docum
entsN
umber of Yes
Percent ofR
esponsesR
espondents
Corporate Ethics Policy/C
ode of Ethics/6,859
73.3C
ode of Conduct
Long-term Strategic Plan for the
6,20166.3
Organization
Audit O
versight/Com
mittee C
harter5,322
56.9C
orporate Governance C
ode4,974
53.2
Note: The respondents w
ere asked to mark all that apply so the total responses m
ay be more than the total num
ber ofrespondents and the percentages m
ay be more than 100.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 201
The Institute of Internal Auditors Research Foundation
Figure 5-5 shows the type of documents that support the work and performance of the IAA. Eachis important to the success of the IAA. An internal audit charter is required by The IIA’s AttributeStandard 1000, Purpose, Authority, and Responsibility, and Practice Advisory (PA) 1000-1, InternalAudit Charter. Documented audit plans are expected to be in use. Compliance with PerformanceStandard 2010, Planning, requires the CAE to “Establish risk-based plans to determine the prioritiesof the IAA.”
Figure 5-5Documents that Exist in the Organization Supporting the
Work and Performance of the IAAAll Respondents in Percentages
Note: The respondents were asked to mark all that apply so the total percentages may be more than 100.
The respondents indicate that 81.3% of their IAAs have an audit plan, 72.3% of their IAAs havean internal audit charter, and 60.1% have a mission statement. A majority of respondents’ IAAs(69.5%) use internal audit risk assessments to develop the audit plan. Respondents indicate that63% of their IAAs have an internal audit operating manual/policy statement and 40.3% have anaudit plan that is longer than one year. These are all positive signs for effective internal auditprocedures.
Audit Activity
202 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Managing the Internal Audit Activity
To gather information about compliance with The IIA’s Standards, all respondents were askedquestions about who performed administrative tasks, quality assessments of the IAA, and technicalcompetency training for internal auditors. The questions required the respondent to indicate whatpercentage of these activities are performed by the IAA, by service providers, or not performed atall.
Performance Standard 2000 requires that the chief audit executive (CAE) “should effectivelymanage the internal audit activity to ensure it adds value to the organization.” These activitiesinclude administrative activities such as developing an audit plan and assigning audit tasks.Performance Standard 2200 states that, “Internal auditors should develop and record a plan foreach engagement, including the scope, objectives, timing, and resource allocations.” The results inTable 5-11 show that over 91.5% of all respondents believe that their IAA performs the administrativetasks appropriate for the department. The vast majority of IAA leadership takes charge of theadministrative responsibilities inherent in the IAA.
Table 5-11Managing the Internal Audit Activity
Who Performs Audit ActivitiesAll Respondents in Percentages
Activity Total Number IAA Other Co-Sourced Out- Not Totalof Departments sourced Performed Percent
Respondents in byby Activity Organization Activity
Administrative 7,750 91.5 3.6 2.3 1.2 1.4 100.0(audit plan,assign tasks)Technical 8,746 44.4 14.1 6.6 21.3 13.6 100.0competencytraining forauditorsQuality 8,212 37.0 13.5 5.3 17.4 26.8 100.0assessment ofinternal auditactivity
Note: Since respondents were asked to mark all that apply, the total number of respondents may not be the same foreach activity.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 203
The Institute of Internal Auditors Research Foundation
To continuously monitor the effectiveness of the IAA, Standard 1300 states, “The CAE shoulddevelop and maintain a quality assurance and improvement program” (QA&IP). The QA&IPshould include both ongoing and periodic internal assessments that cover the entire spectrum ofaudit and consulting work performed by the internal audit activity. The quality of the internal auditactivities are assessed by the IAA (37%), other departments (13.5%), or outsourced (17.4%).About twenty-seven percent (26.8%) of the respondents do not perform quality assessments oftheir internal audit activities. More details about respondents’ QA&IP programs can be found inChapter 4.
Standard 1210 requires that internal auditors “possess the knowledge, skills, and other competenciesneeded to perform their individual responsibilities.” To be certain that the audit staff has the necessaryskills, 44.4% of the IAAs provide technical competency training for auditors. Other departmentswithin the organization provide 14.1% of the training, and 27.9% of training is either co-sourced oroutsourced. Of the respondents, 13.6% indicate that no training for the audit staff is provided.
204 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Creating the Audit Plan
In accordance with IIA Performance Standard 2010 on Planning, the CAE should plan what toaudit based on risk assessment. Figure 5-6 indicates that 95.6% of CAEs plan their audit activity atleast annually, including 36.4% who update their plan multiple times a year.
Figure 5-6Percentage Frequency of Audit Plan Updating
CAE Respondents (2,305) in Percentages
No audit plan3.2%
Every two years0.7%
More than everytwo years
0.5%
Every year59.2%
Multiple timesper year36.4%
____________________________ Chapter 5: Current Status of the Internal Audit Activity 205
The Institute of Internal Auditors Research Foundation
Figure 5-7 lists the methods CAEs use to determine the audit plan. The use of risk-based methodologyrequired by Performance Standard 2010 and Practice Advisory PA 2010-1, Planning, is used by86.7% of the respondents. This method is supplemented by 73.1% of respondents who includerequests from management. Audit planning is also influenced by consulting the previous year’splan (62.8%) and consultation with divisional or business heads (62.9%). Strong influence on theaudit plan can come from audit committee requests (55.5%) and compliance/regulatory requirements(58.8%) as well.
Figure 5-7How the Audit Plan is Established
CAE Respondents (2,288) in Percentages
Note: The respondents were asked to mark all that apply so the total percentages may be more than 100.
206 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
As shown in Table 5-12, the groups’ CAEs show a consistently high percentage of reliance on risk-based methodology for audit planning, from a low of 75% to a high of 100%. Audit committee/oversight committee requests are strongly supported in groups 1, 2, 3, 11, and 12, and there is highreliance and compliance/regulatory requirements in groups 1, 2, 7, and 12. Requests frommanagement and review of previous year’s audit plan are also supported.
Table 5-12How Audit Plan is Established by Groups*
CAE Respondents in Percentages
Method 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Use of a risk-based 89.1 94.2 94.6 87.3 85.1 89.8 82.0 77.2 75.0 93.6 91.3 100.0 78.7methodologyConsult previous 62.0 61.6 59.2 80.4 60.6 65.6 60.9 59.9 56.8 53.2 66.3 88.9 68.1years audit planConsultation with 73.1 87.2 78.9 42.2 52.6 49.7 46.1 54.1 40.9 80.9 57.5 44.4 49.6divisional or businessheadsRequests from 78.8 81.4 72.8 53.9 74.9 71.3 64.1 73.5 68.2 59.6 67.5 88.9 62.4managementAudit committee/ 65.7 81.4 68.0 36.3 28.0 38.9 37.5 51.0 47.7 51.1 71.3 77.8 48.9oversight committeerequestsCompliance/regulatory 66.2 67.4 58.5 43.1 39.4 59.2 65.6 55.1 52.3 34.0 55.0 77.8 56.0requirementsRequests from or 40.8 58.1 50.3 22.5 16.6 47.1 22.7 23.1 9.1 38.3 35.0 33.3 30.5consultation withexternal auditorsOther 8.9 9.3 7.5 7.8 14.9 12.1 15.6 7.5 11.4 8.5 6.3 22.2 7.1Total number ofrespondents 878 86 147 102 175 157 128 294 44 47 80 9 141
*For a list of affiliate groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: The respondents were asked to mark all that apply so that the total percent by group may be more than 100.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 207
The Institute of Internal Auditors Research Foundation
Allocation of IAAs’ Time
The definition of internal auditing and Standard 2100, Nature of Work, includes three broad areasof responsibility for IAAs to “evaluate and contribute to the improvement of risk management,control, and governance processes.” The following summarizes the respondent’s responses aboutthe how IAAs’ time is allocated, the types of audits performed in the organization and who performsthem, and what tools are used by the IAA when performing their work. Audits are generally placedin three categories, (1) general types of audits, (2) audits performed in the areas of risk management,control, and governance processes, and (3) other audit activities.
In order to gauge the extent of various types of internal audit activities performed by the IAAs,respondents were asked to estimate the time spent on compliance audits, consulting/advisory,financial process audits, fraud investigations, governance audits, information technology audits,operational, management audits, and other types of audits. Table 5-13 on the following page showsthe mean percentage of time spent for all respondents over a period of 6 years (3 years ago,currently, and an estimate for 3 years from now).
208 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 5-13Average of IAAs’ Time Spent on Audits
for All Respondents in Mean Percentages
Activity Mean Mean Mean AnticipatedPercentage of Percentage Percentage of Change in MeanTime Spent 3 of Current Time Expected Percentage of
Years Ago Time Spent to be Spent 3 Time Spent fromYears from Now 2003 to 2009
Compliance audits (laws, 23.4 22.4 19.9 -3.5regulations, and policy)Operational 22.5 21.1 19.5 -3.0Financial process audits 15.5 14.9 13.8 -1.7(including assistance to theexternal auditor)Consulting/advisory 8.2 9.8 11.5 +3.3Information technology audits 7.9 9.7 12.3 +4.4Other 6.6 3.3 2.6 -4.0Fraud investigations 5.9 6.1 6.2 +0.3(forensic accounting/auditingManagement audits 5.2 5.5 5.8 +0.6Governance audits (ethics, 4.8 7.2 8.4 +3.6control framework, regulatory,linkage of strategy, andcompany performance)Total 100.0 100.0 100.0
Note: Responses are in percentages and the mean percentage is the average response for that activity.
For the six-year period, while no one type of audit appears to dominate the work performed byIAAs, respondents indicate that most of the IAAs’ time was, is, and will be spent on complianceaudits (23.4% past, 22.4% current, and 19.9% future). Time spent on operational auditing is a closesecond with 22.5% in the past, 21.1% currently, and 19.5% in the future. The third largest type ofaudit is financial with 15.5% of audit time three years ago, 14.9% currently, and 13.8% in thefuture. As the time spent on those types of audits has been decreasing, the time spent on consulting,governance, and information technology is increasing. This seems reasonable since the definitionof internal auditing changed to include consulting and governance in 1999.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 209
The Institute of Internal Auditors Research Foundation
Types of Audits Performed
Table 5-14 lists types of audits and who performs them. The top four types of audits performed bythe IAA are internal auditing (85.6%), operational auditing (79.1%), investigations of fraud andirregularities (56.3%), and financial auditing (56%). Other IAA engagements include ethics audits(47.1%), management effectiveness audits (48.5%), and information technology departmentassessments (45.4%). The three largest audit areas that are co-sourced or outsourced are financialauditing (27.2%), information technology department assessment (18.8%), and quality/ISO audits(14.1%). The three areas where audits are less likely to be performed by the IAA are social andsustainability audits (40.0%), quality/ISO audits (32.6%), and ethics audits (27.4%).
The results in Table 5-13 indicate that IAAs anticipate spending most of their time on complianceaudits, operational audits, and financial process audits. Table 5-14 shows that operational auditsand financial auditing are most often performed by the IAA. The internal auditing category inTable 5-14 presumes to include compliance auditing since that was not asked separately in thissurvey question. The results for where the IAA’s time is spent and who performs these auditactivities appear to be consistent for the respondents. Fraud investigations, ethics audits, andinformation technology department audits do not consume much IAA time in Table 5-13, but are inthe domain of many IAAs as indicated in Table 5-14.
210 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 5-14Types of Audits
Who Performs Audit ActivitiesAll Respondents in Percentages
Type of Audit Total IAA Other Co- Out- Not TotalNumber Department in Sourced sourced Performed Percent
of Respondents Organization by Activityby Activity
Internal auditing 7,918 85.6 3.4 4.8 3.3 2.9 100.0Operational audits 8,443 79.1 11.9 3.6 2.5 2.9 100.0Investigations of 9,877 56.3 31.4 5.9 3.8 2.6 100.0fraud andirregularitiesFinancial auditing 8,989 56.0 14.7 7.2 20.0 2.1 100.0Management 8,324 48.5 28.4 3.7 3.1 16.3 100.0effectivenessreview/auditEthics audits 7,828 47.1 21.3 3.0 1.2 27.4 100.0Information 8,959 45.4 28.8 8.8 10.0 7.0 100.0technologydepartmentassessmentSocial and 7,648 22.7 30.4 3.4 3.5 40.0 100.0sustainabilityauditsQuality/ISO audits 7,896 20.5 32.8 4.6 9.5 32.6 100.0
____________________________ Chapter 5: Current Status of the Internal Audit Activity 211
The Institute of Internal Auditors Research Foundation
Risk, Controls, and Governance Audits
Practice Advisory 1311-1, Internal Assessments, states, “The CAE is responsible for establishingan internal audit activity whose scope of work includes all the activities in the Standards and in thedefinition of internal auditing,” which includes effectiveness of risk management, control, andgovernance processes. Realizing that all audits have some elements of all three, the followingsummarizes the type of audit activities performed in these three areas and who performs theseaudits.
Effectiveness of Risk Management
The internal auditor has several responsibilities for the effectiveness of risk management within anorganization. Standard 2110, Risk Management, states that the IAA should “assist the organizationby identifying and evaluating significant exposures to risk and contributing to the improvement ofrisk management and control systems.” Standard 2600, Resolution of Management’s Acceptanceof Risks, highlights the importance of the CAE discussing risks and other internal audit findingswith senior management. If the decision regarding residual risk is not resolved, the CAE shouldreport the matter to the board for resolution.
Table 5-15 shows the major audit activities performed in the risk, control, and governance areas.Risk management work performed within organizations includes business viability assessments,information risk assessment, and enterprise risk management. While the majority of businessviability assessments are performed by other departments within the organization (51.6%), IAAsperform 24.6% of these audits and 16.8% of the respondents report that these audits are notperformed. In the area of information risk assessment, the IAA performs 47.5% of the activitiesand other departments perform 30.9% and 15.2% of this work is co-sourced or outsourced. Forenterprise risk management activities, IAAs perform 37.6% of these assessment activities, otherdepartments within the organization perform 43.6%, and 6.5% of these activities are co-sourced oroutsourced.
212 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 5-15Who Performs Risk, Control, and Governance
Audit ActivitiesAll Respondents in Percentages
Activity Total IAA Other Co- Out- Not TotalNumber Department in Sourced sourced Performed Percent
of Respondents Organization by Activityby Activity
Internal control 9,366 70.8 17.0 6.3 4.2 1.7 100.0testing/systemsevaluationControl framework 8,772 58.9 28.6 4.6 1.5 6.4 100.0monitoring anddevelopmentCompliance with 9,181 51.4 35.3 5.0 2.0 6.3 100.0corporategovernance andregulatory coderequirementsInformation risk 9,282 47.5 30.9 8.2 7.0 6.4 100.0assessmentEnterprise risk 8,679 37.6 43.6 5.0 1.5 12.3 100.0managementResource 8,096 32.1 47.9 3.6 2.0 14.4 100.0management andcontrolsLinkage of strategy 8,266 26.3 55.8 3.8 1.6 12.5 100.0and companyperformanceBusiness viability 7,742 24.6 51.6 4.5 2.5 16.8 100.0assessments
____________________________ Chapter 5: Current Status of the Internal Audit Activity 213
The Institute of Internal Auditors Research Foundation
Audits of Controls
Standard 2120, Control, states that the IAA should “assist the organization in maintaining effectivecontrols.” In Table 5-15, respondents indicate that 70.8% of the activities to test internal controlsand systems evaluation are done by the IAA. Other departments perform 17% of the same activitiesand 10.5% of these activities are co-sourced or outsourced.
Corporate Governance
Standard 2130, Governance, requires IAAs to “assess and make appropriate recommendations forimproving the governance process.” Table 5-15 lists several governance audit activities performedwithin organizations. The corporate governance activities performed by IAA includes controlframework monitoring and development (58.9%), compliance with corporate governance andregulatory code requirements (51.4%), resource management and controls (32.1%), and linkageof strategy and company performance (26.3%). Logically, other departments within organizationsare very active in compliance with corporate governance and regulatory code requirements (35.3%)and in the areas of linkage of strategy and company performance (55.8%) and resource managementand controls (47.9%).
Compliance or Special Consulting Projects
Table 5-16 shows audit activities from the list provided to the respondents in the CBOK 2006questionnaire that are compliance activities or special consulting projects. Practice Advisory2120.A1-1, Assessing and Reporting on Control Processes, states that testing “compliance withlaws, regulations, and contracts” is part of the IAA’s study and evaluation of internal controls.Two areas where the IAA performs compliance activities are compliance with company privacypolicies (43.1%) and health, safety, and environment (22.1%).
The definition of internal auditing includes consulting in its scope of acceptable audit activity. Afew areas of consulting included in the study indicate that 11.3% of the activities for corporatetakeovers/mergers are performed by IAAs while 50.4 % are handled by other departments in theorganization. The IAA provides 46.2% of the support for external auditors, other departmentsprovide 28.1% and co-sourced or outsourced work accounts for 14% of the activities required.Project management activities are performed mainly by other departments (58.3%) with 27.7% ofthese activities performed by the IAA. The IAA and other departments in the organization eachprovide 39.6% of the activities for special projects with 15.4% being co-sourced or outsourced.
214 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 5-16Who Performs Other Audit Activities
All Respondents in Percentages
Activity Total IAA Other Co- Out- Not TotalNumber Department in Sourced sourced Performed Percent
of Respondents Organization by Activityby Activity
External audit 8,421 46.2 28.1 5.1 8.9 11.7 100.0assistanceCompliance with 8,584 43.1 42.1 4.0 1.6 9.2 100.0company privacypoliciesSpecial projects 10,414 39.6 39.6 8.3 7.1 5.4 100.0Project 8,542 27.7 58.3 5.1 2.8 6.1 100.0managementHealth, safety, 8,083 22.1 57.3 4.2 3.0 13.4 100.0and environmentCorporate 7,796 11.3 50.4 4.9 3.8 29.6 100.0takeovers/mergers
Performing the Engagement – The Use of Tools
This section summarizes the use of 16 tools and techniques currently in place or planned to be usedby IAAs globally. The demands on the IAA and its staff are increasing as the significance andusefulness of the work of the IAA become better known and valued throughout the organization.Internal audit is designed to add value and improve an organization’s operations by bringing asystematic, disciplined approach to evaluation, improvement, and effectiveness of risk management,controls, and governance. As internal auditing resources may be constrained, the IAA must useaudit tools and techniques to use its time efficiently. The tools and techniques in the CBOK surveywere identified by reviewing the Standards and Practice Advisories, internal auditing literature,past CBOK studies, and the CBOK 2006 pilot study. Based on this review, 16 tools and techniques
____________________________ Chapter 5: Current Status of the Internal Audit Activity 215
The Institute of Internal Auditors Research Foundation
were identified as being important for the IAA. Respondents could not add to or amend the list thatwas included in the CBOK 2006 survey. Some of the tools listed help with audit administration(planning, managing, preparing working papers, etc.) while others relate to helping internal auditorsperform their engagements (analyzing data, statistical sampling, etc.). All the tools contribute to theIAA adding value to the organization
The selection of tools and techniques in this survey is supported by the Standards and PracticeAdvisories. In the Standards and expanded upon in the Practice Advisories, certain tools areemphasized:
• Attribute Standard 1220, Due Professional Care, recommends that the internal auditor inexercising due professional care should consider the use of computer-assisted audit toolsand other data analysis techniques.
• Analytical review is supported in Practice Advisory 2100-10, Audit Sampling.
• Risk-based audit planning is addressed in Standard 2010, Planning, which requires thechief audit executive to establish risk-based plans to determine the priorities of the internalaudit activity, consistent with the organization’s goals.
• Standard 2010.A1, Assurance Engagement, states that the IAA plan of engagements shouldbe based on a risk assessment, undertaken at least annually. This issue is also analyzed bythe Practice Advisory 2010-2, Linking the Audit Plan to Risk and Exposures.
• Practice Advisory 2100-10, “Audit Sampling is defined as the application of audit proceduresto less than 100 percent of the population to enable the auditor to evaluate audit evidenceabout some characteristics of the items selected to form or assist in forming a conclusionconcerning the population. Statistical sampling involves the use of techniques from whichmathematically constructed conclusions regarding the population can be drawn.”
• Practice Advisory 1311-1, Internal Assessments, suggests that Periodic Assessment mayinclude benchmarking of the IAA practices and performance metrics against relevant bestpractices of the internal auditing profession.
• The balanced scorecard tool is mentioned in Practice Advisory 1311-2, Establishing Measures(Quantitative Metrics and Qualitative Assessments) to Support Reviews of Internal Audit
216 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Activity Performance. This Practice Advisory reflects recommended practices formeasuring the performance of internal auditing and it is related to Standard 1311, InternalAssessments.
• Practice Advisory 2120.A1-2, Using Control Self Assessment (CSA) for Assessing theAdequacy of Control Processes, states that the CSA methodology can be used by managersand internal auditors for assessing the adequacy of the organization’s risk managementand control processes. Internal auditors can utilize CSA programs for gathering relevantinformation about risks and controls, for focusing the audit plan on high risk, unusual areas,and to forge greater collaboration with operating managers and work teams.
• Standard 1300, Quality Assurance and Improvement Program, requires the CAE to developand maintain a quality assurance and improvement program that covers all aspects of theinternal audit activity and continuously monitors its effectiveness. This program includesperiodic internal and external quality assessments and ongoing internal monitoring.
The respondents were asked to indicate which tools/techniques their IAAs currently use or plan touse in the next three years by rating all the tools listed on a five point scale from 1, not used, to 5,extensively used. Results are shown in means and/or in the frequency of respondents selecting atool/technique. Tables include responses by position, by response type, and/or by groups.
Current Usage of Audit Tools and Techniques
The use of various tools and techniques is fundamental for the effectiveness and efficiency of theIAA in performing their engagements. The use of these tools/techniques helps the auditor successfullyplan, monitor progress, document, analyze data, complete the audit, and determine the magnitudeof audit findings. Table 5-17 indicates the extent that respondent IAAs currently use sixteen differentaudit tools/techniques. The means listed in the table summarize the responses given by each stafflevel of auditors: CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. Themean was calculated based on a scale of 1 (not used) to 5 (extensively used). An overall mean foreach item is also presented.
The results show that CAEs and Practitioners almost uniformly rank the tools/techniques currentlyused by the IAA the same. Electronic communication (e.g., Internet, e-mail), risk-based auditplanning, analytical review, and electronic workpapers are currently the most utilized tools. Electroniccommunication is overwhelmingly the highest ranked tool/technique for all respondents.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 217
The Institute of Internal Auditors Research Foundation
Table 5-17Extent the IAA Currently Uses Audit Tools/Techniques
All Respondents by Mean*
Tools/Techniques Number of Overall CAE Audit Audit Audit OtherRespondents Mean Manager Senior/ Staff
Supervisor
Other electronic 6,629 4.08 3.98 4.15 4.19 4.13 3.64communication(e.g., Internet, e-mail)Risk-based audit 6,596 3.56 3.57 3.63 3.58 3.54 3.08planningAnalytical review 6,619 3.21 3.12 3.21 3.28 3.23 3.05Electronic workpapers 6,566 3.19 2.99 3.28 3.28 3.38 2.90Statistical sampling 6,522 2.77 2.64 2.69 2.83 3.00 2.76Computer-assisted 6,567 2.67 2.54 2.73 2.73 2.73 2.68audit techniquesFlowchart software 6,526 2.42 2.31 2.51 2.45 2.46 2.41Benchmarking 6,494 2.41 2.37 2.44 2.42 2.42 2.41Process mapping 6,496 2.36 2.22 2.39 2.43 2.46 2.39applicationControl self-assessment 6,497 2.30 2.09 2.27 2.42 2.54 2.40Data mining 6,385 2.26 2.18 2.26 2.29 2.37 2.18Continuous/real-time 6,483 2.21 2.06 2.12 2.30 2.47 2.22auditingThe IIA’s quality 6,409 2.06 1.93 2.13 2.07 2.18 2.09assessment review toolsBalanced scorecard or 6,417 2.02 1.85 2.06 2.09 2.13 2.07similar frameworkTotal quality 6,366 1.97 1.79 1.98 2.00 2.19 2.11management techniquesProcess modeling software 6,352 1.69 1.51 1.66 1.78 1.88 1.87
*The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used,5 = Extensively Used.Note: Since respondents were asked to mark all that apply, the total number of respondents may not be the same foreach audit tool/technique.
218 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
The tools/techniques that obtained the highest overall means from all respondents are:
1. Other electronic communication (e.g., Internet, e-mail) (4.08).2. Risk-based audit planning (3.56).3. Analytical review (3.21).4. Electronic workpapers (3.19).5. Statistical sampling (2.77).
The tools/techniques that received the lowest overall mean responses are:
12. Continuous/real-time auditing (2.21).13. The IIA’s quality assessment review tools (2.06).14. Balanced scorecard or similar framework (2.02).15. Total quality management techniques (1.97).16. Process modeling software (1.69).
As shown in Table 5-17-1-A, even in regions of the world where access to the Internet might notbe easily or readily available, it is generally ranked the highest. Electronic working papers and risk-based audit planning are uniformly ranked high by all respondents. Many of the remaining tools aregrouped in the 2.00 to 2.50 range, indicating moderate to average use.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 219
The Institute of Internal Auditors Research Foundation
Table 5-18 shows the means in rank order of use by staff level of the respondents. Each rankinggoes from 1, the tool/technique with the highest mean, to 16, the tool/technique with the lowestmean. The consistency in ranking by all staff levels about usage of tools and techniques by theirIAAs is evident.
Table 5-18Extent the IAA Currently Uses Audit Tools/Techniques
All Respondents by Rank
Tools/Techniques Overall CAE Audit Audit Senior/ AuditAverage Manager Supervisor Staff Other
Other electronic communication 1 1 1 1 1 1(e.g., Internet, e-mail)Risk-based audit planning 2 2 2 2 2 2Analytical review 3 3 4 3/4 4 3Electronic workpapers 4 4 3 3/4 3 4Statistical sampling 5 5 6 5 5 5Computer-assisted audit 6 6 5 6 6 6techniquesFlowchart software 7 8 7 7 8/9 7/8Benchmarking 8 7 8 9/10 11 7/8Process mapping application 9 9 9 8 8/9 10Control self-assessment 10 11 10 9/10 10 9Data mining 11 10 11 12 12 12Continuous/real-time auditing 12 12 13 11 7 11The IIA’s quality assessment 13 13 12 14 14 14review toolsBalanced scorecard or similar 14 14 14 13 15 15frameworkTotal quality management 15 15 15 15 13 13techniquesProcess modeling software 16 16 16 16 16 16
Note: In some cases the rankings were tied. For example, rankings of Benchmarking and Control Self Assessment atthe Audit Senior/Supervisor level were tied.
220 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Although the means are generally lower for CAEs than for other respondents, the comparison ofthe overall means with the means and rankings for CAEs and other respondents does not showany significant differences between the categories of respondents. The only major differencesbetween the means for the different staff levels relate to:
• Continuous real-time auditing (2.06, ranked 12 for the CAE versus 2.47, ranked 7 forAudit Staff).
• Electronic working papers (2.99, ranked 4 for the CAE versus 3.38, ranked 3 for AuditStaff).
• Control self-assessment (2.09, ranked 11 for the CAE versus 2.54, ranked 10 for the AuditStaff).
• Statistical sampling (2.64, ranked 5 for the CAE versus 3.00, ranked 5 for Audit Staff).
The analysis of the means according to the 13 groups is provided in Table 5-17-1-A in Appendix 5.There are noticeable differences for electronic workpapers (3.53 for group 8 and 1.97 for group12), risk-based audit planning (3.91 for group 3, 3.86 for groups 2 and 10, and 2.53 for group 4), andother electronic communication (4.38 for group 10; and 3.15 for group 12). Differences related toaccess to electronic resources may be reflected in the results for some of the groups.
Table 5-17-2 shows the rankings by groups. Each ranking goes from 1, the tool/technique with thehighest mean in the group, to 16, the tool/technique with the lowest mean in the group. Thiscomparison shows that the degree of consensus on most tools and techniques among the differentgroups is very high. This is the case for other electronic communications which ranks first orsecond in each group. Process modeling software is always ranked between 13 and 16, analyticalreview is always ranked between second and sixth and electronic workpapers is ranked betweenthird and seventh. The highest variability in this comparison, which indicates the lowest level ofconsensus, relates to data mining (groups 7 and 9), continuous real-time auditing (groups 4 and 11),control self-assessment (groups 4 and 12), and process mapping application (groups 8 and 10).When analyzing the ranking information most groups are within two rankings of the overall ranking.Exceptions are group 7 with 50% of their rankings more than two places away, group 10 with37.5% of their rankings more than two places away, and groups 1, 4, and 12 have 31% of theirrankings more than two places away from the overall ranking.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 221
The Institute of Internal Auditors Research Foundation
Table 5-17-2Tools and Techniques Currently Used by Group*
All Respondents by Means**
Overall 1 2 3 4 5 6 7 8 9 10 11 12 N/C***Tools/Techniques**** AverageOther electronic 1 1 2 2 1 1 1 2 1 1 1 1 1 1communication(e.g., Internet, e-mail)Risk-based audit 2 2 1 1 6 2 2 1 2 2 2 2 2 2planningAnalytical review 3 5 4 5 2 4 4 6 4 3 4 3 5 4Electronic workpapers 4 3 5 3 3 3 3 3 3 5 3 5 7 3Statistical sampling 5 6 7 6 7 6 6 5 7 7 9 6 4 6Computer-assisted 6 4 3 4 9 5 5 4 6 4 5 4 3 5audit techniquesFlowchart software 7 8 11 13 11 9 13 11 11 11 12 13 14 11Benchmarking 8 11 8 7 10 11 8 14 10 10 6 7 6 12Process mapping 9 13 10 12 8 7 7 7 5 12 14 10 9 9applicationControl self- 10 12 6 8 4 10 10 8 8 8 7 8 13 8assessmentData mining 11 7 9 11 12 8 9 16 9 6 13 11 11 10Continuous/real-time 12 9 12 10 5 13 11 9 13 9 10 14 10 7auditingThe IIA’s quality 13 10 13 9 14 12 12 10 14 13 8 9 12 13assessment reviewtoolsBalanced scorecard 14 15 14 15 16 15 14 15 12 15 11 15 15 15or similar frameworkTotal quality 15 14 15 14 13 14 16 12 16 14 15 12 8 14managementtechniquesProcess modeling 16 16 16 16 15 16 15 13 15 16 16 16 16 16software
*For a list of groups, please see the inside back cover.**The ranking goes from 1 (the tool/technique with the highest mean in the group) to 16 (the tool/technique with thelowest mean in the group).***N/C = Respondents did not indicate affiliate or chapter membership.****The tools/techniques are presented in the table in a decreasing order, according to the ranking of the overall means.
222 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 5-19 summarizes how all respondents’ replies are distributed along the 5 options: not used;moderately used; average use; very much used; and extensively used. The frequencies show theextent to which the internal audit activity (IAA) currently uses the listed audit tools and techniqueswhen compared to the overall mean usage of all respondents’ IAAs. This table provides a moredetailed picture of overall usage of tools and techniques. Since some respondents’ organizationsand IAAs are much larger and older than others, they may use more audit tools and have moreresources to purchase and apply the listed tools and techniques.
Table 5-19Extent the IAA Currently Uses the
Listed Audit Tools/TechniquesAll Respondents by Mean and Frequency
Tools/Techniques Number of Mean* % Not % % % %Respondents Used Moderately Average Very Extensively
Used Use Much UsedUsed
Other electronic 6,643 4.08 2.7 6.9 16.7 27.5 46.2communication(e.g., Internet,e-mail)Risk-based audit 6,611 3.56 8.0 13.6 21.3 28.8 28.3planningAnalytical review 6,634 3.21 6.5 20.5 31.1 29.6 12.3Electronic workpapers 6,580 3.19 19.8 15.6 17.2 20.9 26.5Statistical sampling 6,536 2.77 18.0 25.9 27.5 18.8 9.8Computer-assisted 6,581 2.67 22.3 25.4 25.0 17.5 9.8audit techniquesFlowchart software 6,540 2.42 31.7 24.8 21.6 13.5 8.4Benchmarking 6,505 2.41 24.9 30.9 26.6 13.7 3.9Process mapping 6,510 2.36 36.1 21.4 20.9 13.9 7.7applicationControl self- 6,511 2.30 34.1 26.0 21.1 13.0 5.8assessmentData mining 6,399 2.26 36.1 25.4 20.8 12.1 5.6Continuous/real-time 6,497 2.21 39.0 23.8 19.7 12.4 5.1auditing
*The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used,5 = Extensively Used.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 223
The Institute of Internal Auditors Research Foundation
Table 5-19 (Cont.)Extent the IAA Currently Uses the
Listed Audit Tools/TechniquesAll Respondents by Mean and Frequency
Tools/Techniques Number of Mean* % Not % % % %Respondents Used Moderately Average Very Extensively
Used Use Much UsedUsed
The IIA’s quality 6,424 2.06 46.6 20.8 17.4 10.5 4.7assessment reviewtoolsBalanced scorecard 6,427 2.02 48.4 19.2 18.8 9.8 3.8or similar frameworkTotal quality 6,380 1.97 48.6 21.9 17.5 8.5 3.5management techniquesProcess modeling 6,366 1.69 62.7 16.6 12.4 5.8 2.5software
*The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used,5 = Extensively Used.
Extensively Used
The analysis of the usage frequencies reveals that some tools are used extensively for a significantportion (more than 25%) by the respondents’ IAAs:
1. Other electronic communication (e-mail, Internet) (46.3%)2. Risk-based audit plan (28.3%)3. Electronic working papers (26.5%)
These particular tools match three core tasks of the IAA, planning, documenting field work, andcommunication. The latter two tasks can be very labor intensive when completed without technologysupport. For IAAs to have invested and developed tools in these areas seems appropriate.
224 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
The frequency of the extensively used category for these three tools and techniques shows theirimportance to the IAAs. The use of these tools allows the IAA to function efficiently and effectively.This is especially true for the use of electronic communication and electronic working paperswhich help with audit administration. A risk-based audit plan also helps with the performance of theaudit. When available resources are limited, both financially and by number of staff, technologyallows the IAA to expand its scope.
These findings are consistent with those based on the mean scores for other electronic communicationand risk-based audit plan. As shown on the frequency distribution in Table 5-19, there is a differencefor analytical review, which has a relatively high overall mean (3.21) and ranking (3) but has alower percentage in the extensively used category (12.3%). Although electronic workpapers isranked fourth with a mean of 3.19, in the frequency distribution it is shown as having 26.5% ofrespondents indicating extensively use. The use of a risk-based audit plan is in keeping with Standard2010.A1, Planning, which states that the IAA’s “Plan of engagements should be based on a riskassessment, undertaken at least annually.” This is supported elsewhere in the Standards andPractice Advisories. Over 78% of respondents indicate that they extensively use, very much use,or have average use of this technique.
In Appendix 5, Table 5-19-1-A shows extensively used responses for tools/techniques by auditorposition. This table reveals that there are usually lower frequencies for the response “extensivelyused” for CAEs. This is consistent with the means analysis. This may be due to the increasedadministrative work and outreach that CAEs do in their daily work. As the head of the department,the CAE must be aware of the activities and audits undertaken, but be less involved in the dailyoperating activities and the audit process. Standard 2030, Resource Management, states that theCAE “should ensure that internal audit resources are appropriate, sufficient, and effectively deployedto achieve the approved plan.” The most significant differences in this table are for electroniccommunications (41.5% for the CAE, 50.6% for Audit Seniors/Supervisors), electronic workpapers(21.1% for CAEs, Audit Staff 30.9%), and risk-based audit planning (29.6% for Audit Seniors/Supervisors, Other 17%).
Not Used
The analysis of frequencies makes it possible to identify those tools that are currently not used atall by respondents in auditing activities. According to Practice Advisory 1210-1, Proficiency, noteveryone in the IAA must be able to apply the tools and techniques required in performingengagements. Rather, the IAA must collectively possess this ability. This means that all membersof the IAA should be aware of the use of various tools and techniques in the department, but eachstaff member need not have a specific facility and ability to use the tool.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 225
The Institute of Internal Auditors Research Foundation
An unusually high number of the listed tools and techniques are indicated as not being used at allbased on Table 5-19. This information can be very important for practitioners, consultants, standardsetters, software companies, and others servicing or involved with the internal audit profession.More than one-fifth of the respondents do not use benchmarking (24.9%) or computer-assistedaudit techniques (22.3%). The least used tool is process modeling software which is not used by62.7% of respondents. Many other tools are indicated as not being used by more than 30% ofrespondents.
The percentage of respondents that do not currently use the listed tools and techniques that fall intothis category are:
• Process modeling software (62.7% of respondents do not use this tool).• Total quality management techniques (48.6%).• The balanced scorecard or similar framework (48.4%).• The IIA’s quality assessment review tools (46.6%).• Continuous/real-time auditing (39.0%).• Data mining (36.1%).• Process mapping application (36.1%).• Control self-assessment (34.1%).• Flowchart software (31.7%).
Standard 1300, Quality Assurance and Improvement Program, requires the CAE to “develop andmaintain a quality assurance and improvement program…and continuously monitors itseffectiveness.” This program is “designed to help the internal audit activity add value and improvethe organization’s operations.” Many IAAs see value in implementing this standard. Low use ofThe IIA’s quality assessment review (QAR) tools makes compliance with this standard andcontributing to the organization’s governance, risk management, and effectiveness more difficult.In Chapter 4, 32.8% of respondents indicated that they currently have a quality assessment andimprovement program in place and 21.9% intend to put one in place in the next 12 months.
According to Practice Advisory 2100-6, Control and Audit Implications of E-commerce Activities,when control self-assessment (CSA) is used by management to review controls, the IAA shouldreview the policies for authenticating transactions and evaluating controls. The use of electronicsystems and models is the most effective way to monitor and evaluate e-commerce activities. Thelist of tools and techniques above indicates that many respondents do not use the listed tools andtechniques that would enable IAA staff to easily test systems and controls.
226 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 5-19 further reveals that statistical sampling (indicated as not used by 18%) is often used ina moderate or average way. This is in accordance with Practice Advisory 2100-10, Audit Sampling.The use of benchmarking is similar. Some management techniques, such as total quality management(48.6% not used) and the balanced scorecard (48.4% not used), are not generally used in internalaudit activities.
Control self-assessment (CSA) is not widely used by the IAA (34.1% not used), so that in mostorganizations the involvement of management in self-evaluating the control activity might not befully exploited. However, it is important to distinguish between control self-assessment as an audittechnique for the internal auditor to complete an audit engagement and CSA as a managementpractice implemented in an organization with or without the involvement of the IAA. Managementshould self-assess their internal control on an ongoing basis as part of their managerial responsibilitiesexternal to the IAA.
In Appendix 5, Table 5-19-2-A shows by frequency and positional level of the respondent the audittools and techniques that are not currently used by the IAA. The frequencies for the answer “notused” are generally higher for CAE respondents than for Practitioners. Differences between thefrequencies for tools not used are markedly different for control self-assessment (40.8% CAE,27.3% for Audit Staff), process modeling software (69.9% CAE, 55.3% Audit Staff), and totalquality management techniques (54.1% CAE, 41.6% Audit Staff).This continues the patternpreviously noted.
In Appendix 5, Table 5-19-3-A details the frequency for all 13 groups for the response “not currentlyused.” Major differences include the use of electronic workpapers (66.7% in group 12 versus7.8% in group 8), flowchart software (73.5% in group 12 versus 25.5% in group 1), and processmapping application (62.5% in group 12 versus 22.5 in group 8). In group 12, for most tools/techniques the frequency of the not used response is higher than in other groups. Other differencesamong the groups indicate a general lack of consistency in the use of the listed tools and techniquesglobally.
The groups’ means and frequencies highlight differences in the current practice globally among thelisted tools and techniques. Electronic communication and electronic working papers are extensivelyused. Process modeling software is often not used by auditors (62.7%), while computer-assistedaudit techniques and flowchart software are moderately used. In some respondents’ organizations,process mapping application and data mining are not used (frequency of 36.1% for each tool). Thisis also true for continuous/real-time auditing (39.0% not used). Standard 1220, Due ProfessionalCare, recommends that the internal auditor exercise due professional care and consider the use ofcomputer-assisted audit tools and other data analysis techniques.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 227
The Institute of Internal Auditors Research Foundation
Respondents by group indicate that auditing techniques such as analytical review and a risk-basedapproach for audit planning are generally used and in many cases used extensively. Data suggeststhat IAAs are focusing their resources and activities on critical areas and on the organization’sprimary business risks.
Predictive Changes in the Use of Audit Tools and Techniques Over theNext Three Years
It is important to understand how the IAA plans to change the way it performs audits and how itplans to become more effective and efficient as it adds value to its organization. Table 5-20 providesan overall view of the extent to which respondents’ IAAs intend to use the listed tools and techniquesin the next three years. Again, respondents did not have an opportunity to list tools not mentionedon the pre-established list. An overall mean response and means by respondents’ staff level areprovided.
Using the overall mean for all respondents, the top five means for tools where usage is expected toincrease are:
1. Other electronic communication (e.g., Internet, e-mail) (4.16).2. Risk-based audit planning (3.99).3. Electronic workpapers (3.68).4. Analytical review (3.42).5. Computer-assisted audit techniques (CAAT) (3.37).
Respondents are consistent with their emphasis on the same tools and techniques as they arecurrently using. The only change in the top five tools when compared to current use is with numberfive. Statistical sampling (currently ranked sixth) has been replaced by computer-assisted audittechniques which had been ranked sixth.
228 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 5-20Extent the IAA Plans to Use the
Listed Audit Tools/Techniques in the Next Three YearsAll Respondents by Mean*
Tools/Techniques Number of Mean CAE Audit Audit Audit OtherRespondents Manager Senior/ Staff
Supervisor
Other electronic 4,751 4.16 4.11 4.20 4.24 4.21 3.87communication (e.g.,Internet, e-mail)Risk-based audit planning 4,789 3.99 4.09 4.05 3.96 3.84 3.54Electronic workpapers 4,816 3.68 3.59 3.81 3.75 3.71 3.39Analytical review 4,731 3.42 3.41 3.42 3.46 3.42 3.25Computer-assisted audit 4,826 3.37 3.36 3.44 3.39 3.26 3.23techniquesStatistical sampling 4,756 3.04 2.95 3.00 3.10 3.17 3.15Data mining 4,731 2.84 2.84 2.88 2.86 2.80 2.63Control self-assessment 4,816 2.82 2.75 2.76 2.89 2.97 2.88Benchmarking 4,741 2.79 2.80 2.84 2.77 2.73 2.74Continuous/real-time 4,845 2.78 2.73 2.80 2.82 2.87 2.69auditingFlowchart software 4,794 2.77 2.71 2.84 2.77 2.78 2.82The IIA’s quality 4,799 2.73 2.73 2.82 2.69 2.66 2.70assessment review toolsProcess mapping application 4,767 2.72 2.65 2.71 2.79 2.79 2.77Total quality management 4,772 2.43 2.34 2.44 2.46 2.52 2.57techniquesBalanced scorecard or 4,770 2.38 2.31 2.44 2.39 2.41 2.41similar frameworkProcess modeling software 4,749 2.08 1.95 2.05 2.17 2.23 2.30
*The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used,5 = Extensively Used.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 229
The Institute of Internal Auditors Research Foundation
In Appendix 5, Table 5-20-1-A shows groups’ means for use of tools and techniques in the nextthree years. Again there is consistency globally when taking out the high and low outliers. Thereare noticeable differences for total quality management between group 8 and group 12. Other toolswith a difference of more than 1.25 between groups include benchmarking, CAAT, continuous/real-time auditing, data mining, risk-based audit planning, and statistical sampling.
By comparing the overall means from Table 5-20 and rankings from Table 5-21, with the meansand rankings for CAEs and other practitioners by staff level, there is a high level of consistencybetween the staff levels. This reinforces the expectation that CAEs would adequately communicateplans and expectations with all members of the IAA staff. The only major difference is for theplanned use of risk-based audit planning (4.09 for the CAE versus 3.54 for Other), but all positionsrank this technique as second most used or to be used.
230 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 5-21Extent the IAA Plans to Use the
Listed Audit Tools/Techniques in the Next Three YearsAll Respondents by Rank*
Tools/Techniques Number of Overall CAE Audit Audit Audit OtherRespondents Average Manager Senior/ Staff
Supervisor
Other electronic 4,751 1 1 1 1 1 1communication (e.g.,Internet, e-mail)Risk-based audit planning 4,789 2 2 2 2 2 2Electronic workpapers 4,816 3 3 3 3 3 3Analytical review 4,731 4 4 5 4 4 4Computer-assisted audit 4,826 5 5 4 5 5 5techniquesStatistical sampling 4,756 6 6 6 6 6 6Data mining 4,731 7 7 7 8 9 13Control self-assessment 4,816 8 9 12 7 7 7Benchmarking 4,741 9 8 8/9 11/12 12 10Continuous/real-time 4,845 10 10/11 11 9 8 12auditingFlowchart software 4,794 11 12 8/9 11/12 11 8The IIA’s quality 4,799 12 10/11 10 13 13 11assessment review toolsProcess mapping application 4,767 13 13 13 10 10 9Total quality management 4,772 14 14 14/15 14/15 14 14techniquesBalanced scorecard or 4,770 15 15 14/15 14/15 15 15similar frameworkProcess modeling software 4,749 16 16 16 16 16 16
Note: In some cases the rankings were tied. For example, rankings of continuous/real-time auditing and The IIA’squality assessment review tools at the CAE level were tied.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 231
The Institute of Internal Auditors Research Foundation
The frequency analysis provides another view of the extent the IAA plans to use the listed audittools/techniques in the next three years. Table 5-22 reports the frequencies for all respondents.
Table 5-22Extent the IAA Plans to Use the Listed Audit Tools/Techniques
in the Next Three YearsAll Respondents by Mean and Frequency
Tools/Techniques Number of Mean* % Not % % % %Respondents Used Moderately Average Very Extensively
Used Use Much UsedUsed
Other electronic 4,751 4.16 1.6 5.6 16.3 28.1 48.4communication (e.g.,Internet, e-mail)Risk-based audit 4,789 3.99 3.1 6.6 17.6 33.6 39.1planningElectronic workpapers 4,816 3.68 8.0 10.7 20.5 27.0 33.8Analytical review 4,731 3.42 4.3 14.6 31.5 33.9 15.7Computer -assisted 4,826 3.37 7.8 15.8 26.8 31.1 18.5audit techniquesStatistical sampling 4,756 3.04 10.5 21.8 32.7 23.7 11.3Data mining 4,731 2.84 18.7 21.9 26.5 22.4 10.5Control self-assessment 4,816 2.82 15.1 26.3 28.6 21.1 8.8Benchmarking 4,741 2.79 13.5 27.6 31.4 21.3 6.2Continuous/real-time 4,845 2.78 18.0 24.3 27.8 21.0 8.9auditingFlowchart software 4,794 2.77 19.4 24.3 26.8 19.0 10.5The IIA’s quality 4,799 2.73 20.3 23.7 27.5 19.4 9.1assessment reviewtoolsProcess mapping 4,767 2.72 22.6 22.2 25.6 19.8 9.8applicationTotal quality 4,772 2.43 30.0 24.5 24.7 14.6 6.2management techniquesBalanced scorecard or 4,770 2.38 31.2 24.1 25.0 15.0 4.7similar frameworkProcess modeling 4,749 2.08 43.9 22.4 19.6 10.0 4.1software
*The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used,5 = Extensively Used.
232 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Tools that Will Be Extensively Used
Generally, respondents expect that there will be an extensive use of a wide range of tools in thenext three years, usually more than at present. The results when comparing the overall frequencyin Table 5-22 with the results in Table 5-19 show several significant increases in the use of thelisted tools.
• Risk-based audit planning (usage of 39.1% in the next three years versus 28.3% currentusage)
• Computer-assisted audit techniques (18.5% in the next three years versus 9.8% currently)• Electronic workpapers (33.8% in the next three years versus 26.5% currently)• The IIA’s quality assessment review tools (9.1% in the next three years versus 4.7%
currently)
Some respondents feel the need to control the quality of auditing processes, in accordance with theStandards, The IIA’s quality assessment review will have greater importance in the future.
The general increase in the frequencies of the “extensively used” response is consistent for bothCAEs and Practitioners. There are slight differences between the two categories of respondentswhen comparing the results in Table 5-19-1-A and Table 5-22-1-A:
• Risk-based audit planning (12.9% increase for CAE versus 7.0% increase for Audit Staff)• Other electronic communication (8.3% increase for Other versus 0.7% increase for Audit
Manager)
Tools that Will Not be Used in the Next Three Years
Table 5-23 compares some of the results of Table 5-22-2 in Appendix 5 that lists the tools that willnot be used in the next three years with Table 5-19-2-A in Appendix 5 that shows tools IAAs planto use more of in the future. The decrease in the overall frequencies for all respondents (whichmeans an increase in the number of respondents who will use a certain tool) is particularly relevantfor the following tools and techniques.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 233
The Institute of Internal Auditors Research Foundation
Table 5-23Comparison of the IAA Plans to Use the Listed Audit Tools/Techniques
in the Next Three Years and Not Currently UsedAll Respondents Percentage
Tools and Techniques Respondents Respondents Projecting That ThisIndicating Tool Will Not Be Used in the Next
Current Use Three Years
Process modeling software 62.7 43.9Balanced scorecard or similar 48.4 31.2frameworkIIA’s quality assessment 46.6 20.3review toolsContinuous real-time auditing 39.0 18.0Data mining 36.1 18.7Control self-assessment (CSA) 34.1 15.1Computer-assisted audit 22.3 7.8techniques
These findings are important since they reveal that most CAEs and Practitioners in the near futureintend to use the tools and techniques suggested by the Standards, Practice Advisories, and bestpractices even when they are currently not used today. The expected increase for the CSA tool aswell as for continuous/real-time auditing will contribute to making management more aware of andresponsible for the internal control system.
Resolution of Major Differences
Practice Advisory 2410-1, Communication Criteria, suggests “As part of the internal auditor’sdiscussions with the engagement client, the internal auditor should try to obtain agreement on theresults of the engagement and on a plan of action to improve operations, as needed.” Respondentswere asked to indicate at what points in the audit process major differences are resolved. Eachcategory could be selected by each respondent since they may resolve major issues in severalphases of the audit process. Table 5-24 shows that 44.5% of the respondents usually resolve majordifferences during fieldwork and 45.2% usually resolve them during audit reporting. Thirty-twopoint four percent sometimes resolve audit issues during planning, and 28.5% indicated that resolutionrarely happens during the planning stage.
234 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 5-24When Are Major Audit Issues Resolved
for All Respondents by Percentage
When Resolved During During During Audit After the Never*Planning Audit Reporting Audit % of 4,319
% of 6,358 Fieldwork % of 6,760 Report is RespondentsRespondents % of 6,710 Respondents Issued
Respondents % of 6,398Respondents
Never 16.1 1.9 2.0 18.6 61.2Rarely 28.5 6.6 7.1 31.6 24.4
Sometimes 32.4 37.1 27.8 20.6 9.2Usually 16.3 44.5 45.2 18.6 2.6Always 6.7 9.9 17.9 10.6 2.6
Total 100.0 100.0 100.0 100.0 100.0
*The researchers presume this means that issues were never left unresolved throughout the process.
Approximately 23% of all respondents believed that audit issues are always or usually resolvedduring planning; about half of them noted that audit issues are usually or always resolved duringaudit fieldwork (54.4%); and about 63.1% of them thought that issues are resolved during auditreporting. About 5.2% of these issues do not appear to ever be followed up. It seems that majoraudit issues are resolved throughout the audit process but predominantly during fieldwork and theaudit reporting period.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 235
The Institute of Internal Auditors Research Foundation
Reporting of Findings
Standard 2440, Disseminating Results, states, “The chief audit executive should communicateresults to the appropriate parties.” Figure 5-8 indicates that a majority of 58.8% of the respondentsagree that the responsibility of reporting audit findings rests with the CAEs. The next staff level forreporting results that respondents selected is the Audit Manager (19.6%).
Figure 5-8Primary Responsibility for Reporting Findings to
Senior ManagementAll Respondents (7,119) in Percentages
No formalreporting of
results1.1%
Other1.9% Auditee/client
3.4%
Both internalaudit manager
and auditee/client7.4%
Both CAE andauditee/client
7.8%
Internal auditmanager19.6%
CAE58.8%
236 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
As shown in Table 5-25, CAEs believe they have the primary responsibility for reporting the auditfindings alone (75.1%) or jointly (10.3%) with the auditee/client, while Audit Managers indicatethey should report the findings alone (28.2%) or with the auditee/client (9.4%). Audit Senior/Supervisor, Audit Staff, and Other concur with the Audit Manager respondents.
Table 5-25Primary Responsibility for Reporting Findings to Senior Management
All Respondents in Percentages
Responsibility Total CAE Audit Audit Audit Staff Other Overallfor Reporting Respondents Respondents Manager Senior/ Respondents Respondents Average
Findings by % of Total Respondents Supervisor % of Total % of Total %Position % of Total Respondents
% of Total
CAE 4,187 75.1 51.6 54.7 51.6 43.0 58.8Internal audit 1,396 6.4 28.2 24.4 24.3 18.0 19.6managerBoth chief 555 10.3 6.6 5.9 6.9 10.0 7.8auditexecutiveand auditee/clientBoth internal 528 3.6 9.4 9.8 8.0 7.0 7.4auditmanager andauditee/clientAuditee/ 240 2.7 2.8 2.5 5.2 7.5 3.4clientOther 134 0.9 0.8 2.1 2.9 7.5 1.9No formal 79 1.0 0.6 0.6 1.1 7.0 1.1reporting ofresultsTotal respon- 7,119 100.0 100.0 100.0 100.0 100.0 100.0dents/total
____________________________ Chapter 5: Current Status of the Internal Audit Activity 237
The Institute of Internal Auditors Research Foundation
Monitoring Corrective Action
In Standard 2500, Monitoring Progress, “The chief audit executive should establish and maintain asystem to monitor the disposition of results communicated to management.” Standard 2500.A1goes on to require that “a follow-up process to monitor and ensure that management actions havebeen effectively implemented or that senior management has accepted the risk of not taking action.”Figure 5-9 provides respondents’ beliefs about who has the primary responsibility for monitoringcorrective action on findings listed in audit reports. Fifty percent believe that both the internalauditor and auditee/client have the primary responsibility for monitoring corrective action.
Figure 5-9Primary Responsibility for Monitoring Corrective Action Taken
All Respondents (7,116) in Percentages
Other1.9%
No formalfollow-up
3.1%Auditee/client
13.7%
Internal auditor31.3%
Both internalauditor and
auditee/client50.0%
238 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
In Table 5-26, the majority of the respondents (37.5% to 54.5%) believe that both the internalauditor and auditee/client together have the primary responsibility to monitor that needed correctiveaction has been adopted. Between 25.8% and 35.7% of the respondents indicated that the internalauditor has the primary responsibility. With the exception of the Other respondents (8.5%), only2.0% to 3.4% indicated they had no formal follow-up procedures.
Table 5-26Primary Responsibility for Monitoring Corrective Actions Taken
All Respondents in Percentages
Primary Total CAE Audit Audit Audit Staff Other OverallResponsibility Respondents Respondents Manager Senior/ Respondents Respondents Average
by Position % of Total Respondents Supervisor % of Total % of Total Total% of Total Respondents Percent
% of Total
Both internal 3,560 54.5 51.8 47.9 46.9 37.5 50.0audit andauditee/clientInternal auditor 2,226 28.0 30.4 34.3 35.7 25.8 31.3Auditee/client 974 14.0 13.7 12.5 12.9 19.2 13.7No formal 219 2.0 2.8 3.4 3.0 8.5 3.1follow-upOther 137 1.5 1.3 1.9 1.5 9.0 1.9Total 7,116 100.0 100.0 100.0 100.0 100.0 100.0respondents
____________________________ Chapter 5: Current Status of the Internal Audit Activity 239
The Institute of Internal Auditors Research Foundation
Summary
The operation of the internal audit activity is complex and demanding. The chief audit executivemust manage both internal and external relationships, the administration and organization of theactivity, the plan and functioning of the audits performed, and resolve any issues that arise. TheStandards and Practice Advisories provide the guidance needed to accomplish these tasks, butcompliance may be challenging due to internal and external limitations placed upon the department.The appointment procedures, performance evaluations, and reporting relationships for CAEs aregenerally in accordance with Standard 1100, Independence and Objectivity, and 1110, OrganizationalIndependence. IAA independence is maintained by having board and senior managementinvolvement in the CAE’s hiring and performance evaluation. The matrix relationship and participationof key constituents helps maintain independence and the IAA’s position in the organization.
Perceptions by CAE respondents provide a very positive view about the IAA within theirorganizations, and the IAA is seen as highly credible. Many IAAs are relatively young but followthe guidance included in the Standards and utilize the documents recommended by The IIA. MostIAAs use a risk-based approach to engagement planning and allocate time in accordance with theneeds of the organization, focusing on the effectiveness of risk management, control, and governanceprocesses. CAEs and Practitioners almost uniformly rank the tools currently used by the IAA thesame, with electronic communication (e.g., Internet, e-mail), risk-based audit planning, analyticalreview, and electronic workpapers as the most used tools. These tools are also expected to be themost used in the next three years. Major audit issues are resolved throughout the audit process butpredominantly during fieldwork and the audit reporting period.
240 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
APP
EN
DIX
5
Tabl
e 5-3
-1-A
Eval
uatio
n of
CA
E’s P
erfo
rman
ce b
y Typ
e of O
rgan
izat
ion
CA
E R
espo
nden
ts in
Per
cent
ages
Type
of
Tota
lB
oard
of
Cha
irC
hief
Aud
itSe
nior
Aud
itee/
Supe
rvis
orPe
ers/
Not
Org
aniz
atio
n/R
espo
n-D
irec
tors
of th
eE
xecu
tive
Com
mit
tee/
Man
age-
Clie
ntPe
riod
ical
lySu
bord
inat
esE
valu
ated
Num
ber
ofde
nts
Boar
dO
ffic
erO
vers
ight
men
tat
the
End
Peri
odic
ally
Res
pond
ents
Com
mit
tee/
of A
udit
Com
mit
tee
Cha
irpe
rson
Publ
icly
811
13.3
19.4
41.4
64.6
36.7
9.59.0
5.21.5
Trad
ed(L
isted
)C
ompa
nyPr
ivat
ely
583
22.6
20.4
49.9
44.4
27.1
9.47.0
3.62.4
Hel
d(N
on-li
sted
)C
ompa
nyPu
blic
515
10.9
11.5
50.5
34.8
29.9
12.8
7.27.4
5.0Se
ctor
/G
over
nmen
tSe
rvic
e20
623
.811
.730
.631
.629
.120
.49.7
12.1
8.7Pr
ovid
er/
Con
sulta
ntN
ot-fo
r-17
19.9
10.5
48.0
55.6
29.2
11.7
7.64.1
9.4Pr
ofit
Org
aniz
atio
nO
ther
5525
.516
.447
.347
.325
.53.6
5.51.8
3.6
Not
e: T
he r
espo
nden
ts w
ere
aske
d to
mar
k al
l th
at a
pply
so
the
tota
l of
the
per
cent
ages
may
be
mor
e th
an 1
00.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 241
The Institute of Internal Auditors Research Foundation
Table 5-4-1-ACAE’s Relationship with Audit/Oversight Committee by Group*
CAE Respondents - Percentage of Yes Responses
Question 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Is there an audit/ 85.2 92.9 91.4 53.5 38.7 49.7 51.2 69.5 65.8 54.3 81.5 100.0 65.5oversight committeein your organization?Does the CAE meet 64.1 75.6 75.5 70.6 62.3 43.4 67.2 48.8 69.2 44.0 77.3 77.8 59.6with the audit/oversight committeechairperson inaddition to theregularlyscheduledmeetings?Does the CAE 93.9 91.0 92.0 90.0 88.2 85.5 88.1 88.1 89.3 92.0 93.9 88.9 84.2believe that he/shehas appropriateaccess to the audit/oversight committee?
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
242 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Tabl
e 5-8
-1-A
Rel
atio
nshi
p of
IAA
to th
e Org
aniz
atio
n by
Gro
up*
CA
E R
espo
nden
ts in
Mea
ns**
Stat
emen
t1
23
45
67
89
1011
12N
/C**
*
Your
inte
rnal
aud
it fu
nctio
n is
an
inde
pend
ent
4.45
4.57
4.44
4.21
4.41
4.64
4.63
4.43
4.31
4.57
4.44
4.78
4.27
obje
ctiv
e as
sura
nce
and
cons
ultin
g ac
tivity
.Yo
ur in
tern
al a
udit
func
tion
adds
val
ue.
4.46
4.55
4.30
4.12
4.35
4.40
4.51
4.40
4.39
4.43
4.37
5.00
4.28
Inte
rnal
aud
it br
ings
a s
yste
mat
ic a
ppro
ach
to3.
994.
234.
083.
804.
024.
004.
194.
104.
053.
804.
134.
564.
00ev
alua
te th
e eff
ectiv
enes
s of r
isk
man
agem
ent.
Your
inte
rnal
aud
it fu
nctio
n br
ings
a sy
stem
atic
4.41
4.51
4.42
3.93
4.23
4.47
4.40
4.34
4.13
4.13
4.40
4.67
4.15
appr
oach
to e
valu
ate
the
effe
ctiv
enes
s of
inte
rnal
con
trols
.Yo
ur in
tern
al a
udit
func
tion
brin
gs a
syst
emat
ic3.
844.
053.
963.
653.
803.
583.
903.
663.
703.
853.
954.
223.
62ap
proa
ch to
eva
luat
e th
e ef
fect
iven
ess
ofgo
vern
ance
pro
cess
es.
Your
inte
rnal
aud
it fu
nctio
n pr
oact
ivel
y4.
164.
184.
104.
163.
874.
124.
343.
983.
983.
804.
134.
224.
02ex
amin
es im
porta
nt fi
nanc
ial m
atte
rs, r
isks
,an
d in
tern
al c
ontro
ls.
Your
inte
rnal
aud
it fu
nctio
n is
an
inte
gral
par
t4.
194.
374.
223.
884.
043.
974.
113.
994.
093.
964.
194.
443.
90of
the
gove
rnan
ce p
roce
ss b
y pr
ovid
ing
relia
ble
info
rmat
ion
to m
anag
emen
t.Th
e w
ay o
ur in
tern
al a
udit
func
tion
adds
val
ue3.
703.
873.
803.
273.
092.
783.
333.
513.
483.
153.
984.
333.
34to
the
gove
rnan
ce p
roce
ss is
thro
ugh
dire
ctac
cess
to th
e au
dit c
omm
ittee
.Yo
ur in
tern
al a
udit
func
tion
has s
uffic
ient
4.07
4.21
4.03
3.90
4.09
4.26
4.27
4.00
4.00
3.91
4.08
4.67
3.89
stat
us in
the
orga
niza
tion
to b
e ef
fect
ive.
Inde
pend
ence
is a
key
fact
or fo
r you
r int
erna
l4.
434.
554.
384.
324.
304.
624.
674.
554.
494.
394.
455.
004.
38au
dit f
unct
ion
to a
dd v
alue
.O
bjec
tivity
is a
key
fact
or fo
r you
r int
erna
l4.
564.
644.
644.
384.
514.
754.
734.
644.
564.
614.
514.
784.
41au
dit f
unct
ion
to a
dd v
alue
.
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
* *T
he m
ean
is t
he a
vera
ge r
espo
nse
to:
1 =
Stro
ngly
Dis
agre
e, 2
= D
isag
ree,
3 =
Neu
tral,
4 =
Agr
ee, 5
= S
trong
ly A
gree
.**
*N/C
= R
espo
nden
ts d
id n
ot i
ndic
ate
affi
liate
or
chap
ter
mem
bers
hip.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 243
The Institute of Internal Auditors Research Foundation
Tabl
e 5-8
-1-A
(Con
t.)R
elat
ions
hip
of IA
A to
the O
rgan
izat
ion
by G
roup
*C
AE
Res
pond
ents
in M
eans
**
Stat
emen
t1
23
45
67
89
1011
12N
/C**
*
Your
inte
rnal
aud
it fu
nctio
n is
cre
dibl
e w
ithin
4.35
4.45
4.22
4.05
4.19
4.52
4.51
4.16
4.24
4.28
4.33
4.33
4.13
your
org
aniz
atio
n.C
ompl
ianc
e w
ith T
he II
A’s I
nter
natio
nal
3.74
3.85
3.99
3.99
4.01
3.83
4.27
3.79
4.07
3.98
3.91
4.56
3.77
Stan
dard
s for
the
Prof
essi
onal
Pra
ctic
e of
Inte
rnal
Aud
iting
is a
key
fact
or fo
r you
rin
tern
al a
udit
func
tion
to a
dd v
alue
to th
ego
vern
ance
pro
cess
.C
ompl
ianc
e w
ith T
he II
A’s
code
of e
thic
s is
3.99
4.04
4.11
3.99
4.11
3.99
4.42
3.91
4.20
4.22
4.13
4.78
3.80
a ke
y fa
ctor
for y
our i
nter
nal a
udit
func
tion
to a
dd v
alue
to th
e go
vern
ance
pro
cess
.
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**Th
e m
ean
is t
he a
vera
ge r
espo
nse
to:
1 =
Stro
ngly
Dis
agre
e, 2
= D
isag
ree,
3 =
Neu
tral,
4 =
Agr
ee, 5
= S
trong
ly A
gree
.**
*N/C
= R
espo
nden
ts d
id n
ot i
ndic
ate
affi
liate
or
chap
ter
mem
bers
hip.
244 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Tabl
e 5-1
7-1-
AE
xten
t the
IAA
Cur
rent
ly U
ses t
he L
iste
d A
udit
Tool
s/Te
chni
ques
by
Gro
up*
All
Res
pond
ents
by
Mea
ns**
Tool
s/Te
chni
ques
12
34
56
78
910
1112
N/C
***
Ana
lytic
al re
view
3.24
3.10
2.97
2.98
3.47
3.33
3.31
3.10
3.57
3.20
3.44
3.32
3.07
Bal
ance
d sc
orec
ard
or si
mila
r fra
mew
ork
2.04
1.91
2.15
1.52
1.98
1.80
2.13
2.17
1.98
2.11
2.09
1.76
1.977
Ben
chm
arki
ng2.4
92.3
92.4
62.1
22.5
82.2
92.1
92.2
82.7
02.5
32.4
52.4
72.3
02C
ompu
ter-
assi
sted
aud
it te
chni
ques
2.75
2.70
2.68
2.39
2.53
2.74
2.91
2.43
3.00
2.40
2.54
2.50
2.051
Con
tinuo
us/re
al-ti
me a
uditi
ng2.0
61.9
82.1
32.7
92.4
72.2
62.4
62.0
92.6
02.0
12.1
62.4
42.4
9C
ontro
l sel
f-as
sess
men
t2.2
52.4
12.3
32.7
62.4
12.1
12.3
12.3
22.5
52.2
02.2
42.1
92.2
9D
ata m
inin
g2.3
02.0
52.1
12.1
52.7
72.1
91.8
82.2
82.8
61.8
52.2
92.1
22.1
5El
ectro
nic w
orkp
aper
s3.2
02.7
83.3
12.7
33.3
43.1
03.1
23.5
33.2
63.2
12.5
61.9
73.1
0Fl
owch
art s
oftw
are
2.61
2.43
2.20
2.12
2.44
2.18
2.38
2.37
2.51
2.10
2.32
1.68
2.20
Oth
er el
ectro
nic c
omm
unic
atio
n4.2
63.9
94.1
93.3
94.0
74.1
13.8
43.9
54.0
54.3
83.9
03.1
53.8
4(e
.g.,
Inte
rnet
, e-m
ail)
Proc
ess m
appi
ng a
pplic
atio
n2.2
12.4
62.2
52.5
92.4
32.2
52.6
72.6
92.3
51.8
92.4
91.8
42.4
0Pr
oces
s mod
elin
g so
ftwar
e1.6
11.6
91.6
41.6
71.7
31.7
31.9
51.7
91.7
81.5
61.7
11.4
21.7
7R
isk-
base
d au
dit p
lann
ing
3.71
3.86
3.91
2.53
3.54
3.71
3.38
3.36
3.23
3.86
3.52
3.55
3.17
Stat
istic
al sa
mpl
ing
2.82
2.60
2.72
2.59
2.81
2.53
2.81
2.82
2.85
2.18
2.71
3.00
2.77
The
IIA’
s qu
ality
ass
essm
ent r
evie
w to
ols
2.25
1.92
2.14
1.82
1.98
1.99
1.95
1.78
1.83
2.01
2.06
1.91
1.82
Tota
l qua
lity
man
agem
ent t
echn
ique
s2.0
91.8
42.1
11.8
51.9
71.8
61.8
61.6
32.0
21.7
52.1
41.9
71.9
1
*For
a l
ist
of a
ffili
ate
grou
ps,
plea
se s
ee t
he i
nsid
e ba
ck c
over
.**
The
mea
n is
the
ave
rage
res
pons
e to
: 1
= N
ot U
sed,
2 =
Mod
erat
ely
Use
d, 3
= A
vera
ge U
se, 4
= V
ery
Muc
h U
sed,
5 =
Ext
ensi
vely
Use
d.**
*N/C
= R
espo
nden
ts d
id n
ot i
ndic
ate
affi
liate
or
chap
ter
mem
bers
hip.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 245
The Institute of Internal Auditors Research Foundation
Table 5-19-1-AAudit Tools/Techniques that are Currently Extensively Used
All Respondents by Frequency*
Tools/Techniques** Mean CAE Audit Audit Audit Other Manager Senior/ Staff
Supervisor
Other electronic communication 46.3 41.5 49.5 50.6 48.5 31.7(e.g., Internet, e-mail)Risk-based audit planning 28.3 28.1 28.8 29.6 29.5 17.0Electronic workpapers 26.5 21.1 28.4 30.1 30.9 18.4Analytical review 12.4 10.8 11.5 13.5 15.0 12.8Computer-assisted audit techniques 9.8 6.9 10.2 11.0 12.5 11.1Statistical sampling 9.7 7.2 8.1 10.7 15.3 9.8Flowchart software 8.3 6.2 8.6 9.3 10.7 8.1Process mapping application 7.7 5.8 8.0 9.1 9.2 6.4Control self-assessment 5.7 3.8 5.3 6.2 9.0 7.3Data mining 5.6 4.5 5.2 5.6 8.0 6.1Continuous/real-time auditing 5.1 3.0 4.3 5.9 8.2 7.0The IIA’s quality assessment 4.6 3.5 5.2 4.4 6.4 4.9review toolsBalanced scorecard or similar 3.9 1.9 4.1 4.4 6.0 4.9frameworkBenchmarking 3.9 3.6 2.8 4.4 5.1 5.4Total quality management techniques 3.5 2.3 3.6 3.4 5.9 4.3Process modeling software 2.5 1.1 2.2 3.0 4.2 4.1
*As this is a frequency for only the “Currently Extensively Used” category, the rows will not add across to 100.**The tools/techniques are presented in the table in a decreasing order, according to the ranking of the overall average.
246 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 5-19-2-AAudit Tools/Techniques Not Currently Used
All Respondents by Frequency*
Tools/Techniques** Mean CAE Audit Audit Audit Other Manager Senior/ Staff
Supervisor
Process modeling software 62.7 69.9 64.0 58.7 55.3 55.7Total quality management techniques 48.6 54.1 48.3 47.8 41.6 42.2Balanced scorecard or similar 48.4 52.9 46.9 46.2 46.2 46.6frameworkThe IIA’s quality assessment review 46.6 49.8 43.8 47.5 43.5 46.0toolsContinuous/real-time auditing 39.0 42.9 42.5 34.8 31.9 42.7Data mining 36.1 38.0 34.6 35.5 34.5 39.6Process mapping application 36.1 40.1 35.1 34.3 33.7 33.7Control self-assessment 34.1 40.8 35.1 30.5 27.3 30.2Flowchart software 31.7 33.9 27.1 31.3 34.1 33.9Benchmarking 24.9 23.8 23.0 26.4 26.4 28.4Computer-assisted audit techniques 22.3 23.7 19.8 21.1 24.4 24.9Electronic workpapers 19.8 22.3 18.2 19.3 17.1 23.6Statistical sampling 18.0 19.6 19.3 16.8 14.7 18.7Risk-based audit planning 8.0 6.6 7.2 7.9 9.6 16.1Analytical review 6.5 5.4 5.7 5.9 8.3 12.5Other electronic communication 2.7 2.9 2.6 1.6 2.3 7.7(e.g., Internet, e-mail)
*As this is a frequency for only the “Not Currently Used” category, the rows will not add across to 100.**The tools/techniques are presented in the table in a decreasing order, according to the ranking of the overall average.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 247
The Institute of Internal Auditors Research Foundation
Tabl
e 5-1
9-3-
AA
udit
Tool
s/Tec
hniq
ues N
ot C
urre
ntly
Use
d by
Gro
up*
All
Res
pond
ents
by
Mea
n**
Tool
s/Te
chni
ques
12
34
56
78
910
1112
N/C
***
Ana
lytic
al re
view
5.84.9
8.26.7
3.53.4
4.510
.27.4
5.42.2
14.7
9.9B
alan
ced
scor
ecar
d or
sim
ilar f
ram
ewor
k49
.347
.543
.868
.047
.053
.042
.340
.059
.146
.444
.363
.652
.6B
ench
mar
king
22.8
19.4
23.0
35.7
23.8
22.7
33.3
25.2
19.6
18.8
21.5
37.5
32.2
Com
pute
r-as
sist
ed a
udit
tech
niqu
es18
.818
.221
.326
.529
.018
.718
.629
.821
.727
.328
.238
.225
.4C
ontin
uous
/real
-tim
e aud
iting
44.3
50.0
46.4
16.8
32.2
33.9
27.6
40.8
28.0
46.3
40.9
35.3
27.9
Con
trol s
elf-
asse
ssm
ent
37.9
29.9
34.9
13.9
29.9
40.4
32.5
29.0
34.4
27.9
37.6
50.0
33.5
Dat
a min
ing
33.0
38.5
40.3
36.8
20.3
34.1
54.9
37.1
22.0
51.8
38.9
48.5
43.0
Elec
troni
c wor
kpap
ers
22.7
27.8
20.1
25.7
11.8
17.5
17.9
7.814
.614
.334
.866
.720
.9Fl
owch
art s
oftw
are
25.5
30.0
40.4
38.0
33.0
34.9
32.8
32.2
36.7
39.3
36.2
73.5
41.2
Oth
er el
ectro
nic c
omm
unic
atio
n2.0
3.31.8
7.21.5
1.24.3
2.76.4
1.83.3
23.5
3.2(e
.g.,
Inte
rnet
, e-m
ail)
Proc
ess m
appi
ng a
pplic
atio
n42
.134
.440
.328
.331
.935
.724
.322
.539
.151
.837
.162
.533
.2Pr
oces
s mod
elin
g so
ftwar
e66
.960
.666
.363
.659
.256
.252
.056
.563
.767
.962
.181
.859
.5R
isk-
base
d au
dit p
lann
ing
6.36.6
4.824
.26.6
4.010
.48.4
13.7
5.45.6
8.814
.6St
atis
tical
sam
plin
g16
.819
.120
.517
.017
.518
.118
.116
.520
.732
.420
.814
.720
.0Th
e II
A’s
qual
ity a
sses
smen
t rev
iew
tool
s39
.748
.345
.749
.048
.745
.252
.456
.859
.649
.546
.960
.657
.1To
tal q
ualit
y m
anag
emen
t tec
hniq
ues
42.6
54.7
44.6
47.8
47.4
49.0
55.7
64.8
52.7
56.0
41.9
59.4
52.2
*For
a l
ist
of a
ffili
ate
grou
ps,
plea
se s
ee t
he i
nsid
e ba
ck c
over
.**
The
mea
n is
the
ave
rage
res
pons
e to
: 1
= N
ot U
sed,
2 =
Mod
erat
ely
Use
d, 3
= A
vera
ge U
se, 4
= V
ery
Muc
h U
sed,
5 =
Ext
ensi
vely
Use
d.**
*N/C
= R
espo
nden
ts d
id n
ot i
ndic
ate
affi
liate
or
chap
ter
mem
bers
hip.
248 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Tabl
e 5-2
0-1-
AE
xten
t the
IAA
Pla
ns to
Use
the L
iste
dA
udit
Tool
s/Te
chni
que i
n th
e Nex
t Thr
ee Y
ears
by
Gro
up*
All
Res
pond
ents
by
Mea
n**
Tool
s/Te
chni
ques
12
34
56
78
910
1112
N/C
***
Ana
lytic
al re
view
3.51
3.36
3.37
3.34
3.74
3.56
2.86
3.02
4.11
3.55
3.82
3.96
3.22
Bal
ance
d sc
orec
ard
or si
mila
r fra
mew
ork
2.37
2.24
2.61
2.13
2.60
2.22
2.27
2.30
2.51
2.40
2.77
3.36
2.23
Ben
chm
arki
ng2.8
62.1
83.0
12.4
93.0
92.7
92.2
92.5
23.2
52.9
93.0
43.7
62.5
0C
ompu
ter-
assi
sted
aud
it te
chni
ques
3.54
3.24
3.54
2.83
3.46
3.37
3.14
2.79
4.08
3.24
3.45
4.23
3.14
Con
tinuo
us/re
al-ti
me a
uditi
ng2.8
72.0
72.9
13.0
22.9
72.6
32.6
22.2
63.3
42.4
12.8
03.5
22.8
3C
ontro
l sel
f-as
sess
men
t2.7
53.1
02.9
83.1
03.1
02.6
72.6
52.6
63.3
62.8
93.0
13.5
02.7
9D
ata m
inin
g3.0
32.7
92.8
52.4
63.1
52.6
92.2
22.5
53.5
62.2
82.9
13.5
22.5
7El
ectro
nic w
orkp
aper
s3.8
23.2
84.0
03.1
54.0
03.5
63.2
93.5
84.0
13.6
13.3
13.6
23.4
0Fl
owch
art s
oftw
are
2.93
2.71
2.74
2.49
3.13
2.46
2.56
2.42
3.19
2.30
2.87
3.48
2.53
Oth
er el
ectro
nic c
omm
unic
atio
n4.3
54.1
24.3
53.4
74.3
54.2
53.5
03.8
64.3
64.4
64.1
04.3
63.8
4(e
.g.,
Inte
rnet
, e-m
ail)
Proc
ess m
appi
ng a
pplic
atio
n2.5
32.7
22.8
02.9
03.2
92.8
22.7
52.8
02.9
82.2
73.9
83.5
52.7
8Pr
oces
s mod
elin
g so
ftwar
e1.9
11.9
52.1
92.1
52.5
62.2
12.3
01.9
92.3
51.8
82.3
32.8
72.1
9R
isk-
base
d au
dit p
lann
ing
4.13
4.28
4.36
3.01
4.18
4.17
3.56
3.66
4.17
4.24
4.07
4.36
3.53
Stat
istic
al sa
mpl
ing
3.09
2.89
3.08
3.01
3.37
2.92
2.89
2.78
3.44
2.53
3.20
4.00
2.91
The
IIA’
s qu
ality
ass
essm
ent r
evie
w to
ols
2.86
2.58
2.92
2.41
3.04
2.60
2.60
2.18
2.94
2.85
3.01
3.52
2.49
Tota
l qua
lity
man
agem
ent t
echn
ique
s2.4
32.1
62.7
32.4
52.8
32.2
12.4
61.9
12.8
72.0
92.8
93.5
72.4
1
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**Th
e m
ean
is t
he a
vera
ge r
espo
nse
to:
1 =
Not
Use
d, 2
= M
oder
atel
y U
sed,
3 =
Ave
rage
Use
, 4 =
Ver
y M
uch
Use
d, 5
= E
xten
sive
ly U
sed.
***N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 249
The Institute of Internal Auditors Research Foundation
Table 5-22-1-AAudit Tools/Techniques that Will Be Extensively Used
in the Next Three YearsAll Respondents by Frequency*
Tools/Techniques** Mean CAE Audit Audit Audit Other Manager Senior/ Staff
Supervisor
Other electronic communication 48.5 45.2 50.2 51.7 51.5 40.0(e.g., Internet, e-mail)Risk-based audit planning 39.1 41.0 41.2 38.1 36.5 27.2Electronic workpapers 33.9 29.6 37.6 36.9 36.8 26.9Computer-assisted audit techniques 18.5 16.7 20.4 19.6 18.0 17.9Analytical review 15.7 14.8 14.5 16.6 18.7 15.1Statistical sampling 11.4 9.5 10.9 12.3 15.0 13.0Flowchart software 10.5 8.8 11.1 10.4 13.3 12.4Data mining 10.4 9.4 10.6 10.8 12.3 10.6Process mapping application 9.8 7.8 9.1 11.4 12.7 12.2The IIA’s quality assessment 9.0 8.2 10.4 8.6 8.8 12.4review toolsContinuous/real-time auditing 8.9 7.4 8.2 10.0 11.8 10.6Control self-assessment 8.8 7.2 7.9 9.4 12.8 11.1Benchmarking 6.2 6.4 5.2 6.6 7.3 5.4Total quality management techniques 6.2 4.7 6.6 6.3 7.9 10.9Balanced scorecard or similar 4.7 3.3 4.4 4.9 7.8 5.3frameworkProcess modeling software 4.1 2.0 3.8 5.6 5.9 8.1
*As this is a frequency for only the “Extensively Used in the Next Three Years” category, the rows will not add acrossto 100.**The tools/techniques are presented in the table in a decreasing order, according to the ranking of the mean.
250 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 5-22-2-AAudit Tools/Techniques that Will Not Be Used in the Next Three Years
All Respondents by Frequency*
Tools/Techniques** Overall CAE Audit Audit Audit OtherAverage Manager Senior/ Staff
Supervisor
Process modeling software 43.9 47.9 44.5 41.0 39.8 38.1Balanced scorecard or similar 31.2 32.3 28.7 31.9 32.0 31.3frameworkTotal quality management techniques 30.0 31.4 29.5 29.3 29.3 28.5Process mapping application 22.6 24.1 23.3 21.1 21.0 21.2The IIA’s quality assessment 20.3 18.7 18.6 22.1 23.6 23.5review toolsFlowchart software 19.4 19.9 17.2 19.3 22.1 19.1Data mining 18.7 17.1 18.1 18.9 21.7 25.1Continuous/real-time auditing 18.0 18.0 16.9 17.9 18.6 23.3Control self-assessment 15.1 14.5 17.9 13.3 14.5 17.7Benchmarking 13.5 11.2 11.9 15.7 17.3 17.0Statistical sampling 10.5 11.3 10.6 10.3 9.2 9.3Electronic workpapers 8.0 8.3 5.8 8.0 9.1 12.1Computer-assisted audit techniques 7.8 7.3 6.1 8.1 10.7 10.8Analytical review 4.3 3.2 4.0 3.8 7.1 9.2Risk-based audit planning 3.1 2.1 2.8 2.7 5.6 7.6Other electronic communication 1.6 1.4 1.7 1.1 1.7 5.5(e.g., Internet, e-mail)
*As this is a frequency for only the “Will Not Be Used in the Next Three Years” category, the rows will not add acrossto 100.**The tools/techniques are presented in the table in a decreasing order, according to the ranking of the mean.
_______________________________ Chapter 6: Staffing and Professional Development 251
The Institute of Internal Auditors Research Foundation
CHAPTER 6STAFFING AND PROFESSIONAL
DEVELOPMENT
Introduction
This chapter summarizes the respondents’ perceptions about staffing their internal audit activities(IAA) and their staffs’ qualifications. The topics addressed include staffing of the IAA, serviceproviders, staff evaluation, number of staff with certifications, and continuing professionaldevelopment. The main objective of the CBOK 2006 study is to develop a summary of the globalpractice of internal auditing around the world.
The number of respondents answering a specific question will often differ from the 9,366 totalrespondents in this study. This is due to the following reasons:
• Not all of those that participated in the survey answered all the questions asked. Resultsare shown and discussed only for those respondents who answered a particular surveyquestion.
• Not all questions were asked of all respondents.o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).o Some questions were asked of both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA.These more detailed summaries of results may be provided for the five categories of respondents:CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in theOther category consist primarily of other professional staff whose position is not captured by thetraditional job titles included in the survey. A review of their credentials indicates they may bemembers of the IAA, employed by service providers, or in organizations where their titles are lesstraditional but with duties within internal auditing.
When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.For a list of groups, please refer to the inside back cover of the report. Some tables have additional
252 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
details. For example, Table 6-1 has a related Table 6-1-1. Additional related tables may be locatedin Appendix 6 at the end of this chapter. A table that is in the Appendix can be clearly identified byan “A” at the end of its number. For example, Table 6-7-1-A is located in Appendix 6.
Staffing
Number of Staff in the IAA
Practice Advisory 2230-1 states, “The number and experience level of the internal auditing staffrequired should be based on an evaluation of the nature and complexity of the engagement assignment,time constraints, and available resources.” Several survey questions were asked to gain anunderstanding of the type of staff, use of co-sourcing, and size of respondents’ IAAs. Table 6-1lists CAE responses to the current number of audit staff by staff level in their IAAs. Of the 359CAEs that responded to the use of external auditors as staff, 49.3% or 177 indicate they use thissource for audit staff and 255 of 438 CAE respondents use contract audit staff.
Table 6-1Number of Full-time Staff at Each Staff Level in the IAA
CAE Respondents in Percentages
Number CAE’s Audit Audit Audit Staff External Contract Supportat Each % of Managers Seniors/ % of Auditors Audit Staff Staff
Staff 2,184 % of Supervisors 1,742 (co-sourced) (co-sourced) (Adminis-Level Respondents 1,173 % of Respondents % of % of trative,
Respondents 954 359 438 Secretarial,Respondents Respondents Respondents & Clerical)
Total of936
Respondents
None 0.4 10.9 13.2 3.9 50.7 41.6 12.7One 90.1 36.7 27.7 19.5 12.3 22.1 54.62-5 6.0 41.6 41.7 44.0 24.5 27.6 25.4
6-10 1.8 6.3 9.1 14.4 7.2 4.3 3.411 or 1.7 4.5 8.3 18.2 5.3 4.4 3.9MoreTotal 100.0 100.0 100.0 100.0 100.0 100.0 100.0
_______________________________ Chapter 6: Staffing and Professional Development 253
The Institute of Internal Auditors Research Foundation
Table 6-1-1 shows that very few of the CAE respondents’ IAAs have part-time staff and thosetend to be at the audit staff level or with outsourced personnel.
Table 6-1-1Number of Part-time Staff in the IAA
CAE Respondents in Percentages
Number CAE Audit Audit Audit Staff External Contract Supportof Staff Total of Managers Seniors/ Total of Auditors Audit Staff Staff
153 Total of Supervisors 231 (co-sourced) (co-sourced) (Adminis-Respondents 119 Total of Respondents Total of Total of trative,
Respondents 120 181 194 Secretarial,Respondents Respondents Respondents & Clerical)
Total of206
Respondents
None 51.6 70.6 65.0 31.2 42.0 42.3 39.8One 39.2 19.3 21.7 37.7 19.3 29.4 53.42-5 6.5 8.4 12.5 26.8 32.6 22.7 4.9
6-10 2.0 0.8 0.0 2.2 3.3 2.1 0.511 or 0.7 0.9 0.8 2.1 2.8 3.5 1.4MoreTotal 100.0 100.0 100.0 100.0 100.0 100.0 100.0
254 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Many of the respondents’ IAAs have a fairly small number of staff members at each staff level.Figure 6-1 reports that 24% of the respondents to this question indicate that their IAAs have 1-3members of the audit staff. Another 18.9% have 4-6 staff members and an additional 11.1% have7-9 staff members in their IAAs. Of the respondents, 25.8% have 25 or more staff members intheir IAA.
Figure 6-1Number of Full-time Staff at Each Staff Level
All Respondents (6,646) in Percentages
25 or more25.8%
1-324.0%
4-618.9%
7-911.1%10-12
6.7%
13-155.0%
16-183.8%
19-212.7%
22-242.0%
_______________________________ Chapter 6: Staffing and Professional Development 255
The Institute of Internal Auditors Research Foundation
Open Staff Positions
Several questions were asked about hiring practices for open positions and what methods are usedto make up for staff vacancies. As seen in Figure 6-2, special incentives to hire staff are notgenerally used. Only 12.8% of CAEs’ organizations offer relocation expenses, 10.9% provide atransportation allowance, and 8.4% give a signing bonus.
Figure 6-2Special Incentives Offered to Hire Staff
CAE Respondents (2,367) in Percentages
Percentage of Respondents
256 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
CAEs were also asked what methods are used to make up for staff vacancies. Figure 6-3 showthat 28.2% of CAE respondents replied that their IAAs have no vacancies. CAEs indicate thatthe two most common methods used to cover staff vacancies are reduction in the areas of auditcoverage (30.7%) and co-sourcing from internal audit service providers (28.7%).
Figure 6-3Methods Used to Make Up for Staff Vacancies
CAE Respondents (2,367) in Percentages
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
Percentage of Respondents
_______________________________ Chapter 6: Staffing and Professional Development 257
The Institute of Internal Auditors Research Foundation
For groups, Table 6-2 points out that a reduction in coverage is a general strategy common to allgroups, whereas the use of co-sourcing is primarily practiced in groups 1, 2, 3, and 11. Groups 5(39.7%) and 6 (39.1%) have the highest percentages of no vacancies. Groups 12 (11.1%) and 11(14.8%) report the lowest levels of no vacancies and the highest level of reducing the areas ofaudit coverage, 44.4% and 37% respectively, due to lack of staff.
Table 6-2Methods Used to Make Up for Staff VacanciesCAE Respondents in Percentages by Groups*
Methods 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Facilitate control self- 5.4 14.0 14.7 35.6 16.8 10.3 16.7 11.7 15.2 10.6 18.5 44.4 17.9assessments in placeof auditsReduce areas of 35.3 26.7 34.7 23.1 21.2 23.7 26.5 33.0 19.6 23.4 37.0 44.4 25.2coverageIncreased use of audit 10.6 11.6 18.0 18.3 10.3 17.3 20.5 12.6 26.1 8.5 29.6 33.3 15.9softwareBorrowing staff from 11.4 17.4 13.3 19.2 17.9 12.8 8.3 14.2 4.3 14.9 13.6 33.3 15.9other departmentsCo-sourcing from 34.6 41.9 43.3 11.5 14.7 21.8 22.0 27.5 17.4 29.8 33.3 11.1 17.2internal audit serviceprovidersNo vacancies 28.0 24.4 21.3 29.8 39.7 39.1 27.3 24.9 30.4 25.5 14.8 11.1 27.8Other methods 8.4 10.5 14.0 10.6 14.7 8.3 15.2 16.2 19.6 17.0 17.3 22.2 19.9Respondents 912 86 150 104 184 156 132 309 46 47 81 9 151
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
Missing Skills
Standard 1210.A1, Proficiency, notes that, “The CAE should obtain competent advice and assistanceif the internal audit staff lacks the knowledge, skills, or other competencies needed to perform allor part of the engagement.” Standard 1210.C1 goes on to state, “The CAE should decline theconsulting engagement or obtain competent advice and assistance if the internal audit staff lacksthe knowledge, skills, or other competencies needed to perform all or part of the engagement.”
258 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Skill shortages are an issue that CAEs must often address in creative ways. Methods respondentsuse to compensate for missing skill sets are indicated in Figure 6-4. In only 13.1% of the respondents’IAAs are there no missing skill sets. The most typical techniques to address skill shortages arethrough the use of co-sourcing/outsourcing (51.4%), reduction of areas of coverage (17.7%), andborrowing staff from other departments (14.5%).
Figure 6-4Methods Used to Compensate for Missing Skills
CAE Respondents (2,367) in Percentages
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
Percentage of Respondents
_______________________________ Chapter 6: Staffing and Professional Development 259
The Institute of Internal Auditors Research Foundation
Service Providers
Respondents by Staff Level that are Service Providers
Respondents were asked if they work for a service provider or worked for an in-house IAA. Asshown in Figure 6-5, 86% indicate that they work within an organization and 14% of the respondentsindicate that they work for services providers.
Figure 6-5Service Provider of Internal Audit Services
All Respondents (8,774) in Percentages
ServiceProvider14.0%
In-houseInternal
Audit Activity86.0%
260 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 6-3 shows by staff level if the respondents work for an in-house IAA or work for a serviceprovider.
Table 6-3Staff Levels at In-house IAA or Service Provider
All Respondents in Percentages
Staff Level Number of Percent of Percent of Totalof Respondent Respondents Staff Level Staff Level
Working Working forIn-house a Service
IAA Provider
CAEs 2,337 86.7 13.3 100.0Audit Managers 2,004 83.0 17.0 100.0Audit Seniors/Supervisors 2,208 87.2 12.8 100.0Audit Staff 1,595 88.7 11.3 100.0Other 630 82.1 17.9 100.0Total/Average 8,774 86.0 14.0 100.0
_______________________________ Chapter 6: Staffing and Professional Development 261
The Institute of Internal Auditors Research Foundation
Outsourced IAA Activities
Figure 6-6 indicates the percentage of the IAAs’ activities that are performed by service providers.Sixty-eight point eight percent of CAE respondents indicate that 10% or less of their IAAs’ auditwork is being co-sourced/outsourced. All respondents indicated some level of outsourcing/co-sourcing.
Figure 6-6IAA’s Audit Activities - Percentage Outsourced/Co-sourced
CAE Respondents (2,222) in Percentages
Percentage of Respondents
262 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
As described in Table 6-4, 33% of CAEs indicate that their budget for co-sourcing/outsourcing isprojected to increase in the next three years. It appears that most organizations are conductingtheir internal audits with in-house audit staff.
Table 6-4Anticipated Budget Changes for Outsourced/Co-sourced Activities
in the Next Three YearsCAE Respondents in Percentages
Change Percent ofAnticipated 2,145 Respondents
Remain the same 55.7Increase 33.0Decrease 11.3Total 100.0
Staff Evaluation
Table 6-5 summarizes how audit staff is evaluated. The audit staff is mainly evaluated by a supervisoron a periodic basis (78.5%). Customer/auditee feedback is the second most commonly used methodfor evaluation of audit staff’s performance (45.6%).
Table 6-5Method of Staff Evaluation
CAE Respondents in Percentages
Methods of Percent ofStaff Evaluation 2,367 Respondents
By supervisor periodically 78.5Customer/auditee feedback 45.6Peers/subordinates periodically 23.4Other 15.5
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
_______________________________ Chapter 6: Staffing and Professional Development 263
The Institute of Internal Auditors Research Foundation
Certifications
To ensure an adequate grounding of skills and abilities among the audit staff, it is important forindividuals in the IAA to be Certified Internal Auditors (CIA). Other certifications such as CGAP,CCSA, CFSA, and CISA are also important to show the staff’s proficiency in specialized areas.CAE respondents were asked about the types of certifications held by their staff. Figure 6-7provides a listing of the staff certification profile from responding CAEs. A staff member couldhave more than one certification. This table indicates that the audit staff has a wide range ofcertifications. Public accounting is the most common (35.0%), followed by the CIA certification(28.6%).
Figure 6-7IAA Staff Members with Certifications
CAE Respondents (7,072) in Percentages
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
Percentage of Respondents
264 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
In T
able
6-6
, the
type
s of c
ertif
icat
ions
hel
d by
gro
ups a
re li
sted
. CA
Es in
gro
ups 2
(45.
3%) a
nd 4
(40.
9%) i
ndic
ate
thei
r sta
ff h
ave
the
high
est p
erce
ntag
es o
f CIA
s. D
istri
butio
n of
the
mai
n ce
rtific
atio
ns in
Fig
ure
6-7
are
gene
rally
cons
iste
nt w
ith th
e gr
oup
dist
ribut
ion
in T
able
6-6
. Whe
n th
e C
AEs
wer
e as
ked
if th
ere
is a
nee
d fo
r ad
ditio
nal
certi
ficat
ions
bey
ond
the
CIA
/MII
A/P
IIA
for a
udit
man
ager
s, 40
.9%
of C
AEs
agr
eed
it w
as n
eces
sary
. Man
y C
AEs
(40.
4%) b
elie
ve th
at th
ey n
eed
othe
r cer
tific
atio
ns in
add
ition
to th
e C
IA/M
IIA
/PII
A d
esig
natio
n.
Tabl
e 6-6
IAA
Sta
ff M
embe
rs W
ith C
ertif
icat
esC
AE
Res
pond
ents
- Av
erag
e Per
cent
ages
by
Gro
ups*
Type
of
Cer
tific
ate
12
34
56
78
910
1112
N/C
**
Inte
rnal
Aud
iting
(suc
h31
.045
.326
.040
.921
.928
.97.7
17.7
28.8
28.7
23.8
19.3
27.08
as C
IA/M
IIA
/PII
A)
Info
rmat
ion
Syst
ems
19.5
20.0
13.0
11.7
6.618
.49.7
9.219
.113
.713
.415
.510
.83A
uditi
ng (s
uch
as C
ISA
/Q
iCA
/CIS
M)
Gov
ernm
ent A
uditi
ng/
18.5
6.414
.86.0
13.9
6.52.6
.61.3
5.40.0
5.08.2
5Fi
nanc
e (s
uch
as C
IPFA
/CG
AP/
CGFM
)C
ontro
l Sel
f-as
sess
men
t9.1
6.910
.914
.59.4
10.1
4.39.3
8.08.1
5.06.6
76.0
0(s
uch
as C
CSA
)Pu
blic
Acc
ount
ing/
39.6
51.4
24.1
17.9
16.3
29.4
39.9
21.3
26.4
34.8
30.8
29.8
31.95
Cha
rtere
d A
ccou
ntan
cy(s
uch
as C
A/C
PA/
AC
CA
/AC
A)
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.N
ote:
The
res
pond
ents
wer
e as
ked
to m
ark
all
that
app
ly s
o th
e to
tal
of t
he p
erce
ntag
es m
ay b
e m
ore
than
100
.
_______________________________ Chapter 6: Staffing and Professional Development 265
The Institute of Internal Auditors Research Foundation
Tabl
e 6-6
(Con
t.)IA
A S
taff
Mem
bers
With
Cer
tific
ates
CA
E R
espo
nden
ts -
Aver
age P
erce
ntag
es b
y G
roup
s*
Type
of
Cer
tific
ate
12
34
56
78
910
1112
N/C
**
Man
agem
ent/G
ener
al17
.223
.315
.514
.92.1
5.21.7
14.6
9.08.0
12.9
19.1
14.44
Acc
ount
ing
(suc
h as
CMA
/CIM
A/C
GA
)A
ccou
ntin
g - t
echn
icia
n2.2
6.620
.427
.54.1
13.7
9.618
.27.8
0.010
.13.9
13.76
leve
l (su
ch a
s CAT
/AAT
)Fr
aud
Exam
inat
ion
16.2
11.2
10.0
4.58.9
3.02.9
2.912
.21.9
3.65.0
16.81
(suc
h as
CFE
)Fi
nanc
ial S
ervi
ces
19.0
0.01.1
1.24.1
6.33.5
2.60.0
2.26.7
5.05.8
0A
uditi
ng (
such
as
CFSA
/CID
A/C
BA)
Fello
wsh
ip (s
uch
as5.4
29.9
17.28
0.010
.219
.58.4
6.86.3
0.010
.80.0
10.11
FCA
/FCC
A/F
CMA
)C
ertif
ied
Fina
ncia
l2.6
0.00.9
71.7
1.38.2
1.55.3
0.00.0
4.38
0.01.4
5A
naly
st (s
uch
as C
FA)
Oth
er C
ertif
icat
ions
23.7
31.4
26.19
21.7
44.0
48.3
14.2
29.9
15.2
39.9
29.0
62.9
37.59
Tota
l Num
ber o
f3,0
9524
451
724
039
843
540
268
212
916
330
235
430
Res
pond
ents
Per
Gro
up
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.N
ote:
The
res
pond
ents
wer
e as
ked
to m
ark
all
that
app
ly s
o th
e to
tal
of t
he p
erce
ntag
es m
ay b
e m
ore
than
100
.
266 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Continuing Professional Development
The IIA requires 80 hours of continuing professional development (CPD) every two years. TheIIA Attribute Standard 1230, Continuing Professional Development, requires internal auditors to“enhance their knowledge, skills, and other competencies through continuing professionaldevelopment.” Respondents were asked how many hours of formal training they received over thelast 36 months or while they have been working in their IAA if less than 3 years. Training includes,but is not limited to, seminars, conferences, workshops, and in-house information sessions providedby either the respondents’ organization or other organizations.
Hours of Training Over the Last 36 Months by Staff Level
Table 6-7 lists the number of hours of formal training by staff level taken by the respondents duringthe 36-month period prior to responding to the CBOK 2006 survey. The range in hours of formaltraining reported is from none to 240 or more hours. There is an expectation that all respondentswould have taken at least 120 hours of CPD over the prior three-year period. Of the CAEs, 48.2%achieved or exceeded 120 hours of CPD. Another 16.4% of the CAEs attained the 80-119 hourlevel of CPD. The percentages of respondents at the other staff levels that achieved 120 or morehours of formal training are 49.1% for Audit Managers, 42.4% for Senior/Supervisors, 35.5% forAudit Staff, and 34.1% for Others.
Table 6-7Hours of Formal Training During the Last 36 Months or
While in IAA if Less Than 3 YearsAll Respondents in Percentages
Number CAE Audit Audit Senior/ Audit Staff Othersof Hours of 2,288 Manager Supervisor of 1,558 of 598
Respondents of 1,947 of 2,159 Respondents RespondentsRespondents Respondents
None 0.9 1.2 1.2 2.2 7.41-39 11.6 11.2 13.2 19.1 19.440-79 22.9 21.7 24.5 25.4 23.980-119 16.4 16.8 18.7 17.8 15.2120-159 23.9 24.8 20.6 16.9 16.7160-199 4.9 5.8 5.1 3.1 4.7200-239 6.5 6.3 5.6 4.6 3.0
240 or More 12.9 12.2 11.1 10.9 9.7Total 100 100 100 100 100
_______________________________ Chapter 6: Staffing and Professional Development 267
The Institute of Internal Auditors Research Foundation
In Appendix 6, Tables 6-7-1-A through 6-7-6-A provide more detailed data for the groups. Thetables show details about the hours of formal training received by all respondents within the last 36months and then broken down by category of internal audit staff.
Hours of Training Compared to Years as a Member of IIA
Table 6-8 looks at whether the period of IIA membership has any affect on the amount of CPDtaken by respondents. It does appear that respondents who have been IIA members for a longerperiod of time have taken more CPD in the 36 months prior to the survey. For respondents thathave been members for 11 or more years, 54.6% have taken 120 or more hours of CPD comparedto 50.3% of respondents who have been members for 6-10 years, and 39.4% of respondents whohave been members for 1-5 years.
Table 6-8Comparing Hours of CPD During the Last 36 Months and
Years as a Member of The IIA All Respondents in Percentages
Number of IIA Member IIA Member IIA MemberHours of for 1-5 Years for 6-10 Years for 11 or MoreFormal of 5,014 of 1,657 Years of 1,266
Training Respondents Respondents Respondents
None 1.8 0.9 1.41- 39 15.5 9.4 9.140-79 25.4 21.8 20.580-119 17.9 17.6 14.4120-159 18.5 26.6 30.0160-199 4.0 5.8 7.9200-239 5.5 5.8 6.6
240 or More 11.4 12.1 10.1Total 100.0 100.0 100.0
268 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
CIA/MIIA/PIIA Certification and Hours of CPD
Figure 6-8 summarizes the number of hours of CPD taken by respondents who have their CIA/MIIA/PIIA certification. Of those that indicate that they are a CIA/MIIA/PIIA, 51% have taken120 or more hours of CPD.
Figure 6-8Number of Hours of Formal Training During the Last
36 Months for CIA/MIIA/PIIA RespondentsAll Respondents (3,366) in Percentages
Hours of Training Required by Law/Statute
To further understand the factors impacting the amount of CPD taken by internal auditors,respondents were asked how many hours of training over a 12-month period are required by law/statute in the country where they work. The benchmark for a 24-month period is still the 80 hoursrequired by The IIA, but it is acknowledged that there could be some country specific variation. InTable 6-9, the replies appear to be consistent across all levels of audit staff. Respondents that
None1.1% 1-39 hours
9.9%
40-79 hours21.4%
80-119 hours16.6%
120-159 hours26.1%
200-239 hours6.2%
240 or morehours12.7%
160-199 hours6.0%
_______________________________ Chapter 6: Staffing and Professional Development 269
The Institute of Internal Auditors Research Foundation
indicate they do not have any law/statute requiring CPD in the countries where they work rangefrom 38.0% to 41.2%. Countries that have statutory requirements for 31-40 hours per year ofCPD range from 25.0% to 32.8%. A few countries require more than 40 hours of CPD annually.
The relatively high percentage of respondents that work in countries that have no or minimumstatutory CPD requirement, may help explain why many of the respondents in Table 6-7 indicatethat they have taken the equivalent of 119 hours or less of CPD in the past 36 months.
Table 6-9Hours of Training Over a 12-Month Period Required by Law/Statute
All Respondents in Percentages
Number CAE Audit Audit Senior/ Audit Staff Othersof Hours % of 2,028 Manager Supervisor % of 1,177 % of 513
Respondents % of 1,687 % of 1,832 Respondents RespondentsRespondents Respondents
None 41.0 38.1 41.2 38.0 39.01-10 5.6 3.7 4.5 9.0 4.011-20 8.5 9.1 8.3 8.0 12.021-30 4.8 5.0 5.5 5.0 7.031-40 30.3 32.8 29.5 25.0 28.041-50 1.9 2.1 2.3 3.0 2.051-60 1.6 1.7 2.1 1.0 1.061-70 0.1 0.3 0.5 1.0 0.0
Over 70 6.2 7.2 6.1 10.0 7.0Total 100.0 100.0 100.0 100.0 100.0
Frequency of Types of Training
The survey asked the CAEs to provide information on the frequency of training in several specificareas for themselves and other members of the IAA. Respondents were asked to indicate whetherthe training was more frequent than annually, annually, less frequently than annually, as needed, ornever. The detailed results are shown in Table 6-10. CAEs report that training on the Standardsand professional practices are most common with 46.3% receiving training annually or morefrequently than annually and 37.5% receiving training as needed. Another important training areais basic/advanced technology, with 36.3% of the training being provided annually or more frequently
270 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
and 46.3% being trained as necessary. This result is expected as the IAA seeks skill upgradeswhen new technology becomes available.
Table 6-10Frequency of Types of Training
CAE Respondents in Percentages
Type of Number of More Annually Less As Never TotalTraining Respondents Frequently Frequently Needed
than thanAnnually Annually
Standards and 2,286 18.5 27.8 12.1 37.5 4.1 100.0professionalpracticesBasic/advanced 2,231 13.0 23.3 12.3 46.3 5.1 100.0technologyAnti-fraud 2,217 9.5 22.5 17.2 41.1 9.7 100.0techniquesEthics training 2,211 6.7 31.4 13.8 35.9 12.2 100.0Communication 2,242 8.8 18.4 15.3 46.9 10.6 100.0skillsTeam-building 2,232 9.4 17.1 15.6 43.5 14.4 100.0skills
The responses given to the question on ethics training could reflect the desire for improving corporategovernance or the need for more transparent business practices following many widely publicizedcorporate collapses in recent years. It was reported that 38.1% of ethics training sessions tookplace annually or more frequently and 35.9% as needed. It is interesting to note that 12.2% ofrespondents indicate that ethics training is never provided, compared with 4.1% indicating notraining on the Standards and professional practices and 5.1% indicating no training on basic/advanced technology.
_______________________________ Chapter 6: Staffing and Professional Development 271
The Institute of Internal Auditors Research Foundation
Summary
The majority (54%) of the CAE respondents’ IAAs have 9 or fewer staff and 25.8% of the IAAshave 25 or more audit staff. A minority of respondents offer incentives to attract individuals foropen positions in the IAA. The respondents’ most used methods to compensate for missing skillsets are to reduce the audit scope or to outsource the task. Over 25% of the respondents hold aCIA/MIIA/PIIA designation. About half of the CAE respondents received 120 hours of CPD overthe 36 months prior to the CBOK 2006 survey.
272 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
APP
EN
DIX
6
Tabl
e 6-7
-1-A
Hou
rs o
f For
mal
Tra
inin
g D
urin
g L
ast 3
6 M
onth
s or W
hile
in IA
A if
Les
s Tha
n 3 Y
ears
All
Res
pond
ents
in P
erce
ntag
es b
y G
roup
s*
N
umbe
r of
Hou
rs1
23
45
67
89
1011
12N
/C**
Non
e1.1
1.02.9
1.11.8
0.71.6
1.93.3
1.52.2
2.44.3
1- 39
9.713
.114
.235
.210
.213
.68.4
16.8
23.6
14.6
20.3
12.2
21.7
40-7
923
.521
.427
.926
.418
.525
.416
.728
.125
.223
.425
.119
.520
.480
-119
16.9
21.8
15.2
16.8
18.9
18.3
14.9
18.7
15.4
20.4
17.3
22.0
17.3
120-
159
30.1
19.4
15.3
10.5
15.7
19.2
16.7
14.6
12.2
13.1
16.5
24.4
14.6
160-
199
6.13.9
4.92.6
6.54.5
4.53.1
4.12.9
3.52.4
2.520
0-23
95.9
9.24.9
2.05.8
4.99.6
4.66.5
5.85.6
4.94.8
240
or M
ore
6.710
.214
.75.4
22.6
13.4
27.6
12.2
9.718
.39.5
12.2
14.4
Tota
l10
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.0
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.
_______________________________ Chapter 6: Staffing and Professional Development 273
The Institute of Internal Auditors Research Foundation
Tabl
e 6-7
-2-A
Hou
rs o
f For
mal
Tra
inin
g D
urin
g L
ast 3
6 M
onth
s or W
hile
in IA
A if
Les
s Tha
n 3 Y
ears
CA
E R
espo
nden
ts in
Per
cent
ages
by
Gro
ups*
N
umbe
r of
Hou
rs1
23
45
67
89
1011
12N
/C**
Non
e0.5
0.01.4
1.01.7
0.60.0
1.34.8
2.30.0
0.02.1
1-39
6.512
.28.2
40.4
7.916
.76.9
15.2
19.0
11.6
15.6
0.017
.540
-79
21.3
25.6
23.8
21.2
14.1
31.4
15.3
30.7
26.2
23.3
28.6
14.3
19.6
80-1
1913
.912
.213
.618
.323
.716
.713
.020
.516
.718
.613
.057
.119
.612
0-15
934
.719
.521
.19.6
17.5
18.6
18.3
14.9
9.514
.020
.80.0
21.7
160-
199
7.24.9
5.41.9
7.33.8
2.31.7
2.42.3
2.60.0
2.820
0-23
96.8
11.0
8.21.9
7.93.2
9.24.0
4.89.3
10.4
14.3
5.624
0 or
Mor
e9.1
14.6
18.3
5.719
.99.0
35.0
11.7
16.6
18.6
9.014
.311
.1To
tal
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.
274 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Tabl
e 6-7
-3-A
Hou
rs o
f For
mal
Tra
inin
g D
urin
g L
ast 3
6 M
onth
s or W
hile
in IA
A if
Les
s Tha
n 3 Y
ears
Aud
it M
anag
er R
espo
nden
ts in
Per
cent
ages
by
Gro
ups*
Num
ber
of H
ours
12
34
56
78
910
1112
N/C
**
Non
e0.7
0.02.5
0.01.0
2.01.5
1.80.0
0.01.4
0.02.0
1-39
7.49.8
14.5
28.9
6.06.9
3.617
.313
.00.0
23.0
15.4
22.3
40-7
920
.221
.626
.033
.323
.019
.616
.825
.326
.127
.324
.30.0
18.9
80-1
1915
.027
.512
.513
.320
.027
.515
.317
.817
.422
.716
.215
.420
.312
0-15
935
.821
.617
.520
.019
.022
.518
.211
.613
.018
.217
.653
.812
.216
0-19
97.6
3.94.5
0.09.0
2.95.8
4.98.7
0.04.1
0.03.4
200-
239
5.99.8
5.50.0
6.06.9
8.86.7
17.4
9.15.4
7.75.4
240
or M
ore
7.45.8
17.0
4.516
.011
.829
.914
.74.3
22.7
8.17.7
15.5
Tota
l10
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.0
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.
_______________________________ Chapter 6: Staffing and Professional Development 275
The Institute of Internal Auditors Research Foundation
Tabl
e 6-7
-4-A
Hou
rs o
f For
mal
Tra
inin
g D
urin
g L
ast 3
6 M
onth
s or W
hile
in IA
A if
Les
s Tha
n 3 Y
ears
Aud
it Se
nior
/Sup
ervi
sor R
espo
nden
ts in
Per
cent
ages
by
Gro
ups*
Num
ber
of H
ours
12
34
56
78
910
1112
N/C
**
Non
e0.8
0.01.6
0.00.0
0.02.3
2.06.5
0.02.4
0.01.8
1-39
9.215
.217
.428
.811
.97.8
10.5
16.8
29.0
14.3
19.0
22.2
21.6
40-7
925
.415
.233
.727
.420
.331
.416
.322
.829
.025
.021
.444
.419
.980
-119
18.9
30.4
17.9
21.9
16.1
15.7
17.4
17.8
19.4
21.4
26.2
11.1
17.5
120-
159
28.3
17.4
10.3
8.216
.115
.715
.720
.86.5
7.114
.311
.112
.316
0-19
95.6
4.34.9
6.85.6
7.85.8
3.00.0
3.62.4
0.03.5
200-
239
6.26.6
3.32.7
3.53.9
11.1
4.66.5
7.12.4
0.04.7
240
or M
ore
5.610
.910
.94.2
26.5
17.7
20.9
12.2
3.121
.511
.911
.218
.7To
tal
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.
276 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Tabl
e 6-7
-5-A
Hou
rs o
f For
mal
Tra
inin
g D
urin
g L
ast 3
6 M
onth
s or W
hile
in IA
A if
Les
s Tha
n 3 Y
ears
Aud
it St
aff i
n Pe
rcen
tage
s by
Gro
ups*
Num
ber
of H
ours
12
34
56
78
910
1112
N/C
**
Non
e1.3
6.33.3
2.25.0
0.00.0
0.50.0
3.24.2
0.04.6
1-39
16.3
12.5
15.8
40.2
14.9
20.0
10.0
17.1
38.1
12.9
29.2
0.023
.540
-79
27.0
31.3
30.0
27.2
16.8
11.7
20.0
32.1
14.3
25.8
16.7
28.6
21.8
80-1
1920
.825
.017
.510
.911
.913
.312
.519
.29.5
19.4
25.0
28.6
15.5
120-
159
22.1
18.8
12.5
9.811
.920
.020
.013
.014
.319
.48.3
14.3
13.0
160-
199
3.40.0
4.21.1
5.03.3
2.53.6
9.56.5
4.20.0
0.820
0-23
94.7
6.14.2
2.26.9
8.35.0
4.10.0
0.00.0
0.05.0
240
or M
ore
4.40.0
12.5
6.427
.623
.430
.010
.414
.312
.812
.428
.515
.8To
tal
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.
_______________________________ Chapter 6: Staffing and Professional Development 277
The Institute of Internal Auditors Research Foundation
Tabl
e 6-7
-6-A
Hou
rs o
f For
mal
Tra
inin
g D
urin
g L
ast 3
6 M
onth
s or W
hile
in IA
A if
Les
s Tha
n 3 Y
ears
Oth
er R
espo
nden
ts in
Per
cent
ages
by
Gro
ups*
Num
ber
of H
ours
12
34
56
78
910
1112
N/C
**
Non
e5.5
9.115
.42.8
2.30.0
6.910
.00.0
0.014
.320
.015
.91-
3914
.127
.315
.427
.813
.629
.620
.724
.016
.753
.821
.420
.024
.640
-79
25.9
0.017
.927
.825
.022
.220
.730
.033
.37.7
35.7
20.0
18.8
80-1
1915
.727
.312
.822
.220
.514
.810
.312
.00.0
23.1
7.10.0
13.0
120-
159
22.7
18.2
15.4
8.39.1
18.5
3.48.0
50.0
0.07.1
20.0
17.4
160-
199
5.90.0
7.72.8
4.53.7
3.42.0
0.00.0
7.120
.02.9
200-
239
3.19.1
0.02.8
2.33.7
13.8
2.00.0
0.00.0
0.01.5
240
or M
ore
7.19.0
15.4
5.522
.77.5
20.8
12.0
0.015
.47.3
0.05.9
Tota
l10
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.010
0.0
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.
278 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 279
The Institute of Internal Auditors Research Foundation
CHAPTER 7INTERNAL AUDIT SKILLS
Introduction
Recognizing the evolutionary nature of the profession, this chapter summarizes the skills internalauditors are expected to possess today while they perform as internal auditors in their IAA or forclient organizations. All respondents were provided with a list of technical and behavioral skillsdeveloped from the International Standards for the Professional Practice of Internal Auditing(Standards), Practice Advisories, internal auditing literature, past CBOK studies, and the CBOK2006 pilot study. Respondents were unable to amend or change the list of skills provided in theCBOK 2006 survey. As a guide when answering the survey questions, respondents were given thefollowing definition of technical skills: “using terminology or subject matter in a particular field.”Behavioral skills were defined in the survey as “actions toward others measured by commonlyaccepted standards and management of one’s own actions.”
The number of respondents answering a specific question will often differ from the 9,366 totalrespondents in this study. This is due to the following reasons:
• Not all of those that participated in the survey answered all of the questions asked. Resultsare shown and discussed only for those respondents who answered a particular surveyquestion.
• Not all questions were asked of all respondents.o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).o Some questions were asked of both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA.These more detailed summaries of results may be provided for the four categories of respondents:CAEs, Audit Managers, Audit Seniors/Supervisors, and Audit Staff.
When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.For a list of groups, please refer to the inside back cover of the report. Some tables have additional
280 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
details. For example, Table 7-4 is the total of all respondents for that question with a related Table7-4-1 showing the responses by group. A table can have more than one related table, where thesecond related table would be 7-4-2. Additional related tables may be located in Appendix 7 at theend of this chapter. A table that is in the Appendix can be clearly identified by an “A” at the end ofits number. For example, Table 7-1-1-A is located in Appendix 7.
The possession and use of certain behavioral and technical skills are necessary elements forinternal audit practitioners to achieve a high level of quality performance in their internal auditingwork. The Standards and Practice Advisories each indicate specific skills that are appropriate forinternal auditors to possess. Standard 1220, Due Professional Care, requires internal auditors to“apply the care and skill expected of a reasonably prudent and competent internal auditor.” Standard1210, Proficiency, states, “Internal auditors should possess the knowledge, skills, and othercompetencies needed to perform their individual responsibilities.” The standard continues, “Theinternal audit activity collectively should possess or obtain the knowledge, skills, and othercompetencies needed to perform its responsibilities.”
The possession and application of technical skills enable internal auditors to achieve a high level ofperformance in their activities. The selection of technical skills in the survey is supported by theStandards and Practice Advisories which emphasize certain technical skills:
• Attribute Standard 1210.A2 – “The internal auditor should have sufficient knowledge toidentify the indicators of fraud...”
• Attribute Standard 1210.A3 – “Internal auditors should have knowledge of key informationtechnology risks and controls...”
• Performance Standard 2120.A1 – “...the internal audit activity should evaluate the adequacyand effectiveness of controls...”
• Performance Standard 2210.A1 – “Internal auditors should conduct a preliminary assessmentof the risks relevant to the activity under review…”
• Performance Standard 2320 – “Internal auditors should base conclusions and engagementresults on appropriate analyses and evaluations.”
The objectives for this survey question were to understand the current skill framework of technicaland behavioral skills necessary for internal auditors to successfully perform their jobs in theirposition within the internal audit activity (IAA). Figure 7-1 lists the technical and behavioral skillsincluded in CBOK 2006.
_______________________________________________ Chapter 7: Internal Audit Skills 281
The Institute of Internal Auditors Research Foundation
Figure 7-1Technical and Behavioral Skills
Data collection and analysisFinancial analysisForensic skills/fraud awarenessIdentifying types of controlsInterviewingISO/quality knowledgeNegotiatingResearch skillsRisk analysisStatistical samplingTotal quality managementUnderstanding businessUse of information technologyConfidentialityFacilitatingGovernance and ethics sensitivityInterpersonal skillsLeadershipObjectivityRelationship buildingStaff managementTeam buildingTeam playerWorking independentlyWork well with all levels of management
Technical Skills
CAE Respondents
Chief audit executives (CAEs) were asked to identify the five most important technical andbehavioral skills they need to possess in order to be successful as the leader of their IAA. Theywere also asked to identify the five most important technical and behavioral skills that the Audit
TechnicalSkills
BehavioralSkills
282 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Managers, Audit Seniors/Supervisors, and Audit Staff each need to perform their jobs. The resultscan be used to identify similarities among the CAEs’ responses.
Table 7-1 shows the CAEs’ selection of the five most important technical skills by staff level fromthe 13 listed in the questionnaire. Understanding the business and risk analysis are skills that onaverage get the highest scores. There is no individual technical skill that is highly rated by CAErespondents for all staff levels in the IAA. The higher the percentages in Table 7-1 for eachtechnical skill the more CAEs agreed on the importance of that skill.
Table 7-1Most Important Technical Skills by Staff Level
CAE Respondents (2,092) in Percentages
Technical Skills CAE Audit Audit AuditManager Senior/ Staff
Supervisor
Data collection and analysis 15.2 14.7 33.9 77.6Financial analysis 35.9 35.4 36.4 35.1Forensic skills/fraud awareness 43.2 38.7 31.7 20.9Identifying types of controls 30.8 33.6 45.2 52.1(e.g., preventative, detective)Interviewing 37.7 37.8 44.1 58.3ISO/quality knowledge 18.9 16.0 10.7 7.6Negotiating 68.7 49.5 23.5 7.3Research skills 20.8 19.6 29.9 41.5Risk analysis 74.9 59.0 41.3 27.5Statistical sampling 6.5 8.8 20.7 29.5Total quality management 33.4 21.0 10.6 3.7Understanding the business 78.3 58.6 43.9 45.5Use of information technology 28.3 30.4 37.3 51.4
Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
_______________________________________________ Chapter 7: Internal Audit Skills 283
The Institute of Internal Auditors Research Foundation
CAE
At the CAE position, high-level technical skills are vital for the IAA to be successful. For their owncategory, the technical skills most commonly chosen as important are:
• Understanding the business (78.3%).• Risk analysis (74.9%).• Negotiating (68.7%).• Forensic skills/fraud awareness (43.2%).• Interviewing (37.7%).
From the list provided, the CAEs indicate that understanding the business (78.3%), risk analysis(74.9%), and negotiating (68.7%) are especially important technical skills they need to performtheir role in the IAA. These results are in accordance with Performance Standard 2010, Planning,and its related Practice Advisories that require the CAE to establish a risk-based audit plan todetermine the priorities of the internal audit activity. As this is a high-level technical skill, it isappropriate that it is not vital at lower staff levels. Forensic skills/fraud awareness skills were alsocommonly chosen as important (43.2%). This seems appropriate as Standard 2210A.2 requiresthe internal auditor to consider for all assurance engagements “the probability of significant errors,irregularities, noncompliance, and other exposures when developing the engagement objectives.”
Audit Manager
For the Audit Manager category, the technical skills most commonly chosen as important by CAEsare:
• Risk analysis (59%).• Understanding the business (58.6%).• Negotiating (49.5%).• Forensic skills/fraud awareness (38.7%).• Interviewing (37.8%).
For Audit Managers, risk analysis (59%) and understanding the business (58.6%) are critical forsuccessful performance of duties. CAEs also identified negotiating (49.5%) as an important technicalskill for Audit Managers, although there is a more than 19% decrease in the importance of this skillfrom the CAE level. The most commonly chosen technical skills are the same at both the CAE andthe Audit Manager level.
284 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Audit Senior/Supervisor
For the Audit Senior/Supervisor category, the technical skills that were most commonly chosen byCAEs as important are:
• Identifying types of controls (45.2%).• Interviewing (44.1%).• Understanding the business (43.9%).• Risk analysis (41.3%).• Use of information technology (37.3%).
Some technical skills become less important at the Audit Senior/Supervisor level than the AuditManager level. One example shown in Table 7-1 is forensic skill/fraud awareness, which decreasesfrom 38.7% at the Audit Manager level to 31.7% at the Audit Senior/Supervisor level. Anotherdecrease is found in risk analysis, which decreases from 59.0% at the Audit Manager level to41.3% at the Audit Senior/Supervisor level. Understanding the business follows the same pattern,decreasing from 58.6% at the Audit Manager level to 43.9% at the Audit Senior/Supervisor level.
There are also some technical skills that are newly identified as important by CAEs when theyconsidered the Audit Senior/Supervisor level. Identifying types of controls (45.2%) and the use ofinformation technology (37.3%) were chosen by CAEs as important to the Audit Senior/Supervisorlevel.
Audit Staff
For the Audit Staff category, the technical skills that were most commonly chosen by CAEs asimportant are:
• Data collection and analysis (77.6%).• Interviewing (58.3%).• Identifying types of controls (52.1%).• Use of information technology (51.4%).• Understanding the business (45.5%).
_______________________________________________ Chapter 7: Internal Audit Skills 285
The Institute of Internal Auditors Research Foundation
CAE respondents indicate that the technical skills needed by each staff level change as theyprogress to higher staff levels. For example, while 77.6% of the CAEs selected data collection andanalysis as an important technical skill for the Audit Staff, only 14.7% indicate that it is importantfor Audit Managers, and 15.2% selected it as important for CAEs. For negotiating, 68.7 % feelthat it is important for CAEs and only 7.3% note that it is considered an important technical skill forthe Audit Staff.
Identifying types of controls was identified by CAEs as slightly increasing in importance from45.2% at the Audit Senior/Supervisor level to 52.1% at the Audit Staff level. Interviewing alsoshows an increase from 44.1% at the Audit Senior/Supervisor level to 58.3% at the Audit Stafflevel. The use of information technology shows a relatively large increase from 37.3% at the AuditSenior/Supervisor level to 51.4% at the Audit Staff level.
In Appendix 7, Tables 7–1-1-A (CAEs), 7-1-2-A (Audit Managers), 7-1-3-A (Audit Seniors/Supervisors), and 7-1-4-A (Audit Staff) show CAE responses for technical skills broken out forthe 13 groups. Overall the tabulation by CAE by groups agrees with the top five technical skills foreach staff level. These results clearly indicate that the CAE respondents believe that the technicalskills appropriate for success in the IAA differ at various staff levels in the IAA.
Practitioner Respondents
While CAEs ranked the five most important technical skills for all staff levels including themselves,the Practitioners were asked to indicate the importance of all thirteen technical skills to performtheir work at their current staff position. The practitioner respondents indicated importance of thetechnical skill to them on a scale of 1 (minimally important) to 5 (very important). Table 7-2 dividesthe mean responses into the three staff levels: Audit Manager, Audit Senior /Supervisor, and AuditStaff. The results for technical skills show little variation by staff levels. The skills that consistentlyget the highest mean scores from the Practitioner respondents are data collection and analysis,identifying types of controls, interviewing, research skills, risk analysis, and understanding thebusiness. The higher the mean in Table 7-2 for each technical skill the more Practitioners agreedon the importance of that skill.
286 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 7-2Importance to Respondent of Technical Skills to Perform Work
Practitioner Respondents by Means*
Technical Skills Audit Audit AuditManager Senior/ Staff
Supervisor
Data collection and analysis 4.1 4.3 4.4Financial analysis 3.8 3.9 3.7Forensic skills/fraud awareness 3.6 3.6 3.6Identifying types of controls 4.3 4.2 4.1(e.g., preventative, detective)Interviewing 4.3 4.3 4.3ISO/quality knowledge 2.9 2.9 3.0Negotiating 3.7 3.6 3.5Research skills 3.9 4.0 4.0Risk analysis 4.4 4.3 4.2Statistical sampling 3.2 3.3 3.5Total quality management 2.9 2.9 3.0Understanding the business 4.5 4.4 4.3Use of information technology 4.1 4.1 4.1
*The mean is the average response to: 1 = minimally important to 5 = very important.Note: Not all respondents answered for all the skills. Total number of respondents was between 4,686 and 4,756.
The skills related to quality (ISO/quality knowledge and TQM) received the lowest ranking of allthe skills for all three professional levels in the IAA.
_______________________________________________ Chapter 7: Internal Audit Skills 287
The Institute of Internal Auditors Research Foundation
In Table 7-2-1, the main differences that emerge by comparing group data are those skills that aregenerally not considered as important by Practitioners: statistical sampling, total quality management,and negotiating. Group 9 considers statistical sampling to be very important (mean of 3.9) whilegroup 10 has a much lower mean (2.8). Group 12 differs from the others for TQM with a mean of3.4 which is very different than group 10’s mean of 2.4. Negotiating gets its highest score in groups2, 3, and 7 (4.0) while group 10 gives this skill a much lower value (2.9).
Table 7-2-1Importance to Respondent of Technical Skills to Perform Work by Groups*
Practitioner Respondents in Means**
Technical Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C***
Data collection and 4.2 4.0 4.2 4.4 4.5 4.0 4.6 4.2 4.4 4.2 4.3 4.5 4.3analysisFinancial analysis 3.8 3.5 3.8 4.0 3.9 3.4 4.1 3.5 4.2 3.4 4.3 4.1 3.9Forensic skills/fraud 3.6 3.4 3.5 3.9 3.7 3.3 3.8 3.3 4.0 3.3 3.5 3.8 3.7awarenessIdentifying types of 4.3 4.4 4.4 4.1 4.1 3.8 4.41 3.8 4.4 4.2 4.2 4.5 4.1controls (e.g.,preventative, detective)Interviewing 4.4 4.3 4.4 3.9 4.4 4.4 4.3 4.2 4.1 4.4 4.3 4.2 4.1ISO/quality knowledge 2.8 2.8 3.1 3.4 3.0 2.6 3.4 2.8 3.0 2.6 3.1 3.3 3.3Negotiating 3.5 4.0 4.0 3.7 3.9 3.5 4.0 3.4 3.9 2.9 3.8 3.6 3.7Research skills 4.0 3.9 3.9 3.7 4.1 3.7 4.1 3.7 4.3 3.1 3.8 3.8 3.9Risk analysis 4.2 4.4 4.4 4.2 4.4 4.3 4.5 4.4 4.3 4.5 4.3 4.2 4.2Statistical sampling 3.2 3.0 3.2 3.5 3.5 2.9 3.7 3.3 3.9 2.8 3.5 3.8 3.5Total quality 2.9 2.7 3.1 3.2 3.1 2.6 3.3 2.7 3.3 2.4 3.2 3.4 3.1managementUnderstanding 4.7 4.5 4.6 4.3 4.3 4.5 4.5 4.2 4.5 4.6 4.5 4.5 4.4businessUse of information 4.1 3.9 4.3 4.0 4.1 3.9 4.4 4.0 4.2 4.2 4.1 4.0 4.2technology
*For a list of groups, please see the inside back cover.**The mean is the average response to: 1 = minimally important to 5 = very important.***N/C = Respondents did not indicate affiliate or chapter membership.
288 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
To add to the understanding of the importance placed by the Practitioners on the different technicalskills by staff level, the data from Table 7-2 is displayed in rank order by staff level in Table 7-3. InTable 7-3, the technical skills are ranked from 1 (most important) through 13 (least important).There is a high level of consistency in the ranking of technical skills among the three staff levels(Audit Manager, Audit Senior/Supervisor, and Audit Staff). The relative decreasing importance ofcertain skills as one achieves higher staff levels in the IAA is only indicated for data collection andanalysis. There is only slightly more importance of risk analysis and identifying types of controls asone achieves higher staff levels in the IAA.
Table 7-3Rankings of Technical Skills by Staff Level
Practitioner Respondents by Rank
Technical Skills Audit Audit Senior/ AuditManager Supervisor Staff
Data collection and analysis 5/6 2/3/4 1Financial analysis 8 8 8Forensic skills/fraud awareness 10 9/10 9Identifying types of controls 3/4 5 5/6(e.g., preventative, detective)Interviewing 3/4 2/3/4 2/3ISO/quality knowledge 12/13 12/13 12/13Negotiating 9 9/10 10/11Research skills 7 7 7Risk analysis 2 2/3/4 4Statistical sampling 11 11 10/11Total quality management 12/13 12/13 12/13Understanding the business 1 1 2/3Use of information technology 5/6 6 5/6
Note: In some cases the rankings are tied. For example, rankings of Data Collection andAnalysis and Use of Information Technology at the Audit Manager level are tied.
_______________________________________________ Chapter 7: Internal Audit Skills 289
The Institute of Internal Auditors Research Foundation
Behavioral Skills
CAE Respondents
For an IAA to be successful, internal auditors must possess the appropriate level of skills that arefundamental for performance of their work (Standard 1210, Proficiency). From the twelve behavioralskills that were listed in the survey question, CAEs were asked to indicate the five most importantfor various professional staff levels in the IAA. The results can be used to identify similaritiesamong the CAEs’ responses.
Table 7-4 provides an overall view of the skills that CAEs chose as important for those performinginternal auditing activities at the CAE, Audit Manager, Audit Senior/Supervisor, and Audit Stafflevels in the IAA. Their responses are presented in percentages by frequency of response forthose that answered the question. The higher the percentages in Table 7-4 for each behavioral skillthe more CAEs agreed on the importance of that skill. CAEs selected confidentiality first orsecond for all staff levels with a low of 53.2% for Audit Managers to a high of 73.4% for the AuditStaff. CAEs also selected objectivity (45.7% to 73.7%) and interpersonal skills (44% to 67.4%) ashighly needed behavioral skills for all staff levels.
290 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 7-4Most Important Behavioral Skills by Staff Level
CAE Respondents (2,092) in Percentages
Behavioral Skills CAE Audit Audit AuditManager Senior/ Staff
Supervisor
Confidentiality 68.7 53.2 56.2 73.4Facilitating 34.3 33.3 28.6 13.4Governance and ethics sensitivity 54.8 32.0 23.5 24.1Interpersonal skills 49.0 44.0 49.9 67.4Leadership 75.1 48.8 21.8 3.4Objectivity 58.2 45.7 54.3 73.7Relationship building 44.7 30.9 24.7 29.0Staff management 34.8 44.0 30.1 2.2Team building 32.9 39.4 30.8 7.8Team player 15.2 18.4 34.9 65.2Work well with all levels of management 58.3 42.6 35.2 40.3Working independently 18.9 16.9 26.4 55.6
Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.
The importance of objectivity and confidentiality is supported by many references in the ProfessionalPractices Framework. Objectivity and confidentiality are two of the four principles in The IIA’sCode of Ethics. The IIA’s Code of Ethics states for objectivity, “Internal auditors exhibit the highestlevel of professional objectivity in gathering, evaluating, and communicating information about theactivity or process being examined.” For confidentiality, The IIA’s Code of Ethics states, “Internalauditors respect the value and ownership of information they receive and do not disclose informationwithout appropriate authority unless there is a legal or professional obligation to do so.” Accordingto the Code, internal auditors must be prudent in their use and protection of information acquired.Information cannot be used for personal gain or in a way that would be against the law or hurt theorganization.
_______________________________________________ Chapter 7: Internal Audit Skills 291
The Institute of Internal Auditors Research Foundation
The following discusses the CAE’s rankings by staff level based on Table 7-4.
CAE
The behavioral skills CAEs commonly chose as important at their level are:
• Leadership (75.1%).• Confidentiality (68.7%).• Work well with all levels of management (58.3%).• Objectivity (58.2%).• Governance and ethics sensitivity (54.8%).
For CAEs, the importance of relationships and leadership skills instead of skills emphasizing theirown individual success is supported in Standards 2440, Disseminating Results, 2500, MonitoringProgress, and 2600, Resolution of Management’s Acceptance of Risks. Each requires the CAE tocommunicate with management and monitor progress. Practice Advisory 2340-1 states that theCAE, “Is responsible for assuring that appropriate engagement supervision is provided.” CAEs didnot commonly choose as important behavioral skills such as team player (15.2%) and workingindependently (18.9%).
Audit Manager
The most important behavioral skills that CAEs commonly believe Audit Managers should possessat their level are:
• Confidentiality (53.2%).• Leadership (48.8%).• Objectivity (45.7%).• Interpersonal skills (44.0%).• Staff management (44.0%).• Works well with all levels of management (42.6%).
The importance of staff management skills at higher levels in the IAA is consistent with Standard2340, which states that “engagements should be properly supervised to ensure objectives areachieved...” Based on Standard 2030, Resource Management, if they are managing the engagementproperly, they are ensuring that the staff is effectively deployed to achieve the approved plan.Progression in hierarchical position in the IAA from Audit Staff to Audit Manager results in arelative decrease in importance of the percentage ranking for confidentiality, objectivity, interpersonalskills, and team player as shown by the percentages attributed to each.
292 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Audit Senior/Supervisor
For the Audit Senior/Supervisor level, the behavioral skills chosen by CAEs as important include:
• Confidentiality (56.2%).• Objectivity (54.3%).• Interpersonal skills (49.9%).• Work well with all levels of management (35.2%).• Team player (34.9%).
Comparing four of the behavioral skills CAEs chose as important for the Audit Manager and AuditSenior/Supervisor levels, confidentiality is important at all levels. This holds true when comparingthe Audit Manager (53.2%) and the Audit Senior/Supervisor (56.2%) levels. Objectivity is alsorelatively close in importance at both levels (45.7% and 54.3%). Interpersonal skills show closealignment for the Audit Manager (44.0%) and Audit Senior/Supervisor (49.9%) levels. Work wellwith all levels of management is also commonly chosen as important by CAEs for both of theselevels (42.6% ad 35.2%).
Audit Staff
A comparison of the CAEs’ responses regarding the important behavioral skills related to the fourstaff levels reveals some noticeable differences. For the Audit Staff, the most commonly chosenbehavioral skills CAEs believe they should possess are:
• Objectivity (73.7%).• Confidentiality (73.4%).• Interpersonal skills (67.4%).• Team player (65.2%).• Working independently (55.6%).
Skills indicated by CAEs as not critical for Audit Staff members to possess at this point in theirinternal auditing career are staff management (2.2%), leadership (3.4%), and team building (7.8%).
In Table 7-4, when comparing results for Audit Seniors/Supervisors and Audit Staff to those ofAudit Managers, CAE respondents’ choices show a trend of increasing importance for:
_______________________________________________ Chapter 7: Internal Audit Skills 293
The Institute of Internal Auditors Research Foundation
• Leadership (3.4% to 48.8%).• Staff management (2.2% to 44.0%).• Team building (7.8% to 39.4%).• Facilitating (13.4% to 33.3%).
CAE Respondents by Staff Level for Groups
Tables 7-4-1 (CAEs), 7-4-2 (Audit Managers), 7-4-3 (Audit Seniors/Supervisors), and 7-4-4 (AuditStaff) show the selections by CAEs by groups of the most commonly chosen behavioral skills.
Table 7-4-1 shows the behavioral skills CAEs by group chose as important for the performance oftheir job. Variability of results relate predominantly to facilitating, works well with all levels ofmanagement, governance and ethics sensitivity, and staff management.
Table 7-4-1Most Important Behavioral Skills
for CAEs by Groups*CAE Respondents in Percentages
Behavioral Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Confidentiality 65.2 66.7 67.9 74.4 72.7 71.5 81.6 75.9 62.5 50.0 72.5 62.5 61.1Facilitating 32.2 34.6 32.1 33.7 52.1 38.7 28.9 37.2 30.0 14.3 24.6 50.0 33.6Governance and ethics 48.0 59.3 53.7 73.3 50.3 54.7 69.3 63.5 65.0 40.5 68.1 75.0 52.7sensitivityInterpersonal skills 52.6 59.3 53.0 54.7 50.9 40.9 46.5 39.8 35.0 45.2 59.4 37.5 40.5Leadership 78.4 75.3 88.1 64.0 66.7 72.3 78.9 75.6 80.0 57.1 78.3 75.0 60.3Objectivity 52.0 56.8 53.7 65.1 70.3 59.1 64.9 64.7 65.0 54.8 65.2 75.0 57.3Relationship building 45.8 60.5 63.4 36.0 40.0 38.7 44.7 42.5 32.5 38.1 46.4 37.5 37.4Staff management 26.1 29.6 36.6 30.2 58.8 43.8 33.3 51.5 27.5 28.6 33.3 12.5 28.2Team building 28.4 33.3 32.8 45.3 41.2 24.8 33.3 44.4 37.5 19.0 29.0 37.5 31.3Team player 8.2 13.6 13.4 20.9 27.9 10.2 37.7 22.2 7.5 9.5 17.4 12.5 17.6Working independently 10.9 19.8 12.7 36.0 29.1 19.7 25.4 25.6 25.0 19.0 21.7 25.0 26.7Work well with all levels 64.0 65.4 59.7 47.7 69.1 56.9 48.2 41.0 55.0 76.2 65.2 50.0 47.3of management
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.
294 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
In Table 7-4-2 for Audit Managers, CAEs in group 4 indicate that governance and ethics sensitivity(60.5%) and leadership (69.8%) are commonly important for Audit Managers. Governance andethics sensitivity is one of the most important behavior skills for only 21.6% of the CAE respondentsbelonging to group 1. Leadership is considered an important skill by CAEs for Audit Managers foronly 33.3% of respondents in group 10. A major difference between CAE respondents by group isfor facilitating, which is identified as much less important in group 10. Staff management skills arecommonly chosen as important by CAEs in group 3 (59.7%) but not by CAEs in group 10 (23.8%).
Table 7-4-2Most Important Behavioral Skills
for Audit Manager by Groups*CAE Respondents in Percentages
Behavioral Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Confidentiality 50.8 54.3 56.7 61.6 49.7 54.7 63.2 57.1 47.5 33.3 62.3 75.0 45.8Facilitating 29.3 30.9 38.1 46.5 42.4 30.7 34.2 35.7 45.0 9.5 36.2 50.0 32.8Governance and ethics 21.6 28.4 31.3 60.5 29.1 34.3 45.6 43.6 50.0 31.0 40.6 62.5 35.1sensitivityInterpersonal skills 47.9 55.6 61.9 39.5 42.4 31.4 32.5 33.8 35.0 42.9 58.0 62.5 38.2Leadership 49.9 37.0 46.3 69.8 50.9 35.8 57.9 44.7 50.0 33.3 59.4 50.0 47.3Objectivity 41.4 46.9 49.3 43.0 49.1 43.8 56.1 47.4 52.5 40.5 60.9 87.5 43.5Relationship building 29.7 34.6 42.5 32.6 29.7 27.0 26.3 33.5 20.0 26.2 39.1 37.5 27.5Staff management 42.9 53.1 59.7 45.3 49.1 38.7 33.3 44.4 47.5 23.8 50.7 50.0 38.2Team building 38.3 33.3 43.3 55.8 39.4 41.6 35.1 43.6 27.5 40.5 40.6 25.0 31.3Team player 11.4 16.0 19.4 16.3 27.3 13.1 37.7 27.1 15.0 14.3 24.6 12.5 23.7Working independently 13.6 14.8 13.4 22.1 21.8 16.1 17.5 18.8 10.0 21.4 31.9 25.0 22.1Work well with all 47.5 49.4 56.0 38.4 38.8 31.4 38.6 33.1 27.5 42.9 52.2 25.0 36.6levels of management
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.
_______________________________________________ Chapter 7: Internal Audit Skills 295
The Institute of Internal Auditors Research Foundation
Table 7-4-3 highlights the CAEs’ responses for Audit Seniors/Supervisors. With the exception ofCAEs in groups 4, 5, and 12, there is remarkable consistency among CAEs in the groups. The maindifferences are for staff management and leadership. For CAEs in group 4, these two skills areconsidered quite important (53.5% and 46.5%) while group 5 indicates that these skills are notimportant for Audit Seniors/Supervisors (13.9% and 7.9%). The percentages from Table 7-4 forthese two categories are respectively 30.1% and 21.8%. Another large difference relates tofacilitating where group 4 considers this much more important (57%) than group 10 (19%).
Table 7-4-3Most Important Behavioral Skills
for Audit Seniors/Supervisors by Groups*CAE Respondents in Percentages
Behavioral Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Confidentiality 52.5 53.1 63.4 57.0 56.4 61.3 68.4 61.7 65.0 40.5 59.4 87.5 45.0Facilitating 24.3 27.2 25.4 57.0 35.2 31.4 31.6 26.3 37.5 19.0 42.0 37.5 25.2Governance and ethics 14.7 22.2 22.4 41.9 33.3 27.7 39.5 28.2 47.5 14.3 29.0 25.0 21.4sensitivityInterpersonal skills 52.6 61.7 63.4 57.0 42.4 38.0 37.7 42.5 47.5 47.6 62.3 87.5 46.6Leadership 20.9 14.8 17.9 46.5 7.9 17.5 36.8 19.9 27.5 21.4 27.5 25.0 28.2Objectivity 52.0 51.9 54.5 40.7 53.3 62.8 57.9 58.6 60.0 40.5 62.3 100.0 55.0Relationship building 22.1 30.9 35.8 34.9 30.3 20.4 21.1 21.8 20.0 28.6 27.5 50.0 22.9Staff management 32.1 32.1 41.0 53.5 13.9 31.4 23.7 26.7 37.5 16.7 29.0 37.5 22.9Team building 33.3 29.6 29.9 46.5 17.0 24.8 31.6 28.9 42.5 16.7 33.3 25.0 33.6Team player 29.1 27.2 43.3 27.9 32.1 38.0 56.1 41.4 45.0 28.6 44.9 50.0 34.4Working independently 23.9 22.2 31.3 25.6 30.3 38.0 18.4 26.7 15.0 19.0 37.7 25.0 29.0Work well with all 38.0 40.7 50.0 39.5 27.3 31.4 30.7 29.7 37.5 40.5 33.3 25.0 24.4levels of management
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.
296 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
In Table 7-4-4 (Audit Staff) there are uniformly low indicators of importance for staff management,leadership, team building, and facilitating. Group 6 believes that working independently is importantfor Audit Staff (70.8%) while group 7 considers this skill much less important (35.1%). Being ateam player is vital for CAEs in group 7 (72.8%) and much less important in group 9 (37.5%).Whereas CAEs in group 9 believe that governance and ethics sensitivity is very important (45.0%)for Audit Staff when compared to the average 24.1% in Table 7-4, CAEs in group 12 show thelowest percentage for this skill (12.5%). CAEs’ range of percentages for objectivity is 100% forgroup 12, 82.5% for group 7, and 52.3% for group 4. The percentage from Table 7-4 is 73.7%.Works well with all levels of management ranges from a low of 12.5% in group 12 to a high of52.3% in group 4.
Table 7-4-4Most Important Behavioral Skills
for Audit Staff by Groups*CAE Respondents in Percentages
Behavioral Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Confidentiality 71.7 69.1 76.9 65.1 71.5 75.9 84.2 81.2 77.5 59.5 71.0 100.0 65.6Facilitating 9.0 8.6 7.5 32.6 23.0 10.2 16.7 16.5 15.0 14.3 20.3 0.0 15.3Governance and ethics 14.5 25.9 24.6 31.4 35.8 21.2 42.1 29.7 45.0 26.2 33.3 12.5 27.5sensitivityInterpersonal skills 76.1 77.8 65.7 70.9 58.8 55.5 54.4 60.9 55.0 61.9 71.0 100.0 56.5Leadership 2.9 2.5 2.2 4.7 1.8 0.7 13.2 2.3 7.5 0.0 2.9 0.0 6.1Objectivity 76.2 61.7 77.6 52.3 69.1 75.2 82.5 75.6 80.0 71.4 72.5 100.0 65.6Relationship building 25.8 34.6 37.3 41.9 35.2 24.1 24.6 27.8 47.5 31.0 27.5 37.5 26.0Staff management 1.3 1.2 0.7 9.3 0.6 0.7 10.5 1.5 5.0 0.0 2.9 0.0 2.3Team building 5.1 8.6 4.5 22.1 17.0 2.9 8.8 8.3 10.0 4.8 8.7 0.0 10.7Team player 65.9 59.3 71.6 61.6 72.1 65.7 72.8 68.4 37.5 45.2 59.4 75.0 55.7Working independently 60.6 56.8 62.7 65.1 59.4 70.8 35.1 43.6 45.0 47.6 49.3 50.0 41.2Work well with all 43.8 45.7 50.7 52.3 23.6 40.9 32.5 38.7 25.0 33.3 40.6 12.5 35.9levels of management
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.
_______________________________________________ Chapter 7: Internal Audit Skills 297
The Institute of Internal Auditors Research Foundation
Practitioner Respondents
Practitioners were asked to indicate the importance of each of the twelve behavioral skills toperform their work at their current position in their organization. These respondents were asked touse a scale of importance from 1 (minimally important) to 5 (very important). The data is dividedinto the three staff levels: Audit Manager, Audit Senior/Supervisor, and Audit Staff. The higher themean in Table 7-5 for each behavioral skill the more Practitioners agreed on the importance of thatskill.
Practitioners consider almost all of the behavioral skills to be important with only marginal differencesin the means. The only skill categories with ratings below 4.0 are:
• Staff management (the lowest score of all categories analyzed).• Facilitating (among the lowest scores given a skill by all respondents).• Leadership and team building (a mean lower than 4.0 only for the Audit Staff category).
Table 7-5Importance of Behavioral Skills to Perform Work
Practitioner Respondents by Mean*
Behavioral Skills Audit Audit AuditManager Senior/ Staff
Supervisor
Confidentiality 4.8 4.8 4.7Facilitating 4.1 4.0 3.9Governance and ethics sensitivity 4.4 4.3 4.3Interpersonal skills 4.6 4.5 4.5Leadership 4.3 4.1 3.9Objectivity 4.8 4.8 4.7Relationship building 4.4 4.4 4.3Staff management 4.1 3.8 3.5Team building 4.2 4.0 3.9Team player 4.3 4.2 4.2Work well with all levels of management 4.6 4.6 4.5Working independently 4.2 4.2 4.2
*The mean is the average response to: 1 = minimally important to 5 = very important.Note: Not all respondents answered for all the skills. Total number of respondents is between 4,742 and 4,790.
298 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
The practitioner results highlight many similarities with the CAE respondents. Confidentiality andobjectivity are the skills that practitioners consider the most important for all professional levels.This is consistent with Practice Advisory 1120-1, Individual Objectivity, which states, “Objectivityis an independent mental attitude which internal auditors should maintain in performingengagements.” Interpersonal skills and works well with all levels of management are also viewedby respondents as very important to perform audit work.
Table 7-5-1 shows the means of the Practitioner responses by groups. The responses show that alllisted behavorial skills are considered important, regardless of where respondents reside.Confidentiality and objectivity are the highest ranking skills for all groups. Considering the contentsof The IIA’s Code of Ethics and the Standards, the uniformity of this perception among practitionersglobally is very important. Almost universally the lowest rankings by Practitioner groups are forstaff management, facilitating, and leadership. Staff management has a mean of more than 4.0only for groups 12 and 7. For the other groups, the mean varies from 3.4 for group 10 to 4.0 forgroup 3. Regarding leadership, group 12 considers this behavioral skill to be very important (4.6) toperform audit work, while groups 5 and 6 assign leadership a much lower value (3.7).
Table 7-5-1Importance of Behavioral Skills to Perform Work by Groups*
Practitioner Respondents in Means**
Behavioral Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C***
Confidentiality 4.8 4.7 4.8 4.6 4.7 4.8 4.9 4.7 4.7 4.7 4.7 4.9 4.7Facilitating 4.1 4.1 3.9 3.8 4.1 3.8 4.3 3.9 4.1 3.5 4.0 4.0 4.0Governance and ethics 4.3 4.4 4.4 4.2 4.2 4.1 4.6 4.2 4.2 4.3 4.1 4.4 4.3sensitivityInterpersonal skills 4.6 4.7 4.6 4.5 4.5 4.3 4.5 4.3 4.3 4.3 4.5 4.7 4.4Leadership 4.3 4.3 4.2 4.0 3.7 3.7 4.4 3.8 4.1 3.8 4.2 4.6 4.0Objectivity 4.7 4.8 4.8 4.7 4.7 4.7 4.8 4.7 4.7 4.8 4.5 4.8 4.7Relationship building 4.5 4.5 4.5 4.2 4.2 4.0 4.2 4.2 4.3 4.1 4.2 4.5 4.2Staff management 3.9 3.7 4.0 3.8 3.7 3.5 4.2 3.8 3.9 3.4 3.9 4.5 3.8Team building 4.1 4.0 4.1 4.1 4.0 3.7 4.3 4.0 4.0 3.7 4.1 4.5 4.0Team player 4.3 4.2 4.2 4.1 4.2 4.0 4.5 4.2 4.1 4.0 4.2 4.4 4.2Work well with all 4.4 4.3 4.3 4.1 4.1 4.3 3.9 3.7 4.4 4.3 4.3 4.4 4.1levels of managementWorking independently 4.7 4.7 4.7 4.3 4.5 4.5 4.6 4.4 4.4 4.6 4.5 4.6 4.4
*For a list of groups, please see the inside back cover.**The mean is the average response to: 1 = minimally important to 5 = very important.***N/C = Respondents did not indicate affiliate or chapter membership.
_______________________________________________ Chapter 7: Internal Audit Skills 299
The Institute of Internal Auditors Research Foundation
Summary
For their own position, CAEs indicate understanding the business and risk analysis as importanttechnical skills for them to possess. CAEs indicate noticeable difference in technical skills neededbetween the various staff levels. Technical skills that are considered more important by CAEs forthe Audit Staff but less vital for themselves are data collection and analysis, identifying types ofcontrols, and use of information technology. CAEs considered other technical skills, such asunderstanding the business, risk analysis, and negotiating, to be more important for themselves butnot as important for the Audit Staff or Audit Seniors/Supervisors.
Practitioners uniformly indicate the need for most of the technical skills and behavioral skills attheir own staff level. Practitioners consider most technical and behavioral skills listed to be importantto perform their work at their current position in the IAA. The results show that the CAEs andPractitioners almost uniformly consider confidentiality and objectivity to be important behavioralskills.
300 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
APPENDIX 7
Table 7-1-1-AMost Important Technical Skills
for CAEs by Groups*CAE Respondents in Percentages
Technical Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Data collection and 11.1 13.6 9.0 39.5 27.9 11.7 21.9 14.3 17.5 16.7 11.6 12.5 16.8analysisFinancial analysis 37.7 23.5 38.8 44.2 38.8 35.0 28.1 34.6 40.0 26.2 39.1 12.5 32.8Forensic skills/fraud 45.4 34.6 35.1 68.6 46.7 35.8 43.9 37.6 42.5 33.3 53.6 25.0 38.9awarenessIdentifying types of 26.6 34.6 14.9 53.5 32.1 29.2 28.9 38.3 57.5 35.7 30.4 25.0 32.8controls (e.g.,preventative, detective)Interviewing 35.2 46.9 38.8 39.5 47.9 36.5 24.6 40.2 45.0 47.6 33.3 25.0 37.4ISO/quality knowledge 13.1 14.8 24.6 25.6 29.7 15.3 29.8 21.4 20.0 11.9 34.8 12.5 16.8Negotiating 70.1 77.8 75.4 54.7 69.1 70.8 65.8 77.4 55.0 57.1 65.2 50.0 49.6Research skills 14.5 28.4 28.4 19.8 42.4 19.0 20.2 21.8 22.5 9.5 33.3 50.0 16.0Risk analysis 76.1 80.2 74.6 74.4 69.1 70.8 74.6 82.0 75.0 71.4 78.3 62.5 61.8Statistical sampling 3.2 6.2 3.7 18.6 12.7 3.6 13.2 7.5 15.0 0.0 11.6 0.0 7.6Total quality 30.3 24.7 38.1 34.9 50.3 32.1 43.0 28.2 42.5 19.0 46.4 25.0 29.8managementUnderstanding the 83.9 86.4 88.8 53.5 65.5 72.3 74.6 83.8 57.5 88.1 82.6 75.0 59.5businessUse of information 28.9 27.2 35.1 32.6 36.4 12.4 39.5 17.7 40.0 26.2 37.7 50.0 24.4technology
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
_______________________________________________ Chapter 7: Internal Audit Skills 301
The Institute of Internal Auditors Research Foundation
Table 7-1-2-AMost Important Technical Skillsfor Audit Managers by Groups*
CAE Respondents in Percentages
Technical Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Data collection and 12.7 18.5 14.9 27.9 18.2 10.9 13.2 14.3 7.5 21.4 20.3 12.5 14.5analysisFinancial analysis 36.0 19.8 35.8 59.3 39.4 27.0 24.6 32.3 40.0 28.6 47.8 25.0 39.7Forensic skills/fraud 41.9 33.3 42.5 47.7 33.9 32.8 41.2 34.6 32.5 33.3 44.9 50.0 30.5awarenessIdentifying types of 29.9 40.7 35.1 48.8 33.9 27.0 36.8 38.7 45.0 23.8 36.2 37.5 32.1controls (e.g.,preventative, detective)Interviewing 35.0 45.7 42.5 47.7 38.8 34.3 23.7 42.5 47.5 35.7 40.6 50.0 39.7ISO/quality knowledge 9.3 12.3 16.4 32.6 26.1 16.1 27.2 17.7 15.0 4.8 30.4 12.5 19.1Negotiating 48.1 54.3 59.0 60.5 50.9 46.7 49.1 50.8 45.0 28.6 60.9 62.5 38.2Research skills 15.8 21.0 22.4 18.6 30.3 17.5 28.1 21.1 10.0 14.3 31.9 25.0 17.6Risk analysis 59.2 60.5 72.4 64.0 49.7 51.1 64.9 60.9 65.0 47.6 69.6 37.5 48.9Statistical sampling 6.2 6.2 8.2 9.3 7.9 10.9 14.9 12.0 15.0 4.8 18.8 0.0 9.2Total quality 16.5 13.6 17.9 48.8 34.5 16.1 24.6 18.8 37.5 16.7 31.9 37.5 18.3managementUnderstanding 61.7 65.4 76.9 46.5 50.9 51.1 52.6 60.2 45.0 64.3 63.8 50.0 44.3businessUse of information 33.2 28.4 31.3 25.6 37.0 14.6 32.5 22.6 40.0 23.8 47.8 37.5 28.2technology
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
302 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 7-1-3-AMost Important Technical Skills for
Audit Seniors/Supervisors by Groups*CAE Respondents in Percentages
Technical Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Data collection and 34.8 37.0 41.8 44.2 32.1 30.7 33.3 29.7 40.0 23.8 34.8 62.5 26.0analysisFinancial analysis 35.2 22.2 42.5 46.5 38.8 35.8 42.1 33.8 37.5 26.2 50.7 25.0 33.6Forensic skills/fraud 33.1 28.4 29.9 38.4 28.5 29.9 36.8 26.7 40.0 23.8 43.5 50.0 27.5awarenessIdentifying types of 43.8 46.9 55.2 55.8 37.0 41.6 53.5 45.5 45.0 33.3 56.5 37.5 39.7controls (e.g.,preventative, detective)Interviewing 42.6 42.0 53.0 50.0 33.9 52.6 36.8 48.5 32.5 42.9 52.2 37.5 42.7ISO/quality knowledge 3.9 4.9 3.0 40.7 22.4 6.6 24.6 10.5 20.0 4.8 24.6 25.0 13.7Negotiating 20.6 24.7 24.6 41.9 15.8 36.5 21.1 23.7 27.5 23.8 33.3 25.0 19.1Research skills 27.4 29.6 20.1 38.4 37.6 30.7 42.1 36.1 30.0 11.9 26.1 12.5 25.2Risk analysis 35.3 40.7 57.5 55.8 33.3 38.7 54.4 48.1 35.0 40.5 42.0 37.5 42.7Statistical sampling 18.4 14.8 20.9 20.9 20.6 21.9 32.5 22.2 20.0 4.8 34.8 37.5 19.8Total quality 6.0 4.9 11.2 36.0 12.7 6.6 19.3 10.2 17.5 7.1 17.4 12.5 15.3managementUnderstanding the 45.5 45.7 56.7 47.7 27.3 43.8 40.4 38.7 52.5 61.9 50.7 37.5 39.7businessUse of information 37.9 33.3 46.3 30.2 35.2 23.4 47.4 36.5 55.0 28.6 50.7 50.0 31.3technology
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
_______________________________________________ Chapter 7: Internal Audit Skills 303
The Institute of Internal Auditors Research Foundation
Table 7-1-4-AMost Important Technical Skills for
Audit Staff by Groups*CAE Respondents in Percentages
Technical Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Data collection and 78.8 72.8 78.4 77.9 79.4 78.1 80.7 77.4 75.0 66.7 85.5 87.5 66.4analysisFinancial analysis 37.0 27.1 31.3 33.7 33.9 27.0 49.1 34.6 42.5 19.0 46.4 37.5 29.0Forensic skills/fraud 21.9 13.6 24.6 22.1 25.5 23.4 21.1 13.9 30.0 16.7 23.2 12.5 18.3awarenessIdentifying types of 58.6 61.7 73.1 38.4 32.1 37.2 59.6 48.1 42.5 45.2 53.6 62.5 38.9controls (e.g.,preventative, detective)Interviewing 62.1 58.0 70.9 27.9 64.2 64.2 44.7 56.8 32.5 59.5 62.3 62.5 47.3ISO/quality knowledge 1.6 2.5 0.7 46.5 15.1 4.4 13.1 9.4 7.5 23.8 14.4 0.0 13.7Negotiating 4.6 8.6 8.21 9.3 14.5 10.2 5.2 9.0 15.0 4.8 11.6 0.0 3.8Research skills 47.0 42.0 21.6 41.8 51.5 48.9 39.8 39.8 40.0 19.0 18.8 0.0 34.3Risk analysis 19.8 33.3 40.3 25.6 27.3 24.8 43.0 34.2 42.5 50.0 21.7 25.0 28.2Statistical sampling 26.0 23.4 23.9 39.5 36.9 25.5 39.5 36.1 37.5 7.1 39.1 25.0 27.5Total quality 1.1 1.2 3.7 20.9 5.4 2.2 6.1 5.3 7.5 0.0 5.8 0.0 3.8managementUnderstanding the 47.3 45.7 54.5 64.0 29.1 54.7 36.8 33.1 40.0 69.0 55.1 50.0 45.8businessUse of information 44.7 45.7 46.3 70.9 66.7 42.3 62.3 59.7 72.5 45.2 53.6 75.0 45.8technology
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
304 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 305
The Institute of Internal Auditors Research Foundation
CHAPTER 8INTERNAL AUDITOR COMPETENCIES
Introduction
Internal auditors at all levels need to obtain and develop a range of competencies and knowledgethat enable them to perform their work effectively and enable the internal audit activity (IAA) tofunction properly. This chapter summarizes the fundamental competencies and the areas of knowledgeneeded by practicing internal auditors today. Competencies range from generally applicable individualcompetencies, such as time management and presentation competencies, to abilities such as beingable to work through an issue to find the root cause of a problem area. Internal auditors also musthave different competencies to be successful at a given staff position within the IAA. This chapteraddresses the range of internal audit competencies at the CAE, Audit Manager, Audit Senior/Supervisor, and Audit Staff levels and areas of knowledge at all staff levels except CAE.
Certain competencies and knowledge are essential for the success of an individual internal auditor,the audit process, and the overall success of the IAA. Standard 1210, Proficiency, states, “Internalauditors should possess the knowledge, skills, and other competencies needed to perform theirindividual responsibilities,” and Standard 1230, Continuing Professional Development, states, “Internalauditors should enhance their knowledge, skills, and other competencies through continuingprofessional development.” Internal auditors must continually update their competencies andknowledge to remain current. The importance of competencies is also highlighted as one of fourprinciples in The IIA’s Code of Ethics.
Internal auditors at all staff levels need to obtain and develop a range of competencies and abilitiesthat enable them to perform their work effectively. These competencies range from generallyapplicable individual competencies to qualities that are specific to internal auditors. Since PracticeAdvisory 1210-1, Proficiency, requires that “The internal audit staff should collectively possess theknowledge and skills essential to the practice of the profession within the organization,” eachindividual internal auditor need not possess all competencies and abilities in each knowledge area.It is the responsibility of the CAE to insure that the IAA collectively possesses or have access tothe needed competencies and abilities. When assigning staff to an audit, the CAE must considerwhether they are qualified and competent in the areas being audited. This implies that differentcompetencies and knowledge are appropriate for those in different staff levels in the IAA. Anassessment of auditor abilities and competencies within the IAA should be completed annually toensure the staff remains proficient and current, collectively and individually.
306 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
This chapter addresses respondents’ perception of the importance of a set of competencies andknowledge areas to their job performance at their staff level in the IAA. Respondents were alsoasked to determine those competencies that change in importance as one goes up the IAA hierarchy.Table 8-1 lists the competencies and knowledge areas developed from The IIA’s Standards,Practice Advisories, internal auditing literature, past CBOK studies, and the CBOK 2006 pilotstudy. As a guide for respondents, competencies were defined in the survey as “competenciesessential to perform certain tasks.” Respondents could not amend or add to the list of competenciesor knowledge areas provided in the survey.
Table 8-1Competencies and Knowledge Areas Included in the Survey
Competencies Knowledge Areas
Ability to promote the internal audit Accountingactivity within the organizationAnalytical (ability to work through Auditingan issue)Change management Business law and government regulationCommunication Business managementConceptual thinking Changes to professional standardsConflict resolution Enterprise risk managementCritical thinking EthicsForeign language skills FinanceKeeping up to date with professional Fraud awarenesschanges in opinions, standards, andregulationsOrganization skills GovernancePresentation skills Human resource managementProblem identification and solution Information technologyProject planning and management Internal auditing standardsReport development Managerial accountingTime management MarketingTraining and developing staff Organization cultureUnderstanding complex information Organizational systemssystemsWriting skills Strategy and business policy
Technical knowledge for your industry
______________________________________ Chapter 8: Internal Auditor Competencies 307
The Institute of Internal Auditors Research Foundation
The number of respondents answering a specific question will often differ from the 9,366 totalrespondents in this study. This is due to the following reasons:
• Not all of those that participated in the survey answered all of the questions asked. Resultsare shown and discussed only for those respondents who answered a particular surveyquestion.
• Not all questions were asked of all respondents.o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).o Some questions were asked of both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA.These more detailed summaries of results may be provided for the four categories of respondents:CAEs, Audit Managers, Audit Senior/Supervisor, and Audit Staff.
When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.For a list of groups, please refer to the inside back cover of the report. For example, Table 8-2 isthe total of all respondents for that question with a related table 8-2-1 showing the responses bygroup. A table can have more than one related table, where the second related table would beTable 8-2-2. Additional related tables may be located in Appendix 8 at the end of this chapter. Atable that is in the Appendix can be clearly identified by an “A” at the end of its number. Forexample, Table 8-3-1-A is located in Appendix 8.
Competencies
CAE Respondents
Chief audit executives (CAEs) were asked to identify the five most important competencies theyneed to possess in order to be successful as the leader of their IAA. They were also asked toidentify the five most important competencies that Audit Manager, Audit Senior/Supervisor, andAudit Staff each need to perform their jobs. The results can be used to identify similarities amongthe CAEs’ responses.
Successful completion of the IAA annual plan requires that the internal auditor staff possess theproper competencies crucial for the nature and extent of the activities performed at various levels
308 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
of responsibility. Practice Advisory 2030-1, Resource Management, suggests that CAEs select“individuals who are qualified and competent regarding the areas being audited and in applyinginternal auditing skills.” From the eighteen competencies that were listed in this question, CAEswere asked to indicate the five most important for various professional staff levels in the IAA.Table 8-2 provides an overall view of the skills that CAEs commonly chose as important for thoseperforming internal auditing activities at the CAE, Audit Manager, Audit Senior/Supervisor, andAudit Staff levels. Their responses are presented in percentages by frequency of response. Highpercentages in Table 8-2 indicate the competencies received strong common support from CAEsregarding the importance of these competencies.
Table 8-2Most Important Competencies by Staff Level
CAE Respondents (2,092 ) in Percentages
CAE Audit Audit AuditManager Senior/ Staff
Supervisor
Ability to promote the internal audit activity within 78.1 28.3 10.9 9.3the organizationAnalytical (ability to work through an issue) 24.9 31.5 47.7 63.9Change management 34.7 20.4 7.6 4.1Communication 60.3 46.7 43.2 51.9Conceptual thinking 38.0 20.7 16.1 17.8Conflict resolution 41.2 35.3 20.2 7.2Critical thinking 31.3 26.3 31.0 43.9Foreign language skills 13.4 10.8 8.1 12.4Keeping up to date with professional changes in 41.3 31.0 22.9 22.5opinions, standards, and regulationsOrganization skills 30.3 27.9 22.0 20.9Presentation skills 37.4 25.5 15.5 13.0Problem identification and solution 21.6 23.8 34.5 47.0Project planning and management 24.7 35.7 24.3 7.1Report development 13.0 23.0 27.3 22.1Time management 15.8 18.7 28.2 40.2Training and developing staff 30.1 38.2 20.9 2.6Understanding complex information systems 12.4 14.9 16.1 16.3Writing skills 23.6 24.2 32.0 51.0
Note: Each CAE respondent was able to select five most important competencies from the provided list for each stafflevel.
______________________________________ Chapter 8: Internal Auditor Competencies 309
The Institute of Internal Auditors Research Foundation
CAEs identified communication as highly important for all staff levels. This supports PracticeAdvisory 1210-1, Proficiency, which states, “Internal auditors should be skilled in oral and writtencommunication.” Foreign language skills was the only competency identified as being of lowimportance for all staff levels.
The other 16 competencies show changing relative importance when going up or down the stafflevels of the IAA. This is in keeping with the intent of the Standards, which suggests that skills andcompetencies vary in importance among the staff of the IAA.
Important Competencies Identified by CAEs for Staff Levels
As shown in Table 8-2, there is relative consistency in the identification of the most importantcompetencies for the Audit Staff and the Audit Senior/Supervisor levels. This is not the case forthe Audit Manager and CAE positions which have increasing oversight responsibility.
Keeping current with professional changes is important for all members of the IAA. Standard1230, Continuing Professional Development, states that internal auditors “...enhance their knowledge,skills, and other competencies through continuing professional development.” Despite the criticalnature of the acquisition of knowledge for the success of the IAA as a whole, this competency wasnot commonly indicated by CAE respondents as one of the most important for any of the stafflevels.
CAE
When looking at Table 8-2, the two highest percentages for CAEs are the ability to promote theIAA within the organization (78.1%) and communication (60.3%). This is consistent with Standard2000, Managing the Internal Audit Activity, which states that the CAE “...should effectively managethe internal audit activity to ensure it adds value to the organization.” Standard 2020, Communicationand Approval, states, “The chief audit executive should communicate the internal audit activity’splans…to senior management and to the board for review and approval.” Standard 2060, Reportingto the Board and Senior Management, states, “The chief audit executive should report periodicallyto the board and senior management on the internal audit activity’s purpose, authority, responsibility,and performance relative to its plan. Reporting should also include significant risk exposures andcontrol issues, corporate governance issues, and other matters needed or requested by the boardand senior management.”
310 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
The major role the CAE respondents identified for themselves is to communicate and promote theIAA to senior members of management and the board. CAE respondents commonly indicated themost important competencies that they should possess are:
• Ability to promote the IAA within the organization (78.1%).• Communication (60.3%).• Keeping up to date with professional changes in opinions, standards, and regulations (41.3%).• Conflict resolution (41.2%).• Conceptual thinking (38.0%).
While CAEs strongly support their perception of the most important competencies at their level,the majority of the respondents also show that a wide range of other competencies are valued.CAEs should also excel in presentation skills (37.4%) and change management (34.7%). CAEsdid not identify time management (15.8%), foreign language skills (13.4%), report development(13.0%), and understanding complex information systems (12.4%) as important for someone intheir position to possess.
Audit Manager
CAE respondents identified the following competencies as most important for Audit Managers:
• Communication (46.7%)• Training and developing staff (38.2%)• Project planning and management (35.7%)• Conflict resolution (35.3%)• Analytical (31.5%)• Keeping up to date with professional changes in opinions, the Standards, and regulations
(31.0%)
Communication skills are perceived by the CAE respondents as an essential part of the AuditManager’s skills. Competencies that CAEs did not identify as critical for Audit Managers arechange management (20.4%), time management (18.7%), understanding complex informationsystems (14.9%), and foreign language skills (10.8%).
______________________________________ Chapter 8: Internal Auditor Competencies 311
The Institute of Internal Auditors Research Foundation
At the Audit Manager level, some skills learned at lower levels are mastered. As indicated in Table8-2, skills for which CAE respondents believe relative importance diminishes from Audit Staff toAudit Manager levels are:
• Analytical (from 63.9% to 31.5%).• Writing skills (from 51.0% to 24.2%).• Problem identification and solution (from 47.0% to 23.8%).• Time management (from 40.2% to 18.7%).
Comparing data related to Audit Managers with those of Audit Staff, skills that show a trend ofincreasing importance are:
• Training and developing staff (2.6% to 38.2%).• Project planning and management (7.1% to 35.7%).• Conflict resolution (7.2% to 35.3%).• Ability to promote the IAA within the organization (9.3% to 28.3%).
Audit Senior/Supervisor
For the Audit Senior/Supervisor, CAEs commonly indicated that the most important competencieswere:
• Analytical (47.7%).• Communication (43.2%).• Problem identification and solution (34.5%).• Writing skills (32.0%).• Critical thinking (31.0%).
Even though not commonly identified as one of the most important competencies for Audit Senior/Supervisor, note that CAEs respondents gave higher percentages for report development (27.3%),project planning (24.3%), and training and developing staff (20.9%) for the Audit Senior/Supervisorlevel than for Audit Staff. Competencies that CAEs do not consider critical for Audit Senior/Supervisor are presentation skills (15.5%), ability to promote the IAA (10.9%), foreign languageskills (8.1%), and change management (7.6%).
312 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Audit Staff
In Table 8-2 the competency commonly indicated as the most important by CAEs for the AuditStaff is analytical (ability to work through an issue) (63.9%). This supports Standard 2320, Analysisand Evaluation, which states that internal auditors “base conclusions and engagement results onappropriate analyses and evaluations.” The CAE respondents indicated the following as the mostimportant competencies for the Audit Staff level:
• Analytical (63.9%)• Communication (51.9%)• Writing skills (51.0%)• Problem identification and solution (47.0%)• Critical thinking (43.9%)
Competencies that CAEs indicate are not as critical for Audit Staff members to possess at thispoint in their internal auditing career are conflict resolution (7.2%), project planning and management(7.1%), change management (4.1%), and training and developing staff (2.6%).
CAE Respondents by Staff Level for Groups
Tables 8-2-1 (CAE), 8-2-2 (Audit Manager), 8-2-3 (Audit Senior/Supervisor), and 8-2-4 (AuditStaff) show CAE respondents’ percentages for the five most important competencies for the 13groups.
Table 8-2-1 highlights the competencies CAEs value for their own job performance. Overwhelmingly,CAEs in all groups find it critically important to be able to promote the IAA within the organizationand to have the ability to communicate in general. CAEs indicate variability in importance by groupon their competencies in change management, conceptual thinking, foreign language skills, reportdevelopment, and time management.
______________________________________ Chapter 8: Internal Auditor Competencies 313
The Institute of Internal Auditors Research Foundation
Tabl
e 8-2
-1Fi
ve M
ost I
mpo
rtan
t Com
pete
ncie
s for
CA
E b
y G
roup
s*C
AE
Res
pond
ents
in P
erce
ntag
e
Com
pete
ncie
s1
23
45
67
89
1011
12N
/C**
Abi
lity
to p
rom
ote
the
75.1
84.0
88.8
80.2
80.6
80.3
80.7
82.3
80.0
64.3
72.5
75.0
71.0
inte
rnal
aud
it ac
tivity
with
in th
e or
gani
zatio
nA
naly
tical
(abi
lity
to21
.021
.020
.139
.533
.919
.737
.726
.320
.035
.727
.50.
025
.2w
ork
thro
ugh
an is
sue)
Cha
nge m
anag
emen
t28
.137
.053
.733
.726
.734
.353
.544
.440
.04.
853
.637
.528
.2C
omm
unic
atio
n67
.064
.260
.452
.349
.148
.955
.362
.045
.076
.260
.937
.548
.9C
once
ptua
l thi
nkin
g37
.045
.741
.024
.458
.243
.832
.532
.037
.516
.755
.125
.029
.8C
onfli
ct re
solu
tion
37.5
37.0
38.8
40.7
53.3
42.3
39.5
51.1
42.5
14.3
47.8
75.0
36.6
Crit
ical
thin
king
31.1
32.1
26.9
30.2
33.9
24.8
35.1
31.2
37.5
40.5
46.4
12.5
26.0
Fore
ign
lang
uage
skill
s2.
62.
52.
231
.432
.713
.938
.625
.927
.511
.914
.50.
012
.2K
eepi
ng u
p to
dat
e w
ith40
.437
.038
.852
.341
.829
.253
.545
.535
.031
.046
.450
.038
.9pr
ofes
sion
al ch
ange
sin
opi
nion
s, st
anda
rds,
and
regu
latio
nsO
rgan
izat
ion
skill
s20
.922
.226
.938
.450
.933
.634
.246
.627
.531
.031
.925
.026
.0Pr
esen
tatio
n sk
ills
44.3
39.5
39.6
30.2
41.8
19.7
24.6
30.5
40.0
47.6
39.1
37.5
29.0
Prob
lem
iden
tific
atio
n13
.723
.514
.936
.031
.514
.627
.235
.337
.526
.229
.012
.519
.1an
d so
lutio
nPr
ojec
t pla
nnin
g an
d20
.023
.528
.438
.433
.913
.136
.032
.035
.011
.930
.40.
017
.6m
anag
emen
tR
epor
t de
velo
pmen
t8.
17.
47.
524
.421
.22.
226
.320
.722
.54.
820
.325
.015
.3Ti
me m
anag
emen
t10
.412
.39.
031
.433
.910
.218
.422
.622
.52.
420
.30.
016
.8Tr
aini
ng an
d24
.927
.226
.944
.241
.225
.535
.138
.735
.033
.333
.312
.523
.7de
velo
ping
staf
fU
nder
stan
ding
8.4
9.9
9.0
15.1
21.2
5.1
26.3
13.9
20.0
7.1
20.3
12.5
17.6
com
plex
info
rmat
ion
syst
ems
Writ
ing
skill
s27
.024
.725
.418
.627
.913
.123
.719
.520
.019
.027
.50.
018
.3*F
or a
lis
t of
gro
ups,
ple
ase
see
the
insi
de b
ack
cove
r.**
N/C
= R
espo
nden
ts d
id n
ot i
ndic
ate
affi
liate
or
chap
ter
mem
bers
hip.
Not
e: E
ach
CA
E re
spon
dent
was
abl
e to
sel
ect
five
mos
t im
port
ant
com
pete
ncie
s fr
om t
he p
rovi
ded
list
for
each
sta
ff l
evel
.
314 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
In Table 8-2-2 for Audit Manager, CAE respondents selected communication, project planning andmanagement, and training and developing staff as the most important skills for this staff level.While there is generally consistency among the CAE respondents within the groups about theimportance of most of the competencies for Audit Manager, there are some outliers that place lessweight on certain competencies. In group 10, CAEs’ percentage for training and staff developmentis only 14.3% while the next lowest value was 25.0% for CAEs in group 12. CAEs in six othergroups have values of 40% or higher for training and staff development. CAEs in ten groups hadpercentages of 30% or more for project planning and management, but CAEs in groups 12 (12.5%)and 6 (21.2%) had far fewer CAEs selecting this competency as being important for Audit Manager.CAEs in group 2 (11.1%) had fewer respondents selecting change management as important thanCAEs in groups 4 (50%) and 12 (62.5%).
______________________________________ Chapter 8: Internal Auditor Competencies 315
The Institute of Internal Auditors Research Foundation
Tabl
e 8-2
-2M
ost I
mpo
rtan
t Com
pete
ncie
s for
Aud
it M
anag
er b
y G
roup
s*C
AE
Res
pond
ents
in P
erce
ntag
es
Com
pete
ncie
s1
23
45
67
89
1011
12N
/C**
Abi
lity
to p
rom
ote
the
23.6
32.1
39.6
33.7
23.6
26.3
40.4
31.2
32.5
28.6
29.0
37.5
29.0
inte
rnal
aud
it ac
tivity
with
in t
he o
rgan
izat
ion
Ana
lytic
al (
abili
ty t
o27
.830
.933
.645
.336
.423
.439
.531
.217
.538
.144
.937
.533
.6w
ork
thro
ugh
an is
sue)
Cha
nge
man
agem
ent
14.7
11.1
20.9
50.0
21.8
14.6
29.8
27.1
25.0
14.3
21.7
62.5
22.1
Com
mun
icat
ion
48.5
53.1
56.7
58.1
39.4
37.2
41.2
44.4
32.5
50.0
53.6
50.0
42.7
Con
flict
res
olut
ion
31.6
32.1
35.8
57.0
38.8
28.5
36.8
39.5
42.5
14.3
47.8
37.5
36.6
Crit
ical
thi
nkin
g23
.423
.529
.926
.726
.125
.532
.528
.230
.031
.034
.812
.527
.5C
once
ptua
l th
inki
ng16
.218
.519
.424
.425
.524
.125
.426
.330
.04.
830
.437
.520
.6Fo
reig
n la
ngua
ge sk
ills
1.7
2.5
0.7
29.1
20.0
10.2
24.6
24.1
17.5
9.5
15.9
0.0
16.8
Kee
ping
up
to d
ate
26.1
25.9
35.8
40.7
31.5
25.5
45.6
38.0
32.5
26.2
36.2
25.0
29.8
with
pro
fess
iona
lch
ange
s in
opi
nion
s,st
anda
rds,
and
regu
latio
nsO
rgan
izat
ion
skill
s23
.319
.826
.953
.540
.624
.823
.732
.332
.514
.333
.312
.529
.0Pr
esen
tatio
n sk
ills
23.9
21.0
31.3
30.2
25.5
19.0
26.3
25.2
20.0
23.8
47.8
0.0
28.2
Prob
lem
ide
ntifi
catio
n18
.824
.726
.129
.126
.713
.928
.133
.525
.023
.833
.337
.525
.2an
d so
lutio
nPr
ojec
t pla
nnin
g an
d36
.139
.535
.143
.040
.021
.236
.838
.045
.031
.033
.312
.531
.3m
anag
emen
tR
epor
t de
velo
pmen
t22
.728
.425
.420
.923
.013
.130
.728
.215
.04.
826
.125
.019
.8Ti
me
man
agem
ent
13.7
16.0
11.2
32.6
30.3
10.2
28.1
24.8
22.5
4.8
31.9
0.0
21.4
Trai
ning
and
40.2
48.1
48.5
47.7
30.3
32.1
41.2
31.2
35.0
14.3
52.2
25.0
32.8
deve
lopi
ng s
taff
Und
erst
andi
ng11
.614
.815
.718
.614
.58.
828
.117
.312
.59.
521
.725
.020
.6co
mpl
ex i
nfor
mat
ion
syst
ems
Writ
ing
skill
s29
.125
.926
.117
.419
.412
.424
.620
.715
.023
.830
.40.
022
.1*F
or a
lis
t of
gro
ups,
ple
ase
see
the
insi
de b
ack
cove
r.**
N/C
= R
espo
nden
ts d
id n
ot i
ndic
ate
affi
liate
or
chap
ter
mem
bers
hip.
Not
e: E
ach
CA
E re
spon
dent
was
abl
e to
sel
ect
five
mos
t im
port
ant
com
pete
ncie
s fr
om t
he p
rovi
ded
list
for
each
sta
ff l
evel
.
316 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 8-2-3 highlights the CAE respondents’ group results for Audit Senior/Supervisor. There isrelative consistency among the CAEs’ selections of the most important and least importantcompetencies for this staff level. CAEs in group 12 did not support the importance of changemanagement, foreign language skills, presentation skills, or writing skills (00.0%). CAEs in group 4consider project planning and management to be very important (40.7%), but only 9.1% CAEs ingroup 5 selected this competency to be one of the top five competencies. CAEs in group 3 believethat writing skills are important (41.0%), but CAEs in group 4 believe they are less significant forthe Audit Senior/Supervisor (17.4%). CAEs in group 7 believe that keeping up to date withprofessional changes in opinions, standards, and regulations is fundamental (42.1%), but CAEs ingroup 10 believes that this element is not critical for the Audit Senior/Supervisor (14.3%).
______________________________________ Chapter 8: Internal Auditor Competencies 317
The Institute of Internal Auditors Research Foundation
Tabl
e 8-2
-3M
ost I
mpo
rtan
t Com
pete
ncie
s for
Aud
it Se
nior
/Sup
ervi
sor b
y G
roup
s*C
AE
Res
pond
ents
in P
erce
ntag
es
Com
pete
ncie
s1
23
45
67
89
1011
12N
/C**
Abi
lity
to p
rom
ote
the
8.1
8.6
16.4
23.3
6.7
5.8
18.4
9.0
22.5
14.3
15.9
25.0
16.0
inte
rnal
aud
it ac
tivity
with
in t
he o
rgan
izat
ion
Ana
lytic
al (
abili
ty t
o46
.251
.956
.757
.043
.051
.851
.844
.047
.554
.849
.375
.039
.7w
ork
thro
ugh
an is
sue)
Cha
nge
man
agem
ent
4.8
4.9
2.2
25.6
10.3
5.8
15.8
9.0
17.5
7.1
10.1
0.0
5.3
Com
mun
icat
ion
44.6
43.2
51.5
53.5
40.6
38.7
37.7
32.0
42.5
42.9
59.4
62.5
45.0
Con
flict
res
olut
ion
17.5
14.8
20.1
32.6
17.0
21.9
28.1
22.9
25.0
14.3
29.0
50.0
16.8
Crit
ical
thi
nkin
g31
.522
.220
.925
.630
.338
.036
.837
.227
.533
.321
.712
.529
.8C
once
ptua
l th
inki
ng12
.811
.110
.425
.613
.921
.219
.322
.227
.57.
121
.712
.518
.3Fo
reig
n la
ngua
ge sk
ills
1.7
1.2
1.5
20.9
12.1
11.7
14.0
20.7
17.5
7.1
10.1
0.0
8.4
Kee
ping
up
to d
ate
14.5
16.0
21.6
36.0
27.9
25.5
42.1
33.8
37.5
14.3
27.5
37.5
19.1
with
pro
fess
iona
lch
ange
s in
opi
nion
s,st
anda
rds,
and
regu
latio
nsO
rgan
izat
ion
skill
s24
.118
.517
.929
.116
.421
.923
.721
.120
.09.
530
.412
.519
.1Pr
esen
tatio
n sk
ills
10.3
13.6
14.2
29.1
15.2
18.2
22.8
20.3
17.5
14.3
30.4
0.0
16.8
Prob
lem
ide
ntifi
catio
n31
.437
.042
.552
.333
.327
.736
.834
.237
.533
.346
.437
.532
.1an
d so
lutio
nPr
ojec
t pla
nnin
g an
d26
.629
.631
.340
.79.
124
.121
.920
.320
.014
.330
.412
.519
.8m
anag
emen
tR
epor
t de
velo
pmen
t25
.323
.535
.823
.324
.214
.640
.437
.627
.519
.027
.525
.023
.7Ti
me
man
agem
ent
25.3
30.9
38.8
40.7
24.8
23.4
28.9
31.6
35.0
9.5
44.9
12.5
23.7
Trai
ning
and
dev
elop
ing
22.2
24.7
25.4
38.4
13.3
11.7
29.8
13.9
27.5
11.9
24.6
25.0
18.3
staf
fU
nder
stan
ding
com
plex
11.4
14.8
17.2
20.9
18.2
20.4
21.1
21.1
22.5
4.8
23.2
25.0
17.6
info
rmat
ion
syst
ems
Writ
ing
skill
s36
.532
.141
.017
.426
.129
.231
.626
.722
.523
.839
.10.
029
.0*F
or a
lis
t of
gro
ups,
ple
ase
see
the
insi
de b
ack
cove
r.**
N/C
= R
espo
nden
ts d
id n
ot i
ndic
ate
affi
liate
or
chap
ter
mem
bers
hip.
Not
e: E
ach
CA
E re
spon
dent
was
abl
e to
sel
ect
five
mos
t im
port
ant
com
pete
ncie
s fr
om t
he p
rovi
ded
list
for
each
sta
ff l
evel
.
318 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 8-2-4 shows that for Audit Staff there are uniformly low percentages for training anddeveloping staff, project planning and management, change management, and conflict resolution.CAE respondents consider analytical ability and communication to be by far the most importantcompetencies for the Audit Staff in all groups.
There is variability among the CAE respondents among some groups for some competencies.Foreign language skills vary from a low of 3.2% in group 1 to a high of 29.1% for group 4. Group6 believes that critical thinking is very important for Audit Staff (58.4 %) while group 4 considersthis much less important (19.8%). Keeping up to date with professional changes in opinions,standards, and regulations is considered vital by responding CAEs in group 7 (51.8%) and significantlyless important for group 1 (10.4%). While responding CAEs in Group 4 believe that presentationskills are very important (50.0%) for Audit Staff, no CAEs in group 12 selected this competency asimportant. The range of percentages for responding CAEs for report development is 8.0% forgroup 6 to 59.3% for group 4.
______________________________________ Chapter 8: Internal Auditor Competencies 319
The Institute of Internal Auditors Research Foundation
Tabl
e 8-2
-4M
ost I
mpo
rtan
t Com
pete
ncie
s for
Aud
it St
aff M
embe
rs b
y G
roup
s*C
AE
Res
pond
ents
in P
erce
ntag
es
Com
pete
ncie
s1
23
45
67
89
1011
12N
/C**
Abi
lity
to p
rom
ote
the
6.6
7.4
16.4
10.5
4.8
8.0
15.8
9.0
27.5
9.5
13.0
25.0
12.2
inte
rnal
aud
it ac
tivity
with
in t
he o
rgan
izat
ion
Ana
lytic
al (
abili
ty t
o68
.467
.970
.941
.966
.165
.759
.657
.570
.071
.459
.450
.051
.1w
ork
thro
ugh
an is
sue)
Cha
nge
man
agem
ent
2.6
1.2
1.5
10.5
6.7
4.4
8.8
6.4
7.5
2.4
1.4
0.0
2.3
Com
mun
icat
ion
58.1
53.1
61.9
45.3
61.2
46.0
41.2
30.1
57.5
57.1
58.0
62.5
47.3
Con
cept
ual
thin
king
13.7
14.8
9.0
29.1
13.9
19.7
30.7
29.3
25.0
11.9
18.8
25.0
14.5
Con
flict
res
olut
ion
5.9
2.5
6.7
11.6
12.7
9.5
7.9
7.9
10.0
2.4
7.2
12.5
4.6
Crit
ical
thi
nkin
g47
.438
.334
.319
.839
.458
.445
.649
.230
.050
.033
.337
.537
.4Fo
reig
n la
ngua
ge sk
ills
3.2
3.7
5.2
29.1
21.8
23.4
14.9
27.8
22.5
9.5
14.5
12.5
11.5
Kee
ping
up
to d
ate
with
10.4
17.3
25.4
38.4
30.9
27.7
51.8
30.8
37.5
23.8
20.3
12.5
26.0
prof
essi
onal
cha
nges
inop
inio
ns,
stan
dard
s, a
ndre
gula
tions
Org
aniz
atio
n sk
ills
33.3
16.0
13.4
18.6
6.7
13.9
15.8
12.4
17.5
2.4
21.7
0.0
9.9
Pres
enta
tion
skill
s7.
19.
910
.450
.016
.46.
616
.715
.015
.023
.815
.90.
019
.8Pr
oble
m i
dent
ifica
tion
51.5
59.3
52.2
51.2
41.8
44.5
39.5
37.6
47.5
42.9
47.8
25.0
39.7
and
solu
tion
Proj
ect p
lann
ing
and
7.2
11.1
11.2
9.3
4.8
5.1
7.0
6.0
5.0
9.5
5.8
0.0
6.9
man
agem
ent
Rep
ort
deve
lopm
ent
13.4
17.3
17.9
59.3
26.7
8.0
30.7
36.5
37.5
19.0
23.2
37.5
26.0
Tim
e m
anag
emen
t46
.250
.658
.250
.025
.529
.929
.835
.335
.011
.942
.050
.029
.8Tr
aini
ng a
nd1.
10.
01.
511
.63.
01.
53.
54.
15.
02.
45.
80.
03.
1de
velo
ping
sta
ffU
nder
stan
ding
com
plex
9.6
9.9
11.9
34.9
20.0
24.8
24.6
19.9
30.0
14.3
18.8
25.0
20.6
info
rmat
ion
syst
ems
Writ
ing
skill
s53
.755
.658
.247
.757
.045
.354
.446
.242
.538
.153
.637
.537
.4
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.N
ote:
Eac
h C
AE
resp
onde
nt w
as a
ble
to s
elec
t fi
ve m
ost
impo
rtan
t co
mpe
tenc
ies
from
the
pro
vide
d lis
t fo
r ea
ch s
taff
lev
el.
320 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Practitioner Respondents
The Practitioners were asked to indicate the importance of each of the eighteen competencies toperforming their jobs at their current position in their organization. The scale used to determine thelevel of importance was 1 (minimally important) to 5 (very important). Table 8-3 shows the meanresponses by Practitioners for the eighteen competencies.
Table 8-3Importance of Competencies to Perform Work
Practitioner Respondents in Means*
Competencies Audit Audit AuditManager Senior/ Staff
Supervisor
Ability to promote the internal audit activity 4.32 4.15 4.11within the organizationAnalytical (ability to work through an issue) 4.52 4.53 4.45Change management 4.03 3.89 3.72Communication 4.61 4.59 4.54Conceptual thinking 4.33 4.29 4.25Conflict resolution 4.27 4.24 4.13Critical thinking 4.48 4.43 4.36Foreign language skills 2.59 2.54 2.66Keeping up to date with professional changes 4.05 4.01 4.02in opinions, standards, and regulationsOrganization skills 4.15 4.13 4.13Presentation skills 4.13 4.03 4.02Problem identification and solution 4.50 4.48 4.44Project planning and management 4.13 4.02 3.84Report development 4.31 4.27 4.19Time management 4.26 4.25 4.21Training and developing staff 4.06 3.74 3.56Understanding complex information systems 3.79 3.73 3.65Writing skills 4.49 4.47 4.39
*The mean is the average response to: 1 = minimally important to 5 = very important.Note: Not all respondents answered for all the competencies. Total number of respondents was between 4,693 and4,735.
______________________________________ Chapter 8: Internal Auditor Competencies 321
The Institute of Internal Auditors Research Foundation
As indicated by only marginal differences in the means, Practitioners consider almost all of thecompetencies equally important across the positional levels in the IAA. The only categories whichshow some change between the Audit Staff level and the Audit Manager level are:
• Ability to promote the IAA within the organization (4.11 to 4.32).• Project planning and management (3.84 to 4.13).• Change management (3.72 to 4.03).• Training and developing staff (3.56 to 4.06).
The competency categories for all levels with the most means below 4.0 are:
• Foreign language skills (the lowest score of all categories analyzed with means between2.54 and 2.66).
• Understanding complex information systems (second lowest mean for all levels but stillsomewhat important with means of 3.65 to 3.79).
• Training and developing staff (a mean higher than 4.0 only for the Audit Manager category).• Change management (a mean higher than 4.0 only for the Audit Manager category).• Project planning and management (a mean higher than 4.0 for the Audit Senior /Supervisor
and Audit Manager categories).
Table 8-4 shows the ranking of the competency means for Practitioners. The consistent rankingsamong the Audit Manager, Audit Senior/Supervisor, and Audit Staff levels are striking. Practitionersindicate that many of the competencies are equally important across the hierarchical scale in theIAA with only marginal differences in the ranks. The results highlight some similarities with theresponses of the CAE group. Communication is the most important for all professional levels. Thisis consistent with Standard 2420, Quality of Communication, which states, “Communications shouldbe accurate, objective, clear, concise, constructive, complete, and timely.” This standard appliesfor all internal auditors. The foreign language skills competency is indicated by respondents as theleast important for all Practitioners at all staff levels.
322 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 8-4Rankings of the Competencies by Staff Level
Practitioner Respondents by Rank
Competencies Audit Audit AuditManager Senior/ Staff
Supervisor
Ability to promote the internal audit activity 7 10 11within the organizationAnalytical (ability to work through an issue) 2 2 2Change management 16 15 15Communication 1 1 1Conceptual thinking 6 6 6Conflict resolution 9 9 9/10Critical thinking 5 5 5Foreign language skills 18 18 18Keeping up to date with professional changes 15 14 12/13in opinions, standards, and regulationsOrganization skills 11 11 9/10Presentation skills 12/13 12 12/13Problem identification and solution 3 3 3Project planning and management 12/13 13 14Report development 8 7 8Time management 10 8 7Training and developing staff 14 16 17Understanding complex information systems 17 17 16Writing skills 4 4 4
Note: In some cases the rankings were tied. For example, rankings of conflict resolution and organization skills at theAudit Staff level were tied.
______________________________________ Chapter 8: Internal Auditor Competencies 323
The Institute of Internal Auditors Research Foundation
CAEs and Practitioners seem to approach the competencies differently. CAEs appear to be viewingcompetencies appropriate for a positional level from a department manager’s perspective, whilePractitioners appear to view the need for a variety of competencies necessary for their success.For Audit Managers especially, the difference between the CAE and the Audit Manager responsesis noticeable for the following competencies: training and development, project planning, writingskills, problem identification and solution, and keeping up to date with professional changes inopinions, standards, and regulations. The differences for the Audit Manager level may be reflectiveof the transition from more operational duties to managerial duties. (CAEs and Practitioners wereasked to rank the same list of competencies but their methods differed. CAEs indicated the fivemost important competencies for each audit staff level, while Practitioners ranked each competencyas it related to the competency’s importance for themselves to do their job.)
Practitioner Rankings by Groups
In Appendix 8, Tables 8-3-1-A (Audit Manager), 8-3-2-A (Audit Senior/Supervisor), and 8-3-3-A(Audit Staff) show Practitioner responses for competencies broken out for the 13 groups. Foreignlanguage skills are universally the lowest ranked competency. For all groups, analytical ability,communication, and problem identification and solution are the only abilities to receive meansabove 4.0 for all three staff levels. For the three staff levels, understanding complex informationsystems has a mean of more than 4.0 for only seven groups. In general after taking out the veryhigh and very low outliers among the groups, the responses show the perception that many skillsare important to the respondents regardless of where they reside. Considering the contents of TheIIA’s Code of Ethics and the Standards, the uniformity of this perception among practitionersglobally is very important. These tables indicate that the findings are relatively consistent betweenthe groups for the three staff levels.
Areas of Knowledge
Standard 1210, Proficiency states, “Internal auditors should possess the knowledge …needed toperform their individual responsibilities.” Practice Advisory 1210-1, Proficiency, states, “Proficiencymeans the ability to apply knowledge to situations likely to be encountered and to deal with themwithout extensive recourse to technical research and assistance.” This section looks at 19 areas ofknowledge to determine which are important to internal auditors for the satisfactory performanceof their job at staff positions in the IAA.
324 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Certain areas of knowledge are emphasized in the Standards and expanded upon in the PracticeAdvisories:
• Attribute Standard 1210 – “Internal auditors should possess the knowledge, skills, andother competencies needed to perform their individual responsibilities.”
• Attribute Standard 1210.A1 – “The chief audit executive should obtain competent adviceand assistance if the internal audit staff lacks the knowledge…needed to perform all orpart of the engagement.”
• Practice Advisory 1210-1 – “An appreciation is required of the fundamentals of subjectssuch as accounting, economics, commercial law, taxation, finance, quantitative methods,and information technology.”
• Practice Advisory 1210-1 – “Proficiency in accounting principles and techniques is requiredof auditors who work extensively with financial records and reports.”
• Practice Advisory 1210-1 – “An understanding of management principles is required.”
The areas of knowledge for this question were identified by reviewing the Standards and PracticeAdvisories, internal auditing literature, past CBOK studies, and the current CBOK 2006 pilotstudy. Based on this review, nineteen areas of knowledge were identified as being important forinternal auditors. The Practitioner Questionnaire asked respondents to indicate the importance ofthese nineteen areas of knowledge to perform their work at their current position in their organizationon a scale of 1 (minimally important) to 5 (very important). Respondents were unable to amend oradd to the list. Table 8-5 shows an analysis of the three professional levels Audit Manager, AuditSenior/Supervisor, and Audit Staff. In Appendix 8, Tables 8-5-1-A (Audit Manager), 8-5-2-A (AuditSenior/Supervisor), and 8-5-3-A (Audit Staff) list the areas of knowledge in descending order bymean.
______________________________________ Chapter 8: Internal Auditor Competencies 325
The Institute of Internal Auditors Research Foundation
Table 8-5Importance of Areas of Knowledge to Perform Work
Practitioner Respondents in Means*
Areas of Knowledge Audit Audit AuditManager Senior/ Staff
Supervisor
Accounting 3.83 3.77 3.71Auditing 4.68 4.66 4.61Business law and government regulation 3.68 3.70 3.68Business management 3.75 3.60 3.53Changes to professional standards 3.71 3.64 3.68Enterprise risk management 3.85 3.74 3.71Ethics 4.21 4.18 4.26Finance 3.70 3.68 3.64Fraud awareness 4.00 3.93 3.91Governance 3.95 3.80 3.77Human resource management 3.44 3.23 3.15Information technology 3.85 3.84 3.79Internal auditing standards 4.19 4.19 4.24Managerial accounting 3.35 3.30 3.27Marketing 2.70 2.60 2.64Organization culture 3.91 3.79 3.82Organizational systems 3.75 3.76 3.78Strategy and business policy 3.73 3.61 3.60Technical knowledge for your industry 3.97 3.92 3.96
*The mean is the average response to: 1 = minimally important to 5 = very important.NOTE: Not all respondents answered for all the knowledge areas. Total number of respondents was between 4,711 and4,751.
The means in Table 8-5 and the rankings in Table 8-6 indicate that knowledge of auditing isoverwhelmingly ranked first for all Practitioner respondents (4.61 to 4.68 for the Audit Staff throughAudit Manager). Ethics is ranked second (4.21 to 4.26) by all levels except for Audit Senior/Supervisor (4.18, ranked 3). Areas of knowledge consistently ranked in the top five for all Practitionerrespondents are internal auditing standards, which is ranked second or third by all staff levels,technical knowledge for your industry (3.92 to 3.97), and fraud awareness (3.91 to 4.00), whichare ranked either fourth or fifth for all Practitioner respondents.
326 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
There is unanimity in the ranking of the least important areas of knowledge for all Practitionerrespondents. Marketing at 19 is ranked the lowest (2.60 to 2.70), and human resource management(3.15 to 3.44) and managerial accounting (3.27 to 3.35) are ranked either 18 or 17 for all respondents.For the other areas of knowledge listed, Practitioner rankings vary.
Table 8-6Importance of Areas of Knowledge to Perform Work
Practitioner Respondents by Staff Level
Areas of Knowledge Audit Audit AuditManager Senior/ Staff
Supervisor
Accounting 10 9 10Auditing 1 1 1Business law and government regulation 16 12 12Business management 11 16 16Changes to professional standards 14 14 13Enterprise risk management 8 11 11Ethics 2 3 2Finance 15 13 14Fraud awareness 4 4 5Governance 6 7 9Human resource management 17 18 18Information technology 9 6 7Internal auditing standards 3 2 3Managerial accounting 18 17 17Marketing 19 19 19Organization culture 7 8 6Organizational systems 12 10 8Strategy and business policy 13 15 15Technical knowledge for your industry 5 5 4
______________________________________ Chapter 8: Internal Auditor Competencies 327
The Institute of Internal Auditors Research Foundation
Audit Manager
Looking at Table 8-5-1, the five most important areas of knowledge that Audit Managers indicatethey should possess are:
1. Auditing (4.68).2. Ethics (4.21).3. Internal auditing standards (4.19).4. Fraud awareness (4.00).5. Technical knowledge for your industry (3.97).
Table 8-5-1Importance of Areas of Knowledge to Perform Work as Audit Manager
Practitioner Respondents in Means*
Areas of Knowledge Audit Manager
Auditing 4.68Ethics 4.21Internal auditing standards 4.19Fraud awareness 4.00Technical knowledge for your industry 3.97Governance 3.95Organization culture 3.91Enterprise risk management 3.85Information technology 3.85Accounting 3.83Business management 3.75Organizational systems 3.75Strategy and business policy 3.73Changes to professional standards 3.71Finance 3.70Business law and government regulation 3.68Human resource management 3.44Managerial accounting 3.35Marketing 2.70
*The mean is the average response to: 1 = minimally important to 5 = very important.
Practitioners indicated that progression in hierarchical position in the IAA from Audit Staff to AuditManager results in no significant change in areas of knowledge that are fundamental to internal
328 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
auditors’ success. Focus on business management, enterprise risk management, and governancedoes gain more importance. Marginally less crucial are business law and government regulation,information technology, and organizational systems.
Audit Senior/Supervisor
Table 8-5-2 reveals that Audit Seniors/Supervisors indicate that the five most important areas ofknowledge fundamental to their job performance are:
1. Auditing (4.66).2. Internal auditing standards (4.19).3. Ethics (4.18).4. Fraud awareness (3.93).5. Technical knowledge for your industry (3.92).
Table 8-5-2Importance of Areas of Knowledge to Perform Work as
Audit Senior/SupervisorPractitioner Respondents in Means*
Areas of Knowledge Audit Manager/Supervisor
Auditing 4.66Internal auditing standards 4.19Ethics 4.18Fraud awareness 3.93Technical knowledge for your industry 3.92Information technology 3.84Governance 3.80Organization culture 3.79Accounting 3.77Organizational systems 3.76Enterprise risk management 3.74Business law and government regulation 3.70Finance 3.68Changes to professional standards 3.64Strategy and business policy 3.61Business management 3.60Managerial accounting 3.30Human resource management 3.23Marketing 2.60
*The mean is the average response to: 1 = minimally important to 5 = very important.
______________________________________ Chapter 8: Internal Auditor Competencies 329
The Institute of Internal Auditors Research Foundation
There is no area of knowledge that becomes more significant for this level than for the Audit Staff.
Audit Staff
Table 8-5-3 shows the five most important areas of knowledge that the Audit Staff believes arefundamental for their job performance are:
1. Auditing (4.61).2. Ethics (4.26).3. Internal auditing standards (4.24).4. Technical knowledge for your industry (3.96).5. Fraud awareness (3.91).
Table 8-5-3Importance of Areas of Knowledge to Perform Work as Audit Staff
Practitioner Respondents in Means*
Areas of Knowledge Audit Staff
Auditing 4.61Ethics 4.26Internal auditing standards 4.24Technical knowledge for your industry 3.96Fraud awareness 3.91Organization culture 3.82Information technology 3.79Organizational systems 3.78Governance 3.77Accounting 3.71Enterprise risk management 3.71Business law and government regulation 3.68Changes to professional standards 3.68Finance 3.64Strategy and business policy 3.60Business management 3.53Managerial accounting 3.27Human resource management 3.15Marketing 2.64
*The mean is the average response to: 1 = minimally important to 5 = very important.
330 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Group Means for Areas of Knowledge
Tables 8-5-4-A (Audit Manager), 8-5-5-A (Audit Senior/Supervisor), and 8-5-6-A (Audit Staff)show Practitioner mean responses for areas of knowledge broken out for the 13 groups. Whenanalyzed by groups there is evidence of a wide divergence of opinion for many knowledge areas.There is a high level of consistency once very high and low rated knowledge areas by individualgroups are removed.
For Audit Managers in Table 8-5-4-A, auditing receives the highest means. Internal auditing standardshas means of 4.00 and above for all but one group and ethics is above 4.00 for all but two groups.
Group means for the Audit Senior/Supervisor level in Table 8-5-5-A are very similar to those of theAudit Staff for the high and low ranking areas of knowledge. The other areas of knowledge meansare relatively close together for most of the groups.
For the Audit Staff (Table 8-5-6-A), auditing is critical for all groups with all means above 4.24.Ethics (9 groups) and internal auditing standards (8 groups) receive rankings above 4.0 for themajority of the groups. The low rankings continue to be low for human resource management,managerial accounting, and marketing. Group 12 was the only group whose means for enterpriserisk management, ethics, organizational systems, and strategy and business policy are all 5.00,indicating the respondents in this group believe that these knowledge areas are of the highestimportance for that group’s respondents.
______________________________________ Chapter 8: Internal Auditor Competencies 331
The Institute of Internal Auditors Research Foundation
Summary
The results show that the CAEs and Practitioners consider communication as the most importantcompetency for all members of the IAA. The CAE respondents believe that ability to promote theIAA within the organization is overwhelmingly the most important competency that the CAEshould possess. The top two competencies deemed most important by the CAE for the Audit Staffand Audit Senior/Supervisor are analytical and communication. The CAEs’ responses indicate adifference among the competencies needed based on staff levels (Audit Staff, Audit Senior/Supervisor, Audit Manager, CAE) while the Practitioner responses at each staff level generallyindicate that for their current position the competencies are equally important.
When viewing the importance of competencies across the array of hierarchical positions in theIAA from CAE to the Audit Staff, the ability to promote the IAA within the organization, changemanagement, conflict resolution and training, and developing staff show a trend of increasingimportance at higher staff levels. Problem identification, time management, and writing competenciesnoticeably decline in importance as an internal auditor advances to higher staff levels.
Areas of knowledge important to the respondents’ job performance were only ranked by Practitionersand did not include CAEs in the rankings. They indicated that for all Practitioner levels, auditing isthe most important knowledge area followed by ethics and internal auditing standards. Fraudawareness and technical knowledge of the respondents’ industry are the only other competencieswith rankings in the top five for all Practitioner respondents. There are no noticeable differencesbased on comparisons of members of the audit staff and those at the Audit Senior/Supervisor level.At the manager level, enterprise risk management marginally increases in importance. There is anoverall consistency of rankings of the knowledge areas by Practitioner respondents for all stafflevels.
When comparing the data for the 13 groups, differences relate to only a few competencies andknowledge areas.
332 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
APP
EN
DIX
8Ta
ble 8
-3-1
-AIm
port
ance
of C
ompe
tenc
ies t
o Pe
rfor
m W
ork
for A
udit
Man
ager
by
Gro
ups*
Prac
titio
ner R
espo
nden
ts in
Mea
ns**
Com
pete
ncie
s1
23
45
67
89
1011
12N
/C**
*
Abi
lity
to p
rom
ote
the
4.20
4.36
4.46
4.18
4.41
4.29
4.75
4.33
4.83
4.06
4.14
4.83
4.27
inte
rnal
aud
it ac
tivity
with
in t
he o
rgan
izat
ion
Ana
lytic
al (
abili
ty t
o4.
584.
604.
544.
284.
504.
564.
664.
324.
724.
504.
374.
674.
40w
ork
thro
ugh
an is
sue)
Cha
nge
man
agem
ent
4.06
4.09
4.22
3.56
3.77
3.77
4.34
3.94
4.33
3.81
3.96
4.42
3.93
Com
mun
icat
ion
4.70
4.72
4.69
4.28
4.49
4.43
4.62
4.51
4.53
4.50
4.54
4.75
4.44
Con
flict
res
olut
ion
4.32
4.19
4.38
4.05
4.29
3.95
4.48
4.21
4.56
3.88
4.21
4.58
4.11
Crit
ical
thi
nkin
g4.
574.
474.
503.
794.
424.
414.
484.
394.
724.
444.
404.
924.
34C
once
ptua
l th
inki
ng4.
414.
454.
403.
774.
384.
344.
354.
054.
724.
384.
334.
504.
23Fo
reig
n la
ngua
ge sk
ills
1.77
1.62
2.02
3.38
3.65
3.61
3.90
3.59
4.00
3.69
3.00
3.25
3.14
Kee
ping
up
to d
ate
with
3.91
3.70
4.16
3.87
4.08
4.02
4.48
4.15
4.56
4.33
4.10
4.50
4.09
prof
essi
onal
cha
nges
inop
inio
ns,
stan
dard
s,an
d re
gula
tions
Org
aniz
atio
n sk
ills
4.21
4.07
4.14
3.62
4.08
3.93
4.35
4.20
4.39
3.94
4.00
4.33
4.03
Pres
enta
tion
skill
s4.
154.
174.
164.
004.
053.
884.
164.
114.
504.
254.
284.
504.
00Pr
oble
m i
dent
ifica
tion
4.52
4.52
4.55
4.36
4.45
4.45
4.53
4.49
4.89
4.44
4.42
4.58
4.45
and
solu
tion
Proj
ect p
lann
ing
and
4.28
4.11
4.09
3.74
4.06
3.81
4.23
3.90
4.33
4.00
4.13
4.42
3.92
man
agem
ent
Rep
ort
deve
lopm
ent
4.35
4.50
4.35
3.87
4.36
3.64
4.52
4.30
4.33
4.25
4.38
4.67
4.33
Tim
e m
anag
emen
t4.
334.
374.
433.
774.
293.
824.
394.
174.
503.
814.
444.
834.
00Tr
aini
ng a
nd4.
033.
984.
153.
864.
003.
814.
444.
064.
393.
604.
004.
504.
04de
velo
ping
sta
ffU
nder
stan
ding
3.71
4.09
3.77
3.54
3.70
3.75
4.25
3.68
4.67
3.75
3.90
4.33
3.81
com
plex
inf
orm
atio
nsy
stem
sW
ritin
g Sk
ills
4.56
4.60
4.59
3.79
4.58
4.36
4.53
4.31
4.61
4.33
4.52
4.92
4.28
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**Th
e m
ean
is t
he a
vera
ge r
espo
nse
to:
1 =
min
imal
ly i
mpo
rtan
t to
5 =
ver
y im
port
ant.
***N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.
______________________________________ Chapter 8: Internal Auditor Competencies 333
The Institute of Internal Auditors Research Foundation
8-3-
2-A
Impo
rtan
ce o
f Com
pete
ncie
s to
Perf
orm
Wor
k fo
r Aud
it Se
nior
/Sup
ervi
sor b
y G
roup
s*Pr
actit
ione
r Res
pond
ents
in M
eans
**
Com
pete
ncie
s1
23
45
67
89
1011
12N
/C**
*
Abi
lity
to p
rom
ote
the
4.06
4.08
4.24
4.28
4.18
4.15
4.48
4.04
4.36
4.24
4.09
4.71
4.28
inte
rnal
aud
it ac
tivity
with
in t
he o
rgan
izat
ion
Ana
lytic
al (
abili
ty t
o4.
584.
714.
574.
364.
564.
574.
604.
294.
554.
564.
505.
004.
42w
ork
thro
ugh
an is
sue)
Cha
nge
man
agem
ent
3.95
3.89
4.09
3.76
3.70
3.41
4.24
3.76
3.68
3.36
3.82
3.43
3.79
Com
mun
icat
ion
4.67
4.79
4.72
4.48
4.56
4.32
4.56
4.36
4.14
4.58
4.52
4.86
4.53
Con
cept
ual
thin
king
4.39
4.39
4.26
3.80
4.38
4.32
4.31
4.05
4.05
4.08
4.24
4.71
4.19
Con
flict
res
olut
ion
4.31
4.16
4.33
4.18
4.36
3.72
4.35
4.08
4.00
3.76
4.09
4.00
4.23
Crit
ical
thi
nkin
g4.
534.
534.
453.
884.
344.
434.
524.
274.
244.
404.
354.
434.
33Fo
reig
n la
ngua
ge sk
ills
1.81
1.55
1.90
3.36
3.46
3.66
3.61
3.29
3.36
3.68
2.88
2.43
3.22
Kee
ping
up
to d
ate
with
3.86
3.71
4.18
4.22
4.06
4.04
4.40
4.05
3.73
4.17
3.97
4.00
4.16
prof
essi
onal
cha
nges
inop
inio
ns,
stan
dard
s,an
d re
gula
tions
Org
aniz
atio
n sk
ills
4.23
4.26
4.14
3.48
4.10
3.83
4.33
4.01
3.73
3.71
3.74
4.57
4.11
Pres
enta
tion
skill
s4.
113.
973.
933.
944.
043.
764.
043.
993.
954.
124.
034.
003.
89Pr
oble
m i
dent
ifica
tion
4.51
4.66
4.56
4.24
4.52
4.34
4.50
4.41
4.14
4.56
4.45
5.00
4.44
and
solu
tion
Proj
ect p
lann
ing
and
4.17
4.08
4.04
3.76
3.91
3.43
4.07
3.80
3.86
4.20
4.03
4.00
3.91
man
agem
ent
Rep
ort
deve
lopm
ent
4.28
4.47
4.43
4.02
4.24
3.41
4.56
4.38
4.50
4.00
4.26
4.83
4.20
Tim
e m
anag
emen
t4.
344.
374.
433.
784.
193.
664.
414.
143.
903.
804.
354.
574.
14Tr
aini
ng a
nd3.
653.
683.
823.
713.
773.
284.
163.
793.
413.
563.
794.
293.
94de
velo
ping
sta
ffU
nder
stan
ding
com
plex
3.64
3.61
3.98
3.67
3.55
3.71
4.09
3.65
3.95
3.68
3.79
3.43
3.90
info
rmat
ion
syst
ems
Writ
ing
Skill
s4.
534.
554.
573.
904.
594.
414.
584.
294.
324.
364.
414.
294.
33
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**Th
e m
ean
is t
he a
vera
ge r
espo
nse
to:
1 =
min
imal
ly i
mpo
rtan
t to
5 =
ver
y im
port
ant.
***N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.
334 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Tabl
e 8-3
-3-A
Impo
rtan
ce o
f Com
pete
ncie
s to
Perf
orm
Wor
k fo
r the
Aud
it St
aff b
y G
roup
s*Pr
actit
ione
r Res
pond
ents
in M
eans
**
Com
pete
ncie
s1
23
45
67
89
1011
12N
/C**
*
Abi
lity
to p
rom
ote
the
4.01
4.17
4.33
4.30
4.11
3.89
4.42
3.99
4.62
3.88
3.82
5.00
4.25
inte
rnal
aud
it ac
tivity
with
in t
he o
rgan
izat
ion
Ana
lytic
al (
abili
ty t
o4.
534.
174.
494.
534.
544.
304.
774.
164.
384.
294.
124.
674.
48w
ork
thro
ugh
an is
sue)
Cha
nge
man
agem
ent
3.75
3.83
3.85
3.70
3.60
3.20
4.29
3.61
4.00
3.16
3.59
4.00
3.87
Com
mun
icat
ion
4.65
4.42
4.74
4.56
4.45
4.40
4.77
4.30
4.38
4.28
4.00
4.67
4.50
Con
cept
ual
thin
king
4.39
4.25
4.29
4.09
4.27
4.04
4.55
3.96
4.31
3.92
3.82
5.00
4.22
Con
flict
res
olut
ion
4.20
4.00
4.26
4.27
4.02
3.76
4.58
3.90
4.23
3.36
3.94
4.00
4.25
Crit
ical
thi
nkin
g4.
544.
424.
443.
934.
164.
364.
684.
154.
234.
483.
944.
334.
27Fo
reig
n la
ngua
ge sk
ills
1.90
1.50
2.27
3.36
3.60
3.33
3.48
3.21
4.00
3.48
2.29
3.33
3.13
Kee
ping
up
to d
ate
with
3.82
4.00
4.30
4.34
4.28
3.89
4.55
3.99
4.38
3.52
3.76
5.00
4.16
prof
essi
onal
cha
nges
inop
inio
ns,
stan
dard
s,an
d re
gula
tions
Org
aniz
atio
n sk
ills
4.28
4.42
4.22
3.86
4.04
3.84
4.29
4.08
4.31
3.63
3.71
4.67
4.03
Pres
enta
tion
skill
s4.
013.
923.
974.
134.
073.
804.
194.
124.
153.
843.
824.
673.
96Pr
oble
m i
dent
ifica
tion
4.45
4.58
4.53
4.57
4.45
4.31
4.68
4.41
4.62
4.05
4.18
4.67
4.35
and
solu
tion
Proj
ect p
lann
ing
and
3.96
3.42
3.89
3.89
3.81
3.49
3.84
3.75
4.15
3.56
3.59
3.67
3.72
man
agem
ent
Rep
ort
deve
lopm
ent
4.21
4.33
4.38
4.10
3.99
3.72
4.84
4.17
4.46
3.84
3.88
5.00
4.26
Tim
e m
anag
emen
t4.
394.
334.
454.
134.
113.
694.
524.
024.
543.
523.
825.
004.
06Tr
aini
ng a
nd3.
353.
253.
433.
993.
563.
304.
103.
804.
233.
163.
475.
003.
76de
velo
ping
sta
ffU
nder
stan
ding
3.51
3.33
3.81
3.81
3.69
3.51
4.06
3.53
3.92
3.56
3.35
5.00
3.90
com
plex
inf
orm
atio
nsy
stem
sW
ritin
g Sk
ills
4.49
4.17
4.46
3.90
4.54
4.24
4.58
4.24
4.23
4.24
4.41
5.00
4.41
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**Th
e m
ean
is t
he a
vera
ge r
espo
nse
to:
1 =
min
imal
ly i
mpo
rtan
t to
5 =
ver
y im
port
ant.
***N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.
______________________________________ Chapter 8: Internal Auditor Competencies 335
The Institute of Internal Auditors Research Foundation
Tabl
e 8-5
-4-A
Impo
rtan
ce o
f Are
as o
f Kno
wle
dge t
o Pe
rfor
m W
ork
for A
udit
Man
ager
by
Gro
ups*
Prac
titio
ner R
espo
nden
ts in
Mea
ns**
Are
as o
f Kno
wle
dge
12
34
56
78
910
1112
N/C
***
Acc
ount
ing
3.84
3.34
3.67
3.95
3.81
3.65
4.20
3.67
4.44
3.44
4.17
4.25
3.96
Aud
iting
4.70
4.53
4.61
4.42
4.67
4.58
4.84
4.68
4.89
4.88
4.69
4.92
4.72
Bus
ines
s la
w a
nd3.
483.
703.
733.
683.
793.
534.
293.
694.
174.
004.
064.
423.
86go
vern
men
t reg
ulat
ion
Bus
ines
s m
anag
emen
t3.
643.
843.
853.
613.
813.
664.
193.
673.
944.
063.
854.
273.
83C
hang
es t
o pr
ofes
sion
al3.
613.
403.
853.
793.
523.
524.
183.
594.
173.
634.
024.
333.
83st
anda
rds
Ente
rpris
e ris
k m
anag
emen
t3.
544.
074.
114.
033.
953.
944.
354.
004.
444.
203.
984.
334.
00Et
hics
4.26
4.04
4.16
4.21
3.95
3.76
4.67
4.09
4.56
4.38
4.09
4.50
4.33
Fina
nce
3.52
3.38
3.70
3.69
4.00
3.58
4.25
3.71
4.44
3.63
4.11
4.08
3.75
Frau
d aw
aren
ess
4.01
3.85
3.94
3.82
3.99
3.71
4.36
3.90
4.33
3.81
4.13
4.17
4.10
Gov
erna
nce
3.81
4.26
4.21
3.79
3.97
3.79
4.30
3.97
4.17
4.25
4.09
4.17
3.84
Hum
an r
esou
rce
3.25
3.32
3.52
3.21
3.57
3.28
3.96
3.59
3.94
3.63
3.55
3.75
3.58
man
agem
ent
Info
rmat
ion
tech
nolo
gy3.
793.
573.
803.
643.
833.
884.
363.
744.
443.
944.
064.
423.
87In
tern
al a
uditi
ng s
tand
ards
4.15
3.68
4.27
4.00
4.20
4.04
4.67
4.05
4.72
4.06
4.29
4.67
4.23
Man
ager
ial a
ccou
ntin
g3.
053.
173.
283.
453.
553.
404.
043.
534.
173.
313.
694.
003.
69M
arke
ting
2.45
2.53
2.86
3.16
2.95
2.58
3.30
2.61
3.67
2.40
2.92
3.58
3.00
Org
aniz
atio
n cu
lture
3.92
3.89
3.92
3.49
3.82
3.80
4.07
3.94
4.22
3.50
3.81
4.42
3.84
Org
aniz
atio
nal
syst
ems
3.65
3.93
3.99
3.45
3.71
3.86
3.93
3.61
4.33
3.75
3.77
4.40
3.90
Stra
tegy
and
bus
ines
s3.
633.
684.
023.
643.
653.
693.
993.
574.
334.
063.
834.
503.
77po
licy
Tech
nica
l kno
wle
dge
3.99
4.02
4.02
3.72
3.92
3.40
4.16
4.03
4.44
3.50
4.00
4.33
3.90
for
your
ind
ustr
y
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**Th
e m
ean
is t
he a
vera
ge r
espo
nse
to:
1 =
min
imal
ly i
mpo
rtan
t to
5 =
ver
y im
port
ant.
***N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.
336 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Tabl
e 8-5
-5-A
Impo
rtan
ce o
f Are
as o
f Kno
wle
dge t
o Pe
rfor
m W
ork
for A
udit
Seni
or/S
uper
viso
r by
Gro
ups*
Prac
titio
ner R
espo
nden
ts in
Mea
ns**
Are
as o
f Kno
wle
dge
12
34
56
78
910
1112
N/C
***
Acc
ount
ing
3.77
3.55
3.45
3.94
3.78
3.53
4.20
3.46
4.27
3.76
3.97
4.71
4.02
Aud
iting
4.67
4.76
4.73
4.53
4.56
4.42
4.80
4.56
4.77
4.60
4.65
4.71
4.68
Bus
ines
s la
w a
nd3.
553.
713.
773.
793.
793.
514.
163.
623.
773.
803.
533.
574.
02go
vern
men
t reg
ulat
ion
Bus
ines
s m
anag
emen
t3.
583.
683.
633.
713.
543.
493.
943.
433.
273.
673.
683.
863.
62C
hang
es t
o pr
ofes
sion
al3.
603.
503.
763.
923.
523.
464.
063.
483.
413.
283.
624.
003.
76st
anda
rds
Ente
rpris
e ris
k m
anag
emen
t3.
513.
793.
864.
103.
823.
934.
163.
943.
553.
923.
624.
293.
85Et
hics
4.30
4.11
4.10
4.06
3.95
3.78
4.62
3.85
4.09
4.24
3.82
4.29
4.16
Fina
nce
3.58
3.49
3.71
3.88
3.97
3.26
4.04
3.55
3.59
3.76
3.73
4.00
3.91
Frau
d aw
aren
ess
3.95
3.82
3.95
3.94
3.90
3.64
4.27
3.66
3.86
3.64
3.76
4.14
4.07
Gov
erna
nce
3.76
4.08
4.16
3.63
3.61
3.57
4.06
3.65
3.55
3.88
3.85
3.57
3.87
Hum
an r
esou
rce
3.08
3.42
3.41
3.31
3.26
3.05
3.70
3.15
3.09
3.16
3.06
3.43
3.48
man
agem
ent
Info
rmat
ion
tech
nolo
gy3.
783.
713.
864.
083.
573.
884.
223.
713.
554.
173.
794.
004.
09In
tern
al a
uditi
ng s
tand
ards
4.22
4.16
4.26
4.00
4.15
3.93
4.55
3.92
3.82
4.08
4.09
4.29
4.26
Man
ager
ial a
ccou
ntin
g3.
133.
083.
223.
693.
413.
163.
923.
283.
233.
383.
183.
573.
61M
arke
ting
2.41
2.37
2.68
3.16
2.68
2.29
3.23
2.55
2.45
2.64
2.59
2.71
2.88
Org
aniz
atio
n cu
lture
3.80
4.03
3.96
3.62
3.54
3.51
4.09
3.79
3.68
3.76
3.47
4.29
3.72
Org
aniz
atio
nal
syst
ems
3.70
4.03
4.15
3.63
3.68
3.67
3.90
3.66
3.64
3.64
3.59
4.43
3.79
Stra
tegy
and
bus
ines
s3.
573.
843.
893.
883.
423.
513.
893.
333.
503.
763.
654.
573.
54po
licy
Tech
nica
l kno
wle
dge
3.97
3.92
3.99
4.20
3.73
3.50
4.08
3.97
3.55
3.54
3.76
4.43
3.83
for
your
ind
ustr
y
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**Th
e m
ean
is t
he a
vera
ge r
espo
nse
to:
1 =
min
imal
ly i
mpo
rtan
t to
5 =
ver
y im
port
ant.
***N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.
______________________________________ Chapter 8: Internal Auditor Competencies 337
The Institute of Internal Auditors Research Foundation
Tabl
e 8-5
-6-A
Impo
rtan
ce o
f Are
as o
f Kno
wle
dge t
o Pe
rfor
m W
ork
for t
he A
udit
Staf
f by
Gro
ups*
Prac
titio
ner R
espo
nden
ts in
Mea
ns**
Are
as o
f Kno
wle
dge
12
34
56
78
910
1112
N/C
***
Acc
ount
ing
3.71
3.17
3.56
4.06
3.85
3.36
4.10
3.48
4.50
3.12
3.71
4.33
3.86
Aud
iting
4.62
4.75
4.75
4.56
4.72
4.24
4.90
4.57
4.92
4.40
4.29
4.33
4.57
Bus
ines
s la
w a
nd3.
583.
753.
764.
093.
563.
314.
033.
614.
253.
723.
534.
003.
87go
vern
men
t reg
ulat
ion
Bus
ines
s m
anag
emen
t3.
463.
253.
563.
873.
593.
444.
033.
294.
253.
483.
533.
333.
65C
hang
es t
o pr
ofes
sion
al3.
653.
754.
024.
043.
733.
114.
003.
424.
333.
083.
124.
003.
82st
anda
rds
Ente
rpris
e ris
k m
anag
emen
t3.
423.
423.
964.
174.
063.
804.
033.
714.
173.
563.
355.
003.
87Et
hics
4.40
4.42
4.29
4.31
4.06
3.77
4.55
4.01
4.75
3.88
3.88
5.00
4.26
Fina
nce
3.54
3.42
3.89
4.09
3.93
3.18
4.03
3.31
4.50
2.84
3.76
4.33
3.85
Frau
d aw
aren
ess
3.95
3.67
3.93
4.17
3.71
3.53
4.45
3.60
4.33
3.28
3.76
4.67
4.18
Gov
erna
nce
3.73
3.92
4.16
3.80
3.72
3.53
4.13
3.53
4.09
3.88
3.76
3.67
3.85
Hum
an r
esou
rce
2.95
3.17
3.18
3.46
3.38
2.80
3.65
3.07
4.00
2.84
3.06
4.00
3.45
man
agem
ent
Info
rmat
ion
tech
nolo
gy3.
693.
583.
883.
973.
963.
424.
353.
594.
003.
883.
594.
674.
04In
tern
al a
uditi
ng s
tand
ards
4.29
4.00
4.52
4.16
4.37
3.80
4.68
3.94
4.67
3.80
3.59
4.33
4.34
Man
ager
ial a
ccou
ntin
g3.
052.
923.
243.
963.
553.
023.
743.
143.
922.
923.
384.
333.
53M
arke
ting
2.44
2.25
2.66
3.24
2.86
2.16
3.27
2.53
3.67
2.00
2.76
2.67
2.91
Org
aniz
atio
n cu
lture
3.83
4.08
3.94
3.74
3.59
3.58
4.13
3.71
4.08
4.13
3.59
4.67
3.88
Org
aniz
atio
nal
syst
ems
3.71
3.92
4.16
3.68
3.72
3.69
4.10
3.56
4.00
3.84
3.82
5.00
3.91
Stra
tegy
and
bus
ines
s3.
513.
504.
103.
913.
433.
414.
323.
174.
003.
963.
185.
003.
73po
licy
Tech
nica
l kno
wle
dge
for
3.98
4.00
4.13
4.21
3.83
3.02
4.23
4.14
3.75
3.36
3.47
4.67
3.96
your
ind
ustr
y
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**Th
e m
ean
is t
he a
vera
ge r
espo
nse
to:
1 =
min
imal
ly i
mpo
rtan
t to
5 =
ver
y im
port
ant.
***N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.
338 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 339
The Institute of Internal Auditors Research Foundation
CHAPTER 9EMERGING ROLES OF
INTERNAL AUDIT ACTIVITIES
Introduction
To examine the emerging role of the internal audit activity (IAA) in the organization, this chapterstarts with a discussion of the length of time organizations have had IAAs and the number of yearsthe organizations have been in existence. The next section reports on the general types of auditsbeing performed currently by IAAs and the expected changes in emphasis over the next threeyears. Another section examines the range of special audit activities respondents’ IAAs performnow and how that is expected to change in the next three years. The last section looks at therespondents’ organizations and the IAA’s current role in the organization as well as how theorganization’s environment and the IIA’s role will evolve over the next three years.
The number of respondents answering a specific question will often differ from the 9,366 totalrespondents in this study. This is due to the following reasons:
• Not all of those that participated in the survey answered all the questions asked. Resultsare shown and discussed only for those respondents who answered a particular surveyquestion.
• Not all questions were asked of all respondents.o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).o Some questions were asked of both CAEs and Practitioners.
When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.For a list of groups, please refer to the inside back cover of the report. Some tables have additionaldetails. For example, Table 9-4 is the total of all respondents for that question with a related Table9-4-1 showing the responses by group. A table can have more than one related table, where thesecond related table would be 9-4-2.
340 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Years That the IAA and Organizations Have Existed
Before looking at the roles and expected roles of the IAAs, one needs to gain a perspective of thelength of time respondents’ organizations have had IAAs and the years their organizations havebeen in existence. Figure 9-1 lists the number of years the respondents’ IAAs have been in existence.The largest numbers of respondents work for IAAs that have been in existence for only 0-5 years(28.4%). Another 21% of the respondents work for IAAs that have been in existence for 6-10years. This shows that many of the respondents’ IAAs (49.4%) are just starting to develop in theirorganizations. Only 13.8% of the respondents work in IAAs that have been in existence for 31 ormore years.
Figure 9-1Number of Years the IAA Has Existed in the Organization
All Respondents (7,747) in Percentages
0-5 Years28.4%
41+ Years8.1%
31-40 Years5.7%
21-30 Years14.1%
11-20 Years22.7%6-10 Years
21.0%
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 341
The Institute of Internal Auditors Research Foundation
Table 9-1 provides the number of years respondent organizations have had IAAs by groups. Thegroups are listed on the inside back cover of this report. In group 5 respondents indicate that 60.5%of their IAAs are 0-5 years old and another 22.5% are 6-10 years old. Respondents in the othergroups indicate between 20% - 33.9% of the IAAs are between 0-5 years old and an additional16.1% - 33.1% indicate their IAAs are between 6-10 years old. A review of the countries in eachgroup and historical events explain some of these differences since in some areas of the world,economies are more developed than others.
Table 9-1Number of Years the IAA Has Existed by Groups*
All Respondents in Percentages
Morethan
Group Respon- 0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 50dents Years Years Years Years Years Years Years Years Years Years Years Total
1 3,025 23.8 16.1 10.9 12.6 9.2 8.9 3.1 4.8 .7 4.5 5.4 100.02 188 26.1 20.7 17.0 13.3 5.9 6.9 2.7 2.7 1.1 1.1 2.5 100.03 636 25.8 26.6 11.9 10.2 5.8 7.1 2.7 1.9 .5 4.2 3.3 100.04 347 25.6 33.1 15.9 13.3 3.2 3.5 1.2 2.0 .6 .8 .8 100.05 550 60.5 22.5 8.0 2.7 1.5 1.3 .0 1.1 .2 1.3 .9 100.06 423 23.6 18.0 10.4 7.6 8.0 11.6 3.1 2.6 .9 5.2 9.0 100.07 467 23.1 20.3 13.1 9.9 8.4 11.8 2.8 3.2 .6 2.6 4.2 100.08 910 32.7 25.3 14.3 11.1 5.5 3.7 1.9 1.3 .2 1.3 2.7 100.09 118 33.9 29.7 15.3 7.6 5.1 .8 .0 .0 .8 3.4 3.4 100.0
10 125 22.4 25.6 11.2 8.0 6.4 4.8 3.2 6.4 .0 3.2 8.8 100.011 226 28.8 24.3 11.9 10.2 5.8 8.4 1.3 4.0 .9 2.2 2.2 100.012 40 20.0 27.5 10.0 10.0 5.0 12.5 2.5 .0 7.5 2.5 2.5 100.0
N/C** 692 27.6 23.3 11.6 13.0 4.8 7.4 1.4 3.6 .6 3.3 3.4 100.0Overall 7,747 2,194 1,628 914 847 529 566 181 255 48 257 328Respondentsin CategoryOverall 28.4 21.0 11.8 10.9 6.8 7.3 2.4 3.3 .6 3.3 4.2 100.0Percent inCategory
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
342 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Figure 9-2 reports on how long respondents’ organizations have been in existence. A correlationtest performed by the researchers showed a relationship between how long the organizations havebeen in existence and how long the organizations have had an IAA. It appears that older companiestend to have established IAAs longer than younger companies.
Figure 9-2Number of Years Organizations Have Existed
All Respondents (8,165) in Percentages
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 343
The Institute of Internal Auditors Research Foundation
Table 9-2 lists the length of time respondents’ organizations have been in existence by the 13groups. Groups 1, 6, and 10 have a large number of respondents (54.5% - 59.2%) working inorganizations that are more than 50 years old and only 11.2% - 13.4% with organizations that are10 or less years old. While for respondents in groups 4, 5, and 11, greater than 24% of theirorganizations (24.1% - 29.4%) are 10 years old or less.
Table 9-2Number of Years Organizations Have Existed by Groups*
All Respondents in Percentages
Group Respondents 0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 More TotalYears Years Years Years Years Years Years Years Years Years than
50Years
1 3241 4.4 6.8 4.7 4.8 3.9 5.0 3.7 4.8 1.7 5.7 54.5 100.02 189 8.5 11.1 3.7 6.3 3.7 6.9 4.2 2.6 2.1 7.4 43.5 100.03 648 8.3 13.1 9.3 5.9 5.4 5.1 3.1 5.2 1.4 5.7 37.5 100.04 354 11.6 17.8 9.9 12.7 3.4 9.0 5.9 5.1 4.0 3.7 16.9 100.05 552 12.0 17.4 24.8 6.7 2.2 3.1 2.2 3.1 1.1 4.3 23.1 100.06 434 4.8 8.5 6.0 2.5 1.8 4.4 2.5 3.7 .9 8.5 56.4 100.07 504 6.0 14.1 10.3 5.0 4.0 6.7 5.0 3.4 3.6 6.5 35.4 100.08 954 11.3 10.6 7.0 6.2 3.6 5.8 2.5 4.8 1.5 5.6 41.1 100.09 125 8.0 9.6 7.2 13.6 11.2 3.2 7.2 1.6 5.6 8.0 24.8 100.0
10 135 6.7 6.7 3.7 4.4 3.0 3.7 5.2 1.5 3.7 2.2 59.2 100.011 228 11.4 12.7 10.1 11.0 8.3 6.1 5.7 6.1 4.8 4.8 18.8 100.012 39 5.1 10.3 7.7 10.3 5.1 15.4 10.3 10.3 7.7 .0 17.8 100.0
N/C** 762 8.7 14.3 9.4 7.9 3.5 6.2 3.1 3.3 1.8 5.4 36.4 100.0Total/ 8165 590 856 648 496 321 442 299 355 165 461 3532
OverallRespondentsin Category
OverallPercent inCategory 7.2 10.5 7.9 6.1 3.9 5.4 3.7 4.3 2.0 5.6 43.4 100.0
*For a list of affiliate groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
344 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Changing Emphasis on Types of Audits
This section focuses on the anticipated change in demand for the general types of audits that willbe performed by the IAA in the next three years. The definition of internal auditing in The IIA’s1999 report, A Vision for the Future: Professional Practices Framework for Internal Auditing,acknowledges the importance of assurance services and consulting in the areas of risk management,governance, and controls. With this expansion of scope, it was expected that the audits performedby IAAs would include these three areas. In order to assess staffing needs, required competencies,and the skills necessary in the near future, the profession needs to anticipate changes in the demandfor their services. Table 9-3 shows the estimates of all respondents to the question about whetherthey anticipate the general types of audits performed by their IAA will increase, decrease, or staythe same over the next three years.
Table 9-3Anticipated Changes in Types of Audits to Be Performed
Within the Next Three YearsAll Respondents in Percentages
Activity Total Increase Decrease Stay the TotalResponses Same Percent
Risk management 6,728 79.5 2.3 18.2 100.0Governance 6,704 63.2 4.0 32.8 100.0Regulatory compliance 6,698 46.9 11.7 41.4 100.0Operational auditing 6,715 46.2 14.7 39.1 100.0Review of financial processes 6,724 43.5 14.6 41.9 100.0
Respondents predict that the greatest increase in the types of audits performed in the next threeyears will be in risk management (79.5%) and governance (63.2%) audits. The projected increasesfor these types of audits will need to be reflected in the IAA’s internal audit plan, the resourcesallocated to the IAA, and in the audit staff’s competencies. For many of the respondents, regulatorycompliance (46.9%), operational auditing (46.2%), and reviews of financial processes (43.5%)show material increases as well. Some respondents do anticipate that less time will be spent onoperational audits (14.7%), the review of financial processes (14.6%), and regulatory complianceaudits (11.7%).
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 345
The Institute of Internal Auditors Research Foundation
As IAAs around the world are evolving at different rates, this study also looked at the expectedchanges in the types of audits to be performed by IAAs by groups. Table 9-3-1 presents predictedincreases in the types of audits for all respondents by group, Table 9-3-2 presents the decreasesanticipated by group, and Table 9-3-3 shows predictions of no change by group. The respondentsin all groups agreed that the performance of risk management and governance audits should increasethe most in the next three years.
Table 9-3-1Changes in Types of Audits Performed – Increased Role in the Future
(Next Three Years) by Groups*All Respondents in Percentages
Activity 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Review of financial 45.0 30.0 44.0 41.2 48.0 35.9 44.5 37.2 55.9 40.9 47.2 70.6 46.0processesRisk management 74.5 75.0 84.0 88.5 83.6 77.2 89.0 82.6 87.9 79.1 83.9 100.0 80.7Governance 55.9 67.0 76.0 72.2 61.0 64.5 75.9 64.6 79.4 52.6 77.2 85.3 63.9Regulatory compliance 46.4 46.0 50.0 40.8 41.2 44.6 54.7 47.2 52.2 25.0 49.2 64.7 51.1Operational auditing 47.9 48.0 45.0 51.9 44.6 44.7 44.5 38.3 59.1 30.7 45.8 67.7 50.1
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
Table 9-3-2Changes in Types of Audits Performed – Decreased Role in the Future
(Next Three Years) by Groups*All Respondents in Percentages
Activity 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Review of financial 10.1 21.0 16.0 21.4 21.0 17.9 17.7 19.1 15.1 20.9 15.7 8.8 12.1processesRisk management 1.7 5.0 3.0 0.4 6.3 2.2 1.0 1.8 2.2 2.6 3.3 0.0 2.7Governance 3.7 2.0 2.0 2.3 12.1 3.7 3.7 2.7 4.4 4.4 2.8 2.9 4.6Regulatory compliance 10.4 13.0 12.0 11.6 23.1 10.2 7.1 11.2 16.3 21.4 14.5 14.7 9.6Operational auditing 12.3 14.0 18.0 13.3 24.1 15.4 17.7 14.7 10.8 14.0 17.3 11.8 14.0
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
346 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 9-3-3Changes in Types of Audits Performed – Stay the Same in the Future
(Next Three Years) by Groups*All Respondents in Percentages
Activity 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Review of financial 44.9 49.0 40.0 37.5 31.1 46.2 37.8 43.7 29.0 38.7 37.1 20.6 41.9processesRisk management 23.8 20.0 14.0 11.2 10.2 20.6 10.1 15.7 9.9 18.3 12.8 0.0 16.6Governance 40.4 30.0 22.0 25.6 26.9 31.8 20.4 32.8 16.3 43.0 20.0 11.8 31.6Regulatory compliance 43.2 41.0 38.0 47.6 35.8 45.2 38.2 41.6 31.5 53.6 36.3 20.6 39.3Operational auditing 39.8 39.0 37.0 34.8 31.3 39.9 37.8 47.0 30.1 55.3 36.9 20.6 35.9
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
Emerging Roles in Organizations’ Activities
To gain an understanding of what roles IAAs have and will have in various types of activities andfunctions performed within an organization, respondents were provided with a list of importanttasks performed by organizations. They were asked to indicate if their IAA currently has a role inthe area, if the IAA is likely to have a role in the next three years, or if it is unlikely for the IAA tohave a role. Role was defined as being within the IAA’s scope of work. The list was developedfrom a review of internal auditing literature and the CBOK 2006 pilot survey. An overview of allresponses is shown in Table 9-4.
The respondents’ IAAs all do some work in the areas listed. The four highest ranked areas whererespondents indicate that their IAAs currently perform audits are fraud prevention/detection (69%),risk management (66.6%), regulatory compliance assessment monitoring (64%), and corporategovernance (52.2%). Areas where respondents’ IAAs currently have less of a role are emergingmarkets (11.5%), environmental sustainability (14%), and globalization (15.3%). For most of theaudit areas that are not currently being audited, respondents indicated that 17.7% to 38.1% of theirIAAs plan to do audit work in those areas over the next three years. Currently 23.6% have a rolein corporate social responsibility and an additional 31.6% of the respondents are likely to have arole in the next three years. Areas where more than a third of the respondents indicate they areunlikely to be involved are executive compensation (45.4%), environmental sustainability (39.9%),emerging markets (39.5%), globalization (35.2%), and intellectual property and knowledge assessment(35.1%).
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 347
The Institute of Internal Auditors Research Foundation
Table 9-4Emerging Roles of the IAA - Total Responses in Percentages
Roles Total Currently Likely to Have Unlikely to Not TotalRespon- Have a Role a Role Within Have a Role Applicable
dents the Next 3Years
Alignment of strategy 6,500 23.1 35.2 30.1 11.6 100.0and performancemeasures (e.g., BalancedScorecard)Benchmarking 6,476 28.6 35.7 26.0 9.7 100.0Corporate governance 6,511 52.2 31.2 11.4 5.2 100.0Corporate social 6,415 23.6 31.6 33.8 11.0 100.0responsibilityDevelop training and 6,522 46.6 34.4 15.3 3.7 100.0education of organizationpersonnel (e.g., internalcontrols, risk management,regulatory requirements)Disaster recovery 6,490 34.0 26.1 29.0 10.9 100.0Evidential issues 6,385 39.8 23.9 23.5 12.8 100.0Emerging markets 6,426 11.5 22.5 39.5 26.5 100.0Environmental sustainability 6,436 14.0 24.7 39.9 21.4 100.0Executive compensation 6,429 16.0 17.7 45.4 20.9 100.0Fraud prevention/detection 6,530 69.0 22.9 5.7 2.4 100.0Globalization 6,431 15.3 21.1 35.2 28.4 100.0Intellectual property and 6,391 19.2 28.4 35.1 17.3 100.0knowledge assessmentIT management assessment 6,453 46.1 32.2 16.8 4.9 100.0Knowledge management 6,387 26.1 38.1 26.9 8.9 100.0systems development reviewMergers and acquisitions 6,437 18.4 23.7 30.8 27.1 100.0Project management 6,410 39.8 27.6 25.1 7.5 100.0Provide training to the 6,436 31.2 34.4 21.7 12.7 100.0audit committeeRegulatory compliance 6,442 64.0 23.0 9.2 3.8 100.0assessment monitoringRisk management 6,509 66.6 25.5 5.6 2.3 100.0Strategic frameworks 6,407 27.0 36.8 27.7 8.5 100.0
348 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Tables 9-4-1 and 9-4-2 show the total results by group for the question about roles and work areasthat respondent IAAs’ currently have or are likely to have in the next three years. The respondents’group data shows many variations in the roles the IAAs currently have and are likely to have inthree years. Approximately 80% of the groups’ respondents indicate that they are currently involvedor will be involved in the next three years in corporate governance, fraud prevention, IT managementassessment, regulatory compliance, and risk management. The group data indicates thatapproximately 50% to 59% of the IAAs have or will have a role in alignment of strategy andperformance measures.
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 349
The Institute of Internal Auditors Research Foundation
Table 9-4-1Emerging Roles of the IAA - Currently Have a Role by Groups*
All Respondents in Percentages
Roles 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Alignment of strategy and 22.8 19.1 32.6 11.6 17.6 16.6 34.4 22.7 18.9 26.4 28.2 25.7 22.0performance measures(e.g., Balanced Scorecard)Benchmarking 30.6 26.6 34.9 16.0 26.6 22.2 26.3 26.8 35.2 29.1 33.0 36.4 25.6Corporate governance 56.5 70.7 75.2 25.7 37.6 47.2 47.4 52.9 40.0 48.2 60.7 62.9 35.7Corporate social 26.4 15.5 30.7 15.4 15.2 11.1 31.6 22.7 25.3 17.4 20.2 30.3 20.7responsibilityDevelop training and 48.7 44.6 51.0 40.5 39.8 30.5 52.5 50.8 41.1 31.8 50.6 64.7 42.5education of organizationpersonnel (e.g., internalcontrols, risk management,regulatory requirements)Disaster recovery 45.2 41.3 47.8 17.7 18.9 21.6 24.6 20.3 26.4 22.7 29.3 37.1 21.4Evidential issues 40.8 36.3 41.5 29.2 43.6 35.6 55.2 35.3 40.0 24.5 34.5 56.3 38.5Emerging markets 11.9 10.4 15.0 5.9 8.0 10.1 13.1 11.1 10.0 15.5 11.5 12.5 12.1Environmental 13.1 9.3 20.6 12.9 11.8 7.9 18.6 13.4 12.4 18.2 11.5 17.6 17.3sustainabilityExecutive compensation 19.8 9.8 17.2 8.2 13.1 7.4 18.2 11.6 11.1 19.8 14.5 21.2 14.3Fraud prevention/ 75.1 71.7 73.4 52.7 56.9 64.7 69.2 64.8 72.8 65.8 63.2 82.9 60.7detectionGlobalization 14.4 7.7 18.1 13.4 12.9 12.5 29.0 12.9 15.6 23.9 19.0 14.7 15.2Intellectual property and 22.3 18.7 24.7 10.6 16.6 10.7 23.2 14.9 16.7 24.1 17.5 14.3 14.7knowledge assessmentIT management assessment 48.7 47.8 48.0 26.0 37.2 45.0 62.7 46.8 42.7 51.8 36.9 48.6 37.9Knowledge management 31.4 27.6 34.2 12.4 18.5 20.6 28.4 16.8 26.7 23.6 23.1 17.6 21.4systems developmentreviewMergers and acquisitions 20.6 12.7 19.9 8.2 12.1 19.1 23.8 20.0 23.3 14.5 12.7 8.6 13.5Project management 44.4 45.3 50.4 32.0 30.2 40.6 36.2 33.4 28.1 42.2 30.5 41.2 31.7Provide training to the 40.2 29.4 39.5 16.1 15.1 13.2 31.7 26.8 19.1 24.8 23.1 31.4 23.3audit committeeRegulatory compliance 63.9 64.8 58.4 61.4 60.8 67.2 70.3 75.7 56.7 54.5 55.2 57.1 57.1assessment monitoringRisk management 69.5 76.9 79.6 46.4 57.7 62.7 67.7 68.8 56.0 67.9 67.1 76.5 52.9Strategic frameworks 29.2 29.1 39.0 15.2 20.5 13.5 39.8 19.2 22.4 31.2 22.4 47.1 25.3
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
350 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 9-4-2Emerging Roles of the IAA - Likely to Have a Role in
Next Three Years by Groups*All Respondents in Percentages
Roles 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Alignment of strategy and 31.0 36.1 37.7 41.7 41.9 26.5 43.3 37.3 46.7 20.0 41.8 54.3 39.6performance measures(e.g., Balanced Scorecard)Benchmarking 32.2 35.3 36.2 36.7 44.8 33.9 44.3 35.1 44.3 27.3 42.6 42.4 37.9Corporate governance 25.8 22.8 20.1 49.4 39.8 33.4 39.3 34.0 50.0 25.5 33.1 28.6 40.9Corporate social 23.9 36.5 36.5 39.0 30.5 29.7 41.4 39.9 39.1 31.2 42.2 42.4 38.0responsibilityDevelop training and 31.8 32.6 31.3 40.5 41.4 35.8 36.9 31.6 44.4 44.5 36.8 32.4 39.5education of organizationpersonnel (e.g., internalcontrols, risk management,regulatory requirements)Disaster recovery 24.7 27.2 25.2 24.6 27.7 20.8 37.4 21.9 46.2 19.1 39.1 40.0 27.2Evidential issues 22.4 24.2 26.6 29.2 25.8 20.3 25.8 21.1 27.8 19.1 35.1 34.4 25.1Emerging markets 19.1 18.1 27.4 23.8 24.7 16.3 35.6 20.9 26.7 12.7 37.9 43.8 25.2Environmental 17.9 26.2 32.8 28.1 24.5 21.2 37.5 29.3 33.7 20.0 38.5 55.9 27.3sustainabilityExecutive compensation 14.5 10.4 21.3 17.3 20.6 11.5 30.5 17.3 15.6 15.3 30.1 30.3 21.6Fraud prevention/ 18.9 19.0 17.5 38.9 32.0 25.1 25.3 23.4 21.7 21.6 28.7 8.6 30.1detectionGlobalization 13.9 19.1 21.2 42.4 24.6 16.6 33.8 21.3 22.2 15.6 37.4 35.3 31.4Intellectual property and 23.3 39.6 32.4 38.4 32.5 20.5 37.6 24.0 41.1 16.7 49.1 51.4 33.3knowledge assessmentIT management assessment 27.5 31.9 32.2 41.5 43.9 31.2 29.2 32.6 44.9 24.5 42.0 42.9 39.4Knowledge management 31.3 43.1 39.1 45.0 47.8 36.4 45.1 42.0 46.7 33.6 46.8 64.7 41.8systems developmentreviewMergers and acquisitions 21.8 17.7 20.1 23.5 25.8 20.9 28.5 25.0 32.2 20.0 32.4 42.9 28.1Project management 23.2 26.3 28.4 37.9 37.5 27.4 30.7 25.7 36.0 25.7 32.2 41.2 33.1Provide training to the 30.0 41.1 36.5 39.2 36.0 31.1 41.9 34.4 43.8 32.1 48.6 51.4 38.4audit committeeRegulatory compliance 20.8 21.4 27.7 28.6 25.7 22.0 22.6 16.4 36.7 19.1 32.0 31.4 29.8assessment monitoringRisk management 22.2 18.1 15.8 46.8 31.6 28.3 25.5 23.5 38.5 22.0 28.9 17.6 37.1Strategic frameworks 33.2 37.4 37.7 44.4 41.4 33.1 40.3 35.4 54.1 25.7 48.3 41.2 43.3
*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 351
The Institute of Internal Auditors Research Foundation
Table 9-4-3 summarizes the areas where respondents think the IAA would not have a role in thenext three years. The areas that most groups agree that the IAA will not have a role in theforeseeable future are emerging markets, environmental sustainability, executive compensation,and intellectual property and knowledge assessment.
Table 9-4-3Emerging Roles of the IAA – Not Likely to Have a Role in
Next Three Years by Groups*All Respondents in Percentages
Roles 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Alignment of strategy and 34.7 34.4 24.2 31.3 25.1 41.9 12.2 28.9 18.9 41.8 22.0 11.4 26.3performance measures(e.g., Balanced Scorecard)Benchmarking 28.5 31.5 23.4 35.5 17.3 33.3 16.2 26.6 11.4 34.5 18.8 3.0 22.9Corporate governance 12.9 6.0 3.4 20.8 13.8 13.5 6.9 8.3 6.7 12.7 3.9 5.7 15.3Corporate social 38.7 38.1 26.5 33.6 36.7 46.2 19.0 25.1 26.4 45.9 30.6 21.2 29.2responsibilityDevelop training and 16.0 19.0 15.0 13.3 14.3 28.5 7.8 13.6 10.0 18.2 10.9 0.0 14.3education of organizationpersonnel (e.g., internalcontrols, risk management,regulatory requirements)Disaster recovery 25.4 29.9 23.2 40.0 28.2 41.8 23.6 38.4 19.8 50.0 25.9 11.4 29.3Evidential issues 25.4 28.6 21.3 26.2 18.4 31.8 10.3 22.7 21.1 45.5 19.5 3.1 21.3Emerging markets 44.0 48.9 33.3 45.7 32.4 43.5 30.4 37.5 43.3 41.8 35.1 25.0 31.1Environmental 46.5 49.2 31.7 38.3 33.3 46.8 26.5 35.2 38.2 50.9 37.4 11.8 30.9sustainabilityExecutive compensation 49.1 59.6 44.1 45.5 41.4 50.1 30.0 44.7 47.8 46.8 41.6 30.3 37.1Fraud prevention/detection 4.0 7.1 7.0 6.1 7.6 8.4 3.3 7.9 4.3 12.6 4.0 5.7 6.2Globalization 37.7 42.6 32.9 29.0 30.0 40.1 24.9 36.9 46.7 37.6 34.5 35.3 29.7Intellectual property and 36.7 31.3 30.7 36.5 29.8 44.9 24.5 40.4 28.9 50.0 24.0 14.3 34.0knowledge assessmentIT management assessment 19.5 17.6 15.9 22.5 11.0 18.8 3.8 15.4 9.0 20.9 17.0 2.9 16.8Knowledge management 28.4 23.8 22.1 28.7 22.7 34.0 19.6 30.3 22.2 34.5 24.3 8.8 25.4systems developmentreviewMergers and acquisitions 29.6 30.4 30.4 40.8 28.3 36.8 27.2 32.1 28.9 36.4 39.9 25.7 28.6Project management 26.0 22.3 18.7 20.2 21.7 27.9 24.0 31.4 22.5 25.7 30.5 5.9 22.7Provide training to the 20.1 25.0 19.2 27.5 23.0 32.8 13.6 23.7 22.5 25.7 22.0 11.4 22.4audit committeeRegulatory compliance 11.0 12.1 11.4 8.9 8.2 7.6 3.8 4.0 4.4 19.1 11.6 2.9 8.4assessment monitoringRisk management 6.2 3.3 3.4 4.9 6.6 7.9 2.5 5.5 3.3 10.1 3.5 0.0 6.8Strategic frameworks 30.1 25.8 19.0 29.2 25.2 45.2 12.9 33.4 17.6 37.6 20.7 2.9 21.5*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.
352 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Organizational Environment and Key Activities of the IAA
This final section of the chapter captures CAE and Audit Manager respondents’ agreement withstatements about their organizations and their IAA’s role in the organization. The survey asked if astatement currently applies, is likely to apply within the next three years, or will not apply in theforeseeable future. As listed in Table 9-5, 61.2% of the respondents indicate that their countriescurrently have laws or regulations that require organizations to have an IAA and an additional13.1% anticipate having such requirements in the next three years. Corporate governance codesare complied with in 67.7% of the organizations with 22.7% of the respondents’ organizationslikely to comply with a corporate governance code in the next three years. In 70.5% of therespondents’ organizations, there is an internal control framework and 24.3% indicate that theirorganizations will have a framework in the next three years.
Assurance audits receive more emphasis than consulting services in 71.5% of the organizations.The IAAs (64.3% currently, 25.3% more in three years) educate their organizations’ personnelabout internal control, corporate governance, and compliance issues. Many IAAs (55.7% currently,25.6% more in three years) have an important role in the integrity of their organizations’ financialreporting. Internal auditors anticipate having a growing advisory involvement in the development ofstrategy (28.9% currently, 32.7% in the next three years) while 30.3% noted they would not havean advisory role in strategy development in the foreseeable future. Providing training to auditcommittee members (34% currently, 32.3% in the next three years) is also anticipated to increase.Implementation of a knowledge management system is expected to escalate (25.6% currently,43.9% in the next three years) while 20.6% indicate their organizations will not apply a knowledgemanagement system in the foreseeable future.
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 353
The Institute of Internal Auditors Research Foundation
Table 9-5How Statements Apply to Your Organization
CAEs’ and Audit Managers’ Agreement with Statements in Percentages
Statement Number of Currently Likely to Will Not Not TotalRespondents Applies Apply Apply in the Applicable
Within the ForeseeableNext 3 FutureYears
Internal auditing is required 3,464 61.2 13.1 12.9 12.8 100.0by law or regulation wherethe organization is based.Internal auditors in the 3,445 28.9 32.7 30.3 8.1 100.0organization have anadvisory role in strategydevelopmentThe organization complies 3,447 67.7 22.7 4.3 5.3 100.0with a corporate governancecode.The organization has 3,443 70.5 24.3 3.5 1.7 100.0implemented an internalcontrol framework.The organization has 3,423 25.6 43.9 20.6 9.9 100.0implemented a knowledgemanagement systemThe internal audit activity 3,424 34.0 32.3 18.5 15.2 100.0has provided training toaudit committee members.The internal audit activity 3,437 55.7 25.6 13.8 4.9 100.0assumes an important rolein the integrity of financialreporting.The internal audit activity 3,437 64.3 25.3 7.3 3.1 100.0educates organizationpersonnel about internalcontrols, corporategovernance, and complianceissues.The internal audit activity 3,448 71.5 15.2 8.4 4.9 100.0places more emphasis onassurance than consultingservices.
354 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Tables 9-5-1 and 9-5-2 provide information by groups for CAE and Audit Manager respondents’current agreement with these statements and the likelihood of application in the next three years.The group tables show that the majority (48.0% up to 84.2%) live in countries that have or likelywill have laws and regulations in the next three years requiring organizations to have internalauditors. Most organizations within the groups have (49.1% to 78.8%) or likely will adopt (16.8%to 45.3%) an internal control framework in the next three years projecting coverage of over 90%of the respondents’ IAAs. Most respondents within the groups agree that the IAA does or willassume an important role in the integrity of financial reporting, educates organization personnelabout internal controls, corporate governance and compliance issues, and places more emphasison assurance than internal controls and consulting services. In most groups, the advisory role theIAA has in the organization’s strategy development (currently 17.5% - 39.5% with group 12 at60%) will likely significantly increase in the next three years.
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 355
The Institute of Internal Auditors Research Foundation
Tabl
e 9-5
-1H
ow S
tate
men
ts C
urre
ntly
App
ly to
Res
pond
ents
’ Org
aniz
atio
ns b
y G
roup
s*C
AE
and
Aud
it M
anag
er A
gree
men
t with
Sta
tem
ents
in P
erce
ntag
es
Stat
emen
t1
23
45
67
89
1011
12N
/C**
Inte
rnal
aud
iting
is r
equi
red
58.0
48.0
67.7
80.0
64.7
60.6
65.7
62.4
52.7
54.7
66.4
84.2
58.8
by la
w o
r re
gula
tion
whe
reth
e or
gani
zatio
n is
bas
ed.
Inte
rnal
aud
itors
in
the
29.7
30.3
33.8
39.5
22.8
17.5
35.5
22.9
37.0
20.8
33.9
60.0
28.4
orga
niza
tion
have
an
advi
sory
role
in
stra
tegy
dev
elop
men
tTh
e or
gani
zatio
n co
mpl
ies
73.8
72.4
79.6
55.5
60.3
54.8
55.7
66.9
53.7
54.7
71.9
55.0
56.6
with
a c
orpo
rate
gov
erna
nce
code
.Th
e or
gani
zatio
n ha
s70
.471
.373
.278
.861
.259
.278
.477
.565
.549
.177
.963
.265
.5im
plem
ente
d an
int
erna
lco
ntro
l fr
amew
ork.
The
orga
niza
tion
has
22.9
27.9
32.4
30.5
25.2
19.3
26.5
26.2
46.3
25.0
33.9
26.3
23.9
impl
emen
ted
a kn
owle
dge
man
agem
ent
syst
emTh
e in
tern
al a
udit
activ
ity46
.935
.843
.417
.414
.513
.034
.024
.021
.220
.821
.915
.023
.0ha
s pr
ovid
ed t
rain
ing
toau
dit
com
mitt
ee m
embe
rs.
The
inte
rnal
aud
it ac
tivity
64.1
62.3
58.4
42.4
39.5
45.2
58.1
46.7
54.7
39.6
62.8
50.0
47.5
assu
mes
an
impo
rtant
rol
ein
the
int
egrit
y of
fin
anci
alre
port
ing.
The
inte
rnal
aud
it ac
tivity
73.1
68.0
71.3
47.1
50.2
42.7
66.2
62.9
45.5
43.4
65.8
60.0
53.2
educ
ates
org
aniz
atio
npe
rson
nel
abou
t in
tern
alco
ntro
ls,
corp
orat
ego
vern
ance
, an
d co
mpl
ianc
eis
sues
.Th
e in
tern
al a
udit
activ
ity75
.272
.481
.665
.060
.968
.871
.267
.158
.262
.369
.378
.966
.8pl
aces
mor
e em
phas
is o
nas
sura
nce
than
con
sulti
ngse
rvic
es.
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.
356 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Tabl
e 9-5
-2H
ow S
tate
men
ts a
re L
ikel
y to
App
ly W
ithin
the N
ext 3
Yea
rs t
oR
espo
nden
ts’ O
rgan
izat
ions
by
Gro
ups*
CA
E a
nd A
udit
Man
ager
Agr
eem
ent w
ith S
tate
men
ts in
Per
cent
ages
Stat
emen
t1
23
45
67
89
1011
12N
/C**
Inte
rnal
aud
iting
is r
equi
red
by9.
616
.313
.113
.315
.113
.013
.015
.432
.711
.315
.510
.520
.8la
w o
r re
gula
tion
whe
re t
heor
gani
zatio
n is
bas
ed.
Inte
rnal
aud
itors
in
the
28.6
24.6
32.7
32.8
41.8
31.6
43.9
33.8
44.4
17.0
42.6
35.0
36.7
orga
niza
tion
have
an
advi
sory
role
in
stra
tegy
dev
elop
men
tTh
e or
gani
zatio
n co
mpl
ies
16.8
22.8
17.3
40.3
28.4
27.9
33.5
22.8
44.4
24.5
21.1
40.0
29.2
with
a c
orpo
rate
gov
erna
nce
code
.Th
e or
gani
zatio
n ha
s23
.223
.823
.618
.632
.832
.519
.720
.227
.345
.316
.831
.629
.5im
plem
ente
d an
int
erna
lco
ntro
l fr
amew
ork.
The
orga
niza
tion
has
37.4
49.2
49.6
47.5
49.1
43.5
51.2
45.3
44.4
46.2
47.0
63.2
53.2
impl
emen
ted
a kn
owle
dge
man
agem
ent
syst
emTh
e in
tern
al a
udit
activ
ity27
.934
.131
.346
.132
.027
.539
.630
.251
.930
.248
.275
.038
.7ha
s pr
ovid
ed t
rain
ing
toau
dit
com
mitt
ee m
embe
rs.
The
inte
rnal
aud
it ac
tivity
20.9
19.7
27.4
37.3
29.4
27.9
31.2
30.5
34.0
18.9
27.4
40.0
26.2
assu
mes
an
impo
rtant
rol
ein
the
int
egrit
y of
fin
anci
alre
port
ing.
The
inte
rnal
aud
it ac
tivity
20.1
23.8
20.9
35.5
32.3
30.6
26.8
26.6
43.6
30.2
26.3
35.0
34.7
educ
ates
org
aniz
atio
npe
rson
nel
abou
t in
tern
alco
ntro
ls,
corp
orat
ego
vern
ance
, an
d co
mpl
ianc
eis
sues
.Th
e in
tern
al a
udit
activ
ity11
.919
.59.
928
.320
.614
.418
.612
.629
.122
.621
.115
.821
.8pl
aces
mor
e em
phas
is o
nas
sura
nce
than
con
sulti
ngse
rvic
es.
*For
a l
ist
of g
roup
s, p
leas
e se
e th
e in
side
bac
k co
ver.
**N
/C =
Res
pond
ents
did
not
ind
icat
e af
filia
te o
r ch
apte
r m
embe
rshi
p.
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 357
The Institute of Internal Auditors Research Foundation
Summary
Internal auditing has evolved significantly from its origins in the early 20th century. The results ofCBOK demonstrate that internal auditing will continue to evolve in the future by incorporating newresponsibilities and having an impact on more areas of the organization.
It is especially interesting to note that respondents indicated their IAA’s responsibilities increasingin all of the major types of audits that are currently being performed, some by large amounts. Forexample, risk management is expected to increase 79.5% over the next three years. Furthermore,it does not appear that any of the current types of audits performed will decrease in any significantway over the next three years.
As the profession evolves, emerging roles to monitor include alignment of strategy and performancemeasures, benchmarking, knowledge management, systems development review, and strategicframeworks. Each of these was indicated by respondents as having an increase of more than 35%over the next three years.
Executive compensation stood out in the CBOK results as clearly showing that IAAs do notcurrently and most likely will not have a role in the future. Respondents indicate that 16% of IAAscurrently have a role and 17.7% are likely to have a role in the next three years. This is comparedwith 45.4% of respondents who indicate that their IAA is unlikely to have a role in the next threeyears in this activity.
358 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 359
The Institute of Internal Auditors Research Foundation
CHAPTER 10RESEARCH METHOD
AND LITERATURE REVIEW
This chapter reviews the research method used to gather the data for the Common Body ofKnowledge (CBOK) 2006 study and provides a literature review prepared by each of the researchteams listed below summarizing the past studies reviewed prior to preparing the CBOKquestionnaires.
RESEARCH METHOD
Project Teams
The research team was comprised of three international teams that were selected from the responsesto the CBOK request for proposals. Table 10-1 lists the members of the three CBOK 2006 teams.Based on the location of the selected research teams, the international affiliates and chapters werebroken down into three broad geographical areas.
360 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 10-1Research Teams
Teams General Areasof Responsibilities
Lead Team• Priscilla A.Burnaby (Bentley College, United States) – North, Central, and
Project Coordinator and Team Coordinator South America and• Susan Hass (Simmons College, United States) the Caribbean• Mohammad J. Abdolmohammadi (Bentley College,
United States)• Rob Melville (Cass Business School, England) – Europe and Africa
Team Coordinator• Marco Allegrini and Giuseppe D’Onza
(University of Pisa, Italy)• Leen Paape (Erasmus University, Netherlands)• Gerrit Sarens (University of Ghent, Belgium)• Marinda M. Marais (University of South Africa)• Elmarie Sadler (University of South Africa)• Houdini Fourie (Tshwane University of
Technology, South Africa)• Barry J. Cooper (Deakin University, Australia) – Asia and Pacific
Team Coordinator• Philomena Leung (Deakin University, Australia)
_____________________________ Chapter 10: Research Method and Literature Review 361
The Institute of Internal Auditors Research Foundation
Pilot Test and Literature Review1
The pre-scope questionnaire sent to practitioners for their input was developed after reviewing theProfessional Practices Framework (The IIA, 2004) and performing a literature review of currentinternal auditing studies around the world. A summary of the literature review is included in thesecond part of this chapter. The objective of the pilot survey was to determine what practitionersbelieved should be included in the CBOK 2006 questionnaires. Based upon discussions withknowledgeable internal auditors, key stakeholders at The IIA, and the literature review, the followingtopics were selected for inclusion in the pilot survey:
• Audit methods, tools, and techniques• Auditor skill sets• Certification and professional development• Emerging trends in internal auditing• Evaluation of staff• Internal auditing standards from the Professional Practices Framework• Percentage of time spent on different types of audits in 2005• Role of the board of directors and audit committee• Specific areas of knowledge required of internal auditors
To collect data from a small representative group of experienced internal auditors, the pre-scopequestionnaire was sent to a number of internal auditors in various regions of the world by each ofthe three global teams. The respondents were asked to indicate which items listed on the pre-scope questionnaire should be included or excluded from the CBOK 2006 study. Each topic on thepilot questionnaire was followed by a request for the respondents to add related areas and questionsthat they thought should be included in the final questionnaire.
Sixty-three responses were received from nine countries. Table 10-2 indicates the number ofresponses from each country. Appendix 10-A contains the pre-scope questionnaire and a summaryof the responses, including the respondents’ suggestions for additional areas to be included inCBOK 2006. A majority of participants agreed with the inclusion in the study of most of the topicsin the pre-scope questionnaire and provided insights into other topics that should be included.These areas were priorities for inclusion in the final CBOK questionnaires.
1The CBOK review and the Team America’s literature review were published in a special CBOK 2006 issue ofManagerial Auditing Journal (MAJ), Volume 21, Issue 8, in October 2006. With permission from the publisher ofMAJ, this section uses portions of the following article: Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “Areview of prior common body of knowledge (CBOK) studies in internal auditing and an overview of the global CBOK2006,” Managerial Auditing Journal 21 (8), 2006, pp. 811-821. Hass, S., M.J. Abdolmohammadi, and P.A. Burnaby,“The Americas literature review on internal auditing,” Managerial Auditing Journal 21 (8), 2006, pp. 835-844.
362 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Table 10-2Summary of Pilot Test Respondents by Countries
Countries RespondentsAsia
Australia 11New Zealand 5Malaysia 2
EuropeBelgium 9France 2Italy 6South Africa 1U.K./Ireland 13
USA 14Total 63
To include current practices and explore emerging practices in the profession, CBOK 2006incorporated several topics that were not included in prior CBOK studies. This was based on theliterature review and the results of the pilot survey. Appendix 10-B lists topical areas covered inpast CBOK studies and those that were covered in CBOK 2006. CBOK 2006 used The IIA’sInternational Standards for the Professional Practice of Internal Auditing (Standards) as ofSeptember 2006, the date of the study, as the basis for the focus of the study. The Standardscontain the expanded scope in The IIA’s definition of internal auditing, which includes governance,risk management, and internal control engagements for the internal audit activity (IAA).
_____________________________ Chapter 10: Research Method and Literature Review 363
The Institute of Internal Auditors Research Foundation
CBOK 2006 Questionnaires
Due to the need expressed by The IIA’s CBOK Steering Committee to limit the members’ responsetime to 40 minutes, it was decided to create three separate CBOK questionnaires as follows:
1. Affiliates: The IIA is fortunate to have numerous Affiliate organizations around the world thatprovide services to their geographic area in cooperation with IIA headquarters. This questionnaireasked affiliate leaders questions about regulatory and cultural differences affecting the applicationof ethics and the Standards in their area. One questionnaire was sent to each participatingaffiliate.
2. Chief Audit Executives (CAEs): The Standards define the CAE as the highest positionwithin the organization responsible for the internal audit activity (IAA). Data on the status ofthe IAA within the organization, application of the Standards, skills needed at each staff level,and emerging audit roles were collected from CAEs worldwide.
3. Practitioners: For purposes of this study, Practitioners are all other internal auditors that arenot CAEs. Data about the application of the Standards, how an audit is performed, skill setsneeded, and the emerging roles of IAA were collected from internal auditors worldwide.
The three detailed questionnaires developed by the CBOK 2006 teams were subjected to closescrutiny by The IIA CBOK 2006 Steering Committee. Once the final questions were selected, thequestionnaires were reviewed by a statistical expert and a small group of internal auditors worldwideto ensure completeness and validity. Based on their comments, the final questionnaires weredeveloped and translated from English into 16 languages (Spanish, French, German, Russian, Czech,Turkish, Simplified Chinese, Japanese, Traditional Chinese, Indonesian, Arabic, Polish, Bulgarian,Italian, Portuguese, and Swedish). In September 2006, the CAE and Practitioner questionnaireswere distributed electronically to The IIA membership by participating affiliates, chapters, andUnited States members that allow The IIA to send them e-mails using the survey software Peruses.The Affiliate questionnaire was distributed by The IIA in December 2006. As some of the questionsfor the CAE and Practitioner questionnaires were the same, the questionnaires were combined fortranslation. Please see Appendix 10-C for the combined CAE and Practitioner questionnaire. Aguide for which questions were asked of all participants or either the CAE or the Practitioner isprovided in the first two pages of Appendix 10-C.
364 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Number of Responses
As of September 2006, The IIA had approximately 127,700 members. As listed in Table 10-3, themembership was made up of 143 chapters in the United States, 11 chapters in Canada, 9 chaptersin the Caribbean, and 94 affiliates. The total number of responses to the CAE and Practitionerquestionnaires was 15,028. After the responses that were deemed not usable were deleted fromthe database, 9,366 usable responses remained resulting in a 7.3% overall response rate. Due tosome Affiliates not participating and some members who have opted not to receive e-mails fromThe IIA, the survey was sent to approximately 99,000 members resulting in an estimated 9.5%response rate. The respondents represent 91 countries as one of the participating countries hastwo affiliates.
Table 10-3Number of Participating Chapters and Affiliates
Area *Number of 1 or More Usable Number of AffiliatesChapters/Affiliates Responses from that Returned CBOK
Chapters/Affiliates AffiliateQuestionnaire
U.S.A. 143 133 Not ApplicableCanada 11 11 Not ApplicableCaribbean 9 7 Not ApplicableIIA Affiliates 94 83 46
*Tallied from The IIA’s Web site
Responses were determined to not be useable if the reply was empty or the respondent did notanswer enough questions to be considered for inclusion. A total of 133 United States’ chapters, allof the Canadian chapters, and 7 of the Caribbean chapters participated in CBOK 2006. Eighty-three affiliates had at least one usable CAE or Practitioner response. The number of respondentsfor the United States, Canada, and the Caribbean and for each participating affiliate is summarizedin Appendix 1-B of Chapter 1 and on the inside back cover of this research report. Forty-sixaffiliates returned the CBOK Affiliate questionnaire by the January 15, 2007, cutoff date forinclusion (noted by a + sign in Appendix 1-B in Chapter 1).
Clustering for Groups
As data was collected from numerous affiliates and chapters, a methodology was needed to combinethem into groups for comparison of responses. Clustering literature was reviewed for plausible
_____________________________ Chapter 10: Research Method and Literature Review 365
The Institute of Internal Auditors Research Foundation
ways to combine affiliates and chapters by cultural classification. Pioneer work for culturalclassification was performed by Hofstede (1980), who argued that the four dimensions of PowerDistance, Individualism, Masculinity, and Uncertainty Avoidance influence work environments.Based on these dimensions, Hofstede (1983) classified fifty countries into different cultural zones.In 2004, House et al. expanded Hofstede’s dimensions and the number of countries classified intocultural zones. House et al. (2004) used nine dimensions to classify 62 countries into variouscategories. Table 10-4 defines and lists the dimensions used by Hofstede (1983) and House et al.(2004).
Table 10-4Cultural Classification Criteria
No. Criterion Definition +
1* Uncertainty The extent to which members of an organization or society strive to avoidAvoidance uncertainty by relying on established social norms, rituals, and bureaucratic
practices.2* Power The degree to which members of an organization or society expect and agree
Distance that power should be stratified and concentrated at higher levels of anorganization or government.
3** Institutional The degree to which organizational and societal institutional practicesCollectivism encourage and reward collective distribution of resources and collective
action.4** In-group The degree to which individuals express pride, loyalty, and cohesiveness in
Collectivism their organizations or families.5*** Gender The degree to which an organization or society minimizes gender role
Egalitarianism differences while promoting gender equality.6*** Assertiveness The degree to which individuals in organizations or societies are assertive,
confrontational, and aggressive in social relationships.7@ Future The degree to which individuals in organizations or societies engage in
Orientation future-oriented behaviors such as planning, investing in the future, anddelaying individual or collective gratification.
8@ Performance The degree to which an organization or society encourages and rewardsOrientation group members for performance improvement and excellence.
9@ Human The degree to which individuals in organizations or societies encourage andOrientation reward individuals for being fair, altruistic, friendly, generous, caring, and
kind to others.
+Definitions are from House and Javidan (2004, 11-13)*These two criteria are the same as those of Hofstede’s (1980)**These two criteria are based on Hofstede’s (1980) Individualism***These two criteria are based on Hofstede’s (1980) Masculinity.@House et al. (2004) added these based on literature other than Hofstede (1980).
366 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Since The IIA has affiliates in over 100 countries, the House et al. (2004) classification of 62societies was insufficient for complete classification of the CBOK 2006 participants. By usingadditional information from the Central Intelligence Agency World Fact Book (2006), affiliatelanguage, geographical location, and discussions with The IIA staff and leadership, the affiliatesand chapters were classified into 12 groups. Respondents who did not indicate membership in aspecific affiliate or chapter were clustered into a 13th group that was included in statistical summariesfor the aggregate results but not in affiliate or chapter cultural cluster results. Please refer to theinside back cover of this report for the groups used for the analysis of responses for CBOK 2006.
_____________________________ Chapter 10: Research Method and Literature Review 367
The Institute of Internal Auditors Research Foundation
LITERATURE REVIEW
Introduction
The objective of the literature review for CBOK 2006 was to provide a summary of publishedarticles, studies on special topics, and research projects about the practice of internal auditingaround the world as determined by the research teams around the world. Each research teamprepared a literature review for the countries in their area of the world.
Prior IIA CBOK Studies2
Overview
The IIA has sponsored four prior CBOK studies. Appendix 10-C lists the topical areas covered inthese studies and identifies topical areas covered in the CBOK 2006 study. The past four CBOKstudies are summarized in the following section. Table 10-5 compares the number of participatingcountries and usable questionnaire responses used in each CBOK study.
Table 10-5Comparison of CBOK’s Number of Countries and Number of Respondents
CBOK Year Number of Number of UsableNumber Countries Respondents
I 1972 1 75II 1985 2 340III 1991 2 1,163IV 1999 21 136V 2006 91 9,366
2The CBOK review and the Team America’s literature review were published in a special CBOK 2006 issue ofManagerial Auditing Journal (MAJ), Volume 21, Issue 8, in October 2006. With permission from the publisher ofMAJ, this section uses portions of the following article: Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “Areview of prior common body of knowledge (CBOK) studies in internal auditing and an overview of the global CBOK2006,” Managerial Auditing Journal 21 (8), 2006, pp. 811-821. Hass, S., M.J. Abdolmohammadi, and P.A. Burnaby,“The Americas literature review on internal auditing,” Managerial Auditing Journal 21 (8), 2006, pp. 835-844.
368 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
CBOK I in 1972
The objective of CBOK I (Gobeil, 1972) was to define the CBOK for the profession of internalauditing. The survey was conducted only in the United States. The report was based on a sampleof 100 internal auditors from which there were 75 responses. The questionnaires were distributedto The IIA’s international officers, directors, and the chairs and committee members of allinternational committees. It attempted to define and interpret three areas. The first area was toestablish the knowledge that internal auditors should possess to be considered professionally proficient.The second area of interest was the knowledge required for candidates sitting for the CertifiedInternal Auditor (CIA) exam. The final area was the type of knowledge that should be the focus ofcontinuing professional development and training.
The study outlined three different levels of knowledge required in the three different subject matters(Gobeil, 1972), namely:
• Appreciation of the broad nature and fundamentals involved in, and an ability to recognizethe existence of special features and problems in, various business transactions, anddetermination of what further study or research must be undertaken under variousconditions.
• A sound appreciation of the broad aspects of practices and procedures and an awarenessof the problems related to more detailed aspects thereof. It also included the ability toapply such broad knowledge to situations likely to be encouraged, to recognize the moredetailed aspects which must be considered, and to carry out research and studies necessaryto come to a reasonable solution.
• A sound understanding of principles, practices, and procedures and the ability to applysuch knowledge to situations likely to be encountered in order to deal with all aspectswithout extensive recourse to technical research and assistance.
CBOK II in 1985
The objective of CBOK II (Barrett et al., 1985) was to establish the structure of the CBOK forpracticing internal auditors. This study included responses from the United States and Canada.The researchers first reviewed how the medical, legal, military, religious, accounting, and auditingprofessions determined their CBOK. Then they conducted interviews with directors and managersof large international audit departments in Canada and the United States. Based on this backgroundthe researchers developed and distributed questionnaires to approximately 900 individuals of whom340 returned usable responses.
_____________________________ Chapter 10: Research Method and Literature Review 369
The Institute of Internal Auditors Research Foundation
The researchers identified three key areas of CBOK: knowledge of relevant disciplines; skillsneeded to perform appropriate internal auditing tasks; and experiences necessary to be professionallyqualified, proficient, and a competent internal auditor. Barrett et al. (1985) presented three broadconclusions. First, senior internal auditors should have a firm grasp of the core academic disciplinesof auditing and computer systems and a working knowledge of communications and accounting.Second, at the bottom of the importance scale of knowledge is marketing. Finally, entry-levelinternal auditors are expected to possess as much knowledge but fewer skills as senior-levelauditors, and senior-level (not entry-level) auditors are expected to become professionally certified.
CBOK III in 1991
Albrecht et al. (1992) sent questionnaires to internal auditors in Canada and the United States. Ofthe 1,247 returned questionnaires, 1,163 responses were usable. The research method used by theauthors was the most elaborate of the CBOK studies to date. It included:
• Review of current internal audit literature.• Interviews with content experts in the subject areas identified by the literature review.• Development of the initial questionnaire.• One-day meetings with selected groups of internal audit practitioners in various cities.• Distribution of the CBOK questionnaire to practicing internal auditors and analysis of the
data.
This study contributed to the literature in several significant ways. It identified the competenciesand knowledge that was required for internal auditors to practice at varying levels of experience.It also identified the most appropriate setting (formal education, professional development seminars,or on-the-job experience) where the competency should be acquired. The researchers includedthe following in their findings:
• The knowledge included in the CBOK• The levels at which internal auditors should possess various knowledge elements of the
CBOK• The kind of knowledge that should be included on the CIA examination• The kind of knowledge that should be included in professional development and training
seminars for internal auditors
The authors found that a major demographic factor causing responses to the CBOK questionnaireto vary was the position level of the respondent. As auditors move from staff auditor to senior, tomanager, and finally to director, there are changes in what the respondents perceived should be therequired CBOK.
370 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
CFIA in 1999 (CBOK IV)
The next CBOK project, known as the Competency Framework for Internal Auditing (CFIA),was undertaken by a group of researchers in Australia. The study resulted in the publication of fivedetailed monographs (see Birkett, et al., 1999). To summarize the large amount of informationpresented, The IIA published a short executive summary monograph (McIntosh, 1999). Thesestudies surveyed five groups of participants and provided information about the changing nature ofinternal auditing from compliance to assurance, risk exposures, and control strategies.
The scope of Birkett, et al.’s (1999) studies addressed the areas of the future of the internal auditprofession, the value proposition of internal auditing, the critical competencies of internal auditors,global practices, and an assessment of these competencies. One of the interesting conclusionsfrom this study was that the future will be driven by global organizational change, which would beaccompanied by lower independence for internal auditors. The monographs also concluded thatinternal auditors must increasingly get involved with the assessment of risk and strategies forcontrol. The authors proved to be correct as both of these issues have been addressed by the U.S.Sarbanes-Oxley Act of 2002.
Internal Auditing: The Global Landscape
Birkett, et al. (1999) found that there were major difficulties in discussing the topic of internalauditing at a global level. They found that there was a lack of common meaning for terms like“internal control” and “compliance.” There were also differences in interpretation of “propergovernance.” The surveyed countries agreed on the desired skills that an internal auditor shouldpossess, including cognitive, behavioral, technical, analytic, appreciative, personal, interpersonal,and organizational skills. It was also important for internal auditors to have knowledge in specificareas such as information systems, finance, risk analysis, accounting, internal auditing, benchmarkingtechniques, and legal/regulatory systems. The respondents expressed concern that the certificationrequirements for the CIA designation were oriented toward North American practice. Major issuesand concerns that would affect the profession in the future were identified as globalization, increasedcompetition, rapid technological advancement, and changes in corporate governance.
Internal Auditing Knowledge: Global Perspectives
The profession of internal auditing was also discussed at the global level. The internal auditor’swork environment was further analyzed by its context, factors of influence, key roles in the function,critical knowledge/expertise needed, and the evaluation of the auditing function. The key roles inthe auditing function included audit management, project leader, internal auditor, management
_____________________________ Chapter 10: Research Method and Literature Review 371
The Institute of Internal Auditors Research Foundation
development trainee, specialist, and external consultant. A competent internal audit departmentmust have knowledge of the organization, auditing tasks, technical applications, managementprocesses, risk/control framework, and commercial viability. Developing competency within internalauditing was done through an improved recruiting process and implementation of training/developmentprograms. The auditing function was then assessed based on the linkage between their activitiesand the value they provided. It was suspected that in the future, internal auditing would take on amore anticipatory/proactive role which brought up a discussion on auditors’ independence.
Competency: Best Practices and Competent Practitioners
This monograph includes six units, 27 elements, and many sub-elements, which are assessed throughbest practices. The focus of the monograph was on internal auditor competencies (skills) andcapabilities (potential for making judgment). The authors found that competency was the relationshipbetween task performance and individual attributes such as knowledge, skills, and attitudes(McIntosh, 1999, p. 4). The authors argued for common terminology but admitted that this was notan easy task because there is no equivalent for certain terminology (e.g., compliance) in somecountries.
Competency was defined in terms of best practices that are subject to benchmarks. The authorsdefined competency standards in terms of units of set tasks needed to meet the fundamentalrequirements of performing the audit. Elements of competency are subsets of tasks such asunderstanding organizational objectives/strategies, processes and capabilities, and the contextualdynamics affecting its functioning and sub-elements such as “identify/clarify the organization’sobjectives.” The authors listed six units of competency:
1. U1: Understanding risk2. U2: Understanding adequacy of control strategies3. U3: Improve risk management and control4. U4: Provide ongoing assurance to organizations5. U5: Manage the IA function6. U6: Manage the dynamic context that affect the work of the function
The Future of Internal Auditing: A Delphi Study
Birkett, et al. (1999) conducted a study that captured the opinions of 136 internal auditing expertsrepresenting 21 countries. The study focused on topics of importance to the future of the profession,key tasks performed, drivers of change, skills/knowledge required, and assessment criteria. Theresults indicated that the profession was gradually moving toward a focus on alignment with
372 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
organizational needs and how to create value for the organization. Drivers such as globalization,competition, increasing expectations/demands from stakeholders, legal perspectives, and technologywere changing the context of internal auditing work. With the changes that the profession wasfacing, auditors needed to be knowledgeable and aware of the importance of evaluating riskexposures. The assessment of the auditing function could be assessed internally according to theorganization’s value proposition or externally relative to best practices.
Assessing Competency in Internal Auditing: Structures and Methodologies
In this study, the authors provided four performance criteria: qualitative outcomes such as accuracy,critical process variables such as holistic review, evidence and performance such as relevantdocuments, and consulting and timing. The authors stated that the different designations of auditorlevels are trainee, team leader, manager, and director. Other designations included junior, senior,manager, and director. Internal auditors can also be called consultant, managing consultant, andvice president of audit.
North American Literature Review on Internal Auditing
Overview
The literature reviewed indicates that the role of the IAA has grown significantly over the yearsand given the significant change factors organizations are facing, such as the regulatory environmentand new technologies, it is likely to be subjected to more significant changes in the future. Theliterature is fairly extensive in its investigation of the internal auditor’s role in various corporategovernance issues. An extensive literature review by Gramling, et al. (2004) investigated theincreasing role of the IAA in corporate governance. Due to the recent review of this topic providedby Gramling, et al. (2004), that literature is not reviewed in detail in this chapter. The focus of thisliterature review is primarily on the external environment that is causing change in the organizationand the resulting expanded scope of audits required of the IAA.
The Professional Practices Framework of 2004
The most recent study undertaken by The IIA to determine the nature of the changes in internalauditing and the need to update the definition and standards of the profession was in 1999. Basedon this study The IIA published a report titled, A Vision for the Future: Professional PracticesFramework for Internal Auditing (The IIA, 1999). The report had the following objectives:
_____________________________ Chapter 10: Research Method and Literature Review 373
The Institute of Internal Auditors Research Foundation
• Revise the definition of internal auditing• Produce a new framework• Improve existing processes of standards-setting and guidance development through better
coordination and leveraging of The IIA’s volunteer committees
This report resulted in changes to the definition of internal auditing, The IIA’s Code of Ethics, andThe IIA’s Standards. As seen below, the new definition of internal auditing expands the scope ofinternal auditing into corporate governance and risk management (The IIA, 2004):
Internal auditing is an independent, objective assurance and consulting activity designed toadd value and improve an organization’s operations. It helps an organization accomplish itsobjectives by bringing a systematic, disciplined approach to evaluate and improve theeffectiveness of risk management, control, and governance processes.
This is The IIA’s most proactive and comprehensive definition of internal auditing. It acknowledgesthe changing role of internal auditing in organizations, the need for a comprehensive and adaptableframework, and the ever-increasing value that the IAA contributes to contemporary organizationsof differing sizes and types.
As late as the beginning of the twenty-first century, the evolutionary practice of internal auditingresulted in developing internal audit best practices and adding value to the organization and itsstakeholders by understanding the link between internal audit and organizational goals. Before theenactment of Sarbanes-Oxley, internal audit services were focusing on detection, not prevention.Internal auditors were moving from a confrontational approach to partnering with managementand moving from a controls approach to a risk-based approach. They were also focusing onconsulting services (Roth, 2002).
Chapman and Anderson (2002) argue that the inclusion of assurance and consulting services in thenew definition of internal auditing results in internal auditing becoming a proactive, consumer-focused activity concerned with the important issues of control, risk management, and governance.The definition specifically states the internal audit activity (IAA) is designed to add value andimprove an organization’s operations (The IIA, 2002).
The Standards indicate examples of assurance engagements as financial, performance, compliance,system security, and diligence audits. Examples of consulting activities include conducting internalcontrol training, providing advice to management about the control concerns in new systems, draftingpolicies, and participating in quality teams. In addition, assurance services include financial auditing,performance auditing, and quick response auditing, and consulting services includes assessment
374 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
services, facilitation services, and remediation services (Anderson, 2003). These are all value-added activities and contribute to organizational success and strategic achievement. This wasreflected in the revised Professional Practices Framework which recognized that the IAA neededto support and promote a broad range of value-adding activities (RGTF, 1999). This also allowedfor the recognition of the practice of internal auditing as evolutionary in the competitive marketplace(Krogstad, et al., 1999). The next sections include more focused discussion of the factors thatsignificantly impact the future of the IAA.
Regulations
Prior to the need for compliance with the requirements of Sarbanes-Oxley in the United States andsimilar laws in other countries, the emphasis of the IAA in the late 1990s was more a consultativepartner with management (Roth and Espersen, 2003). Internal auditors also performed reviews ofcontrols over operational systems. In responding to regulatory and technological change factors,organizations are evolving in their need for different types of internal audit involvement. TheSarbanes-Oxley Act (2002) legislation in the United States resulted in extensive regulatoryrequirements for a more effective and better documented system of internal controls over financialreporting in publicly listed companies. The IAA is in an advantageous position to help organizationscomply with these requirements and is being called upon by companies to do much of the work indocumenting and testing key internal controls over financial reporting. The new regulatoryrequirements have increased the IAA’s participation in the development of control documentationand compliance auditing over financial reporting that was often left in the past to external auditors.
Sarbanes-Oxley legislation in the United States required the creation of the Public AccountingOversight Board in 2004 (PCAOB, 2004). PCAOB was created to reform the auditing of internalcontrol systems and financial reporting systems. The major objectives of the PCAOB are to enhancereliable financial reporting and to restore investor confidence after the business scandals andaccounting failures of early 2000s. Faced with the regulatory requirements of Sarbanes-Oxley,many organizations turned to their IAAs for help. Internal auditor involvement was primarilycompliance work surrounding the adequacy of key controls to aid in the increased reporting andgovernance requirements for publicly held companies. Although Sarbanes-Oxley work primarilyemphasized control compliance, it also required internal auditors to provide consulting activitiessuch as control system design.
Sarbanes-Oxley Changes Audit Coverage
The shift of the IAA to a compliance focus is a result of a regulatory regime imposed by therequirements of Sarbanes-Oxley (2002) and the PCAOB (2004). Also influential were the changes
_____________________________ Chapter 10: Research Method and Literature Review 375
The Institute of Internal Auditors Research Foundation
in governance requirements that various stock exchanges implemented (Gray, 2004). Although theresulting involvement in responding to regulatory requirements is still deemed value-added work, itis a different trend than was evolving before the business scandals at the beginning of the centuryin such areas as governance and risk assessment.
An outcome of the current regulatory climate in the United States is that many IAA resources arespent on Sarbanes-Oxley compliance assurance work. A survey of audit managers undertaken inthe third quarter of 2005 indicated that Sarbanes-Oxley (2002) first-year compliance efforts utilized50% or more of internal audit (PwC, 2006). In the resource constrained paradigm within which theIAA operates, this emphasis means that resources must be diverted from operational audits andconsulting activities to increase Sarbanes-Oxley assurance services. This is a challenging resourceallocation problem for the IAA, where strong leadership and analytical skills as well as the abilityto manage projects more efficiently and effectively are required. Also needed are effectivecommunication and negotiation skills to interact with various stakeholders. When diverting resources,leaders of the IAA must be certain that they have a thorough understanding of how their workcontributes value and links to strategy execution and achievement.
The assurance work emphasis necessitated by regulatory requirements could also result in a negativereputation effect. For example, IAA stakeholders may develop a negative perception that is revertingback to the stereotypes of compliance duties in earlier periods. Gray (2004) argues that the imageof internal auditors may be regressing to that of “police” as they identify negative findings in theirassessment and tests of internal controls. This is a serious reputation issue that the IAA mustaddress. Internal auditors must understand when this is happening and neutralize or eliminate suchnegative perceptions if they are to be effective in their assurance and consulting activities, relationshipwith key stakeholders, and in their role as supporter of organizational success. Ignoring suchperceptions can result in reduced effectiveness of the IAA in its assurance and consulting activitiesand with stakeholders.
Finally, an outcome of the expanding regulatory requirements is that internal auditors work closelywith internal management and external auditors. Critics question whether this might damage theobjectivity of the IAA (Krell, 2005). Since independence and objectivity are the cornerstones ofthe definition of internal auditing, there is a need for development of holistic models in which theIAA can maintain its objectivity and independence despite the close working relationships withinternal management and external auditors. To do so may require internal auditors to use effectiveinterpersonal skills such as relationship management and team building, concepts that are widelyresearched and discussed in management science.
376 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Risk Assessment
A recent survey shows that regulatory requirements diverted internal audit resources from otherimportant internal audit activities such as risk-based audits to assurance work (PwC, 2005A).Failure to address key strategic and operational risks as well as compliance risk in an annual auditprogram undermines the effectiveness of the IAA. It diminishes its strategic value to keystakeholders and exposes the enterprise to greater operational and financial risks in the future.Balancing all risks that an organization faces is imperative to the success of the IAA and theorganization as a whole (Krell, 2005).
Internal auditors must not only be able to assess risks in their larger organizations, they must alsobe able to complete complex risk analyses in their own IAA. Being able to self-evaluate is importantto the success of the IAA. To accomplish this, internal auditors need to possess increasing levelsof critical thinking, analysis, decision making, and logic. These are among the skills included in theCBOK 2006 study.
Increased Demands on the IAA
Balancing the complex, competing demands of stakeholder needs with limited IAA resources alsorequires effective management by the chief audit executive (CAE) (PwC, 2006). To be perceivedto add value, the internal audit activity must strategically align with the needs and priorities of all ofits key stakeholders, including the audit committee, executive management, and external auditors.Communicating the needs of the audit function, both orally and in writing, to key stakeholders iscritical to successfully maximizing resources. Effective risk analysis, time management, andprioritization of tasks are important skills for internal auditors to ensure effective utilization ofscarce resources.
The increased demand for the IAA services places strain on many departments’ limited timebudgets resulting in outsourcing and/or co-sourcing of activities. Rittenberg and Covaleski (1997)argue that outsourcing would be viable for functions that are not unique. For areas with specializedneeds or competencies, outsourcing may be a viable alternative. Outsourcing reduces the demandfor a scarce resource but requires management of external contract workers and their employers.CAEs must ensure that their management of internal audit staff is a transferable skill that can beused for the management of external co-sourcing relationships.
_____________________________ Chapter 10: Research Method and Literature Review 377
The Institute of Internal Auditors Research Foundation
Information Technology
The information technology (IT) used by companies is becoming increasingly more complex. TheIAA must embrace technology, understand it, and be able to effectively audit the processes anduse it as an audit tool. Internal auditors will have to provide increased assurance by providing ITcontrol assessment within the system of internal controls. If IT controls are selected and implementedproperly on the basis of the risks they are designed to manage, then a methodology to continuouslymonitor IT control effectiveness and validity could provide the assurances needed (Le Grand,2005). Knowledge of IT controls, IT auditing techniques, and the current trends in IT enhancesunderstanding and efficient utilization of IAA resource.
While the complexity of IT makes auditing more challenging, it also provides an opportunity tostreamline internal audit activities by designing and utilizing continuous IT controls. This can relievesome of the stress of limited IAA resources that were noted previously. The use of continuousauditing may reduce the need for detailed annual reviews that have been typical in the past.Continuous auditing gives internal auditors the ability to monitor key business systems for bothanomalies at the transaction level and for data-driven indicators of control deficiencies and emergingrisk. This can also be incorporated into other aspects of the audit process (Coderre, 2005). Undercontinuous auditing, technology is an enabler, but must be initiated and managed by the IAA (Warren,2003). Continuous auditing should not be confused with continuous monitoring, which may bemanagement driven (COSO, 2004).
Computer-assisted audit tools (CAATs) can also expand audit coverage when there are finiteresources. Maintenance of existing resource levels while expanding the scope of continuousmonitoring and reporting of organizational effectiveness can be accomplished by utilization ofautomated testing capabilities. Effectively enhancing the extent of audit coverage would reducethe risks that arise with constrained resource allocation (PwC, 2005B). Training for computer skillsfor the internal audit staff would ensure IT expertise as an alternative to traditional manual audittechniques.
Risk-based Internal Auditing
The IIA’s Standards require the establishment of risk-based plans to determine that the prioritiesof the IAA are consistent with organizational goals. For example, the risk of noncompliance withthe regulatory requirements of Sarbanes-Oxley and other laws is a risk to the organization thatshould be assessed along with other risks when finalizing audit plans. Sarbanes-Oxley requiresmanagement’s development and monitoring of procedures and controls for making their requiredattestation regarding the adequacy of internal controls over financial reporting.
378 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
The Standards require that internal audit activities evaluate and contribute to the improvement ofthe organization’s risk management, control, and governance processes through consulting andassurance activities. Thus, after the first few years of compliance, the role of internal auditingactivity for Sarbanes-Oxley compliance should be one of support through consulting and assuranceactivities as outlined in the Standards (The IIA, 2004). This should allow the IAA to go back to abroader scope of services and provide more consulting than assurance services.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) releasedEnterprise Risk Management - Integrated Framework to help businesses respond to enterpriserisk management issues in their own organizations (COSO, 2004). The COSO definition of internalcontrol differs a bit from The IIA’s definition but the two are substantively similar enough that theyseek to accomplish the same purpose. Since assessing the effectiveness of risk management iscore to the globally accepted definition of internal auditing, the role of internal auditors must beclearly defined by organizations to ensure that they do not set the risk appetite, impose riskmanagement processes, or make decisions about risk responses. These are the duties ofmanagement. The IAA must not be accountable for risk management decisions for the organization(The IIA, 2005). The IAA must be objective and independent if it is to perform its value-addedduties and continue to contribute efficiently and effectively to corporate success.
The current emerging business trend appears to be that the business environment challenges manyorganizations to simultaneously strengthen their internal controls and sustain compliance withSarbanes-Oxley while also operating efficiently. After the first year of material compliance costs,organizations are faced with trying to reduce these costs. A top down risk-based approach to costcutting may help companies cut costs while identifying the most effective and efficient controlsneeded to both achieve compliance and reduce efforts (Deloitte, 2006). If this impacts the internalaudit activity in the future, concern about objectivity, independence, and risk may occur but mustinstantly be mitigated. By working independently and organizing the audit plan to focus on theneeds identified in a risk-based assessment in conjunction with discussion with key stakeholders,the IAA will be able to perform objective and independent audits.
Objectivity
Internal audit’s role is critical in assurance audits because it provides objective assurance (PwC,2005B). The assurance function of internal audit has always been perceived as an independentand continuing appraisal of an organization’s internal control system, providing appropriate assurancethat the systems were adequate, effective, and could be relied upon (The IIA, 2002). This isimportant because the internal control system comprises the entire network of systems establishedin an organization to provide reasonable assurance that organizational objectives will be achievedwith particular reference to risk; effective operations; economical and efficient use of resources;
_____________________________ Chapter 10: Research Method and Literature Review 379
The Institute of Internal Auditors Research Foundation
compliance with procedures, laws, and regulations; safeguarding against loss, including fraud; andthe integrity and reliability of information and data (PwC, 2006). If auditors are to succeed in thisenvironment, they must be comfortable with governance, fraud, and ethical audits as they performan objective evaluation of the control environment.
New regulation has elevated internal auditing and moved it to the forefront of executive consciousnessand corporate governance. Internal auditors are now being viewed as the “go-to” group andmanagement is more receptive to changes and recognition of those individuals who help minimizethe negative consequences of disruption caused by the new regulations (Gray, 2004). Objectivityand professionalism are necessary for effective internal audit services. A change in the traditionalservices offered leads to an increase in the risks related to objectivity and independence. Managingthese risks requires auditors to be competent, have integrity, and to use due care when performingtheir duties. Training and education provide the foundation for the objectivity needed for auditorcompetence and adherence to moral values avoids the perception of deception (Mutchler, 2001).
Strategic Perspective
Due to the demands for increased corporate governance by external stakeholders, managementhas been demanding a more tangible explanation of value-added contributions from various functions(Zoellick, 2005). To be perceived to add value, the IAA must strategically align with the needs andpriorities of its key stakeholders, including the audit committee, executive management, and externalauditors. Strategic implementation has become increasingly important as organizations must competewith other, often more nimble, entities. Therefore, value for internal auditors may be defined assupporting the execution of strategy and those that lead its implementation (Simons, 2000).
To achieve this goal, foundational knowledge for internal auditors includes an understanding of thebusiness, the competitive nature of the industry, and the linkages of all functional and operationalareas in the company. The importance of academic training in foundational business subjects anda focus on the functions and skills learned in upper-level management courses appear critical fortoday’s new auditors. Without such knowledge, misunderstanding the strategic orientation ofstakeholders could impact perceived value added by and the success of the IAA.
Summary
The main message from this literature review is that understanding how internal audit activitiescreate value in an organization is of critical importance. Also important is the recognition that thecontemporary IAA is positioned to strategically align its goals with those of its many stakeholders,and yet must remain independent and objective. Another important message from this review isthat the IAA must position itself to be actively involved with risk assessment, control, and governance.
380 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Given the regulatory requirements in the United States that have absorbed approximately 50 percentof the IAA’s limited resources, resource allocation has become a key activity of the IAA. Internalauditors need to take full advantage of new technologies such as continuous auditing and softwareinnovations in IAA department management. The IAA must use its limited resources to supportkey activities and organizational needs. Strategic alignment requires that the internal audit functionposture itself as vital to a rigorous, sustainable organizational vision of responsiveness to bothinternal and external needs. Enterprise risk assessment, and the subsequent allocation of resourcesto provide assurance about the adequacy of the control environment to key stakeholders, is adaunting task. Audits for all scope areas require a broad set of specialized skills.
Asia Pacific Literature Review on Internal Auditing3
Overview
Most available literature relates to Australia, New Zealand, China, Malaysia, Singapore, and HongKong. The approach in this literature review is to review the Asia Pacific developments inapproximate chronological order rather than country by country.
Early 1980s
The first known empirical study on the role of internal auditing in the Asia Pacific region was thatundertaken by Cooper and Craig (1983). This seminal research on internal auditing in Australiafound a number of issues that were of concern to the profession. It was found that there were anumber of misconceptions about what internal auditors were doing and what their chief executiveofficers (CEOs) perceived was being done, and in fact there were expectations by the CEOs thatinternal auditors could do more than the traditional financial auditing work mainly being done at thetime. There was nevertheless strong support for internal audit by CEOs and at the time it was seenas offering long-term career prospects. However, the profession in Australia in the early 1980ssuffered from an image problem, it did not have a strong professional body to represent its interestsas it has now, and there were no generally accepted professional qualifications recognized asnecessary to practice as an internal auditor. This study was undertaken before the development ofmodern internal auditing.
3The Asia Pacific literature review was published in a special CBOK 2006 issue of Managerial Auditing Journal(MAJ), Volume 21, Issue 8, in October 2006. With permission from the publisher of MAJ, this section uses portionsof the following article: Cooper, B.J., P. Leung, and G. Wong, “The Asia Pacific literature review on internal auditing,”Managerial Auditing Journal 21 (8), 2006, pp. 822-834.
_____________________________ Chapter 10: Research Method and Literature Review 381
The Institute of Internal Auditors Research Foundation
Early 1990s
Cooper’s et al. (1989) Hong Kong study surveyed both CEOs and internal audit managers withrespective reasonable response rates of 25.8% and 23.1% in a survey of 485 organizations. At thetime, this was a very good response rate from business people as the culture in Hong Kong is notgenerally conducive to responding to surveys.
The Hong Kong study was aimed at determining the (then) current state of internal audit practicein Hong Kong, the level of professionalism evident in internal audit departments, and their trainingneeds. The majority of CEOs (45.6%) saw the main role of internal auditing as being an independentappraisal of the internal control system; 21.6% perceived internal auditing’s main role as anindependent review of the efficient operation of the organization; and 19.2% were more concernedwith proper safeguarding of assets and preventing and detecting fraud and error. From the perspectiveof internal audit managers, they saw their main role in financial auditing (including internal controlreviews), representing up to 50% of the activity in 94% of the internal audit departments respondingto the survey. The other major activity was the audit of operational areas to improve operationalefficiency, in line with the expectations of the CEOs as noted above. This study also found thatonly a minority of internal audit managers were members of The IIA and that on-the-job trainingwas mainly relied upon to develop internal audit skills.
During 1992, Cooper, et al. (1994) sent a major survey to the internal audit profession in Australia.He mailed questionnaires to CEOs and internal audit managers of a wide range of organizations inboth the private and public sectors. The research aimed to provide a profile of internal auditing inAustralia in the 1990s. It also addressed a number of issues, including attitudes and recognition;professionalism; role and scope of internal audit work; career opportunities; education and training;and the future role of internal auditing. A total of 687 organizations were surveyed with separatesurveys being sent to CEOs and internal audit managers, with usable response rates of 31.0% and30.9% respectively.
Although the overall view was a positive one in terms of attitudes and recognition, there was someconfusion between perceptions by CEOs and the reality as seen by the internal audit managers.Findings included:
• The perceived high profile of internal auditing as reported by the CEOs was not necessarilyborne out by their understanding of the audit process; for example, their strong support forthe “mechanical” aspects of the process rather than a more management-oriented role forinternal auditing.
382 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
• Reporting levels were generally less than ideal and the confusion between perceived statusand the reality of the situation was further reinforced by internal audit managers’ views onhow their role was seen by clients, particularly with respect to a perceived policing function.
• The survey did uncover some concerns over the number of internal audit managers whoare not members of The IIA and confusion about the value of the existing internal auditqualifications such as the CIA designation.
• Regarding the role and scope of internal auditing, the CEOs appeared to place the greatestemphasis on the audit of financial areas, and yet most internal auditors were by thenconcentrating on operational areas.
• There was general overall support for education and training, but there was apparentconfusion among internal audit managers as to whether internal auditing is a training groundor a career position.
• 85 percent of them agreed that management usually implemented audit recommendations.• 80 percent agreed that there was adequate feedback from management on audit
recommendations.• 85 percent agreed (including 24 percent strongly agreeing) that the internal audit activity
would become increasingly important to management in the future.
The Mid-1990s
In 1996, the first study on benchmarking internal auditing in the region was published by Cooper,Leung, and Mathews (1996). The three countries compared were Australia, Malaysia, and HongKong. The paper was based on the aforementioned studies of Australia in 1992, Hong Kong in1989, and a study by Mathews, Cooper, and Leung in Malaysia in 1994, which was based on acomparable methodology to the Australian and Hong Kong studies. These comparative studiesshowed that CEOs in Malaysia were very positive in their perceptions of internal auditing as wereCEOs in Australia. The perceptions were less positive with CEOs in Hong Kong.
CEOs’ understanding of internal audit activities in Malaysia and Australia appeared to set positivebenchmarks, with Malaysian CEOs particularly positive in their view of internal auditing as anindependent review of the efficient operation of the organization. However, the CEOs in HongKong were more concerned with internal audit resources being devoted to appraisal of internalcontrol, which is reinforced by their views of internal auditing being more exploitative and authoritativethan consultative.
An important benchmark is ensuring that audit recommendations are well thought through anduseful for management and this will normally be evidenced by the extent to which managementtakes notice of, and implements, internal audit findings. In this comparative study, 79.6% of Australian
_____________________________ Chapter 10: Research Method and Literature Review 383
The Institute of Internal Auditors Research Foundation
internal audit managers agreed (with 19.1 % strongly agreeing) that CEOs recognize theiraccomplishments, compared with 80.1% in Malaysia and 83.3% in Hong Kong (although in thiscase, only 13.6% strongly agreed). With respect to the implementation of internal auditrecommendations by management, 85.5% of internal audit managers in Australia were in agreement,compared with 84.4% in Malaysia and 84.9% in Hong Kong. With regard to the adequacy offeedback from management on audit findings and recommendations, more than 75% of internalaudit managers in all countries were positive on this issue.
The Late 1990s
In 1997, a special edition on internal auditing in China was published by Managerial AuditingJournal, with papers by a number of practitioners and academics. Although none of the paperspresented empirical data, they did provide an insight into internal audit practice in China at the time.It is important to understand that the internal audit activity in China is an agent of the State, unlikein Western countries. Tang, Chow, and Cooper (2000) provide a background on how internalauditing operates in China in their book Accounting and Finance in China - A Review of CurrentPractice. In 1983, the State Council in China established the Audit Administration of the PeoplesRepublic of China (AAPRC) to supervise all auditing activities in the republic, and in 1988 issuedthe Regulation on Audit of the People’s Republic of China, the first comprehensive statute onstate audit, which dictated that state auditing, internal auditing, and public auditing are all to beguided by the AAPRC. In 1994, the Eighth National People’s Congress adopted the Audit Law ofthe People’s Republic of China, which provided for an audit organizational framework consistingof government audit institutions (departments), internal audit institutions, and public audit institutionsset up at various levels with varying degrees of authority.
Under the system in China, the designated scope of work carried out by internal audit institutionsincludes the audit of financial revenues and expenditures; the audit of economic contracts; theaudit of construction projects; and the audit of internal control. An additional audit area is the auditof economic responsibility, which ensures that management assumes its economic responsibilities,including the maintenance of assets, observance of economic laws and regulations, and fulfillmentof operational budgets.
Cai (1997) agrees with the categorization of internal audit roles as noted by Tang, Chow, andCooper (2000), but observes that as the socialist economy continues to develop in China, it is thelatter role of the audit of economic responsibility that is assuming major importance. As the economydevelops, different challenges will face internal auditing, and as management and state ownershipseparate in formerly State-owned enterprises, the role of internal auditing to help managementmake the transition and still protect the interests of the State will become more important. Wang
384 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
(1997) also points out that with the development of the market economy, enterprises need toimprove internal control systems, management and production technology, and reduce productioncosts; therefore, market competition requires the strengthening of internal auditing.
In addition, the Chinese have a practice called “guanxi” in business. In the Chinese language,“guanxi” is the term for a personal relationship. It refers to the networks of informal relationshipsand exchanges of favors that dominate all business and social activities that occur throughoutChina (Lovett, et al., 1999; Lou, 1997). Guanxi works on the basic, unspoken word. Individualsseek to meet their guanxi responsibilities, and failure to do so results in damaged prestige. InChina, business people first strive to build personal relationships with a potential customer and,once admitted to the clan/guanxi family, business follows. Thus, trust must be established beforebusiness may be conducted. Guanxi is nurtured by the exchange of gifts and favors. However,such gifts strike ethical nerves in Western society as gifts are contrary to at least the spirit if not theletter of the laws such as Sarbanes-Oxley and make it hard to follow internal auditing standards.
2000 Onward
A major study has been undertaken in New Zealand by Van Peursem (2004) on internal auditors’role and authority. In this study, internal auditors were asked to come to a view on whether functionsthey perform in connection with internal audit engagements are essential, and to what degree theyfeel they enjoy the authority over, and independence from, management that we might expect of aprofessional. The research constituted a survey of New Zealand auditors, all of whom were membersof the New Zealand affiliate of The IIA. A very high response rate of 73% was achieved over theoriginal and follow-up survey. The study found that characteristics of a “true” profession exist butdid not dominate. Significantly, and as subgroups, Van Peursem (2004) also observed that publicpractice and experienced auditors may enjoy greater influence over management, and accountancy-trained auditors may enjoy greater status owing to the “mystique” of their activities emanatingfrom their membership of well-known accountancy professional bodies.
Van Peursem (2004) also notes that Cooper et al. (1996) identified a potential issue in confusionbetween expectations that internal auditors will both independently evaluate management’seffectiveness, and also aid management. More recent observations by Glascock (2002) and McCall(2002) have expressed similar concerns. Van Peursem (2004) also concludes that a key issue isthat internal auditors will assume whatever position is in the best interests of their employer and bereluctant to counter management, irrespective of the consequences, which is potentially damagingin terms of image for the internal audit profession.
_____________________________ Chapter 10: Research Method and Literature Review 385
The Institute of Internal Auditors Research Foundation
In a follow-up study in New Zealand, Van Peursem (2005) examined the role of the New Zealandinternal auditor and conceptualized on the auditor’s influence over that role. The fundamentalquestion is how an effective internal auditor can overcome the tension of working with managementto improve performance, while also remaining sufficiently distant from management in order toreport on their performance. The research found that there are three concepts characteristic ofthose who best balanced their role: the internal auditor’s external professional status; the presenceof a formal and informal communication network; and the internal auditors’ place in determiningtheir own role. Informing these concepts is the auditor’s ability to manage ambiguity. This was aqualitative study using a multiple case-based approach in which the researcher made observations,examined documents, and interviewed senior internal auditors in six New Zealand organizations.
In a Singaporean study reported by Goodwin and Yeo (2001), factors that may impact on theindependence and objectivity of internal auditing were investigated. In particular, the researchersconsidered the relationship of internal auditors and the audit committee and the use of the internalaudit activity as a management training ground, in terms of the potential effect on the independenceand objectivity of internal auditing. A survey of chief internal auditors found a strong relationshipbetween internal auditing and the audit committee, particularly where the committee was comprisedsolely of independent directors. Chief internal auditors were generally found to have regular andprivate access to the audit committee and this was supported by the regulatory framework inSingapore, which provided support for the independence and objectivity of internal auditors.
The use of internal auditing as a management training ground was also found to be widespread. Itwas also more common where an audit committee existed and where the organization was a largerentity. This existence of an audit committee minimized any negative impact on independence andobjectivity of the internal audit activity in situations where internal auditing was used as a managementtraining ground.
A study undertaken by Goodwin (2004) explored similarities and differences between public sectorinternal auditing and its counterpart in the private sector. Features examined include organizationalstatus, outsourcing, using internal auditing as a “tour of duty” function, audit activities, andrelationships with the external auditor. The study is based on a survey of chief internal auditors inorganizations in Australia and New Zealand. Results suggest that there are differences in statusbetween the internal audit activity in the two sectors, with public sector internal auditors generallyreporting to a higher level in the organization. While a similar amount of work is outsourced, publicsector organizations are more likely than those in the private sector to outsource to the externalauditor. There is little difference between internal audit activities and interactions with externalaudit in the two sectors. However, private sector internal auditing is perceived to lead to a greaterreduction in external audit fees compared to that in the public sector.
386 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Goodwin-Stewart and Kent (2006) explored the voluntary use of internal auditing by Australianpublicly listed companies and sought to identify factors that lead listed companies to have aninternal audit activity. The study predicted that internal audit use is associated with factors relatedto risk management, strong internal controls, and strong corporate governance. To test the predictions,the study combined data from a survey of listed companies with information from corporate annualreports. The results indicate that only one-third of the sample companies use internal auditing.While size appears to be the dominant driver, there was also a strong association between internalauditing and the level of commitment to risk management. However, the study found only weaksupport for an association between the use of internal auditing and strong corporate governance.The study indicates that a large proportion of Australian listed companies do not use internalauditing and many of those firms that do have only one or two internal audit staff, a finding supportedby research by Leung, Cooper, and Robertson (2004). The implications of these findings for soundcorporate governance are serious, as it has been suggested that it is difficult for audit committeesto be effective without the support of internal auditing. It would appear that there is considerablescope for strengthening the relationship between internal auditing, audit committees, and externalauditors.
Leung et al. (2004) researched the role of internal auditing in corporate governance and managementin Australia. The specific objectives of the research were to identify the accountability structuresand internal audit objectives of organizations; determine the nature and extent of internal auditpractice; determine the management and governance relationships of chief audit executives (CAEs)within organizations; assess the application of the redefined internal audit activity; identify financialreporting risks and governance issues encountered by internal auditors; assess the effectiveness ofinternal auditing’s role in management accountability in a world actively concerned with corporategovernance issues; and recommend improvements in internal auditing. The researchers used atwo-pronged approach to ascertain information pertinent to the objectives. First, the total populationof CAEs in Australia was surveyed using an e-mail survey. The population total, based mainly onmembership of The Institute of Internal Auditors – Australia, was 397 and a 21.4% response rateyielded 85 usable responses. Second, eighteen CAEs were interviewed to gain a deeper insightinto issues that internal audit faces in Australia. To minimize any selection bias, an additional sevensenior business representatives from listed companies and the governmental sectors, includingregulatory bodies, were also interviewed.
This Australian study found that CAEs were generally very positive about the performance of theinternal audit activity. They see themselves as a key part of the management team, and that theycan influence decisions, maintain a sufficient level of objectivity, integrity, and competence in theirjobs, and are able to provide good support for their own staff. They view the culture and supportof management as a key factor in ensuring the effectiveness of their role.
_____________________________ Chapter 10: Research Method and Literature Review 387
The Institute of Internal Auditors Research Foundation
A high percentage of respondents indicated that they perceived management recognized their rolein enhancing good corporate governance and that management appeared to take an interest in theirwork. On the other hand, there were views expressed that they should have a greater role in theorganization’s governance processes, although some were concerned that they did not have sufficientresources to discharge such additional work effectively. Many were also unsure about how theyshould actually go about making an effective contribution to the improvement of corporate governancein their organizations. What this Australian study indicates is that despite the universal concernsabout the need to enhance good corporate governance and the contribution that the internal auditingprofession can make, the internal auditor’s role in contributing to the process cannot be taken forgranted.
Ernst & Young et al. (2005) undertook a benchmarking study of internal audit services in thecommunications and entertainment sectors in both Australia and New Zealand. The study foundthat 63% of respondents indicated they had entered into a co-sourcing relationship with an externalparty and 13% had completely outsourced their internal audit function. With regard to reportingrelationships, 72% report primarily to the chair of the audit committee and 62% have increased thesize of their internal audit activities in the prior 12 months. With respect to corporate governance,63% of respondents are involved in providing assurance or monitoring compliance with the AustralianStock Exchange (ASX) Corporate Governance Principles.
Fadzil et al. (2005) undertook a study in Malaysia to determine whether the internal audit departmentof the companies listed on the Bursa Malaysia (Malaysian Stock Exchange) comply with theStandards and whether compliance with the Standards affects the quality of the internal controlsystem of the company.
It was found that management of the internal audit department, professional proficiency, objectivity,and review processes significantly influence the monitoring aspect of the internal control system.The scope and performance of audit work significantly influences the information and communicationaspects of the internal control system, while performance of audit work, professional proficiency,and objectivity significantly influence the control environment aspect of the internal control system.The study also shows that management of the internal audit department, performance of auditwork, the audit program, and audit reporting significantly influence the risk assessment aspect ofthe internal control system. Lastly, performance of audit work and audit reporting significantlyinfluences the control activities aspect of the internal control system.
A study in Malaysia by Ali, et al. (2004) looked at internal auditing in the state and local governmentsof Malaysia. Based on a series of semi-structured interviews, the authors found that only a minorityof local governments in Malaysia have an internal audit activity. The presence of quite a small
388 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
number of local governments with internal auditing may be due to the fact that in at least twostates, the internal audit activity of their local government departments is conducted by the internalaudit departments or units attached to the two state governments. There is no comfort, however,for such an arrangement – though it is certainly better than having no internal audit done at all atthe local government level. This is because internal auditing in so many of the state governmentsand their statutory bodies is operating with numerous limitations. The severest problems areconcerned with a shortage of audit staff and staff lacking in audit competencies. In manyorganizations, the non-audit personnel and top management are generally unsupportive of internalauditing.
Another study in Malaysia by Ernst & Young (2004) was undertaken to develop an understandingof the practice of internal auditing following the tightening of regulations and the increasingimportance of risk management and corporate governance practices in Malaysia. The survey wasgiven to participants of The IIA Malaysia’s National Conference held in September 2004 in KualaLumpur. Responses were received from 292 out of more than 600 participants. A total of 87% ofthe respondents stated that the primary function of internal auditing is to provide assurance ofinternal control and risk management processes and systems. The secondary role of the internalaudit activity is focused on three areas, namely, operational reviews (32%), efficiency of operations/cost savings (20%), and risk management (11%). The majority of respondents indicated havingstaff levels ranging from less than 5 to 25, although 50% of the respondents indicated that the sizeof internal auditing has increased in the past 12 months. The increase in the number of internalaudit staff could be the result of the rising importance of corporate governance in Malaysia.
Respondents reported that more than half of the internal audit staff are qualified auditors (53%),complemented by staff with a commercial background (26%) and information technology specialists(12%). Most of the respondents (in excess of 70%) indicated that their methodology commonlyincluded risk assessment, control evaluation, and process analysis. However, about 13% and 15%of the respondents respectively reported not having a risk assessment and control evaluation process.Only 30% of respondents reported internal auditing having commissioned an independent review.Of the 30% of respondents who indicated that a review had been conducted, 46% indicated thatthe review was conducted by peer companies while 44% engaged a professional services firm.
Ernst & Young (2005) also conducted a survey of internal auditing in Australia and New Zealandof the Australian Stock Exchange’s (ASX) top 200 companies in Australia and the top 100 listedcompanies in New Zealand and received 173 responses. The aim of the survey was to further theunderstanding of how internal audit activities in both the public and private sectors are continuingto evolve to meet ever-increasing demands and expectations. In total, 39% of respondents increasedthe size of their internal audit activities over the previous 12 months and 78% of internal auditactivities now report to either the audit committee chair or the CEO. Just 54% of internal audit
_____________________________ Chapter 10: Research Method and Literature Review 389
The Institute of Internal Auditors Research Foundation
staff have a financial background, suggesting that internal audit teams are increasingly undertakingnon-financial reviews and recruiting more commercial and other specialist skills; 77% of respondentshave at least part of their internal audit conducted by an external party, mostly due to the need forspecialist skills.
Over half the organizations surveyed have changed the coverage of internal auditing to help supportthe ASX Principles of Good Corporate Governance. These internal audit teams are undertakingmore detailed controls testing and increasing their focus on providing assurance around riskmanagement frameworks to underpin compliance with the principles. In New Zealand, 76% ofprivate sector respondents have audit committees that satisfy the requirements of the updatedNew Zealand Stock Exchange Listing Rules. In both countries, 84% of internal audit activities arebasing their annual audit plan on generally accepted risk management principles.
Carey et al. (2006) undertook a study to investigate the determinants of internal audit outsourcingusing survey data on 99 companies listed on the Australian Stock Exchange. It was noted that54.5% of companies fully rely on an in-house internal audit activity, with the others outsourcing allor some of their internal audit activities. Outsourcing is associated with perceived cost savings andthe technical competence of the provider. However, it was also observed that 75% of those companiesoutsourcing did so to their external auditor, which may have implications for perceptions about theindependence of the external auditor.
Summary
The above provides a summary of the trend and literature covering internal auditing in the AsiaPacific region from the seminal work by Cooper and Craig in 1983 until the most recently reportedstudies in the academic and professional literature. In reviewing the above literature, a fewobservations can be noted:
• While internal auditing has been strongly supported by management, including the CEOs,conclusive consensus as to the role of internal auditors has not yet emerged.
• The function of internal auditors has changed from a more financially oriented role intoone that focuses on internal controls and risk assessment through the last two decades.CEOs have generally perceived internal auditing as having a financial function, whileinternal auditors moved their emphasis into systems and risks.
• There was, and still is, confusion regarding the independence of internal auditors. This ismade more complex by the definition of internal auditing which encompasses both theexpectations of the consulting role and the assurance role. Internal auditors are uncertainas to how to balance independence in both roles.
390 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
• During the 1990s, the increasing use of international accounting firms in consulting andassurance engagements overshadowed the internal audit function.
• The U.S. Sarbanes-Oxley Act of 2002 added the dimension of internal financial reportingassurance expected of internal auditors and audit committees.
• With the apparent lack of a structured approach to the body of knowledge, a clearlydefined role, and an apparent lack of status underpinned by a rigorous generally acceptedprofessional program (the CIA program has had limited uptake in Asia Pacific), internalauditing has suffered from lack of prominence in Asia Pacific.
• The Common Body of Knowledge 2006 study is timely and highly significant in shapingthe internal auditing profession in Asia Pacific in the years to come.
European Literature Review on Internal Auditing4
Overview
This section summarizes the major studies addressing internal auditing and related corporategovernance issues in Europe and is drawn from work carried out by authors from Belgium, Italy,the Netherlands, and the United Kingdom.
Physically, Europe can be described as a continent that contains approximately 45 separate nationsranging in size from the smallest states in the world to among the largest. Politically and economically,there is a diversity that includes former centralized economies (former USSR states such as Russiaand Ukraine), economies where state intervention is active (France), and free market capitalisteconomies (such as the U.K.). There is also a range of developmental status from post-industrialthrough to agrarian-based. Culturally, Europeans speak more than 200 different languages (withmany states being as a minimum bilingual and trilingual). Given that each state also has its ownlegal system and business traditions it is not surprising that there can be no “one size fits all” codeof corporate governance. The following is a summary of the major European studies on internalauditing.
4The European literature review was published in a special CBOK 2006 issue of Managerial Auditing Journal (MAJ),Volume 21, Issue 8, in October 2006. With permission from the publisher of MAJ, this section uses portions of thefollowing article: Allegrini, M., G. D’Onza, L. Paape, R. Melville, and G. Sarens, “The European literature review oninternal auditing,” Managerial Auditing Journal 21(8), 2006a, pp. 845-853.
_____________________________ Chapter 10: Research Method and Literature Review 391
The Institute of Internal Auditors Research Foundation
Institut Français de l’Audit et du Contrôle Internes (2005)
This French study followed up a previous version in 2002 that was conducted in conjunction withErnst & Young. The survey was sent to 508 chief audit executives (CAEs), with a response rate of37%. Both the private and public sectors were included. Statistics include detailed descriptiveresults illustrated with charts and tables completed with results from interviews with the six majorCAEs. By conducting this survey, Institut Français de l’Audit et du Contrôle Internes (IFACI)wanted to assess the recent evolution in internal auditing in France, investigate the impact of newlaws and regulations, and assess the future of internal auditing. Major findings are discussed below.
Internal Audit Role in Corporate Governance
The independence and objectivity of internal auditors are guaranteed by their double reporting linesto top management and the audit committee. About 50% of the internal audit departments in thisstudy have a formal meeting with their top management every quarter, whereas 40% of the CAEshave private meetings with the head of the audit committee. The audit committee is primarilyinterested in the internal audit activities and mainly the implementation of their recommendations.More than half of the internal audit departments are involved with activities related to corporategovernance.
Internal Audit: Still Strongly Focused on Assurance
Assurance engagements are still dominant, representing 73% of the working agenda of internalauditors. These engagements mainly deal with the evaluation of internal controls, as well ascompliance audits. With respect to consulting engagements, internal auditors give advice andparticipate in specific projects or working teams.
Internal Audit’s Role in the Implementation of New Laws and Regulations
It is interesting to see that internal auditors play a key role in implementing laws such as the “Loi deSécurité Financière” and Sarbanes-Oxley. More than two-thirds of the internal audit departmentshave developed a project on internal control reporting and 74% have dedicated a part of theirworking time on the implementation of Sarbanes-Oxley. These two laws have slightly changedinternal audit’s work in that it has become more risk-based. In those companies that have tocomply with Sarbanes-Oxley, internal auditors currently spend more time on the evaluation offinancial controls and regularly conduct financial audits.
392 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Internal Auditors as Credible, Objective, and Professional Partners
A large majority (82%) of the internal audit departments have an internal audit charter, formallyapproved by top management and the audit committee. In order to guarantee their objectivity, mostof the internal auditors adhere to the Code of Ethics defined by the profession. Even when theinternal audit plan is strongly influenced by specific requests from top management and the auditcommittee, the internal audit plan is, in a majority of the cases, also based on a risk assessment. Itwas observed that a significant number of CAEs have difficulty finding people with the rightcompetencies. This is one of the main reasons why internal audit is calling more and more forexpertise coming from other internal departments or from external providers.
Internal Audit has Sufficient Financial and Human Resources
On average, companies have 2.85 internal auditors for every 1,000 employees, with large differencesbetween sectors. In a majority of the companies, the internal audit budget remains stable, whereasin 42% of the companies, the internal audit budget increased. About 25% of the internal auditdepartments have existed for less than five years and 74% of the departments have less than 10internal auditors. The profile of an internal auditor did not change during the last three years.
IIA Belgium (2006)
IIA Belgium carried out a survey of its members from November 2005 until March 2006. Thissurvey was strongly inspired by the IFACI study in France. Internal audit departments in 260Belgian private companies were contacted. The response rate was 31%, which is quite good for afirst general survey about internal auditing in Belgium.
The survey addressed issues with respect to the internal audit department, the internal audit activities,risk management and the role of internal auditing, the relationship with stakeholders, and the futureevolution of internal auditing. The survey illustrates that, in Belgium, internal auditing is still arelatively young profession. The main findings are illustrated below.
Internal Audit Department Review
In terms of age of the internal audit department, more than 50% were created less than 5 yearsago. Most internal auditors have working experience in finance, operations, or external audit.Internal auditors’ education level is at least at the bachelor’s degree level. On average, internalauditors remain in internal auditing for less than four years (53% of the respondents). The recruitmentchannel for internal auditors is equally spread between internal and external sources. CAEs have
_____________________________ Chapter 10: Research Method and Literature Review 393
The Institute of Internal Auditors Research Foundation
a relatively short experience in audit, with 64% of the CAEs having less than 10 years experiencein audit. Only 37% of the internal audit departments observed are conducting satisfaction surveyswith their auditees. Networking is important for internal auditors as more than 80% have regularcontacts with colleagues from other companies.
Internal Audit Activities
Integrated and operational audit represent globally more than 50% of the activities of the respondinginternal audit departments. Consulting activities remain low (on average 12% of the annual workingtime), but a majority of the responding internal audit departments expected an increase in consultingactivities in the next two years.
An internal audit charter is used in more than 90% of the cases. On average, 65% of the internalaudit plan is based on a risk analysis, but discrepancies have been observed by sector. In 42% ofthe cases, the yearly internal audit plan is adapted more than twice a year to take new requirementsand priorities into consideration. On average, 65% of the recommendations are implemented withinone year after the audit. In general, 61% of the responding internal audit departments do not useoutsourcing or co-sourcing today, but they expect to use, to some extent, more external serviceproviders in the future.
Role of Internal Auditing in Risk Management
Seventy percent of the respondents’ organizations have set up a risk measurement process. It isalso remarkable to notice that in a lot of companies, not everyone knows the policies and procedureshe or she has to follow. Gaps are observed by sector in terms of risk management practices. Onaverage, 29% of the respondents’ IAAs are responsible for the risk management process for theirorganizations.
Relationship with Stakeholders
Seventy-four percent of the CAEs report functionally to the audit committee. In 74% of the internalaudit departments reviewed the audit committee is in charge of dismissing the CAE, and in 51% ofthe cases the audit committee approves the internal audit budget. In second position, it is the CEOwho dismisses the CAE (44%) or approves the budget (49%). Some deviations have been observedby sector. It is interesting to see that the relationship with the audit committee is positively perceivedby most responding internal audit departments. Furthermore, there are exchanges between internalaudit and external audit (audit reports and audit planning). However, the relationship is less intensivein the other direction. Overall, the responding internal audit departments are satisfied with their
394 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
interaction with the CEO. Although CAEs are generally satisfied about their interaction with theCFO, this relationship is less intensive than the one with the CEO.
Challenges for Internal Auditing
The relationship with the audit committee and the board of directors needs to be reinforced and theassurance provided by internal auditing should become the best independent and objective assessmentin terms of risk management, internal controls, and corporate governance. The activities of internalauditors will be adapted to the new requirements and evolve with the new legislation and the newchallenges of the organization. The profile of the internal auditor is evolving in order to meet thebroader scope of activities. The profession still needs to become more recognized within thecompanies. Moreover, internal auditors need to aspire to a longer career in internal auditing.
Sarens and De Beelde (2006)
This study addressed internal auditors’ perception about their role in risk management, and comparedUnited States (US) and Belgian companies. The purpose of the study was to describe and comparein a qualitative way how internal auditors perceive their current role in risk management withinU.S. and Belgian companies, and was based on ten case studies (interviews with CAEs andanalysis of relevant documents).
In the Belgian cases, internal auditors’ focus on acute shortcomings in the risk management systemcreates opportunities to demonstrate their value. Internal auditors are playing a pioneering role inthe creation of a higher level of risk and control awareness and a more formalized risk managementsystem. In the U.S. cases, internal auditors’ objective evaluations and opinions are a valuable inputfor the new internal control review and disclosure requirements of Sarbanes-Oxley. In Belgium,the internal auditing profession is actually in a kind of “transition phase.” In order to survive thisphase, internal auditors need to assume a “teaching role” vis-à-vis the different management levelsto make them aware of their responsibilities in risk management. After this transition period, internalauditors will be able to focus more on their core activities.
Arena and Azzone (2006)
This study explores the relationship between enterprise risk management (ERM) and internalauditing. Particularly, this study analyzed internal auditing’s role with respect to ERM systems andthe integration of ERM and internal audit activities. The results are based on multiple case studiesapplying semi-structured interviews.
_____________________________ Chapter 10: Research Method and Literature Review 395
The Institute of Internal Auditors Research Foundation
The results show a high diversity in risk management systems with respect to the actual adoptionof an integrated risk management system, the techniques that companies apply to identify risks,and the methodologies applied for risk assessment. Internal auditors mainly provide assurance onthe ERM process, and in some cases they support the implementation and management of theprocess. In half the cases, they found a partial integration between ERM and internal audit activities.More specifically, this integration concerns the comparison of risk maps made by managers andthose made by internal auditors, the integration of evidence that arises from self-assessment tosupport the internal audit plan, and the incorporation of the ERM process in the internal auditreports.
Allegrini and D’Onza (2003)
Based on a survey of the top 100 companies listed on the Italian stock exchange, this studyinvestigates internal auditing and risk assessment practices in large Italian companies. The analysisof the survey answers indicates the existence of three different approaches to internal auditing inthe Italian context. Some companies (25%) have a small internal audit department that carries outtraditional assurance activities. The internal auditor is still perceived as an inspector. These companiesdo not integrate the COSO methodology into their audit process, and have a control system entirelybased on hard variables. The annual audit planning generally follows an audit-cycle approach. Thismodel is often found in smaller companies.
In most companies (67%) internal auditors are providing some contributions to the risk managementprocess and are trying to incorporate the COSO model in the internal control policies and proceduresas well as in the audit process. In this context, internal auditors perform mainly operational auditsand make use of risk assessment findings in planning the annual schedule of audits (macro level).In planning the individual audits, they generally start from the recognition of significant risks inherentto the activity in order to limit or expand the test of controls. The internal audit department offinancial institutions generally follows this model.
Moreover, it is possible to identify a few large companies (8%) in which the internal audit unit isalso focused on consulting activities. Internal auditors attempt to add value through a more activesupport to risk management at different levels and to align internal audit objectives with the strategicgoals of the organization. This group includes the “early pioneers” in control and risk self-assessment(CRSA) projects, insofar as they try to strengthen the accountability at all levels of managementfor risk and control. They focus their work on significant risks, and they are trying to adopt acollaborative approach with line management. A risk-based approach is applied both at the macroand the micro levels so that we can assume they are embracing the risk paradigm as suggested bySelim and McNamee (1998). Furthermore, internal auditors focus on monitoring activities and softcontrols.
396 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
The survey results also show that, in Italy, control and risk self-assessment may be considered in a“start-up phase,” since it is possible to identify a few “early pioneers” implementing self-assessmentthroughout their entire organization. Some other companies claim to have started applying CRSAonly in a few business areas while others reveal their willingness to introduce it within the next fewyears.
Tettamanzi (2003)
This study, based on a questionnaire sent to 150 private companies, describes the historical evolution,current state, and prospects for future developments of internal audit practices in Italy and theUnited Kingdom. Tettamanzi found that the percentage of time spent on financial auditing is lowerthan the other types of activities (like compliance or operational reviews). In Italy, as well as theU.K., it was found that if internal auditing has existed for a period of time, its activities mainlyfocus on operational and management auditing. If the internal audit unit has been recently set up,they mainly focus on financial auditing. Nevertheless, the relevance of financial auditing washigher in the past. Currently, more resources have been devoted to operational and managementaudit and this will increase in the future. The study also reveals that in the U.K., many companieshave introduced an internal audit department to comply with the Cadbury Code. Similarly, in Italy,the Preda Code has determined the introduction and improvement of internal auditing in listedcompanies.
Arena, Azzone, Casati, and Mello (2004)
This study is based on a survey within 365 private Italian companies and investigates the existenceand characteristics of an internal audit activity and the activities performed. It was found that 74%of the responding companies have introduced an internal audit activity. The existence of an internalaudit activity differs between industries and can be linked with the company size. For thosecompanies that did not have an internal audit activity at that time, 30% had intentions to introduceone in the future.
However, 50% are not willing to introduce an internal audit activity in the future, whereas 20%have removed their internal audit activity. More than 50% of the internal audit departments in thisstudy have less than five internal auditors. With respect to the internal audit agenda, they foundthat operational audits, compliance audits, and the monitoring of the internal control system are themost prevalent activities.
_____________________________ Chapter 10: Research Method and Literature Review 397
The Institute of Internal Auditors Research Foundation
Allegrini and Bandettini (2006)
This study replicated an earlier study by Selim and Woodward (2004) in the U.K. and Ireland andfocuses on internal audit and consulting assignments. The questionnaire was adapted to the Italiancontext and sent to the members of the Italian Institute of Internal Auditors. The results reveal thatthe new definition of internal auditing changed consistently the percentage of time allocated toconsulting assignments, which moved from 7% to 26%.
The perceptions regarding internal auditors’ involvement in consulting activities are positive orvery positive in 73% of the responding companies. It is interesting to see that 69% of the respondentsindicate that they perform consulting assignment regarding the Law number 231 (issued in 2001),which requires companies to set up a structured internal control system. More than half of therespondents (53%) declared to work on consulting assignments regarding corporate governanceand risk management.
Other Studies on Internal Auditing that Address European Issues
Rittenberg and Covaleski (1999) addressed outsourcing of internal auditing services in a governmentenvironment and provided insight into the methods and reasons for outsourcing. Melville (1999)addressed the current state of the art of control self-assessment (CSA) practice in the U.K. Theoverview was based on a survey of the top 50 companies listed on the FTSE, while the other twoelements were based on structured interviews. The conclusions drawn were that CSA is widelyseen as a beneficial practice, although it may not be repeated after the first exercise.
Hopkins (1997) discussed the fundamental differences in perceptions of internal audit quality betweenproviders of internal audit services and their prospective clients. The study was based on the U.K.public sector. Selim and Yiannakis (2001) addressed the various levels and methods of outsourcingin private and public sector organizations and discussed the various levels of success. Melville(2003) undertook a study based on an international survey of internal auditors, of which Europeanresponses were approximately 12% of the sample. The results showed that internal auditors werehighly geared toward making a contribution to strategic management, especially where a balancedscorecard type of system was used.
Selim, et al. (2003) found that based on a survey of six countries, internal auditors already play akey role in the mergers and acquisitions process, though it was also found that they would preferthis role to be further developed. Paape, Scheffe, and Snoep (2003) reviewed a survey carried outby the European Confederation of Institutes of Internal Auditing (ECIIA). While the authors were
398 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
unsure about the rigor of their research (due to problems with distribution of the questionnairesrather than a fundamental flaw in methodology), it is clear that there is a wide variety of internalaudit responses to corporate governance issues.
South African Literature Review on Internal Auditing5
Twenty years ago internal auditing in South Africa was not well known as a profession. In SouthAfrica, a number of factors contributed to the changes, development, and growth of the country’sinternal auditing profession. During the past five years, there were three major contributors to thelarge unexpected growth of the profession in South Africa. The first was the reports of the Kingcommission on corporate governance (King I: 1994 and King II: 2002). The second was the PublicFinance Management Act (SA 1999. Section 38), which made it a legal requirement for all formsof public organizations to have an internal audit activity in line with the Standards.
As internal auditing is a relative new profession in South Africa, limited formal research publicationswere found on internal auditing within the country. The following briefly discusses the variousresearch publications found about internal auditing in South Africa.
Communication Skills
During his research, Fourie (2006) attempted to find answers to two research questions. The firstwas whether tertiary institutions (universities) in South Africa teach sufficient communicationskills to enable aspiring internal auditors to perform their internal audit assignments professionally.The second question was whether internal auditors in practice regard themselves as having sufficientcommunication skills in order to conduct their internal audit assignments professionally.
The results of the study revealed that universities in South Africa do not teach adequatecommunication skills to aspiring internal auditors. The respondents indicated that they do not possessadequate communication skills to professionally conduct their internal audit engagements.
New Standards Address Challenges Faced by the Profession
Coetzee & du Bruyn (2001) investigated the limitations of the previous Standards and the changesin the new Standards. They found that change in auditing required by the new Standards was
5South Africa’s literature review was written by Houdini Fourie of the Tshwane University of Technology, SouthAfrica and Elmarie Sadler of University of South Africa.
_____________________________ Chapter 10: Research Method and Literature Review 399
The Institute of Internal Auditors Research Foundation
difficult to analyze because the new Standards were to be used in conjunction with the previousStandards at the time of the paper’s publication. Coetzee & Du Bruyn are of the opinion that thenew Standards successfully address the challenges faced by internal auditors in the profession.
Effectiveness of Public Service Audit Committees
The question for this research was the effectiveness of public service audit committees in improvingaccountability in the South African public service as perceived by the independent external auditorsof government (Van der Nest, 2007). Van der Nest stated that “the audit committee is a keyaccountability instrument, playing a crucial role in the financial management and control environmentsof public corporations.” Audit committees are increasingly regarded as integral to modern controlstructures and governance practices in both the private sector and public service. The establishmentof audit committees is recognized as best practice with respect to good corporate governance. Theestablishment of audit committees is legislated in the financial management legislation in SouthAfrica.
Importance of Quality Control
In her study, Marais (2003) investigated the importance of quality control within internal auditactivities as prescribed by the Standards and guidelines of The IIA. The study also attempted todetermine to what extent these Standards and guidelines are applied in internal audit activities inSouth Africa.
The study concluded that quality control is not adequately applied within all IAAs in South Africa.Compliance with the Standards that were implemented during January 2002 should help to improvethe situation. Marais further concluded that The IIA should take action to motivate IAAs to exercisequality control according to the Standards.
Compliance with Good Practice and Legal Requirements by Audit Committees
In his paper, Van der Nest (2005) evaluated the compliance with good practice and legal requirementsby audit committees in South Africa’s government departments. The performance in four of theaudit committees’ important areas of responsibility was also measured.
The initial general observation by Van der Nest was that there is sufficient compliance with thelegal framework within which the South African public sector audit committees function. A furtherobservation was that there is general compliance with good practice for audit committees in theSouth African public sector. According to Van der Nest, evidence shows that “…there is apreoccupation with control issues and internal audit reports.” Van der Nest is concerned about the
400 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
absence or lack of other critical issues that should be addressed by audit committees, including riskmanagement, processes, financial reporting, and corporate governance.
Summary
The literature indicates many changes in the activities performed by internal auditors over the past30 years. The increasing complexity of business transactions, a more dynamic regulatory environment,and significant advances in information technology are developments that have resulted inopportunities and challenges for internal auditors. One of the objectives of CBOK 2006 was togather information on the current state of internal auditing around the world to determine thecurrent state of the art for the practice of internal auditing to add to the growing literature andstudy of the internal auditing profession.
References
1. Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “A review of prior common body ofknowledge (CBOK) studies in internal auditing and an overview of the global CBOK 2006,”Managerial Auditing Journal 21 (8), 2006, pp. 811-821.
2. Albrecht, W.S, J.D. Stice, and K.D. Stocks, A Common Body of Knowledge for the Practiceof Internal Auditing (Altamonte Springs, Florida: The Institute of Internal Auditors ResearchFoundation), 1992.
3. Ali, A.M., S.Z. Saidin, M.Z. Ghazali, M.S. Rahim, M.H. Sahdan, A. Ali, and A. Ahmi, InternalAudit in the State and Local governments of Malaysia, Working Paper, Universiti Utara Malaysia,2004.
4. Allegrini, M., and E. Bandettini, Internal Auditing And Consulting Assignments In Italy: AnEmpirical Research, Fourth European Conference on Internal Audit and Corporate Governance,2006b.
5. Allegrini, M., and G. D’Onza, “Internal Auditing and Risk Assessment in Large Italian Companies:an Empirical Survey,” International Journal of Auditing 7 (3), 2003, pp. 191-208.
6. Allegrini, M., G. D’Onza, L. Paape, R. Melville, and G. Sarens, “The European literaturereview on internal auditing,” Managerial Auditing Journal 21(8), 2006a, pp. 845-853.
7. Anderson, U., “Assurance and Consulting Services,” In Research Opportunities in InternalAuditing, Ch. 4, Bailey, A.D., A.A. Gramling, and S. Ramamoori (eds.) (Altamonte Springs,FL: The Institute of Internal Auditors Research Foundation), 2003.
8. Arena, M., and G. Azzone, “Internal Audit in Large Italian Companies: adoption, developmentand evolution,” Fourth European Academic Conference on Internal Audit and CorporateGovernance, 2006.
9. Arena, M., G. Azzone, P. Casati, and F. Mello, Rapporto di ricerca, Italian Institute of InternalAuditors, 2004.
_____________________________ Chapter 10: Research Method and Literature Review 401
The Institute of Internal Auditors Research Foundation
10. Barrett, M.J., G.W. Lee, S.P. Roy, and L. Verastigu, A Common Body of Knowledge forInternal Auditors: A Research Study (Altamonte Springs, FL: The Institute of Internal Auditors),1985.
11. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J. Roebuck, Internal Auditing:The Global Landscape (Altamonte Springs, FL: The Institute of Internal Auditors), 1999a.
12. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J. Roebuck, Internal AuditingKnowledge: Global Perspectives (Altamonte Springs, FL: The Institute of Internal Auditors),1999b.
13. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P. J. Roebuck, Competency:Best Practices and Competent Practitioners (Altamonte Springs, FL: The Institute of InternalAuditors), 1999c.
14. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J. Roebuck, The Future ofInternal Auditing: A Delphi Study (Altamonte Springs, FL: The Institute of Internal Auditors),1999d.
15. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J. Roebuck, AssessingCompetency in Internal Auditing: Structures and Methodologies (Altamonte Springs, FL:The Institute of Internal Auditors), 1999e.
16. Burnaby, P.A., S. Hass and M.J. Abdolmohammadi, “A survey of internal auditors to establishthe scope of the common body of knowledge study in 2006,” Managerial Auditing Journal21 8, 2006, pp. 854-868.
17. Cai, C., “Internal audit under the socialist market economy system,” Managerial AuditingJournal 12 (4/5), 1997, pp. 210-213.
18. Carey, P., N. Subramanaim, and K. Ching, “Internal audit outsourcing in Australia,” Accountingand Finance 46 (1), 2006, pp. 11-30.
19. CIA World FactBook, https://www.cia.gov/cia/publications/factbook/fields/2145.html, 2006.20. Chapman, C., and U. Anderson, Implementing the Professional Practices Framework
(Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation) 2002.21. Coderre, D., Continuous Auditing: Implications for Assurance, Monitoring, and Risk
Assessment (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation),2005.
22. Coetzee, G.P., and Du Bruyn, “The relationship between the new IIA standards and the internalauditing profession,” Meditari 9(6), 2001, pp. 1-79.
23. Cooper, B.J., and J. Craig, A Profile of Internal Audit in Australia (Melbourne: RoyalMelbourne Institute of Technology), 1983.
24. Cooper, B.J., P. Leung, and C. Mathews, “Benchmarking – a comparison of internal audit inAustralia, Malaysia and Hong Kong,” Managerial Auditing Journal 11 (1), 1996, pp. 23-19.
25. Cooper, B.J., P. Leung, and C. Mathews, “Internal Audit: An Australian Profile,” ManagerialAuditing Journal 9 (3), 1994, pp. 13-19.
402 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
26. Cooper, B.J., P. Leung, and G. Chau, A Survey of Internal Auditing in Hong Kong (HongKong: Department of Accountancy, Hong Kong Polytechnic), 1989.
27. Cooper, B.J., P. Leung, and G. Wong, “The Asia Pacific literature review on internal auditing,”Managerial Auditing Journal 21 (8), 2006, pp. 822-834.
28. COSO, Enterprise Risk Management – Integrated Framework Executive Summary (TheCommittee of Sponsoring Organizations of the Treadway Commission), 2004.
29. Deloitte & Touche, Lean and Balanced – How to Cut Costs Without CompromisingCompliance, Deloitte & Touche, 2006.
30. Ernst & Young, Internal Audit in Malaysia, Kuala Lumpur, (Malaysia), Ernst & Young, 2004.31. Ernst & Young and IIA New Zealand and Australia, Trends in Australian and New Zealand
Auditing Second Annual Benchmarking Survey 2005, Ernst & Young and IIA New Zealandand Australia, 2005.
32. Fadzil, F.H., H. Haron, and M. Jantan, “Internal auditing practices and internal control system,”Managerial Auditing Journal 20 (8), 2005, pp. 844-866.
33. Fourie, H., Internal auditing and communication: a South African perspective, M. Techdissertation, Pretoria, Tshwane University of Technology, 2006.
34. Glascock, K.L., “Auditees or clients?” Internal Auditor, 59 (4), 2002, pp. 84-85.35. Gobeil, R.E., “The Common Body of Knowledge of Internal Auditors,” The Internal Auditor,
November/December 1972, pp. 20-29.36. Goodwin, J., “A comparison of internal audit in the private and public sectors,” Managerial
Auditing Journal 19 (5), 2004, pp. 640-650.37. Goodwin, J., and Y.T. Yeo, “Two factors affecting internal audit independence and objectivity:
evidence from Singapore,” International Journal of Auditing 5, 2001, pp.107-125.38. Goodwin-Stewart, J., and P. Kent, “The use of internal audit by Australian companies,”
Managerial Auditing Journal 21 (1), 2006, pp. 81-101.39. Gramling, A.A., M.J. Maletta, A. Schneider, and B.K. Church, “The Role of the Internal Audit
Activity in Corporate Governance: A Synthesis of the Extant Internal Auditing Literature andDirections for Future Research,” Journal of Accounting Literature 23, 2004, pp. 194-244.
40. Gray, G., Changing Internal Audit Practices in the New Paradigm: The Sarbanes-OxleyEnvironment (Altamonte Springs, FL: The Institute of Internal Auditors), 2004.
41. Hass, S., M.J. Abdolmohammadi, and P.A. Burnaby, “The Americas literature review on internalauditing,” Managerial Auditing Journal 21 (8), 2006, pp. 835-844.
42. Hofstede, G., Culture’s consequences: International differences in work-related values(London, UK: Sage), 1980.
43. Hofstede, G., “Dimensions of National Culture in Fifty Countries and Three Regions,” in J.B.Deregowski, S. Dziurawiec, and R.C. Annis (Eds.), Explications in Cross-Cultural Psychology,Swets and Zeitling, 1983.
_____________________________ Chapter 10: Research Method and Literature Review 403
The Institute of Internal Auditors Research Foundation
44. Hopkins, R., “The nature of audit quality - a conflict of paradigms? An empirical study ofinternal audit quality throughout the United Kingdom Public Sector,” International Journalof Auditing 1 (2), 1997, pp. 117-133.
45. House, R.J., P.J. Hanges, M. Javidan, P.W. Dorfman, and V. Gupta (Eds), Culture, Leadership,and Organizations: The GLOBE Study of 62 Societies (Thousand Oaks, CA: SagePublications), 2004.
46. IFACI (Institute de L’Audit Interne), Resultat de l’enquete sur la pratique de l’audit interne enFrance en 2005 (The Institute of Internal Auditors France), 2005.
47. IIABEL (The Institute of Internal Auditors Belgium), Internal audit in Belgium: the shaping ofinternal audit today and the future expectations – survey results (The Institute of InternalAuditors Belgium), www.iiabel.be.
48. King Committee on Corporate Governance, King report on corporate governance for SouthAfrica, Institute of Directors, 1994.
49. King Committee on Corporate Governance, King report on corporate governance for SouthAfrica, Institute of Directors, 2002.
50. Krell, E., “Is Sarbanes-Oxley Compromising Internal Audit?” Business Finance, August, 2005.51. Krogstad, J., A.J. Ridley, and L.E. Rittenberg, “Where We’re Going,” Internal Auditor. October
1999.52. Le Grand, C.H., Information Technology Controls (Altamonte Springs, FL: The Institute of
Internal Auditors Research Foundation), 2005.53. Leung, P., B.J. Cooper, and P. Robertson, The Role of Internal Audit in Corporate
Governance and Management (Melbourne: RMIT Publishing), 2004.54. Lou, Y., “Guanxi: principles, philosophies, and implications,” Human Systems Management 16
(1), 1997, pp. 43-51.55. Lovett, S., L.C. Simmons, and R. Kali, “Guanxi versus the market: ethics and efficiency,”
Journal of International Business Studies 30 (2), 1999, pp. 231-47.56. Marais, M., Quality control within internal audit functions and the application thereof in South
Africa, M. Comm. Dissertation, Pretoria, University of South Africa, 2003.57. McCall, S.M., “The auditor as consultant,” Internal Auditor 59 (6), 2002, pp. 35-39.58. McIntosh, E.R., Competency Framework for Internal Auditing: An Overview (Altamonte
Springs, FL: The Institute of Internal Auditors Research Foundation), 1999.59. Melville, R., “Control self assessment in the 1990s: the UK perspective,” International Journal
of Auditing 3 (3), 1999, pp. 191-206.60. Melville, R., “The Contribution Internal Auditors Make to Strategic Management,” International
Journal of Auditing 7 (3), 2003, pp. 209-222.61. Mutchler, J., Independence and Objectivity: A Framework for Internal Auditors (Altamonte
Springs, FL: The Institute of Internal Auditors Research Foundation), 2001.
404 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
62. Paape, L., J. Scheffe, and P. Snoep, “The Relationship between the Internal Audit Activity andCorporate Governance in the EU - a Survey,” International Journal of Auditing 7 (3), 2003,pp. 247-262.
63. PCAOB (Public Company Accounting Oversight Board), Auditing Standard No. 2: An Auditof Internal Controls over Financial Reporting Performed in Conjunction with an Audit of FinancialStatements, (Washington, DC: Public Company Accounting Oversight Board), 2004.
64. PricewaterhouseCoopers LLP, “Internal Audit Global Best Practices: #2 in a series,” TheInternal Audit Newsletter, 2005A, pp.5-6.
65. PricewaterhouseCoopers LLP, “How Computer Assisted Audit Tools Can Be Used in aFiduciary Audit Environment,” The Internal Audit Newsletter, 2005B, pp. 2-3.
66. PricewaterhouseCoopers LLP, PricewaterhouseCoopers’ State of the Internal AuditProfession: Internal Audit Post Sarbanes-Oxley (New York), 2006.
67. RGTF (Report of the Guidance Task Force to The IIA’s Board of Directors), A Vision for theFuture: Professional Practices Framework for Internal Auditing (Altamonte Springs, FL:The Institute of Internal Auditors Research Foundation), 1999.
68. Rittenberg, L., and M. Covaleski, “Outsourcing the internal audit activity: the British governmentexperience with market testing,” International Journal of Auditing 3 (3), 1999, pp. 225-235.
69. Rittenberg, L.E., and B.J.Covaleski, The Outsourcing Dilemma: What’s Best for InternalAuditing (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation),1997.
70. Roth, J., Adding Value: Seven Roads to Success (Altamonte Springs, FL: The Institute ofInternal Auditors Research Foundation), 2002.
71. Roth, J., and D. Espersen, Internal Audit’s Role in Corporate Governance: Sarbanes-Oxley Compliance (Altamonte Springs, FL: The Institute of Internal Auditors ResearchFoundation), 2003.
72. Sarens, G., and I. De Beelde, “Internal Auditors’ Perception about Their Role in RiskManagement: A Comparison Between US and Belgian Companies,” Managerial AuditingJournal 21 (1), 2006, pp. 63-80.
73. Selim, G., and A. Yiannakas, “Outsourcing the Internal Audit Activity: A Survey of the UKPublic and Private Sectors,” International Journal of Auditing 5 (1), 2001, pp. 213-226.
74. Selim, G., and D. McNamee, Risk Management: Changing the Internal Auditor’s Paradigm,(Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 1998.
75. Selim, G., and S. Woodward, “Internal Auditing and Consulting Practice: UK and Ireland Survey,”British Academy of Management Annual Conference (UK: University of St. Andrews), 2004.
76. Selim, G., S. Sudarsanam, and M. Lavine, “The Role of Internal Auditors in Mergers, Acquisitionsand Divestitures: An International Study,” International Journal of Auditing 7 (3), 2003, pp.223-246.
_____________________________ Chapter 10: Research Method and Literature Review 405
The Institute of Internal Auditors Research Foundation
77. Simons, R., Performance Measurement & Control Systems for Implementing Strategy(Upper Saddle River, NJ: Prentice Hall), 2000.
78. South Africa, The Public Finance Management Act, Act 1 of 1999, Pretoria, GovernmentPrinters, 1999.
79. U.S. Sarbanes Oxley Act of 2002 (One Hundred Seventh Congress of the United States ofAmerica, HR 3763), 2002.
80. Tang, Y.W., L. Chow, and B.J. Cooper, Accounting and Finance in China – A Review ofCurrent Practice, 4th, Sweet and Maxwell Asia, (Hong Kong), 2000.
81. Tettamanzi, P., “Internal auditing: evoluzione storica, stato dell’arte e tendenze di sviluppo:Italia e Regno unito a confronto,” Egea, 2003.
82. The Institute of Internal Auditors, A Vision for the Future: The Professional PracticesFramework for Internal Auditing (Altamonte Springs, FL: The Institute of Internal AuditorsResearch Foundation), 1999.
83. The Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs,FL: The Institute of Internal Auditors Research Foundation), 2002.
84. The Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs,FL: The Institute of Internal Auditors Research Foundation), 2005.
85. The Institute of Internal Auditors, The IIA Research Foundation Request for Proposal (AltamonteSprings, FL: The Institute of Internal Auditors Research Foundation), 2005.
86. Van der Nest, D.P., Audit committees in government departments: an internal audit perspective,The South African Journal of Accountability and Audit Research 6, 2005, pp. 75-83.
87. Van der Nest, D.P., Audit committees and accountability in the South African public service,D. Tech dissertation, Pretoria, Tshwane University of Technology, 2007.
88. Van Peursem, K.A., “Conversations with internal auditors - The power of ambiguity,”Managerial Auditing Journal 20 (5), 2005, pp. 489-512.
89. Van Peursem, K.A., “Internal auditors’ role and authority - New Zealand evidence,” ManagerialAuditing Journal 19 (3), 2004, pp. 378-393.
90. Wang, X., “Development trends and future prospects of internal audit,” Managerial AuditingJournal 12 (4/5),1997, pp. 200-204.
91. Warren, J.D., and X.L. Parker, Continuous Auditing: Potential for Internal Auditors(Altamonte Springs, FL: The Institute of Internal Auditors), 2003.
92. Zoellick, B., and T. Frank, Governance, Risk Management, and Compliance: AnOperational Approach (The Compliance Consortium), 2005.
406 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
APPENDIX 10-A
Pre-scope Questionnaire for CBOK
Do you agree that the global CBOK scope should include the following: Yes NoDemographics for respondents and companies. 53 7Percentage of time spent on different types of audit (scope) in 2005:
• Operational 60 2• Financial (include work with external auditor) 58 2• Governance (ethics, control framework, Sarbanes-Oxley, linkage of 61 1
strategy, and company performance)o The role of internal auditing in organizational governance
• Consulting 60 3• Enterprise risk management (ERM) Need more specification 59 3• Fraud investigations (forensic accounting/auditing) 59 3• Work done by consultants (outsourcing) 57 5• Other:• Belgium
o Procedures developmento Benchmark analyses (meant to steer company decisions and action
plans for performance improvement)o Role of internal audit in project managemento IT audit (!)o Direct operational responsibilities (even limited)
• U.K. Irelando Work done by consultants (co-sourcing)o Assurance work
• U.S.o I think the work spent with the external auditor should be its own
classificationo With respect to Sarbanes Oxley, the governance component should
be separate from the work done in an advisory capacity(i.e., monitoring separate from management documentation, testing,and assessment)
o Outsourced work may be better defined as subject matter expertiserequired versus outsourced internal auditing (i.e., is the internal auditactivity outsourced or complemented?)
o Compliance (non-Sarbanes-Oxley)
_____________________________ Chapter 10: Research Method and Literature Review 407
The Institute of Internal Auditors Research Foundation
Percentage of time spent on different types of audit (scope) Yes Noin 2005: (Cont.)
o Regulatoryo Technologyo Audit of IT function
• Asiao IT audito Probity auditingo Information technology audito Ad hoc/special audit
• Italyo Compliance programs for the prevention of corporate crime: risk
assessment, compliance audit, monitoring, compliance programsupdating.
• South Africao Integrated assurance services (audits that combine financial,
operational, ICT, and governance).
Adherence to the International Standards for the Professional Practice Yes Noof Internal Auditing (Standards) (The IIA, 2004):
• 1000 Purpose, Authority, and Responsibility 62 1o Charter outlining nature of assurance and consulting services
• 1100 Independence and Objectivity 61 1o Reporting structure administratively and functionallyo Support of upper managemento Support of the audit committee
• 1200 Proficiency and Due Professional Care 62 0o Level of education required of entry-level auditorso Certificationso Skills required of each audit position
• 1230 Continuing Professional Development - number of hours required 53 5• 1300 Quality Assurance and Improvement Program 59 4
o How often internal quality review is performedo How often external quality review is performed
• 2000 Managing the Internal Audit Department 58 5o CAE - rotating or permanent positiono Written policies and procedureso Staff rotation policy
408 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Adherence to the International Standards for the Professional Practice Yes Noof Internal Auditing (Standards) (The IIA, 2004):
• 2010 Planning 56 7o Percentage of audit budget spent on planning activities
• 2210 Engagement Objectives 58 5o Set audit objectives during the planning stages of the audit
• 2240 Engagement Work Program 56 7o % of audit programs written specifically for each engagemento % of audit programs from prior auditso % of purchased audit programs
• 2400 Communicating Results 62 1o A written audit report is prepared for what percent of engagementso Audit report includes a grade or score for the audit process
• 2500 Monitoring Progress 62 1o Follow-up procedures are performed on what % of auditso Audit department has the support of upper management to ensure
improvements are made by auditee• Other: Belgium
o Follow-up on implementation of critical recommendationso Calculation/estimation of “return” of audit work (through
implementation of audit recommendations or through audit review assuch on e.g., double payments: savings achieved; doubledisbursements prevented or corrected; etc.)
• U.K. Irelando Adherence to the International Standards for the Professional
Practice of Internal Auditing (Standards) (The IIA)o Adherence to national or sectoral standards, based on the standardso Adherence to national or sectoral standards, not based on the
standards• U.S.
o Determination of IA as either a cost center or profit centero Calculation of cost savings and/or opportunity income gained arising
from internal audit recommendations as part of reporting (estimation)and monitoring (actual).
_____________________________ Chapter 10: Research Method and Literature Review 409
The Institute of Internal Auditors Research Foundation
Specific areas of knowledge required of internal auditors: Yes No• Traditional business school topics (finance, operations, accounting, 52 11
marketing)• Business terminology 45 16• Technology 57 6• Financial reporting 50 12• Costing methods/managerial accounting 45 17• Economic theories 25 35• Accounting standards 49 14• Auditing standards 54 8• Other:• Belgium
o Language skills (2 x mentioned)o IT knowledge and skills (company ERP package) (2 x mentioned)
• U.K. Irelando Internal auditing standardso Statistics and analytical techniqueso General management
• U.S.o Should there be more in the way of operational and compliance
auditing? The above categories seem traditional and exclusive tothe operational and compliance COSO components
o Should technology be more specific as to systems etc- should therebe some additional requirements as to ERM, ERP, etc.?
o Should there be more in the “Other” areas such as forensics, fraud,money laundering, etc.
o Statistical analyses, Six-sigma, etc.o Regulatoryo Various industrieso Fraudo Regulation relevant to the industry
• Asiao Record keeping electronico Risk management practices
• Italyo Statisticso New legislation (SOX, D.Lgs 231/01)
• South Africao Legislation
410 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Role of the board of directors and audit committee: Yes No• How often the CAE reports to the audit committee 60 2• Board’s role in governance issues 57 5• Audit committee/board role in review of annual audit plan 59 3• Other:• Belgium
o Board’s role in the definition of “risk” as used by the internal auditorin his risk assessmento Audit committee support for internal audit activity, internal audit
recommendations• U.S.
o Directors Loan Committee & Trust Committee interactiono Board appointment of CAE, salary determination, etc.o Administrative chain of commando AC structure and experienceo Reporting relationships, agendas
• Asiao Induction program for AC memberso Board review of IA performance
• Italyo Audit committee/board role in budget definition
Evaluation of staff: Yes No• Questionnaire at end of audit by client 53 10• Staff evaluated at end of each audit 55 8• Other:• Belgium
o Staff evaluations mid-year and year-end: rotation/career opportunitiesinside the company or audit staff
o Evaluation of the overall internal audit activity• U.S.
o Staff evaluation at certain minimum hours if audit is long term?o Other internal audit quality metrics and measurementso Core competency developmento Goal achievement (results)o Performance evaluation (annual or more frequent).
• Asiao Preference for annual survey of branch performance
• South Africao Ethics
_____________________________ Chapter 10: Research Method and Literature Review 411
The Institute of Internal Auditors Research Foundation
Emerging trends in internal auditing: Yes No• Laws requiring companies to have an internal audit activity 56 7• Internal auditors in advisory role for strategy development 50 11• Implemented an internal control framework (COSO, COSO-ERM, 57 4
Cadbury, or CoCo)• Utilize self-directed, integrated work teams. 48 14• Involved in corporate directives to introduce ERP - Enterprise Resource 45 16
Planning software such as SAP, Oracle, Peoplesoft, BAAN, and JDEdwards
• Implement computer library (Web or CD-ROM) for audit reports, 55 7workpapers, and reference materials
• Implement knowledge management systems 49 13• Work with management to develop ERM system 52 11• Provide training to audit committee 47 14• Share audit programs with “Other” companies’ internal audit departments 53 8• Introduce improvements in cycle time 44 19• Utilize groupware such as Lotus Notes 36 26• Review electronic commerce applications 43 19• Utilize CAATs 56 6• Develop intranet site to educate company personnel about internal 55 7
controls, risk management, Sarbanes-Oxley requirements, etc.• Other:• Belgium
o Provide control awareness trainings to managers (new recruitedmanagers: as part of company introduction program; newlypromoted managers - individually; newly acquired companymanagement team; etc.)
o Implementing total quality related frameworks (e.g., EFQM)• U.K. Ireland
o Refocused internal audit on role of providing objective assurance incontext of organization's overall assurance framework
o Introducing full risk-based internal auditing• U.S.
o Analytical (audit) reviewso Is there a need to address independence if internal audit is used to
“introduce erp,” implement knowledge systems and develop erm-how to audit?
o Regulatoryo Attorney client privilege work
412 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Emerging trends in internal auditing: (Cont.) Yes No• Asia
o Audit time recording system of allocation of audit hours• Italy
o Supporting internal control system definition in BPR projectso Web-based training for personnel according to D.Lgs 231/01
requirements
Certification: Yes No• Need for certification exams for audit managers and CAEs above 45 17
CIA certificate. Already part of the “adherence to Standards”?• Other:• Belgium
o Need for a CIA more oriented toward non-profit organizations• U.K. Ireland
o Need for specific qualification or certification for internal auditorso Need for certification for practicing internal auditors
• U.S.o Certifications for seniors (level below mgrs)o Skills needed - CISA, CFE, etc.
• Asiao Specialized internal auditing certifications CGAP for public sector,
CFSA for financial services auditor• Italy
o CPA, ACFE, CSA
Salaries: Yes No• Entry-level salary at each audit position 42 18• How internal audit salaries compare with managers at similar levels 45 16
in the organization• Other:• U.K. Ireland
o How internal audit salaries for those with internal audit qualificationscompare
• U.S.o Does IA have possibility to rotate to another position within the
company? How often does it happen? What is the average time IAstays within the IA function?
o Staff levels to include bonus and option programs
_____________________________ Chapter 10: Research Method and Literature Review 413
The Institute of Internal Auditors Research Foundation
Salaries: (Cont.) Yes Noo Mobility within the organization - how many transfers to the
departments, functions?o Changes too often and varies globallyo Incentive compensation - bonuses, stock options
• Asiao Essential criteria for CAEs and staff, i.e., degree
• Italyo Other benefits
Audit Methods, Tools, and Techniques: Yes No• ACL, Idea, SAS 59 3• Control self-assessment 57 6• Continuous auditing 52 11• Electronic workpapers 58 3• Sampling 59 4• Data mining 54 8• Whistle-blowing hot line 49 13• Comparisons of performance measures to targets in entity’s objectives 52 9• Flowchart software 46 15• Other:• Belgium
o Generic office IT tools/groupware• U.S.
o Outsourcing of highly technical/specialized reviewso Lotus Noteso Issue tracking repositorieso Intranet portalso Knowledge management
• Asiao PowerPoint presentations for audit
• Italyo Process Modeling Softwareo Risk assessment (No: control risk self-assessment)
• South Africao Include ERM, benchmarking, QAR, the IA process - procedures,
e.g., compliance, substantive and analytical - Refer PA 2320
414 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Auditee Skill Set (at each level): Yes No• Organization 56 7• Interpersonal 57 6• Writing 57 5• Critical thinking 56 7• Ability to do root cause analysis 53 9• Negotiation 56 7• Conflict resolution 57 6• Interview 57 5• Other:• Belgium
o IT skills (knowledge of company ERP capabilities and controlfeatures + use of system to prepare projects and substantiate findings)
o Synthesis: know how to extract just that information that is necessaryto put context around a finding and recommendation
• U.K. Irelando Influencingo Presentation of complex results
• U.S.o Computer skillso Foreign languageso Strategic agilityo Facilitationo Consensus buildingo Teamwork
• Asiao Communicationo Time managemento Judgmento Business acumen
• Italyo Corporate crime, fraud
• Franceo Courage
_____________________________ Chapter 10: Research Method and Literature Review 415
The Institute of Internal Auditors Research Foundation
Other: Please list “Other” topics that you would like to include in the survey: Yes No• Belgium
o Interaction between internal and external audito Co-sourcing/outsourcingo Auditor’s career: recruitment into internal audit and/or internal move
“in”/career path with internal audit and/or internal move “out”/externalmove “out”
• U.K. Irelando Knowledge areas are too narrow: should include governance, ethics,
ethnographic methodso Involvement in corporate social responsibilityo Benchmarking regarding I.A. size (i.e., no. of employees, mixture of
qualified and non-qualified staff, types of qualification of I.A. staff, etc.)• U.S.
o How is the internal audit plan developed, on the basis of what information(scoping using risk assessment, particular needs of BU, fraudinvestigation, what is the % of each component)?
o What is the duration of the audit plan (1 year, 3 years, etc.)? How oftenis it revised?
o Whom does the IA report to (audit committee, CEO, CFO, etc…arethey independent?
o How is the IA founded: special budget, re-invoiced to BU, etc…?What is the budget?
o What are the yearly training expenses?o Does IA use any indicator to measure its performance? If yes, what are
they?o The views expressed are solely my own and do not necessarily reflect
to the position of Fidelity Investments or its associateso Trend toward outsourcing/partneringo Resource management and planningo Internal audit department structure and geographic locationso Global focuso Reporting relationship of CAE to board/audit committee, CEO, CFO,
“Other”o Frequency of private meeting of CAE and board/audit committee
chair/committee - never, once per year, etc.o Asset size of company/annual saleso Number of internal auditors
416 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Other: Please list “Other” topics that you would like to include in Yes Nothe survey: (Cont.)
o Annual audit department salaries & benefitso Public/private/other org.o Core competency frameworko Soft skill developmento Training and developmento Career pathingo Knowledge management
• Asiao Will 1312 review be completed by Jan 1, 2007o Probity auditingo Project managemento Standardization of audit reportso Freedom of information/privacy concernso Performance indicators for internal audito Standardization of ranking audito Balanced scorecards for internal audito Disclosure and confidentiality principles for internal audito International auditing standards (Global)o Globalization of auditing professiono Academic qualifications for internal audit in tertiary institutionso Career planning for internal audito Marketing of the internal audit activityo “Recognized Professional Association”o Benchmarking of internal audito Introduce CAE within organization for signoff on internal controlso Ratio of internal audit cost vs. external audit costo Boardroom skillso Personnel management skillso Managerial skillso Split information required for financial audit between financial control
work and supporting/interacting on external audit worko Emerging new technology and trends in business that impact audito New business organizational formations that affect audit capability
_____________________________ Chapter 10: Research Method and Literature Review 417
The Institute of Internal Auditors Research Foundation
Other: Please list “Other” topics that you would like to include in Yes Nothe survey: (Cont.)
• Italyo Information about staff and outsourcingo Role of the Collegio sindacale
− The relationship between the collegio sindacale and the internal auditunit (collegio sindacale is a specific body of the Italian corporategovernance system). The features involves in this relationship couldconcern:∗ The support of the collegio sindacale to the internal audit
independence.∗ The review of the audit plan.∗ The communication of audit results to the collegio sindacale.∗ Other.
o Planning and priority settingo Role of the collegio sindacale in the Italian corporate governance
system and the relationship with the internal audit department.• France
o How do IA, MA, compliance, quality control, and “Other” controlfunctions fit together?
o What are the job positions in internal auditing?o How can we go from one position to another?o How to be prepared to get out of the audit department to disseminate
the control culture.• South Africa
o Environmental auditingo QARo ISO standards relating to internal auditing, e.g., ISO 14000, etc.
418 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
APPENDIX 10-B
Topical Areas That Are Addressed inPast and Current IIA CBOK Studies
Gabeil Barrett et al. Albrecht et al. Birkett et al. CBOK(1972) (1985) (1991) (1999) (2006)
Accounting Accounting* Accounting** Accounting Accounting***Auditing Auditing Auditing Auditing Auditing@
Audit Committee/Oversight CommitteeAudit Plan
Behavioral Behavioral Skills/Sciences Technical
Skills/CompetenciesCommunications Communications Communications Communications Communications
Competency Benchmarks/QualityAssessment, AssessmentBenchmark,CompetencyStandards
Government Compliance/ Compliance/Government RegulationsCorporate CorporateGovernance Governance
Computers Basis Computer SoftwareUsed in the Audit
Computers & Computer & Computers & Computers & InformationSystems Information Information Information Technology
Systems Systems SystemsConsulting/AdvisoryServices
Data Gathering Data Data Mining& Delivery Warehousing
*Specifies as financial, management, and government accounting**Specifies as financial and managerial accounting***Financial and managerial accounting as well as specialized accounting appropriate for the type of organization
_____________________________ Chapter 10: Research Method and Literature Review 419
The Institute of Internal Auditors Research Foundation
Topical Areas That Are Addressed inPast and Current IIA CBOK Studies (Cont.)
Gabeil Barrett et al. Albrecht et al. Birkett et al. CBOK(1972) (1985) (1991) (1999) (2006)
Economics Economics EconomicsEthics Ethics Ethics/Ethics Audits
Expertise Expertise (Experience,(Experience, Knowledge, Skills)Knowledge, Skills)
ExternalRelationsFinance & Finance Finance Finance FinanceControl
Forensic ForensicAccounting/ Accounting/Auditing Auditing
Fraud FraudFuture of the Emerging IssuesProfession andInfluencing FactorsIA Staff Position IAA Position in thein Organizations OrganizationInternal Auditor’s Internal Auditor’sWork Environment, Work Environment,Context, Population, Context, Population,and Scope of Work and Scope of Work
International International/culture International/Globalization/Culture
Legal Aspects Legal Aspects Legal Aspects Legal Regulationsof Business of Business (Commercial and
Regulatory Law)Secretarial& LegalManagement Management Management Managementand theManagementFunctions
420 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Topical Areas That Are Addressed inPast and Current IIA CBOK Studies (Cont.)
Gabeil Barrett et al. Albrecht et al. Birkett et al. CBOK(1972) (1985) (1991) (1999) (2006)
Marketing Marketing & Marketing Marketing MarketingDistributionOrganizations Organizations/
IndustriesOrganizational Organizational OrganizationalBehavior Behavior Behavior
Outsourcing/Co-sourcing theAudit/AuditFunction
PersonnelAdministration
Professional ProfessionalQualification, Qualifications,Education, Education,Development, Development,Training Training
ProductionNeed for a Global ProfessionalValidated PracticesFramework Framework(CommonLanguage, GlobalProfession ofInternal Auditing)
Quantitative Statistics Quantitative Quantitative StatisticsMethods Methods Methods
& Statistics & StatisticsResearch & R&D AuditDevelopment
Reasoning Reasoning Reasoning ReasoningRisk Control/ Risk ManagementInternal Control and Control/Internal
ControlRole of the CAE
Taxes Taxes Taxes
_____________________________ Chapter 10: Research Method and Literature Review 421
The Institute of Internal Auditors Research Foundation
APPENDIX 10-CCBOK 2006 CAE AND PRACTITIONER
QUESTIONNAIRE
Note: This is the final English Questionnaire. On the next two pages is a summary ofwhich questions were on both, on just CAE, or on just Practitioner questionnaire. TheIIA combined the two questionnaires as some of the questions appeared on bothquestionnaires.
The Institute of Internal Auditors Research FoundationCOMMON BODY OF KNOWLEDGE (CBOK) 2006
Chief Audit Executive (CAE) or Service Provider Equivalent,Head of Internal Audit Activity,
Engagement Leader, or Service Provider Principal
Welcome to the Common Body of Knowledge (CBOK) 2006! You are about to participate in oneof the most important projects ever undertaken by The IIA Research Foundation. CBOK will helpUnderstand, Guide, and Shape the future of Internal Auditing! Your participation will ensure thisproject is a success.
We anticipate that this survey will take approximately 40 minutes of your valuable time. All of youranswers will be strictly confidential and will not be associated with your personal information ororganization information. Please answer the questions honestly.
Please complete the survey in one session. If you have any technical problems or questions, pleasesend an e-mail to [email protected].
At the end of the survey you will be given the opportunity to enter an optional drawing for twenty-five US$200 VISA Gift Cards.
422 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Questions for CAE and Practitioner (Per Word file version)
Question Question Description Both CAE PractitionerNumber
Part I Personal/Background Information1a How long member *1b Affiliate/Chapter *2 Age *3 Level of Education *4 Academic Major *5 Organization Position *6 Professional Qualification *7 Total Professional Experience *8 Total Years as CAE, GA, TAP, VP *9 Reporting Status *10 Training hours over last 36 months *11 Training hours over last 12 months *12 Type of organization you work in *13 Classification of the industry you offer *
internal audit services14 Organization Size - (total employees, assets, *
revenue)15 Area Served *16 How long has your organization existed? *17a Does organization have an Internal Audit Activity *
(IAA)?17b How long has the IAA existed? *18 Organization Documents *19 Who is involved in appointing the CAE? *20 Who evaluates CAE’s performance *21 Is there an Audit Committee? *22a Number of Audit Committee meetings *22b Number of Audit Committee meeting invitations *22c Number of Audit Committee meetings attended *22d Meet Audit Committee in addition to regular *
meetings?23 Have appropriate access to Audit Committee? *24 How is value added by IAA measured? *
_____________________________ Chapter 10: Research Method and Literature Review 423
The Institute of Internal Auditors Research Foundation
Question Question Description Both CAE PractitionerNumber
25a How many times is the audit plan updated? *25b How do you establish audit plan *26a Provide IA services to external organizations? *26b External Organizations that receive IA services *26c Do you agree with the statements below? *27 Number of Staff in IAA *28 Incentives to hire IA professionals *29 Methods to fill staff vacancies *30 Methods to compensate for missing skills *31 Percentage of activities out or co-sourced *32 Will budget for out/co-sourced activities change? *33 Number of Members who have Certifications *34 Need additional certification beyond CIA? *35 Method of staff evaluation *36 Frequency of training *37 Use IIA’s Int’l Standards in whole or part? *38 Guidance from International standard Adequate? *39 Standard of Professional Practices Framework *
adequate?40 Reasons for not using The IIA’s Int’l Standards *41 IAs have quality assessment and improvement *
program?42 When was last formal internal quality *
assessment?43 When was last formal internal quality *
assessment?44 Activities performed as part of IAA quality *
assessment45 Who performs following activities/audits? *46 Percentage time spent on the following activities *47 Resolution of major differences *48 Who reports auditing findings to management *49 Who monitors corrective actions? *50 How much is IA going to use the following *
audit tools?
424 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Question Question Description Both CAE PractitionerNumber
51 Behavioral skills for staff *52 Technical skills for staff *53 Competencies for staff *51a Important behavioral skills *52a Important technical skills *53a Important competencies *53b Importance of certain knowledge *54 Will changes in the IAA scope occur? *55 Roles of IAA *56 Indicate whether statements apply to *
organization
I. Personal/Background Information
Note: Background information will be used anonymously for aggregate data analysis. No individualinformation will be revealed in research reports.
1a. How long have you been a member of The IIA?1-5 years6-10 years11 years or moreI am not a member of The IIA (Skip to question 2.)
1b. Please select your IIA Affiliate or if you are located in North America or the Caribbean, pleaseselect your Chapter. Affiliate: _______________ Chapter: ________________
2. Your age: _________
3. Your highest level of formal education (not certification) completed:Secondary/High School EducationBachelors/Diploma in BusinessBachelors/Diploma in fields other than BusinessMasters/Graduate Degree/Diploma in BusinessMasters/Graduate Diploma in fields other than BusinessDoctoral DegreeOther
_____________________________ Chapter 10: Research Method and Literature Review 425
The Institute of Internal Auditors Research Foundation
4. Your academic major(s): (Please mark all that apply.)AccountingArts or HumanitiesAuditingComputer ScienceEconomicsEngineeringFinanceGeneral Business/ManagementInformation SystemsInternal AuditingLawMathematics/StatisticsScience or Technical FieldOtherNo degree
5. Your position in the organization:Chief Audit Executive/General Auditor/Top Audit Position/Vice President - Audit/Service Provider EquivalentInternal Audit Management/Service Provider ManagementInternal Audit Senior or Supervisor/Service Provider Senior or SupervisorInternal Audit Staff/Service Provider StaffSupport Staff (administration, secretarial, and clerical)Other
6. Your professional qualification(s): (Please mark all that apply.)Internal Auditing (such as CIA/MIIA/PIIA)Information Systems Auditing (such as CISA/QiCA/CISM)Government Auditing/Finance (such as CIPFA/CGAP/CGFM)Control Self-Assessment (such as CCSA)Public Accounting/Chartered Accountancy (such as CA/CPA /ACCA/ACA)Management/General Accounting (such as CMA/CIMA/CGA)Accounting - technician level (such as CAT/AAT)Fraud Examination (such as CFE)Financial Services Auditing (such as CFSA/CIDA/CBA)Fellowship (such as FCA/FCCA/FCMA)Certified Financial Analyst (such as CFA)Other
426 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
7. Specify your total years of professional experience using the following categories: (Use wholenumbers.)
Service Years in Years in Years in Years inProvider Private Publicly/ Govern- Not-for-
Company Listed mental ProfitCompany
a. Accounting _____ _____ _____ _____ ______b. Engineeringc. External (Independent)
Auditing _____ _____ _____ _____ ______d. Financee. Information Technology _____ _____ _____ _____ ______f. Internal Auditing _____ _____ _____ _____ ______g. Management _____ _____ _____ _____ ______h. Other Professional
Experience _____ _____ _____ _____ ______
Total Professional Experience _____ _____ _____ _____ ______
8. How many total years have you been the Chief Audit Executive/General Auditor/Top AuditPosition/Vice President - Audit/Service Provider equivalent at your current organization andprevious organizations you have worked for? Years: __________
9. Your reporting status in your organization is:Staff position reporting to a managerManagerial position reporting to executive management/high-level government officialOfficer position reporting to the executive management/high-level government officialIndependent position reporting to the audit committee of the board/oversight boardOther
10. On average, how many hours of formal training have you received over the last 36 monthperiod or while you have been in the Internal Audit Activity if less than three years? Trainingincludes, but is not limited to seminars, conferences, workshops, and in-house informationsessions provided by either your organization or another organization.Hours: ____________
11. How many hours of training over a 12-month period are required by law/statute where youwork?Hours: ____________
_____________________________ Chapter 10: Research Method and Literature Review 427
The Institute of Internal Auditors Research Foundation
II. Your Organization
Note: Organization information will be used anonymously for aggregate data analysis. No individualorganization information will be revealed.
12. The type of organization for which you currently work:Service Provider/ConsultantPublicly Traded (Listed) CompanyPrivately Held (Non-listed) CompanyPublic Sector/GovernmentNot-for-Profit OrganizationOther
13. The broad industry classification(s) of the organization for which you work or provide internalaudit services: (Please mark all that apply.)
Agricultural/ForestryBanking/Financial Services/Credit UnionBuilding and ConstructionCommunication/TelecommunicationConsumer GoodsEducationFinancial, Accounting, and/or Business ServicesHealthcareHospitality/Leisure/TourismInsuranceManufacturingMining and OilNon-Professional ServicesPharmaceutical/ChemicalProfessional ServicesReal EstateRetail/WholesaleTechnologyTrade ServicesTransport and LogisticsUtilitiesOther
428 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
14. Size of the entire organization for which you work as of December 31, 2005 or the end of thelast fiscal year: (Please use whole numbers and no abbreviations: use 1,000,000 not 1M.)
Total Employees (Full-time Equivalent):Employees: ___________________
Total Assets (U.S. Dollar Equivalent):Assets: _______________________
Total Revenue or Budget if Government or Not-for-Profit (U.S. Dollar Equivalent)Revenue: _____________________
15. Is your organization:LocalState/ProvincialRegionalNationalInternational/Multinational
16. How long has your organization been in existence?Years: _________________
III. Internal Audit Activity
17a. Does your organization have an Internal Audit Activity or provide Internal Audit services?YesNo (Skip to question 18.)
17b. If yes, for how long? (Please use whole numbers only.)Years:
18. Which of the following documents exist in your organization? (Please mark all that apply.)Corporate Governance CodeLong-term Strategic Plan for the OrganizationAudit Oversight/Committee CharterInternal Audit CharterMission Statement for the Internal Audit ActivityInternal Audit Operating Manual/Policy Statement
_____________________________ Chapter 10: Research Method and Literature Review 429
The Institute of Internal Auditors Research Foundation
Corporate Ethics Policy/Code of Ethics/Code of ConductAnnual Internal Audit Plan/Rolling Audit Plan/Quarterly Audit PlanLong-term Audit Plan (longer than 1 year)Internal Audit Risk Assessment (to determine what areas to audit)
19. Who is involved in appointing the Chief Audit Executive/General Auditor/Top Audit Position/Vice President - Audit/Service Provider equivalent? (Please mark all that apply.)
Chairperson of the BoardChief Executive OfficerAudit Committee/Oversight Committee/Committee ChairpersonChief Financial OfficerAnother person reporting to CFOOther
20. Who evaluates your performance? (Please mark all that apply.)Board of DirectorsChairperson of the BoardChief Executive OfficerAudit Committee/Oversight Committee/Committee ChairpersonSenior ManagementAuditee/Client at the end of auditSupervisor periodicallyPeers/Subordinates periodicallyNot evaluated
21. Is there an Audit Committee/Oversight Committee or equivalent in your organization?YesNo (Skip to question 24.)
22a. Number of Audit Committee/Oversight Committee meetings held in the last fiscal year:Number: _______________
22b. Number of Audit Committee/Oversight Committee meetings you were invited to attend (entirelyor in part) during the last fiscal year:Number: ______________
22c. Number of Audit Committee/Oversight Committee meetings you attended (entirely or in part)during the last fiscal year:Number: ______________
430 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
22d. Do you meet with the Audit Committee/Oversight Committee/Chairperson in addition to theregularly scheduled meetings?
Yes No
23. Do you believe that you have appropriate access to the Audit Committee/Oversight Committee?Yes No
24. How does your organization measure the value added by the Internal Audit Activity? (Pleasemark all that apply.)
Customer/Auditee surveys from audited departmentsRecommendations accepted/implementedCost savings and improvements from recommendations implementedNumber of management requests for internal audit assurance or consulting projectsReliance by external auditors on the Internal Audit ActivityBudget to actual audit hoursCycle time from entrance conference to draft reportNumber of major audit findingsOtherNo formal measurement of value added
25a. How frequently do you update the audit plan?Multiple times per yearEvery yearEvery two yearsMore than every two yearsNo audit plan (Skip to question 26.)
25b. How do you establish your audit plan? (Please mark all that apply.)Use of a risk-based methodologyConsult previous years audit planConsultation with divisional or business headsRequests from managementAudit Committee/Oversight Committee requestsCompliance/regulatory requirementsRequests from or consultation with external auditorsOther
26a. Are you currently a service provider of internal audit services to external organizations?YesNo (Skip to question 27.)
_____________________________ Chapter 10: Research Method and Literature Review 431
The Institute of Internal Auditors Research Foundation
26b. What is the number of external organizations to which you provide internal audit services?Number: ________________
Note: If you have identified yourself as a provider of internal audit services to externalorganizations, whenever you see the phrase “Internal Audit Activity” please answerthe question based on your experiences as a service provider, not as an internalauditor for your organization.
26c. Please indicate your agreement with the following statements as they relate to your currentorganization or organizations that you audit.
1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree
____ a. Your Internal Audit Activity is an independent objective assurance and consultingactivity.
____ b. Your Internal Audit Activity adds value.____ c. Internal Audit brings a systematic approach to evaluate the effectiveness of risk
management.____ d. Your Internal Audit Activity brings a systematic approach to evaluate the
effectiveness of internal controls.____ e. Your Internal Audit Activity brings a systematic approach to evaluate the
effectiveness of governance processes.____ f. Your Internal Audit Activity proactively examines important financial matters,
risks, and internal controls.____ g. Your Internal Audit Activity is an integral part of the governance process by
providing reliable information to management.____ h. The way our Internal Audit Activity adds value to the governance process is
through direct access to the Audit Committee.____ i. Your Internal Audit Activity has sufficient status in the organization to be effective.____ j. Independence is a key factor for your Internal Audit Activity to add value.____ k. Objectivity is a key factor for your Internal Audit Activity to add value.____ l. Your Internal Audit Activity is credible within your organization.____ m. Compliance with The IIA’s International Standards for the Professional
Practice of Internal Auditing is a key factor for your Internal Audit Activity toadd value to the governance process.
____ n. Compliance with The IIA’s Code of Ethics is a key factor for your Internal AuditActivity to add value to the governance process.
432 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
IV. Staffing
27. How many staff are in your Internal Audit Activity? Temporary or co-sourced staff should beincluded to the nearest full-time equivalent.
Full-time Part-time
CAE/General Auditor/Top Audit Position/Service ProviderEquivalent/Vice President - Audit ______ ____
Internal Audit Managers ______ ____
Internal Audit Supervisors ______ ____
Internal Audit Staff ______ ____
External Auditors (co-sourced) ______ ____
Contract Audit Staff (co-sourced) ______ ____
Support Staff (Administrative, Secretarial, and Clerical) ______ ____
Other ______ ____
28. Is your organization currently offering any special incentives to hire internal audit professionals?(Please mark all that apply.)
Relocation expensesSigning bonusStock optionsAccelerated raisesVehicle provided by the organizationTransportation allowanceOther
29. What methods do you use to make up for staff vacancies? (Please mark all that apply.)Facilitate Control Self-assessments in place of auditsReduce areas of coverageIncreased use of audit software
_____________________________ Chapter 10: Research Method and Literature Review 433
The Institute of Internal Auditors Research Foundation
Borrowing staff from other departmentsCo-sourcing from internal audit service providersNo vacanciesOther
30. What methods is your organization employing to compensate for missing skill sets (e.g., ITaudit, statistical analysis)? (Please mark all that apply.)
Reduce areas of coverageMore reliance on audit softwareBorrowing staff from other departmentsCo-sourcing/outsourcingNo missing skill setsOther
31. What percentage of your Internal Audit Activity activities are currently outsourced / co-sourced?
No outsourcing/co-sourcing0-10 %11-20%21-30%31-40%41-50%51-60%61-70%71-80%81-90%91-100%
32. Do you anticipate that your budget for outsourced/co-sourced activities will change in the nextthree years?
IncreaseDecreaseRemain the same
434 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
33. How many members of the Internal Audit Activity hold the following certifications? If a staffmember has more than one certification, include them in all applicable categories.
NumberInternal Auditing (such as CIA/MIIA/PIIA)
Information Systems Auditing (such as CISA/QiCA/CISM)
Government Auditing/Finance (such as CIPFA/CGAP/CGFM)
Control Self-Assessment (such as CCSA)
Public Accounting/Chartered Accountancy (such as CA/CPA/ACCA/ACA)
Management/General Accounting (such as CMA/CIMA/CGA)
Accounting - technician level (such as CAT/AAT)
Fraud Examination (such as CFE)
Financial Services Auditing (such as CFSA/CIDA/CBA)
Fellowship (such as FCA/FCCA/FCMA)
Certified Financial Analyst (such as CFA)
Other
34. Do you see a need for additional certification beyond the CIA for audit managers and CAEs?a. Need for additional certification exams for audit managers Yesb. Need for additional certification exams for CAEs No
35. What method of staff evaluation do you use? (Please mark all that apply.)By supervisor periodically Customer/auditee feedbackPeers/subordinates periodically Other
_____________________________ Chapter 10: Research Method and Literature Review 435
The Institute of Internal Auditors Research Foundation
36. How frequently do you and your staff receive the following types of training?
More frequently than annuallyAnnuallyLess frequently than annuallyAs neededNever
a. Standards and professional practices ___________________________________
b. Basic/advanced technology ___________________________________
c. Anti-fraud techniques ___________________________________
d. Ethics training ___________________________________
e. Communication skills ___________________________________
f. Team-building skills ___________________________________
V. Internal Auditing Standards
37. Does your organization use The IIA’s International Standards for the Professional Practiceof Internal Auditing in whole or in part? If you are a service provider do you use The IIA'sInternational Standards for the Professional Practice of Internal Auditing in whole or inpart for your audits of your clients?
YesNo (Skip to question 40.)
436 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
38. If your Internal Audit Activity follows any of The IIA’s International Standards for theProfessional Practice of Internal Auditing, please indicate if the guidance provided bythese standards is adequate for your Internal Audit Activity and if you believe your organizationcomplies with the Standards.
[provide links to all below] Guidance is Your OrganizationAdequate is in Compliance
Yes Yes, fullNo complianceDo not use Yes, partialI do not complianceknow No, not in
complianceI do not know
AS 1000 - Purpose, Authority, and Responsibility
AS 1100 - Independence and Objectivity
AS 1200 - Proficiency and Due Professional Care
AS 1300 - Quality Assurance and Improvement
PS 2000 - Managing the Internal Audit Activity
PS 2100 - Nature of Work
PS 2200 - Engagement Planning
PS 2300 - Performing the Engagement
PS 2400 - Communicating Results
PS 2500 - Monitoring Progress
PS 2600 - Resolution of Management’s Acceptance of Risks
_____________________________ Chapter 10: Research Method and Literature Review 437
The Institute of Internal Auditors Research Foundation
39. If your Internal Audit Activity uses any of the Practice Advisories provided by The IIA in theInternational Professional Practices Framework, indicate if they are adequate for your InternalAudit Activity. If your organization does not use any of the Practice Advisories, skip to question40.
[provide links to all below] Guidance isAdequate
YesNoDo Not Use
AS 1000 - Purpose, Authority, and Responsibility
AS 1100 - Independence and Objectivity
AS 1200 - Proficiency and Due Professional Care
AS 1300 - Quality Assurance and Improvement
PS 2000 - Managing the Internal Audit Activity
PS 2100 - Nature of Work
PS 2200 - Engagement Planning
PS 2300 - Performing the Engagement
PS 2400 - Communicating Results
PS 2500 - Monitoring Progress
PS 2600 - Resolution of Management’s Acceptance of Risks
438 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
40. What are the reasons for not using The IIA’s International Standards for the ProfessionalPractice of Internal Auditing, in whole or in part? (Please mark all that apply.) Skip toquestion 41 if your organization is in full compliance with The IIA’s International Standardsfor the Professional Practice of Internal Auditing.
Standards or Practice Advisories are too complexNot appropriate for small organizationsToo costly to complyToo time consumingSuperseded by local/government regulations or standardsNot appropriate for my industryCompliance not supported by management/boardNot perceived as adding value by management/boardInadequate Internal Audit Activity staffCompliance not expected in my countryOtherPlease explain: _______________________________________________________
41. Does your Internal Audit Activity have a quality assessment and improvement program inplace in accordance with The IIA’s International Standards for the Professional Practiceof Internal Auditing Standard 1300?
Yes, currently in placeTo be put in place within the next twelve monthsNo plans to put in place in the next twelve monthsYour quality assurance program is not in accordance with Standard 1300I do not know
42. When was your Internal Audit Activity last subject to a formal internal quality assessment,periodic or ongoing, in accordance with The IIA’s International Standards for the ProfessionalPractice of Internal Auditing Standard 1311 on internal assessments?
Scheduled to be completed prior to January 1, 2007, but not yet completedWithin the last 12 months1-3 years ago4-5 years agoMore than 5 years agoNeverThe internal review was not done in accordance with Standard 1311I do not know
_____________________________ Chapter 10: Research Method and Literature Review 439
The Institute of Internal Auditors Research Foundation
43. When was your Internal Audit Activity last subject to a formal external quality assessment inaccordance with The IIA International Standards for the Professional Practice of InternalAuditing Standard 1312 on external assessments?
Scheduled to be completed prior to January 1, 2007, but not yet completedWithin the last 12 months1-3 years ago4-5 years agoMore than 5 years agoNeverThe external review was not done in accordance with Standard 1312I do not know
44. For your Internal Audit Activity, which of the following activities are performed as part of yourinternal audit quality assessment and improvement program? (Please mark all that apply.)
Verification that the Internal Audit Activity is in compliance with The IIA’s InternationalStandards for the Professional Practice of Internal AuditingCompliance with non-IIA standards or codesInternal audit professionals are in compliance with The IIA’s Code of EthicsChecklists/manuals to provide assurance that proper audit processes are followedEngagement supervisionFeedback from audit customers at the end of an auditReviews by other members of the Internal Audit ActivityReview by external partyI do not knowNot applicable
440 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
VI. Audit Activities
45. Please indicate who performs the following activities and/or audits: (Please mark all that apply.)
Internal AuditActivityOtherdepartmentin theorganizationCo-sourcedOutsourcedNot Performed
a. Administrative (audit plan, assign tasks)
b. Business viability assessments
c. Compliance with company privacy policies
d. Compliance with corporate governance and regulatorycode requirements
e. Control framework monitoring and development
f. Corporate takeovers/mergers
g. Enterprise risk management
h. Ethics audits
i. External audit assistance
j. Health, safety, and environment
k. Financial auditing
l. Information risk assessment
_____________________________ Chapter 10: Research Method and Literature Review 441
The Institute of Internal Auditors Research Foundation
m. Information technology department assessment
n. Internal auditing
o. Internal control testing/systems evaluation
p. Investigations of fraud and irregularities
q. Linkage of strategy and company performance
r. Management effectiveness review/audit
s. Operational audits
t. Project management
u. Quality assessment of internal audit activity
v. Quality/ISO audits
w. Resource management and controls
x. Security issues
y. Social and sustainability audits
z. Special projects
aa. Technical competency training for auditors
442 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
46. Please estimate the percentage of time spent by the Internal Audit Activity on each of thefollowing activities for the most recent fiscal year:
3 Years Currently 3 YearsAgo From Now
a. Compliance audits (laws, regulations,and policy ______ ______ ______
b. Consulting/Advisory ______ ______ ______
c. Financial process audits (includingassistance to the external auditor) ______ ______ ______
d. Fraud investigations (forensicaccounting/auditing) ______ ______ ______
e. Governance (ethics, control framework,regulatory, linkage of strategy andcompany performance) ______ ______ ______
f. Information technology audits ______ ______ ______
g. Operational ______ ______ ______
h. Management audits ______ ______ ______
i. Other ______ ______ ______
Total should add to 100% in each column ______ ______ ______
_____________________________ Chapter 10: Research Method and Literature Review 443
The Institute of Internal Auditors Research Foundation
47. If major differences arise around audit issues (audit results versus policy or between auditorand auditee/client), when are they resolved?
NeverRarelySometimesUsuallyAlways
During planning
During audit fieldwork
During audit reporting
After audit report is issued
Never
48. After the release of an audit report in the organization, who has the primary responsibility forreporting findings to senior management?
Auditee/clientChief Audit Executive/General Auditor/Top Audit Position/Vice President - Audit/ServiceProvider equivalentInternal auditor managerBoth internal audit manager and auditee/clientBoth Chief Audit Executive and auditee/clientOtherNo formal reporting of results
49. After the release of an audit report with findings that need corrective action, who has theprimary responsibility to monitor that corrective action has been taken?
Auditee/clientInternal auditorBoth internal audit and auditee/clientNo formal follow-upOther
444 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
VII. Tools, Skills, and Competencies
50. Indicate the extent the Internal Audit Activity uses or plans to use the following audit tools /techniques on an audit engagement:
1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used, 5 = Extensively Used
Currently Plan to useUsed in the next
3 years1 12 23 34 45 5
a. Analytical review
b. Balanced scorecard or similar framework
c. Benchmarking
d. Computer Assisted Audit Techniques
e. Continuous/real-time auditing
f. Control Self-assessment
g. Data mining
h. Electronic workpapers
i. Flowchart software
j. Other electronic communication (e.g., Internet, e-mail)
k. Process mapping application
l. Process modeling software
_____________________________ Chapter 10: Research Method and Literature Review 445
The Institute of Internal Auditors Research Foundation
m. Risk-based audit planning
n. Statistical sampling
o. The IIA’s Quality Assessment Review tools
p. Total quality management techniques
51. Please mark the five most important of the following behavioral skills for each professionalstaff level to perform their work. (Behavioral skills are actions towards others measured bycommonly accepted standards and management of one’s own actions).
Staff Supervisor Management Head ofAudit
Activity
a. Confidentiality
b. Facilitating
c. Governance and ethics sensitivity
d. Interpersonal skills
e. Leadership
f. Objectivity
g. Relationship building
h. Staff management
i. Team building
j. Team player
k. Working independently
l. Work well with all levelsof management
446 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
52. Please mark the five most important of the following technical skills for each level of professionalstaff to perform their work. (Technical skills are using terminology or subject matter in aparticular field)
Staff Supervisor Management Head ofAudit
Activity
a. Data collection and analysis
b. Financial analysis
c. Forensic skills/Fraud awareness
d. Identifying types of controls(e.g., preventative, detective)
e. Interviewing
f. ISO/quality knowledge
g. Negotiating
h. Research skills
i. Risk analysis
j. Statistical sampling
k. Total Quality Management
l. Understanding business
m. Use of information technology
_____________________________ Chapter 10: Research Method and Literature Review 447
The Institute of Internal Auditors Research Foundation
53. Please mark the five most important of the following competencies for each level of professionalrank to perform their work. (Competencies are skills essential to perform certain tasks).
Staff Supervisor Management Head ofAudit
Activity
a. Ability to promote the InternalAudit Activity within theorganization
b. Analytical (ability to workthrough an issue)
c. Change management
d. Communication
e. Conflict resolution
f. Critical thinking
g. Conceptual thinking
h. Foreign language skills
i. Keeping up to date withprofessional changes inopinions, standards andregulations
j. Organization skills
k. Presentation skills
l. Problem identificationand solution
448 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
Staff Supervisor Management Head ofAudit
Activity
m. Project planning andmanagement
n. Report development
o. Time management
p. Training and developing staff
q. Understanding complexinformation systems
r. Writing skills
51a. Please indicate the importance of the following behavioral skills for you to perform your workat your position in the organization. (Behavioral skills are actions towards others measured bycommonly accepted standards and management of one's own actions).
Rank from 1 (minimally important) to 5 (very important)
___ a. Confidentiality
___ b. Facilitating
___ c. Governance and ethics sensitivity
___ d. Interpersonal skills
___ e. Leadership
___ f. Objectivity
___ g. Relationship building
___ h. Staff management
_____________________________ Chapter 10: Research Method and Literature Review 449
The Institute of Internal Auditors Research Foundation
___ i. Team building
___ j. Team player
___ k. Working independently
___ l. Work well with all levels of management
52a. Please indicate the importance of the following technical skills for you to perform your workat your position in the organization (Technical skills means using terminology or subject matterin a particular field).
Rank from 1 (minimally important) to 5 (very important)
___ a. Data collection and analysis
___ b. Financial analysis
___ c. Forensic skills/Fraud awareness
___ d. Identifying types of controls (e.g., preventative, detective)
___ e. Interviewing
___ f. ISO/quality knowledge
___ g. Negotiating
___ h. Research skills
___ i. Risk analysis
___ j. Statistical sampling
___ k. Total Quality Management
___ l. Understanding business
___ m. Use of information technology
450 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
53a. Please indicate the importance of the following competencies for you to perform your work atyour position in the organization (Competencies are skills essential to perform certain tasks).
Rank from 1 (minimally important) to 5 (very important)
___ a. Ability to promote the Internal Audit Activity within the organization
___ b. Analytical (ability to work through an issue)
___ c. Change management
___ d. Communication
___ e. Conflict resolution
___ f. Critical thinking
___ g. Conceptual thinking
___ h. Foreign language skills
___ i. Keeping up to date with professional changes in opinions, standards, and regulations
___ j. Organization skills
___ k. Presentation skills
___ l. Problem identification and solution
___ m. Project planning and management
___ n. Report development
___ o. Time management
___ p. Training and developing staff
___ q. Understanding complex information systems
___ r. Writing skills
_____________________________ Chapter 10: Research Method and Literature Review 451
The Institute of Internal Auditors Research Foundation
53b. How important are the following areas of knowledge for satisfactory performance of your jobat your position in the organization?
Rank from 1 (minimally important) to 5 (very important)
___ a. Accounting
___ b. Auditing
___ c. Business law and government regulation
___ d. Business management
___ e. Changes to professional standards
___ f. Enterprise risk management
___ g. Ethics
___ h. Finance
___ i. Fraud awareness
___ j. Governance
___ k. Human resource management
___ l. Internal auditing standards
___ m. Information technology
___ n. Managerial accounting
___ o. Marketing
___ p. Organization culture
___ q. Organizational systems
452 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
___ r. Strategy and business policy
___ s. Technical knowledge for your industry
VIII. Emerging Issues
54. Do you perceive likely changes in the role of the Internal Audit Activity in the organization overthe next 3 years?
IncreaseDecreaseStay the same
a. Review of financial processes
b. Risk management
c. Governance
d. Regulatory compliance
e. Operational auditing
55. Please identify the roles that the Internal Audit Activity currently has in your organization orwill have in the next 3 years. Role means that it is within the scope of your work.
Currently have a roleLikely to have a role withinthe next 3 yearsUnlikely to have a roleNot applicable
a. Alignment of strategy and performancemeasures (e.g., Balanced Scorecard)
b. Benchmarking
c. Corporate governance
d. Corporate social responsibility
_____________________________ Chapter 10: Research Method and Literature Review 453
The Institute of Internal Auditors Research Foundation
e. Develop training and education oforganization personnel (e.g., internalcontrols, risk management, regulatoryrequirements)
f. Disaster recovery
g. Evidential issues
h. Emerging markets
i. Environmental sustainability
j. Executive compensation
k. Fraud prevention/detection
l. Globalization
m. Intellectual property and knowledgeassessment
n. IT management assessment
o. Knowledge management systemsdevelopment review
p. Mergers and acquisitions
q. Project management
r. Provide training to the audit committee
s. Regulatory compliance assessment monitoring
t. Risk management
u. Strategic frameworks
454 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
56. Please indicate if the following statements apply to your organization now, in the next 3 yearsor will not apply in the foreseeable future.
Currently ApplyLikely to Apply Withinthe Next 3 YearsWill Not Apply in theForeseeable FutureNot Applicable
a. Internal auditing is required by law or regulationwhere the organization is based.
b. Internal auditors in the organization have anadvisory role in strategy development.
c. The organization complies with a corporategovernance code.
d. The organization has implemented an internalcontrol framework.
e. The organization has implemented a knowledgemanagement system.
f. The Internal Audit Activity has provided trainingto audit committee members.
g. The Internal Audit Activity assumes an importantrole in the integrity of financial reporting.
h. The Internal Audit Activity educates organizationpersonnel about internal controls, corporategovernance, and compliance issues.
i. The Internal Audit Activity places more emphasison assurance than consulting services.
_______________________ The William G. Bishop III, CIA, Memorial Fund Contributors 455
The Institute of Internal Auditors Research Foundation
THE WILLIAM G. BISHOP III, CIA,MEMORIAL FUNDCONTRIBUTORS
DIAMOND LEVELAssociation of Certified Fraud ExaminersThe Institute of Internal Auditors (IIA)IIA BaltimoreIIA DallasIIA New YorkIIA Washington, DC
EMERALD LEVELThe Bishop FamilyJane Lee and William L. TaylorThomas J. Warga, CIAJCPenney Company Inc.Jefferson Wells International Inc.Protiviti IncIIA Central IllinoisIIA Central PennIIA Houston
RUBY LEVELRobert Antoine, CIADennis K. Beran, CIA, CCSAJohn J. Fernandes, CIA, CCSAJohn J. Flaherty, CIAJean-Pierre Garitte, CIA, CCSAEric HespenheideAl HolzingerBruce MeiklePatricia K. Miller, CIASandra L. Pundmann
Sridhar Ramamoorti, Ph.D., CIA, CPA,CFE, CFSA, CGAP
Anthony J. Ridley, CIAC. Wayne Rose, CIARichard M. Serafini, CIA, CFSAAmerican Institute of Certified Public
Accountants (AICPA)Asian Confederation of Institute of Internal
Auditors (ACIIA)Association of Healthcare Internal AuditorsFannie MaeMicrosoft CorporationIIA Ak-Sar-BenIIA AlbanyIIA AustinIIA AustraliaIIA Birmingham (AL)IIA Green Mountain (VT)IIA Los AngelesIIA MilwaukeeIIA MontrealIIA NashvilleIIA New ZealandIIA North JerseyIIA NorwayIIA Orange County (CA)IIA PhoenixIIA Southern New EnglandIIA United Kingdom and IrelandIIA VancouverIIA Wichita
456 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
FRIEND LEVELUrton L. Anderson, Ph.D., CIA, CCSAAudley L. Bell, CIAAndrew J. Dahle, CIAStephen D. Goepfert, CIATimothy R. HolmesHoward J. Johnson, CIACarman Lapointe-Young, CIA, CCSAJohn M. Polarinakis, CIARalph E. PurpurLarry E. Rittenberg, Ph.D., CIARoderick M. Winters, CIAAssociation of Credit Union
Internal Auditors (ACUIA)MIS Training InstituteSalt River ProjectIIA BaltimoreIIA Central FloridaIIA Central IowaIIA Central KentuckyIIA DetroitIIA Greater BostonIIA IndianapolisIIA Kansas CityIIA Long IslandIIA MadisonIIA MalaysiaIIA MiamiIIA Ocean State (RI)IIA Salem (OR)IIA SaskatchewanIIA St. LouisIIA SwedenIIA TallahasseeIIA TidewaterIIA TulsaIIA Twin CitiesIIA Westchester FairfieldIIA Winnipeg
DONOR LEVELRonald W. Acker, CIABruce Alan Adamec, CIAAugusto BaetaThomas J. BeirneJoanna BerensLucia B. BishopSten Bjelke, CIALeRoy E. Bookal, CIAKaty BrownRobert BullenJudith K. Burke, CCSARichard F. Chambers, CIA, CCSA, CGAPNicolette CreatoreProf. Mortimer Dittenhofer, CIAWilliam J. Duane, CIA, CFSAEdward M. Dudley, CIACharles B. EldridgeIvy N. EstesRobert A. Ferst, CIARobert B. FosterHal A. Garyn, CIAKimberly Parker Gavaletz, CIAGaston L. Gianni, Jr., CGAPAudrey A. Gramling, CIATrish HarrisRudy Hernandez, Jr., CIAGlenn P. Hoffman, CIA, CFSAJohn Gregory HutsellCynthia HuysmanSteven Earl Jameson, CIA, CCSA, CFSAThomas A. Johnson, CIAWendy W. Kerins, CIADonald E. Kirkendall, CIAJoel F. KramerKevin KuntzDaniel B. Langer, CIA, CCSASusan B. Lione, CIA, CCSA, CFSA, CGAPPhilip B. Livingston
_______________________ The William G. Bishop III, CIA, Memorial Fund Contributors 457
The Institute of Internal Auditors Research Foundation
Melani P. Lovik, CIAMarjorie A. Maguire-Krupp, CFSAStacy M. Mantzaris, CIA, CCSA, CGAPCarlo L. MastropaoloDorick V. MauroJill E. Mayhew, CIASam Michael McCall, CIARobert N. McDonald, CIABetty L. McPhilimy, CIAGuenther MeggenederT. Fred MillerJames A. MolzahnPerry Glen Moore, CIAWayne G. Moore, CIAKevin M. MorrisseyD. Richard Moyer, CIAJane F. MutchlerDonald J. Nelson, CIAFrank M. O’Brien, CIAAmy B. OwenPaula W. Parker, CIADolores C. Pasto-Ziobro, CIABasil H. Pflumm, CIAJarred and Shannon PittmanDavid PolanskyRobert B. PowellCharity A. Prentice, CIA, CCSA, CGAPWalter D. PughMichael S. Raphael, CIARichard K. RobinsonAnastasia Rodriguez Ford, CIAH. David RosensteinJames P. Roth, Ph.D., CIA, CCSACharles T. Saunders, Jr., CIA, CCSAMitchell James SmithPaul J. Sobel, CIADonald E. SparksPeteris Strazdins, CIAMargaret G. Summers
Johanna S. Swauger, CIA, CCSA, CFSADeborah L. SwordDeborah Wheless Tanju, CIADavid A. Tenney, CIAArchie R. Thomas, CIABena G. Tinsley, CIABonnie L. UlmerDallal Helen Van Hoeck, CIACurtis C. Verschoor, CIADominique Vincenti, CIAH.C. Warner, CIAJohn K. Watsen, CIABilly G. WeathersScott D. White, CIA, CFSADouglas E. Ziegenfuss, Ph.D., CIA, CCSAMichael A. ZowineAmerican International GroupAssociation of College and University Auditors
(ACUA)Board of Environmental, Health & Safety
Auditor Certifications (BEAC)JPA International Inc.Junior Achievement of Central FloridaKraus-Manning Inc.Majestic Star CasinoMemphis Blues Rugby ClubOffice Depot Inc.Omni Hotels CorporationPaisley Consultants/CARDdecisions Inc.PBD Worldwide Fulfillment Services Inc.Shenandoah GroupSimon Operation Services Inc.IIA AtlantaIIA CalgaryIIA Central VirginiaIIA Chattanooga AreaIIA ChicagoIIA Chinese TaiwánIIA Coastal Georgia
458 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
IIA Downeast MaineIIA EdmontonIIA El PasoIIA Granite State (NH)IIA Lansing (MI)IIA Las VegasIIA Monroe
IIA OzarksIIA RochesterIIA Santa FeIIA Sioux FallsIIA SpokaneIIA TucsonIIA U.S. Pacific
THE IIA RESEARCH FOUNDATIONCHAIRMAN’S CIRCLE
Cargill Inc.Chevron
Deloitte & Touche LLPErnst & Young LLP
ExxonMobil CorporationJCPenney Company
Lockheed Martin CorporationMicrosoft Corporation
PricewaterhouseCoopers LLPProtiviti Inc.
Raytheon CompanyDavid A. Richards, CIA
Paul J. Sobel, CIARod and Donna Winters
_________________________________ The IIA Research Foundation Board of Trustees 459
The Institute of Internal Auditors Research Foundation
The IIA Research FoundationBoard of Trustees
PresidentRoderick M. Winters, CIA, CPA
Microsoft Corporation
Vice President - StrategyEric J. Hespenheide, CPADeloitte & Touche LLP
Vice President - ResearchRobert B. Foster, CFEFidelity Investments
Vice President - DevelopmentDennis K. Beran, CIA, CCSA, CPA, CFE
JCPenney Company, Inc.
TreasurerStephen W. Minder, CIA
Archer Daniels Midland Company
SecretaryOliver Ray Whittington, Ph.D., CIA
DePaul University
Members
Mark HamillProtiviti Inc.
Michael A. HerzogErnst & Young LLP
Robert B. Hirth, CPA, CAProtiviti Inc.
Howard J. Johnson, CIA, CPA.
Michael Lickteig, CIA, CCSASusan J. Komen Breast Cancer Foundation
Marjorie A. Maguire-KruppAmerican International Group
Wayne G. Moore, CIA, CPA
Johannes (Hans) NieuwlandsNUON
Sridhar Ramamoorti, Ph.D., CIA, CPA, CFE,CFSA, CGAP
Grant Thornton Chicago
Gregory C. RedmondChevron Corporation
Paul J. Sobel, CIA, CPAMirant Corporation
Jay R. Taylor, CIAGeneral Motors Corporation
William L. Taylor, CPA, CGFM
Donald E. Tidrick, Ph.D., CIANorthern Illinois University
Susan D. UlreyKPMG LLP
Anton B. van Wyk, CIA, CFAPricewaterhouseCoopers LLP
Shi XianNanjing Audit University
Douglas Ziegenfuss, Ph.D., CIA, CCSAOld Dominion University
460 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
The IIA Research FoundationBoard of Research and Education Advisors
ChairmanRobert B. Foster, CFE, Fidelity Investments
Vice ChairmanSusan D. Ulrey, KPMG LLP
Members
George R. Aldhizer III, Ph.D., CIA, Wake ForestUniversity
Lalbahadur Balkaran, CIA, FCMA, KPMG LLPKevin W. Barthold, CPA, CISA, San Antonio Credit
UnionEdmund Beemer, HudsonThomas J. Beirne, CFSA, CPA, CBA, Protiviti Inc.Audley L. Bell, CIA, CPA, CFE, CISA, Habitat for
Humanity InternationalIva Cerna, CIA, Zentiva a.s.Thomas J. Clooney, CCSA, CPA, CBA, CSP, KPMG
LLPKathryn Constantopoulos, Deloitte & Touche LLPJean Coroller, Ernst & Young LLPMary Christine Dobrovich, Jeffersonwells
InternationalHelen Dozois, CIA, Burger King CorporationSusan Page Driver, CIA, CPA, CISA, Comptroller
of Public AccountsDonald A. Espersen, CIA, CBA, despersen &
associatesGareth Evans, MIIA, United KingdomPhilip E. Flora, CIA, CCSA, CFE, CISA, Texas
Guaranteed Student LoanJohn M. Furka, CPA, Brown Brothers Harriman &
Co.John C. Gazlay, CPA, CCP, Freddie MacDan B. Gould, CIA, JCPenney Company, Inc.Peter M. Hughes, Ph.D., CIA, CPA, CFE, Orange
County
Ronald W. Lackland, University of Central EnglandRichard B. Lanza, CPA, Cash Recovery Partners
LLCDavid J. MacCabe, CIA, CGAP, Teacher Retirement
System of TexasGary J. Mann, Ph.D., CPA, University of Texas at El
PasoTrevor B. Martin, National Oilwell VarcoGary R. McGuire, CIA, CPA, Lennox International
Inc.John D. McLaughlin, Smart and Associates LLPSteven S. Mezzio, CIA, CCSA, CFSA, CPA, CISSP,
CBA, Resource ConnectionAnna Rebecca Nicodemus, CIA, CPA, CFE, Belo
CorporationClaire Beth Nilsen, CFSA, CRCM, CFE, CRP,
Yardville National BankJacob Nuss, Israel Aircraft Industries Ltd.Daniel Pantera, The Methodist HospitalMark R. Radde, CIA, CPA, Buffets Inc.M. Rajeshwaran, EID Parry India Ltd.Alan Reinstein, Ph.D., CPA, PBA, Wayne State
UniversityDavid G. Royal, Texas Department of InsuranceMark L. Salamasick, CIA, CISA, CDP, CSP,
University of Texas at DallasJesus Antonio Serrano Nava, CIA, Banco AztecaKatherine E. Sidway, Ernst & Young LLPJames G. Swearingen, CPA, Weber State University