A GLOBAL SUMMARY OF THE COMMON BODY OF KNOWLEDGE 2006 … Documents/2006-CBOK-Summary.pdf · iv A Global Summary of the Common Body of Knowledge 2006 _____ The Institute of Internal

_________________________________________________________ Table of Contents 1

A GLOBAL SUMMARYOF THE

COMMON BODYOF KNOWLEDGE 2006

Principal ResearchersPriscilla A. Burnaby, PhD, CPA

Susan Hass, CPAMohammad J. Abdolmohammadi, DBA, CPA

Rob Melville, PhD, MIIA, FIIAMarco Allegrini, PhD, CPA

Giuseppe D’Onza, PhDLeen Paape, PhD, RA, RO, CIA

Gerrit Sarens, PhDMarinda M. Marais, M Com Auditing, CIA

Elmarie Sadler, DCompt CAHoudini Fourie, M Tech: Internal Auditing

Barry J. Cooper, PhDPhilomena Leung, PhD

William L. Taylor, CPA, CGFMChairman, CBOK Steering Committee

2 CGAP Examination Study Guide ___________________________________________

DisclosureCopyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 MaitlandAvenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United Statesof America. No part of this publication may be reproduced, stored in a retrieval system, or transmittedin any form by any means — electronic, mechanical, photocopying, recording, or otherwise —without prior written permission of the publisher.

The IIARF publishes this document for informational and educational purposes. This document isintended to provide information, but is not a substitute for legal or accounting advice. The IIARFdoes not provide such advice and makes no warranty as to any legal or accounting results throughits publication of this document. When legal or accounting issues arise, professional assistanceshould be sought and retained.

The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprisesthe full range of existing and developing practice guidance for the profession. The IPPF providesguidance to internal auditors globally and paves the way to world-class internal auditing.

The mission of The IIA Research Foundation (IIARF) is to be the global leader in sponsoring,disseminating, and promoting research and knowledge resources to enhance the development andeffectiveness of the internal auditing profession.

ISBN 978-0-89413-611-507538 12/07First Printing

________________________________________________________________ Contents iii

The Institute of Internal Auditors Research Foundation

CONTENTS

Acknowledgments ........................................................................................................................ ix

Chapter 1: Introduction ............................................................................................................. 1CBOK 2006 ............................................................................................................................ 1Overview ................................................................................................................................. 1CBOK 2006 - Benefits to the Profession ............................................................................... 3Prior IIA CBOK Studies ......................................................................................................... 4Project Teams ......................................................................................................................... 5CBOK 2006 Questionnaires .................................................................................................... 6Clustering for Groups ............................................................................................................ 10Appendix 1-A: Glossary of Terms Sent with CBOK 2006 Questionnaires .......................... 12Appendix 1-B: Clustering of Groups and Number of Responses .......................................... 19

Chapter 2: A Worldwide Picture of the Internal Audit Activity ......................................... 25Introduction ........................................................................................................................... 25Survey Demographics Summary ........................................................................................... 26Compliance with Internal Auditing Standards ...................................................................... 29Staffing and Professional Development ................................................................................ 43Internal Auditor Skills ............................................................................................................ 44Internal Auditor Competencies and Knowledge Areas ......................................................... 48Emerging Roles of the Internal Audit Activity ....................................................................... 53Summary ............................................................................................................................... 58

Chapter 3: Survey Demographics .......................................................................................... 61Introduction ........................................................................................................................... 61Staff Levels of Respondents ................................................................................................. 63IIA Membership .................................................................................................................... 64Age of the Respondents ........................................................................................................ 67Highest Level of Formal Education ....................................................................................... 70Professional Qualifications .................................................................................................... 76Areas of Professional Experience ......................................................................................... 80Years of Existence of IAA and Years of CAE Experience .................................................. 81Types of Organizations .......................................................................................................... 86Service Providers of Internal Audit Services ........................................................................ 89Age of Organizations ............................................................................................................ 90

iv A Global Summary of the Common Body of Knowledge 2006 ______________________


Industry Classification(s) ....................................................................................................... 91Geographical Area Served by Organization .......................................................................... 96Appendix 3 ............................................................................................................................ 99

Chapter 4: The Professional Practices Framework .......................................................... 105Introduction ......................................................................................................................... 105CBOK 2006 Survey Questions Related to the Standards .................................................. 107Use of the Standards in Whole or in Part .......................................................................... 108Compliance with the Standards ...........................................................................................110Adequacy of the Guidance Provided by the Standards .......................................................115Use of and Adequacy of the Guidance Provided by the Practice Advisories ...................... 118Reasons for Not Complying with the Standards ................................................................ 121Quality Assurance and Improvement Program ................................................................... 128Compliance with The IIA’s Code of Ethics ......................................................................... 146Appendix 4-A: The IIA’s Standards, Practice Advisories, and

Glossary to the Standards as of September 2006 ........................................................ 147Appendix 4-B ...................................................................................................................... 165

Chapter 5: Current Status of the Internal Audit Activity ................................................. 183Introduction ......................................................................................................................... 183The IAA’s Relationship within the Organization ................................................................. 184Relationship with the Audit Committee ............................................................................... 191External Relationships - Legislation Affecting Internal Auditing ......................................... 192Organizations’ and CAEs’ Perceptions About the IAA ...................................................... 194Methods Used to Measure the Value Added by the IAA ................................................... 197Internal Audit Activity ......................................................................................................... 200Managing the Internal Audit Activity .................................................................................. 202Creating the Audit Plan ....................................................................................................... 204Allocation of IAAs’ Time .................................................................................................... 207Performing the Engagement - The Use of Tools ................................................................ 214Current Usage of Audit Tools and Techniques ................................................................... 216Predictive Changes in the Use of Audit Tools and Techniques

Over the Next Three Years .......................................................................................... 227Resolution of Major Differences ......................................................................................... 233Reporting of Findings .......................................................................................................... 235Monitoring Corrective Action .............................................................................................. 237Summary ............................................................................................................................. 239Appendix 5 .......................................................................................................................... 240

________________________________________________________________ Contents v


Chapter 6: Staffing and Professional Development ........................................................... 251Introduction ......................................................................................................................... 251Staffing ................................................................................................................................ 252Service Providers ................................................................................................................ 259Continuing Professional Development ................................................................................. 266Summary ............................................................................................................................. 271Appendix 6 .......................................................................................................................... 272

Chapter 7: Internal Audit Skills ........................................................................................... 279Introduction ......................................................................................................................... 279Technical Skills .................................................................................................................... 281Behavioral Skills .................................................................................................................. 289Summary ............................................................................................................................. 299Appendix 7 .......................................................................................................................... 300

Chapter 8: Internal Auditor Competencies ........................................................................ 305Introduction ......................................................................................................................... 305Competencies ...................................................................................................................... 307Areas of Knowledge ........................................................................................................... 323Summary ............................................................................................................................. 331Appendix 8 .......................................................................................................................... 332

Chapter 9: Emerging Roles of Internal Audit Activities .................................................. 339Introduction ......................................................................................................................... 339Years That the IAA and Organizations Have Existed ........................................................ 340Changing Emphasis on Types of Audits .............................................................................. 344Emerging Roles in Organizations’ Activities ........................................................................ 346Organizational Environment and Key Activities of the IAA ............................................... 352Summary ............................................................................................................................. 357

Chapter 10: Research Method and Literature Review ................................................... 359Research Method ................................................................................................................ 359

Project Teams ............................................................................................................... 359Pilot Test and Literature Review .................................................................................. 361CBOK 2006 Questionnaires ......................................................................................... 363Clustering for Groups .................................................................................................... 364

vi A Global Summary of the Common Body of Knowledge 2006 ______________________


Literature Review ............................................................................................................... 367Introduction ................................................................................................................... 367Prior IIA CBOK Studies .............................................................................................. 367North American Literature Review on Internal Auditing ............................................. 372

Summary ............................................................................................................................. 379Asia Pacific Literature Review on Internal Auditing .......................................................... 380European Literature Review on Internal Auditing ............................................................... 390South African Literature Review on Internal Auditing ........................................................ 398Appendix 10-A: Pre-scope Questionnaire for CBOK ........................................................ 406Appendix 10-B: Topical Areas That Are Addressed in Past and Current

IIA CBOK Studies ....................................................................................................... 418Appendix 10-C: CBOK 2006 CAE and Practitioner Questionnaire ................................... 421

The William G. Bishop III, CIA, Memorial Fund Contributors .................................................. 455The IIA Research Foundation Chairman’s Circle ..................................................................... 458The IIA Research Foundation Board of Trustees ..................................................................... 459The IIA Research Foundation Board of Research and Education Advisors ............................ 460

_________________________________________________________ Table of Contents 7


DEDICATION

This research is dedicated to the memory ofWilliam G. Bishop III, CIA

William G. Bishop III, CIA, served as president of The Institute of Internal Auditors (IIA) fromSeptember 1992 until his untimely death in March 2004. With a motto of “I’m proud to be aninternal auditor,” he strived to make internal auditing a truly global profession. He was the drivingforce behind the rapid growth of The IIA to over 120,000 members in approximately 100 countries.Bill Bishop advocated quality research for the enhancement of the stature and practice of internalauditing. To help enhance the future of this profession, it is vital for the profession to document theevolution of the similarities and differences in the Common Body of Knowledge (CBOK) of internalauditing worldwide.

8 A Global Summary of the Common Body of Knowledge 2006 — Preview Edition ______


_________________________________________________________ Acknowledgments ix


ACKNOWLEDGMENTS

With a project of this magnitude and importance, there are literally thousands of people who havecontributed to the successful completion of the Common Body of Knowledge (CBOK) 2006 researchreport. I would like to start by thanking William Taylor, chair of the CBOK Steering Committee,who was the heart of the project. His goal was to make sure that this report honored the memoryof William G. Bishop III, CIA, past president of The Institute of Internal Auditors (IIA) who wasthe driving force behind the rapid growth of The IIA to over 120,000 members in approximately100 countries. At The IIA, the entire staff provided guidance and input. Special thanks to JeffreySwerdlow, PMP, chair of the CBOK Oversight Committee and the director of project managementfor The IIA Research Foundation. He worked tirelessly to keep the project on time and performednumerous duties such as monitoring the translations of the questionnaires into 16 additional languages,keeping all of us on track, and coordinating the many needs and demands of those involved at TheIIA and on the research teams. It is a true tribute to his skills that this expansive project wascompleted on time with such a quality product. Two other key people on The IIA staff that I wouldlike to recognize are Donna Batten, director of Global Audit Information Network (GAIN), andSylvia Boyd, director of affiliate relations. Both were instrumental in the success of the project. Iwould also like to thank all the IIA members who participated by completing the pilot study, thequestionnaires, and editing the text.

Team Americas was truly blessed with four wonderful graduate research assistants. On the firstphase of the project, Lisa Hsi was instrumental with the literature review, development of thequestionnaires, and creation of a database for the affiliates. After Lisa graduated, we were fortunateto hire Diana Tien. She helped with data cleansing, completing the report for the affiliates, andtransferring the data into tables. Yi Zhou worked on the tables and the editing process to make surethat all the references and numbers were correct in the text. On the final phase of writing thereport, Shubin Liang converted tables into figures. From Bentley’s Academic Technology Center,Maria Skaletsky and Gaurav Shah helped with the many software packages needed to completethis product.

The cooperation and sharing among the three research teams made this project a truly collaborativeeffort. On the two occasions when we had summits, we all agreed it was extremely exciting andexhilarating to have so many professors who selected internal auditing as their primary field ofteaching and research together in one room. As team coordinators, Barry Cooper and Rob Melvilledid a great job getting participants for the pilot study and working with local affiliates. All themembers of both teams made significant contributions to the research project.

x A Global Summary of the Common Body of Knowledge 2006 ______________________


I saved the members of my team to thank last. Both Mohammad (Ali) Abdolmohammadi andSusan Hass made significant contributions to the planning and construction of the CBOK 2006. Alidid a hero’s job on the data cleansing and analysis. He worked tirelessly to provide data for thetables. Susan Hass and I did most of the work on the development of the questionnaires, datapresentation for the tables, writing many of the chapters, and editing the other teams’ contributionsto the final text. Each did an extraordinary job under a great deal of pressure. Audrey Gramling andRichard Cleary contributed in a consulting capacity.

This report owes its contents to thousands of IIA members all over the world, each of whomcontributed to The IIA’s Common Body of Knowledge 2006. Thank you all!

Priscilla A. Burnaby, PhD, CPAProfessor of AccountancyBentley CollegeWaltham, MA, USACoordinator of CBOK 2006

_________________________________________________________ Acknowledgments xi


It has been my pleasure to be the chair of the CBOK Steering Committee and The William G.Bishop III, CIA, Memorial Fund from which this project was funded. As a former IIA chair of theboard, I recognize the importance of this project as we seek to further understand our profession,how it is practiced throughout the world, and how we will continue to add value to our organizationsin the future.

Completing this project has been a monumental accomplishment. We were fortunate to have atremendously talented group of IIA committees, volunteers, and IIA staff working with us. I wouldlike to personally thank several people and groups without whom this project would not have beenpossible.

The IIA Research Foundation Board of Trustees provided sound guidance and advice throughoutthe project. Their input, feedback, and suggestions ensured that the project lived up to its expectations.A special thank you goes to Roderick Winters, CIA, president of The Research Foundation andvice chair of The IIA Board. Rod provided a great deal of support to this project and truly establishedthe vision for what we accomplished.

The CBOK Steering Committee was an active participant throughout the project. This committeeprovided valuable guidance and overall direction to the project. I am proud that the Steering Committeeis comprised of individuals from throughout the world. Members of the Steering Committee areJackie Cain, Phil Tarling, Warren Hersch, Sri Ramamoorti, Urton Anderson, Louis Vaurs, ChrisMcRostie, Thijs Smit, Charity Prentice, and Jeffrey Swerdlow.

The Research Foundation’s Board of Research and Education Advisors (BREA) played a criticalrole throughout the project. This extremely dedicated committee is responsible for reviewing allproposals received and reviewing all research and educational products produced by The ResearchFoundation. Throughout the course of the project, BREA provided valuable opinions and helped toshape the format of the complete research report. Bob Foster has been the chair of BREA duringthis project and has contributed immensely to our success.

Considering the importance of this project, we wanted to ensure that we received a wide variety ofinput and feedback. To this end, we recruited almost 100 volunteers from all of The IIA’s internationalcommittees to review and provide feedback on the early first drafts of the complete researchreport. The reviewers provided us with candid and valuable feedback which helped shape thereport. To manage a review effort of this magnitude, six members of BREA graciously volunteeredtheir time to act as review team leaders. Thomas Clooney, Susan Driver, Don Espersen, DanGould, Raj Muthu Venkatachalam, and Mark Radde deserve special recognition for performingthis vital role.

xii A Global Summary of the Common Body of Knowledge 2006 ______________________


Dominique Vincenti, CIA, chief advocacy officer of The IIA and executive director of The ResearchFoundation, dedicated a great deal of her time to the project. Dominique was able to bring herbackground as a CAE to the project. She provided feedback and leadership at all stages of theproject and her contribution was critical to its success.

Jeffrey Swerdlow, PMP, director of project management for The Research Foundation, was theprimary reason the project was completed on time and within budget. He proved that managingsuch an expansive project required participation from not only all worldwide affiliates and membersbut also the knowledge leaders of The IIA and staff. His overall plans and programs requiredparticipation from many interested groups and he performed in an exemplary manner, truly indicatingthat a project of this magnitude requires not only audit leaders, but a dedicated and professionalproject manager.

I would be remiss if I did not thank each and every person and organization that donated to TheWilliam G. Bishop III, CIA, Memorial Fund. This fund underwrote the cost of CBOK 2006. Thanksto the generous donations we received, CBOK was funded to ensure a top quality result.

William L. Taylor, CPA, CGFMFormer IIA Chair of the BoardMcLean, Virginia, U.S.A.CBOK Steering Committee Chair

_____________________________________________________ Chapter 1: Introduction 1


CHAPTER 1INTRODUCTION

CBOK 2006

The Common Body of Knowledge (CBOK) 2006 study is part of an ongoing global researchprogram funded by The Institute of Internal Auditors Research Foundation (IIARF) to broaden theunderstanding of how internal auditing is practiced throughout the world. The overall purpose ofthe CBOK 2006 project is to develop the most comprehensive database ever to capture a currentview of the global state of the internal audit profession. The database contains information aboutcompliance with The Institute of Internal Auditors’ (IIA) International Standards for theProfessional Practice of Internal Auditing (Standards), the state of the internal audit activity(IAA), staffing, skills, competencies, and the emerging roles of the IAA. Some information wascollected about the influences of cultural and legal factors about the development and practice ofinternal auditing around the world. The objective is to establish a baseline for comparison when theCBOK study is repeated in the future. The database will be updated to understand the evolution ofglobal internal audit practices. Future studies will build upon this baseline, allowing for comparison,analysis, and trending.

Overview1

The objectives of this chapter are to introduce CBOK 2006, provide a brief overview of pastCBOK studies, review actions taken to perform the study, and to explain how the groupings ofchapters and affiliates were determined. Within the United States and Canada, local groups of TheIIA’s members are called chapters. Affiliates are independent organizations outside North Americathat provide services to members in their geographic locations. IIA affiliates are now referred toas “chapters and institutes.” This change officially took place after the CBOK 2006 survey wasconducted. It was approved by The IIA’s Board of Directors on July 14, 2007, for implementationon January 1, 2008. For this reason, the use of “affiliates” is maintained throughout the CBOK2006 report.

1The CBOK review and the Team America’s literature review were published in a special CBOK 2006 issue ofManagerial Auditing Journal (MAJ), Volume 21, Issue 8, in October 2006. With permission from the publisher ofMAJ, this section uses portions of the following article: Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “Areview of prior common body of knowledge (CBOK) studies in internal auditing and an overview of the global CBOK2006,” Managerial Auditing Journal 21 (8), 2006, pp. 811-821. Hass, S., M.J. Abdolmohammadi, and P.A. Burnaby,“The Americas literature review on internal auditing,” Managerial Auditing Journal 21 (8), 2006, pp. 835-844.

2 A Global Summary of the Common Body of Knowledge 2006 ______________________


At the core of the CBOK 2006 study were three surveys sent to internal auditors worldwide togather information concerning how they comply with the Standards, how their IAAs function, andemerging roles of the IAA. One survey was sent to chief audit executives (CAEs), another to allother levels of internal auditing Practitioners, and a third to the leadership of The IIA’s affiliates.Since the Standards were first promulgated, internal auditors have had the opportunity to applythem to create a high level of standardization resulting in best practices for internal auditorsworldwide. While the Standards provide a unifying mechanism for enhancing value and consistencyacross diverse legal and economic environments, research suggests that cultural, legal, and economicdifferences influence the practice of internal auditing in each country. The CBOK 2006 study hasproduced a body of data for the continuing study of the evolution of the global practice of internalauditing.

As discussed in The IIARF’s Competency Framework for Internal Auditing: An Overview,core competencies change over time (McIntosh, 1999). Some of the major factors influencingthese changes are the needs of organizations, technology, and the complexity of business transactionsand systems. CBOK 2006 adds to this body of literature and expands the scope by extending thepopulation surveyed to the entire international membership of The IIA. To include current practicesand explore emerging roles for the profession, CBOK 2006 added several topical areas that werenot included in prior CBOK studies. In Chapter 10, Appendix 10-B lists the topics studied in thecurrent and past CBOK studies. As described below in The IIA’s 1999 definition of internal auditing,CBOK 2006 uses the expanded scope of the IAA as the basis for its focus.

The IIA’s 1999 vision for the future task force recommended that the new Professional PracticesFramework should be “a more comprehensive and elastic framework.” Based on thisrecommendation, the task force provided the following definition of internal auditing which wasadopted by The IIA’s Board of Directors in June 1999:

Internal auditing is an independent, objective assurance and consulting activity designed toadd value and improve an organization’s operations. It helps an organization accomplish itsobjectives by bringing a systematic, disciplined approach to evaluate and improve theeffectiveness of risk management, control, and governance processes.

The expanded definition of internal auditing includes consulting activities and value-added servicesfor evaluation and improvement of the effectiveness of the risk management and governanceprocesses. Since the CBOK 2006 questionnaires were sent out in September 2006, all referencesto The IIA’s Standards are as of that date.



The expansion of the internal audit scope has necessitated that internal auditors continuously developnew skills and learn new audit tools and technologies. There is very little information about thecurrent state of skills, tools, and technologies used on engagements in existing internal auditingliterature. The CBOK 2006 database includes the skills, tools, and techniques respondents indicateare necessary for internal auditors currently, and in the future, to perform their jobs and enhanceaudit efficiency and effectiveness. It also identifies emerging roles that The IIA will need to addressin support of its members and the profession. The resulting CBOK 2006 database and researchreport can be used to improve the understanding of the current state of internal audit practices,anticipate the use of new skills, tools, and technologies, and promote the enhancement ofstandardization and performance of internal auditing worldwide.

Chapter 2 provides a brief summary of selected CBOK 2006 data. Chapters 3 through 9 providedetails of all the data collected in total from all respondents and by staff level and/or by groups asapplicable. Chapter 10 contains the process used to collect the data and a detailed literature reviewof previously published articles about internal auditing around the world.

CBOK 2006 - Benefits to the Profession

The Standards have three purposes: educating internal auditors about the role and responsibilitiesof internal auditing, providing a basis for measuring performance, and improving the practice ofinternal auditing. Internal auditing is performed in diverse economic and cultural environmentswithin organizations that vary in purpose, size, and structure. These differences affect compliancewith the Standards. CBOK 2006 identifies some of these diverse environments and groups culturallysimilar chapters and affiliates together. The groups’ usage of the Standards and the scope of theIAA are then compared.

The information gathered in CBOK 2006 can be useful in many different ways. For example, theresults of the study can be used as a resource, reference, or comparison mechanism by internalauditors and other stakeholders of the internal audit profession. Where there is a need for knowledgeand skills to be enhanced, the CBOK 2006 results can be used as a guide for The IIA to developcontinuing education materials so their members can acquire and then implement the appropriateknowledge and skills in their work.

CBOK results can also provide useful information when periodically updating the competencyframework. The IIA has expressed interest in conducting CBOK studies at regular intervals in thefuture to provide a mechanism for comparison and improvement. The CBOK 2006 results willcontribute to future internal audit Standards and practices as well as identify important newknowledge and skills to be included in the CIA exam. The results can also be utilized during anIAA’s self-assessment program and/or the completion of external quality assessments.



Prior IIA CBOK Studies

The IIA has sponsored four prior CBOK studies. Table 1-1 compares the number of participatingcountries and usable questionnaire responses used in each CBOK study. While all prior CBOKstudies were only conducted in English, CBOK 2006 translated the questionnaires into 16 additionallanguages.

Table 1-1Comparison of CBOK’s Number of Countries

and Number of Respondents

CBOK Year Number of Number of UsableNumber Countries Respondents

I 1972 1 75II 1985 2 340III 1991 2 1,163IV 1999 21 136V 2006 91 9,366

CBOK 2006 is the first study that invited The IIA’s entire worldwide membership to participate.The participation of members from 91 countries and 9,366 usable respondents makes CBOK 2006the most comprehensive study in The IIA’s history.



Project Teams

The research team was comprised of three international teams that were selected from the responsesto the CBOK Request for Proposals. Based on the location of the selected research teams, theinternational affiliates and North American chapters were broken down into three broad geographicalareas. Table 1-2 lists the members of the three CBOK 2006 teams.

Table 1-2Research Teams

Teams General Areasof Responsibilities

Lead Team• Priscilla A. Burnaby (Bentley College, United States) - North, Central, and

Project Coordinator and Team Coordinator South America and• Susan Hass (Simmons College, United States) the Caribbean• Mohammad J. Abdolmohammadi (Bentley College,

United States)• Rob Melville (Cass Business School, United Kingdom) - Europe and Africa

Team Coordinator• Marco Allegrini and Giuseppe D’Onza

(University of Pisa, Italy)• Leen Paape (Erasmus University, Netherlands)• Gerrit Sarens (University of Ghent, Belgium)• Marinda M. Marais (University of South Africa)• Elmarie Sadler (University of South Africa)• Houdini Fourie (Tshwane University of

Technology, South Africa)• Barry J. Cooper (Deakin University, Australia) - Asia and Pacific

Team Coordinator• Philomena Leung (Deakin University, Australia)



CBOK 2006 Questionnaires

To gain an understanding of what had been published about internal auditing and to develop aninventory of questions to use as a basis for developing the global CBOK 2006 questionnaires, anextensive literature review was conducted. Each team prepared a literature review for their generalareas of responsibility. Based on this work, the teams then prepared a pilot study to poll membersabout the types of questions that should be included in the final survey. The three literature reviewsand the results of the pilot study can be found in the CBOK 2006 issue of Managerial AuditingJournal (MAJ), Volume 21, Issue 8, published in October 2006. A summary is included in Chapter10 of this research report. Based on the results of the pilot study, the survey questions were refinedand finalized. The CBOK Steering Committee decided that the surveys should take a respondentapproximately 40 minutes to complete. As a result, it was decided to create three CBOK 2006questionnaires:

1. Affiliates: The IIA is fortunate to have numerous affiliates around the world that provideservices to their geographic area in cooperation with The IIA headquarters. This questionnaireasked affiliate leaders questions about regulatory and cultural differences affecting the applicationof ethics and The IIA Standards in their area. One questionnaire was sent to each participatingaffiliate.

2. Chief Audit Executives (CAEs): The Standards define the CAE as the highest positionwithin the organization responsible for the internal audit activity (IAA). Data on the status ofthe IAA within the organization, application of the Standards, skills needed at each staff level,and emerging audit roles were collected from CAEs worldwide.

3. Practitioners: For purposes of this study, Practitioners are all other internal auditors who arenot CAEs. Data about the application of the Standards, how an audit is performed, skill setsneeded, and the emerging role of internal auditing were collected from internal auditorsworldwide.

The three detailed questionnaires developed by the CBOK 2006 teams were subjected to carefulscrutiny by The IIA CBOK 2006 Steering Committee. Once the final questions were selected, thequestionnaires were reviewed by a group of over 100 internal auditors worldwide to ensurecompleteness and validity. Based on their comments, the final questionnaires were developed inEnglish. The IIA translated them into 16 additional languages for the convenience of The IIAmembership (Arabic, Bulgarian, Czech, Simplified Chinese, Unsimplified Chinese, French, German,Indonesian, Italian, Japanese, Polish, Portuguese, Russian, Spanish, Swedish, and Turkish). Thecombined CAE and Practitioner questionnaires are in Appendix 10-C in Chapter 10.



In September 2006, using the survey software Perseus, the CAE and Practitioner questionnaireswere distributed electronically to members outside North America by participating internationalaffiliates and by IIA headquarters to members within North America. The questionnaire to affiliateleadership was distributed by The IIA in December 2006. The Glossary in Appendix 1-A wasprovided with the questionnaires so respondents could reference definitions of key terms andwords. This glossary is a combination of the glossary from The IIA’s Professional PracticesFramework dated January 2005 and other key words used in the questionnaires.

Number of Respondents

The total number of responses to the CAE and Practitioner questionnaires was 15,028. Afterconsultation with an independent statistical expert, responses were determined to be not useablefor reasons such as a blank reply or the respondent did not answer enough questions on importantsections such as the use and application of the Standards. Upon completion of this process, 9,366useable responses remained. This results in an overall 7.3% response from the 127,735 IIA membersas of September 30, 2006. Due to some affiliates not participating and some members who haveopted not to receive e-mail from The IIA, the invitation to participate in the survey was sent toapproximately 99,000 members resulting in an estimated 9.5% response rate.

Table 1-3 indicates the chapters (United States, Canada, and Caribbean) and affiliates (organizationsaround the world that serve their geographical area) listed on The IIA’s Web site as of September2006 and notes the number that participated in this study for each one. A total of 133 United Stateschapters, all of the Canadian chapters, and 7 of the Caribbean chapters had at least one memberwho participated in CBOK 2006. Eighty-three affiliates had at least one usable CAE or Practitionerresponse. Forty-six affiliate leaders returned the CBOK Affiliate questionnaire by the January 15,2007, cutoff date for data collection.



Table 1-3Number of Participating Chapters and Affiliates

Area Number of 1 or More Usable Number ofChapters/Affiliates* Responses from Affiliates that

Chapters/Affiliates Returned CBOKAffiliate

Questionnaire

U.S.A. 143 133 Not ApplicableCanada 11 11 Not ApplicableCaribbean 9 7 Not Applicable

IIA Affiliates 94 83 46

*Tallied from The IIA’s Web site

The number of respondents answering a specific question will often differ from the 9,366 totalrespondents in this study. This is due to the following reasons:

• Not all of those that participated in the survey answered all the questions asked. Resultsare shown and discussed only for those respondents who answered a particular surveyquestion.

• Not all questions were asked of all respondents.o Some questions were asked only of CAEs (those in the highest position within the

organization responsible for internal audit activities).o Some questions were asked only of Practitioners (all other internal auditors who are

not CAEs).o Some questions were asked of both CAEs and Practitioners.



Below is a list of all the affiliates, the United States, Canada, and Caribbean chapters, from whichone or more usable responses were received. Please note that the individual chapters within theUnited States and Canada from which responses were received are not listed here.

AlgeriaArgentinaArubaAustraliaAustriaAzerbaijanBahamasBangladeshBarbadosBelgiumBermudaBoliviaBotswanaBrazilBulgariaCameroonCanadaChileChinaChinese TaiwanColombiaCongo-KinshasaCosta RicaCyprusCzech RepublicDenmarkDominican RepublicEcuadorEgyptEstoniaEthiopia

FinlandFranceGermanyGhanaGreeceGuatemalaHong Kong, ChinaIcelandIndiaIndonesiaIsraelItalyJamaicaJapanKenyaKoreaLatviaLebanonLithuaniaLuxembourgMalawiMalaysiaMexicoNetherlandsNew ZealandNicaraguaNigeriaNorwayOmanPakistan-IslamabadPakistan-Karachi

Pakistan-LahorePanamaParaguayPeruPhilippinesPolandPortugalPuerto RicoQatarRomaniaRussia-MoscowSingaporeSloveniaSouth AfricaSpainSri LankaSwedenSwitzerlandThailandTrinidad and TobagoTunisiaTurkeyUgandaUkraineUnited Arab EmiratesUnited Kingdom andIrelandUnited States of AmericaVenezuelaZambiaZimbabwe



Clustering for Groups

As data was collected from numerous affiliates and chapters, a methodology was sought to combinethem into groups for the comparison of responses. Clustering literature was reviewed for plausibleways to combine affiliates and chapters by cultural classification. Hofstede (1980; 1983) introducedthis concept and proposed a number of dimensions to classify 50 countries into cultural clusters.Expanding on Hofstede’s work, House et al. (2004) classified 62 societies into various culturalclusters.

Since The IIA has affiliates in over 100 countries, the House et al. (2004) classification of 62societies was insufficient for complete classification of the CBOK 2006 participants. By usingadditional information from the Central Intelligence Agency World Fact Book (2006), language(s)spoken in the affiliate’s geographical area, geographical location, and discussions with The IIAstaff and leadership, the affiliates and chapters were classified into 12 groups. Respondents whodid not indicate membership in a specific affiliate or chapter were clustered into a 13th group thatwas included in statistical summaries for the aggregate results but not in discussions of affiliate orchapter cultural cluster group results. Appendix 1-B lists the 13 groups used for the discussion ofresponses for CBOK 2006. WHENEVER GROUPS ARE MENTIONED IN THE TEXT TODETERMINE WHICH CHAPTERS OR AFFILIATES ARE IN EACH GROUP, PLEASEREFER TO EITHER APPENDIX 1-B OR THE INSIDE BACK COVER OF THIS REPORT.



References

1. Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “A review of prior common body ofknowledge (CBOK) studies in internal auditing and an overview of the global CBOK 2006,”Managerial Auditing Journal 21 8, 2006, pp. 811-821.

2. CIA World Fact Book, https://www.cia.gov/cia/publications/factbook/fields/2145.html, 2006.3. Hofstede, G, Culture’s consequences: International differences in work-related values

(London, UK: Sage), 1980.4. Hofstede, G., “Dimensions of National Culture in Fifty Countries and Three Regions,” in J.B.

Deregowski, S. Dziurawiec and R.C. Annis (Eds.), Explications in Cross-CulturalPsychology, Swets and Zeitling, 1983.

5. House, R.J., P.J. Hanges, M. Javidan, P.W. Dorfman, and V. Gupta (Eds), Culture, Leadership,and Organizations: The GLOBE Study of 62 Societies (Thousand Oaks, CA: SagePublications), 2004.

6. McIntosh, E.R, Competency Framework for Internal Auditing: An Overview (AltamonteSprings, FL: The Institute of Internal Auditors Research Foundation), 1999.

7. The Institute of Internal Auditors, A Vision for the Future: Professional Practices Frameworkfor Internal Auditing (Altamonte Springs, FL: The Institute of Internal Auditors ResearchFoundation), 1999.

8. The Institute of Internal Auditors, Professional Practices Framework (Altamonte Springs, FL:The Institute of Internal Auditors Research Foundation), 2005.



APPENDIX 1-AGLOSSARY OF TERMS SENT WITH

CBOK 2006 QUESTIONNAIRES

Add ValueValue is provided by improving opportunities to achieve organizational objectives, identify operationalimprovement, and/or reducing risk exposure through both assurance and consulting services.

Adequate ControlPresent if management has planned and organized (designed) in a manner that provides reasonableassurance that the organization’s risks have been managed effectively and that the organization’sgoals and objectives will be achieved efficiently and economically.

Advisory RoleA position having or exercising the power to advise and function purely as a consultative role.

Assurance ServicesAn objective examination of evidence for the purpose of providing an independent assessment onrisk management, control, or governance processes for the organization. Examples may includefinancial, performance, compliance, system security, and due diligence engagements.

Audit CommitteeAn audit committee assists the board of directors in discharging its responsibilities with respect tothe accounting policies, internal controls, and financial reporting of the entity.

Balanced ScorecardA concept for measuring a company’s activities in terms of its vision, strategies, and performancemeasures. It gives managers a comprehensive view of the performance of a business. It balancesa financial perspective with customer, internal process, and learning and growth perspectives.

BoardA board is an organization’s governing body, such as a board of directors, supervisory board, headof an agency or legislative body, board of governors or trustees of a nonprofit organization, or anyother designated body of the organization, including the audit committee, to whom the chief auditexecutive may functionally report.



CharterThe charter of the internal audit activity is a formal written document that defines the activity’spurpose, authority, and responsibility. The charter should (a) establish the internal audit activity’sposition within the organization; (b) authorize access to records, personnel, and physical propertiesrelevant to the performance of engagements; and (c) define the scope of internal audit activities.

Chief Audit Executive (CAE)Top position within the organization responsible for internal audit activities. Normally, this would bethe internal audit director. In the case where internal audit activities are obtained from outsideservice providers, the chief audit executive is the person responsible for overseeing the servicecontract and the overall quality assurance of these activities, reporting to senior management andthe board regarding internal audit activities, and follow-up of engagement results. The term alsoincludes such titles as general auditor, chief internal auditor, and inspector general.

Code of EthicsThe Code of Ethics of The Institute of Internal Auditors (IIA) are principles relevant to the professionand practice of internal auditing, and rules of conduct that describe behavior expected of internalauditors. The Code of Ethics applies to both parties and entities that provide internal audit services.The purpose of the Code of Ethics is to promote an ethical culture in the global profession ofinternal auditing.

ComplianceConformity and adherence to policies, plans, procedures, laws, regulations, contracts, or otherrequirements.

Conflict of InterestAny relationship that is or appears to be not in the best interest of the organization. A conflict ofinterest would prejudice an individual’s ability to perform his or her duties and responsibilitiesobjectively.

Consulting ServicesAdvisory and related client service activities, the nature and scope of which are agreed with theclient and which are intended to add value and improve an organization’s governance, riskmanagement, and control processes without the internal auditor assuming management responsibility.Examples include counsel, advice, facilitation, and training.



Continuous MonitoringContinuous monitoring is an ongoing systematic process for acquiring, analyzing, and reporting onbusiness information to identify and respond to operational business risks.

Contract Audit StaffAudit staff that has been hired to perform specific internal audit projects. Members of the contractaudit staff are not employed as permanent audit staff at the organization.

ControlAny action taken by management, the board, and other parties to manage risk and increase thelikelihood that established objectives and goals will be achieved. Management plans, organizes, anddirects the performance of sufficient actions to provide reasonable assurance that objectives andgoals will be achieved.

Control EnvironmentThe attitude and actions of the board and management regarding the significance of control withinthe organization. The control environment provides the discipline and structure for the achievementof the primary objectives of the system of internal control. The control environment includes thefollowing elements:

• Integrity and ethical values• Management’s philosophy and operating style• Organizational structure• Assignment of authority and responsibility• Human resource policies and practices• Competence of personnel

Control ProcessesThe policies, procedures, and activities that are part of a control framework, designed to ensurethat risks are contained within the risk tolerance established by the risk management process.

Control Self-assessmentCSA is a process through which internal control effectiveness is examined and assessed. Theobjective is to provide reasonable assurance that all business objectives will be met.

Co-sourcingWorking with external professionals to meet requirements for the organization’s audit plan andobtaining value-added solutions from the cooperative effort.



Corporate GovernanceThe set of processes, customs, policies, laws, and institutions affecting the way a corporation isdirected, administered, or controlled.

Emerging MarketIs a term used to refer to markets in newly industrialized or developing countries with capitalmarkets at early stages of institutional development.

EngagementA specific internal audit assignment, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy. An engagement may include multiple tasksor activities designed to accomplish a specific set of related objectives.

Engagement ObjectivesBoard statements developed by internal auditors that define intended engagement accomplishments.

Engagement Work ProgramA document that lists the procedures to be followed during an engagement, designed to achieve theengagement plan.

Enterprise Risk Management (ERM)A continuous process that establishes risk management objectives and develops tolerances andlimits for all the enterprise’s significant risks.

Environmental SustainabilityIn compliance with International Standard for Environmental Management System (ISO 14001certified).

External Quality Assurance ReviewExternal assessment should be conducted at least once every five years by a qualified, independentreviewer or review team from outside the organization.

External Service ProviderA person or firm, outside of the organization, who has special knowledge, skill, and experience in aparticular discipline.



FraudAny illegal acts characterized by deceit, concealment, or violation of trust. These acts are notdependent upon the application of threat of violence or of physical force. Frauds are perpetratedby parties and organizations to obtain money, property, or services; to avoid payment or loss ofservices; or to secure personal or business advantage.

Global Audit Information Network (GAIN)The information network enables organizations to compare their audit department’s size, experience,expertise, and other metrics against the aggregated averages of similar-sized organizations in theirindustry.

GovernanceThe combination of processes and structures implemented by the board in order to inform, direct,manage, and monitor the activities of the organization toward the achievement of its objectives.

ImpairmentsImpairments to individual objectivity and organizational independence may include personal conflictof interest, scope limitations, restrictions on access to records, personnel, and properties, andresource limitations (funding).

IndependenceThe freedom from conditions that threaten objectivity or the appearance of objectivity. Such threatsto objectivity must be managed at the individual auditor, engagement, functional, and organizationallevels.

Information Risk AssessmentAssessment of information threats and opportunities to ensure proper controls are in place tominimize the risks to the organization’s information assets.

Internal Audit Activity or Internal Audit FunctionA department, division, team of consultants, or other practitioner(s) that provides independent,objective assurance and consulting services designed to add value and improve an organization’soperations. The internal audit activity helps an organization accomplish its objectives by bringing asystematic, disciplined approach to evaluate and improve the effectiveness of risk management,control, and governance processes.



Internal Quality Assurance ReviewInternal assessments include: ongoing reviews of the performance of the internal audit activity andperiodic reviews performed through self-assessment or by other persons within the organizationwith knowledge of internal auditing practices and the Standards.

Knowledge Management SystemA distributed system in organizations supporting creation, capture, storage, and dissemination ofexpertise and information.

Management EffectivenessThe metrics used to evaluate management effectiveness include: leadership, delegation, motivation,return on investment, return on assets, and return on equity.

ManagerA manager is normally an advanced senior rank position.

Managerial AccountingThe branch of accounting that uses both historical and estimated data in providing information thatmanagement uses in conducting daily operations in planning future operations, and in developingoverall business strategies.

ObjectivityAn unbiased mental attitude that allows internal auditors to perform engagements in such a mannerthat they have an honest belief in their work product and that no significant quality compromisesare made. Objectivity requires internal auditors not to subordinate their judgment on audit mattersto that of others.

PartnerThis is the highest professional rank in an accounting firm. By achieving this rank, a partner isadmitted as a co-owner of the firm.

Residual RiskThe risk remaining after management takes action to reduce the impact and likelihood of an adverseevent, including control activities in responding to a risk.



RiskThe possibility of an event occurring that will have an impact on the achievement of objectives.Risk is measured in terms of impact and likelihood.

Risk ManagementA process to identify, assess, manage, and control potential events or situations to provide reasonableassurance regarding the achievement of the organization’s objectives.

Semi-governmentThe semi-government sector comprises the corporations, statuary boards, authorities, and statebanks under the central government.

ShouldThe use of the word “should” in the Standards represents a mandatory obligation.

StaffThe position of a staff accountant (also called assistant) is the entry-level position.

StandardA professional pronouncement promulgated by the Internal Auditing Standards Board that delineatesthe requirements for performing a broad range of internal audit activities, and for evaluating internalaudit performance.

Total Quality Management (TQM)Total Quality Management is a management approach that emphasizes superior quality in all aspectsof the company’s operations. It is an ongoing process that utilizes synergistic relationships to exercisecontinuous improvement and self evaluation.



APPENDIX 1-BCLUSTERING OF GROUPS AND

NUMBER OF RESPONSES

Affiliate or Primary IIA Usable PercentageChapter Language(s) Members Responses of MembersGroup Spoken 9/30/06 12-15-06

Group 1**Aruba English 8 4 50.0**Bahamas English 59 3 5.1**Barbados English 70 17 24.3**Bermuda English 73 5 6.9**Canada French/English 5,255 430 8.2**Jamaica English 327 17 5.2**Trinidad and English 169 13 7.7Tobago**Puerto Rico Spanish 386 17 4.4*United States English 54,686 3,139 5.7of AmericaTotal 61,033 3,645 6.0Group 2*+Australia English 2,602 177 6.8*+New Zealand English 486 38 7.8Total 3,088 215 7.0Group 3**+South Africa English 4874 464 9.5*+UK and Ireland English 7185 271 3.8Total 12,059 735 6.1Group 4*China Chinese 2,248 62 2.8*+Chinese Taiwan Chinese 3,144 239 7.6*+Hong Kong, English 375 6 1.6China*+Japan Japanese 2,053 66 3.2*Korea Korean 557 1 0.2Total 8,377 374 4.5

*House, R.J., P.J. Hanges, M. Javidan, P.W. Dorfman, and V. Gupta (Eds), Culture, Leadership, and Organizations: TheGLOBE Study of 62 Societies (Thousand Oaks, CA: Sage Publications), 2004.**Classification by Team Americas in consultation with The IIA, world map, and CIA World Factbook, https://www.cia.gov/cia/publications/factbook/fields/2145.html+Responded to the Affiliate CBOK questionnaire.



APPENDIX 1-B (Cont.)CLUSTERING OF GROUPS AND

NUMBER OF RESPONSES


Group 5**+Azerbaijan Azari/Russian 133 1 0.8**+Bulgaria Bulgarian 357 71 19.9**+Cyprus Greek/Turkish 276 30 10.9**Czech Republic Czech/English 886 166 18.7**Estonia Estonian 135 16 11.9*+Greece Greek 456 80 17.5**Latvia Latvian 123 1 0.8**+Lithuania Lithuanian 130 3 2.3*Poland Polish 520 69 13.3**Romania Romanian 214 42 19.6*+Russia-Moscow Russian 492 129 26.2*+Slovenia Slovenian 15 1 6.7*Ukraine Ukrainian 25 2 8Total 3,762 611 16.2Group 6*+Austria German 277 84 30.3**+Belgium English/French/Dutch 1,154 102 8.8*+Germany German 1,728 131 7.6*+Luxembourg French/English 325 1 0.3*+Netherlands Dutch 1,741 112 6.4*Switzerland German/French 305 33 10.8Total 5,530 463 8.4




NUMBER OF RESPONSES


Group 7*+Argentina Spanish 562 57 10.1*+Bolivia Spanish 215 8 3.7*+Brazil Portuguese 1,358 97 7.1**Chile Spanish 33 4 12.1*+Colombia Spanish 432 94 21.8*Costa Rica Spanish 186 40 21.5**+Dominican Republic Spanish 213 3 1.4*Ecuador Spanish 531 7 1.3*Guatemala Spanish 75 4 5.3*+Mexico Spanish 842 91 10.8**+Nicaragua Spanish 136 6 4.4**Panama Spanish 69 6 8.7**Paraguay Spanish 114 3 2.6**+Peru Spanish 328 72 22.0*+Venezuela Spanish 376 36 9.6Total 5,470 528 9.7Group 8*+France French 2,937 235 8.0*+Israel Hebrew 1,028 4 0.4*+Italy Italian 2,531 456 18.0*Portugal Portuguese 375 84 22.4*+Spain Spanish 1,556 249 16.0Total 8,427 1,028 12.2Group 9**Algeria French 45 4 8.9*Egypt Arabic/English 61 4 6.6**+Lebanon Arabic/English 105 13 12.4**Oman Arabic/English 176 5 2.8**+Qatar Arabic/English 233 8 3.4**Tunisia Arabic/French 306 2 0.7*+Turkey Turkish 554 80 14.4**United Arab Emirates English 349 16 4.6Total 1,829 132 7.2




NUMBER OF RESPONSES


Group 10*+Denmark Danish 390 3 0.8*+Finland Finnish 584 43 7.4**Iceland Icelandic 100 3 3.0**+Norway Norwegian 662 45 6.8*+Sweden Swedish 542 52 9.6Total 2,278 146 6.4Group 11**Bangladesh English 116 1 0.9*India English 2,795 57 2.0*Indonesia Indonesian/English 654 11 1.7*+Malaysia English 2,150 60 2.8**Pakistan - Karachi English 172 3 1.7**Pakistan –Islamabad English 186 3 1.61**Pakistan - Lahore English 339 1 0.3*+Philippines English 1,280 5 0.4**+Singapore English 1,343 74 5.5**+Sri Lanka Sinhala/English 50 6 12.0*+Thailand Thai 1,446 29 2.0Total 10,531 250 2.4Group 12**Botswana English 134 1 0.8**Cameroon French 161 1 0.6**+Congo-Kinshasa French 37 1 2.7**Ethiopia English 288 16 5.7**Ghana English 57 2 3.5**Kenya English 589 4 0.7**+Malawi English 169 1 0.6*Nigeria English 48 4 8.3**+Uganda English 117 13 11.1*Zambia English 63 2 3.2*Zimbabwe English 557 3 0.5Total 2,220 48 2.2




NUMBER OF RESPONSES


Group 13Not Classified – 1,191respondent did notspecify affiliate orchapter

Affiliates that did 3,131not participateTotal Membership 127,735 9,366 7.3Less members that werenot sent an invitationto participate:Membership of affiliates (3,131)that did not participateEleven affiliates with (2,098)only one response(2,109 members –11 respondents)39% of U.S. members (21,328)who have opted not toreceive e-mail fromThe IIA (54,686 x .39 =21,328)39% of Canadian (2.049)members who have optednot to receive e-mailfrom The IIA(5,255 x .39 = 2,049)Total estimated 99,129 9,366 9.5membership that wassent an invitation toparticipate and estimatedresponse rate



_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 25


CHAPTER 2A WORLDWIDE PICTURE OF THE

INTERNAL AUDIT ACTIVITY

Introduction

Who would have thought that internal auditors would be described by the media as rock stars?The current demand for qualified internal auditors is greater than the supply. Business scandalsaround the world have not only reminded organization fiduciaries and management of theirresponsibilities in the areas of governance, control, and risk management, but have also resulted inincreased legislation and regulation. The internal audit activity (IAA) has become a necessary ormandatory activity in organizations around the world. Some organizations are over 100 years oldwith large, well established IAAs, while many younger companies are just starting to develop andutilize their IAAs. Regardless of the size, type, or age of an organization, the role of internalauditing is evolving into a value-added activity that helps an organization manage its risks and takeadvantage of opportunities to improve. With the increase in scope of audit responsibility since1999, the IAA must act to monitor the adequacy and effectiveness of management’s internalcontrol framework and contribute to the integrity of corporate governance, risk assessment, andthe financial, operating, and IT systems.

Since 1941, The IIA has grown tremendously. Between June 2003 and September 2006, The IIA’smembership grew from 82,645 members to 127,735 members, a 54.6% increase in just over threeyears. The November 2006 IIA Insight stated that there are members in 165 countries and territories.Also, as of September 2006 there are 6,000 new Certified Internal Auditors (CIAs) for a total of60,000 CIAs worldwide. There are 90 countries with CIA exam sites.

What do internal auditors really need to know to perform their jobs with due care and to add valueto their organizations? This CBOK 2006 research report summarizes the information gatheredfrom respondents around the world regarding the current state of the internal auditing profession.It identifies the attributes of an effective IAA; internal auditor skills, competencies, and knowledge;internal audit tools and techniques; and emerging roles of the IAA. This informs the profession andthose who benefit from its activities and services as well as serving as a basis for educating andtesting the competence of those who enter and want to succeed in the profession.



Since the CAE and Practitioner CBOK 2006 questionnaires were released in September 2006,adherence to The IIA’s International Standards for the Professional Practice of InternalAuditing (Standards) as of September 2006 provides the basis for this study. The overall purposeof the CBOK 2006 project is to develop the most comprehensive database ever to capture acurrent view of the global state of the internal audit profession. The database will be updated torecognize the evolution of global internal audit practices. Future studies will build upon this baseline,allowing for comparison, analysis, and trending.

The major topics covered in this chapter are a summary of the demographics of respondents andtheir organizations, compliance with the Standards, current status of the IAA, staffing andprofessional development, internal auditor skills, internal auditor competencies and knowledge,internal audit tools and techniques, and the emerging roles of the IAA.


• Not all of those who participated in the survey answered all of the questions asked. Resultsare shown and discussed only for those respondents who answered a particular surveyquestion.



not CAEs).o Some questions were asked of all respondents: both CAEs and Practitioners.

Some participants’ responses are presented according to the respondents’ position in the IAA.These more detailed summaries of results may be provided for the five categories of respondents:CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in theOther category consist primarily of other professional staff whose positions are not captured bythe traditional job titles included in the survey. They may be members of the IAA, employed byservice providers, or in organizations where their titles are less traditional but with duties withininternal auditing.

Survey Demographics Summary

The following is a brief summary of the demographics of the respondents and their organizations.Detailed tables and a discussion of the demographics are presented in Chapter 3. Respondents’



represent the following staff levels: CAEs (26.5%), Audit Managers (22.8%), Audit Seniors/Supervisors (25.2%), Audit Staff (18.2%), and Others (7.3%).

Duration of Respondents’ IIA and/or Affiliate Membership and Respondents’ Age

Survey results indicate that 58.6% of respondents have been members of The IIA for five years orless, 19.5% have been members for 6 to 10 years, and 15% have been members for 11 or moreyears. Although distribution of the original survey instrument was only to IIA members, 6.9% ofthe respondents indicated they are not members of The IIA.

When asked about their age, respondents indicated 3.5% are 25 years old or under, 27.8% arebetween 26 and 34 years old, 34.8% are between the ages of 35 and 44, and 24.2% are between45 and 54 years old. Only 9.3% are 55-64 years old and .4% are older than 65. The largestpercentage of Audit Managers (41.5%) is between 35 and 44 years old.

Highest Level of Formal Education and Academic Major

Thirty-eight point one percent of the respondents have obtained their bachelor’s (undergraduate)degree in business, and 28.9% have obtained a master’s (graduate) degree in business. Fourteenpoint three percent have a bachelor’s degree in a non-business subject and 9.4% have a master’sdegree in a non-business field. There appears to be no pronounced relationship between therespondent’s highest level of education and their current position in the IAA. It also appears thatfor most respondents, a bachelor’s degree or comparable level of education is necessary to enterthe profession.

The top six academic majors of respondents are accounting (55.8%), general business/management(27%), finance (23.8%), economics (19.9%), auditing (17.8%), and internal auditing (12.7%) (NOTE:since respondents could mark all that apply, percentages exceed 100%). A higher percentage ofCAEs (60.0%) and Audit Managers (59.9%) have an accounting major than members of the AuditStaff (45.0%).

Professional Qualification(s) and Area(s) of Professional Experience

There are many professional organizations that have qualifying tests and certifications for thoseemployed in accounting and auditing. Survey respondents were asked about their own qualifications.More than one-third (39.4%) of the respondents have a specific certification in internal auditingand about one-fourth (26.7%) of the respondents have a certification in public accounting/charteredaccountancy. A much smaller number of respondents have certifications in information systemsauditing (10.2%), management/general accounting (5.4%), and fraud examination (5.3%). Internal



auditing is the most common certification for respondents followed by public accounting/charteredaccountancy. The possession of additional qualifications appears more common as individualsmove up in the IAA.

The five areas in which respondents have the most business experience are internal auditing (6.1years), management (5.4 years), accounting (5.3 years), other professional experience (4.9 years),and finance (4.4 years). This pattern is consistent for those currently employed by service providers,privately held (non-listed) companies, publicly traded (listed) companies, and public sector. Serviceproviders, for the purpose of this study, are defined as those who work on a contractual basis to aidorganizations with assurance and consulting engagements. The not-for-profit sector respondentsindicated less overall work experience.

Years of Existence of IAA and Years of CAE Experience

The largest numbers of respondents work for IAAs that have been in existence for 0-5 years(28.4%) and another 21% of the respondents work for IAAs that have been in existence for 6-10years. A total of 13.8% of respondents’ organizations have IAAs that have been in existence for31 or more years. This is a very positive development for internal auditing as it shows that growthhas accelerated in the past 10 years. Given the corporate governance issues and regulatorydevelopments in recent years, this could be a reflection of the recognition by organizations andtheir boards of the need for internal auditing.

When CAEs were asked about their years of experience as a CAE, more than half (56%) indicatedthey had been a CAE for 5 years or less and one-fourth of CAE respondents have between 6 and10 years of CAE experience. Nineteen percent of CAE respondents have more than 10 years ofexperience in this position.

Organization Type, Service Providers, and Industry Classifications

When asked about their current employers, 38% of all respondents indicate that they work for apublicly traded (listed) company, while 19.5% work for a privately held (non-listed) company.Twenty-three percent of all respondents currently work in the public sector. Ten point five percentof the respondents work for a service provider or as a consultant. Internal auditing is performed bymembers of the IAA as well as by external service providers.

The survey population covered a broad range of industries. Since the respondents were asked toselect all industries that applied to their organization, the total of industries selected is greater than100%. The top 10 industries indicated by respondents are: banking/financial services/credit union(24.5%), other (13.9%), manufacturing (13.4%), financial, accounting, and/or business services



(11.1%), insurance (9.3%), utilities (7.9%), education (7.0%), communication/telecommunication(7.0%), healthcare (6.4%), and retail/wholesale (6.2%).

Geographical Areas and Legislation Affecting Internal Auditing

Recognizing that organizations operate differently, in part based on the locations they service, datawas collected on geographical areas served by the respondents’ organizations. Of the respondents,39.2% indicate that their employer operates on an international/multinational scale, while 29.1% ofemployers operate on a national scale. The remaining 31.7% operate on a local, state/provincial, orregional basis.

In the CBOK Affiliate questionnaire, affiliate leaders were asked about local and federal regulationsand legislation affecting the profession of internal auditing. Of the 46 affiliates that responded, 36(78%) indicate that their countries have legislation or regulations that affect the internal auditingprofession in the public sector. In most of these affiliates, financial entities, banks, and insurancecompanies are subject to legislation that prescribes the establishment of, or the role of, internalauditing in an organization. The United States and Canada also have legislation affecting internalauditing.

In 22 (61%) of the 36 affiliates where legislation or regulation affecting internal auditing exists,The IIA affiliate had an influence on the final form of the legislation or regulation. Those IIAaffiliates that assisted in the development of the legislation or regulations took part in the discussionsor provided input through participation in committees, work groups, and conferences. IIA affiliatesalso regularly issue their own opinions on drafts of local and national laws and regulations. Thepublication of position papers and articles reflecting their members’ ideas and opinions is a commonmethod of participation in the evolution of local and national laws and regulations.

Compliance with Internal Auditing Standards

Most of the participants in this study indicate that their IAAs are using the Standards and PracticeAdvisories. They also believe that the guidance provided to them by the Standards and PracticeAdvisories is adequate. Standards 1300, Quality Assurance and Improvement Program, and 2600,Resolution of Management’s Acceptance of Risk, received lower adequacy responses indicatingthat more or clearer guidance may be appropriate in the fields of quality assurance and improvementand resolution of management’s acceptance of risk. The respondents are using these two standardsto a lesser extent when compared to the other standards. Overall, the guidance provided by theAttribute Standards is perceived by respondents to be better than that provided in the PerformanceStandards.



Respondents at all staff levels indicate that 81.9% of their IAAs use the Standards in whole or inpart. In Figure 2-1, CAEs report the highest level of usage (85.1%) of the Standards by their IAA,while all other respondents report usage between 72.2% and 84.3.

Figure 2-1Organizations’ Use of the Standards in Whole or in Part by Staff Level

All Respondents (8,647) in Percentages

The most common reasons given by those respondents whose IAA does not adhere to the Standardsare:

• Inadequate IAA staff (12.6%).• Management of organization does not think it adds value (12.2%).• Too time-consuming to comply with the Standards (12.2%).

Percentage of Respondents



• Compliance not supported by management of organization (11.9%).• Superseded by local/government regulations/standards (10.7%).

Quality Assurance and Improvement Programs

To supplement the research on compliance with the Standards, respondents were asked specificquestions about their compliance with Standards 1300, 1311, and 1312 which require quality assuranceand improvement programs, internal quality assessments, and external quality assessments. Standard1300 requires the CAE to “develop and maintain a quality assurance and improvement programthat covers all aspects of the internal audit activity and continuously monitors its effectiveness.”

The level of compliance is lowest for Standard 1300, Quality Assurance and Improvement Program.Approximately one-third of the respondents currently have a quality assurance and improvementprogram in accordance with Standard 1300. Approximately one-third of the respondents have hadan internal assessment. One-third has never had an internal assessment. Almost one quarter of therespondents do not plan to have a quality assurance and improvement program in place within thenext 12 months in accordance with Standard 1300, although approximately one-third of therespondents have such a program currently in place. Forty percent indicate that no externalassessment has been performed.

Less than 50% of the respondents indicate that their quality assessment and improvement programsinclude certain activities to monitor the effectiveness of these programs as suggested by PA1300-1, Quality Assurance and Improvement Program. Monitoring activities most often includeengagement supervision and checklists to provide assurance that proper audit processes are followed.Approximately 30% of the respondents indicate that compliance with The IIA’s Standards orCode of Ethics are explicitly monitored as part of these activities.

According to Standard 1311, Internal Assessments, the IAA should adopt a process to monitor andassess the overall effectiveness of the quality program. The process should include both internaland external assessments. There is no formal requirement mentioned in the standard regarding thefrequency of the self-assessment, only that it be ongoing. The respondents were requested toindicate when their IAAs were last subject to a formal internal assessment. Of those responding,23.6% have had an internal review within the last 12 months and an additional 8.7% had an internalreview within the last five years. The CAE respondents indicated that 47.4% of their IAAs havenever had an internal assessment.

According to Standard 1312, External Assessments, the IAA should have an external assessmentat least once every five years by a qualified, independent reviewer or review team external to the



organization. All IAAs that existed on January 1, 2002, when this standard became effectiveshould have had an external assessment performed by January 1, 2007. Of all respondents, 39.7%have never had an external assessment. When analyzing this response by staff level, 53.7% ofCAE respondents indicate that their organizations have not been subject to a formal externalquality assessment and are not in compliance with Standard 1312. Note in Figure 2-2 that 28.4% ofthe respondents’ IAAs are five years old or less. This could be the reason why some of the IAAshave not had an external assessment.

Compliance with The IIA’s Code of Ethics

As The IIA’s Code of Ethics must be followed by all those that provide internal auditing services,affiliate leaders were asked whether they required their members to follow The IIA’s Code ofEthics. Forty-six affiliate leaders responded to this question and all answered in the affirmativeexcept for one which adopted a local version. When the affiliate leaders were asked how theyhandled ethical complaints against their members, the wide variety of responses ranged from theuse of an ethics or disciplinary committee to action being left to the affiliate’s full board of directors.

Current Status of the Internal Audit Activity

The IAA adds value in multiple ways. It helps the organization achieve its goals by providingsuggestions for improvements to vital systems, processes, and procedures. The IAA helps ensurethat controls are in place to provide safety and security for transactions and activities. Consultingservices assist management in planning for the future and addressing difficult strategic and operationalissues. The IAA is vital to the success and health of any organization operating today.

Some parts of the world are just starting to recognize the importance of internal auditing andbeginning to develop the internal auditing activity. Many IAAs are small or have been in existencefor less than five years. Newer IAAs and/or those with smaller audit staffs may not have sufficientstaff or personnel with all of the necessary skills and competencies to meet the needs of theirorganizations. Depending upon priorities and availability of resources, some audits or audit skillsmay need to be outsourced.



Years That the IAA and the Organization Have Existed

To gain a perspective on the length of time respondents’ organizations have had IAAs, Figure 2-2lists the number of years the respondents’ IAAs have been in existence. The largest number ofrespondents work for IAAs that have been in existence for 0-5 years (28.4%). Another 21% ofthe respondents work for IAAs that have been in existence for 6-10 years. Respondents indicatethat 13.8% work in IAAs that have been in existence for 31 or more years. Given the corporategovernance issues and regulatory developments in recent years, the large number of newer IAAscould be a reflection of the recognition by organizations of the need for the IAA and the need toconduct audits in these areas. A new IAA could also be the result of a corporate merger oracquisition. Although a newer IAA may not be as developed or have the same level of experienceor expertise as a more mature one, a younger department does not necessarily equate to a weak orunskilled department.

Figure 2-2Number of Years the IAA Has Existed in the Organization


0-5 Years28.4%

41+ Years8.1%

31-40 Years5.7%

21-30 Years14.1%

11-20 Years22.7%6-10 Years

21.0%



Figure 2-3 reports how long respondents’ organizations have been in existence. A separate correlationtest performed by the researchers confirms that there is a relationship between how long anorganization has been in existence and how long the organization has had an IAA. Older companiestend to have established IAAs longer than younger companies.

Figure 2-3Number of Years Organizations Have Existed


IAA’s Relationships within the Organization

Relationship with the Audit/Oversight Committee

To maintain independence, the IAA should have a charter approved by the audit committee of itsgoverning board. An internal audit charter is required by The IIA’s Attribute Standard 1000, Purpose,Authority, and Responsibility, and Practice Advisory (PA) 1000-1, Internal Audit Charter. Thecharter provides the power from which the IAA can insist that they have the authority to conduct

0-5 Years7.2%

6-10 Years10.5%

11-20 Years14.0%

21-30 Years9.3%

31-40 Years8.0%

41+ Years51.0%



the audits deemed necessary. The survey confirms that this practice is generally the case in themajority of IAAs with 72.3% of the respondents indicating their organization has an internal auditcharter. IAAs without a charter may be less empowered from the audit customers’ perspective.

The reporting relationships of the respondent CAEs are generally in accordance with the Standardsand Practice Advisories. There is also a high level of input by the audit committee in the appointmentand performance evaluation of CAEs. In the majority of cases, CAEs are reporting to the auditcommittee of the board and/or to a member of senior management. The survey did not allow theCAE to indicate a dual reporting relationship as recommended by The IIA. Dual reporting allowsthe IAA to build organizational independence while also serving senior management.

Practice Advisory 2060-2, Relationship with the Audit Committee, defines the IAA’s and the auditcommittee’s relationship. As noted in Table 2-1, CAEs confirm that an audit/oversight committeeexists in 72.6% of their organizations. The CAE’s relationship with the audit committee chairpersonis very important. Of the respondent CAEs with audit committees, 63.2% meet regularly with theaudit committee chair in addition to regular audit committee meetings. It is notable that of thosethat have audit committees, 91.3% of CAEs believe they have appropriate access to the auditcommittee. Public sector IAAs often do not have an audit committee structure in their organizations.

Table 2-1CAE’s Relationship with Audit/Oversight Committee

CAE Respondents Percentage of Yes Responses

Question Total Respondents YesPercent of

Total Responses

Is there an audit/oversightcommittee in your organization? 2,315 72.6Does the CAE meet with theaudit/oversight committeechairperson in addition to theregularly scheduled meetings? 1,669 63.2Does the CAE believe thathe/she has appropriate accessto the audit committee? 1,671 91.3



Organizations’ and CAEs’ Perceptions of the IAA

A set of general questions asked all respondents to rank their perceptions about how their IAA isperceived by their organization. All respondents were asked to rank their level of agreement withthe statements in Table 2-2 on a scale of 1 to 5 from Strongly Disagree (1) to Strongly Agree (5).The mean response for each question was calculated for the four levels of audit staff respondingto the survey.

Table 2-2Relationship of IAA to the Organization

All Respondents in Means*

CAE Audit Manager Audit Senior/ Audit StaffStatement (Mean of (Mean of 2,033 Supervisor (Mean of 1,626

2,374 Responses) (Mean of 2,251 Responses)Responses) Responses)

Your internal audit activity is an 4.45 4.34 4.25 4.10independent objective assuranceand consulting activity.Your internal audit activity adds 4.41 4.32 4.26 4.20value.Internal audit brings a systematic 4.03 3.99 3.98 3.95approach to evaluate theeffectiveness of risk management.Your internal audit activity brings 4.35 4.27 4.21 4.11a systematic approach to evaluatethe effectiveness of internal controls.Your internal audit activity brings a 3.80 3.73 3.71 3.74systematic approach to evaluate theeffectiveness of governanceprocesses.Your internal audit activity 4.10 4.05 3.96 3.88proactively examines importantfinancial matters, risks, andinternal controls.Your internal audit activity is an 4.10 4.04 3.97 3.91integral part of the governanceprocess by providing reliableinformation to management.

*The mean is the average response to: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree.



Table 2-2 (Cont.)Relationship of IAA to the Organization


CAE Audit Manager Audit Senior/ Audit StaffStatement (Mean of (Mean of 2,033 Supervisor (Mean of 1,626

2,374 Responses) (Mean of 2,251 Responses)Responses) Responses)

The way our internal audit activity 3.52 3.81 3.66 3.51adds value to the governanceprocess is through direct accessto the audit committee.Your internal audit activity has 4.07 3.97 3.86 3.75sufficient status in the organizationto be effective.Independence is a key factor for 4.46 4.40 4.32 4.29your internal audit activity to addvalue.Objectivity is a key factor for 4.58 4.47 4.42 4.36your internal audit activity to addvalue.Your internal audit activity is 4.30 4.17 4.08 3.99credible within your organization.Compliance with The IIA’s 3.86 3.90 3.89 3.90International Standards for theProfessional Practice of InternalAuditing is a key factor for yourinternal audit activity to add valueto the governance process.Compliance with The IIA’s Code 4.03 4.04 3.98 3.99of Ethics is a key factor for yourinternal audit activity to add valueto the governance process.


With the majority of means above 4.0, respondents, who are all members of the IAA giving theiropinion about how others see the IAA, indicate that they believe their organizations perceive thatIAAs are independent, objective, add value, and effectively evaluate internal controls. There isless certainty among respondents concerning their perceptions about the effectiveness of the IAA’sapproach to risk management and evaluation of the effectiveness of governance processes. These



two areas are specifically addressed in the 1999 definition of internal auditing. Respondents’perceptions indicate strong support for the IAA’s independence, objectivity, and credibility. Whilethe IAA appears to be highly credible within the organization, there is less agreement aboutcompliance with The IIA’s Standards and Code of Ethics.

Statements with means around 4.0 indicate respondents’ agreement that the IAA has an effectiveapproach to risk management; is proactive in looking at important financial matters, risks, andinternal controls; has sufficient status in the organization; and compliance with The IIA’s Code ofEthics is a key factor for the IAA to add value to its organization.

The statements ranked under 4.0 but above 3.5 indicate respondents have less support for thestatements about effectiveness in the evaluation of corporate governance and compliance with theStandards. Overall, the perceptions by the respondents provide a very positive view of the IAAwithin their organizations.

Methods Used to Measure the Value Added by the IAA

The responses to the questions about the methods used to measure the value added to the organizationby the IAA show a variety of methods being used. These include self-assessment and assessmentby others in the organization. The measures used include acceptance of recommendations (51.4%),auditee (customer) surveys (34.6%), and the number of management requests (26.8%). Relianceby the external auditors on the IAA is also used as a value indicator (33.5%). No formal measurementof value added exists in 32.6% of respondents’ IAAs.

Internal Audit Activity

Managing the IAA

Standard 2000 requires that the CAE, “should effectively manage the internal audit activity toensure it adds value to the organization.” These activities include administrative activities such asdeveloping an audit plan and assigning audit tasks. Performance Standard 2200 states, “Internalauditors should develop and record a plan for each engagement, including the scope, objectives,timing, and resource allocations.” Over 91.5% of all respondents believe that their IAA performsthese administrative tasks.

Creating the Audit Plan

Eighty-one point three percent of respondents follow Practice Advisories PA 2010-2, Linking theAudit Plan to Risk and Exposures, and PA 2040-1, Policies and Procedures, indicating that most



IAAs use a proper planning process. Of the organizations served by the IAA, 73.3% have acorporate ethics policy/code of conduct. Internal audit risk assessments are performed by 69.5%of the respondents. In the IAA, 63.0% have an internal audit operating manual/policy statement.These are all positive indicators of effective internal audit processes.

To comply with IIA Standard 2010, Planning, the IAA should create an audit plan using a risk-based technique. Respondents indicate that 95.6% of their IAAs create a plan for their auditactivities at least annually, while 36.4% plan or revise their intentions multiple times a year. The useof risk-based methodology to determine the audit plan is required by IIA Performance Standard2010 and elaborated in Practice Advisory PA 2010-1, Planning. Of CAE respondents, 86.7% userisk-based techniques in audit planning. When preparing their audit plans, requests from managementare an additional consideration used by 73.1% of CAEs.

Scope of Work and Who Performs the Audits

The definition of internal auditing and Standard 2100 includes three broad areas of responsibilityfor IAAs “to evaluate and contribute to the improvement of risk management, control, and governanceprocesses.” The respondents were asked what percentage of the audits their IAAs performed andwhat percent are outsourced or done by other departments in the organization. The IAA performs85.6% of the internal audits, 79.1% of the operational auditing, 56.3% of the investigations of fraudand irregularities, and 56% of the financial audits. IAAs also perform 47.1% of the ethics auditsand 48.5% of the management effectiveness audits.

Other types of work performed include control framework monitoring and development (58.9%)and compliance with corporate governance and regulatory code requirements (51.4%). Informationrisk assessment (47.5%), internal control testing and evaluation engagements (70.8%), and enterpriserisk management (37.6%) are also performed by the IAA to determine what areas may need to bemade more effective and efficient.

The three largest audit areas that are outsourced/co-sourced outside the IAA are financial auditing(27.2%), information technology department assessment (18.8%), and quality/ISO audits (14.1%).The three areas where fewer audits are performed by the IAA are social and sustainability audits(40%), quality/ISO audits (32.5%), and ethics audits (27.4).

Risk management work performed within organizations includes business viability assessments,enterprise risk management support and information risk assessment. The majority of businessviability assessments are performed by other departments within the organization (51.6%). IAAsperform 24.6% of these audits while 16.8% of the respondents report that these audits are notperformed at all. For enterprise risk management assessment activities, IAAs perform 37.6% of



these activities, other departments within the organization perform 43.6%, and 6.5% of theseactivities are co-sourced or outsourced. In the area of information risk assessment, the IAA performs47.5% of the activities and other departments perform 30.9%.

Practice Advisory 2120.A1-1, Assessing and Reporting on Control Processes, states that testing“compliance with laws, regulations, and contracts” is part of the IAA’s study and evaluation ofinternal controls. Two areas where the IAA performs compliance activities are compliance withcompany privacy policies (43.1%) and health, safety, and environment (22.1%).

The definition of internal auditing includes consulting in its scope of acceptable audit activities.Areas of consulting included in the study indicate that 11.3% of the activities for corporate takeovers/mergers are performed by IAAs while 50.4% are handled by other departments in the organization.The IAA provides 46.2% of the support for external auditors, while other departments provide28.1% and co-sourced or outsourced work accounts for 14% of the activities required. Projectmanagement activities are performed mainly by other departments (58.3%) with 27.7% of theseactivities provided by the IAA. Both the IAA and other departments in the organization provide39.6% of the activities for special projects with 15.4% being co-sourced or outsourced.

Performing the Engagement

The demands on the IAA and its staff are increasing as the significance and usefulness of thework of the IAA become better known and valued. This can strain the resources of most IAAs asthey enhance their presence in the organization. The use of tools and techniques helps the auditorsuccessfully plan, monitor progress, document, analyze data, complete the audit, and determine themagnitude of audit findings. The objective for this area of the study was to determine which toolsthe IAA finds necessary for internal auditors to successfully perform their engagements.

The tools and techniques included in this survey were identified by reviewing the Standards andPractice Advisories, internal auditing literature, past CBOK studies, and the current CBOK’s pilotstudy. Based on this review, 16 tools and techniques were identified as being important for the IAAand its staff when performing the audit. Some tools/techniques are in the area of audit administration(planning or managing) while others relate to helping internal auditors perform their engagements(analyzing data or statistical sampling). Respondents could not add to or amend the list that wasincluded in the CBOK 2006 survey. The respondents were asked to indicate which listed tools andtechniques their IAAs currently use or plan to use in the next three years by rating all the tools/techniques listed on a five point scale: 1, Not Used, through 5, Extensively Used. Results areshown in Table 2-3, indicating the ranking of response means by position in the IAA.



The results in Table 2-3 show that that all respondents, regardless of their position, almost uniformlyrank the same three tools as most used by the IAA. Other electronic communications was thehighest ranked tool. Risk-based audit planning uniformly ranked second with a mean approximatelyone-half a percentage point less than that of electronic communications. Other than electroniccommunications (e.g., Internet, e-mail) and risk-based audit planning, only analytical review has amean above 3.00 for all respondents. These three tools match the core tasks of the IAA: planning,documenting fieldwork, and communication. Documentation and communication can be verylabor intensive when completed without technological support. As such, it is appropriate that theIAA would have first invested and developed tools in these areas.

Table 2-3Extent the IAA Currently Uses Audit Tools and Techniques

All Respondents by Rank*

Tools/Techniques Overall CAE Audit Audit Senior/ Audit OtherManager Supervisor Staff

Other electronic communication 1 1 1 1 1 1(e.g., Internet, e-mail)Risk-based audit planning 2 2 2 2 2 2Analytical review 3 3 4 3/4 4 3Electronic workpapers 4 4 3 3/4 3 4Statistical sampling 5 5 6 5 5 5Computer-assisted audit 6 6 5 6 6 6techniquesFlowchart software 7 8 7 7 8/9 7/8Benchmarking 8 7 8 9/10 11 7/8Process mapping application 9 9 9 8 8/9 10Control self-assessment 10 11 10 9/10 10 9Data mining 11 10 11 12 12 12Continuous/real-time auditing 12 12 13 11 7 11The IIA’s quality assessment 13 13 12 14 14 14review toolsBalanced scorecard or similar 14 14 14 13 15 15frameworkTotal quality management 15 15 15 15 13 13techniquesProcess modeling software 16 16 16 16 16 16

*In some cases the rankings were tied. For example, rankings of Benchmarking and Control self-assessment at the AuditSenior/Supervisor level were tied.



Process modeling software is a tool that is generally not used (ranked 16 of 16) by the respondents.Based on ranks and means, other tools and techniques not currently used by many respondents aretotal quality management techniques, the balanced scorecard, the IIA’s quality assessment reviewtools, continuous/real-time auditing, data mining, and control self-assessment.

Respondents were also asked to indicate their planned use of the listed tools and techniques in thenext three years. Results show that in the next three years a higher number of CAEs and Practitionerswill extensively use the listed tools and techniques, more than they presently do. Significant increasesin usage were indicated for risk-based audit planning and computer-assisted audit techniques.Increased usage was also noted for The IIA’s quality assessment review tools, process modelingsoftware, the balanced scorecard or similar frameworks, continuous real-time auditing, data mining,and control self-assessment.

These findings are very important since these are the tools and techniques suggested by theStandards, practice advisories, and best practices.

Resolution of Major Differences

Practice Advisory 2410-1, Communication Criteria, suggests, “As part of the internal auditor’sdiscussions with the engagement client, the internal auditor should try to obtain agreement on theresults of the engagement and on a plan of action to improve operations, as needed.” CAErespondents were asked to indicate at what points in the audit process major differences areresolved. Several categories could be selected by each respondent indicating major issue resolutionin multiple phases of the audit process. Of those responding, 44.5% usually resolve major differencesduring audit fieldwork and 45.2% usually resolve them during the audit reporting phase. Thirty-twopoint four percent sometimes resolve audit issues during planning, while 28.5% indicated thatresolution rarely happens during the planning stage.

Reporting of Findings

Standard 2440, Disseminating Results, states, “The chief audit executive should communicateresults to the appropriate parties.” The majority of the respondents agree that the responsibility ofreporting audit findings rests with the CAE. CAEs believe they should report the findings alone(75.1%) or jointly with the client (10.3%), while Audit Managers indicate they should report thefindings alone (28.2%) or with the client (9.4%).



Monitoring Corrective Action

In Standard 2500, Monitoring Progress, “The chief audit executive should establish and maintain asystem to monitor the disposition of results communicated to management.” Standard 2500.A1goes on to require “a follow-up process to monitor and ensure that management actions have beeneffectively implemented or that senior management has accepted the risk of not taking action.” Ofthe respondents in varying positions in the IAA, 37.5% to 54.5% believe that both the internalauditor and client together have the primary responsibility to monitor adoption of needed correctiveaction. From 25.8% to 35.7% of the respondents indicated that the internal auditor has the primaryresponsibility. The majority of respondents indicated that their organizations have some formalmonitoring system. With the exception of the Other respondents (8.5%), only 2.0% to 3.4% indicatedthey had no formal follow-up procedures. Although these results indicate that this responsibility isoften shared with management, the Standards state that the CAE is responsible for monitoringcorrective action.

Staffing and Professional Development

Staffing

In most organizations, in-house internal auditors cover over 90% of the work. Publicly listedcompanies average the highest in-house audits with 95.4% coverage. Despite the opportunity foroutsourcing and co-sourcing, most organizations are conducting their internal audits with in-housestaff. Consultants are the largest group of service providers for IAAs. Thirty-three percent ofCAEs indicated that their budget for co-sourcing and outsourcing will increase in the next threeyears.

The survey responses indicate that most respondents’ IAAs are relatively small operations interms of staffing but that staff is skewed to more experienced internal auditors. In 44% of theorganizations, there are only two to five general Audit Staff members. The two main methodsCAEs use to cover staff vacancies are reduction in areas of coverage (30.7%) and co-sourcingwith internal audit service providers (28.7%).



Continuing Professional Development and Certification in Internal Auditing

The IIA requires 80 hours of continuing professional development (CPD) every two years. TheIIA Attribute Standard 1230, Continuing Professional Development, requires internal auditors to“enhance their knowledge, skills, and other competencies through continuing professionaldevelopment.” Respondents were asked how many hours of formal training they received over thelast 36 months or while they have been working in their IAA if less than 3 years. Training includes,but is not limited to, seminars, conferences, workshops, and in-house information sessions providedby either the respondent’s organization or other organizations.

The range in hours of formal training reported is from none to more than 240 hours. There is anexpectation that all respondents would have taken at least 120 hours of CPD over the prior three-year period. Of the CAEs, 48.2% achieved or exceeded 120 hours of CPD. Another 16.4% of theCAEs attained the 80-119 hour level of CPD. The percentages of respondents at the other stafflevels that achieved 120 or more hours of formal training are: 49.1% for Audit Managers, 42.4%for Audit Seniors/Supervisors, 35.5% for Audit Staff, and 34.1% for Others.

Compliance with the Standards mandates 40 hours of CPD annually. In some parts of the world,due to the small size of the internal auditor population, it may be difficult to find the continuingprofessional development needed to upgrade skills. There are many ways that IAAs can obtainCPD for their staff even if funding or scarcity of local CPD courses are a concern. With the useof the Internet, members can attend online conferencing events provided by The IIA, downloadIIA position statements, and research online how to perform such activities as control self-assessment.The IIA has monographs and other materials on multiple topics to aid in training internal auditors.

Of the respondents, 39.4% have a certification in internal auditing (e.g., CIA, MIIA), and aboutone-fourth of the respondents have a certification in public accounting/chartered accountancy.Possession of additional certification appears more common as individuals progress professionallyin the IAA.

Internal Auditor Skills

Since the scope of audit responsibilities outlined in the definition of internal auditing expanded in1999, the types of audits and consulting activities performed by IAAs have increased. Skills usedby internal auditors have evolved and changed to meet the challenges of performing these newtypes of audits.



Standard 1220, Due Professional Care, requires internal auditors to “apply the care and skill expectedof a reasonably prudent and competent internal auditor.” The objective for this question is todetermine the behavioral and technical skills necessary for internal auditors to successfully performtheir jobs at their position in the IAA. Recognizing the evolutionary nature of the profession, thefollowing two sections summarize the skills internal auditors are currently expected to possess asthey perform their roles.

All respondents were provided a list of technical and behavioral skills developed from the Standardsand Practice Advisories, internal auditing literature, past CBOK studies, and the current CBOK2006 pilot survey . Respondents were unable to amend or change the list of skills provided. CAEswere asked to identify the five most important technical and behavioral skills they and their staffneed to possess in order to be successful at their position in the IAA. Practitioners were asked toindicate the importance of the listed skills to perform their work at their current staff position byranking the skills on a scale of 1 (minimally important) to 5 (very important). As a guide whenanswering the survey questions, respondents were given the following definition of technical skills:“using terminology or subject matter in a particular field.” Behavioral skills were defined in thesurvey as “actions towards others measured by commonly accepted standards and managementof one’s own actions.”

Technical Skills

CAEs believe that understanding the business and risk analysis are skills that are most importantfor themselves. There is no individual technical skill that is highly rated by CAE respondents for allstaff levels in the IAA. Technical skills that are considered more important for the Audit Staff butless critical for CAEs are identifying types of controls, use of information technology, statisticalsampling, and data collection and analysis. Other skills, such as forensic skill/fraud awareness, riskanalysis, and negotiating, are considered more important for CAEs and not as vital for the AuditStaff or Audit Seniors/Supervisors.

As shown in Table 2-4, when reviewing the mean ranking of technical skills by Practitioners, theconsistency in rankings among the three traditional staff levels (Audit Manager, Audit Senior/Supervisor, and Audit Staff) is very noticeable. The decreasing importance of certain skills as oneachieves higher levels in the IAA is indicated for some technical skills, but the direction of thechange is more significant than the magnitude of the decrease. Statistical sampling and data collectionand analysis have the largest changes between professional ranks.



Table 2-4Importance to Respondent of Technical Skills to Perform Work

Practitioner Respondents by Means*

Technical Skills Audit Audit AuditManager Senior/ Staff

Supervisor

Data collection and analysis 4.1 4.3 4.4Financial analysis 3.8 3.9 3.7Forensic skills/fraud awareness 3.6 3.6 3.6Identifying types of controls 4.3 4.2 4.1(e.g., preventative, detective)Interviewing 4.3 4.3 4.3ISO/quality knowledge 2.9 2.9 3.0Negotiating 3.7 3.6 3.5Research skills 3.9 4.0 4.0Risk analysis 4.4 4.3 4.2Statistical sampling 3.2 3.3 3.5Total quality management 2.9 2.9 3.0Understanding the business 4.5 4.4 4.3Use of information technology 4.1 4.1 4.1

*The mean is the average response to: 1 = minimally important to 5 = very important.Note: Not all respondents answered for all the skills. Total number of respondents was between 4,686 and 4,756.

Behavioral Skills

The results show that CAEs and Practitioners almost uniformly consider confidentiality and objectivityamong the five most important behavioral skills. The CAEs’ responses for other behavioral skillsindicate a difference among the skills needed based on the professional levels analyzed (CAE,Audit Manager, Audit Senior/Supervisor, and Audit Staff). While leadership is considered the mostimportant skill that CAEs should possess, CAEs indicate that for the Audit Staff, interpersonalskills and being a team player are most important. From the CAE’s perspective, when viewing theimportance of behavioral skills across the array of hierarchical positions in the IAA, leadership,governance and ethics sensitivity, and staff management show a trend of increasing importance.As one progresses to higher levels of professional responsibility and status, being considered ateam player and being able to work independently decline in importance.



Practitioners were asked to indicate the importance of the same 12 behavioral skills for performingtheir work at their current position in the organization. Respondents indicated importance on ascale of 1 (minimally important) to 5 (very important). Analysis broken up into three professionallevels (Audit Manager, Audit Senior/Supervisor, and Audit Staff) is shown in Table 2-5. As indicatedby a mean of 4.0 and above, practitioners consider almost all the behavioral skills listed to beimportant to perform their work at their current position in the IAA.

Table 2-5Importance of Behavioral Skills to Perform Work

Practitioner Respondents by Mean*

Behavioral Skills Audit Audit AuditManager Senior/ Staff

Supervisor

Confidentiality 4.8 4.8 4.7Facilitating 4.1 4.0 3.9Governance and ethics sensitivity 4.4 4.3 4.3Interpersonal skills 4.6 4.5 4.5Leadership 4.3 4.1 3.9Objectivity 4.8 4.8 4.7Relationship building 4.4 4.4 4.3Staff management 4.1 3.8 3.5Team building 4.2 4.0 3.9Team player 4.3 4.2 4.2Work well with all levels of management 4.6 4.6 4.5Working independently 4.2 4.2 4.2

*The mean is the average response to: 1 = minimally important to 5 = very important.Note: Not all respondents answered for all the skills. Total number of respondents is between 4,742 and 4,790.

No one person can possess all the behavioral and technical skills needed by the IAA to perform thedifferent types of audits and consulting engagements necessary to fulfill all the needs of theorganization. Although many of the staff can be generalists, IAAs may need to hire specialists and/or outsource audits as needed.



Internal Auditor Competencies and Knowledge Areas

Competency and knowledge areas are essential for the success of an individual internal auditor,the completion of an audit, and the overall success of the IAA. Standard 1210, Proficiency, requiresthe “internal audit activity collectively should possess or obtain the knowledge…and othercompetencies needed to perform its responsibilities.” Standard 1230, Continuing ProfessionalDevelopment, indicates that these competencies and knowledge areas must be continually updatedand current. Internal auditors at all levels need to obtain and develop a range of competencies andknowledge areas that enable them to perform their work effectively and enable the IAA to functionproperly.

Competencies

Competencies range from generally applicable individual skills such as time management andpresentation skills to qualities that are specific to internal auditors such as the ability to promote theIAA within the organization. Internal auditors also must have different competencies for satisfactoryperformance at various hierarchical positions in the IAA. As a guide for respondents, competencieswere defined in the survey as “skills essential to perform certain tasks.” The importance ofcompetencies is highlighted since it is one of four principles in The IIA’s Code of Ethics. The Codeof Ethics states that competency is when “internal auditors apply the knowledge, skills, andexperience needed in the performance of internal auditing services.” Respondents were unable toamend or add to the list of competencies that was given.

CAEs were asked to identify the five most important competencies they need to possess in orderto be successful as the leader of their IAA. They were also asked to identify the five most importantcompetencies that Audit Managers, Audit Seniors/Supervisors, and Audit Staff each need to performtheir jobs.

As shown in Table 2-6, CAEs commonly indicated as their most important competency the abilityto promote the IAA within the organization. This is consistent with the Standards. Standard 2000,Managing the Internal Audit Activity, states that the CAE “should effectively manage the internalaudit activity to ensure it adds value to the organization.” CAEs view the ability to be analytical andcommunicate as the most important competencies for Audit Seniors/Supervisors and the AuditStaff. Based on the CAEs’ responses, writing and analytical skills decline in importance as oneadvances in positional responsibility and status.



Table 2-6Most Important Competencies by Staff Level

CAE Respondents (2,092 ) in Percentages

Competencies CAE Audit Audit AuditManager Senior/ Staff

Supervisor

Ability to promote the internal audit activity within 78.1 28.3 10.9 9.3the organizationAnalytical (ability to work through an issue) 24.9 31.5 47.7 63.9Change management 34.7 20.4 7.6 4.1Communication 60.3 46.7 43.2 51.9Conceptual thinking 38.0 20.7 16.1 17.8Conflict resolution 41.2 35.3 20.2 7.2Critical thinking 31.3 26.3 31.0 43.9Foreign language skills 13.4 10.8 8.1 12.4Keeping up to date with professional changes in 41.3 31.0 22.9 22.5opinions, standards, and regulationsOrganization skills 30.3 27.9 22.0 20.9Presentation skills 37.4 25.5 15.5 13.0Problem identification and solution 21.6 23.8 34.5 47.0Project planning and management 24.7 35.7 24.3 7.1Report development 13.0 23.0 27.3 22.1Time management 15.8 18.7 28.2 40.2Training and developing staff 30.1 38.2 20.9 2.6Understanding complex information systems 12.4 14.9 16.1 16.3Writing skills 23.6 24.2 32.0 51.0

Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.



Table 2-7Importance of Competencies to Perform Work

Practitioner Respondents in Means*

Competencies Audit Audit AuditManager Senior/ Staff

Supervisor

Ability to promote the internal audit activity 4.32 4.15 4.11within the organizationAnalytical (ability to work through an issue) 4.52 4.53 4.45Change management 4.03 3.89 3.72Communication 4.61 4.59 4.54Conceptual thinking 4.33 4.29 4.25Conflict resolution 4.27 4.24 4.13Critical thinking 4.48 4.43 4.36Foreign language skills 2.59 2.54 2.66Keeping up to date with professional changes 4.05 4.01 4.02in opinions, standards, and regulationsOrganization skills 4.15 4.13 4.13Presentation skills 4.13 4.03 4.02Problem identification and solution 4.50 4.48 4.44Project planning and management 4.13 4.02 3.84Report development 4.31 4.27 4.19Time management 4.26 4.25 4.21Training and developing staff 4.06 3.74 3.56Understanding complex information systems 3.79 3.73 3.65Writing skills 4.49 4.47 4.39

*The mean is the average response to: 1 = minimally important to 5 = very important.Note: Not all respondents answered for all the competencies. Total number of respondents was between 4,693 and4,735.

Practitioners, when asked to indicate the importance of the eighteen competencies to their own jobperformance at their current position in the organization, considered almost all of the competenciesequally important across the positional levels in the IAA. This is indicated by only marginal differencesacross staff levels in the means on Table 2-7. CAEs appear to be viewing competencies appropriatefor a positional level from a department manager’s perspective, while Practitioners appear to viewa variety of competencies necessary for their success.



Knowledge Areas

This section looks at 19 areas of knowledge to determine which are important to internal auditorsfor the satisfactory performance of their job in the IAA. As indicated in Table 2-8, Practitionerswere asked to indicate the importance of these 19 areas of knowledge to perform their work attheir current position in their organization on a scale of 1 (minimally important) to 5 (very important).They were unable to amend or add to the list. Knowledge of auditing is overwhelmingly rankedfirst for Practitioner respondents at all levels, and Ethics is ranked second by all levels except forAudit Seniors/Supervisors where it is ranked third. Other knowledge areas consistently ranked inthe top five for all Practitioner respondents are internal auditing standards, technical knowledge foryour industry, and fraud awareness. There is an overall consistency of means for knowledge areasat all staff levels.



Table 2-8Importance of Areas of Knowledge to Perform Work


Areas of Knowledge Audit Audit AuditManager Senior/ Staff

Supervisor

Accounting 3.83 3.77 3.71Auditing 4.68 4.66 4.61Business law and government regulation 3.68 3.70 3.68Business management 3.75 3.60 3.53Changes to professional standards 3.71 3.64 3.68Enterprise risk management 3.85 3.74 3.71Ethics 4.21 4.18 4.26Finance 3.70 3.68 3.64Fraud awareness 4.00 3.93 3.91Governance 3.95 3.80 3.77Human resource management 3.44 3.23 3.15Internal auditing standards 4.19 4.19 4.24Information technology 3.85 3.84 3.79Managerial accounting 3.35 3.30 3.27Marketing 2.70 2.60 2.64Organization culture 3.91 3.79 3.82Organizational systems 3.75 3.76 3.78Strategy and business policy 3.73 3.61 3.60Technical knowledge for your industry 3.97 3.92 3.96

*The mean is the average response to: 1 = minimally important to 5 = very important.Note: Not all respondents answered for all the knowledge areas. Total number of respondents was between 4,711 and4,751.



Emerging Roles of the Internal Audit Activity

Changing Emphasis on Types of Audits

This section focuses on the anticipated changes in the demand for general types of audits that willbe performed by the IAA in the next three years. The definition of internal auditing in The IIA’s1999 report, A Vision for the Future: Professional Practices Framework for Internal Auditing,acknowledges the importance of assurance services and consulting engagements in the areas ofrisk management, governance, and controls. With this expansion of scope, audits are expected tobe performed by IAAs in these three areas. In order to assess the amount of staff, their requiredcompetencies, and the skills needed in the near future, the profession needs to anticipate changesin the demand for the IAA’s services. The IAA also must consider changes in their organizations’risk maturity profiles and stakeholder requirements. Table 2-9 shows the opinions of all respondentsto the question about whether they perceive the general types of audits performed by the IAA willincrease, decrease, or stay the same over the next three years.

Table 2-9Anticipated Changes in Types of Audits to Be Performed

Within the Next Three YearsAll Respondents in Percentages

Activity Total Increase Decrease Stay the TotalResponses Same Percent

Risk management 6,728 79.5 2.3 18.2 100.0Governance 6,704 63.2 4.0 32.8 100.0Regulatory compliance 6,698 46.9 11.7 41.4 100.0Operational auditing 6,715 46.2 14.7 39.1 100.0Review of financial processes 6,724 43.5 14.6 41.9 100.0



Of respondents, 79.5% predict that the greatest increase in the type of audits performed in the nextthree years will be for risk management and 63.2% predict an increase in governance audits. Theincrease in these types of audits will need to be reflected in the IAA’s internal audit plan, resourcesallocated, and in the audit staff’s competencies. For many of the respondents, reviews of financialprocesses (43.5%), regulatory compliance (46.9%), and operational auditing (46.2%) show increases.Some respondents anticipate that less time will be spent on operational audits (14.7%), review offinancial processes (14.6%), and regulatory compliance audits (11.7%).

IAAs’ Emerging Roles in Organizations’ Activities

To gain an understanding of what roles IAAs have and will have in various types of activitiesperformed within the organization, respondents were provided with a list of important tasksperformed by organizations. They were asked to indicate if their IAA currently has a role in thearea, if the IAA will likely have a role in the next three years, or if it is unlikely that the IAA willhave a role. Role was defined as being within the IAA’s scope of work. The list was created byreviewing internal auditing literature and from the CBOK 2006 pilot survey. An overview of allresponses is shown in Table 2-10.

The respondents’ IAAs do some type of work in many of the areas listed. The four highest-ratedareas where respondents indicate that their IAAs currently perform audits are fraud prevention(69% of respondents), risk management (66.6%), regulatory compliance assessment monitoring(64%), and corporate governance (52.2%). Areas where respondents’ IAAs currently have lessdeveloped roles are globalization (15.3%), environmental sustainability (14%), and emerging markets(11.5%). For areas where there is no current IAA involvement, respondents indicate that 17.7% to38.1% of their IAAs plan some engagements in the next three years. Areas where the IAA’scurrent involvement is low and is expected to remain low are executive compensation (45.4%),environmental sustainability (39.9%), emerging markets (39.5%), globalization (35.2%), intellectualproperty and knowledge assessment (35.1%), and mergers and acquisitions (30.8%).



Table 2-10Emerging Roles of the IAA

Total Responses in Percentages

Roles Total Currently Likely to Have Unlikely to Not TotalRespon- Have a Role a Role Within Have a Role Applicable

dents the Next 3Years

Alignment of strategy 6,500 23.1 35.2 30.1 11.6 100.0and performancemeasures (e.g., BalancedScorecard)Benchmarking 6,476 28.6 35.7 26.0 9.7 100.0Corporate governance 6,511 52.2 31.2 11.4 5.2 100.0Corporate social 6,415 23.6 31.6 33.8 11.0 100.0responsibilityDevelop training and 6,522 46.6 34.4 15.3 3.7 100.0education of organizationpersonnel (e.g., internalcontrols, risk management,regulatory requirements)Disaster recovery 6,490 34.0 26.1 29.0 10.9 100.0Evidential issues 6,385 39.8 23.9 23.5 12.8 100.0Emerging markets 6,426 11.5 22.5 39.5 26.5 100.0Environmental sustainability 6,436 14.0 24.7 39.9 21.4 100.0Executive compensation 6,429 16.0 17.7 45.4 20.9 100.0Fraud prevention/detection 6,530 69.0 22.9 5.7 2.4 100.0Globalization 6,431 15.3 21.1 35.2 28.4 100.0Intellectual property and 6,391 19.2 28.4 35.1 17.3 100.0knowledge assessmentIT management assessment 6,453 46.1 32.2 16.8 4.9 100.0Knowledge management 6,387 26.1 38.1 26.9 8.9 100.0systems development reviewMergers and acquisitions 6,437 18.4 23.7 30.8 27.1 100.0Project management 6,410 39.8 27.6 25.1 7.5 100.0Provide training to the 6,436 31.2 34.4 21.7 12.7 100.0audit committeeRegulatory compliance 6,442 64.0 23.0 9.2 3.8 100.0assessment monitoringRisk management 6,509 66.6 25.5 5.6 2.3 100.0Strategic frameworks 6,407 27.0 36.8 27.7 8.5 100.0



Changing Legal Environment, Organization Systems, and Role of the IAA

Table 2-11 captures CAE and Audit Manager respondents’ agreement with statements about theirorganizations and their IAA. The question asked if a statement currently applies, is likely to applywithin the next three years, or will not apply in the foreseeable future. The respondents indicatethat 61.2% of the IAAs currently reside in countries that have mandatory laws or regulations thatrequire organizations to have an IAA and 13.1% anticipate their countries will have such requirementsin the next three years. Corporate governance codes are complied with in 67.7% of the organizationswith 22.7% of the respondents’ organizations anticipating compliance with corporate governancecodes in the next three years. In 70.5% of the respondents’ organizations, there is an internalcontrol framework and 24.3% indicate that their organizations will have a framework in the nextthree years. Assurance audits receive more emphasis than consulting services in 71.5% of theorganizations.



Table 2-11How Statements Apply to Your Organization

CAEs’ and Audit Managers’ Agreement with Statements in Percentages

Statement Number of Currently Likely to Will Not Not TotalRespondents Applies Apply Apply in the Applicable

Within the ForeseeableNext 3 FutureYears

Internal auditing is required 3,464 61.2 13.1 12.9 12.8 100by law or regulation wherethe organization is based.Internal auditors in the 3,445 28.9 32.7 30.3 8.1 100organization have anadvisory role in strategydevelopmentThe organization complies 3,447 67.7 22.7 4.3 5.3 100with a corporate governancecode.The organization has 3,443 70.5 24.3 3.5 1.7 100implemented an internalcontrol framework.The organization has 3,423 25.6 43.9 20.6 9.9 100implemented a knowledgemanagement systemThe internal audit activity 3,424 34.0 32.3 18.5 15.2 100has provided training toaudit committee members.The internal audit activity 3,437 55.7 25.6 13.8 4.9 100assumes an important rolein the integrity of financialreporting.The internal audit activity 3,437 64.3 25.3 7.3 3.1 100educates organizationpersonnel about internalcontrols, corporategovernance, and complianceissues.The internal audit activity 3,448 71.5 15.2 8.4 4.9 100places more emphasis onassurance than consultingservices.



The IAAs (64.3% currently, 25.3% more in three years) educate the organizations’ personnelabout internal control, corporate governance, and compliance issues. Many IAAs (55.7% currently,25.6% more in three years) have an important role in the integrity of their organizations’ financialreporting. Internal auditors have growing advisory roles in strategy development (28.9% currently,32.7% more in three years) and training of audit committee members (34% currently, 32.3% morein three years). The top three statements that some respondents selected as will not apply in theforeseeable future are that internal auditors have a role in strategy development (30.3%), in thetraining of audit committee members (18.5%) and in the integrity of financial reporting (13.8%).

Summary

Compliance with The IIA’s International Standards for the Professional Practice of InternalAuditing is essential if the responsibilities of internal auditors to their organizations are to be met.Respondents strongly believed that their organizations comply overall with the Standards. Reasonsfor not using the Standards related to organizational attributes, such as management’s perceptionsthat the Standards do not add value, lack of adequate IAA staff, and that it is too time-consumingto comply with them. IAAs should strive to fully comply with the Standards. It appears thatStandard 1300, Quality Assurance and Improvement Program, is a barrier to full compliance formany organizations worldwide. Additional guidance with suggestions for less costly ways to complywith this standard could result in more members fully complying with the Standards.

The CBOK 2006 database provides information about the evolving role of internal auditing as avalue-added activity that helps an organization manage its risks and take advantage of opportunities.The profession of internal auditing is a rich resource for organizations as the IAA monitors theadequacy and effectiveness of management’s internal control framework and contributes to theintegrity of corporate governance; risk assessment; and financial, operating, and IT systems. TheCBOK 2006 database identifies the attributes of an effective IAA; internal auditor skills,competencies, and knowledge; internal audit tools and techniques; and the emerging roles of theIAA. This database can be used to inform the business community about what resources andservices the internal auditor can provide and what skills and knowledge are needed by internalauditing professionals. The database will be updated to document the evolution of global internalaudit practices. Future studies will build upon this baseline, allowing for comparison, analysis, andtrending.



References

1. Morton, Peter, The New York Stars, camagazine.com,www.camagazine.com/index.cfm?ci_id=33982&la_id=1&print=true

2. Sams, Rachel, “New Accounting Laws Make Internal Auditors ‘Rock Stars,’” BaltimoreBusiness Journal, June 5, 2006,baltimore.bizjournals.com/baltimore/stories/2006/06/05/story3.html

3. The Institute of Internal Auditors, “By the Numbers,” IIA Insight, Vol. 1/November 2006, pp.8-9.

4. The Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs,FL: The Institute of Internal Auditors Research Foundation), 2005.



_____________________________________________ Chapter 3: Survey Demographics 61


CHAPTER 3SURVEY DEMOGRAPHICS

Introduction

The following is a summary of the demographics of the CBOK 2006 respondents and theirorganizations. The total number of responses to the CAE and Practitioner questionnaires was15,028. After consultation with an independent statistical expert, responses were determined to benot useable if the reply was blank or the respondent did not answer enough questions on importantsections such as the use and application of the Standards. Upon completion of this process, 9,366useable responses remained. This results in an overall 7.3% response from the 127,735 IIA memberson September 30, 2006. Due to some affiliates not participating and some members who haveopted not to receive e-mails from The IIA, the survey was sent to approximately 99,000 membersresulting in an estimated 9.5% response rate.

The overall purpose of the CBOK 2006 project is to develop the most comprehensive databaseever to capture a current view of the global state of the internal audit profession. The database willbe updated to recognize the evolution of global internal audit practices. Future studies will buildupon this baseline, allowing for comparison, analysis, and trending.


• Not all of those who participated in the survey answered all the questions asked. Resultsare shown and discussed only for those respondents who answered a particular surveyquestion.



not CAEs).o Some questions were asked of both CAEs and Practitioners

Some participants’ responses are presented according to the respondents’ position in the internalaudit activity (IAA). These more detailed summaries of results may be provided for the five



categories of respondents: CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, andOther. The respondents in the Other category consist primarily of other professional staff whosepositions are not captured by the traditional job titles included in the survey. A review of theircredentials indicates they may be members of the IAA, employed by service providers, or inorganizations where their titles are less traditional but with duties within internal auditing.

When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.For a list of groups, please refer to the inside back cover of the report. Some tables have additionaldetails. For example, Table 3-2 is the total of all respondents for that question with a related Table3-2-1 showing the responses by group. A table can have more than one related table, where thesecond related table would be Table 3-2-2. Additional related tables may be located in Appendix 3at the end of this chapter. A table that is in the Appendix can be clearly identified by an “A” at theend of its number. For example, Table 3-6-1-A is located in Appendix 3.

Included in this chapter is information about the respondents, their IAA, and their organizations inthe areas of:

• Duration of respondent’s IIA membership.• Age.• Highest level of formal education.• Academic major(s).• Professional qualification(s).• Area(s) of professional experience.• Hierarchical position of the IAA.• Years of experience as CAE.• Years organizations have had an IAA.• Organization type.• Service providers.• Industry classifications.• Geographical area(s) served by respondent organizations.• Legislation affecting internal auditing.



Staff Levels of Respondents

Respondents were asked about their position in their organization. As indicated in Figure 3-1,26.5% of the respondents are CAEs, 22.8% are Audit Managers, and 25.2% are Audit Seniors/Supervisors. These three highest positional levels combined represent 74.5% of respondents.Members of the Audit Staff comprise 18.2% of the respondents and Others 7.3%. As indicated inTable 3-5, the Other respondents have as many credentials or more credentials as those respondentswho identify themselves as Audit Seniors/Supervisors or Audit Staff.

Figure 3-1Staff Level


Audit Staff18.2%

Other7.3%

Chief AuditExecutive

26.5%

Audit Manager22.8%

Audit Senior/Supervisor

25.2%



IIA Membership

Figure 3-2 shows that 58.6% of the respondents became members of The IIA within the last 5years, 19.5% have been members for 6 to 10 years, and 15% have been members for 11 or moreyears. This relatively high number of new members can be linked to the surge in importance of theprofession. In June 2003, IIA membership was 82,645. It grew to 127,735 in September 2006, a54% increase in three years. D.L. Clemmons noted in The IIA’s November 2006 edition of IIAInsight that, “Since 2005 The IIA’s strategic objectives have been to raise the profile of internalauditing and The IIA itself through strong advocacy efforts, globalization, and service tomembers...membership has risen 20 percent.” Although distribution of the original survey instrumentwas only to IIA members, 6.9% of the respondents indicated they are not members of The IIA.

Figure 3-2Number of Years as a Member of The IIAAll Respondents (8,874) in Percentages




Table 3-1 indicates that more than three-fourths (76.5%) of the Audit Staff respondents have beenmembers of The IIA for 5 years or less. Forty-six point six percent of CAEs have been membersfor 5 years or less. Approximately one-fourth of the CAEs (24.3%) and Audit Managers (23.9%)and only 16.7% of the Other respondents have been IIA members for 6 to 10 years. One-fourth ofCAEs (25.7%), 17.1 % of Audit Managers and 21.7% of the Other respondents have been membersfor 11 or more years.

Table 3-1Number of Years as a Member of The IIA

All Respondents in Percentages

Number CAE Audit Audit Audit Staff Other Averageof Percent of Managers Senior/Supervisor Percent of Percent of Percent of

Years 2,357 Percent of Percent of 2,240 1,617 642 8,874Respondents 2,018 Respondents Respondents Respondents Total

Respondents Responses

5 or less 46.6 53.2 65.2 76.5 51.8 58.66 to 10 24.3 23.9 19.8 7.6 16.7 19.511 or 25.7 17.1 8.4 3.3 21.7 15.0moreNot a 3.4 5.8 6.6 12.6 9.8 6.9MemberTotal 100.0 100.0 100.0 100.0 100.0 100.0



Table 3-1-1 provides an overview of the duration of IIA membership in each of the 13 groups. Thenumber of relatively new IIA members (5 years or less) is higher than the overall average ingroups 9 (83.5%), 7 (80.6%), 5 (74.8%), 12 (74.5%), 4 (72.5%), and 8 (72.4%). These groups mayrepresent a large number of countries where the internal audit profession is relatively new. Thenumber of respondents with a longer membership history in The IIA (6 years or more) are ingroups 10 (51.4%), 2 (48.6%), 6 (43.9%), 1 (43.4%), and 3 (43.0%). These groups appear torepresent countries where the internal audit profession is more established.

Table 3-1-1Number of Years as a Member of The IIA by Groups*


Years 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

5 or less 56.6 51.4 57.0 72.5 74.8 56.1 80.6 72.4 83.5 48.6 68.2 74.5 18.56 to 10 20.4 19.2 25.6 23.4 23.4 25.0 14.8 19.6 10.2 31.3 20.2 14.9 5.111 or 23.0 29.4 17.4 4.1 1.8 18.9 4.6 8.0 6.3 20.1 11.3 10.6 3.4moreNot a 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.4 0.0 73.0MemberTotal 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0

*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate Affiliate or Chapter membership.



Age of the Respondents

Figure 3-3 provides an overview of the age of the survey respondents. The figure indicates that34.8% of the survey respondents are between the ages of 35 and 44, 27.8% are between 26 and34 years old, and 24.2% are between 45 and 54 years old. Only 9.3% are 55-64 years old, 3.5%are 25 years old or under, and as seen in Figure 3-3, 0.4% are older than 64.

Figure 3-3Age of Respondents





Table 3-2 breaks down the respondents’ age information into the 5 categories of survey respondents.Based on this information, a positive relationship between the respondent’s age and position in theIAA can be ascertained. More than half of the audit staff (52.4%) is younger than 35 years old,while slightly more than half of the CAEs (50.4%) are older than 44 years old. The largest percentageof Audit Managers (41.5%) are between 35 and 44 years old.

Table 3-2Age of Respondents


Number CAE Audit Audit Senior/ Audit Staff Other Averageof Percent of Manager Supervisor Percent of Percent of Percent of

Years 1,944 Percent of Percent of 1,376 535 7,356Respondents 1,653 1,848 Respondents Respondents Total

Respondents Respondents Responses

25 or less 0.4 0.5 3.3 11.2 4.7 3.526 to 34 11.0 25.8 39.2 41.2 20.2 27.835 to 44 38.2 41.5 32.1 26.4 33.8 34.845 to 54 34.5 23.6 18.9 16.3 27.3 24.255 to 64 15.1 8.5 6.2 4.8 12.5 9.365 or 0.8 0.1 0.3 0.1 1.5 0.4moreTotal 100.0 100.0 100.0 100.0 100.0 100.0



Table 3-2-1 specifies the average age of the respondents in each of the 13 groups. Group 9consists of relatively young respondents (35.2 years on average). Group 10 consists of relativelyolder respondents (46.1 years on average). This compares with the overall average age for allsurvey respondents of 40.5 years.

Table 3-2-1Average Age of Respondents by Group*


Group* Average Age of theRespondents

1 41.62 42.93 37.44 39.95 38.26 42.67 39.98 40.89 35.210 46.111 38.812 37.3

N/C** 39.8Total 40.5




Highest Level of Formal Education

The survey asked about the educational background of the respondents. Figure 3-4 shows thehighest level of formal education indicated by the respondents. Of the respondents, 38.1% haveobtained their bachelor’s degree in business, and 28.9% have obtained a master’s degree in business.Fourteen point three percent have a bachelor’s degree in a non-business subject and 9.4% have amaster’s degree in a non-business field.

Figure 3-4Respondents’ Highest Level of EducationAll Respondents (8,920) in Percentages


Doctoral Degree



Table 3-3 presents an overview of the highest level of education for each of the 5 categories ofrespondents surveyed. There appears to be no pronounced relationship between the respondents’highest level of education and their current position in the IAA. It also appears that for mostrespondents, a bachelor’s degree or comparable level of education is necessary to enter theprofession.

Table 3-3Respondents’ Highest Level of Education


Level of CAE Audit Audit Senior/ Audit Staff Other AverageEducation Percent of Managers Supervisor Percent of Percent of Percent of

2,370 Percent of Percent of 1,623 649 8,920Respondents 2,029 2,249 Respondents Respondents Total


Secondary/ 5.1 4.1 4.0 7.0 5.6 5.0High SchoolBachelor’s/ 36.1 37.7 40.3 40.3 33.3 38.1BusinessBachelor’s/ 12.1 14.0 15.4 16.8 13.1 14.3Not BusinessMajorMaster’s/ 32.8 30.9 27.4 21.4 33.4 28.9Graduate/Diploma inBusinessMaster’s/ 9.0 9.7 9.5 9.4 9.7 9.4Graduate/Diploma inOther FieldsDoctoral 2.4 1.5 0.6 0.9 3.4 1.6DegreeOther 2.5 2.1 2.8 4.2 1.5 2.7Total 100.0 100.0 100.0 100.0 100.0 100.0



Tabl

e 3-

3-1

prov

ides

the

educ

atio

nal p

rofil

e of

the

resp

onde

nts i

n ea

ch o

f the

13

grou

ps. S

ever

al d

iffer

ence

s am

ong

the

grou

ps c

an b

e hi

ghlig

hted

. Bac

helo

r’s d

egre

es in

bus

ines

s se

em to

be

dom

inan

t in

grou

p 4

(56.

3%),

whi

lem

aste

r’s d

egre

es in

bus

ines

s ar

e m

ore

prev

alen

t in

grou

ps 6

(48.

3%),

10 (4

4.7%

), an

d 5

(40.

9%).

Gro

up 1

2, w

ith83

.3%

of r

espo

nden

ts a

nd g

roup

1 w

ith 7

8.1%

of t

hose

resp

ondi

ng h

ave

eith

er a

bac

helo

r’s o

r mas

ter’s

deg

ree

inbu

sine

ss. G

roup

9 is

the o

nly

grou

p to

hav

e les

s tha

n 50

.5%

of r

espo

nden

ts w

ith a

degr

ee (b

ache

lor’s

or m

aste

r’s)

inbu

sine

ss.

Tabl

e 3-3

-1H

ighe

st L

evel

of F

orm

al E

duca

tion

by G

roup

*A

ll R

espo

nden

ts in

Per

cent

ages

Leve

l of

12

34

56

78

910

1112

N/C

**Ed

ucat

ion

Seco

ndar

y/H

igh

1.84.7

11.2

1.913

.97.2

0.410

.31.5

6.91.2

0.05.5

Scho

olB

ache

lor’s

/49

.341

.533

.856

.311

.515

.533

.631

.626

.722

.823

.241

.735

.3B

usin

ess

Bac

helo

r’s/N

ot13

.013

.616

.614

.14.6

3.726

.316

.531

.38.3

20.3

12.5

17.4

Bus

ines

s M

ajor

Mas

ter’

s/G

radu

ate/

28.8

28.5

24.7

19.3

40.9

48.3

21.8

27.7

23.7

44.7

34.2

41.6

20.1

Dip

lom

a in

Bus

ines

sM

aste

r’s/

Gra

duat

e/5.3

8.47.0

5.420

.614

.214

.210

.815

.312

.412

.62.1

13.8

Dip

lom

a in

Oth

erFi

elds

Doc

tora

l Deg

ree

0.90.5

0.80.8

3.67.0

0.81.9

1.51.4

1.60.0

1.4O

ther

0.92.8

5.92.2

4.94.1

2.91.2

0.03.5

6.92.1

6.5To

tal

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**N

/C =

Res

pond

ents

did

not

ind

icat

e A

ffili

ate

or C

hapt

er m

embe

rshi

p.



Academic Major(s)

Figure 3-5 lists the top six academic concentrations/majors indicated by survey respondents.Accounting is the most popular academic major (55.8%) followed by general business/management(27 %), finance (23.8%), economics (19.9%), auditing (17.8%), and internal auditing (12.7%).

Figure 3-5Top Six Academic Majors


Note: Since respondents were able to select all the majors that apply, percentages may not add up to 100%.

Table 3-4 on the following page provides additional information about respondents’ academic majorsby staff level. A higher percentage of the CAEs (60.0%) and Audit Managers (59.9%) haveaccounting as a major than members of the Audit Staff (45.0%). Auditing as a major is morecommon for Audit Managers (22.1%) and CAEs (19.8%) than for the Audit Staff (12.5%).




Tabl

e 3-4

Aca

dem

ic M

ajor

(s)

All

Res

pond

ents

in P

erce

ntag

es*

Maj

orCA

EA

udit

Aud

itA

udit

Staf

f*O

ther

*Av

erag

ePe

rcen

t of 2

,374

Man

ager

s*Se

nior

/Pe

rcen

t of 1

,626

Perc

ent o

f 651

Perc

ent o

fR

espo

nden

tsPe

rcen

t of 2

,033

Supe

rviso

r*R

espo

nden

tsR

espo

nden

ts8,

935

Tota

l*R

espo

nden

tsPe

rcen

t of 2

,251

Res

pons

esR

espo

nden

ts

Acc

ount

ing

60.0

59.9

55.1

45.0

57.5

55.8

Arts

or

3.5

3.5

3.2

4.6

4.8

3.9

Hum

aniti

esA

uditi

ng19

.822

.117

.912

.516

.917

.8C

ompu

ter

4.1

4.8

4.7

4.2

4.1

4.4

Scie

nce

Econ

omic

s24

.319

.317

.916

.520

.919

.9En

gine

erin

g3.

62.

74.

33.

73.

53.

6Fi

nanc

e25

.624

.324

.219

.524

.923

.8G

ener

al29

.426

.026

.625

.726

.627

.0B

usin

ess/

Man

agem

ent

Info

rmat

ion

7.1

10.1

9.8

7.7

9.8

8.9

Syst

ems

Inte

rnal

12.7

14.9

13.2

11.3

11.4

12.7

Aud

iting

Law

6.8

6.2

6.0

6.6

6.9

6.5

Mat

hem

atic

s/5.

45.

65.

54.

75.

45.

3St

atis

tics

Scie

nce o

r3.

42.

93.

03.

52.

83.

1Te

chni

cal

Fiel

dN

o D

egre

e2.

62.

22.

43.

51.

22.

5

* N

ote:

Sin

ce r

espo

nden

ts c

ould

mar

k al

l th

at a

pply

, pe

rcen

tage

s m

ay n

ot a

dd u

p to

100

%.



Table 3-4-1 shows the rankings of the top five academic majors for the groups. Accounting is themost prevalent major in most groups, except for group 9 (2nd place), group 5 (3rd place), andgroup 8 (4th place). In six of the groups, a general business/management major is second. Theimportance of a finance major varies among the groups. Three majors, accounting, general business/management, and finance, appear in the top 5 of all groups. Auditing appears in the rankings of 11of the groups. Despite the importance of technology, data management systems, and the accepteduse of computer auditing, a major in information systems only appears in the top 5 of group 1 (5thplace).

Table 3-4-1Rankings of theTop Five Academic Major(s) by Group*

All Respondents

Major 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

Accounting 1 1 1 1 3 1 1 3 2 1 1 1 1Auditing 4 2 5 4 2 5 5 5 3 4 2Economics 4 3 4 1 3 1 1 3 5 5Finance 3 5 4 3 2 5 5 4 3 4 2 2 3General Business/ 2 2 5 2 4 2 4 2 4 2 4 3 4ManagementInformation Systems 5Internal Auditing 3 5 3 5




Professional Qualifications

There are many professional organizations that have qualifying tests and certifications for individualsemployed in accounting and auditing. Survey respondents were asked about their own qualificationsand CAEs were asked about certification held by employees in their departments. The top fiveareas of respondents’ professional certification are shown in Figure 3-6. More than one-third(39.4%) of the respondents have a specific certification in internal auditing and about one-fourth(26.7%) of the respondents have a certification in public accounting/chartered accountancy. Internalauditing and public accounting are the most common areas for professional certification. A muchsmaller number of respondents have certifications in information systems auditing (10.2%),management/general accounting (5.4%), and fraud examination (5.3%).

Figure 3-6Top Five Areas of Professional Certification(s)

All Respondents in Percentages*

*Since respondents were able to select all the certifications that apply, percentages may not add up to 100%.


Fraud Examination



Tabl

e 3-5

pro

vide

s spe

cific

s abo

ut th

e pro

fess

iona

l qua

lific

atio

ns o

f the

5 ca

tego

ries o

f res

pond

ents

. Int

erna

l aud

iting

is th

e mos

t com

mon

certi

ficat

ion

for r

espo

nden

ts in

all 5

cate

gorie

s fol

low

ed b

y pu

blic

acco

untin

g/ch

arte

red

acco

unta

ncy

certi

ficat

ion.

The

pos

sess

ion

of ad

ditio

nal q

ualif

icat

ions

appe

ars m

ore c

omm

on as

indi

vidu

als p

rogr

ess p

rofe

ssio

nally

in th

e IA

A. F

or e

xam

ple,

mor

e C

AEs

(40.

6%) a

nd A

udit

Man

ager

s (4

6.4%

) hav

e an

inte

rnal

aud

iting

cer

tific

atio

nth

an m

embe

rs o

f the

Aud

it St

aff (

26.8

%).

Tabl

e 3-5

Prof

essio

nal Q

ualif

icat

ion(

s)A

ll R

espo

nden

ts in

Per

cent

ages

*

Type

of P

rofe

ssio

nal

CAE

Aud

itA

udit

Seni

or/

Aud

it St

aff*

Oth

er*

Aver

age

Qua

lific

atio

nPe

rcen

t of

Man

ager

s*Su

perv

isor

*Pe

rcen

t of

Perc

ent o

fPe

rcen

t of

2,37

4Pe

rcen

t of

Perc

ent o

f1,

625

651

8,93

4R

espo

nden

ts2,

033

2,25

1R

espo

nden

tsR

espo

nden

tsTo

tal*

Res

pond

ents

Res

pond

ents

Res

pons

es

Inte

rnal

Aud

iting

(suc

h as

CIA

/40

.646

.438

.926

.844

.239

.4M

IIA

/PII

A)

Info

rmat

ion

Syst

ems A

uditi

ng11

.012

.610

.54.

612

.410

.2(s

uch

as C

ISA

/QiC

A/C

ISM

)G

over

nmen

t Aud

iting

/Fin

ance

5.1

3.1

4.3

2.7

3.5

3.7

(suc

h as

CIP

FA/C

GA

P/C

GFM

)C

ontro

l Sel

f-as

sess

men

t (su

ch4.

85.

03.

62.

05.

24.

1as

CC

SA)

Publ

ic A

ccou

ntin

g/C

harte

red

38.3

32.7

23.0

11.0

28.7

26.7

Acc

ount

ancy

(suc

h as

CA

/CPA

/AC

CA

/AC

A)

Man

agem

ent/G

ener

al6.

26.

03.

63.

67.

85.

4A

ccou

ntin

g (s

uch

as C

MA

/C

IMA

/CG

A)

Acc

ount

ing

- Tec

hnic

ian

2.1

2.9

2.5

2.9

3.4

2.8

Leve

l (su

ch a

s C

AT/A

AT)

Frau

d Ex

amin

atio

n (s

uch

7.6

5.6

4.8

2.2

6.1

5.3

as C

FE)

* N

ote:

Sin

ce r

espo

nden

ts c

ould

mar

k al

l th

at a

pply

, pe

rcen

tage

s m

ay n

ot a

dd u

p to

100

%.



Tabl

e 3-5

Prof

essio

nal Q

ualif

icat

ion(

s)A

ll R

espo

nden

ts in

Per

cent

ages

*

Type

of P

rofe

ssio

nal

CAE

Aud

itA

udit

Seni

or/

Aud

it St

aff*

Oth

er*

Aver

age

Qua

lific

atio

nPe

rcen

t of

Man

ager

s*Su

perv

isor

*Pe

rcen

t of

Perc

ent o

fPe

rcen

t of

2,37

4Pe

rcen

t of

Perc

ent o

f1,

625

651

8,93

4R

espo

nden

ts2,

033

2,25

1R

espo

nden

tsR

espo

nden

tsTo

tal*

Res

pond

ents

Res

pond

ents

Res

pons

es

Fina

ncia

l Ser

vice

s Aud

iting

5.0

3.7

3.1

1.3

0.4

2.7

(suc

h as

CFS

A/C

IDA

/CB

A)

Fello

wsh

ip (s

uch

as F

CA

/4.

22.

01.

20.

51.

11.

8FC

CA

/FC

MA

)C

ertif

ied

Fina

ncia

l Ana

lyst

0.8

0.4

0.3

0.4

1.7

0.7

(suc

h as

CFA

)

* N

ote:

Sin

ce r

espo

nden

ts c

ould

mar

k al

l th

at a

pply

, pe

rcen

tage

s m

ay n

ot a

dd u

p to

100

%.



Table 3-5-1 presents the rankings of the top five areas of professional qualifications for the groups.In only 2 of the groups (groups 7 and 11) is certification in public accounting/chartered accountancymore prevalent than internal auditing certification. The importance of certification in the areas ofinternal auditing (1st place), public accounting (2nd place), and information systems auditing (3rdplace) is consistent for 75% of the groups.

Table 3-5-1Rankings of the Top Five Professional Qualifications by Group*

All Respondents

Qualifications 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

Internal Auditing (such 1 1 1 1 1 1 2 1 1 1 2 1 1as CIA/MIIA/PIIA)Information Systems 3 3 3 3 5 3 4 5 3 2 3 3 5Auditing (such asCISA/QiCA/CISM)Government Auditing/ 3 5 4Finance (such asCIPFA/CGAP/CGFM)Control Self-assessment 4 4 4 3 5(such as CCSAPublic Accounting/ 2 2 2 2 2 2 1 2 2 3 1 2 2Chartered Accountancy(such as CA/CPA/ACCA/ACA)Management/General 4 4 5 4 5 4 5 4Accounting (such asCMA/CIMA/CGA)Accounting - 5 5 3 3Technician Level (suchas CAT/AAT)Fraud Examination 4 5 4(such as CFE)Financial Services 5Auditing (such asCFSA/CIDA/CBA)Fellowship (such as 5 4FCA/FCCA/FCMA)




Areas of Professional Experience

Table 3-6 lists the respondents’ average years of experience by business area. This data wascross-tabulated with the respondents’ current business sector.

Table 3-6Total Years of Professional Experience by Sector

All Respondents Average Responses

Type of Service Private Publicly Governmental Not-for- OverallExperience Provider Company Listed Profit Average

Company Response

Accounting 5.6 6.0 5.5 5.9 3.6 5.3Engineering 2.3 3.7 2.8 3.6 0.3 2.5External 5.4 4.5 3.1 5.6 1.1 3.9(Independent)AuditingFinance 4.7 5.1 5.1 4.7 2.2 4.4Information 4.4 5.3 5.5 4.4 1.7 4.3TechnologyInternal Auditing 5.4 6.4 6.7 7.2 4.9 6.1Management 5.2 6.1 6.0 6.4 3.4 5.4Other Professional 4.2 5.3 4.8 6.2 3.8 4.9Experience

The five areas in which respondents have the most business experience are:

• Internal auditing (6.1 years).• Management (5.4 years).• Accounting (5.3 years).• Other professional experience (4.9 years).• Finance (4.4 years).



This pattern is consistent for those currently employed by service providers, private companies,publicly listed companies, and governments. Service providers work on a contractual basis to assistorganizations with assurance and consulting engagements. The not-for-profit sector respondentsindicate less overall work experience.

In Appendix 3, Tables 3-6-1-A to 3-6-5-A provide an overview of the types of work experience foreach of the 5 categories of respondents tabulated by their current employer’s business sector.While Table 3-6-1-A shows the same top five types of professional experience for CAEs as theoverall average for all respondents in Table 3-6, CAEs have relatively more experience in each ofthe business areas.

For members of the Audit Staff, Table 3-6-4-A shows a different ranking for the top five types ofexperience than the overall average for all respondents in Table 3-6. Audit Staff members appearto have the most experience in professional areas other than those specified on the survey list. Forthe Audit Staff, accounting is the second most common area of experience and internal auditingand management are tied for third.

The respondents classified as Other in Table 3-6-5-A have significant years of experience inaccounting, internal auditing, and management. Other professional experience is also common forthese individuals. Such high levels of experience provides support that those respondents classifiedas “Other” are qualified individuals working in less traditional environments.

Years of Existence of IAA and Years of CAE Experience

Figure 3-7 on the following page lists the number of years the respondents’ IAAs have been inexistence. The largest numbers of respondents work for IAAs that have been in existence for 0-5 years (28.4%) and another 21% of the respondents work for IAAs that have been in existencefor 6-10 years. A total of 13.8% of respondent’s organizations have IAAs that have been inexistence for 31 or more years. This is a positive development for internal auditing as it shows thatgrowth has accelerated in the past 10 years. Given the corporate governance issues and regulatorydevelopments in recent years, this could be a reflection of the recognition by organizations andtheir boards of the need for internal audit.





A young department does not necessarily equate to an unskilled or weak department. NewerIAAs may employ more experienced CAEs who start an audit activity based on their priorexperiences and knowledge.

Table 3-7 provides the number of years respondent organizations have had IAAs by groups. Ingroup 5, respondents indicate that 60.5% of their IAAs are 0-5 years old and another 22.5% are 6-10 years old. Respondents in the other groups indicate between 20% - 33.9% of the IAAs arebetween 0-5 years old and an additional 16.1% - 33.1% indicate their IAAs are between 6-10years old. A review of the countries in each group and historical events explain some of thesedifferences since in some areas of the world, economies are more developed than others. InAppendix 3, Table 3-7-1-A shows the number of years respondent organizations have had IAAsby industry.

0-5 Years28.4%

41+ Years8.1%

31-40 Years5.7%

21-30 Years14.1%

11-20 Years22.7%6-10 Years

21.0%



Table 3-7Number of Years the IAA Has Existed by Groups*


Morethan

Group Respon- 0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 50dents Years Years Years Years Years Years Years Years Years Years Years Total

1 3,025 23.8 16.1 10.9 12.6 9.2 8.9 3.1 4.8 .7 4.5 5.4 100.02 188 26.1 20.7 17.0 13.3 5.9 6.9 2.7 2.7 1.1 1.1 2.5 100.03 636 25.8 26.6 11.9 10.2 5.8 7.1 2.7 1.9 .5 4.2 3.3 100.04 347 25.6 33.1 15.9 13.3 3.2 3.5 1.2 2.0 .6 .8 .8 100.05 550 60.5 22.5 8.0 2.7 1.5 1.3 .0 1.1 .2 1.3 .9 100.06 423 23.6 18.0 10.4 7.6 8.0 11.6 3.1 2.6 .9 5.2 9.0 100.07 467 23.1 20.3 13.1 9.9 8.4 11.8 2.8 3.2 .6 2.6 4.2 100.08 910 32.7 25.3 14.3 11.1 5.5 3.7 1.9 1.3 .2 1.3 2.7 100.09 118 33.9 29.7 15.3 7.6 5.1 .8 .0 .0 .8 3.4 3.4 100.0

10 125 22.4 25.6 11.2 8.0 6.4 4.8 3.2 6.4 .0 3.2 8.8 100.011 226 28.8 24.3 11.9 10.2 5.8 8.4 1.3 4.0 .9 2.2 2.2 100.012 40 20.0 27.5 10.0 10.0 5.0 12.5 2.5 .0 7.5 2.5 2.5 100.0

N/C** 692 27.6 23.3 11.6 13.0 4.8 7.4 1.4 3.6 .6 3.3 3.4 100.0Overall 7,747 2,194 1,628 914 847 529 566 181 255 48 257 328Respondentsin CategoryOverall 28.4 21.0 11.8 10.9 6.8 7.3 2.4 3.3 .6 3.3 4.2 100.0Percent inCategory

*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.



Figure 3-8 summarizes the respondents’ years of experience as CAEs. More than half (56%)indicated they have been a CAE for 5 years or less, 25% of CAE respondents have between 6 and10 years of CAE experience, and 19% of CAE respondents have more than 10 years of experiencein this position.

Figure 3-8Years of Experience as a CAE

CAE Respondents in Percentages

16 to 20 Years6%

21 or MoreYears3%

5 Years or Less56%

11 to 15 Years10%

6 to 10 Years25%



Figure 3-9 lists the average years of work experience for CAEs by groups. The overall averagenumber of years of experience as a CAE is 6.6 years. The CAEs in groups 5 (4.5 years) and 12(4.7 years) have less experience as a CAE than their peers. The CAEs in groups 6 (8.2 years), 10(8.1 years), and 11 (8.1 years) have relatively more experience as a CAE than the overall average.

Figure 3-9Average Years of Experience as a CAE by Groups*

CAE Respondents

*For a list of groups, please see the inside back cover. **N/C = Respondents did not indicate Affiliate or Chapter membership.

Average Years of Experience



Types of Organizations

As indicated in Figure 3-10, when asked about their current employers, 38% of all respondentsindicate that they work for a publicly traded (listed) company, while 19.5% work for a privatelyheld (non-listed) company. Twenty-three percent of all respondents currently work in the publicsector and 10.5% work for a service provider or as a consultant. Internal auditing is performed bymembers of the IAA as well as by external service providers and consultants.

Figure 3-10Types of Organizations

All Participants (8.848) in Percentages

6.2%

23.0%

19.5%

38.0%

10.5%

2.8%

0% 5% 10% 15% 20% 25% 30% 35% 40%

Other

Not-for-Profit Organization

Public Sector / Government

Privately Held (Non-listed) Company

Publicly Traded (Listed) Company

Service Provider / Consultant




While Table 3-8 shows that sector representation is relatively consistent for all 5 categories ofrespondents, only 44.5% of the Other respondents work in traditional public or private companies.Publicly traded and private (non-listed) employers tend to represent approximately 53% to 60% ofthe other four categories. The Other four respondent categories have the highest percentage(17.3%) of respondents working for service providers. This is approximately double that of CAEs,Senior/Supervisors, and Audit Staff members.

Table 3-8Types of Organizations


Type of CAE Audit Audit Audit Staff Other OverallOrganization Percent of Managers Senior/ Percent of Percent of Average

2,356 Percent of Supervisor 1,608 637 of Percent ofRespondents 2,016 Percent of Respondents Respondents 8,848

Respondents 2,231 TotalRespondents Responses

Service 8.8 13.5 9.2 8.3 17.3 10.5Provider/ConsultantPublicly 34.9 42.2 40.7 37.1 29.7 38.0Traded(Listed)CompanyPrivately 24.9 18.3 18.4 16.2 14.8 19.5Held(Non-listed)CompanyPublic Sector/ 21.9 18.5 23.7 30.3 20.6 23.0GovernmentNot-for-Profit 7.1 5.4 6.3 5.2 7.1 6.2OrganizationOther 2.4 2.1 1.7 2.9 10.5 2.8Total 100.0 100.0 100.0 100.0 100.0 100.0



Table 3-8-1 summarizes information about the types of organizations represented within the groups.Compared to the overall average of respondents working for service providers/consultants (shownin Table 3-8 as 10.5%), group 4 (4.1%) is well below the overall average and group 11 (18.3%) issignificantly above the overall average. Publicly traded company representation is considerablybelow the overall average of 38% in group 2 (24.9%), while much above the overall average ingroups 4 (68.8%) and 11 (49.3%). Privately held company representation is greatly above theoverall average of 19.5% in groups 9 (38.1%) and 8 (30.8%). Compared to the public sectoroverall average of 23%, groups 4 (4.4%), 9 (10.3%), and 11 (12.9%) are much lower, and groups2 (42.7%), 10 (35.4%), and 3 (35.3%) are well above the overall average. Not-for-profit organizationsare represented significantly below the overall average of 6.2% in groups 5 (1.9%) and 10 (2.1%),but much above the overall average in group 12 (17.0%).

Table 3-8-1Types of Organizations by Group*All Respondents in Percentages

Type of 1 2 3 4 5 6 7 8 9 10 11 12 N/C**Organization

Service Provider/ 10.0 12.2 13.8 4.1 11.8 12.0 11.9 9.5 7.1 8.3 18.3 10.6 9.4ConsultantPublicly Traded 41.6 24.9 31.3 68.8 27.4 35.5 28.6 37.5 31.8 36.1 49.3 27.7 31.8(Listed) CompanyPrivately Held 14.8 11.3 12.0 16.9 23.5 25.6 28.7 30.8 38.1 14.6 13.7 19.2 23.9(Non-listed)CompanyPublic Sector/ 22.7 42.7 35.3 4.4 31.3 19.9 20.4 17.6 10.3 35.4 12.9 23.4 23.2GovernmentNot-for-Profit 8.9 7.0 4.4 3.3 1.9 5.7 5.6 3.4 3.2 2.1 3.3 17.0 5.3OrganizationOther 2.0 1.9 3.2 2.5 4.1 1.3 4.8 1.2 9.5 3.5 2.5 2.1 6.4Total 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0




Service Providers of Internal Audit Services

Internal auditing is performed by members of the IAA as well as by external service providers. Asshown in Figure 3-11, 14% of the survey respondents provide internal audit services to clientorganizations. As some respondents did not answer all the questions, this percentage is close to butnot totally consistent with Figure 3-10, which indicates that 10.5% of respondents work for aservice provider or consulting company.

Figure 3-11Service Provider of Internal Audit Services


ServiceProvider14.0%

In-houseInternal

Audit Activity86.0%



Age of OrganizationsTable 3-9 reports on how long respondents’ organizations have been in existence. A separatecorrelation test performed by the researchers confirmed that there is a relationship between howlong an organization has been in existence and how long the organization has had an IAA.

Table 3-9Number of Years Organizations Have Existed


Number of Years Total Responses Percentage of TotalRespondents

0-5 590 7.26-10 856 10.511-15 648 7.916-20 496 6.121-25 321 3.926-30 442 5.431-35 299 3.736-40 355 4.341-45 165 2.046-50 461 5.6

More than 50 years 3,532 43.4Total 8,165 100.0

In Appendix 3, Table 3-9-1-A lists the number of years the respondents’ organizations have existedby group. Groups 1, 2, 6, and 10 have a large number of respondents (43.5% - 59.3%) working inorganizations that are more than 50 years old. Groups 4, 5, and 11 have respondents whoseorganizations have greater than 24% of their organizations (24.1% - 29.4%) that are less than 11years old. Respondents for group 12 indicate that none of their employer organizations are over 70years old.



Industry Classification(s)

The survey population covers a broad range of industries. Since the respondents were asked toselect all industries that applied to their organization, the total of the industries selected is greaterthan 100%. Figure 3-12 on the following page classifies survey respondents by the industry inwhich they work. The top 10 industries indicated by respondents are:

1. Banking/Financial Services/Credit Union (24.5%).2. Other (13.9%).3. Manufacturing (13.4%).4. Financial, Accounting, and/or Business Services (11.1%).5. Insurance (9.3%).6. Utilities (7.9%).7. Education (7.0%).8. Communication/Telecommunication (7.0%).9. Healthcare (6.4).

10. Retail/Wholesale (6.2%).



Figu

re 3

-12

Indu

stry

Cla

ssifi

catio

nA

ll R

espo

nden

ts (8

,934

) in

Perc

enta

ges*

Perc

enta

ge o

f Res

pond

ents

*Res

pond

ents

wer

e ab

le t

o se

lect

all

the

clas

sifi

catio

ns t

hat

appl

y, r

esul

ting

in a

tot

al g

reat

er t

han

100%

.



Table 3-10 indicates that this pattern is basically consistent for all 5 categories of respondents.

Table 3-10Industry Classification


Industry CAE* Audit Audit Senior/ Audit Staff* Other* AverageClassification Percent of Manager* Supervisor* Percent of Percent of Percent of

2,374 Percent of Percent of 1,625 651 8,934Respondents 2,033 2,251 Respondents Respondents Total

Respondents Respondents Responses*

Agricultural/ 2.9 3.0 2.7 2.7 3.8 3.0ForestryBanking/ 25.3 25.3 24.8 26.5 20.6 24.5FinancialServices/Credit UnionBuilding and 5.4 5.3 3.8 3.1 3.4 4.2ConstructionCommunication/ 6.8 9.0 6.6 6.5 6.0 7.0Telecommuni-cationConsumer 5.6 6.5 4.1 3.1 4.6 4.8GoodsEducation 8.1 5.3 5.0 5.0 11.7 7.0Financial, 7.8 10.1 10.2 10.3 17.2 11.1Accounting,and/or BusinessServicesHealthcare 6.4 7.7 6.3 5.4 6.0 6.4Hospitality/ 4.3 4.6 2.6 2.5 2.9 3.4Leisure/TourismInsurance 9.2 10.3 11.2 10.3 5.4 9.3Manufacturing 14.3 14.4 13.1 11.5 13.8 13.4Mining and Oil 4.5 5.0 5.4 3.0 4.5 4.5Non- 1.0 1.7 0.8 0.7 1.7 1.2professionalServices

*Note: Since respondents could mark all that apply, percentages may not add up to 100%.



Table 3-10 (Cont.)Industry Classification


Industry CAE* Audit Audit Senior/ Audit Staff* Other* AverageClassification Percent of Manager* Supervisor* Percent of Percent of Percent of

2,374 Percent of Percent of 1,625 651 8,934Respondents 2,033 2,251 Respondents Respondents Total*


Pharmaceutical/ 3.4 3.7 2.5 1.9 3.1 2.9ChemicalProfessional 4.7 4.9 3.6 3.2 5.8 4.4ServicesReal Estate 4.0 4.1 2.8 2.4 2.5 3.2Retail/Wholesale 6.7 8.8 6.4 4.3 4.6 6.2Technology 5.5 6.1 4.3 3.9 5.2 5.0Trade Services 2.6 2.7 1.6 1.3 1.7 2.0Transport and 7.0 5.9 5.3 5.5 4.8 5.7LogisticsUtilities 7.5 8.4 8.3 7.6 7.8 7.9Other 14.2 12.1 12.5 14.8 16.1 13.9

*Note: Since respondents could mark all that apply, percentages may not add up to 100%.

Table 3-10-1 provides an overview of the industry representation in each of the groups. The largestgroup of respondents overwhelmingly work in the manufacturing sector in groups 4 (46.8%) and11 (31.3%). These are significantly larger percentages than the total respondents’ average formanufacturing of 13.4% shown in Figure 3-12. The banking/financial services/credit union sectoris considerably above the total respondents’ average of 24.5% in groups 7 (37.9%) and 6 (36.7%)but considerably below the average in group 4 (9.1%). The education sector is well represented ingroup 2 (15.8%) which is well above the total respondents’ average of 7%. In groups 4 (3.8%) and7 (5.3%), the financial, accounting, and/or business services industry is less prevalent than elsewherewhen compared with the total respondents’ average of 11.1%. The insurance industry has muchless representation in groups 11 (4.0%), 5 (4.9%), and 4 (5.9%) than the total respondents’ averageof 9.3%. In groups 4 (2.2%) and 9 (3%), organizations with employees in the utilities sector ismuch lower than the average of 7.9% for all respondents.



Table 3-10-1Industry Classification by Group*All Respondents in Percentages

Industry 1 2 3 4 5 6 7 8 9 10 11 12 N/C**Classification

Agricultural/ 2.6 5.1 4.9 0.8 3.3 2.2 5.9 1.6 1.5 4.1 2.4 8.3 1.6ForestryBanking/Financial 22.2 20.5 22.3 9.1 25.0 36.7 37.9 27.3 30.3 25.3 21.3 22.9 21.1Services/CreditUnionBuilding and 3.3 8.4 5.3 3.0 5.6 2.4 6.6 4.5 8.3 6.2 10.4 2.1 2.9ConstructionCommunication/ 4.6 6.1 7.4 5.4 9.1 5.8 10.0 13.1 5.3 8.9 10.4 10.4 5.2TelecommunicationConsumer Goods 3.8 6.1 3.4 3.2 4.3 3.9 8.9 5.6 14.4 4.8 13.7 2.1 3.4Education 8.1 15.8 9.4 2.2 3.3 3.7 5.5 1.7 2.3 8.2 8.0 12.5 3.2Financial, 10.8 11.2 15.0 3.8 9.1 8.9 5.3 8.2 9.1 10.3 14.1 16.7 6.7Accounting,and/or BusinessServicesHealthcare 8.7 13.0 7.8 1.3 3.6 6.7 5.1 3.2 4.6 5.5 5.2 4.2 2.5Hospitality/ 3.4 5.6 4.9 2.2 2.8 1.5 2.3 3.9 7.6 3.4 9.2 2.1 1.7Leisure/TourismInsurance 11.3 10.7 8.6 5.9 4.9 10.4 7.0 13.3 10.6 15.1 4.0 6.3 5.7Manufacturing 11.8 9.3 8.4 46.8 11.7 10.6 12.1 9.1 13.6 13.7 31.3 6.3 10.6Mining and Oil 3.4 5.6 6.8 2.7 8.1 1.9 9.1 4.6 6.1 4.8 7.2 10.4 1.9Non-professional 0.6 5.1 1.5 1.3 0.5 0.7 1.5 1.5 0.0 1.4 1.6 2.1 1.2ServicesPharmaceutical/ 2.0 1.9 2.2 1.9 3.1 5.0 4.4 4.2 4.6 1.4 5.6 0.0 3.0ChemicalProfessional 4.4 9.3 4.5 4.8 2.8 2.8 6.1 2.4 2.3 4.1 5.2 4.2 3.7ServicesReal Estate 3.0 3.7 3.3 1.9 2.6 2.6 4.0 3.4 4.6 8.9 4.0 4.2 2.9Retail/Wholesale 7.0 8.4 7.2 4.8 6.9 4.3 7.6 4.1 12.9 4.8 9.2 2.1 4.2Technology 5.2 6.1 4.9 4.0 2.8 3.7 4.2 5.3 3.8 4.8 14.1 2.1 3.0Trade Services 0.9 2.8 2.3 2.7 3.3 0.9 4.4 3.0 5.3 1.4 7.2 0.0 1.4Transport and 4.0 9.8 7.5 3.2 6.4 7.1 4.9 9.6 4.6 7.5 9.6 16.7 4.2LogisticsUtilities 7.7 10.2 5.4 2.2 12.2 5.8 9.7 12.1 3.0 5.5 6.4 4.2 4.8Other 13.3 23.3 20.3 6.2 14.5 13.0 11.0 10.7 15.2 15.8 12.9 12.5 9.0

Note: Since respondents could mark all that apply, percentages may not add up to 100%.*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate Affiliate or Chapter membership.



Geographical Area Served by Organization

Recognizing that companies compete differently, in part based on the locations they serve, datawas collected on the geographical areas served by the respondents’ organizations. Their responsesare shown in Figure 3-13. Of the respondents, 39.2% of the respondents indicate that their employeroperates on an international/multinational scale, while 29.1% of employers operate on a nationalscale. The remaining 31.7% operate on a local, state/provincial, or regional basis.

Figure 3-13Geographical Area Served by the Organization


Table 3-11 indicates that the geographical regions served by the organizations employing therespondents are fairly consistent. Table 3-11-1 provides more detail on the geographical areaserved by the organizations for each of the 13 groups. Comparing these two tables, international/multinational companies represent more than half of the respondents in groups 6 (58.6%) and 8(53.4%) compared to the average percentage of 39.2% for all respondents. National companiesseem to be more prevalent than the total average percentage of 29.1% in groups 10 (42.6%) and12 (41.2%), while group 6 (19.7%) is well under the average percentage. Companies servingstate/provincial regions are significantly above the average percentage response (10.9%) in group2 (23.1%).




Tabl

e 3-1

1G

eogr

aphi

cal A

rea

Serv

ed b

y th

e Org

aniz

atio

nA

ll R

espo

nden

ts in

Per

cent

ages

Are

aCA

EA

udit

Man

ager

sA

udit

Seni

or/

Aud

it St

aff

Oth

erAv

erag

ePe

rcen

t of

Perc

ent o

fSu

perv

isor

Perc

ent o

fPe

rcen

t of

Perc

ent o

f2,

326

2,00

4Pe

rcen

t of

1,58

862

08,

750

Tota

lR

espo

nden

tsR

espo

nden

ts2,

212

Res

pond

ents

Res

pond

ents

Res

pond

ents

Res

pond

ents

Loc

al14

.68.

99.

411

.116

.612

.1St

ate/

Prov

inci

al11

.88.

910

.311

.911

.610

.9Re

gion

al10

.76.

89.

38.

28.

78.

7N

atio

nal

27.0

29.7

27.3

32.9

28.4

29.1

Inte

rnat

iona

l/35

.945

.743

.735

.934

.739

.2M

ultin

atio

nal

Tota

l10

0.0

100.

010

0.0

100.

010

0.0

100.

0

Tabl

e 3-1

1-1

Geo

grap

hica

l Are

a Se

rved

by

Gro

up*

All

Res

pond

ents

in P

erce

ntag

es

Are

a1*

23

45

67

89

1011

12N

/C**

Loca

l14

.69.

413

.519

.46.

84.

87.

22.

37.

45.

021

.313

.013

.2St

ate/

Prov

inci

al17

.323

.18.

23.

214

.47.

91.

90.

82.

54.

31.

72.

26.

6Re

gion

al11

.04.

35.

19.

18.

59.

07.

86.

012

.32.

88.

84.

69.

3N

atio

nal

22.4

33.0

33.4

26.1

34.6

19.7

36.9

37.5

37.7

42.6

28.0

41.2

34.9

Inte

rnat

iona

l/M

ultin

atio

nal

34.7

30.2

39.8

42.2

35.7

58.6

46.2

53.4

40.1

45.3

40.2

39.0

36.0

Tota

l10

0.0

100.

010

0.0

100.

010

0.0

100.

010

0.0

100.

010

0.0

100.

010

0.0

100.

010

0.0

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**N

/C =

Res

pond

ents

did

not

ind

icat

e A

ffili

ate

or C

hapt

er m

embe

rshi

p.



References

1. Clemmons, D.L., “2006 A year of growth and change,” IIA Insight, Vol. 1/November 2006, p. 5.



APPENDIX 3

Table 3-6-1-ATotal Years of Professional Experience by Sector

CAEs’ Average Responses

Type of Service Private Publicly Governmental Not-for- AverageExperience Provider Company Listed Profit Response

Company

Accounting 7.3 6.9 6.8 6.9 4.5 6.5Engineering 5.0 4.9 3.8 4.6 1.0 3.9External 7.1 6.2 4.4 7.5 1.8 5.4(Independent)AuditingFinance 6.1 6.8 6.8 6.1 2.7 5.7Information 5.8 6.1 4.9 4.2 3.5 4.9TechnologyInternal Auditing 6.9 8.1 8.3 8.9 7.1 7.9Management 6.9 7.5 7.2 8.2 5.2 7.0Other Professional 5.2 6.7 5.4 6.7 4.4 5.7Experience


Audit Managers’ Average Response

Type of Service Private Publicly Listed Governmental Not-for- AverageExperience Provider Company Company Profit Response

Accounting 6.0 6.2 5.7 5.7 4.0 5.5Engineering 1.9 3.3 3.5 4.7 0.5 2.8External 4.9 4.8 3.0 5.4 1.0 3.8(Independent)AuditingFinance 4.7 5.0 4.7 4.6 1.7 4.1Information 4.4 5.8 7.1 5.8 1.8 5.0TechnologyInternal 5.9 7.4 7.8 8.0 4.8 6.8AuditingManagement 5.0 6.1 6.5 6.2 3.9 5.5Other 3.4 4.7 4.7 6.9 3.6 4.7ProfessionalExperience



Table 3-6-3-ATotal Years of Professional Experience by SectorAudit Supervisors’/Seniors’ Average Response




Audit Staffs’ Average Response






Others’ Average Response


Accounting 7.3 6.8 5.5 6.9 6.2 6.5Engineering 3.5 3.3 2.7 2.5 0 2.4External 6.4 3.1 3.1 7.1 1.1 4.2(Independent)AuditingFinance 6.1 6.5 5.6 4.6 4.4 5.4Information 4.4 4.7 5.1 4.6 1.5 4.1TechnologyInternal 5.4 7.0 7.0 6.3 4.8 6.1AuditingManagement 5.7 6.9 6.4 5.4 4.8 5.8Other 4.6 4.7 4.8 6.5 7.8 5.7ProfessionalExperience



Tabl

e 3-7

-1-A

Num

ber o

f Yea

rs th

e IA

A H

as E

xist

ed b

y In

dust

ryA

ll R

espo

nden

ts in

Per

cent

ages

0-5

6-10

11-1

516

-20

21 -2

526

-30

31-3

536

-40

41-4

546

-50

Mor

eYe

ars

Year

sYe

ars

Year

sYe

ars

Year

sYe

ars

Year

sYe

ars

Year

sth

an 5

0Y

ears

Num

ber

of R

espo

nden

ts2,

191

1,62

891

484

752

956

618

125

548

257

328

Agr

icul

tura

l/For

estry

2.6

3.1

3.1

2.2

1.9

3.5

2.8

3.5

4.2

3.5

2.4

Ban

king

/Fin

anci

al S

ervi

ces/

Cre

dit U

nion

17.4

21..9

26.7

27.3

27.8

32.7

26.5

34.9

41.7

37.7

44.5

Bui

ldin

g an

d C

onst

ruct

ion

5.8

4.8

4.5

5.1

1.7

3.4

2.2

5.5

6.3

3.1

3.4

Com

mun

icat

ion

and

Tele

com

mun

icat

ions

8.8

9.4

7.4

5.4

6.2

4.6

6.6

6.7

0.0

3.5

4.9

Con

sum

er G

oods

5.8

5.8

4.8

5.3

2.5

2.3

3.3

5.5

2.1

3.5

4.3

Educ

atio

n5.

15.

86.

37.

76.

47.

49.

99.

08.

35.

44.

0Fi

nanc

ial,

Acc

ount

ing,

or B

usin

ess

10.2

10.4

9.8

7.8

7.9

9.2

9.4

9.8

6.3

8.9

9.8

Serv

ices

Hea

lthca

re7.

97.

05.

46.

74.

75.

75.

05.

52.

14.

35.

2H

ospi

talit

y/Le

isur

e/To

uris

m3.

65.

04.

93.

21.

71.

9.6

3.5

2.1

1.6

1.8

Insu

ranc

e7.

48.

512

.412

.311

.710

.47.

712

.26.

38.

910

.7M

anuf

actu

ring

16.1

16.0

14.0

13.1

8.5

8.3

9.4

12.9

8.3

12.8

11.6

Min

ing

and

Oil

5.5

3.9

4.2

5.8

3.2

5.7

1.1

3.9

6.3

4.3

2.4

Non

-pro

fess

iona

l Ser

vice

s1.

1.7

1.4

1.4

.8.5

1.7

1.2

4.2

.41.

2Ph

arm

aceu

tical

/Che

mic

al3.

62.

92,

73.

31.

71.

93.

94.

32.

12.

32.

7Pr

ofes

sion

al S

ervi

ces

4.6

5.4

4.3

3.4

2.3

3.4

2.2

3.1

0.0

2.7

3.0

Rea

l Est

ate

4.3

2.8

3.5

3.8

2.3

1.9

2.2

4.3

4.2

1.6

3.0

Ret

ail/W

hole

sale

7.2

7.2

6.3

5.9

4.5

5.3

3.3

11.0

12.5

5.8

8.5

Tech

nolo

gy5.

95.

94.

55.

02.

54.

13.

34.

70.

03.

55.

8Tr

ade S

ervi

ces

2.4

2.9

1.9

1.8

.91.

22.

22.

70.

0.8

2.1

Tran

spor

t and

Log

istic

s6.

87.

06.

55.

04.

36.

06.

67.

12.

14.

73.

4U

tiliti

es8.

75.

87.

87.

47.

09.

98.

810

.68.

313

.29.

5O

ther

15.0

13.1

13.9

12.6

11.2

12.2

14.9

10.6

10.4

8.9

11.9



Table 3-9-1-ANumber of Years Organizations Have Existed by Groups*


Group Respondents 0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 More TotalYears Years Years Years Years Years Years Years Years Years than

50Years

1 3241 4.4 6.8 4.7 4.8 3.9 5.0 3.7 4.8 1.7 5.7 54.5 100.02 189 8.5 11.1 3.7 6.3 3.7 6.9 4.2 2.6 2.1 7.4 43.5 100.03 648 8.3 13.1 9.3 5.9 5.4 5.1 3.1 5.2 1.4 5.7 37.5 100.04 354 11.6 17.8 9.9 12.7 3.4 9.0 5.9 5.1 4.0 3.7 16.9 100.05 552 12.0 17.4 24.8 6.7 2.2 3.1 2.2 3.1 1.1 4.3 23.1 100.06 434 4.8 8.5 6.0 2.5 1.8 4.4 2.5 3.7 .9 8.5 56.4 100.07 504 6.0 14.1 10.3 5.0 4.0 6.7 5.0 3.4 3.6 6.5 35.4 100.08 954 11.3 10.6 7.0 6.2 3.6 5.8 2.5 4.8 1.5 5.6 41.1 100.09 125 8.0 9.6 7.2 13.6 11.2 3.2 7.2 1.6 5.6 8.0 24.8 100.0

10 135 6.7 6.7 3.7 4.4 3.0 3.7 5.2 1.5 3.7 2.2 59.2 100.011 228 11.4 12.7 10.1 11.0 8.3 6.1 5.7 6.1 4.8 4.8 18.8 100.012 39 5.1 10.3 7.7 10.3 5.1 15.4 10.3 10.3 7.7 0.0 17.8 100.0

N/C** 762 8.7 14.3 9.4 7.9 3.5 6.2 3.1 3.3 1.8 5.4 36.4 100.0Total/ 8165 590 856 648 496 321 442 299 355 165 461 3532

OverallRespondentsin Category

OverallPercent inCategory 7.2 10.5 7.9 6.1 3.9 5.4 3.7 4.3 2.0 5.6 43.4 100.0

*For a list of affiliate groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.



_______________________________ Chapter 4: The Professional Practices Framework 105


CHAPTER 4THE PROFESSIONAL PRACTICES

FRAMEWORK

Introduction

The Institute of Internal Auditors’ (IIA) (2005) Professional Practices Framework (PPF) consistsof the Definition of Internal Auditing, The IIA’s Code of Ethics, International Standards for theProfessional Practice of Internal Auditing (Standards), and Practice Advisories.” The IIA’sCode of Ethics and the Standards are considered mandatory by The IIA for all those who provideinternal auditing services. Guidance regarding how the Standards might be applied is included inPractice Advisories that are issued by The IIA’s Professional Issues Committee. The PracticeAdvisories are endorsed by The IIA and are strongly recommended.

This chapter first summarizes the extent to which respondents use and are in compliance with TheIIA’s Standards and the related Practice Advisories as of September 2006, when the CBOKquestionnaires were distributed. Next, respondents’ opinions regarding the adequacy of the guidanceprovided in the Standards and Practice Advisories is presented. Then there is a discussion of thereasons why some respondents do not comply with the Standards. Another section reviewsrespondents’ compliance with Standard 1300, Quality Assurance and Improvement Program. Thechapter concludes with a brief discussion about affiliate responses concerning their areas’compliance with The IIA’s Code of Ethics. For reference, The IIA’s Standards, Practice Advisories,and Glossary to the Standards as of September 2006 are included in Appendix 4-A located at theend of this chapter. The Standards employ terms that have been given specific meanings that areincluded in the Glossary.

Diverse legal and cultural variations together with the purpose, size, and structure of organizationsmay affect the practice of internal auditing. The IIA regards full compliance with the Standards asessential for internal audit activities (IAAs) to meet their responsibilities to their organizations. Ifinternal auditors are prohibited by law or regulation from complying with certain parts of theStandards, The IIA believes they should comply with all other parts of the Standards and makeappropriate disclosures.



The Standards were developed to serve the following purposes:

• Delineate basic principles that represent the practice of internal auditing as it should be.• Provide a framework for performing and promoting a broad range of value-added internal

audit activities.• Establish the basis for the evaluation of internal audit performance.• Foster improved organizational processes and operations.

The Standards are continuously reviewed to determine when a revision is necessary. The lastmajor revision occurred when the Board of Directors of The IIA voted to approve a new definitionof internal auditing in 1999 and to update the PPF. The IIA considered the new Standards mandatoryfor all those that provide internal auditing services as of January 1, 2004. In December 2005, TheIIA’s Executive Committee approved a plan to revise The IIA’s current guidance structure.

The Standards consist of Attribute Standards, Performance Standards, and ImplementationStandards. The Attribute Standards address the characteristics of organizations and partiesperforming internal audit services. The Performance Standards describe the nature of internalaudit services and provide quality criteria against which the performance of these services may beevaluated. Implementation Standards expand on the Attribute and Performance Standards byproviding guidance on specific types of engagements for assurance and consulting. The Attributeand Performance Standards apply to all internal audit activities and are divided into the followingcategories:

Attribute Standards

1000 – Purpose, Authority, and Responsibility1100 – Independence and Objectivity1200 – Proficiency and Due Professional Care1300 – Quality Assurance and Improvement Program

Performance Standards

2000 – Managing the Internal Audit Activity2100 – Nature of Work2200 – Engagement Planning2300 – Performing the Engagement2400 – Communicating Results2500 – Monitoring Progress2600 – Resolution of Management’s Acceptance of Risks



CBOK 2006 Survey Questions Related to the Standards

The main objective of the CBOK 2006 study is to develop a summary of the global practice ofinternal auditing around the world. The questions included in the CBOK survey pertaining to theStandards were developed to determine the following:

• The extent to which internal auditors and their internal audit activities (IAAs) comply withthe Attribute Standards, Performance Standards, and Practice Advisories.

• The level of compliance by internal auditors and their IAAs with individual Standards andPractice Advisories.

• Whether or not the guidance in the Standards is perceived by users to be adequate.• The reasons for noncompliance with the Standards.• Whether internal auditors and IAAs comply with the standards relating to quality assurance

and improvement program.



• Not all questions were asked of all respondents:o Some questions were asked only of CAEs (those in the highest position within the



Some participants’ responses are presented according to the respondents’ position in the IAA.These more detailed summaries of results may be provided for the five categories of respondents:CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in theOther category consist primarily of other professional staff whose position is not captured by thetraditional job titles included in the survey. A review of their credentials indicates they may bemembers of the IAA, employed by service providers, or in organizations where their titles are lesstraditional but with duties within internal auditing.



When relevant, results are given for each of the groups. The groups are explained in Chapter 1.For a list of groups, please refer to the inside back cover of the report. Some tables have additionaldetails. For example, Table 4-14 is the total of all respondents for that question with a related Table4-14-1 showing the responses by group. A table can have more than one related table, where thesecond related table would be Table 4-14-2. Additional related tables may be located in Appendix4-B at the end of this chapter. A table that is in the Appendix can be clearly identified by an “A” atthe end of its number. For example, Table 4-3-1-A is located in Appendix 4-B.

Use of the Standards in Whole or in Part

All respondents were asked if their organizations use the Standards in whole or in part. Of the9,366 potential respondents, 8,647 responded to this question. A total of 7,085 (81.9%) of thoseresponding noted that they use the Standards in whole or in part and 1,562 (18.1%) noted that theydo not comply with the Standards. Those respondents that do not use the Standards were told toskip the questions on compliance and go directly to the questions asking why they do not use theStandards.

Figure 4-1 shows the replies to this question by the respondents’ position in the IAA. While verysimilar results are reported by the respondents in other positions in the department, the highestincidence of use in whole or in part is reported by CAEs (85.1%) who should be in the best positionin the IAA to judge whether the Standards are being applied.

Figure 4-1Organizations’ Use of the Standards in Whole or in Part by Staff Level





Use of the Standards by Industry in Whole or in Part

Table 4-1 provides a list of the respondents’ use of the Standards in whole or in part by industryand by position in the IAA. The four industries where respondents indicate the most usage of theStandards in whole or in part are:

• Trade Services (88%).• Professional Services (87.1%).• Building and Construction (86.8%).• Utilities (86.7%).

The five industries where the respondents indicate the least usage of the Standards in whole or inpart are:

• Pharmaceutical/Chemical (80.2%).• Real Estate (80.4%).• Non-professional Services (81.3%).• Manufacturing (82.2%).• Healthcare (82.2%).

Overall, there is a high level of usage of the Standards in whole or in part by all industries.



Table 4-1Use of the Standards in Whole or in Part by Industry and Position in the IAA


Industry Number of CAE Audit Audit Audit Other AverageRespondents Manager Senior/ Staff

Supervisor

Agricultural/Forestry 254 88.1 91.7 78.3 88.4 75.0 85.4Banking/Financial Services/ 2,178 84.8 86.4 83.2 84.1 81.5 84.4Credit UnionBuilding and Construction 387 89.8 89.7 77.9 91.8 77.8 86.8Communication/ 626 88.7 87.8 76.9 88.5 88.9 85.6TelecommunicationConsumer Goods 427 86.4 84.8 76.1 78.7 83.3 82.7Education 554 89.4 81.0 85.8 86.3 64.2 83.6Financial, Accounting, 870 92.3 87.6 85.0 81.5 79.6 85.9and/or Business ServicesHealthcare 566 87.2 83.0 84.4 77.9 59.5 82.2Hospitality/Leisure/Tourism 306 87.3 86.8 74.1 80.0 86.7 83.7Insurance 861 88.9 88.5 83.0 83.8 86.2 86.1Manufacturing 1,166 86.5 86.8 77.7 77.1 75.0 82.2Mining and Oil 396 92.4 88.2 77.3 84.4 84.0 85.4Non-professional Services 96 95.8 85.3 76.5 70.0 54.5 81.3Pharmaceutical/Chemical 257 83.8 82.7 72.7 82.8 72.2 80.2Professional Services 372 90.1 94.8 80.2 83.7 77.1 87.1Real Estate 291 84.0 84.1 79.0 73.7 60.0 80.4Retail/Wholesale 568 87.2 85.3 78.3 74.2 80.8 82.6Technology 439 88.5 91.1 75.0 73.3 80.0 83.6Trade Services 183 93.4 96.3 77.8 81.0 63.6 88.0Transport and Logistics 511 88.3 84.9 73.7 81.8 85.7 83.0Utilities 694 88.0 88.0 88.0 85.2 76.1 86.7Other 1,181 83.3 83.4 78.5 78.7 61.5 79.5

Compliance with the Standards

For those 7,085 respondents that indicate they use the Standards in whole or in part, the nextsurvey question asked if their organizations were in full compliance, partial compliance, not incompliance, or they did not know their organizations’ level of compliance for each of the individual



standards. According to The IIA’s Tool 19, Standards Compliance Evaluation Summary, of theQuality Assessment Manual, 5th Edition, the extent of compliance with the Standards is expressedas either “generally conforms,” “partially conforms,” or “does not conform.” General conformance(full compliance in the questionnaire) implies that the “relevant structures, policies, and proceduresof the activity, as well as the processes by which they are applied, comply with the requirements ofthe individual Standard…in all material aspects.” Partial conformance (partial compliance in thequestionnaire) means the “activity is making good-faith efforts to comply with the requirements ofthe individual Standard.” Does not conform (not in compliance in the questionnaire) means “theactivity is not aware of, is not making good-faith efforts to comply with, or is failing to achievemany/all of the objectives of the individual Standard.”

For those that indicate their organizations use the Standards in whole or in part, Table 4-2 summarizesall respondents’ input and compares the responses of the CAEs and Practitioners concerningwhether their IAAs fully comply, partially comply, or do not comply with an individual standard.Eighty-five percent (85.5%) of the 7,085 respondents’ IAAs that noted standards usage eitherfully comply (57.2%) or partially comply (28.3%) with the Standards. Of the respondents, 10.6%do not know whether their IAAs comply with any of the Standards.

Table 4-2*Organizations Compliance Levels with the Standards

CAE, Practitioner, and All Respondents in Percentages

CAE Practitioner All Respondents

Full compliance 59.9 56.1 57.2Partial compliance 31.6 26.8 28.3Not in compliance 4.2 3.8 3.9Do not know 4.3 13.3 10.6Total 100.0 100.0 100.0

*Table 4-2 was compiled from Tables 4-3-1-A, 4-3-2-A and 4-3-3-A in Appendix 4-B.

The percentage of CAEs who do not know whether their IAAs comply with the Standards ismuch lower (4.3%) than that of Practitioners (13.3%). This may be due to the CAEs’ position asleader of the IAA providing them with more insight into the use of the Standards. It would appearthat CAEs have more direct access to judge the use of the Standards than other members of theIAA.



As shown in Table 4-2, when asked about compliance to individual standards, 59.9% of CAErespondents and 56.1% of Practitioner respondents say that they are in full compliance with theStandards when in fact they are not. Table 4-3 shows that only 33.2% of CAE respondents and43% of Practitioner respondents indicate they comply with Standard 1300. The IIA’s position isthat full compliance means full compliance with all the Standards.

Table 4-3 reveals that for CAE respondents, the four standards with the highest percentage of fullcompliance are Standards 1100 (73.6%), 2400 (68.6%), 1000 (68.1%), and 1200 (67%). Thismakes sense as three of the standards, 1100, Independence and Objectivity, 2400, CommunicatingResults, 1000, Purpose, Authority, and Responsibility, are all direct responsibilities of CAEs. Allwork, regardless of who performs it, should be done in accordance with Standard 1200, Proficiencyand Due Professional Care.

Table 4-3Full or Partial Compliance with the Standards


Standard CAE Practitioner All RespondentsFull Partial Full Partial Full Partial

1000 – Purpose, Authority, and 68.1 26.7 60.8 24.2 63.0 25.0Responsibility1100 – Independence and 73.6 22.0 64.1 22.2 66.9 22.2Objectivity1200 – Proficiency and Due 67.0 28.3 61.1 25.1 62.9 26.1Professional Care1300 – Quality Assurance and 33.2 45.0 43.0 31.7 40.0 35.7Improvement Program2000 – Managing the Internal 61.8 32.0 55.8 27.5 57.6 28.9Audit Activity2100 – Nature of Work 59.3 32.8 56.8 26.9 57.5 28.72200 – Engagement Planning 60.4 32.5 56.7 27.5 57.7 29.02300 – Performing the Engagement 62.1 31.8 58.7 26.7 59.7 28.22400 – Communicating Results 68.6 26.2 62.3 23.8 64.1 24.62500 – Monitoring Progress 56.1 35.5 51.3 30.6 52.6 32.12600 – Resolution of Management’s 49.0 35.0 46.1 28.8 46.9 30.7Acceptance of RisksOverall Average 59.9 31.6 56.1 26.8 57.2 28.3



The two standards with less than 50% full compliance according to CAE respondents are 2600,Resolution of Management’s Acceptance of Risks (49.0%), and 1300, Quality Assurance andImprovement Program (33.2%). Reasons for noncompliance with Standard 1300 are discussed inmore detail in a later section of this chapter. Standard 2600 requires CAEs and senior managementto discuss with the board any areas where the CAE feels that management has accepted residualrisk that is unacceptable to the organization. It involves skills requiring CAEs to analyze manytypes of risks and reporting to the board disagreements with management over acceptable levelsof risk for the organization.

In Table 4-3, the order of the four highest standards (1100, 2400, 1000, 1200) for full complianceare the same for the categories All Respondents and CAEs. For Practitioners, the four standardswith the highest percentages are the same, but the order differs, 1100 (64.1%), 2400 (62.3%), 1200(61.1%), and 1000 (60.8%).

Standard 1000 (63% full compliance and 25% partial compliance for all respondents) requires thatthe purpose, authority, and responsibility of the IAA be formally defined in an audit charter. Havingthe internal audit charter accepted by the board and management should be one of the first actionstaken by a CAE when an IAA is established. The charter establishes the authority for IAAs toperform the scope of work as outlined in the Standards. Standard 1100 (66.9% full complianceand 22.2% partial compliance for all respondents), which deals with the independence and objectivityof the IAA, shows the highest incidence of full compliance by the respondents.

Standard 2400 (64.1% full compliance and 24.6% partial compliance for all respondents) addressesthe required communication of the results of the work performed by the IAAs at the end of eachengagement. In Appendix 4-B, Tables 4-3-1-A (all respondents), 4-3-2-A (CAE), and 4-3-3-A(Practitioner) contain additional details of respondents’ compliance with each individual standard.These tables contain the respondents’ indication of full compliance, partial compliance, not incompliance, and do not know for each category of the Standards.

Table 4-3-4-A to Table 4-3-6-A in Appendix 4-B lists by groups full compliance by IAAs for therespondents, partial compliance for all respondents, and the percentages for not in compliance withthe Standards for all respondents. Refer to the inside back cover of this report for the list ofgroups. Groups 1, 2, 3, 7, 8, and 11 indicate consistently high compliance with the Standards.Although group 4 has consistently lower compliance with the Standards, it also has the highestpartial compliance of any group. Group 9 has the highest overall percentages for noncompliancewith the Standards. Standard 1300, Quality Assurance and Improvement Program, had the highestpercentages of noncompliance ranging from groups 1 and 2 with 9.1% to a high of 24.2% in group12.



Compliance by Types of Organization

Table 4-4 shows the percentage of respondents by type of organization that indicate their organizationsare in full compliance with specific standards. Service provider/consultant respondents have thehighest level of full compliance with Standard 1300, Quality Assurance and Improvement Program(49.6%), and with Standard 2600, Resolution of Management’s Acceptance of Risks (53.1%).Publicly traded (listed) companies place a close second in full compliance for Standard 2600 (50.6%).

Table 4-4Full Compliance to Standards by Type of Organization

Percentage of All Participants

Standard Service Publicly Privately Public Not-for- OtherProvider/ Traded Held Sector/ Profit

Consultant (Listed) (Non- Government OrganizationCompany listed)

Company

1000 – Purpose, Authority, 62.7 66.8 56.6 62.5 64.4 49.3and Responsibility1100 – Independence 69.6 69.7 63.5 64.1 71.8 48.6and Objectivity1200 – Proficiency and 66.2 64.9 57.3 62.6 67.3 50.7Due Professional Care1300 – Quality Assurance 49.6 42.8 30.2 40.1 37.9 32.8and Improvement Program2000 – Managing the 62.1 59.6 53.4 56.6 58.8 43.3Internal Audit Activity2100 – Nature of Work 61.6 58.9 51.2 59.8 61.1 45.22200 – Engagement 61.1 60.0 50.2 58.4 60.2 41.7Planning2300 – Performing the 63.5 60.1 54.3 62.2 62.8 45.6Engagement2400 – Communicating 68.0 64.5 59.3 66.0 67.5 52.2Results2500 – Monitoring Progress 57.0 55.0 47.9 51.1 55.8 37.02600 – Resolution of 53.1 50.6 38.8 44.9 49.6 31.5Management’sAcceptance of Risks



Adequacy of the Guidance Provided by the Standards

The development and issuance of the Standards is an ongoing process. The IIA’s Internal AuditingStandards Board engages in extensive consultation and discussions prior to the issuance or revisionof the Standards. This includes worldwide solicitation of public comment through the exposuredraft process. Although this process should provide assurance that the guidance provided by theStandards is supported by the profession, it is important to determine the views of current usersregarding the adequacy of the guidance provided. Respondents who indicated that they use theStandards were asked to give their opinion about whether the guidance provided by individualstandards is adequate for their IAA to apply that standard or if more guidance is needed.

As presented in Table 4-5, an overall average of 83.2% of the respondents consider the guidanceprovided by the Standards to be adequate. The four standards that received the highest percentagefor adequacy are 1100 (88.1%), Independence and Objectivity, 1200 (87%), Proficiency and DueProfessional Care, 1000 (86.2%) Purpose, Authority, and Responsibility, and 2400 (85.2%)Communicating Results. These are the same four standards that have the highest complianceindicated by respondents in Table 4-3. In Table 4-5 all but two standards are rated above 80% foradequacy.

Table 4-5Standards Guidance is AdequateAll Respondents in Percentages

Standard Total Yes No Do Not Do NotNumber of Use Know

Respondents

1000 – Purpose, Authority, and Responsibility 5,857 86.2 1.2 2.7 9.91100 – Independence and Objectivity 6,015 88.1 1.7 1.7 8.51200 – Proficiency and Due Professional Care 5,994 87.0 1.7 2.3 9.01300 – Quality Assurance and Improvement Program 5,968 77.3 5.1 6.3 11.32000 – Managing the Internal Audit Activity 5,970 83.7 3.1 3.3 9.92100 – Nature of Work 5,916 82.2 3.2 3.5 11.12200 – Engagement Planning 5,950 83.6 3.3 3.2 9.92300 – Performing the Engagement 5,931 83.8 3.6 3.0 9.62400 – Communicating Results 5,941 85.2 3.1 2.6 9.12500 – Monitoring Progress 5,903 81.8 4.1 4.0 10.12600 – Resolution of Management’s Acceptance 5,908 76.0 5.6 5.3 13.1of RisksOverall Average 83.2 3.2 5.7 9.3



Such a high percentage of positive responses indicates that the guidance provided meets theexpectations of the users of the Standards. The slightly lower response for Standards 1300 (77.3%),Quality Assurance and Improvement Program, and 2600 (76%), Resolution of Management’sAcceptance of Risk, in Figure 4-2 may indicate that more or clearer guidance may be appropriatein the areas of quality assurance and improvement and resolution of management’s acceptance ofrisk.

Figure 4-2Standards Guidance is AdequateAll Respondents in Percentages




Table 4-6 shows that a higher percentage of CAEs (overall average 89%) than Practitioners(overall average 80.7%) regard the guidance provided by the Standards to be adequate. This maybe due to CAEs having more experience with the Standards.

Table 4-6Adequacy of Guidance Provided by Each of the Standards


Standard CAE Practitioner AllRespondents

1000 – Purpose, Authority, and Responsibility 93.3 83.2 86.21100 – Independence and Objectivity 94.1 85.6 88.11200 – Proficiency and Due Professional Care 92.9 84.5 87.01300 – Quality Assurance and Improvement Program 81.5 75.6 77.32000 – Managing the Internal Audit Activity 90.0 81.0 83.72100 – Nature of Work 88.0 79.8 82.22200 – Engagement Planning 89.4 81.2 83.62300 – Performing the Engagement 89.3 81.5 83.82400 – Communicating Results 91.3 82.6 85.22500 – Monitoring Progress 88.4 79.1 81.82600 – Resolution of Management’s Acceptance of Risks 81.3 73.8 76.0Overall Average 89.0 80.7 83.2

In Appendix 4-B, Tables 4-6-1-A (CAEs) and 4-6-2-A (Practitioners) list respondents’ responsesby standard indicating whether the guidance provided is adequate, not adequate, do not use, or donot know. When asked about the adequacy of the guidance provided, a higher percentage of thePractitioner respondents replied “Do Not Know” than CAEs. For all of the Standards, Practitionerresponses for “Do Not Know” range from 11.1% to 16.3%. In contrast, the CAE responses rangeis from a low of 2.3% to a high of 5.3%. This data indicates that CAEs in this study appear to findthe guidance more adequate than do Practitioners.

In Appendix 4-B, Tables 4-6-3-A (all respondents by groups), 4-6-4-A (CAEs by groups), and 4-6-5-A (Practitioners by groups) show respondents’ answers by groups to the question about theadequacy of guidance provided by the Standards. In the groups, CAEs consistently find theStandards guidance to be more adequate than Practitioners. Table 4-6-3-A indicates that a significantpercentage of all respondents in all groups perceive the guidance provided by each of the Standards



to be adequate. On average, groups 7, 8, and 12 have the highest percentage of satisfaction withthe guidance provided, while groups 1, 2, and 9 have the lowest average percentage of satisfaction.

Table 4-6-6-A in Appendix 4-B provides a summary of all respondents by group who indicate thatthe guidance provided by the Standards is not adequate. Indicating a range of 11.6% to 14.5% forguidance is not adequate, group 9 has the highest level of dissatisfaction with Standards 2200 to2500. With this group’s exception, the overall low percentages in this table support a high level ofsatisfaction with the adequacy of the guidance provided.

Use of and Adequacy of the Guidance Provided by the Practice Advisories

Practice Advisories are continuously developed and issued. The purpose of the Practice Advisoriesis to provide guidance on the application of the Standards. Compliance with Practice Advisoriesis endorsed by The IIA and strongly recommended but not considered mandatory. The 7,085respondents who use the Standards in whole or in part were asked whether their IAA uses thePractice Advisories in the PPF and to indicate whether they regard the guidance to be adequate.Figure 4-3 shows the percentages of all respondents to this question that use each of the PracticeAdvisories.

Figure 4-3Respondents That Use the Practice Advisories





Table 4-7 indicates that on average 85.8% of the respondents that use the Standards also use thePractice Advisories. The Audit Staff (88.7%) report the highest overall use of the Practice Advisories.Ninety percent or more of the Audit Staff indicate that they use the Practice Advisories for Standards1000, 1100, 1200, and 2300.

Table 4-7Respondents That Use the Practice Advisories

By Staff Level in Percentages

Practice Advisory CAE Audit Audit Audit Other AverageManager Senior/ Staff

Supervisor

1000 – Purpose, Authority, and 88.8 88.2 84.8 90.1 84.7 87.3Responsibility1100 – Independence and Objectivity 89.3 88.5 86.3 90.7 86.9 88.31200 – Proficiency and Due Professional 88.6 88.4 85.1 90.2 86.1 87.7Care1300 – Quality Assurance and 82.7 82.8 80.5 86.5 79.2 82.3Improvement Program2000 – Managing the Internal Audit 87.7 87.2 83.7 89.7 84.1 86.5Activity2100 – Nature of Work 86.4 85.9 83.8 89.7 83.8 85.92200 – Engagement Planning 87.4 87.1 84.5 89.4 84.1 86.52300 – Performing the Engagement 87.8 86.9 85.2 90.0 84.9 87.02400 – Communicating Results 88.6 87.2 84.6 87.5 83.4 86.32500 – Monitoring Progress 87.5 85.3 82.3 88.4 83.0 85.32600 – Resolution of Management’s 81.4 82.2 78.4 83.6 79.0 80.9Acceptance of RisksAverage 86.9 86.3 83.6 88.7 83.6 85.8

In Appendix 4-B, Table 4-7-1-A shows the percentage of respondents who do not use the PracticeAdvisories for all respondents. Groups 6, 1, 2, and 9 use the Practice Advisories the least.



The respondents were asked if they considered the guidance provided by the Practice Advisoriesto be adequate. Table 4-8 shows that for all respondents the overall average satisfaction withPractice Advisories is 82.5%. Standards 1300 (77.2%) and 2600 (75.4%) are the two standardsthat received the lowest percent of satisfaction. This corresponds to the lower level of compliancewith these two Standards by all respondents in Table 4-3.

Table 4-8Practice Advisory Guidance is Adequate


Practice Advisory CAE Practitioner AllRespondents

1000 – Purpose, Authority, and Responsibility 86.7 85.7 86.01100 – Independence and Objectivity 86.7 86.2 86.31200 – Proficiency and Due Professional Care 86.2 85.1 85.41300 – Quality Assurance and Improvement Program 76.2 77.7 77.22000 – Managing the Internal Audit Activity 83.5 83.4 83.42100 – Nature of Work 81.8 82.5 82.32200 – Engagement Planning 83.5 83.1 83.22300 – Performing the Engagement 83.9 83.3 83.52400 – Communicating Results 84.4 83.8 84.02500 – Monitoring Progress 82.6 80.5 81.12600 – Resolution of Management’s Acceptance of Risks 75.2 75.4 75.4Overall Average 82.7 82.4 82.5

In Appendix 4-B, Tables 4-8-1-A (all respondents), 4-8-2-A (CAE), and 4-8-3-A (Practitioner)show the respondents’ perception of the adequacy of the guidance provided by the Practice Advisoriesand the percentages that do not use each individual Practice Advisory.

Table 4-8-4-A in Appendix 4-B shows all respondents’ perception of the adequacy of the guidanceprovided by the Practice Advisories by groups. This group table also indicates less satisfactionwith the guidance provided to support for Standards 1300 and 2600. Respondents in groups 12, 7,and 8 indicate the highest levels of satisfaction with the adequacy of the Practice Advisories.While still indicating a high level of satisfaction with the guidance, groups 6 and 2 show the lowestrelative levels of satisfaction with the guidance provided by the Practice Advisories.



Reasons for Not Complying with the Standards

All respondents were asked their reasons for not using the Standards in whole or in part. Thequestion listed possible reasons for noncompliance and allowed for individual comments.Respondents could select more than one reason for noncompliance. Figure 4-4 shows the averagepercentage for all respondents for the reasons provided in the question regarding why they do notcomply in whole or in part with the Standards.

Figure 4-4Reasons for Not Complying in Whole or in Part with the Standards

All Respondents (8,159) in Percentages*


*Respondents who do not comply with the Standards could select more than one reason for noncompliance so thetotals could add to more than 100%.



Table 4-9 shows the reasons respondents selected for not using the Standards in whole or in partby staff position.

Table 4-9Reasons for Not Using the Standards in Whole or in Part

All Respondents by Staff Position in Percentages*

Reason Number CAE Audit Audit Senior/ Audit Staff Other AverageW h o % of 2263 Managers Supervisor % of 1442 % of 569 % of 8159

Selected Respondents % of 1845 % of 2040 Respondents Respondents RespondentsCategory Respondents Respondents

Standards or 473 7.1 5.5 5.4 4.4 6.2 5.8PracticeAdvisories aretoo complexNot 846 16.4 8.5 7.4 7.1 11.4 10.4appropriatefor smallorganizationsToo costly to 765 13.3 8.9 7.9 6.2 8.6 9.4complyToo time- 992 16.1 12.1 11.4 8.6 8.1 12.2consumingSuperseded by 875 10.3 10.0 12.6 9.6 11.1 10.7local/governmentregulationsor standardsNot 342 4.4 3.3 4.1 4.7 5.3 4.2appropriatefor myindustryCompliance 970 11.9 12.0 12.6 11.0 11.1 11.9not supportedby manage-ment/boardNot perceived 996 13.6 11.4 13.5 9.9 10.5 12.2as addingvalue bymanagement/boardInadequate 1,026 14.4 11.9 11.7 11.6 13.2 12.6IAA staffCompliance 467 5.9 5.3 6.6 4.9 5.3 5.7not expectedin my countryOther 983 11.4 12.7 12.8 8.7 17.9 12.0

*Respondents who do not comply with the Standards could select more than one reason for noncompliance so thetotals could add to more than 100%.



There appears to be three primary causes for noncompliance. The first relates to practitioners’experiences in application and implementation of guidance or constraints within the IAA. Specificreasons related to this include the following:

• Inadequate staff (12.6%)• Too time-consuming (12.2%)• Not appropriate for small organizations (10.4%)• Too costly to comply (9.4%)• Standards or Practice Advisories are too complex (5.8%)

The second primary cause concerns lack of support by the organization’s management and includesthe following specific reasons:

• Not perceived as adding value by management/board (12.2%)• Compliance not supported by management/board (11.9%)

The third primary cause involves the regulations or standards in the respondents’ countries orcompany, and includes the following reasons:

• Superseded by local/government regulations or standards (10.7%)• Compliance not expected in my country (5.7%)• Not appropriate for my industry (4.2%)

This knowledge should aid The IIA in formulating future guidance and in marketing the profession.



Open-ended Question for Noncompliance

Respondents were provided with space to list other reasons why they did not comply with theStandards in whole or in part. Of the 417 respondents who provided a written response to theopen-ended part of this question, most did not add any new reasons beyond those listed in Table 4-9, but expanded upon why they selected a particular reason. Table 4-10 categorizes these responsesand lists the percentages of the 417 respondents that gave a particular response. Because sevenrespondents gave two reasons why they are not in full compliance with the Standards, there are atotal of 424 responses.

Table 4-10Reasons for Not Complying with the Standards in Whole or in Part

From Open-ended Question for All Participants

Reasons for Noncompliance Number of Percentage ofRespondents* 417

Respondents

Other standards are used (GAGAS/Yellow Book; 94 22.5Own standards based on IIA’s; CICA; ISACA;CIPFA; GAAS; INTOSAI)Informal/partial use of the Standards 57 13.7Do not have the knowledge to implement 54 12.9Standards are not: 41 9.8adequate/relevant/practical/accepted/value addedWorking toward full implementation 40 9.6Newly established IAA or newly appointed in position 36 8.6Do not know 23 5.5Management does not support 21 5.0Not applicable as function is outsourced or 13 3.1respondents not in internal audit departmentUnderstaffed 10 2.4Full compliance to the Standards 5 1.2No IAA 4 1.0Other 26 6.2

*Since 7 of the 417 respondents provided two reasons for noncompliance with the Standards, there are 424 totalresponses.



One respondent suggests that the local affiliate should perform an awareness campaign in hiscountry for non-listed and small companies to show the need for IAAs to comply with the Standards.

Factors Affecting Compliance

To better understand why some respondents are not in full compliance with the Standards, threefactors were reviewed. First, since The IIA’s membership grew 54.6% from June 2003 toSeptember 2006, Table 4-11 compares the number of years respondents have been members ofThe IIA to respondents’ compliance with the Standards in whole or in part. For those respondentswho are members of The IIA, the longer they have been members the more likely they are tocomply with the Standards in whole or in part.

Table 4-11Compliance with the Standards in Whole or in Part

Compared to theNumber of Years as a Member of The IIA


Number of Years as Number of Percentage ofMember of IIA Respondents Respondents in

Compliance in Wholeor in Part

5 or less 5,044 80.76 to 10 1,694 86.2

11 or more 1,307 88.4Not a Member 568 64.8

Total/Overall Average 8,613 81.9



The second factor considered is the number of years an organization has had an IAA. Table 4-12suggests a trend indicating that the longer an organization has had an internal audit department thegreater the IAA’s compliance with the Standards in whole or in part.

Table 4-12Compliance with the Standards in Whole or in Part

Compared to theNumber of Years Organization has had an IAA


Years Having an Number of Percentage of RespondentIAA Respondents in Compliance in Whole

or in Part

0-5 2,147 81.06-10 1,586 80.911-15 902 83.916-20 835 81.821-25 523 84.926-30 561 84.331-35 180 83.336-40 250 87.241-45 48 85.446-50 254 88.2

More than 50 323 85.1



The final factor reviewed is the impact of the number of full-time staff in the IAA on compliancewith the Standards in whole of in part. Table 4-13 notes that with the exception of the 22-24 stafflevel category, the trend is that the larger the IAA’s audit staff, the higher level of compliance tothe Standards in whole or in part.

Table 4 -13Compliance with the Standards in Whole or in Part

Compared to theNumber of Full-Time Staff at Each Staff


Number of Staff Number of Percentage ofRespondents Respondents in

Compliance in Wholeor in Part

1-3 1,601 75.74-6 1,253 82.07-9 742 83.2

10-12 448 83.313-15 332 84.316-18 251 84.519-21 179 85.222-24 133 84.7

25 or more 1,707 88.0Total 6,646 82.3

In summary, all three factors, the longer a respondent has been a member of The IIA, or anorganization has had an IAA, or the larger the number of staff in the IAA, positively affect thelevel of compliance by the IAA with the Standards.



Quality Assurance and Improvement Program

Since Standard 1300, Quality Assurance and Improvement Program (QA&IP), relates to themonitoring of IAA compliance with the Standards, the survey included specific questions relatingto internal and external assessments. One of the main objectives of the QA&IP Standard is toencourage the assessment of, application, and conformance with the Standards. According toStandard 1300, the CAE should develop and maintain a QA&IP that covers all aspects of the IAAand continuously monitors its effectiveness. This program includes periodic internal assessments,external quality assessments, and ongoing internal monitoring. Standard 1300 and the PracticeAdvisories further recommend that this program:

• Provide assurance that the IAA is in conformity with The IIA’s Standards.• Provide assurance that the IAA is in conformity with the IIA Code of Ethics.• Add value and improve the organization’s operations.• Include periodic internal and external quality assessments and ongoing internal monitoring.

Each part of the program should be designed to help the IAA provide this assurance and add value.

Standard 1300

Survey participants were asked whether or not their IAAs have QA&IPs in place in accordancewith Standard 1300. Standard 1330, Use of “Conducted in Accordance with the Standards,” statesthat internal auditors are encouraged to report that their activities are conducted in accordancewith the Standards. It further stipulates that internal auditors may use this statement only ifassessment of their QA&IP demonstrates that the IAA is in compliance with the Standards. Thevalue of this statement is that it implies the credibility of the work performed by the IAA and thatthe conclusions reached can be relied upon.

The average response to the question of whether the respondent’s IAA has a QA&IP in place inaccordance with Standard 1300 is reported in Figure 4-5. Of the total respondents, 32.8% say thatthey have a QA&IP in place and thus can use the phrase “Conducted in Accordance with theStandards” in reference to their audit engagements. A further 21.9% indicate that a QA&IPwould be put in place within the next 12 months. Some respondents (7.3%) have a quality assuranceprogram in place, but the program is not in accordance with Standard 1300. Of the respondents,22.9% report that they do not have plans to put in place a QA&IP in the next 12 months.



Figure 4-5IAA Has a Quality Assurance and Improvement Program in

Accordance with Standard 1300All Respondents (7,269) in Percentages

If an IAA is not in compliance with Standard 1300, then the IAA is not in full compliance with theStandards. Of those responding, 38.8% of CAEs and 30.2% of all respondents indicate that theyeither do not have plans to put a QA&IP in place or they have quality programs that are not inaccordance with Standard 1300. These organizations will not be able to report that they are in fullcompliance with the Standards.

Table 4-14 presents the respondents’ answers to the question asking whether their IAAs haveQA&IPs in place in accordance with Standard 1300 by staff level. Of CAE respondents, 5.4%say that they do not know whether their IAA has a QA&IP in accordance with Standard 1300.The “do not know” option to this question was selected by 10.6% of Audit Managers, 18.0% of




Audit Seniors/supervisors, and 26.7% of the Audit Staff respondents. As the quality assuranceprogram is the responsibility of the CAE, practitioners at less senior levels may not know how thequality assurance requirements have been implemented. Yet, according to the Standards, qualityassurance should form a part of every activity at all levels of the IAA. All internal audit staffshould therefore be trained in the requirements of quality assurance and should be integrally involvedin the quality assessment and improvement programs of their IAAs.

Table 4-14IAA Has a Quality Assurance and Improvement Program

in Accordance with Standard 1300All Respondents by Staff Level in Percentages

QA&IP CAE Audit Audit Audit Staff Other AverageStatus % of 2082 Manager Senior/ % of 1239 % of 441 % of 7269

Respondents % of 1687 Supervisor Respondents Respondents RespondentsRespondents % of 1820

Respondents

Currently in place 26.6 36.5 36.0 36.1 24.5 32.8To be put in place 29.2 23.2 19.0 15.8 10.9 21.9within the next12 monthsNo plans to put in 29.2 22.6 19.6 17.6 23.8 22.9place in the next12 monthsQuality assurance 9.6 7.1 7.4 3.8 7.0 7.3program is not inaccordance withStandard 1300Do not know 5.4 10.6 18.0 26.7 33.8 15.1Total 100.0 100.0 100.0 100.0 100.0 100.0



Table 4-14-1 shows compliance with Standard 1300 by groups. A noticeably higher than averagepercentage (54.7%) of respondents in groups 3 (70.5%), 2 (61.6%), and 1 (61%) indicate that theyhave a QA&IP in place or will put one in place within the next 12 months. The groups that have thehighest percentages of respondents indicating that they have no plans to put a QA&IP in place aregroups 12 (34.8%), 4 (34%), 8 (33.5%), and 11 (30.7%). Group 4 (20.7%) has the highest percentageof respondents who do not know whether they have such a program in place.

Table 4-14-1IAA Has a Quality Assessment and Improvement Program

in Accordance with Standard 1300 by Groups*All Respondents in Percentages

Group Number of Yes, To Be Put in No Plans Program Do Not TotalRespondents Currently Place Within to Put in is Not in Know

in Place the Next 12 Place in AccordanceMonths the Next 12 with

Months Standard1300

1 2,974 40.1 20.9 17.6 5.1 16.3 100.02 190 35.8 25.8 16.9 8.9 12.6 100.03 600 45.3 25.2 12.7 5.5 11.3 100.04 300 19.3 14.3 34.0 11.7 20.7 100.05 502 24.4 27.5 27.7 9.8 10.6 100.06 374 30.2 21.1 24.1 16.0 8.6 100.07 439 25.1 26.9 27.6 10.8 9.6 100.08 835 24.0 20.5 33.5 6.9 15.1 100.09 97 15.5 28.9 29.8 13.4 12.4 100.010 110 30.0 26.4 26.4 7.2 10.0 100.011 199 30.2 23.1 30.7 5.5 10.5 100.012 43 23.3 27.9 34.8 7.0 7.0 100.0

N/C** 624 20.8 17.5 27.6 7.7 26.4 100.0Overall 7,287 32.8 21.9 22.9 7.3 15.1 100.0

Average/Total

*For a list of groups, please see the inside back cover.**N/C = Respondent did not indicate Affiliate or Chapter membership.



Internal Assessments

According to Standard 1311, Internal Assessments should include a process to monitor and assessthe overall effectiveness of the quality program. Internal assessments should include both:

• Ongoing review of the performance of the IAA.• Periodic reviews performed through self-assessment or by other persons within the

organization with knowledge of internal auditing practices and the Standards.

The respondents were asked when their IAAs last had a formal internal quality assessment, periodicor ongoing, in accordance with Standard 1311. Table 4-15 indicates, by staff level, when the IAAwas last subject to an internal quality assessment. On average, 23.6% of the respondents’ IAAshave had an internal review within the last 12 months and a further 8.7% had a review within thelast 5 years. By the end of 2006, an average of 8.1% additional respondents anticipate their IAAswill have had an internal quality assessment (note that the questionnaires were sent out in September2006). On average, 35.3% of the respondents indicate that they have never had an internalassessment. From predominantly lower staff levels and Other, on average 15.8% of the respondentsdo not know if their IAA had a formal internal quality assessment.

Only 5.2% of the CAE’s indicated they did not know when their IAA was last subject to a formalinternal assessment, while 26.7% of the Audit Staff indicated they did not know. This may beascribed to a lack of knowledge at their level of responsibility. A higher percentage (47.4%) ofCAEs indicates that an internal quality assessment has never been done, which may be moreaccurate as the CAE is normally the person responsible for organizing such reviews.



Table 4-15When IAA Was Last Subject to a Formal Internal Quality Assessment

in Accordance with Standard 1311All Respondents by Staff Level in Percentages

Timing CAE Audit Audit Audit Staff Other Average% of 2,083 Manager Senior/ % of 1,240 % of 430 % of 7,249Respondents % of 1,678 Supervisor Respondents Respondents Respondents

Respondents % of 1,818Respondents

Scheduled to 8.7 8.3 8.4 7.5 4.7 8.1be completedprior toJanuary 1,2007, but notyet completedWithin the 21.0 27.9 24.0 24.4 15.3 23.6last 12 months1-3 years ago 6.5 8.1 8.9 6.0 7.7 7.44-5 years ago 1.2 1.4 1.2 1.6 0.7 1.3More than 5 1.5 1.3 1.1 1.0 1.2 1.2years agoNever 47.4 32.5 30.3 26.1 35.3 35.3The internal 8.5 7.4 6.6 6.7 3.7 7.2review wasnot done inaccordancewith Standard1311Do not know 5.2 13.1 19.5 26.7 31.4 15.9



The following compares the results in Table 4-14 (the IAA has a QA&IP in place) to the percentagesin Table 4-15 (the internal assessment is scheduled to be completed prior to January 1, 2007, orcompleted a quality assessment within the last 12 months). The percentages are fairly close forboth tables. For example, Table 4-14 lists CAE respondents indicating that 26.6% have a QA&IPin place, and Table 4-15 has a total of 29.7% CAE respondents having had a formal quality assessmentin accordance with Standard 1311 scheduled before January 1, 2007, or completed in the last 12months. For all respondents in this comparison, Table 4-14 had 32.8% of respondents having aQA&IP in place, and Table 4-15 has a total of 31.7% completed within the last 12 months orscheduled by January 1, 2007.

In Appendix 4-B, Table 4-15-1-A contains the status of the internal assessment by groups. For sixof the groups, more than 40% of respondents have never had an internal assessment. For groups6, 8, and 12, more than 11% of the respondents have completed a quality assessment that was notin accordance with Standard 1311. Only group 3 respondents indicate that 43.4% of their IAAshave had an assessment in accordance with Standard 1311 in the last 5 years. Eleven point fourpercent to 14.9% of the respondents in groups 3, 10, and 12 anticipate completing an assessmentprior to January 1, 2007.

Two factors should be considered when reviewing which respondents’ organizations have had aninternal quality assessment. The first is whether the length of time the IAA has been in existencewithin the organization has any effect on compliance to Standard 1311. Table 4-16 compares thelength of time that respondents’ organizations have had an IAA with when or if they have had aninternal assessment. IAAs that have been in existence for 0 to 5 years have the highest percentage(54.2%) of never having had an internal assessment. That percentage drops to 38% for thoseorganizations whose IAAs have been in existence for 6 to 10 years. It appears that, generally, thelonger the organization has had an IAA the more likely they are to have an internal assessmentprogram in place.



Table 4-16Years the IAA has Existed in an Organization Compared to

When the IAA had an Internal AssessmentAll Respondents in Percentages

Years Number of Scheduled Within 1-3 4-5 More Never The I Do TotalIAA Respondents to Be the Last Years Years Than Internal Not Know

Existed Completed 12 Ago Ago 5 Review WasPrior to Months Years Not Done in

January 1, Ago Accordance2007, But withNot Yet Standard

Completed 1311

0-5 1,857 7.7 14.8 4.0 0.5 0.2 54.2 7.3 11.3 100.06-10 1,364 7.7 21.8 6.2 1.1 1.2 38.0 8.1 15.9 100.011-15 774 8.4 25.2 7.4 1.8 1.4 35.1 7.2 13.5 100.016-20 727 10.0 23.4 10.6 2.6 2.3 25.9 6.2 19.0 100.021-25 727 9.0 30.4 10.1 2.9 1.3 25.8 7.7 12.8 100.026-30 465 8.8 31.0 9.7 1.1 1.5 24.3 8.2 15.4 100.031-35 145 8.3 31.7 11.7 1.4 0.7 26.2 8.3 11.7 100.036-40 208 7.7 35.1 13.0 0.5 1.4 25.0 4.8 12.5 100.041-45 38 13.2 39.5 5.3 5.3 .0 15.8 7.9 13.2 100.046-50 198 6.1 31.8 12.1 3.0 3.0 18.7 6.1 19.2 100.0More 266 9.4 36.1 10.2 1.1 1.5 13.5 8.6 19.6 100.0than

50 years



The second factor to consider is the number of audit staff in the IAA. Table 4-17 shows that forstaff levels of 1-3, respondents indicate that 58.2% of their IAAs have never had an internalreview. As the size of the IAA staff increases, fewer respondents’ IAAs have never had aninternal review with one exception (organizations with a staff size of 10-12). With a staff of 25 ormore only 14.2% indicated that their IAA had never had an internal review.

It appears that the number of years the IAA has existed and the number of staff in the IAA affectwhether an IAA has had an internal assessment program.

Table 4-17Number of Audit Staff in the IAA Compared to

When the IAA had an Internal AssessmentAll Respondents in Percentages

Number Number of Scheduled Within 1-3 4-5 More Never The I Do Totalof Respondents to Be the Last Years Years Than Internal Not Know

Staff Completed 12 Ago Ago 5 Review WasPrior to Months Years Not Done in

January 1, Ago Accordance2007, But withNot Yet Standard

Completed 1311

1-3 1,859 5.9 11.5 4.1 1.0 1.0 58.2 7.0 11.3 100.04-6 1,319 8.6 18.0 6.7 1.1 1.2 42.7 8.3 13.4 100.07-9 775 7.7 26.1 8.1 1.8 1.4 30.6 7.7 16.6 100.0

10-12 451 8.2 23.5 9.1 1.3 2.0 31.9 7.3 16.7 100.013-15 351 12.3 25.4 9.7 1.1 .9 26.2 7.7 16.7 100.016-18 265 12.5 27.2 7.5 .8 1.5 24.9 9.1 16.5 100.019-21 186 8.6 30.6 9.1 2.7 .5 19.4 7.5 21.6 100.022-24 137 12.4 34.3 10.9 1.5 2.2 18.2 8.8 11.7 100.025 or 1,561 9.5 39.4 10.4 1.8 1.3 14.2 5.4 18.0 100.0more



External AssessmentsAccording to Standard 1312, External Assessments, the IAA should have an external assessmentat least once every 5 years by a qualified, independent reviewer or review team from outside theorganization. All IAAs that existed on January 1, 2002, when this standard became effectiveshould have had an external assessment performed by January 1, 2007. For external reviews,Practice Advisory 1312-1, External Assessments, recommends that an opinion on the IAA’scompliance to the Standards based on a structured rating process be communicated to the CAE.

Figure 4-6 indicates when all respondents’ IAAs were last subject to an external quality assessment.The average response for all respondents indicates that 39.7% of respondents’ IAAs have neverhad an external assessment.

Figure 4-6When the IAA was Last Subject to a Formal External Quality Assessment

in Accordance with Standard 1312All Respondents (7,230) in Percentages




Table 4-18 indicates by staff level when respondents’ IAAs were last subject to an external qualityassessment. Comparing the average response (39.7%) indicating the IAA has not had an externalreview to the different levels of staff, 53.7% of the CAE respondents indicate their IAA has nothad an external review. This is probably more reflective of the actual status as the CAE is responsiblefor arranging the external review. It appears that for more than 50% of those responding to thisquestion, their organizations have not been subject to a formal external quality assessment and arenot in compliance with Standard 1312 and are therefore not in full compliance with the Standards.

Table 4-18When the IAA was Last Subject to a Formal External Quality Assessment

in Accordance with Standard 1312All Respondents in Percentages

Timing CAE Audit Audit Audit Staff Other Average% of 2,073 Manager Senior/ % of 1,241 % of 429 % of 7,230

Respondents % of 1,674 Supervisor Respondents Respondents RespondentsRespondents % of 1,813

Respondents

Scheduled to 7.7 8.7 7.4 7.2 4.4 7.6be completedprior toJanuary 1, 2007,but not yetcompletedWithin the last 13.8 16.9 17.9 19.1 14.5 16.512 months1-3 years ago 6.9 11.2 12.0 8.8 7.5 9.54-5 years ago 2.2 1.8 2.4 1.9 1.6 2.1More than 5 1.7 2.1 1.7 1.2 1.2 1.7years agoNever 53.7 38.6 33.4 28.7 35.0 39.7The external 7.7 4.9 4.2 2.4 2.3 5.0review was notdone inaccordancewith Standard1312Do not know 6.3 15.8 21.0 30.7 33.5 17.9



Table 4-18-1 shows the results for external quality assessments for the groups. More than 40% ofthe respondents in groups 3 (48.9%), 2 (42.2%), 10 (43.9%), and 1 (41.5%) indicate that their IAAhas had a formal external assessment in the last 5 years or will have one completed by January 1,2007, in accordance with Standard 1312. More than 50% of respondents in groups 9 (59.6%), 12(59.5%), 5 (54.5%), 4 (51.9%), and 8 (51.5%) noted that they have never had an external assessment.

Table 4-18-1When the IAA was Last Subject to a Formal External Quality Assessment

in Accordance with Standard 1312 by Groups*All Respondents in Percentages

Timing 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

Scheduled 8.3 7.5 11.9 3.7 8.3 6.2 6.1 5.6 5.1 18.4 9.6 7.1 4.0to becompletedprior toJanuary 1,2007Within the 19.7 12.8 19.0 15.5 11.4 13.2 17.9 11.9 14.1 13.2 16.2 14.3 12.6last 12months1-3 years ago 11.0 18.2 15.1 4.7 9.8 8.9 5.4 6.5 9.1 8.8 5.1 4.8 6.34-5 years ago 2.5 3.7 2.9 2.7 0.6 3.5 1.4 0.8 1.0 3.5 1.5 0.0 1.3More than 5 2.0 3.7 2.3 5.7 0.6 1.1 0.9 0.4 0.0 0.9 0.5 2.4 1.1years agoNever 31.1 32.6 28.7 51.9 54.5 43.5 48.0 51.5 59.6 40.4 39.6 59.5 48.0Not done in 2.3 4.3 3.2 3.4 6.8 12.1 8.8 8.2 1.0 4.4 7.7 4.8 7.2accordance withStandard 1312Do not know 23.1 17.2 16.9 12.4 8.0 11.5 11.5 15.1 10.1 10.4 19.8 7.1 19.5Total percentage 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0Total number of 2,956 187 596 297 499 372 442 827 99 114 197 42 621respondents




To determine if the length of time the IAA has been in existence within an organization has anyeffect on compliance to Standard 1312, Table 4-19 compares the length of time that respondents’organizations have had an IAA to when and if they have had an external assessment. IAAs thathave been in existence for 0 to 5 years have the highest percentage (61.2%) of never having hadan external assessment. The percentage for never having an external assessment drops to 40.4%for those organizations whose IAAs have been in existence for 6 to 10 years. It appears that,generally, the longer the organization has had an IAA the more likely they have had an externalassessment.

Table 4-19Years the IAA has Existed in an Organization Compared to

When the IAA had an External AssessmentAll Participants in Percentages

Years Number Scheduled Within 1-3 4-5 More Never The I Do TotalIAA of to Be the Last Years Years Than Internal Not

Been in Respondents Completed 12 Ago Ago 5 Review was KnowExistence Prior to Months Years Not Done in

January 1, Ago Accordance2007, with

But Not StandardYet 1312

Completed

0-5 1,853 5.8 8.9 5.0 0.8 0.2 61.2 4.6 13.5 100.06-10 1,365 8.6 14.7 8.2 2.1 1.8 40.4 5.7 18.5 100.011-15 770 7.8 16.2 10.3 2.7 2.1 40.6 5.7 14.6 100.016-20 723 7.9 17.2 11.3 3.6 3.5 29.6 4.7 22.2 100.021-25 449 8.7 26.5 11.6 1.8 2.0 30.3 5.8 13.3 100.026-30 462 8.4 22.5 11.7 3.7 2.4 27.3 7.6 16.4 100.031-35 142 7.7 16.2 21.8 3.5 0.7 28.9 6.3 14.9 100.036-40 210 11.0 27.1 13.8 1.9 1.9 27.1 1.4 15.8 100.041-45 39 23.1 20.5 12.8 5.1 .0 15.4 7.7 15.4 100.046-50 196 6.1 26.0 14.3 3.1 3.1 23.0 2.0 22.4 100.0More 266 9.8 24.4 19.5 2.3 2.6 16.9 5.6 18.9 100.0than

50 years



As shown in Table 4-20, the number of audit staff in the IAA was compared to whether the IAAhas had an external assessment. This factor appears to have a marked influence on the IAAhaving an external assessment. IAAs that have an audit staff of 1-3 indicate that 60.4% neverhave had an external assessment. This drops to 49% for a staff size of 4-6 and to 17.8% for IAAswith an audit staff of 25 or more.

Table 4-20Number of Audit Staff in the IAA Compared to

When the IAA had an External AssessmentAll Participants in Percentages

Number Number Scheduled Within 1-3 4-5 More Never The I Do Totalof of to Be the Last Years Years Than Internal Not

Staff Respondents Completed 12 Ago Ago 5 Review was KnowPrior to Months Years Not Done in

January 1, Ago Accordance2007, with

But Not StandardYet

Completed 1312

1-3 1854 5.1 7.9 4.9 1.7 1.3 60.4 5.7 13.0 100.04-6 1311 7.8 12.5 6.6 1.8 1.6 49.0 5.9 14.8 100.07-9 770 8.4 18.7 9.9 1.9 3.0 37.0 4.8 16.3 100.0

10-12 448 6.0 18.1 8.7 2.7 1.8 39.1 4.5 19.1 100.013-15 352 9.9 18.5 13.9 2.3 1.7 31.3 4.3 18.1 100.016-18 265 9.4 16.6 10.9 3.8 1.9 32.1 6.4 18.9 100.019-21 187 6.4 25.7 10.2 3.7 2.1 25.7 5.3 20.9 100.022-24 137 13.1 19.7 18.2 4.4 1.5 19.7 6.6 16.8 100.025 or 1559 10.1 26.5 16.5 2.4 1.6 17.8 3.7 21.4 100.0more

As with internal assessments, the length of time an IAA has been in existence and the number ofaudit staff in the IAA affect whether IAAs have had an external assessment.



Quality Assurance and Improvement Program Activities

Respondents were asked what types of activities their IAAs used when performing internal andexternal quality assessments. Practice Advisory 1300-1, Quality Assurance and ImprovementProgram, states that the quality assurance and improvement program should include activities thatare designed to provide reasonable assurance of compliance with the Standards such as appropriatesupervision of the audit team.

The respondents were requested to indicate which of the listed activities they performed as part oftheir internal audit quality assessment and improvement program. Figure 4-7 shows the responsesgiven by staff level. As respondents could mark more than one activity the total percentage may begreater than 100%.

On average, the activities that are included most often are engagement supervision (42.7%),checklists/manuals to provide assurance that proper audit processes are followed (40.6%), andfeedback from audit customers at the end of an audit (38.5%). The least used activities areverification that the IAA is in compliance with the Standards (28.4%), review by external party(20.4%), and compliance with non-IIA standards or codes (19.0%).



Figure 4-7Activities Performed by IAAs as Part of a QA&IP


13.4%

19.0%

20.4%

28.4%

31.1%

38.5%

40.6%

42.7%

12.2%

30.1%

0% 10% 20% 30% 40% 50%

Do not know

Not applicable

Compliance with non-IIA standards orcodes

Review by external party

Verification that the IAA is incompliance with The Standards

Reviews by other members of IAA

Internal audit professionals are in compliance with The IIA's

Code of Ethics

Feedback from audit customers at theend of an audit

Checklists/manuals to provide assurance that proper audit processes

are followed

Engagement supervision


Note: The responders were asked to mark all that apply so the total of the percentages may be more than 100.



Table 4-21 shows the responses for the types of activities performed as part of a QA&IP given bystaff level.

Table 4-21Activities Performed by IAAs as Part of a QA&IP

All Respondents by Staff Level in Percentages

Activity CAE Audit Audit Audit Staff Other Average% of 2,263 Managers Senior/ % of 1,442 % of 569 % of

Respondents % of 1,845 Supervisor Respondents Respondents 8,159Respondents % of 2,040 Respon-

Respondents dents

Engagement 48.8 54.2 47.4 38.1 24.8 42.7supervisionChecklists/ 44.8 49.9 43.9 38.0 26.7 40.6manuals toprovideassurance thatproper auditprocesses arefollowedFeedback from 41.4 47.4 41.7 38.5 23.4 38.5audit customersat the end of anauditInternal audit 37.6 38.9 31.3 28.7 19.3 31.1professionals arein compliancewith The IIA’sCode of EthicsReviews by 27.2 39.1 35.6 30.9 17.9 30.1other membersof the IAAVerification that 35.6 36.7 27.6 26.0 16.5 28.4the IAA is incompliance withthe Standards




Table 4-21 (Cont.)Activities Performed by IAAs as Part of a QA&IP

All Respondents by Staff Level in Percentages

Activity CAE Audit Audit Audit Staff Other Average% of 2,263 Managers Senior/ % of 1,442 % of 569 % of

Respondents % of 1,845 Supervisor Respondents Respondents 8,159Respondents % of 2,040 Respon-

Respondents dents

Review by 21.3 25.4 22.2 18.0 15.1 20.4external partyCompliance with 19.4 23.1 21.9 17.5 13.5 19.0non-IIAstandards orcodesNot applicable 16.4 11.8 10.9 10.1 17.8 13.4Do not know 3.4 8.2 11.9 17.5 20.0 12.2


Table 4-21-1-A in Appendix 4-B analyzes the responses by groups for the types of activitiesperformed as part of a QA&IP. Consistently throughout the groups, engagement supervision (63.9%to 32.1%), checklists/manuals (57.4% to 33.3%), and feedback from audit customers (55.3% to31.1%) are the most used activities. Least utilized items by groups include review by external party(34.0% to 12.6%) and reviews of compliance with non-IIA standards or codes (28.0% to 14.7%).These results are consistent with the summary results in Table 4-21.

Education of key personnel (audit committees and management) to make them aware of theimportance of compliance and the value that may be derived from the quality assessment processmay help to increase compliance with Standard 1300.



Compliance with The IIA’s Code of Ethics

As part of the CBOK Affiliate survey, affiliates were asked whether they require their members tofollow The IIA’s Code of Ethics. Of the 46 affiliates responding to this question, all but one answeredin the affirmative. One affiliate has adopted a local version of a code of ethics. The affiliates werethen asked how they handled ethical complaints against their members. A wide variety of responseswere received. In a number of instances no complaints had ever been received so no process hadbeen put in place. In most cases, complaints were handled by an ethics or disciplinary committee,while some actions were left to the affiliate’s board of directors. In two cases, investigations wereconducted in consultation with The IIA.

Summary

A large majority of the participants in this study indicate that their IAAs are using the Standards inwhole or in part. Compliance with the Standards is affected by the length of time an individual hasbeen a member of The IIA, the number of years an organization has had an IAA, and the numberof staff in the IAA. Compliance with Standard 1300 is influenced by the period of time an organizationhas had an IAA and the size of the audit staff. A large majority of the respondents also believe thatthe guidance provided by the Standards and most Practice Advisories is adequate. Standards1300, Quality Assurance and Improvement Program, and 2600, Resolution of Management’sAcceptance of Risks, have lower levels of usage and satisfaction with the adequacy of guidanceprovided by the Standards. More or clearer guidance may be appropriate in these areas.

References

1. The Institute of Internal Auditors, A Vision for the Future: The Professional PracticesFramework for Internal Auditing (Altamonte Springs, FL: The Institute of Internal Auditors),1999.

2. The Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs,FL: The Institute of Internal Auditors), 2005.

3. The Institute of Internal Auditors, Quality Assessment Manual (Altamonte Springs, FL: TheInstitute of Internal Auditors), February 2006.

4. The Institute of Internal Auditors, The Institute of Internal Auditors Executive Summary(Altamonte Springs, FL: The Institute of Internal Auditors), September 13, 2006.

5. The Institute of Internal Auditors, IIA International Professional Practices Framework –Exposure Document (Altamonte Springs, FL: The Institute of Internal Auditors), 2007.



APPENDIX 4-ATHE IIA’S STANDARDS, PRACTICE ADVISORIES,

AND GLOSSARY TO THE STANDARDSAS OF SEPTEMBER 20061

ATTRIBUTE STANDARDS

1000 – Purpose, Authority, and ResponsibilityThe purpose, authority, and responsibility of the internal audit activity should be formally defined ina charter, consistent with the Standards, and approved by the board.

1000.A1 – The nature of assurance services provided to the organization should be definedin the audit charter. If assurances are to be provided to parties outside the organization,the nature of these assurances should also be defined in the charter.

1000.C1 – The nature of consulting services should be defined in the audit charter.

1100 – Independence and ObjectivityThe internal audit activity should be independent, and internal auditors should be objective inperforming their work.

1110 – Organizational IndependenceThe chief audit executive should report to a level within the organization that allows the internalaudit activity to fulfill its responsibilities.

1110.A1 – The internal audit activity should be free from interference in determining thescope of internal auditing, performing work, and communicating results.

1120 – Individual ObjectivityInternal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.

1130 – Impairments to Independence or ObjectivityIf independence or objectivity is impaired in fact or appearance, the details of the impairmentshould be disclosed to appropriate parties. The nature of the disclosure will depend upon theimpairment.

1Standards are always being updated as the profession evolves.



1130.A1 – Internal auditors should refrain from assessing specific operations for whichthey were previously responsible. Objectivity is presumed to be impaired if an internalauditor provides assurance services for an activity for which the internal auditor hadresponsibility within the previous year.

1130.A2 – Assurance engagements for functions over which the chief audit executivehas responsibility should be overseen by a party outside the internal audit activity.

1130.C1 – Internal auditors may provide consulting services relating to operations forwhich they had previous responsibilities.

1130.C2 – If internal auditors have potential impairments to independence or objectivityrelating to proposed consulting services, disclosure should be made to the engagementclient prior to accepting the engagement.

1200 – Proficiency and Due Professional CareEngagements should be performed with proficiency and due professional care.

1210 – ProficiencyInternal auditors should possess the knowledge, skills, and other competencies needed to performtheir individual responsibilities. The internal audit activity collectively should possess or obtainthe knowledge, skills, and other competencies needed to perform its responsibilities.

1210.A1 – The chief audit executive should obtain competent advice and assistance if theinternal audit staff lacks the knowledge, skills, or other competencies needed to performall or part of the engagement.

1210.A2 – The internal auditor should have sufficient knowledge to identify the indicatorsof fraud but is not expected to have the expertise of a person whose primary responsibilityis detecting and investigating fraud.

1210.A3 – Internal auditors should have knowledge of key information technology risksand controls and available technology-based audit techniques to perform their assignedwork. However, not all internal auditors are expected to have the expertise of an internalauditor whose primary responsibility is information technology auditing.

1210.C1 – The chief audit executive should decline the consulting engagement or obtaincompetent advice and assistance if the internal audit staff lacks the knowledge, skills, orother competencies needed to perform all or part of the engagement.



1220 – Due Professional CareInternal auditors should apply the care and skill expected of a reasonably prudent and competentinternal auditor. Due professional care does not imply infallibility.

1220.A1 – The internal auditor should exercise due professional care by considering the:• Extent of work needed to achieve the engagement’s objectives.• Relative complexity, materiality, or significance of matters to which assurance

procedures are applied.• Adequacy and effectiveness of risk management, control, and governance processes.• Probability of significant errors, irregularities, or noncompliance.• Cost of assurance in relation to potential benefits.

1220.A2 – In exercising due professional care the internal auditor should consider the useof computer-assisted audit tools and other data analysis techniques.

1220.A3 – The internal auditor should be alert to the significant risks that might affectobjectives, operations, or resources. However, assurance procedures alone, even whenperformed with due professional care, do not guarantee that all significant risks will beidentified.

1220.C1 – The internal auditor should exercise due professional care during a consultingengagement by considering the:• Needs and expectations of clients, including the nature, timing, and communication of

engagement results.• Relative complexity and extent of work needed to achieve the engagement’s objectives.• Cost of the consulting engagement in relation to potential benefits.

1230 – Continuing Professional DevelopmentInternal auditors should enhance their knowledge, skills, and other competencies throughcontinuing professional development.

1300 – Quality Assurance and Improvement ProgramThe chief audit executive should develop and maintain a quality assurance and improvement programthat covers all aspects of the internal audit activity and continuously monitors its effectiveness.This program includes periodic internal and external quality assessments and ongoing internalmonitoring. Each part of the program should be designed to help the internal auditing activity addvalue and improve the organization’s operations and to provide assurance that the internal auditactivity is in conformity with the Standards and the Code of Ethics.



1310 – Quality Program AssessmentsThe internal audit activity should adopt a process to monitor and assess the overall effectivenessof the quality program. The process should include both internal and external assessments.

1311 – Internal AssessmentsInternal assessments should include:• Ongoing reviews of the performance of the internal audit activity; and• Periodic reviews performed through self-assessment or by other persons within the

organization, with knowledge of internal audit practices and the Standards.

1312 – External AssessmentsExternal assessments, such as quality assurance reviews, should be conducted at leastonce every five years by a qualified, independent reviewer or review team from outsidethe organization.

1320 – Reporting on the Quality ProgramThe chief audit executive should communicate the results of external assessments to theboard.

1330 – Use of “Conducted in Accordance with the Standards”Internal auditors are encouraged to report that their activities are “conducted in accordancewith the International Standards for the Professional Practice of Internal Auditing.” However,internal auditors may use the statement only if assessments of the quality improvement programdemonstrate that the internal audit activity is in compliance with the Standards.

1340 – Disclosure of NoncomplianceAlthough the internal audit activity should achieve full compliance with the Standards andinternal auditors with the Code of Ethics, there may be instances in which full compliance isnot achieved. When noncompliance impacts the overall scope or operation of the internalaudit activity, disclosure should be made to senior management and the board.

PERFORMANCE STANDARDS

2000 – Managing the Internal Audit ActivityThe chief audit executive should effectively manage the internal audit activity to ensure it addsvalue to the organization.

2010 – PlanningThe chief audit executive should establish risk-based plans to determine the priorities of theinternal audit activity, consistent with the organization’s goals.



2010.A1 – The internal audit activity’s plan of engagements should be based on a riskassessment, undertaken at least annually. The input of senior management and the boardshould be considered in this process.

2010.C1 – The chief audit executive should consider accepting proposed consultingengagements based on the engagement’s potential to improve management of risks, addvalue, and improve the organization’s operations. Those engagements that have beenaccepted should be included in the plan.

2020 – Communication and ApprovalThe chief audit executive should communicate the internal audit activity’s plans and resourcerequirements, including significant interim changes, to senior management and to the board forreview and approval. The chief audit executive should also communicate the impact of resourcelimitations.

2030 – Resource ManagementThe chief audit executive should ensure that internal audit resources are appropriate, sufficient,and effectively deployed to achieve the approved plan.

2040 – Policies and ProceduresThe chief audit executive should establish policies and procedures to guide the internal auditactivity.

2050 – CoordinationThe chief audit executive should share information and coordinate activities with other internaland external providers of relevant assurance and consulting services to ensure proper coverageand minimize duplication of efforts.

2060 – Reporting to the Board and Senior ManagementThe chief audit executive should report periodically to the board and senior management onthe internal audit activity’s purpose, authority, responsibility, and performance relative to itsplan. Reporting should also include significant risk exposures and control issues, corporategovernance issues, and other matters needed or requested by the board and senior management.

2100 – Nature of WorkThe internal audit activity should evaluate and contribute to the improvement of risk management,control, and governance processes using a systematic and disciplined approach.



2110 – Risk ManagementThe internal audit activity should assist the organization by identifying and evaluating significantexposures to risk and contributing to the improvement of risk management and control systems.

2110.A1 – The internal audit activity should monitor and evaluate the effectiveness of theorganization’s risk management system.

2110.A2 – The internal audit activity should evaluate risk exposures relating to theorganization’s governance, operations, and information systems regarding the:• Reliability and integrity of financial and operational information.• Effectiveness and efficiency of operations.• Safeguarding of assets.• Compliance with laws, regulations, and contracts.

2110.C1 – During consulting engagements, internal auditors should address risk consistentwith the engagement’s objectives and be alert to the existence of other significant risks.

2110.C2 – Internal auditors should incorporate knowledge of risks gained from consultingengagements into the process of identifying and evaluating significant risk exposures ofthe organization.

2120 – ControlThe internal audit activity should assist the organization in maintaining effective controls byevaluating their effectiveness and efficiency and by promoting continuous improvement.

2120.A1 – Based on the results of the risk assessment, the internal audit activity shouldevaluate the adequacy and effectiveness of controls encompassing the organization’sgovernance, operations, and information systems. This should include:• Reliability and integrity of financial and operational information.• Effectiveness and efficiency of operations.• Safeguarding of assets.• Compliance with laws, regulations, and contracts.

2120.A2 – Internal auditors should ascertain the extent to which operating and programgoals and objectives have been established and conform to those of the organization.

2120.A3 – Internal auditors should review operations and programs to ascertain the extentto which results are consistent with established goals and objectives to determine whetheroperations and programs are being implemented or performed as intended.



2120.A4 – Adequate criteria are needed to evaluate controls. Internal auditors shouldascertain the extent to which management has established adequate criteria to determinewhether objectives and goals have been accomplished. If adequate, internal auditorsshould use such criteria in their evaluation. If inadequate, internal auditors should workwith management to develop appropriate evaluation criteria.

2120.C1 – During consulting engagements, internal auditors should address controlsconsistent with the engagement’s objectives and be alert to the existence of any significantcontrol weaknesses.

2120.C2 – Internal auditors should incorporate knowledge of controls gained fromconsulting engagements into the process of identifying and evaluating significant riskexposures of the organization.

2130 – GovernanceThe internal audit activity should assess and make appropriate recommendations for improvingthe governance process in its accomplishment of the following objectives:• Promoting appropriate ethics and values within the organization.• Ensuring effective organizational performance management and accountability.• Effectively communicating risk and control information to appropriate areas of the

organization.• Effectively coordinating the activities of and communicating information among the board,

external and internal auditors, and management.

2130.A1 – The internal audit activity should evaluate the design, implementation, andeffectiveness of the organization’s ethics-related objectives, programs, and activities.

2130.C1 – Consulting engagement objectives should be consistent with the overall valuesand goals of the organization.

2200 – Engagement PlanningInternal auditors should develop and record a plan for each engagement, including the scope,objectives, timing, and resource allocations.

2201 – Planning ConsiderationsIn planning the engagement, internal auditors should consider:• The objectives of the activity being reviewed and the means by which the activity controls

its performance.



• The significant risks to the activity, its objectives, resources, and operations and the meansby which the potential impact of risk is kept to an acceptable level.

• The adequacy and effectiveness of the activity’s risk management and control systemscompared to a relevant control framework or model.

• The opportunities for making significant improvements to the activity’s risk managementand control systems.

2201.A1 – When planning an engagement for parties outside the organization, internalauditors should establish a written understanding with them about objectives, scope,respective responsibilities, and other expectations, including restrictions on distribution ofthe results of the engagement and access to engagement records.

2201.C1 – Internal auditors should establish an understanding with consulting engagementclients about objectives, scope, respective responsibilities, and other client expectations.For significant engagements, this understanding should be documented.

2210 – Engagement ObjectivesObjectives should be established for each engagement.

2210.A1 – Internal auditors should conduct a preliminary assessment of the risks relevantto the activity under review. Engagement objectives should reflect the results of thisassessment.

2210.A2 – The internal auditor should consider the probability of significant errors,irregularities, noncompliance, and other exposures when developing the engagementobjectives.

2210.C1 – Consulting engagement objectives should address risks, controls, andgovernance processes to the extent agreed upon with the client.

2220 – Engagement ScopeThe established scope should be sufficient to satisfy the objectives of the engagement.

2220.A1 – The scope of the engagement should include consideration of relevant systems,records, personnel, and physical properties, including those under the control of third parties.

2220.A2 – If significant consulting opportunities arise during an assurance engagement, aspecific written understanding as to the objectives, scope, respective responsibilities, andother expectations should be reached and the results of the consulting engagementcommunicated in accordance with consulting standards.



2220.C1 – In performing consulting engagements, internal auditors should ensure that thescope of the engagement is sufficient to address the agreed-upon objectives. If internalauditors develop reservations about the scope during the engagement, these reservationsshould be discussed with the client to determine whether to continue with the engagement.

2230 – Engagement Resource AllocationInternal auditors should determine appropriate resources to achieve engagement objectives.Staffing should be based on an evaluation of the nature and complexity of each engagement,time constraints, and available resources.

2240 – Engagement Work ProgramInternal auditors should develop work programs that achieve the engagement objectives. Thesework programs should be recorded.

2240.A1 – Work programs should establish the procedures for identifying, analyzing,evaluating, and recording information during the engagement. The work program shouldbe approved prior to its implementation, and any adjustments approved promptly.

2240.C1 – Work programs for consulting engagements may vary in form and contentdepending upon the nature of the engagement.

2300 – Performing the EngagementInternal auditors should identify, analyze, evaluate, and record sufficient information to achieve theengagement’s objectives.

2310 – Identifying InformationInternal auditors should identify sufficient, reliable, relevant, and useful information to achievethe engagement’s objectives.

2320 – Analysis and EvaluationInternal auditors should base conclusions and engagement results on appropriate analysesand evaluations.

2330 – Recording InformationInternal auditors should record relevant information to support the conclusions and engagementresults.

2330.A1 – The chief audit executive should control access to engagement records. Thechief audit executive should obtain the approval of senior management and/or legal counselprior to releasing such records to external parties, as appropriate.



2330.A2 – The chief audit executive should develop retention requirements for engagementrecords. These retention requirements should be consistent with the organization’s guidelinesand any pertinent regulatory or other requirements.

2330.C1 – The chief audit executive should develop policies governing the custody andretention of engagement records, as well as their release to internal and external parties.These policies should be consistent with the organization’s guidelines and any pertinentregulatory or other requirements.

2340 – Engagement SupervisionEngagements should be properly supervised to ensure objectives are achieved, quality is assured,and staff is developed.

2400 – Communicating ResultsInternal auditors should communicate the engagement results.

2410 – Criteria for CommunicatingCommunications should include the engagement’s objectives and scope as well as applicableconclusions, recommendations, and action plans.

2410.A1 – Final communication of engagement results should, where appropriate, containthe internal auditor’s overall opinion and or conclusions.

2410.A2 – Internal auditors are encouraged to acknowledge satisfactory performance inengagement communications.

2410.A3 – When releasing engagement results to parties outside the organization, thecommunication should include limitations on distribution and use of the results.

2410.C1 – Communication of the progress and results of consulting engagements willvary in form and content depending upon the nature of the engagement and the needs ofthe client.

2420 – Quality of CommunicationsCommunications should be accurate, objective, clear, concise, constructive, complete, andtimely.



2421 – Errors and OmissionsIf a final communication contains a significant error or omission, the chief audit executiveshould communicate corrected information to all parties who received the originalcommunication.

2430 – Engagement Disclosure of Noncompliance with the StandardsWhen noncompliance with the Standards impacts a specific engagement, communication ofthe results should disclose the:• Standard(s) with which full compliance was not achieved,• Reason(s) for noncompliance, and• Impact of noncompliance on the engagement

2440 – Disseminating ResultsThe chief audit executive should communicate results to the appropriate parties.

2440.A1 – The chief audit executive is responsible for communicating the final results toparties who can ensure that the results are given due consideration.

2440.A2 – If not otherwise mandated by legal, statutory, or regulatory requirements, priorto releasing results to parties outside the organization, the chief executive should:• Assess the potential risk to the organization.• Consult with senior management and/or legal counsel as appropriate.• Control dissemination by restricting the use of the results.

2440.C1 – The chief audit executive is responsible for communicating the final results ofconsulting engagements to clients.

2440.C2 – During consulting engagements, risk management, control, and governanceissues may be identified. Whenever these issues are significant to the organization, theyshould be communicated to senior management and the board.

2500 – Monitoring ProgressThe chief audit executive should establish and maintain a system to monitor the disposition ofresults communicated to management.

2500.A1 – The chief audit executive should establish a follow-up process to monitor andensure that management actions have been effectively implemented or that seniormanagement has accepted the risk of not taking action.



2500.C1 – The internal audit activity should monitor the disposition of results of consultingengagements to the extent agreed upon with the client.

2600 – Resolution of Management’s Acceptance of RisksWhen the chief audit executive believes that senior management has accepted a level of residualrisk that may be unacceptable to the organization, the chief audit executive should discuss thematter with senior management. If the decision regarding residual risk is not resolved, the chiefaudit executive and senior management should report the matter to the board for resolution.

Practice Advisories

Attribute StandardsPA 1000-1 Internal Audit CharterPA 1000.C1-1 Principles Guiding the Performance of Consulting Activities of Internal AuditorsPA 1000.C1-2 Additional Considerations for Formal Consulting EngagementsPA 1100-1 Independence and ObjectivityPA 1110-1 Organizational IndependencePA 1110-2 Chief Audit Executive (CAE) Reporting LinesPA 1110.A1-1 Disclosing Reasons for Information RequestsPA 1120-1 Individual ObjectivityPA 1130-1 Impairments to Independence or ObjectivityPA 1130.A1-1 Assessing Operations for Which Internal Auditors Were Previously ResponsiblePA 1130.A1-2 Internal Auditing’s Responsibility for Other (Non-audit) FunctionsPA 1200-1 Proficiency and Due Professional CarePA 1210-1 ProficiencyPA 1210.A1-1 Obtaining Services to Support or Complement the Internal Audit ActivityPA 1210.A2-1 Identification of FraudPA 1210.A2-2 Responsibility for Fraud DetectionPA 1220-1 Due Professional CarePA 1230-1 Continuing Professional DevelopmentPA 1300-1 Quality Assurance and Improvement ProgramPA 1310-1 Quality Program AssessmentsPA 1311-1 Internal AssessmentsPA 1312-1 External AssessmentsPA 1312-2 External Assessments Self-assessment with Independent ValidationPA 1320-1 Reporting on the Quality ProgramPA 1330-1 Use of “Conducted in Accordance with the Standards”



Performance StandardsPA 2000-1 Managing the Internal Audit ActivityPA 2010-1 PlanningPA 2010-2 Linking the Audit Plan to Risk and ExposuresPA 2020-1 Communication and ApprovalPA 2030-1 Resource ManagementPA 2040-1 Policies and ProceduresPA 2050-1 CoordinationPA 2050-2 Acquisition of External Audit ServicesPA 2060-1 Reporting to Board and Senior ManagementPA 2060-2 Relationship with the Audit CommitteePA 2100-1 Nature of WorkPA 2100-2 Information SecurityPA 2100-3 Internal Auditing’s Role in the Risk Management ProcessPA 2100-4 Internal Auditing’s Role in Organizations Without a Risk Management ProcessPA 2100-5 Legal Considerations in Evaluating Regulatory Compliance ProgramsPA 2100-6 Control and Audit Implications of E-commerce ActivitiesPA 2100-7 Internal Auditing’s Role in Identifying and Reporting Environmental RisksPA 2100-8 Internal Auditing’s Role in Evaluating an Organization’s Privacy FrameworkPA 2110-1 Assessing the Adequacy of Risk Management ProcessesPA 2110-2 Internal Auditing’s Role in the Business Continuity ProcessPA 2120.A1-1 Assessing and Reporting on Control ProcessesPA 2120.A1-2 Using Control Self-assessment for Assessing the Adequacy of Control

ProcessesPA 2120.A1-3 Internal Auditing’s Role in Quarterly Financial Reporting, Disclosures,

and Management CertificationsPA 2120.A1-4 Auditing the Financial Reporting ProcessPA 2120.A4-1 Control CriteriaPA 2130-1 Role of the Internal Audit Activity and Internal Auditor in the Ethical Culture

of an OrganizationPA 2200-1 Engagement PlanningPA 2210-1 Engagement ObjectivesPA 2210.A1-1 Risk Assessment in Engagement PlanningPA 2230-1 Engagement Resource AllocationPA 2240-1 Engagement Work ProgramPA 2240.A1-1 Approval of Work Programs



PA 2300-1 Internal Auditing’s Use of Personal Information in Conducting AuditsPA 2310-1 Identifying InformationPA 2320-1 Analysis and EvaluationPA 2330-1 Recording InformationPA 2330.A1-1 Control of Engagement RecordsPA 2330.A1-2 Legal Considerations in Granting Access to Engagement RecordsPA 2330.A2-1 Retention of RecordsPA 2340-1 Engagement SupervisionPA 2400-1 Legal Considerations in Communicating ResultsPA 2410-1 Communication CriteriaPA 2420-1 Quality of CommunicationsPA 2440-1 Recipients of Engagement ResultsPA 2440-2 Communications Outside the OrganizationPA 2440-3 Communicating Sensitive Information Within and Outside the Chain

of CommandPA 2500-1 Monitoring ProgressPA 2500.A1-1 Follow-up ProcessPA 2600-1 Management’s Acceptance of Risks



GLOSSARY TO THE STANDARDS

Add ValueValue is provided by improving opportunities to achieve organizational objectives, identifyingoperational improvement, and/or reducing risk exposure through both assurance and consultingservices.

Adequate ControlPresent if management has planned and organized (designed) in a manner that provides reasonableassurance that the organization’s risks have been managed effectively and that the organization’sgoals and objectives will be achieved efficiently and economically.

Assurance ServicesAn objective examination of evidence for the purpose of providing an independent assessment onrisk management, control, or governance processes for the organization. Examples may includefinancial, performance, compliance, system security, and due diligence engagements.

BoardA board is an organization’s governing body, such as a board of directors, supervisory board, headof an agency or legislative body, board of governors or trustees of a nonprofit organization, or anyother designated body of the organization, including the audit committee, to whom the chief auditexecutive may functionally report.

CharterThe charter of the internal audit activity is a formal written document that defines the activity’spurpose, authority, and responsibility. The charter should (a) establish the internal audit activity’sposition within the organization; (b) authorize access to records, personnel, and physical propertiesrelevant to the performance of engagements; and (c) define the scope of internal audit activities.

Chief Audit ExecutiveTop position within the organization responsible for internal audit activities. Normally, this would bethe internal audit director. In the case where internal audit activities are obtained from outsideservice providers, the chief audit executive is the person responsible for overseeing the servicecontract and the overall quality assurance of these activities, reporting to senior management andthe board regarding internal audit activities, and follow-up of engagement results. The term alsoincludes such titles as general auditor, chief internal auditor, and inspector general.



Code of EthicsThe Code of Ethics of The Institute of Internal Auditors (IIA) are Principles relevant to the professionand practice of internal auditing, and Rules of Conduct that describe behavior expected of internalauditors. The Code of Ethics applies to both parties and entities that provide internal audit services.The purpose of the Code of Ethics is to promote an ethical culture in the global profession ofinternal auditing.

ComplianceConformity and adherence to policies, plans, procedures, laws, regulations, contracts, or otherrequirements.

Conflict of InterestAny relationship that is or appears to be not in the best interest of the organization. A conflict ofinterest would prejudice an individual’s ability to perform his or her duties and responsibilitiesobjectively.

Consulting ServicesAdvisory and related client service activities, the nature and scope of which are agreed with theclient and which are intended to add value and improve an organization’s governance, riskmanagement, and control processes without the internal auditor assuming management responsibility.Examples include counsel, advice, facilitation, and training.

ControlAny action taken by management, the board, and other parties to manage risk and increase thelikelihood that established objectives and goals will be achieved. Management plans, organizes,and directs the performance of sufficient actions to provide reasonable assurance that objectivesand goals will be achieved.

Control EnvironmentThe attitude and actions of the board and management regarding the significance of control withinthe organization. The control environment provides the discipline and structure for the achievementof the primary objectives of the system of internal control. The control environment includes thefollowing elements:

• Integrity and ethical values.• Management’s philosophy and operating style.• Organizational structure.• Assignment of authority and responsibility.• Human resource policies and practices.• Competence of personnel.



Control ProcessesThe policies, procedures, and activities that are part of a control framework, designed to ensurethat risks are contained within the risk tolerances established by the risk management process.

EngagementA specific internal audit assignment, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy. An engagement may include multiple tasksor activities designed to accomplish a specific set of related objectives.

Engagement ObjectivesBroad statements developed by internal auditors that define intended engagement accomplishments.

Engagement Work ProgramA document that lists the procedures to be followed during an engagement, designed to achieve theengagement plan.

External Service ProviderA person or firm, outside of the organization, who has special knowledge, skill, and experience in aparticular discipline.

FraudAny illegal acts characterized by deceit, concealment, or violation of trust. These acts are notdependent upon the application of threat of violence or of physical force. Frauds are perpetratedby parties and organizations to obtain money, property, or services; to avoid payment or loss ofservices; or to secure personal or business advantage.

GovernanceThe combination of processes and structures implemented by the board in order to inform, direct,manage, and monitor the activities of the organization toward the achievement of its objectives.

ImpairmentsImpairments to individual objectivity and organizational independence may include personal conflictsof interest, scope limitations, restrictions on access to records, personnel, and properties, andresource limitations (funding).

IndependenceThe freedom from conditions that threaten objectivity or the appearance of objectivity. Suchthreats to objectivity must be managed at the individual auditor, engagement, functional, andorganizational levels.



Internal Audit ActivityA department, division, team of consultants, or other practitioner(s) that provides independent,objective assurance and consulting services designed to add value and improve an organization’soperations. The internal audit activity helps an organization accomplish its objectives by bringing asystematic, disciplined approach to evaluate and improve the effectiveness of risk management,control, and governance processes.

ObjectivityAn unbiased mental attitude that allows internal auditors to perform engagements in such a mannerthat they have an honest belief in their work product and that no significant quality compromisesare made. Objectivity requires internal auditors not to subordinate their judgment on audit mattersto that of others.

Residual RiskThe risk remaining after management takes action to reduce the impact and likelihood of an adverseevent, including control activities in responding to a risk.

RiskThe possibility of an event occurring that will have an impact on the achievement of objectives.Risk is measured in terms of impact and likelihood.

Risk ManagementA process to identify, assess, manage, and control potential events or situations to provide reasonableassurance regarding the achievement of the organization’s objectives.

ShouldThe use of the word “should” in the Standards represents a mandatory obligation.

StandardA professional pronouncement promulgated by the Internal Auditing Standards Board that delineatesthe requirements for performing a broad range of internal audit activities, and for evaluating internalaudit performance.



APPENDIX 4-B

Table 4-3-1-AIAA is in Full Compliance with The Standards


Standard Number of Full Partial Not in Do NotRespondents Compliance Compliance Compliance Know

1000 – Purpose, Authority, 5,947 63.0 25.0 2.2 9.8and Responsibility1100 – Independence and 5,953 66.9 22.2 2.7 8.2Objectivity1200 – Proficiency and Due 5,923 62.9 26.1 2.0 9.0Professional Care1300 – Quality Assurance 5,896 40.0 35.7 12.1 12.2and Improvement Program2000 – Managing the 5,900 57.6 28.9 3.3 10.2Internal Audit Activity2100 – Nature of Work 5,844 57.5 28.7 2.3 11.52200 – Engagement Planning 5,886 57.7 29.0 2.9 10.42300 – Performing the 5,881 59.7 28.2 1.9 10.2Engagement2400 – Communicating 5,896 64.1 24.6 2.0 9.3Results2500 – Monitoring Progress 5,873 52.6 32.1 4.4 10.92600 – Resolution of 5,873 46.9 30.7 7.4 15.0Management’s Acceptanceof Risks



Table 4-3-2-AIAA is in Full Compliance with the Standards



1000 – Purpose, Authority, 1,765 68.1 26.7 2.0 3.2and Responsibility1100 – Independence and 1,772 73.6 22.0 2.1 2.3Objectivity1200 – Proficiency and Due 1,760 67.0 28.3 1.5 3.2Professional Care1300 – Quality Assurance 1,746 33.2 45.0 16.1 5.7and Improvement Program2000 – Managing the 1,754 61.8 32.0 2.7 3.5Internal Audit Activity2100 – Nature of Work 1,730 59.3 32.8 2.6 5.32200 – Engagement Planning 1,749 60.4 32.5 2.7 4.42300 – Performing the 1,743 62.1 31.8 1.9 4.2Engagement2400 – Communicating 1,738 68.6 26.2 2.1 3.1Results2500 – Monitoring Progress 1,730 56.1 35.5 4.1 4.32600 – Resolution of 1,742 49.0 35.0 8.0 8.0Management’s Acceptanceof Risks



Table 4-3-3-AIAA is in Full Compliance with the Standards

Practitioner Respondents in Percentages


1000 – Purpose, Authority, 4,169 60.8 24.2 2.3 12.7and Responsibility1100 – Independence and 4,167 64.1 22.2 2.9 10.8Objectivity1200 – Proficiency and 4,149 61.1 25.1 2.1 11.7Due Professional Care1300 – Quality Assurance 4,136 43.0 31.7 10.4 14.9and Improvement Program2000 – Managing the 4,132 55.8 27.5 3.6 13.1Internal Audit Activity2100 – Nature of Work 4,101 56.8 26.9 2.2 14.12200 – Engagement Planning 4,123 56.7 27.5 2.9 13.02300 – Performing the 4,124 58.7 26.7 1.9 12.7Engagement2400 – Communicating 4,144 62.3 23.8 2.0 11.9Results2500 – Monitoring Progress 4,130 51.3 30.6 4.5 13.62600 – Resolution of 4,117 46.1 28.8 7.0 18.1Management’s Acceptanceof Risks



Table 4-3-4-AIAA is in Full Compliance with the Standards by Groups*


Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

1000 68.9 61.8 62.7 51.0 58.1 60.9 58.7 61.7 62.8 63.6 62.4 55.9 48.31100 70.6 66.2 65.4 54.3 61.8 71.1 66.9 66.7 66.2 70.0 73.2 63.6 54.01200 69.1 69.2 63.3 46.5 52.9 60.5 64.9 59.9 60.5 56.9 61.3 55.9 50.61300 47.2 37.7 40.2 25.9 35.5 34.3 38.7 35.2 32.0 30.0 29.5 21.2 33.32000 63.8 60.1 57.4 47.0 52.5 56.4 55.9 52.5 50.7 56.0 57.3 48.4 43.82100 64.7 61.3 55.4 44.3 46.6 50.0 57.2 56.7 51.3 49.5 57.6 44.8 45.22200 63.3 59.1 58.9 33.3 54.6 52.2 57.6 58.3 56.6 50.0 56.6 56.3 46.52300 67.3 60.4 61.5 35.0 51.0 55.6 57.8 60.5 55.8 47.7 52.4 40.6 46.72400 69.7 66.2 67.9 41.3 56.9 63.5 61.6 63.9 60.5 56.0 64.4 68.8 51.32500 60.1 57.1 51.7 31.2 48.2 53.8 47.6 47.7 50.6 39.8 53.1 50.0 40.22600 57.9 48.1 50.0 29.1 33.6 41.3 37.7 37.3 35.5 36.4 46.6 40.6 33.4


Table 4-3-5-AIAA Partially Complies with the Standards by Groups*


Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

1000 14.2 23.7 27.8 43.7 34.8 33.2 34.9 29.9 26.9 27.3 31.5 38.2 38.31100 13.9 21.4 25.3 38.8 31.8 24.3 28.1 27.2 16.9 23.6 22.8 33.3 32.81200 15.0 20.5 28.2 46.5 39.7 33.0 29.8 34.4 28.9 33.9 32.0 41.2 37.31300 25.8 40.9 38.3 53.8 43.7 43.7 43.1 38.1 38.7 46.4 53.7 51.5 43.72000 19.0 29.4 29.8 43.7 35.2 35.4 37.6 38.7 34.7 28.4 34.0 48.4 39.72100 17.0 26.0 32.4 45.5 42.8 38.6 36.1 35.8 36.8 36.7 32.6 48.3 39.32200 18.7 27.9 30.5 57.3 35.3 37.9 37.0 34.3 31.6 38.9 33.6 40.6 38.32300 16.1 29.2 29.8 55.7 39.6 35.0 37.8 33.1 33.8 41.3 39.9 53.1 38.52400 14.5 23.4 23.6 51.0 33.2 30.9 32.6 30.1 31.6 36.7 27.4 28.1 35.32500 21.3 29.9 35.8 51.8 39.2 35.5 43.1 40.6 33.8 48.1 36.7 43.8 40.72600 19.8 33.1 32.1 48.6 42.0 37.7 43.9 37.6 34.2 37.3 36.5 37.5 38.5




Table 4-3-6-AIAA is Not in Compliance with the Standards by Groups*


Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

1000 1.1 3.9 2.1 1.6 2.6 2.0 3.4 4.0 5.1 1.8 0.7 5.9 3.81100 1.6 3.2 3.7 4.1 3.1 1.6 3.6 3.1 11.7 0.0 0.0 3.0 5.51200 1.1 1.3 1.9 3.7 3.1 1.6 3.7 2.1 5.3 3.7 1.3 2.9 2.91300 9.1 9.1 12.9 14.2 12.6 15.3 14.3 18.2 16.0 14.5 12.1 24.2 11.92000 1.5 1.3 5.4 4.0 5.8 3.9 4.2 4.4 8.0 4.6 3.3 3.2 5.42100 1.2 1.3 3.1 3.3 2.9 3.4 3.9 2.4 6.6 4.6 2.1 3.4 3.92200 1.9 1.9 3.4 3.7 4.3 3.3 3.4 3.8 5.3 2.8 3.5 0.0 3.62300 1.2 0.6 1.7 2.8 3.6 2.0 1.7 2.3 3.9 2.8 1.4 6.3 3.92400 1.2 0.6 1.7 3.6 5.1 1.0 3.6 2.4 2.6 0.9 2.7 0.0 2.72500 2.4 0.6 5.2 8.1 6.3 4.0 6.8 6.4 7.8 5.6 4.1 6.3 7.32600 3.1 4.5 7.4 9.7 13.3 8.0 13.2 10.9 21.1 10.0 8.8 18.8 10.2




Table 4-6-1-AStandards Guidance is Adequate


Standard Number of Yes No Do Not Do NotRespondents Use Know

1000 – Purpose, Authority, and 1,791 93.3 1.1 2.7 2.9Responsibility1100 – Independence and Objectivity 1,775 94.1 2.1 1.5 2.31200 – Proficiency and Due Professional 1,767 92.9 1.7 2.5 2.9Care1300 – Quality Assurance and 1,761 81.5 6.1 8.7 3.7Improvement Program2000 – Managing the Internal Audit 1,755 90.0 3.6 3.3 3.1Activity2100 – Nature of Work 1,738 88.0 3.7 3.9 4.42200 – Engagement Planning 1,752 89.4 3.3 4.2 3.12300 – Performing the Engagement 1,744 89.3 3.9 3.7 3.12400 – Communicating Results 1,751 91.3 3.2 2.9 2.62500 – Monitoring Progress 1,732 88.4 4.0 4.1 3.52600 – Resolution of Management’s 1,729 81.3 6.5 6.9 5.3Acceptance of RisksOverall Average 89.0 3.6 4.0 3.4



Table 4-6-2-AStandards Guidance is Adequate

Practitioner Responses in Percentages

Standard Number of Yes No Do Not Do NotRespondents Use Know

1000 – Purpose, Authority, and 4,266 83.2 1.3 2.7 12.8Responsibility1100 – Independence and Objectivity 4,240 85.6 1.6 1.7 11.11200 – Proficiency and Due Professional 4,227 84.5 1.7 2.2 11.6Care1300 – Quality Assurance and 4,207 75.6 4.7 5.3 14.4Improvement Program2000 – Managing the Internal Audit 4,215 81.0 2.9 3.3 12.8Activity2100 – Nature of Work 4,178 79.8 2.9 3.3 14.02200 – Engagement Planning 4,198 81.2 3.3 2.8 12.72300 – Performing the Engagement 4,187 81.5 3.5 2.7 12.32400 – Communicating Results 4,190 82.6 3.1 2.4 11.92500 – Monitoring Progress 4,171 79.1 4.1 3.9 12.92600 – Resolution of Management’s 4,179 73.8 5.2 4.7 16.3Acceptance of RisksOverall Average 80.7 3.1 3.2 13.0



Table 4-6-3-AStandards Guidance is Adequate by Groups*


Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

1000 81.9 83.8 88.1 90.7 91.6 90.5 90.8 92.7 93.2 91.5 88.0 100.0 81.51100 83.7 84.1 89.5 91.5 93.6 92.7 94.3 93.9 93.2 91.6 91.1 100.0 85.21200 82.6 87.3 88.3 92.7 89.9 91.1 93.1 93.2 91.5 89.5 88.4 97.1 83.81300 75.6 78.3 79.1 79.3 77.7 77.7 86.9 77.3 72.5 77.6 81.2 91.4 72.92000 80.8 82.9 83.7 86.1 85.7 89.4 90.4 89.4 80.3 85.7 83.2 97.1 78.12100 78.9 82.2 81.1 84.3 82.4 84.0 89.4 90.5 81.7 82.9 85.0 96.9 78.92200 80.1 81.0 84.8 82.7 88.2 84.1 92.2 91.3 76.8 86.7 87.5 91.2 78.82300 81.0 82.1 83.7 82.7 87.1 86.6 91.2 91.7 76.8 84.6 86.8 85.3 78.22400 81.5 83.3 86.9 86.8 88.6 88.6 92.0 91.7 78.3 88.5 88.8 97.1 80.32500 79.1 82.1 83.4 79.7 85.6 85.4 88.1 87.6 74.3 79.8 86.2 91.2 75.92600 75.7 74.4 79.3 75.2 72.6 74.8 83.6 77.3 64.8 76.9 78.4 90.9 69.8




Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

1000 92.2 92.9 96.8 96.1 92.4 94.9 91.9 95.5 93.5 100.0 93.3 100.0 87.81100 92.4 91.2 96.7 96.1 96.5 96.6 96.0 95.9 93.5 100.0 95.0 100.0 88.51200 91.9 98.6 95.2 97.4 91.1 94.9 92.8 92.7 93.3 97.1 89.8 100.0 89.41300 82.5 83.8 86.9 87.0 75.7 76.7 89.5 74.9 75.9 82.9 86.7 100.0 78.92000 90.6 92.6 91.8 90.8 88.2 92.2 88.5 91.6 82.8 91.4 86.7 100.0 81.92100 88.2 92.6 86.9 90.5 80.6 84.8 91.6 91.0 82.1 94.3 89.7 100.0 83.92200 89.0 87.0 87.4 89.3 90.3 84.3 92.6 93.0 89.3 94.3 91.4 100.0 85.42300 89.6 89.7 88.2 89.3 88.8 87.7 89.7 92.5 79.3 94.3 91.1 87.5 82.82400 90.6 91.2 90.9 92.1 93.1 93.9 92.7 93.0 82.8 97.1 91.2 100.0 85.12500 89.1 89.6 86.9 86.5 91.5 89.6 89.5 90.0 80.0 82.4 89.3 87.5 79.82600 84.7 79.1 83.6 81.1 69.0 80.7 84.4 80.9 66.7 85.7 78.9 100.0 74.5





Practitioner Respondents in Percentages

Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

1000 77.9 76.7 85.5 88.6 91.0 87.9 90.3 91.3 93.0 87.3 84.7 100.0 79.51100 80.4 78.7 87.3 89.8 91.8 90.4 93.7 93.0 92.9 87.5 88.7 100.0 84.01200 79.1 78.7 86.1 90.4 89.1 88.8 93.2 93.5 90.2 85.9 87.5 96.3 82.01300 73.0 74.2 76.9 76.5 78.6 78.1 86.0 78.5 70.0 75.0 77.7 88.9 71.22000 77.0 75.6 81.3 84.3 84.1 87.8 91.0 88.2 78.6 82.9 81.1 96.2 76.92100 75.3 74.2 79.3 81.8 83.2 83.5 88.6 90.3 81.4 77.1 82.1 95.8 77.32200 76.6 76.4 84.0 80.6 86.9 83.9 92.0 90.5 68.3 82.9 85.1 88.5 76.72300 77.7 76.1 82.3 79.4 85.9 85.8 91.7 91.4 75.0 79.7 84.2 84.6 77.02400 78.0 77.3 85.7 84.1 86.0 85.4 91.7 91.1 75.0 84.1 87.4 96.2 78.82500 75.2 76.4 82.3 77.4 82.1 82.8 87.6 86.4 70.0 78.6 84.4 92.3 74.92600 72.3 70.8 78.0 72.7 74.2 71.2 83.3 75.5 63.4 72.5 78.1 88.0 68.5


Table 4-6-6-AStandards Guidance is Not Adequate by Groups*


Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

1000 0.8 1.3 1.3 2.0 1.0 1.3 1.9 1.0 0.0 0.0 2.5 0.0 3.21100 1.3 5.1 2.2 2.4 1.0 1.6 1.9 1.5 0.0 0.9 2.5 0.0 3.51200 1.5 1.9 2.4 1.2 2.5 1.0 1.7 0.4 1.4 2.9 2.6 2.9 3.21300 3.8 4.5 7.9 7.7 5.7 6.5 1.9 5.1 2.9 9.3 7.8 2.9 8.22000 2.1 5.1 4.0 4.9 3.2 2.2 2.5 2.5 9.9 4.8 7.7 0.0 4.72100 2.4 2.5 5.7 4.1 3.7 3.9 3.3 1.4 7.0 5.7 4.6 0.0 4.32200 2.4 4.4 3.8 5.3 2.9 4.2 2.5 2.1 14.5 5.7 4.6 2.9 5.62300 2.2 5.1 5.3 5.3 5.5 3.0 2.8 2.1 13.0 7.7 5.3 8.8 6.62400 2.4 3.8 3.4 3.7 4.0 3.2 3.6 2.4 11.6 3.8 3.3 0.0 4.72500 3.1 3.2 5.1 5.8 3.8 3.2 3.6 3.0 14.3 10.6 5.3 5.9 7.32600 4.1 7.1 6.1 6.2 8.5 5.9 5.3 5.0 9.9 7.7 9.2 3.0 8.7




Table 4-7-1-AIAA Does Not Use Practice Advisories by Groups*


Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

1000 15.2 11.5 10.6 8.7 7.3 17.1 10.0 7.6 12.5 12.2 7.3 3.4 13.31100 14.6 12.3 11.0 7.3 7.0 16.0 7.1 6.7 14.3 10.2 7.3 3.4 11.61200 15.2 13.8 11.0 7.7 8.1 18.6 7.9 7.5 13.1 11.1 7.5 6.9 11.61300 17.5 18.0 12.6 15.9 16.8 20.6 16.0 20.1 27.0 16.9 15.8 13.8 16.92000 15.6 15.3 12.1 7.2 10.0 18.9 10.5 9.3 14.5 10.2 8.9 3.4 14.22100 16.4 17.0 11.6 9.6 11.8 22.2 8.6 9.3 11.1 11.4 9.0 3.4 16.42200 15.7 19.0 12.4 10.0 8.4 20.8 8.1 7.1 12.9 12.4 7.4 3.4 15.82300 15.4 17.5 11.6 10.1 7.9 18.7 8.7 7.1 11.1 11.4 6.6 6.9 15.62400 15.4 15.6 11.1 7.9 9.7 16.7 9.1 7.4 12.9 11.4 7.4 3.4 14.52500 16.4 16.1 13.3 9.4 11.1 18.3 12.8 11.0 12.7 13.8 8.3 3.4 16.62600 18.2 24.5 14.4 20.2 21.2 27.1 15.9 20.3 28.3 18.2 11.1 13.8 19.9




Table 4-8-1-APractice Advisory Guidance is Adequate


Practice Advisory Number of Yes No Do NotRespondents Use

1000 – Purpose, Authority, and Responsibility 4,801 86.0 1.7 12.31100 – Independence and Objectivity 4,792 86.3 2.2 11.51200 – Proficiency and Due Professional Care 4,779 85.4 2.4 12.21300 – Quality Assurance and Improvement 4,759 77.2 5.5 17.3Program2000 – Managing the Internal Audit Activity 4,755 83.4 3.4 13.12100 – Nature of Work 4,735 82.3 3.8 13.92200 – Engagement Planning 4,748 83.2 3.7 13.12300 – Performing the Engagement 4,739 83.5 3.7 12.82400 – Communicating Results 4,747 84.0 3.4 12.62500 – Monitoring Progress 4,731 81.1 4.5 14.42600 – Resolution of Management’s Acceptance 4,733 75.4 5.8 18.8of RisksOverall Average 82.5 3.7 13.8



Table 4-8-2-APractice Advisory Guidance is Adequate






Table 4-8-3-APractice Advisory Guidance is AdequatePractitioner Respondents in Percentages





Table 4-8-4-APractice Advisory Guidance is Adequate by Groups*


Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

1000 83.6 84.9 87.3 87.4 91.7 81.3 88.9 90.5 87.5 86.7 89.1 96.6 83.21100 84.0 81.2 86.4 89.4 90.4 81.0 92.1 91.2 85.7 87.5 89.8 96.6 84.11200 83.0 84.1 85.7 89.6 89.3 79.7 90.4 91.0 83.6 84.4 87.3 93.1 83.41300 78.4 74.8 81.0 74.2 77.6 73.9 81.5 74.4 66.7 70.8 75.2 86.2 74.32000 82.4 78.8 84.6 87.8 85.8 76.8 87.7 87.1 82.3 83.0 80.0 96.6 79.72100 81.3 78.5 84.1 84.8 82.7 73.5 87.1 88.1 81.0 77.3 82.1 93.1 78.32200 81.9 75.9 82.6 80.6 87.7 73.3 90.2 90.3 79.0 82.0 83.8 96.6 79.52300 82.2 79.6 84.4 81.0 84.9 77.4 88.7 90.1 81.0 83.0 85.3 93.1 79.12400 82.6 80.7 86.1 85.9 84.7 80.8 87.7 89.2 79.0 79.5 85.2 96.6 79.62500 80.8 77.4 81.7 83.9 81.1 77.4 82.0 84.8 79.4 81.6 85.7 93.1 75.22600 78.4 66.9 78.5 68.5 68.2 66.9 79.5 75.7 60.0 76.1 75.6 86.2 70.7




Table 4-15-1-AWhen IAA was Last Subject to a Formal Internal Quality Assessment in

Accordance with Standard 1311 by Groups*All Respondents in Percentages

Timing 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

To be 9.2 7.4 11.4 6.1 7.8 3.5 6.5 7.2 4.0 14.9 7.6 14.3 6.1completedprior toJanuary 1,2007Within the 25.5 21.6 30.2 16.4 22.2 25.1 24.8 21.1 18.2 20.3 23.0 16.7 16.5last 12months1-3 years 8.5 8.9 10.9 4.7 5.0 6.7 8.2 5.5 7.1 7.0 5.6 4.8 5.2ago4-5 years 1.4 4.2 2.3 1.3 0.8 0.9 0.9 0.7 2.0 2.6 0.0 0.0 0.8agoMore than 1.4 4.2 1.0 3.0 0.6 0.8 0.5 0.7 1.0 0.0 0.0 0.0 1.35 years agoNever 28.5 27.9 22.9 52.8 47.0 41.2 39.5 43.3 53.5 33.3 36.2 45.2 44.3Not done in 3.7 5.3 5.9 2.7 8.4 11.6 9.8 16.9 6.1 7.0 9.2 11.9 8.4accordancewithStandard1311Do not 21.8 20.5 15.4 13.0 8.2 10.2 9.8 4.6 8.1 14.9 18.4 7.1 17.4knowTotal 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0percentageTotal 2,967 190 599 299 500 371 440 830 99 114 196 42 619respon-dents




Table 4-21-1-AActivities Performed by IAAs as Part of a Quality

Assessment and Improvement Program by Groups*All Respondents in Percentages

Activity 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

Engagement 46.0 43.7 53.7 32.1 37.8 52.4 63.9 44.7 38.8 38.5 47.1 53.2 27.1supervisionChecklists/ 44.8 48.5 51.6 38.4 38.5 52.1 48.8 33.3 34.5 38.5 52.4 57.4 23.2manuals toprovideassurancethat properauditprocessesare followedFeedback 41.6 55.3 53.4 42.9 40.4 43.3 40.0 31.1 32.8 40.0 44.0 36.2 24.0from auditcustomers atthe end of anauditInternal audit 34.6 33.0 36.9 36.0 36.8 31.2 34.7 30.1 31.0 34.8 28.9 36.2 18.1professionalsare incompliancewith The IIA’sCode ofEthicsReviews by 33.9 38.8 45.4 26.2 21.3 31.9 35.1 24.4 27.6 33.3 36.4 31.9 17.7othermembers ofthe IAA

*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: The responders were asked to mark all that apply so the total of the percentages may be more than 100.



Table 4-21-1-A (Cont.)Activities Performed by IAAs as Part of a Quality

Assessment and Improvement Program by Groups*All Respondents in Percentages

Activity 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

Verification 33.3 31.6 38.6 26.8 31.4 29.3 30.8 25.5 24.1 37.0 29.3 31.9 14.0that the IAAis incompliancewith theStandardsReview by 22.6 31.1 32.7 13.4 18.8 28.1 21.0 12.6 14.7 19.3 22.2 34.0 11.3externalpartyCompliance 19.8 27.7 23.6 21.4 19.9 19.0 28.0 15.7 15.5 14.8 14.7 23.4 13.2with non-IIAstandardsor codesNot 13.3 12.1 7.9 7.7 12.9 11.7 9.8 18.1 20.7 8.1 12.9 23.4 9.2applicableI do not 14.2 7.8 9.5 7.4 4.9 4.0 2.9 9.2 4.3 10.4 5.8 0.0 7.7knowTotal 3,332 206 661 336 574 420 490 945 116 135 225 47 1,057number ofrespon-dents

*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: The responders were asked to mark all that apply so the total of the percentages may be more than 100.



____________________________ Chapter 5: Current Status of the Internal Audit Activity 183


CHAPTER 5CURRENT STATUS OF THE

INTERNAL AUDIT ACTIVITY

Introduction

This chapter summarizes the respondents’ perceptions about their internal audit activities’ (IAAs’)relationships within the organization and how the IAA performs the steps in the audit process. Thechapter follows the outline of the audit process. The topics covered start with respondents’ IAAsreporting relationships within their organizations, their relationships with their audit (oversight)committees, and how IAAs measure the value they add to their organizations. This chapter thenaddresses the IAA’s processes to perform an audit, including the management of the IAA; planningand scope of work; the range of internal audit tasks; types of audits that are performed; andallocation of audit time. The next section of this chapter reviews the tools that are currently used orplan to be used by internal auditors to prepare audit plans and perform engagements. The finalsection covers how respondents report audit findings and how issues are addressed and resolved.






Some participants’ responses are presented according to the respondents’ position in the IAA.These more detailed summaries of results may be provided for the five categories of respondents:CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in theOther category consist primarily of other professional staff whose position is not captured by the



traditional job titles included in the survey. A review of their credentials indicates they may bemembers of the IAA, employed by service providers, or in organizations where their titles are lesstraditional but with duties within internal auditing.

When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.For a list of groups, please refer to the inside back cover of this report. Some tables have additionaldetails. For example, Table 5-17 is the total of all respondents for that question with a related Table5-17-2 showing the responses by group. Additional related tables may be located in Appendix 5 atthe end of this chapter. A table that is in the Appendix can be clearly identified by an “A” at the endof its number. For example, Table 5-3-1-A is located in Appendix 5.

The IAA’s Relationships within the Organization

Reporting Relationships

For the IAA to remain independent, the CAE’s reporting status is very important. The IIArecommends a dual reporting relationship where the CAE reports to the audit committee of theboard as well as to a senior management executive. Such matrix reporting allows the IAA to buildorganizational independence while also serving management. Survey questions asked about reportingrelationships for the CAE.

The results of the survey indicate that the reporting status of CAEs was generally in accordancewith the International Standards for the Professional Practice of Internal Auditing (Standards)Attribute Standard 1110, Organizational Independence. This standard requires the IAA to beindependent and internal auditors to be objective in performing their work. Practice Advisory 1110-2, Chief Audit Executive (CAE) Reporting Lines states “the CAE should report functionally to theaudit committee or its equivalent” and administratively to the chief executive officer of theorganization. The largest percentage of responding CAEs indicate that they report to the auditcommittee.



As detailed in Figure 5-1, 47.3% of CAEs report to the audit committee level and another 43.4%report to the executive level of management. Only 5.1% report to a staff manager position.

Figure 5-1CAE’s Reporting Status

CAE Respondents (2,367) in Percentages

Other4.2%

Staff positionreporting to astaff manager

5.1%

Officer positionreporting toexecutive

management/high-level

governmentofficial20.6%

Manager positionreporting to

executive management/high-level government

official22.8%

Independent position reporting to the audit committee

of the board/oversight board

47.3%



To gain a better understanding of the factors that could influence the reporting level of the CAE,Table 5-1 looks at reporting status by type of organization. The IIA believes that the CAE shouldfunctionally report to the audit committee. It is apparent that this occurs in the majority of cases inpublicly listed and not-for-profit organizations. This is not the case in the public sector where thereis a tendency to report to either a line manager or a high government official. This could reflectdifferences in the organizational configuration of public sector operations where the audit committeestructure is often absent.

Table 5-1CAE’s Reporting Status by Type of Organization


Type of Number of Independent Officer Managerial Staff Position Other TotalOrganization Respondents Position Position Position Reporting to a

Reporting to Reporting to Reporting to Staff Managerthe Audit the Executive Executive

Committee of Management/ Management/the Board/ High-level High-levelOversight Government Government

Board Official Official

Not-for- 171 56.1 13.5 21.1 6.4 2.9 100.0ProfitOrganizationPublicly 820 55.3 17.4 19.9 5.1 2.3 100.0Traded(Listed)CompanyPrivately 587 47.5 22.0 22.5 5.5 2.5 100.0Held(Non-listed)CompanyOther 56 41.1 21.4 23.2 3.6 10.7 100.0Service 205 38.0 22.9 17.7 2.9 18.5 100.0Provider/ConsultantPublic 521 36.1 25.6 29.8 5.2 3.3 100.0Sector/Government



The high level of reporting status and the importance of the CAE’s relationship with the board isreinforced by those involved in the CAE’s appointment and performance review. The responseslisted in Figure 5-2 indicate that 51.2% of the CAE respondents were appointed by the auditcommittee, and the chairperson of the board was involved in nearly one-third of the CAE respondents’appointments.

Figure 5-2Position that Appoints CAE


Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.

There is evidence of involvement of the CEO in 54.4% of CAE respondents’ appointments. TheCFO had a role in the CAE respondent’s appointment 27.8% of the time. This level of involvementby the board, the audit committee, and senior management in the appointment of the CAE reinforcesthe overall high level of CAE reporting status and the importance of the CAE to the organization.



Table 5-2 shows, by group, information about the position that appoints the CAE (see the insideback cover for a list of the groups). There are noticeable differences between the group results forCAEs that are appointed by the audit committee chairperson in groups 1, 2, 3, 11, and 12 (61.6% to68%) and in groups 4 to 10 (26% to 38%).

Table 5-2Position that Appoints CAE by Group*


Position 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

Audit Committee/ 68.0 61.6 67.1 38.0 26.0 26.0 29.8 36.7 37.0 31.9 65.4 66.7 41.6Oversight Committee/Committee ChairpersonChief Executive Officer 55.6 67.4 58.6 37.0 55.0 56.0 50.4 58.4 37.0 59.6 49.4 55.6 47.0Chairperson of the 18.3 10.5 13.8 68.0 44.0 49.0 44.3 52.8 43.5 40.4 33.3 33.3 38.9BoardChief Financial Officer 41.8 32.6 46.7 7.0 10.0 26.0 6.1 15.4 10.9 8.5 14.8 11.1 20.1Another person 6.8 4.7 5.3 3.0 0.0 3.0 0.8 1.3 2.2 2.1 0.0 0.0 0.7reporting to CFOOther 13.4 23.3 15.8 14.0 21.0 10.0 17.6 8.2 6.5 6.4 4.9 0.0 13.4

*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: The respondents were asked to mark all that apply so the total of percentages may be more than 100.

Tied to the discussion of the reporting level of CAEs within an organization is who undertakes theperformance review of the CAE. Despite the recommended dual reporting structure, evaluation isprimarily a management responsibility (Practice Advisory 1110-2). Board members and/or auditcommittee members usually do not have sole responsibility for such functions for the CAE, althoughtheir input in the evaluation process is valuable.

Figure 5-3 summarizes the CAEs’ responses indicating the level within an organization that performstheir evaluation. The audit committee’s involvement is most prevalent in the CAEs’ evaluation(48.7%) with an almost equal input by the CEO (44.9%) and significant input by senior management(31.2%). The chairperson of the board is involved with 16.4% of the CAEs’ evaluations while the



entire board is involved 16.1% of the time. As CAE respondents could indicate all those whoparticipated in their evaluation and the percentages in Figure 5-3 add up to well over 100.0%, itappears that input from several high-level officials of an organization are combined to evaluate theperformance of the CAE.

Figure 5-3Evaluation of CAEs’ Performance





Table 5-3 shows group differences indicating who evaluates the CAE. Further analysis by type oforganization is provided in Table 5-3-1-A in Appendix 5. This table indicates that the audit committeeis most involved in publicly traded and not-for-profit organizations. The chief executive officertakes the lead in privately held and public sector organizations.

Table 5-3Evaluation of CAEs’ Performance by Group*


Position 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

Board of Directors 7.1 5.8 9.9 23.0 34.0 26.0 25.2 24.9 19.6 25.5 19.8 11.1 14.1Chairperson of the 6.5 4.7 5.9 57.0 20.0 23.0 26.7 31.5 15.2 12.8 13.6 11.1 18.1BoardChief Executive Officer 42.1 59.3 46.1 49.0 45.0 44.0 42.7 50.8 39.1 44.7 46.9 77.8 40.3Audit Committee/ 59.8 62.8 67.8 21.0 27.0 29.0 35.1 44.9 37.0 36.2 64.2 88.9 35.6Oversight Committee/Committee ChairpersonSenior Management 38.0 38.4 41.4 25.0 32.0 12.0 25.2 26.6 26.1 23.4 13.6 0.0 28.2Auditee/Client at the 8.1 19.8 27.6 5.0 14.0 15.0 14.5 9.5 0.0 27.7 7.4 22.2 6.0end of auditSupervisor periodically 9.7 5.8 8.6 5.0 11.0 11.0 4.6 4.9 4.3 4.3 2.5 11.1 6.7Peers/Subordinates 4.6 14.0 15.1 6.0 5.0 7.0 4.6 3.0 4.3 10.6 6.2 11.1 2.7periodicallyNot evaluated 3.0 3.5 3.9 1.0 3.0 6.0 5.3 2.0 6.5 10.6 4.9 0.0 7.4




Relationship with the Audit Committee

Practice Advisory 2060-2, Relationship with the Audit Committee, governs the relationship of theIAA and the audit committee. As noted in Table 5-4, CAEs confirm that an audit/oversight committeeexists in 72.6% of their organizations. The CAE’s relationship with the committee chairperson isvery important. Of respondent CAEs with audit committees, 63.2% meet regularly with their auditcommittee chair in addition to attending regular audit committee meetings. It is notable that ofthose that have audit/oversight committees, 91.3% of CAEs believe they have appropriate accessto the committee.

Table 5-4CAE’s Relationship with Audit/Oversight Committee

CAE Respondents Percentage of Yes Responses

Question Total YesRespondents Percent of

TotalResponses

Is there an audit/oversight committee 2,315 72.6in your organization?Does the CAE meet with the audit/ 1,669 63.2oversight committee chairperson inaddition to the regularly scheduledmeetings?Does the CAE believe that he/she 1,671 91.3has appropriate access to the audit/oversight committee?

As indicated in Table 5-4-1-A in Appendix 5, CAE responses by groups have some major differencesrelating to the CAE’s relationship with an audit committee. These differences appear to be primarilyrelated to the existence of the audit committee structure in some groups and not in others. CAEs ingroups 1, 2, 3, and 11 specify that 81.5% to 92.9% of their organizations have an audit committee,compared to CAEs in the other groups who indicate that 38.7% to 69.5% of their organizationshave an audit committee. In group 12, all respondents have an audit committee.



For those CAEs that have an audit committee, Table 5-5 summarizes the number of audit committeemeetings held in the last fiscal year, the number of meetings CAEs were invited to attend, and thenumber of meetings attended by the CAEs. The CAEs responding indicate that 96.9% of auditcommittees met between 1 and 12 times per year. The majority of audit committees (82.7%) met4 or more times per year. There is also a close correlation between the number of audit committeemeetings held, the number of meetings the CAEs were invited to attend, and the number of timesthe CAEs actually attended the meetings.

Table 5-5Audit/Oversight Committee Meetings During Last Fiscal Year


Number of Meetings Held Meetings the CAE Meetings the CAEAudit Percent of 1,661 Total was Invited to Attend Attended

Committee Respondents Percent of 1,657 Percent of 1,656Meetings Total Respondents Total Respondents

None 8.0 7.91 1.8 4.8 4.72 5.9 7.4 7.93 9.6 8.6 8.84 35.5 31.6 31.65 10.2 9.4 9.66 11.8 9.7 9.07 2.6 2.5 2.88 6.1 5.1 5.09 1.4 1.3 1.310 4.3 3.2 3.511 1.3 0.8 1.312 6.4 4.8 4.0

More than12 3.1 2.8 2.6

Total 100.0 100.0 100.0

External Relationships - Legislation Affecting Internal Auditing

In the CBOK Affiliate questionnaire, IIA affiliate leaders were asked about local and federalregulations and legislation affecting the profession of internal auditing. Of the 46 affiliates that



responded, 78% indicate that their countries have legislation or regulations affecting the internalauditing profession. Table 5-6 lists the 36 affiliates whose countries have laws and regulationsaffecting internal auditing. The United States and Canada also have legislation affecting internalauditing.

In a majority of the responding affiliates’ countries, legislation or regulations exist affecting internalauditing in the public sector. In most of these affiliates, financial entities, banks, and insurancecompanies are subjected to legislation that prescribes the establishment or the role of internalauditing in an organization. In several affiliates (e.g., The Netherlands, Norway, South Africa, andSpain), corporate governance requirements for listed companies strongly recommend the installationof an IAA as part of their corporate governance structure. In other affiliates (e.g., France, Italy,United Kingdom, and Ireland), it is recommended that all private companies, whether listed or not,have an IAA. In a few affiliates (e.g., Belgium and Turkey), initiatives have been taken to createa more formal legal framework for the internal audit profession.

Table 5-6Countries with Legislation or Regulation

Affecting Internal Auditing

Argentina LuxembourgAustralia MexicoAustria The NetherlandsAzerbaijan NorwayBelgium PeruBolivia PhilippinesBulgaria RussiaCanada SingaporeCongo SloveniaDenmark South AfricaDominican Republic SpainFinland SwedenFrance TaiwanGermany ThailandIsrael TurkeyItaly UgandaJapan United Kingdom and IrelandLebanon United StatesLithuania Venezuela



In 61% (22 affiliates) of the 36 responding affiliates where legislation or regulation affecting internalauditing exists, The IIA affiliate had an influence on the final form of the legislation or regulation.Table 5-7 provides an overview of these 22 affiliates.

Table 5-7Countries Where the IIA Affiliate Influenced

Legislation or Regulation Affecting Internal Auditing

Australia The NetherlandsAzerbaijan NorwayBulgaria PhilippinesDenmark RussiaFinland South AfricaFrance SpainGermany SwedenItaly TaiwanJapan ThailandLuxembourg TurkeyMexico United Kingdom and Ireland

Those IIA affiliates that assisted in the development of the legislation or regulations took part in thediscussions and provided input through participation and lobbying in committees, work groups, andconferences. IIA affiliates also regularly issue their own opinions on drafts of local and nationallaws and regulations. The publication of position papers and articles reflecting their members’ideas and opinions is a common method of participation in the evolution of local and national lawsand regulations.

Organizations’ and CAEs’ Perceptions About the IAA

To gain an understanding of how the IAA is perceived within their organization, all respondentswere asked to rank their level of agreement with the statements in Table 5-8 on a scale of 1- 5,from strongly disagree (1) to strongly agree (5). The mean response for each question was calculatedfor the four IAA staff levels responding to the survey. With means mostly above 4.2 for all stafflevels, most respondents indicate their IAA is highly independent, objective, adds value, andeffectively evaluates internal controls. This is generally supported by the group results in Table 5-8-1-A located in Appendix 5.



Statements with means around 4.0 indicate respondents’ agreement that their IAAs have an effectiveapproach to risk management; are an integral part of the governance process; are credible withinthe organization; are proactive in looking at important financial matters, risks, and internal controls;have sufficient status in the organization; and that compliance with the IIA’s Code of Ethics is akey factor for their IAAs to add value to their organizations.

The statements ranked under 4.0 but above 3.5 indicate respondents have less support for thestatements about effectiveness in the evaluation of corporate governance and compliance withThe IIA’s Standards. Overall, the perceptions by the respondents provide a very positive viewabout the IAA within their organizations. In Table 5-8-1-A in Appendix 5, mean responses forthese statements for CAEs by groups show very similar results across all groups.

Table 5-8Relationship of IAA to the Organization


Statement CAE Mean Audit Audit Senior/ Audit Staffof 2,374 Manager Supervisor Mean

Respondents Mean Mean of 1,626of 2,033 of 2,251 Respondents

Respondents Respondents

Your internal audit function is an 4.45 4.34 4.25 4.10independent objective assuranceand consulting activity.Your internal audit function adds 4.41 4.32 4.26 4.20value. Internal audit brings a systematic 4.03 3.99 3.98 3.95approach to evaluate theeffectiveness of risk management.Your internal audit function brings 4.35 4.27 4.21 4.11a systematic approach to evaluatethe effectiveness of internal controls.Your internal audit function brings a 3.80 3.73 3.71 3.74systematic approach to evaluate theeffectiveness of governanceprocesses.Your internal audit function 4.10 4.05 3.96 3.88proactively examines importantfinancial matters, risks, and internalcontrols.




Table 5-8 (Cont.)Relationship of IAA to the Organization


Statement CAE Mean Audit Audit Senior/ Audit Staffof 2,374 Manager Supervisor Mean

Respondents Mean Mean of 1,626of 2,033 of 2,251 Respondents

Respondents Respondents

Your internal audit function is an 4.10 4.04 3.97 3.91integral part of the governanceprocess by providing reliableinformation to management.The way our internal audit function 3.52 3.81 3.66 3.51adds value to the governanceprocess is through direct access tothe audit committee.Your internal audit function has 4.07 3.97 3.86 3.75sufficient status in the organizationto be effective.Independence is a key factor for 4.46 4.40 4.32 4.29your internal audit function to addvalue.Objectivity is a key factor for your 4.58 4.47 4.42 4.36internal audit function to add value.Your internal audit function is 4.30 4.17 4.08 3.99credible within your organization.Compliance with The IIA’s 3.86 3.90 3.89 3.90International Standards for theProfessional Practice of InternalAuditing is a key factor for yourinternal audit activity to add valueto the governance process.Compliance with The IIA’s Code 4.03 4.04 3.98 3.99of Ethics is a key factor for yourinternal audit function to add valueto the governance process.




Methods Used to Measure the Value Added by the IAA

The IIA defines internal auditing as “an independent, objective assurance and consulting activitydesigned to add value and improve an organization’s operations.” In The IIA’s Standards Glossary,add value is defined as, “Value is provided by improving opportunities to achieve organizationalobjectives, identifying operational improvement, and/or reducing risk exposure through both assuranceand consulting services.”

Figure 5-4 on the following page lists the methods used by the respondents’ organizations to measurethe value added by their IAAs. The measures include acceptance and implementation ofrecommendations (51.4%), assessment by customer surveys from audited departments (34.6%),and the number of management requests for internal assurance or consulting projects (26.8%).Reliance by the external auditors on the IAA is also used as a value-added indicator (33.5%). Noformal measurement of value added was indicated in 32.6% of the 2,361 respondents.

As can be seen in Table 5-9, considerable differences exist between groups in the methods used toevaluate the value added by IAAs. There are significant differences when relying on customer/auditee surveys (10.9% - 57.9%), external auditors’ reviews (9.7% - 77.8%), and the number ofmajor audit findings (4.3% - 66.7%). There was variation between groups where there is noformal measurement of value added by IAAs’ services with a high of 47.5% for group 6.



Figure 5-4Methods Used to Measure Value Added by the IAA



internal audit activity

internal audit assurance or consulting

____________________________C

hapter 5: Current Status of the Internal A

udit Activity 199

The Institute of Internal Auditors R

esearch Foundation

Table 5-9Methods Used to Measure Value Added by the IAA by Group*

All Respondents by Group in Percentages

Method of 1 2 3 4 5 6 7 8 9 10 11 12 N/C**Evaluation

Customer/client 37.5 50.0 57.9 32.0 26.0 24.4 33.6 23.0 10.9 55.3 32.9 44.4 32.0surveys from auditeddepartmentsRecommendations 46.9 52.3 55.3 59.2 53.7 34.4 62.6 56.3 60.9 31.9 64.6 100.0.0 58.0accepted/implementedCost savings and 30.1 27.9 17.8 49.5 31.1 17.5 34.4 21.7 30.4 17.0 42.7 66.7 36.0improvements fromrecommendationsimplementedNumber of management 28.0 44.2 34.9 21.4 21.5 14.4 26.7 23.7 32.6 12.8 39.0 77.8 23.3requests for internalaudit assurance orconsulting projectsReliance by external 37.7 46.5 50.7 9.7 16.4 32.5 30.5 33.2 10.9 34.0 34.1 77.8 26.7auditors on the internalaudit activityBudget to actual audit hours 17.9 30.2 25.7 8.7 12.4 18.8 22.9 9.9 26.1 19.1 14.6 33.3 12.7Cycle time from 10.8 12.8 13.8 3.9 5.6 12.5 11.5 10.2 15.2 14.9 13.4 11.1 12.7entrance conference todraft reportNumber of major audit 15.2 19.8 18.4 44.7 37.3 15.0 29.8 18.4 37.0 4.3 30.5 66.7 29.3findingsOther 11.1 11.6 17.1 3.9 18.6 7.5 4.6 9.9 8.7 8.5 9.8 11.1 11.3No formal measurement 34.5 24.4 27.6 35.0 27.1 47.5 31.3 32.6 26.1 31.9 23.2 11.1 30.0of value addedTotal respondents by 914 86 152 103 177 160 131 304 46 47 82 9 150group


200 A G

lobal Summ

ary of the Com

mon B

ody of Know

ledge 2006______________________

The Institute of Internal Auditors R

esearch Foundation

Internal Audit A

ctivity

Governing D

ocuments in the O

rganization

According to Standard 2130, G

overnance, the IAA

“should assess and make appropriate

recomm

endations for improving the governance process.” Table 5-10 show

s the types of documents

that support the establishment of corporate governance in an organization. R

espondents report that73.3%

of their organizations have a corporate ethics policy/code of ethics/code of conduct and66.3%

have a long-term strategic plan. O

nly 53.2% of the respondents’ organizations have a

corporate governance code and 56.9% have an audit oversight/com

mittee charter.

Table 5-10D

ocuments that Exist in the O

rganization Supporting theE

stablishment of C

orporate Governance

All R

espondents in Percentages

Docum

entsN

umber of Yes

Percent ofR

esponsesR

espondents

Corporate Ethics Policy/C

ode of Ethics/6,859

73.3C

ode of Conduct

Long-term Strategic Plan for the

6,20166.3

Organization

Audit O

versight/Com

mittee C

harter5,322

56.9C

orporate Governance C

ode4,974

53.2

Note: The respondents w

ere asked to mark all that apply so the total responses m

ay be more than the total num

ber ofrespondents and the percentages m

ay be more than 100.



Figure 5-5 shows the type of documents that support the work and performance of the IAA. Eachis important to the success of the IAA. An internal audit charter is required by The IIA’s AttributeStandard 1000, Purpose, Authority, and Responsibility, and Practice Advisory (PA) 1000-1, InternalAudit Charter. Documented audit plans are expected to be in use. Compliance with PerformanceStandard 2010, Planning, requires the CAE to “Establish risk-based plans to determine the prioritiesof the IAA.”

Figure 5-5Documents that Exist in the Organization Supporting the

Work and Performance of the IAAAll Respondents in Percentages

Note: The respondents were asked to mark all that apply so the total percentages may be more than 100.

The respondents indicate that 81.3% of their IAAs have an audit plan, 72.3% of their IAAs havean internal audit charter, and 60.1% have a mission statement. A majority of respondents’ IAAs(69.5%) use internal audit risk assessments to develop the audit plan. Respondents indicate that63% of their IAAs have an internal audit operating manual/policy statement and 40.3% have anaudit plan that is longer than one year. These are all positive signs for effective internal auditprocedures.

Audit Activity



Managing the Internal Audit Activity

To gather information about compliance with The IIA’s Standards, all respondents were askedquestions about who performed administrative tasks, quality assessments of the IAA, and technicalcompetency training for internal auditors. The questions required the respondent to indicate whatpercentage of these activities are performed by the IAA, by service providers, or not performed atall.

Performance Standard 2000 requires that the chief audit executive (CAE) “should effectivelymanage the internal audit activity to ensure it adds value to the organization.” These activitiesinclude administrative activities such as developing an audit plan and assigning audit tasks.Performance Standard 2200 states that, “Internal auditors should develop and record a plan foreach engagement, including the scope, objectives, timing, and resource allocations.” The results inTable 5-11 show that over 91.5% of all respondents believe that their IAA performs the administrativetasks appropriate for the department. The vast majority of IAA leadership takes charge of theadministrative responsibilities inherent in the IAA.

Table 5-11Managing the Internal Audit Activity

Who Performs Audit ActivitiesAll Respondents in Percentages

Activity Total Number IAA Other Co-Sourced Out- Not Totalof Departments sourced Performed Percent

Respondents in byby Activity Organization Activity

Administrative 7,750 91.5 3.6 2.3 1.2 1.4 100.0(audit plan,assign tasks)Technical 8,746 44.4 14.1 6.6 21.3 13.6 100.0competencytraining forauditorsQuality 8,212 37.0 13.5 5.3 17.4 26.8 100.0assessment ofinternal auditactivity

Note: Since respondents were asked to mark all that apply, the total number of respondents may not be the same foreach activity.



To continuously monitor the effectiveness of the IAA, Standard 1300 states, “The CAE shoulddevelop and maintain a quality assurance and improvement program” (QA&IP). The QA&IPshould include both ongoing and periodic internal assessments that cover the entire spectrum ofaudit and consulting work performed by the internal audit activity. The quality of the internal auditactivities are assessed by the IAA (37%), other departments (13.5%), or outsourced (17.4%).About twenty-seven percent (26.8%) of the respondents do not perform quality assessments oftheir internal audit activities. More details about respondents’ QA&IP programs can be found inChapter 4.

Standard 1210 requires that internal auditors “possess the knowledge, skills, and other competenciesneeded to perform their individual responsibilities.” To be certain that the audit staff has the necessaryskills, 44.4% of the IAAs provide technical competency training for auditors. Other departmentswithin the organization provide 14.1% of the training, and 27.9% of training is either co-sourced oroutsourced. Of the respondents, 13.6% indicate that no training for the audit staff is provided.



Creating the Audit Plan

In accordance with IIA Performance Standard 2010 on Planning, the CAE should plan what toaudit based on risk assessment. Figure 5-6 indicates that 95.6% of CAEs plan their audit activity atleast annually, including 36.4% who update their plan multiple times a year.

Figure 5-6Percentage Frequency of Audit Plan Updating


No audit plan3.2%

Every two years0.7%

More than everytwo years

0.5%

Every year59.2%

Multiple timesper year36.4%



Figure 5-7 lists the methods CAEs use to determine the audit plan. The use of risk-based methodologyrequired by Performance Standard 2010 and Practice Advisory PA 2010-1, Planning, is used by86.7% of the respondents. This method is supplemented by 73.1% of respondents who includerequests from management. Audit planning is also influenced by consulting the previous year’splan (62.8%) and consultation with divisional or business heads (62.9%). Strong influence on theaudit plan can come from audit committee requests (55.5%) and compliance/regulatory requirements(58.8%) as well.

Figure 5-7How the Audit Plan is Established


Note: The respondents were asked to mark all that apply so the total percentages may be more than 100.



As shown in Table 5-12, the groups’ CAEs show a consistently high percentage of reliance on risk-based methodology for audit planning, from a low of 75% to a high of 100%. Audit committee/oversight committee requests are strongly supported in groups 1, 2, 3, 11, and 12, and there is highreliance and compliance/regulatory requirements in groups 1, 2, 7, and 12. Requests frommanagement and review of previous year’s audit plan are also supported.

Table 5-12How Audit Plan is Established by Groups*


Method 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

Use of a risk-based 89.1 94.2 94.6 87.3 85.1 89.8 82.0 77.2 75.0 93.6 91.3 100.0 78.7methodologyConsult previous 62.0 61.6 59.2 80.4 60.6 65.6 60.9 59.9 56.8 53.2 66.3 88.9 68.1years audit planConsultation with 73.1 87.2 78.9 42.2 52.6 49.7 46.1 54.1 40.9 80.9 57.5 44.4 49.6divisional or businessheadsRequests from 78.8 81.4 72.8 53.9 74.9 71.3 64.1 73.5 68.2 59.6 67.5 88.9 62.4managementAudit committee/ 65.7 81.4 68.0 36.3 28.0 38.9 37.5 51.0 47.7 51.1 71.3 77.8 48.9oversight committeerequestsCompliance/regulatory 66.2 67.4 58.5 43.1 39.4 59.2 65.6 55.1 52.3 34.0 55.0 77.8 56.0requirementsRequests from or 40.8 58.1 50.3 22.5 16.6 47.1 22.7 23.1 9.1 38.3 35.0 33.3 30.5consultation withexternal auditorsOther 8.9 9.3 7.5 7.8 14.9 12.1 15.6 7.5 11.4 8.5 6.3 22.2 7.1Total number ofrespondents 878 86 147 102 175 157 128 294 44 47 80 9 141

*For a list of affiliate groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: The respondents were asked to mark all that apply so that the total percent by group may be more than 100.



Allocation of IAAs’ Time

The definition of internal auditing and Standard 2100, Nature of Work, includes three broad areasof responsibility for IAAs to “evaluate and contribute to the improvement of risk management,control, and governance processes.” The following summarizes the respondent’s responses aboutthe how IAAs’ time is allocated, the types of audits performed in the organization and who performsthem, and what tools are used by the IAA when performing their work. Audits are generally placedin three categories, (1) general types of audits, (2) audits performed in the areas of risk management,control, and governance processes, and (3) other audit activities.

In order to gauge the extent of various types of internal audit activities performed by the IAAs,respondents were asked to estimate the time spent on compliance audits, consulting/advisory,financial process audits, fraud investigations, governance audits, information technology audits,operational, management audits, and other types of audits. Table 5-13 on the following page showsthe mean percentage of time spent for all respondents over a period of 6 years (3 years ago,currently, and an estimate for 3 years from now).



Table 5-13Average of IAAs’ Time Spent on Audits

for All Respondents in Mean Percentages

Activity Mean Mean Mean AnticipatedPercentage of Percentage Percentage of Change in MeanTime Spent 3 of Current Time Expected Percentage of

Years Ago Time Spent to be Spent 3 Time Spent fromYears from Now 2003 to 2009

Compliance audits (laws, 23.4 22.4 19.9 -3.5regulations, and policy)Operational 22.5 21.1 19.5 -3.0Financial process audits 15.5 14.9 13.8 -1.7(including assistance to theexternal auditor)Consulting/advisory 8.2 9.8 11.5 +3.3Information technology audits 7.9 9.7 12.3 +4.4Other 6.6 3.3 2.6 -4.0Fraud investigations 5.9 6.1 6.2 +0.3(forensic accounting/auditingManagement audits 5.2 5.5 5.8 +0.6Governance audits (ethics, 4.8 7.2 8.4 +3.6control framework, regulatory,linkage of strategy, andcompany performance)Total 100.0 100.0 100.0

Note: Responses are in percentages and the mean percentage is the average response for that activity.

For the six-year period, while no one type of audit appears to dominate the work performed byIAAs, respondents indicate that most of the IAAs’ time was, is, and will be spent on complianceaudits (23.4% past, 22.4% current, and 19.9% future). Time spent on operational auditing is a closesecond with 22.5% in the past, 21.1% currently, and 19.5% in the future. The third largest type ofaudit is financial with 15.5% of audit time three years ago, 14.9% currently, and 13.8% in thefuture. As the time spent on those types of audits has been decreasing, the time spent on consulting,governance, and information technology is increasing. This seems reasonable since the definitionof internal auditing changed to include consulting and governance in 1999.



Types of Audits Performed

Table 5-14 lists types of audits and who performs them. The top four types of audits performed bythe IAA are internal auditing (85.6%), operational auditing (79.1%), investigations of fraud andirregularities (56.3%), and financial auditing (56%). Other IAA engagements include ethics audits(47.1%), management effectiveness audits (48.5%), and information technology departmentassessments (45.4%). The three largest audit areas that are co-sourced or outsourced are financialauditing (27.2%), information technology department assessment (18.8%), and quality/ISO audits(14.1%). The three areas where audits are less likely to be performed by the IAA are social andsustainability audits (40.0%), quality/ISO audits (32.6%), and ethics audits (27.4%).

The results in Table 5-13 indicate that IAAs anticipate spending most of their time on complianceaudits, operational audits, and financial process audits. Table 5-14 shows that operational auditsand financial auditing are most often performed by the IAA. The internal auditing category inTable 5-14 presumes to include compliance auditing since that was not asked separately in thissurvey question. The results for where the IAA’s time is spent and who performs these auditactivities appear to be consistent for the respondents. Fraud investigations, ethics audits, andinformation technology department audits do not consume much IAA time in Table 5-13, but are inthe domain of many IAAs as indicated in Table 5-14.



Table 5-14Types of Audits

Who Performs Audit ActivitiesAll Respondents in Percentages

Type of Audit Total IAA Other Co- Out- Not TotalNumber Department in Sourced sourced Performed Percent

of Respondents Organization by Activityby Activity

Internal auditing 7,918 85.6 3.4 4.8 3.3 2.9 100.0Operational audits 8,443 79.1 11.9 3.6 2.5 2.9 100.0Investigations of 9,877 56.3 31.4 5.9 3.8 2.6 100.0fraud andirregularitiesFinancial auditing 8,989 56.0 14.7 7.2 20.0 2.1 100.0Management 8,324 48.5 28.4 3.7 3.1 16.3 100.0effectivenessreview/auditEthics audits 7,828 47.1 21.3 3.0 1.2 27.4 100.0Information 8,959 45.4 28.8 8.8 10.0 7.0 100.0technologydepartmentassessmentSocial and 7,648 22.7 30.4 3.4 3.5 40.0 100.0sustainabilityauditsQuality/ISO audits 7,896 20.5 32.8 4.6 9.5 32.6 100.0



Risk, Controls, and Governance Audits

Practice Advisory 1311-1, Internal Assessments, states, “The CAE is responsible for establishingan internal audit activity whose scope of work includes all the activities in the Standards and in thedefinition of internal auditing,” which includes effectiveness of risk management, control, andgovernance processes. Realizing that all audits have some elements of all three, the followingsummarizes the type of audit activities performed in these three areas and who performs theseaudits.

Effectiveness of Risk Management

The internal auditor has several responsibilities for the effectiveness of risk management within anorganization. Standard 2110, Risk Management, states that the IAA should “assist the organizationby identifying and evaluating significant exposures to risk and contributing to the improvement ofrisk management and control systems.” Standard 2600, Resolution of Management’s Acceptanceof Risks, highlights the importance of the CAE discussing risks and other internal audit findingswith senior management. If the decision regarding residual risk is not resolved, the CAE shouldreport the matter to the board for resolution.

Table 5-15 shows the major audit activities performed in the risk, control, and governance areas.Risk management work performed within organizations includes business viability assessments,information risk assessment, and enterprise risk management. While the majority of businessviability assessments are performed by other departments within the organization (51.6%), IAAsperform 24.6% of these audits and 16.8% of the respondents report that these audits are notperformed. In the area of information risk assessment, the IAA performs 47.5% of the activitiesand other departments perform 30.9% and 15.2% of this work is co-sourced or outsourced. Forenterprise risk management activities, IAAs perform 37.6% of these assessment activities, otherdepartments within the organization perform 43.6%, and 6.5% of these activities are co-sourced oroutsourced.



Table 5-15Who Performs Risk, Control, and Governance

Audit ActivitiesAll Respondents in Percentages

Activity Total IAA Other Co- Out- Not TotalNumber Department in Sourced sourced Performed Percent


Internal control 9,366 70.8 17.0 6.3 4.2 1.7 100.0testing/systemsevaluationControl framework 8,772 58.9 28.6 4.6 1.5 6.4 100.0monitoring anddevelopmentCompliance with 9,181 51.4 35.3 5.0 2.0 6.3 100.0corporategovernance andregulatory coderequirementsInformation risk 9,282 47.5 30.9 8.2 7.0 6.4 100.0assessmentEnterprise risk 8,679 37.6 43.6 5.0 1.5 12.3 100.0managementResource 8,096 32.1 47.9 3.6 2.0 14.4 100.0management andcontrolsLinkage of strategy 8,266 26.3 55.8 3.8 1.6 12.5 100.0and companyperformanceBusiness viability 7,742 24.6 51.6 4.5 2.5 16.8 100.0assessments



Audits of Controls

Standard 2120, Control, states that the IAA should “assist the organization in maintaining effectivecontrols.” In Table 5-15, respondents indicate that 70.8% of the activities to test internal controlsand systems evaluation are done by the IAA. Other departments perform 17% of the same activitiesand 10.5% of these activities are co-sourced or outsourced.

Corporate Governance

Standard 2130, Governance, requires IAAs to “assess and make appropriate recommendations forimproving the governance process.” Table 5-15 lists several governance audit activities performedwithin organizations. The corporate governance activities performed by IAA includes controlframework monitoring and development (58.9%), compliance with corporate governance andregulatory code requirements (51.4%), resource management and controls (32.1%), and linkageof strategy and company performance (26.3%). Logically, other departments within organizationsare very active in compliance with corporate governance and regulatory code requirements (35.3%)and in the areas of linkage of strategy and company performance (55.8%) and resource managementand controls (47.9%).

Compliance or Special Consulting Projects

Table 5-16 shows audit activities from the list provided to the respondents in the CBOK 2006questionnaire that are compliance activities or special consulting projects. Practice Advisory2120.A1-1, Assessing and Reporting on Control Processes, states that testing “compliance withlaws, regulations, and contracts” is part of the IAA’s study and evaluation of internal controls.Two areas where the IAA performs compliance activities are compliance with company privacypolicies (43.1%) and health, safety, and environment (22.1%).

The definition of internal auditing includes consulting in its scope of acceptable audit activity. Afew areas of consulting included in the study indicate that 11.3% of the activities for corporatetakeovers/mergers are performed by IAAs while 50.4 % are handled by other departments in theorganization. The IAA provides 46.2% of the support for external auditors, other departmentsprovide 28.1% and co-sourced or outsourced work accounts for 14% of the activities required.Project management activities are performed mainly by other departments (58.3%) with 27.7% ofthese activities performed by the IAA. The IAA and other departments in the organization eachprovide 39.6% of the activities for special projects with 15.4% being co-sourced or outsourced.



Table 5-16Who Performs Other Audit Activities


Activity Total IAA Other Co- Out- Not TotalNumber Department in Sourced sourced Performed Percent


External audit 8,421 46.2 28.1 5.1 8.9 11.7 100.0assistanceCompliance with 8,584 43.1 42.1 4.0 1.6 9.2 100.0company privacypoliciesSpecial projects 10,414 39.6 39.6 8.3 7.1 5.4 100.0Project 8,542 27.7 58.3 5.1 2.8 6.1 100.0managementHealth, safety, 8,083 22.1 57.3 4.2 3.0 13.4 100.0and environmentCorporate 7,796 11.3 50.4 4.9 3.8 29.6 100.0takeovers/mergers

Performing the Engagement – The Use of Tools

This section summarizes the use of 16 tools and techniques currently in place or planned to be usedby IAAs globally. The demands on the IAA and its staff are increasing as the significance andusefulness of the work of the IAA become better known and valued throughout the organization.Internal audit is designed to add value and improve an organization’s operations by bringing asystematic, disciplined approach to evaluation, improvement, and effectiveness of risk management,controls, and governance. As internal auditing resources may be constrained, the IAA must useaudit tools and techniques to use its time efficiently. The tools and techniques in the CBOK surveywere identified by reviewing the Standards and Practice Advisories, internal auditing literature,past CBOK studies, and the CBOK 2006 pilot study. Based on this review, 16 tools and techniques



were identified as being important for the IAA. Respondents could not add to or amend the list thatwas included in the CBOK 2006 survey. Some of the tools listed help with audit administration(planning, managing, preparing working papers, etc.) while others relate to helping internal auditorsperform their engagements (analyzing data, statistical sampling, etc.). All the tools contribute to theIAA adding value to the organization

The selection of tools and techniques in this survey is supported by the Standards and PracticeAdvisories. In the Standards and expanded upon in the Practice Advisories, certain tools areemphasized:

• Attribute Standard 1220, Due Professional Care, recommends that the internal auditor inexercising due professional care should consider the use of computer-assisted audit toolsand other data analysis techniques.

• Analytical review is supported in Practice Advisory 2100-10, Audit Sampling.

• Risk-based audit planning is addressed in Standard 2010, Planning, which requires thechief audit executive to establish risk-based plans to determine the priorities of the internalaudit activity, consistent with the organization’s goals.

• Standard 2010.A1, Assurance Engagement, states that the IAA plan of engagements shouldbe based on a risk assessment, undertaken at least annually. This issue is also analyzed bythe Practice Advisory 2010-2, Linking the Audit Plan to Risk and Exposures.

• Practice Advisory 2100-10, “Audit Sampling is defined as the application of audit proceduresto less than 100 percent of the population to enable the auditor to evaluate audit evidenceabout some characteristics of the items selected to form or assist in forming a conclusionconcerning the population. Statistical sampling involves the use of techniques from whichmathematically constructed conclusions regarding the population can be drawn.”

• Practice Advisory 1311-1, Internal Assessments, suggests that Periodic Assessment mayinclude benchmarking of the IAA practices and performance metrics against relevant bestpractices of the internal auditing profession.

• The balanced scorecard tool is mentioned in Practice Advisory 1311-2, Establishing Measures(Quantitative Metrics and Qualitative Assessments) to Support Reviews of Internal Audit



Activity Performance. This Practice Advisory reflects recommended practices formeasuring the performance of internal auditing and it is related to Standard 1311, InternalAssessments.

• Practice Advisory 2120.A1-2, Using Control Self Assessment (CSA) for Assessing theAdequacy of Control Processes, states that the CSA methodology can be used by managersand internal auditors for assessing the adequacy of the organization’s risk managementand control processes. Internal auditors can utilize CSA programs for gathering relevantinformation about risks and controls, for focusing the audit plan on high risk, unusual areas,and to forge greater collaboration with operating managers and work teams.

• Standard 1300, Quality Assurance and Improvement Program, requires the CAE to developand maintain a quality assurance and improvement program that covers all aspects of theinternal audit activity and continuously monitors its effectiveness. This program includesperiodic internal and external quality assessments and ongoing internal monitoring.

The respondents were asked to indicate which tools/techniques their IAAs currently use or plan touse in the next three years by rating all the tools listed on a five point scale from 1, not used, to 5,extensively used. Results are shown in means and/or in the frequency of respondents selecting atool/technique. Tables include responses by position, by response type, and/or by groups.

Current Usage of Audit Tools and Techniques

The use of various tools and techniques is fundamental for the effectiveness and efficiency of theIAA in performing their engagements. The use of these tools/techniques helps the auditor successfullyplan, monitor progress, document, analyze data, complete the audit, and determine the magnitudeof audit findings. Table 5-17 indicates the extent that respondent IAAs currently use sixteen differentaudit tools/techniques. The means listed in the table summarize the responses given by each stafflevel of auditors: CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. Themean was calculated based on a scale of 1 (not used) to 5 (extensively used). An overall mean foreach item is also presented.

The results show that CAEs and Practitioners almost uniformly rank the tools/techniques currentlyused by the IAA the same. Electronic communication (e.g., Internet, e-mail), risk-based auditplanning, analytical review, and electronic workpapers are currently the most utilized tools. Electroniccommunication is overwhelmingly the highest ranked tool/technique for all respondents.



Table 5-17Extent the IAA Currently Uses Audit Tools/Techniques

All Respondents by Mean*

Tools/Techniques Number of Overall CAE Audit Audit Audit OtherRespondents Mean Manager Senior/ Staff

Supervisor

Other electronic 6,629 4.08 3.98 4.15 4.19 4.13 3.64communication(e.g., Internet, e-mail)Risk-based audit 6,596 3.56 3.57 3.63 3.58 3.54 3.08planningAnalytical review 6,619 3.21 3.12 3.21 3.28 3.23 3.05Electronic workpapers 6,566 3.19 2.99 3.28 3.28 3.38 2.90Statistical sampling 6,522 2.77 2.64 2.69 2.83 3.00 2.76Computer-assisted 6,567 2.67 2.54 2.73 2.73 2.73 2.68audit techniquesFlowchart software 6,526 2.42 2.31 2.51 2.45 2.46 2.41Benchmarking 6,494 2.41 2.37 2.44 2.42 2.42 2.41Process mapping 6,496 2.36 2.22 2.39 2.43 2.46 2.39applicationControl self-assessment 6,497 2.30 2.09 2.27 2.42 2.54 2.40Data mining 6,385 2.26 2.18 2.26 2.29 2.37 2.18Continuous/real-time 6,483 2.21 2.06 2.12 2.30 2.47 2.22auditingThe IIA’s quality 6,409 2.06 1.93 2.13 2.07 2.18 2.09assessment review toolsBalanced scorecard or 6,417 2.02 1.85 2.06 2.09 2.13 2.07similar frameworkTotal quality 6,366 1.97 1.79 1.98 2.00 2.19 2.11management techniquesProcess modeling software 6,352 1.69 1.51 1.66 1.78 1.88 1.87

*The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used,5 = Extensively Used.Note: Since respondents were asked to mark all that apply, the total number of respondents may not be the same foreach audit tool/technique.



The tools/techniques that obtained the highest overall means from all respondents are:

1. Other electronic communication (e.g., Internet, e-mail) (4.08).2. Risk-based audit planning (3.56).3. Analytical review (3.21).4. Electronic workpapers (3.19).5. Statistical sampling (2.77).

The tools/techniques that received the lowest overall mean responses are:

12. Continuous/real-time auditing (2.21).13. The IIA’s quality assessment review tools (2.06).14. Balanced scorecard or similar framework (2.02).15. Total quality management techniques (1.97).16. Process modeling software (1.69).

As shown in Table 5-17-1-A, even in regions of the world where access to the Internet might notbe easily or readily available, it is generally ranked the highest. Electronic working papers and risk-based audit planning are uniformly ranked high by all respondents. Many of the remaining tools aregrouped in the 2.00 to 2.50 range, indicating moderate to average use.



Table 5-18 shows the means in rank order of use by staff level of the respondents. Each rankinggoes from 1, the tool/technique with the highest mean, to 16, the tool/technique with the lowestmean. The consistency in ranking by all staff levels about usage of tools and techniques by theirIAAs is evident.

Table 5-18Extent the IAA Currently Uses Audit Tools/Techniques

All Respondents by Rank

Tools/Techniques Overall CAE Audit Audit Senior/ AuditAverage Manager Supervisor Staff Other

Other electronic communication 1 1 1 1 1 1(e.g., Internet, e-mail)Risk-based audit planning 2 2 2 2 2 2Analytical review 3 3 4 3/4 4 3Electronic workpapers 4 4 3 3/4 3 4Statistical sampling 5 5 6 5 5 5Computer-assisted audit 6 6 5 6 6 6techniquesFlowchart software 7 8 7 7 8/9 7/8Benchmarking 8 7 8 9/10 11 7/8Process mapping application 9 9 9 8 8/9 10Control self-assessment 10 11 10 9/10 10 9Data mining 11 10 11 12 12 12Continuous/real-time auditing 12 12 13 11 7 11The IIA’s quality assessment 13 13 12 14 14 14review toolsBalanced scorecard or similar 14 14 14 13 15 15frameworkTotal quality management 15 15 15 15 13 13techniquesProcess modeling software 16 16 16 16 16 16

Note: In some cases the rankings were tied. For example, rankings of Benchmarking and Control Self Assessment atthe Audit Senior/Supervisor level were tied.



Although the means are generally lower for CAEs than for other respondents, the comparison ofthe overall means with the means and rankings for CAEs and other respondents does not showany significant differences between the categories of respondents. The only major differencesbetween the means for the different staff levels relate to:

• Continuous real-time auditing (2.06, ranked 12 for the CAE versus 2.47, ranked 7 forAudit Staff).

• Electronic working papers (2.99, ranked 4 for the CAE versus 3.38, ranked 3 for AuditStaff).

• Control self-assessment (2.09, ranked 11 for the CAE versus 2.54, ranked 10 for the AuditStaff).

• Statistical sampling (2.64, ranked 5 for the CAE versus 3.00, ranked 5 for Audit Staff).

The analysis of the means according to the 13 groups is provided in Table 5-17-1-A in Appendix 5.There are noticeable differences for electronic workpapers (3.53 for group 8 and 1.97 for group12), risk-based audit planning (3.91 for group 3, 3.86 for groups 2 and 10, and 2.53 for group 4), andother electronic communication (4.38 for group 10; and 3.15 for group 12). Differences related toaccess to electronic resources may be reflected in the results for some of the groups.

Table 5-17-2 shows the rankings by groups. Each ranking goes from 1, the tool/technique with thehighest mean in the group, to 16, the tool/technique with the lowest mean in the group. Thiscomparison shows that the degree of consensus on most tools and techniques among the differentgroups is very high. This is the case for other electronic communications which ranks first orsecond in each group. Process modeling software is always ranked between 13 and 16, analyticalreview is always ranked between second and sixth and electronic workpapers is ranked betweenthird and seventh. The highest variability in this comparison, which indicates the lowest level ofconsensus, relates to data mining (groups 7 and 9), continuous real-time auditing (groups 4 and 11),control self-assessment (groups 4 and 12), and process mapping application (groups 8 and 10).When analyzing the ranking information most groups are within two rankings of the overall ranking.Exceptions are group 7 with 50% of their rankings more than two places away, group 10 with37.5% of their rankings more than two places away, and groups 1, 4, and 12 have 31% of theirrankings more than two places away from the overall ranking.



Table 5-17-2Tools and Techniques Currently Used by Group*

All Respondents by Means**

Overall 1 2 3 4 5 6 7 8 9 10 11 12 N/C***Tools/Techniques**** AverageOther electronic 1 1 2 2 1 1 1 2 1 1 1 1 1 1communication(e.g., Internet, e-mail)Risk-based audit 2 2 1 1 6 2 2 1 2 2 2 2 2 2planningAnalytical review 3 5 4 5 2 4 4 6 4 3 4 3 5 4Electronic workpapers 4 3 5 3 3 3 3 3 3 5 3 5 7 3Statistical sampling 5 6 7 6 7 6 6 5 7 7 9 6 4 6Computer-assisted 6 4 3 4 9 5 5 4 6 4 5 4 3 5audit techniquesFlowchart software 7 8 11 13 11 9 13 11 11 11 12 13 14 11Benchmarking 8 11 8 7 10 11 8 14 10 10 6 7 6 12Process mapping 9 13 10 12 8 7 7 7 5 12 14 10 9 9applicationControl self- 10 12 6 8 4 10 10 8 8 8 7 8 13 8assessmentData mining 11 7 9 11 12 8 9 16 9 6 13 11 11 10Continuous/real-time 12 9 12 10 5 13 11 9 13 9 10 14 10 7auditingThe IIA’s quality 13 10 13 9 14 12 12 10 14 13 8 9 12 13assessment reviewtoolsBalanced scorecard 14 15 14 15 16 15 14 15 12 15 11 15 15 15or similar frameworkTotal quality 15 14 15 14 13 14 16 12 16 14 15 12 8 14managementtechniquesProcess modeling 16 16 16 16 15 16 15 13 15 16 16 16 16 16software

*For a list of groups, please see the inside back cover.**The ranking goes from 1 (the tool/technique with the highest mean in the group) to 16 (the tool/technique with thelowest mean in the group).***N/C = Respondents did not indicate affiliate or chapter membership.****The tools/techniques are presented in the table in a decreasing order, according to the ranking of the overall means.



Table 5-19 summarizes how all respondents’ replies are distributed along the 5 options: not used;moderately used; average use; very much used; and extensively used. The frequencies show theextent to which the internal audit activity (IAA) currently uses the listed audit tools and techniqueswhen compared to the overall mean usage of all respondents’ IAAs. This table provides a moredetailed picture of overall usage of tools and techniques. Since some respondents’ organizationsand IAAs are much larger and older than others, they may use more audit tools and have moreresources to purchase and apply the listed tools and techniques.

Table 5-19Extent the IAA Currently Uses the

Listed Audit Tools/TechniquesAll Respondents by Mean and Frequency

Tools/Techniques Number of Mean* % Not % % % %Respondents Used Moderately Average Very Extensively

Used Use Much UsedUsed

Other electronic 6,643 4.08 2.7 6.9 16.7 27.5 46.2communication(e.g., Internet,e-mail)Risk-based audit 6,611 3.56 8.0 13.6 21.3 28.8 28.3planningAnalytical review 6,634 3.21 6.5 20.5 31.1 29.6 12.3Electronic workpapers 6,580 3.19 19.8 15.6 17.2 20.9 26.5Statistical sampling 6,536 2.77 18.0 25.9 27.5 18.8 9.8Computer-assisted 6,581 2.67 22.3 25.4 25.0 17.5 9.8audit techniquesFlowchart software 6,540 2.42 31.7 24.8 21.6 13.5 8.4Benchmarking 6,505 2.41 24.9 30.9 26.6 13.7 3.9Process mapping 6,510 2.36 36.1 21.4 20.9 13.9 7.7applicationControl self- 6,511 2.30 34.1 26.0 21.1 13.0 5.8assessmentData mining 6,399 2.26 36.1 25.4 20.8 12.1 5.6Continuous/real-time 6,497 2.21 39.0 23.8 19.7 12.4 5.1auditing

*The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used,5 = Extensively Used.



Table 5-19 (Cont.)Extent the IAA Currently Uses the

Listed Audit Tools/TechniquesAll Respondents by Mean and Frequency



The IIA’s quality 6,424 2.06 46.6 20.8 17.4 10.5 4.7assessment reviewtoolsBalanced scorecard 6,427 2.02 48.4 19.2 18.8 9.8 3.8or similar frameworkTotal quality 6,380 1.97 48.6 21.9 17.5 8.5 3.5management techniquesProcess modeling 6,366 1.69 62.7 16.6 12.4 5.8 2.5software


Extensively Used

The analysis of the usage frequencies reveals that some tools are used extensively for a significantportion (more than 25%) by the respondents’ IAAs:

1. Other electronic communication (e-mail, Internet) (46.3%)2. Risk-based audit plan (28.3%)3. Electronic working papers (26.5%)

These particular tools match three core tasks of the IAA, planning, documenting field work, andcommunication. The latter two tasks can be very labor intensive when completed without technologysupport. For IAAs to have invested and developed tools in these areas seems appropriate.



The frequency of the extensively used category for these three tools and techniques shows theirimportance to the IAAs. The use of these tools allows the IAA to function efficiently and effectively.This is especially true for the use of electronic communication and electronic working paperswhich help with audit administration. A risk-based audit plan also helps with the performance of theaudit. When available resources are limited, both financially and by number of staff, technologyallows the IAA to expand its scope.

These findings are consistent with those based on the mean scores for other electronic communicationand risk-based audit plan. As shown on the frequency distribution in Table 5-19, there is a differencefor analytical review, which has a relatively high overall mean (3.21) and ranking (3) but has alower percentage in the extensively used category (12.3%). Although electronic workpapers isranked fourth with a mean of 3.19, in the frequency distribution it is shown as having 26.5% ofrespondents indicating extensively use. The use of a risk-based audit plan is in keeping with Standard2010.A1, Planning, which states that the IAA’s “Plan of engagements should be based on a riskassessment, undertaken at least annually.” This is supported elsewhere in the Standards andPractice Advisories. Over 78% of respondents indicate that they extensively use, very much use,or have average use of this technique.

In Appendix 5, Table 5-19-1-A shows extensively used responses for tools/techniques by auditorposition. This table reveals that there are usually lower frequencies for the response “extensivelyused” for CAEs. This is consistent with the means analysis. This may be due to the increasedadministrative work and outreach that CAEs do in their daily work. As the head of the department,the CAE must be aware of the activities and audits undertaken, but be less involved in the dailyoperating activities and the audit process. Standard 2030, Resource Management, states that theCAE “should ensure that internal audit resources are appropriate, sufficient, and effectively deployedto achieve the approved plan.” The most significant differences in this table are for electroniccommunications (41.5% for the CAE, 50.6% for Audit Seniors/Supervisors), electronic workpapers(21.1% for CAEs, Audit Staff 30.9%), and risk-based audit planning (29.6% for Audit Seniors/Supervisors, Other 17%).

Not Used

The analysis of frequencies makes it possible to identify those tools that are currently not used atall by respondents in auditing activities. According to Practice Advisory 1210-1, Proficiency, noteveryone in the IAA must be able to apply the tools and techniques required in performingengagements. Rather, the IAA must collectively possess this ability. This means that all membersof the IAA should be aware of the use of various tools and techniques in the department, but eachstaff member need not have a specific facility and ability to use the tool.



An unusually high number of the listed tools and techniques are indicated as not being used at allbased on Table 5-19. This information can be very important for practitioners, consultants, standardsetters, software companies, and others servicing or involved with the internal audit profession.More than one-fifth of the respondents do not use benchmarking (24.9%) or computer-assistedaudit techniques (22.3%). The least used tool is process modeling software which is not used by62.7% of respondents. Many other tools are indicated as not being used by more than 30% ofrespondents.

The percentage of respondents that do not currently use the listed tools and techniques that fall intothis category are:

• Process modeling software (62.7% of respondents do not use this tool).• Total quality management techniques (48.6%).• The balanced scorecard or similar framework (48.4%).• The IIA’s quality assessment review tools (46.6%).• Continuous/real-time auditing (39.0%).• Data mining (36.1%).• Process mapping application (36.1%).• Control self-assessment (34.1%).• Flowchart software (31.7%).

Standard 1300, Quality Assurance and Improvement Program, requires the CAE to “develop andmaintain a quality assurance and improvement program…and continuously monitors itseffectiveness.” This program is “designed to help the internal audit activity add value and improvethe organization’s operations.” Many IAAs see value in implementing this standard. Low use ofThe IIA’s quality assessment review (QAR) tools makes compliance with this standard andcontributing to the organization’s governance, risk management, and effectiveness more difficult.In Chapter 4, 32.8% of respondents indicated that they currently have a quality assessment andimprovement program in place and 21.9% intend to put one in place in the next 12 months.

According to Practice Advisory 2100-6, Control and Audit Implications of E-commerce Activities,when control self-assessment (CSA) is used by management to review controls, the IAA shouldreview the policies for authenticating transactions and evaluating controls. The use of electronicsystems and models is the most effective way to monitor and evaluate e-commerce activities. Thelist of tools and techniques above indicates that many respondents do not use the listed tools andtechniques that would enable IAA staff to easily test systems and controls.



Table 5-19 further reveals that statistical sampling (indicated as not used by 18%) is often used ina moderate or average way. This is in accordance with Practice Advisory 2100-10, Audit Sampling.The use of benchmarking is similar. Some management techniques, such as total quality management(48.6% not used) and the balanced scorecard (48.4% not used), are not generally used in internalaudit activities.

Control self-assessment (CSA) is not widely used by the IAA (34.1% not used), so that in mostorganizations the involvement of management in self-evaluating the control activity might not befully exploited. However, it is important to distinguish between control self-assessment as an audittechnique for the internal auditor to complete an audit engagement and CSA as a managementpractice implemented in an organization with or without the involvement of the IAA. Managementshould self-assess their internal control on an ongoing basis as part of their managerial responsibilitiesexternal to the IAA.

In Appendix 5, Table 5-19-2-A shows by frequency and positional level of the respondent the audittools and techniques that are not currently used by the IAA. The frequencies for the answer “notused” are generally higher for CAE respondents than for Practitioners. Differences between thefrequencies for tools not used are markedly different for control self-assessment (40.8% CAE,27.3% for Audit Staff), process modeling software (69.9% CAE, 55.3% Audit Staff), and totalquality management techniques (54.1% CAE, 41.6% Audit Staff).This continues the patternpreviously noted.

In Appendix 5, Table 5-19-3-A details the frequency for all 13 groups for the response “not currentlyused.” Major differences include the use of electronic workpapers (66.7% in group 12 versus7.8% in group 8), flowchart software (73.5% in group 12 versus 25.5% in group 1), and processmapping application (62.5% in group 12 versus 22.5 in group 8). In group 12, for most tools/techniques the frequency of the not used response is higher than in other groups. Other differencesamong the groups indicate a general lack of consistency in the use of the listed tools and techniquesglobally.

The groups’ means and frequencies highlight differences in the current practice globally among thelisted tools and techniques. Electronic communication and electronic working papers are extensivelyused. Process modeling software is often not used by auditors (62.7%), while computer-assistedaudit techniques and flowchart software are moderately used. In some respondents’ organizations,process mapping application and data mining are not used (frequency of 36.1% for each tool). Thisis also true for continuous/real-time auditing (39.0% not used). Standard 1220, Due ProfessionalCare, recommends that the internal auditor exercise due professional care and consider the use ofcomputer-assisted audit tools and other data analysis techniques.



Respondents by group indicate that auditing techniques such as analytical review and a risk-basedapproach for audit planning are generally used and in many cases used extensively. Data suggeststhat IAAs are focusing their resources and activities on critical areas and on the organization’sprimary business risks.

Predictive Changes in the Use of Audit Tools and Techniques Over theNext Three Years

It is important to understand how the IAA plans to change the way it performs audits and how itplans to become more effective and efficient as it adds value to its organization. Table 5-20 providesan overall view of the extent to which respondents’ IAAs intend to use the listed tools and techniquesin the next three years. Again, respondents did not have an opportunity to list tools not mentionedon the pre-established list. An overall mean response and means by respondents’ staff level areprovided.

Using the overall mean for all respondents, the top five means for tools where usage is expected toincrease are:

1. Other electronic communication (e.g., Internet, e-mail) (4.16).2. Risk-based audit planning (3.99).3. Electronic workpapers (3.68).4. Analytical review (3.42).5. Computer-assisted audit techniques (CAAT) (3.37).

Respondents are consistent with their emphasis on the same tools and techniques as they arecurrently using. The only change in the top five tools when compared to current use is with numberfive. Statistical sampling (currently ranked sixth) has been replaced by computer-assisted audittechniques which had been ranked sixth.



Table 5-20Extent the IAA Plans to Use the

Listed Audit Tools/Techniques in the Next Three YearsAll Respondents by Mean*

Tools/Techniques Number of Mean CAE Audit Audit Audit OtherRespondents Manager Senior/ Staff

Supervisor

Other electronic 4,751 4.16 4.11 4.20 4.24 4.21 3.87communication (e.g.,Internet, e-mail)Risk-based audit planning 4,789 3.99 4.09 4.05 3.96 3.84 3.54Electronic workpapers 4,816 3.68 3.59 3.81 3.75 3.71 3.39Analytical review 4,731 3.42 3.41 3.42 3.46 3.42 3.25Computer-assisted audit 4,826 3.37 3.36 3.44 3.39 3.26 3.23techniquesStatistical sampling 4,756 3.04 2.95 3.00 3.10 3.17 3.15Data mining 4,731 2.84 2.84 2.88 2.86 2.80 2.63Control self-assessment 4,816 2.82 2.75 2.76 2.89 2.97 2.88Benchmarking 4,741 2.79 2.80 2.84 2.77 2.73 2.74Continuous/real-time 4,845 2.78 2.73 2.80 2.82 2.87 2.69auditingFlowchart software 4,794 2.77 2.71 2.84 2.77 2.78 2.82The IIA’s quality 4,799 2.73 2.73 2.82 2.69 2.66 2.70assessment review toolsProcess mapping application 4,767 2.72 2.65 2.71 2.79 2.79 2.77Total quality management 4,772 2.43 2.34 2.44 2.46 2.52 2.57techniquesBalanced scorecard or 4,770 2.38 2.31 2.44 2.39 2.41 2.41similar frameworkProcess modeling software 4,749 2.08 1.95 2.05 2.17 2.23 2.30




In Appendix 5, Table 5-20-1-A shows groups’ means for use of tools and techniques in the nextthree years. Again there is consistency globally when taking out the high and low outliers. Thereare noticeable differences for total quality management between group 8 and group 12. Other toolswith a difference of more than 1.25 between groups include benchmarking, CAAT, continuous/real-time auditing, data mining, risk-based audit planning, and statistical sampling.

By comparing the overall means from Table 5-20 and rankings from Table 5-21, with the meansand rankings for CAEs and other practitioners by staff level, there is a high level of consistencybetween the staff levels. This reinforces the expectation that CAEs would adequately communicateplans and expectations with all members of the IAA staff. The only major difference is for theplanned use of risk-based audit planning (4.09 for the CAE versus 3.54 for Other), but all positionsrank this technique as second most used or to be used.



Table 5-21Extent the IAA Plans to Use the

Listed Audit Tools/Techniques in the Next Three YearsAll Respondents by Rank*

Tools/Techniques Number of Overall CAE Audit Audit Audit OtherRespondents Average Manager Senior/ Staff

Supervisor

Other electronic 4,751 1 1 1 1 1 1communication (e.g.,Internet, e-mail)Risk-based audit planning 4,789 2 2 2 2 2 2Electronic workpapers 4,816 3 3 3 3 3 3Analytical review 4,731 4 4 5 4 4 4Computer-assisted audit 4,826 5 5 4 5 5 5techniquesStatistical sampling 4,756 6 6 6 6 6 6Data mining 4,731 7 7 7 8 9 13Control self-assessment 4,816 8 9 12 7 7 7Benchmarking 4,741 9 8 8/9 11/12 12 10Continuous/real-time 4,845 10 10/11 11 9 8 12auditingFlowchart software 4,794 11 12 8/9 11/12 11 8The IIA’s quality 4,799 12 10/11 10 13 13 11assessment review toolsProcess mapping application 4,767 13 13 13 10 10 9Total quality management 4,772 14 14 14/15 14/15 14 14techniquesBalanced scorecard or 4,770 15 15 14/15 14/15 15 15similar frameworkProcess modeling software 4,749 16 16 16 16 16 16

Note: In some cases the rankings were tied. For example, rankings of continuous/real-time auditing and The IIA’squality assessment review tools at the CAE level were tied.



The frequency analysis provides another view of the extent the IAA plans to use the listed audittools/techniques in the next three years. Table 5-22 reports the frequencies for all respondents.

Table 5-22Extent the IAA Plans to Use the Listed Audit Tools/Techniques

in the Next Three YearsAll Respondents by Mean and Frequency



Other electronic 4,751 4.16 1.6 5.6 16.3 28.1 48.4communication (e.g.,Internet, e-mail)Risk-based audit 4,789 3.99 3.1 6.6 17.6 33.6 39.1planningElectronic workpapers 4,816 3.68 8.0 10.7 20.5 27.0 33.8Analytical review 4,731 3.42 4.3 14.6 31.5 33.9 15.7Computer -assisted 4,826 3.37 7.8 15.8 26.8 31.1 18.5audit techniquesStatistical sampling 4,756 3.04 10.5 21.8 32.7 23.7 11.3Data mining 4,731 2.84 18.7 21.9 26.5 22.4 10.5Control self-assessment 4,816 2.82 15.1 26.3 28.6 21.1 8.8Benchmarking 4,741 2.79 13.5 27.6 31.4 21.3 6.2Continuous/real-time 4,845 2.78 18.0 24.3 27.8 21.0 8.9auditingFlowchart software 4,794 2.77 19.4 24.3 26.8 19.0 10.5The IIA’s quality 4,799 2.73 20.3 23.7 27.5 19.4 9.1assessment reviewtoolsProcess mapping 4,767 2.72 22.6 22.2 25.6 19.8 9.8applicationTotal quality 4,772 2.43 30.0 24.5 24.7 14.6 6.2management techniquesBalanced scorecard or 4,770 2.38 31.2 24.1 25.0 15.0 4.7similar frameworkProcess modeling 4,749 2.08 43.9 22.4 19.6 10.0 4.1software




Tools that Will Be Extensively Used

Generally, respondents expect that there will be an extensive use of a wide range of tools in thenext three years, usually more than at present. The results when comparing the overall frequencyin Table 5-22 with the results in Table 5-19 show several significant increases in the use of thelisted tools.

• Risk-based audit planning (usage of 39.1% in the next three years versus 28.3% currentusage)

• Computer-assisted audit techniques (18.5% in the next three years versus 9.8% currently)• Electronic workpapers (33.8% in the next three years versus 26.5% currently)• The IIA’s quality assessment review tools (9.1% in the next three years versus 4.7%

currently)

Some respondents feel the need to control the quality of auditing processes, in accordance with theStandards, The IIA’s quality assessment review will have greater importance in the future.

The general increase in the frequencies of the “extensively used” response is consistent for bothCAEs and Practitioners. There are slight differences between the two categories of respondentswhen comparing the results in Table 5-19-1-A and Table 5-22-1-A:

• Risk-based audit planning (12.9% increase for CAE versus 7.0% increase for Audit Staff)• Other electronic communication (8.3% increase for Other versus 0.7% increase for Audit

Manager)

Tools that Will Not be Used in the Next Three Years

Table 5-23 compares some of the results of Table 5-22-2 in Appendix 5 that lists the tools that willnot be used in the next three years with Table 5-19-2-A in Appendix 5 that shows tools IAAs planto use more of in the future. The decrease in the overall frequencies for all respondents (whichmeans an increase in the number of respondents who will use a certain tool) is particularly relevantfor the following tools and techniques.



Table 5-23Comparison of the IAA Plans to Use the Listed Audit Tools/Techniques

in the Next Three Years and Not Currently UsedAll Respondents Percentage

Tools and Techniques Respondents Respondents Projecting That ThisIndicating Tool Will Not Be Used in the Next

Current Use Three Years

Process modeling software 62.7 43.9Balanced scorecard or similar 48.4 31.2frameworkIIA’s quality assessment 46.6 20.3review toolsContinuous real-time auditing 39.0 18.0Data mining 36.1 18.7Control self-assessment (CSA) 34.1 15.1Computer-assisted audit 22.3 7.8techniques

These findings are important since they reveal that most CAEs and Practitioners in the near futureintend to use the tools and techniques suggested by the Standards, Practice Advisories, and bestpractices even when they are currently not used today. The expected increase for the CSA tool aswell as for continuous/real-time auditing will contribute to making management more aware of andresponsible for the internal control system.

Resolution of Major Differences

Practice Advisory 2410-1, Communication Criteria, suggests “As part of the internal auditor’sdiscussions with the engagement client, the internal auditor should try to obtain agreement on theresults of the engagement and on a plan of action to improve operations, as needed.” Respondentswere asked to indicate at what points in the audit process major differences are resolved. Eachcategory could be selected by each respondent since they may resolve major issues in severalphases of the audit process. Table 5-24 shows that 44.5% of the respondents usually resolve majordifferences during fieldwork and 45.2% usually resolve them during audit reporting. Thirty-twopoint four percent sometimes resolve audit issues during planning, and 28.5% indicated that resolutionrarely happens during the planning stage.



Table 5-24When Are Major Audit Issues Resolved

for All Respondents by Percentage

When Resolved During During During Audit After the Never*Planning Audit Reporting Audit % of 4,319

% of 6,358 Fieldwork % of 6,760 Report is RespondentsRespondents % of 6,710 Respondents Issued

Respondents % of 6,398Respondents

Never 16.1 1.9 2.0 18.6 61.2Rarely 28.5 6.6 7.1 31.6 24.4

Sometimes 32.4 37.1 27.8 20.6 9.2Usually 16.3 44.5 45.2 18.6 2.6Always 6.7 9.9 17.9 10.6 2.6

Total 100.0 100.0 100.0 100.0 100.0

*The researchers presume this means that issues were never left unresolved throughout the process.

Approximately 23% of all respondents believed that audit issues are always or usually resolvedduring planning; about half of them noted that audit issues are usually or always resolved duringaudit fieldwork (54.4%); and about 63.1% of them thought that issues are resolved during auditreporting. About 5.2% of these issues do not appear to ever be followed up. It seems that majoraudit issues are resolved throughout the audit process but predominantly during fieldwork and theaudit reporting period.



Reporting of Findings

Standard 2440, Disseminating Results, states, “The chief audit executive should communicateresults to the appropriate parties.” Figure 5-8 indicates that a majority of 58.8% of the respondentsagree that the responsibility of reporting audit findings rests with the CAEs. The next staff level forreporting results that respondents selected is the Audit Manager (19.6%).

Figure 5-8Primary Responsibility for Reporting Findings to

Senior ManagementAll Respondents (7,119) in Percentages

No formalreporting of

results1.1%

Other1.9% Auditee/client

3.4%

Both internalaudit manager

and auditee/client7.4%

Both CAE andauditee/client

7.8%

Internal auditmanager19.6%

CAE58.8%



As shown in Table 5-25, CAEs believe they have the primary responsibility for reporting the auditfindings alone (75.1%) or jointly (10.3%) with the auditee/client, while Audit Managers indicatethey should report the findings alone (28.2%) or with the auditee/client (9.4%). Audit Senior/Supervisor, Audit Staff, and Other concur with the Audit Manager respondents.

Table 5-25Primary Responsibility for Reporting Findings to Senior Management


Responsibility Total CAE Audit Audit Audit Staff Other Overallfor Reporting Respondents Respondents Manager Senior/ Respondents Respondents Average

Findings by % of Total Respondents Supervisor % of Total % of Total %Position % of Total Respondents

% of Total

CAE 4,187 75.1 51.6 54.7 51.6 43.0 58.8Internal audit 1,396 6.4 28.2 24.4 24.3 18.0 19.6managerBoth chief 555 10.3 6.6 5.9 6.9 10.0 7.8auditexecutiveand auditee/clientBoth internal 528 3.6 9.4 9.8 8.0 7.0 7.4auditmanager andauditee/clientAuditee/ 240 2.7 2.8 2.5 5.2 7.5 3.4clientOther 134 0.9 0.8 2.1 2.9 7.5 1.9No formal 79 1.0 0.6 0.6 1.1 7.0 1.1reporting ofresultsTotal respon- 7,119 100.0 100.0 100.0 100.0 100.0 100.0dents/total



Monitoring Corrective Action

In Standard 2500, Monitoring Progress, “The chief audit executive should establish and maintain asystem to monitor the disposition of results communicated to management.” Standard 2500.A1goes on to require that “a follow-up process to monitor and ensure that management actions havebeen effectively implemented or that senior management has accepted the risk of not taking action.”Figure 5-9 provides respondents’ beliefs about who has the primary responsibility for monitoringcorrective action on findings listed in audit reports. Fifty percent believe that both the internalauditor and auditee/client have the primary responsibility for monitoring corrective action.

Figure 5-9Primary Responsibility for Monitoring Corrective Action Taken


Other1.9%

No formalfollow-up

3.1%Auditee/client

13.7%

Internal auditor31.3%

Both internalauditor and

auditee/client50.0%



In Table 5-26, the majority of the respondents (37.5% to 54.5%) believe that both the internalauditor and auditee/client together have the primary responsibility to monitor that needed correctiveaction has been adopted. Between 25.8% and 35.7% of the respondents indicated that the internalauditor has the primary responsibility. With the exception of the Other respondents (8.5%), only2.0% to 3.4% indicated they had no formal follow-up procedures.

Table 5-26Primary Responsibility for Monitoring Corrective Actions Taken


Primary Total CAE Audit Audit Audit Staff Other OverallResponsibility Respondents Respondents Manager Senior/ Respondents Respondents Average

by Position % of Total Respondents Supervisor % of Total % of Total Total% of Total Respondents Percent

% of Total

Both internal 3,560 54.5 51.8 47.9 46.9 37.5 50.0audit andauditee/clientInternal auditor 2,226 28.0 30.4 34.3 35.7 25.8 31.3Auditee/client 974 14.0 13.7 12.5 12.9 19.2 13.7No formal 219 2.0 2.8 3.4 3.0 8.5 3.1follow-upOther 137 1.5 1.3 1.9 1.5 9.0 1.9Total 7,116 100.0 100.0 100.0 100.0 100.0 100.0respondents



Summary

The operation of the internal audit activity is complex and demanding. The chief audit executivemust manage both internal and external relationships, the administration and organization of theactivity, the plan and functioning of the audits performed, and resolve any issues that arise. TheStandards and Practice Advisories provide the guidance needed to accomplish these tasks, butcompliance may be challenging due to internal and external limitations placed upon the department.The appointment procedures, performance evaluations, and reporting relationships for CAEs aregenerally in accordance with Standard 1100, Independence and Objectivity, and 1110, OrganizationalIndependence. IAA independence is maintained by having board and senior managementinvolvement in the CAE’s hiring and performance evaluation. The matrix relationship and participationof key constituents helps maintain independence and the IAA’s position in the organization.

Perceptions by CAE respondents provide a very positive view about the IAA within theirorganizations, and the IAA is seen as highly credible. Many IAAs are relatively young but followthe guidance included in the Standards and utilize the documents recommended by The IIA. MostIAAs use a risk-based approach to engagement planning and allocate time in accordance with theneeds of the organization, focusing on the effectiveness of risk management, control, and governanceprocesses. CAEs and Practitioners almost uniformly rank the tools currently used by the IAA thesame, with electronic communication (e.g., Internet, e-mail), risk-based audit planning, analyticalreview, and electronic workpapers as the most used tools. These tools are also expected to be themost used in the next three years. Major audit issues are resolved throughout the audit process butpredominantly during fieldwork and the audit reporting period.



APP

EN

DIX

5

Tabl

e 5-3

-1-A

Eval

uatio

n of

CA

E’s P

erfo

rman

ce b

y Typ

e of O

rgan

izat

ion

CA

E R

espo

nden

ts in

Per

cent

ages

Type

of

Tota

lB

oard

of

Cha

irC

hief

Aud

itSe

nior

Aud

itee/

Supe

rvis

orPe

ers/

Not

Org

aniz

atio

n/R

espo

n-D

irec

tors

of th

eE

xecu

tive

Com

mit

tee/

Man

age-

Clie

ntPe

riod

ical

lySu

bord

inat

esE

valu

ated

Num

ber

ofde

nts

Boar

dO

ffic

erO

vers

ight

men

tat

the

End

Peri

odic

ally

Res

pond

ents

Com

mit

tee/

of A

udit

Com

mit

tee

Cha

irpe

rson

Publ

icly

811

13.3

19.4

41.4

64.6

36.7

9.59.0

5.21.5

Trad

ed(L

isted

)C

ompa

nyPr

ivat

ely

583

22.6

20.4

49.9

44.4

27.1

9.47.0

3.62.4

Hel

d(N

on-li

sted

)C

ompa

nyPu

blic

515

10.9

11.5

50.5

34.8

29.9

12.8

7.27.4

5.0Se

ctor

/G

over

nmen

tSe

rvic

e20

623

.811

.730

.631

.629

.120

.49.7

12.1

8.7Pr

ovid

er/

Con

sulta

ntN

ot-fo

r-17

19.9

10.5

48.0

55.6

29.2

11.7

7.64.1

9.4Pr

ofit

Org

aniz

atio

nO

ther

5525

.516

.447

.347

.325

.53.6

5.51.8

3.6

Not

e: T

he r

espo

nden

ts w

ere

aske

d to

mar

k al

l th

at a

pply

so

the

tota

l of

the

per

cent

ages

may

be

mor

e th

an 1

00.



Table 5-4-1-ACAE’s Relationship with Audit/Oversight Committee by Group*

CAE Respondents - Percentage of Yes Responses

Question 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

Is there an audit/ 85.2 92.9 91.4 53.5 38.7 49.7 51.2 69.5 65.8 54.3 81.5 100.0 65.5oversight committeein your organization?Does the CAE meet 64.1 75.6 75.5 70.6 62.3 43.4 67.2 48.8 69.2 44.0 77.3 77.8 59.6with the audit/oversight committeechairperson inaddition to theregularlyscheduledmeetings?Does the CAE 93.9 91.0 92.0 90.0 88.2 85.5 88.1 88.1 89.3 92.0 93.9 88.9 84.2believe that he/shehas appropriateaccess to the audit/oversight committee?




Tabl

e 5-8

-1-A

Rel

atio

nshi

p of

IAA

to th

e Org

aniz

atio

n by

Gro

up*

CA

E R

espo

nden

ts in

Mea

ns**

Stat

emen

t1

23

45

67

89

1011

12N

/C**

*

Your

inte

rnal

aud

it fu

nctio

n is

an

inde

pend

ent

4.45

4.57

4.44

4.21

4.41

4.64

4.63

4.43

4.31

4.57

4.44

4.78

4.27

obje

ctiv

e as

sura

nce

and

cons

ultin

g ac

tivity

.Yo

ur in

tern

al a

udit

func

tion

adds

val

ue.

4.46

4.55

4.30

4.12

4.35

4.40

4.51

4.40

4.39

4.43

4.37

5.00

4.28

Inte

rnal

aud

it br

ings

a s

yste

mat

ic a

ppro

ach

to3.

994.

234.

083.

804.

024.

004.

194.

104.

053.

804.

134.

564.

00ev

alua

te th

e eff

ectiv

enes

s of r

isk

man

agem

ent.

Your

inte

rnal

aud

it fu

nctio

n br

ings

a sy

stem

atic

4.41

4.51

4.42

3.93

4.23

4.47

4.40

4.34

4.13

4.13

4.40

4.67

4.15

appr

oach

to e

valu

ate

the

effe

ctiv

enes

s of

inte

rnal

con

trols

.Yo

ur in

tern

al a

udit

func

tion

brin

gs a

syst

emat

ic3.

844.

053.

963.

653.

803.

583.

903.

663.

703.

853.

954.

223.

62ap

proa

ch to

eva

luat

e th

e ef

fect

iven

ess

ofgo

vern

ance

pro

cess

es.

Your

inte

rnal

aud

it fu

nctio

n pr

oact

ivel

y4.

164.

184.

104.

163.

874.

124.

343.

983.

983.

804.

134.

224.

02ex

amin

es im

porta

nt fi

nanc

ial m

atte

rs, r

isks

,an

d in

tern

al c

ontro

ls.

Your

inte

rnal

aud

it fu

nctio

n is

an

inte

gral

par

t4.

194.

374.

223.

884.

043.

974.

113.

994.

093.

964.

194.

443.

90of

the

gove

rnan

ce p

roce

ss b

y pr

ovid

ing

relia

ble

info

rmat

ion

to m

anag

emen

t.Th

e w

ay o

ur in

tern

al a

udit

func

tion

adds

val

ue3.

703.

873.

803.

273.

092.

783.

333.

513.

483.

153.

984.

333.

34to

the

gove

rnan

ce p

roce

ss is

thro

ugh

dire

ctac

cess

to th

e au

dit c

omm

ittee

.Yo

ur in

tern

al a

udit

func

tion

has s

uffic

ient

4.07

4.21

4.03

3.90

4.09

4.26

4.27

4.00

4.00

3.91

4.08

4.67

3.89

stat

us in

the

orga

niza

tion

to b

e ef

fect

ive.

Inde

pend

ence

is a

key

fact

or fo

r you

r int

erna

l4.

434.

554.

384.

324.

304.

624.

674.

554.

494.

394.

455.

004.

38au

dit f

unct

ion

to a

dd v

alue

.O

bjec

tivity

is a

key

fact

or fo

r you

r int

erna

l4.

564.

644.

644.

384.

514.

754.

734.

644.

564.

614.

514.

784.

41au

dit f

unct

ion

to a

dd v

alue

.

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

* *T

he m

ean

is t

he a

vera

ge r

espo

nse

to:

1 =

Stro

ngly

Dis

agre

e, 2

= D

isag

ree,

3 =

Neu

tral,

4 =

Agr

ee, 5

= S

trong

ly A

gree

.**

*N/C

= R

espo

nden

ts d

id n

ot i

ndic

ate

affi

liate

or

chap

ter

mem

bers

hip.



Tabl

e 5-8

-1-A

(Con

t.)R

elat

ions

hip

of IA

A to

the O

rgan

izat

ion

by G

roup

*C

AE

Res

pond

ents

in M

eans

**

Stat

emen

t1

23

45

67

89

1011

12N

/C**

*

Your

inte

rnal

aud

it fu

nctio

n is

cre

dibl

e w

ithin

4.35

4.45

4.22

4.05

4.19

4.52

4.51

4.16

4.24

4.28

4.33

4.33

4.13

your

org

aniz

atio

n.C

ompl

ianc

e w

ith T

he II

A’s I

nter

natio

nal

3.74

3.85

3.99

3.99

4.01

3.83

4.27

3.79

4.07

3.98

3.91

4.56

3.77

Stan

dard

s for

the

Prof

essi

onal

Pra

ctic

e of

Inte

rnal

Aud

iting

is a

key

fact

or fo

r you

rin

tern

al a

udit

func

tion

to a

dd v

alue

to th

ego

vern

ance

pro

cess

.C

ompl

ianc

e w

ith T

he II

A’s

code

of e

thic

s is

3.99

4.04

4.11

3.99

4.11

3.99

4.42

3.91

4.20

4.22

4.13

4.78

3.80

a ke

y fa

ctor

for y

our i

nter

nal a

udit

func

tion

to a

dd v

alue

to th

e go

vern

ance

pro

cess

.

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**Th

e m

ean

is t

he a

vera

ge r

espo

nse

to:

1 =

Stro

ngly

Dis

agre

e, 2

= D

isag

ree,

3 =

Neu

tral,

4 =

Agr

ee, 5

= S

trong

ly A

gree

.**

*N/C

= R

espo

nden

ts d

id n

ot i

ndic

ate

affi

liate

or

chap

ter

mem

bers

hip.



Tabl

e 5-1

7-1-

AE

xten

t the

IAA

Cur

rent

ly U

ses t

he L

iste

d A

udit

Tool

s/Te

chni

ques

by

Gro

up*

All

Res

pond

ents

by

Mea

ns**

Tool

s/Te

chni

ques

12

34

56

78

910

1112

N/C

***

Ana

lytic

al re

view

3.24

3.10

2.97

2.98

3.47

3.33

3.31

3.10

3.57

3.20

3.44

3.32

3.07

Bal

ance

d sc

orec

ard

or si

mila

r fra

mew

ork

2.04

1.91

2.15

1.52

1.98

1.80

2.13

2.17

1.98

2.11

2.09

1.76

1.977

Ben

chm

arki

ng2.4

92.3

92.4

62.1

22.5

82.2

92.1

92.2

82.7

02.5

32.4

52.4

72.3

02C

ompu

ter-

assi

sted

aud

it te

chni

ques

2.75

2.70

2.68

2.39

2.53

2.74

2.91

2.43

3.00

2.40

2.54

2.50

2.051

Con

tinuo

us/re

al-ti

me a

uditi

ng2.0

61.9

82.1

32.7

92.4

72.2

62.4

62.0

92.6

02.0

12.1

62.4

42.4

9C

ontro

l sel

f-as

sess

men

t2.2

52.4

12.3

32.7

62.4

12.1

12.3

12.3

22.5

52.2

02.2

42.1

92.2

9D

ata m

inin

g2.3

02.0

52.1

12.1

52.7

72.1

91.8

82.2

82.8

61.8

52.2

92.1

22.1

5El

ectro

nic w

orkp

aper

s3.2

02.7

83.3

12.7

33.3

43.1

03.1

23.5

33.2

63.2

12.5

61.9

73.1

0Fl

owch

art s

oftw

are

2.61

2.43

2.20

2.12

2.44

2.18

2.38

2.37

2.51

2.10

2.32

1.68

2.20

Oth

er el

ectro

nic c

omm

unic

atio

n4.2

63.9

94.1

93.3

94.0

74.1

13.8

43.9

54.0

54.3

83.9

03.1

53.8

4(e

.g.,

Inte

rnet

, e-m

ail)

Proc

ess m

appi

ng a

pplic

atio

n2.2

12.4

62.2

52.5

92.4

32.2

52.6

72.6

92.3

51.8

92.4

91.8

42.4

0Pr

oces

s mod

elin

g so

ftwar

e1.6

11.6

91.6

41.6

71.7

31.7

31.9

51.7

91.7

81.5

61.7

11.4

21.7

7R

isk-

base

d au

dit p

lann

ing

3.71

3.86

3.91

2.53

3.54

3.71

3.38

3.36

3.23

3.86

3.52

3.55

3.17

Stat

istic

al sa

mpl

ing

2.82

2.60

2.72

2.59

2.81

2.53

2.81

2.82

2.85

2.18

2.71

3.00

2.77

The

IIA’

s qu

ality

ass

essm

ent r

evie

w to

ols

2.25

1.92

2.14

1.82

1.98

1.99

1.95

1.78

1.83

2.01

2.06

1.91

1.82

Tota

l qua

lity

man

agem

ent t

echn

ique

s2.0

91.8

42.1

11.8

51.9

71.8

61.8

61.6

32.0

21.7

52.1

41.9

71.9

1

*For

a l

ist

of a

ffili

ate

grou

ps,

plea

se s

ee t

he i

nsid

e ba

ck c

over

.**

The

mea

n is

the

ave

rage

res

pons

e to

: 1

= N

ot U

sed,

2 =

Mod

erat

ely

Use

d, 3

= A

vera

ge U

se, 4

= V

ery

Muc

h U

sed,

5 =

Ext

ensi

vely

Use

d.**

*N/C

= R

espo

nden

ts d

id n

ot i

ndic

ate

affi

liate

or

chap

ter

mem

bers

hip.



Table 5-19-1-AAudit Tools/Techniques that are Currently Extensively Used

All Respondents by Frequency*

Tools/Techniques** Mean CAE Audit Audit Audit Other Manager Senior/ Staff

Supervisor

Other electronic communication 46.3 41.5 49.5 50.6 48.5 31.7(e.g., Internet, e-mail)Risk-based audit planning 28.3 28.1 28.8 29.6 29.5 17.0Electronic workpapers 26.5 21.1 28.4 30.1 30.9 18.4Analytical review 12.4 10.8 11.5 13.5 15.0 12.8Computer-assisted audit techniques 9.8 6.9 10.2 11.0 12.5 11.1Statistical sampling 9.7 7.2 8.1 10.7 15.3 9.8Flowchart software 8.3 6.2 8.6 9.3 10.7 8.1Process mapping application 7.7 5.8 8.0 9.1 9.2 6.4Control self-assessment 5.7 3.8 5.3 6.2 9.0 7.3Data mining 5.6 4.5 5.2 5.6 8.0 6.1Continuous/real-time auditing 5.1 3.0 4.3 5.9 8.2 7.0The IIA’s quality assessment 4.6 3.5 5.2 4.4 6.4 4.9review toolsBalanced scorecard or similar 3.9 1.9 4.1 4.4 6.0 4.9frameworkBenchmarking 3.9 3.6 2.8 4.4 5.1 5.4Total quality management techniques 3.5 2.3 3.6 3.4 5.9 4.3Process modeling software 2.5 1.1 2.2 3.0 4.2 4.1

*As this is a frequency for only the “Currently Extensively Used” category, the rows will not add across to 100.**The tools/techniques are presented in the table in a decreasing order, according to the ranking of the overall average.



Table 5-19-2-AAudit Tools/Techniques Not Currently Used



Supervisor

Process modeling software 62.7 69.9 64.0 58.7 55.3 55.7Total quality management techniques 48.6 54.1 48.3 47.8 41.6 42.2Balanced scorecard or similar 48.4 52.9 46.9 46.2 46.2 46.6frameworkThe IIA’s quality assessment review 46.6 49.8 43.8 47.5 43.5 46.0toolsContinuous/real-time auditing 39.0 42.9 42.5 34.8 31.9 42.7Data mining 36.1 38.0 34.6 35.5 34.5 39.6Process mapping application 36.1 40.1 35.1 34.3 33.7 33.7Control self-assessment 34.1 40.8 35.1 30.5 27.3 30.2Flowchart software 31.7 33.9 27.1 31.3 34.1 33.9Benchmarking 24.9 23.8 23.0 26.4 26.4 28.4Computer-assisted audit techniques 22.3 23.7 19.8 21.1 24.4 24.9Electronic workpapers 19.8 22.3 18.2 19.3 17.1 23.6Statistical sampling 18.0 19.6 19.3 16.8 14.7 18.7Risk-based audit planning 8.0 6.6 7.2 7.9 9.6 16.1Analytical review 6.5 5.4 5.7 5.9 8.3 12.5Other electronic communication 2.7 2.9 2.6 1.6 2.3 7.7(e.g., Internet, e-mail)

*As this is a frequency for only the “Not Currently Used” category, the rows will not add across to 100.**The tools/techniques are presented in the table in a decreasing order, according to the ranking of the overall average.



Tabl

e 5-1

9-3-

AA

udit

Tool

s/Tec

hniq

ues N

ot C

urre

ntly

Use

d by

Gro

up*

All

Res

pond

ents

by

Mea

n**

Tool

s/Te

chni

ques

12

34

56

78

910

1112

N/C

***

Ana

lytic

al re

view

5.84.9

8.26.7

3.53.4

4.510

.27.4

5.42.2

14.7

9.9B

alan

ced

scor

ecar

d or

sim

ilar f

ram

ewor

k49

.347

.543

.868

.047

.053

.042

.340

.059

.146

.444

.363

.652

.6B

ench

mar

king

22.8

19.4

23.0

35.7

23.8

22.7

33.3

25.2

19.6

18.8

21.5

37.5

32.2

Com

pute

r-as

sist

ed a

udit

tech

niqu

es18

.818

.221

.326

.529

.018

.718

.629

.821

.727

.328

.238

.225

.4C

ontin

uous

/real

-tim

e aud

iting

44.3

50.0

46.4

16.8

32.2

33.9

27.6

40.8

28.0

46.3

40.9

35.3

27.9

Con

trol s

elf-

asse

ssm

ent

37.9

29.9

34.9

13.9

29.9

40.4

32.5

29.0

34.4

27.9

37.6

50.0

33.5

Dat

a min

ing

33.0

38.5

40.3

36.8

20.3

34.1

54.9

37.1

22.0

51.8

38.9

48.5

43.0

Elec

troni

c wor

kpap

ers

22.7

27.8

20.1

25.7

11.8

17.5

17.9

7.814

.614

.334

.866

.720

.9Fl

owch

art s

oftw

are

25.5

30.0

40.4

38.0

33.0

34.9

32.8

32.2

36.7

39.3

36.2

73.5

41.2

Oth

er el

ectro

nic c

omm

unic

atio

n2.0

3.31.8

7.21.5

1.24.3

2.76.4

1.83.3

23.5

3.2(e

.g.,

Inte

rnet

, e-m

ail)

Proc

ess m

appi

ng a

pplic

atio

n42

.134

.440

.328

.331

.935

.724

.322

.539

.151

.837

.162

.533

.2Pr

oces

s mod

elin

g so

ftwar

e66

.960

.666

.363

.659

.256

.252

.056

.563

.767

.962

.181

.859

.5R

isk-

base

d au

dit p

lann

ing

6.36.6

4.824

.26.6

4.010

.48.4

13.7

5.45.6

8.814

.6St

atis

tical

sam

plin

g16

.819

.120

.517

.017

.518

.118

.116

.520

.732

.420

.814

.720

.0Th

e II

A’s

qual

ity a

sses

smen

t rev

iew

tool

s39

.748

.345

.749

.048

.745

.252

.456

.859

.649

.546

.960

.657

.1To

tal q

ualit

y m

anag

emen

t tec

hniq

ues

42.6

54.7

44.6

47.8

47.4

49.0

55.7

64.8

52.7

56.0

41.9

59.4

52.2

*For

a l

ist

of a

ffili

ate

grou

ps,

plea

se s

ee t

he i

nsid

e ba

ck c

over

.**

The

mea

n is

the

ave

rage

res

pons

e to

: 1

= N

ot U

sed,

2 =

Mod

erat

ely

Use

d, 3

= A

vera

ge U

se, 4

= V

ery

Muc

h U

sed,

5 =

Ext

ensi

vely

Use

d.**

*N/C

= R

espo

nden

ts d

id n

ot i

ndic

ate

affi

liate

or

chap

ter

mem

bers

hip.



Tabl

e 5-2

0-1-

AE

xten

t the

IAA

Pla

ns to

Use

the L

iste

dA

udit

Tool

s/Te

chni

que i

n th

e Nex

t Thr

ee Y

ears

by

Gro

up*

All

Res

pond

ents

by

Mea

n**

Tool

s/Te

chni

ques

12

34

56

78

910

1112

N/C

***

Ana

lytic

al re

view

3.51

3.36

3.37

3.34

3.74

3.56

2.86

3.02

4.11

3.55

3.82

3.96

3.22

Bal

ance

d sc

orec

ard

or si

mila

r fra

mew

ork

2.37

2.24

2.61

2.13

2.60

2.22

2.27

2.30

2.51

2.40

2.77

3.36

2.23

Ben

chm

arki

ng2.8

62.1

83.0

12.4

93.0

92.7

92.2

92.5

23.2

52.9

93.0

43.7

62.5

0C

ompu

ter-

assi

sted

aud

it te

chni

ques

3.54

3.24

3.54

2.83

3.46

3.37

3.14

2.79

4.08

3.24

3.45

4.23

3.14

Con

tinuo

us/re

al-ti

me a

uditi

ng2.8

72.0

72.9

13.0

22.9

72.6

32.6

22.2

63.3

42.4

12.8

03.5

22.8

3C

ontro

l sel

f-as

sess

men

t2.7

53.1

02.9

83.1

03.1

02.6

72.6

52.6

63.3

62.8

93.0

13.5

02.7

9D

ata m

inin

g3.0

32.7

92.8

52.4

63.1

52.6

92.2

22.5

53.5

62.2

82.9

13.5

22.5

7El

ectro

nic w

orkp

aper

s3.8

23.2

84.0

03.1

54.0

03.5

63.2

93.5

84.0

13.6

13.3

13.6

23.4

0Fl

owch

art s

oftw

are

2.93

2.71

2.74

2.49

3.13

2.46

2.56

2.42

3.19

2.30

2.87

3.48

2.53

Oth

er el

ectro

nic c

omm

unic

atio

n4.3

54.1

24.3

53.4

74.3

54.2

53.5

03.8

64.3

64.4

64.1

04.3

63.8

4(e

.g.,

Inte

rnet

, e-m

ail)

Proc

ess m

appi

ng a

pplic

atio

n2.5

32.7

22.8

02.9

03.2

92.8

22.7

52.8

02.9

82.2

73.9

83.5

52.7

8Pr

oces

s mod

elin

g so

ftwar

e1.9

11.9

52.1

92.1

52.5

62.2

12.3

01.9

92.3

51.8

82.3

32.8

72.1

9R

isk-

base

d au

dit p

lann

ing

4.13

4.28

4.36

3.01

4.18

4.17

3.56

3.66

4.17

4.24

4.07

4.36

3.53

Stat

istic

al sa

mpl

ing

3.09

2.89

3.08

3.01

3.37

2.92

2.89

2.78

3.44

2.53

3.20

4.00

2.91

The

IIA’

s qu

ality

ass

essm

ent r

evie

w to

ols

2.86

2.58

2.92

2.41

3.04

2.60

2.60

2.18

2.94

2.85

3.01

3.52

2.49

Tota

l qua

lity

man

agem

ent t

echn

ique

s2.4

32.1

62.7

32.4

52.8

32.2

12.4

61.9

12.8

72.0

92.8

93.5

72.4

1

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**Th

e m

ean

is t

he a

vera

ge r

espo

nse

to:

1 =

Not

Use

d, 2

= M

oder

atel

y U

sed,

3 =

Ave

rage

Use

, 4 =

Ver

y M

uch

Use

d, 5

= E

xten

sive

ly U

sed.

***N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.



Table 5-22-1-AAudit Tools/Techniques that Will Be Extensively Used

in the Next Three YearsAll Respondents by Frequency*


Supervisor

Other electronic communication 48.5 45.2 50.2 51.7 51.5 40.0(e.g., Internet, e-mail)Risk-based audit planning 39.1 41.0 41.2 38.1 36.5 27.2Electronic workpapers 33.9 29.6 37.6 36.9 36.8 26.9Computer-assisted audit techniques 18.5 16.7 20.4 19.6 18.0 17.9Analytical review 15.7 14.8 14.5 16.6 18.7 15.1Statistical sampling 11.4 9.5 10.9 12.3 15.0 13.0Flowchart software 10.5 8.8 11.1 10.4 13.3 12.4Data mining 10.4 9.4 10.6 10.8 12.3 10.6Process mapping application 9.8 7.8 9.1 11.4 12.7 12.2The IIA’s quality assessment 9.0 8.2 10.4 8.6 8.8 12.4review toolsContinuous/real-time auditing 8.9 7.4 8.2 10.0 11.8 10.6Control self-assessment 8.8 7.2 7.9 9.4 12.8 11.1Benchmarking 6.2 6.4 5.2 6.6 7.3 5.4Total quality management techniques 6.2 4.7 6.6 6.3 7.9 10.9Balanced scorecard or similar 4.7 3.3 4.4 4.9 7.8 5.3frameworkProcess modeling software 4.1 2.0 3.8 5.6 5.9 8.1

*As this is a frequency for only the “Extensively Used in the Next Three Years” category, the rows will not add acrossto 100.**The tools/techniques are presented in the table in a decreasing order, according to the ranking of the mean.



Table 5-22-2-AAudit Tools/Techniques that Will Not Be Used in the Next Three Years


Tools/Techniques** Overall CAE Audit Audit Audit OtherAverage Manager Senior/ Staff

Supervisor

Process modeling software 43.9 47.9 44.5 41.0 39.8 38.1Balanced scorecard or similar 31.2 32.3 28.7 31.9 32.0 31.3frameworkTotal quality management techniques 30.0 31.4 29.5 29.3 29.3 28.5Process mapping application 22.6 24.1 23.3 21.1 21.0 21.2The IIA’s quality assessment 20.3 18.7 18.6 22.1 23.6 23.5review toolsFlowchart software 19.4 19.9 17.2 19.3 22.1 19.1Data mining 18.7 17.1 18.1 18.9 21.7 25.1Continuous/real-time auditing 18.0 18.0 16.9 17.9 18.6 23.3Control self-assessment 15.1 14.5 17.9 13.3 14.5 17.7Benchmarking 13.5 11.2 11.9 15.7 17.3 17.0Statistical sampling 10.5 11.3 10.6 10.3 9.2 9.3Electronic workpapers 8.0 8.3 5.8 8.0 9.1 12.1Computer-assisted audit techniques 7.8 7.3 6.1 8.1 10.7 10.8Analytical review 4.3 3.2 4.0 3.8 7.1 9.2Risk-based audit planning 3.1 2.1 2.8 2.7 5.6 7.6Other electronic communication 1.6 1.4 1.7 1.1 1.7 5.5(e.g., Internet, e-mail)

*As this is a frequency for only the “Will Not Be Used in the Next Three Years” category, the rows will not add acrossto 100.**The tools/techniques are presented in the table in a decreasing order, according to the ranking of the mean.

_______________________________ Chapter 6: Staffing and Professional Development 251


CHAPTER 6STAFFING AND PROFESSIONAL

DEVELOPMENT

Introduction

This chapter summarizes the respondents’ perceptions about staffing their internal audit activities(IAA) and their staffs’ qualifications. The topics addressed include staffing of the IAA, serviceproviders, staff evaluation, number of staff with certifications, and continuing professionaldevelopment. The main objective of the CBOK 2006 study is to develop a summary of the globalpractice of internal auditing around the world.






Some participants’ responses are presented according to the respondents’ position in the IAA.These more detailed summaries of results may be provided for the five categories of respondents:CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in theOther category consist primarily of other professional staff whose position is not captured by thetraditional job titles included in the survey. A review of their credentials indicates they may bemembers of the IAA, employed by service providers, or in organizations where their titles are lesstraditional but with duties within internal auditing.

When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.For a list of groups, please refer to the inside back cover of the report. Some tables have additional



details. For example, Table 6-1 has a related Table 6-1-1. Additional related tables may be locatedin Appendix 6 at the end of this chapter. A table that is in the Appendix can be clearly identified byan “A” at the end of its number. For example, Table 6-7-1-A is located in Appendix 6.

Staffing

Number of Staff in the IAA

Practice Advisory 2230-1 states, “The number and experience level of the internal auditing staffrequired should be based on an evaluation of the nature and complexity of the engagement assignment,time constraints, and available resources.” Several survey questions were asked to gain anunderstanding of the type of staff, use of co-sourcing, and size of respondents’ IAAs. Table 6-1lists CAE responses to the current number of audit staff by staff level in their IAAs. Of the 359CAEs that responded to the use of external auditors as staff, 49.3% or 177 indicate they use thissource for audit staff and 255 of 438 CAE respondents use contract audit staff.

Table 6-1Number of Full-time Staff at Each Staff Level in the IAA


Number CAE’s Audit Audit Audit Staff External Contract Supportat Each % of Managers Seniors/ % of Auditors Audit Staff Staff

Staff 2,184 % of Supervisors 1,742 (co-sourced) (co-sourced) (Adminis-Level Respondents 1,173 % of Respondents % of % of trative,

Respondents 954 359 438 Secretarial,Respondents Respondents Respondents & Clerical)

Total of936

Respondents

None 0.4 10.9 13.2 3.9 50.7 41.6 12.7One 90.1 36.7 27.7 19.5 12.3 22.1 54.62-5 6.0 41.6 41.7 44.0 24.5 27.6 25.4

6-10 1.8 6.3 9.1 14.4 7.2 4.3 3.411 or 1.7 4.5 8.3 18.2 5.3 4.4 3.9MoreTotal 100.0 100.0 100.0 100.0 100.0 100.0 100.0



Table 6-1-1 shows that very few of the CAE respondents’ IAAs have part-time staff and thosetend to be at the audit staff level or with outsourced personnel.

Table 6-1-1Number of Part-time Staff in the IAA


Number CAE Audit Audit Audit Staff External Contract Supportof Staff Total of Managers Seniors/ Total of Auditors Audit Staff Staff

153 Total of Supervisors 231 (co-sourced) (co-sourced) (Adminis-Respondents 119 Total of Respondents Total of Total of trative,

Respondents 120 181 194 Secretarial,Respondents Respondents Respondents & Clerical)

Total of206

Respondents

None 51.6 70.6 65.0 31.2 42.0 42.3 39.8One 39.2 19.3 21.7 37.7 19.3 29.4 53.42-5 6.5 8.4 12.5 26.8 32.6 22.7 4.9

6-10 2.0 0.8 0.0 2.2 3.3 2.1 0.511 or 0.7 0.9 0.8 2.1 2.8 3.5 1.4MoreTotal 100.0 100.0 100.0 100.0 100.0 100.0 100.0



Many of the respondents’ IAAs have a fairly small number of staff members at each staff level.Figure 6-1 reports that 24% of the respondents to this question indicate that their IAAs have 1-3members of the audit staff. Another 18.9% have 4-6 staff members and an additional 11.1% have7-9 staff members in their IAAs. Of the respondents, 25.8% have 25 or more staff members intheir IAA.

Figure 6-1Number of Full-time Staff at Each Staff Level


25 or more25.8%

1-324.0%

4-618.9%

7-911.1%10-12

6.7%

13-155.0%

16-183.8%

19-212.7%

22-242.0%



Open Staff Positions

Several questions were asked about hiring practices for open positions and what methods are usedto make up for staff vacancies. As seen in Figure 6-2, special incentives to hire staff are notgenerally used. Only 12.8% of CAEs’ organizations offer relocation expenses, 10.9% provide atransportation allowance, and 8.4% give a signing bonus.

Figure 6-2Special Incentives Offered to Hire Staff





CAEs were also asked what methods are used to make up for staff vacancies. Figure 6-3 showthat 28.2% of CAE respondents replied that their IAAs have no vacancies. CAEs indicate thatthe two most common methods used to cover staff vacancies are reduction in the areas of auditcoverage (30.7%) and co-sourcing from internal audit service providers (28.7%).

Figure 6-3Methods Used to Make Up for Staff Vacancies






For groups, Table 6-2 points out that a reduction in coverage is a general strategy common to allgroups, whereas the use of co-sourcing is primarily practiced in groups 1, 2, 3, and 11. Groups 5(39.7%) and 6 (39.1%) have the highest percentages of no vacancies. Groups 12 (11.1%) and 11(14.8%) report the lowest levels of no vacancies and the highest level of reducing the areas ofaudit coverage, 44.4% and 37% respectively, due to lack of staff.

Table 6-2Methods Used to Make Up for Staff VacanciesCAE Respondents in Percentages by Groups*

Methods 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

Facilitate control self- 5.4 14.0 14.7 35.6 16.8 10.3 16.7 11.7 15.2 10.6 18.5 44.4 17.9assessments in placeof auditsReduce areas of 35.3 26.7 34.7 23.1 21.2 23.7 26.5 33.0 19.6 23.4 37.0 44.4 25.2coverageIncreased use of audit 10.6 11.6 18.0 18.3 10.3 17.3 20.5 12.6 26.1 8.5 29.6 33.3 15.9softwareBorrowing staff from 11.4 17.4 13.3 19.2 17.9 12.8 8.3 14.2 4.3 14.9 13.6 33.3 15.9other departmentsCo-sourcing from 34.6 41.9 43.3 11.5 14.7 21.8 22.0 27.5 17.4 29.8 33.3 11.1 17.2internal audit serviceprovidersNo vacancies 28.0 24.4 21.3 29.8 39.7 39.1 27.3 24.9 30.4 25.5 14.8 11.1 27.8Other methods 8.4 10.5 14.0 10.6 14.7 8.3 15.2 16.2 19.6 17.0 17.3 22.2 19.9Respondents 912 86 150 104 184 156 132 309 46 47 81 9 151

*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.

Missing Skills

Standard 1210.A1, Proficiency, notes that, “The CAE should obtain competent advice and assistanceif the internal audit staff lacks the knowledge, skills, or other competencies needed to perform allor part of the engagement.” Standard 1210.C1 goes on to state, “The CAE should decline theconsulting engagement or obtain competent advice and assistance if the internal audit staff lacksthe knowledge, skills, or other competencies needed to perform all or part of the engagement.”



Skill shortages are an issue that CAEs must often address in creative ways. Methods respondentsuse to compensate for missing skill sets are indicated in Figure 6-4. In only 13.1% of the respondents’IAAs are there no missing skill sets. The most typical techniques to address skill shortages arethrough the use of co-sourcing/outsourcing (51.4%), reduction of areas of coverage (17.7%), andborrowing staff from other departments (14.5%).

Figure 6-4Methods Used to Compensate for Missing Skills






Service Providers

Respondents by Staff Level that are Service Providers

Respondents were asked if they work for a service provider or worked for an in-house IAA. Asshown in Figure 6-5, 86% indicate that they work within an organization and 14% of the respondentsindicate that they work for services providers.

Figure 6-5Service Provider of Internal Audit Services


ServiceProvider14.0%

In-houseInternal

Audit Activity86.0%



Table 6-3 shows by staff level if the respondents work for an in-house IAA or work for a serviceprovider.

Table 6-3Staff Levels at In-house IAA or Service Provider


Staff Level Number of Percent of Percent of Totalof Respondent Respondents Staff Level Staff Level

Working Working forIn-house a Service

IAA Provider

CAEs 2,337 86.7 13.3 100.0Audit Managers 2,004 83.0 17.0 100.0Audit Seniors/Supervisors 2,208 87.2 12.8 100.0Audit Staff 1,595 88.7 11.3 100.0Other 630 82.1 17.9 100.0Total/Average 8,774 86.0 14.0 100.0



Outsourced IAA Activities

Figure 6-6 indicates the percentage of the IAAs’ activities that are performed by service providers.Sixty-eight point eight percent of CAE respondents indicate that 10% or less of their IAAs’ auditwork is being co-sourced/outsourced. All respondents indicated some level of outsourcing/co-sourcing.

Figure 6-6IAA’s Audit Activities - Percentage Outsourced/Co-sourced





As described in Table 6-4, 33% of CAEs indicate that their budget for co-sourcing/outsourcing isprojected to increase in the next three years. It appears that most organizations are conductingtheir internal audits with in-house audit staff.

Table 6-4Anticipated Budget Changes for Outsourced/Co-sourced Activities

in the Next Three YearsCAE Respondents in Percentages

Change Percent ofAnticipated 2,145 Respondents

Remain the same 55.7Increase 33.0Decrease 11.3Total 100.0

Staff Evaluation

Table 6-5 summarizes how audit staff is evaluated. The audit staff is mainly evaluated by a supervisoron a periodic basis (78.5%). Customer/auditee feedback is the second most commonly used methodfor evaluation of audit staff’s performance (45.6%).

Table 6-5Method of Staff Evaluation


Methods of Percent ofStaff Evaluation 2,367 Respondents

By supervisor periodically 78.5Customer/auditee feedback 45.6Peers/subordinates periodically 23.4Other 15.5




Certifications

To ensure an adequate grounding of skills and abilities among the audit staff, it is important forindividuals in the IAA to be Certified Internal Auditors (CIA). Other certifications such as CGAP,CCSA, CFSA, and CISA are also important to show the staff’s proficiency in specialized areas.CAE respondents were asked about the types of certifications held by their staff. Figure 6-7provides a listing of the staff certification profile from responding CAEs. A staff member couldhave more than one certification. This table indicates that the audit staff has a wide range ofcertifications. Public accounting is the most common (35.0%), followed by the CIA certification(28.6%).

Figure 6-7IAA Staff Members with Certifications






In T

able

6-6

, the

type

s of c

ertif

icat

ions

hel

d by

gro

ups a

re li

sted

. CA

Es in

gro

ups 2

(45.

3%) a

nd 4

(40.

9%) i

ndic

ate

thei

r sta

ff h

ave

the

high

est p

erce

ntag

es o

f CIA

s. D

istri

butio

n of

the

mai

n ce

rtific

atio

ns in

Fig

ure

6-7

are

gene

rally

cons

iste

nt w

ith th

e gr

oup

dist

ribut

ion

in T

able

6-6

. Whe

n th

e C

AEs

wer

e as

ked

if th

ere

is a

nee

d fo

r ad

ditio

nal

certi

ficat

ions

bey

ond

the

CIA

/MII

A/P

IIA

for a

udit

man

ager

s, 40

.9%

of C

AEs

agr

eed

it w

as n

eces

sary

. Man

y C

AEs

(40.

4%) b

elie

ve th

at th

ey n

eed

othe

r cer

tific

atio

ns in

add

ition

to th

e C

IA/M

IIA

/PII

A d

esig

natio

n.

Tabl

e 6-6

IAA

Sta

ff M

embe

rs W

ith C

ertif

icat

esC

AE

Res

pond

ents

- Av

erag

e Per

cent

ages

by

Gro

ups*

Type

of

Cer

tific

ate

12

34

56

78

910

1112

N/C

**

Inte

rnal

Aud

iting

(suc

h31

.045

.326

.040

.921

.928

.97.7

17.7

28.8

28.7

23.8

19.3

27.08

as C

IA/M

IIA

/PII

A)

Info

rmat

ion

Syst

ems

19.5

20.0

13.0

11.7

6.618

.49.7

9.219

.113

.713

.415

.510

.83A

uditi

ng (s

uch

as C

ISA

/Q

iCA

/CIS

M)

Gov

ernm

ent A

uditi

ng/

18.5

6.414

.86.0

13.9

6.52.6

.61.3

5.40.0

5.08.2

5Fi

nanc

e (s

uch

as C

IPFA

/CG

AP/

CGFM

)C

ontro

l Sel

f-as

sess

men

t9.1

6.910

.914

.59.4

10.1

4.39.3

8.08.1

5.06.6

76.0

0(s

uch

as C

CSA

)Pu

blic

Acc

ount

ing/

39.6

51.4

24.1

17.9

16.3

29.4

39.9

21.3

26.4

34.8

30.8

29.8

31.95

Cha

rtere

d A

ccou

ntan

cy(s

uch

as C

A/C

PA/

AC

CA

/AC

A)

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.N

ote:

The

res

pond

ents

wer

e as

ked

to m

ark

all

that

app

ly s

o th

e to

tal

of t

he p

erce

ntag

es m

ay b

e m

ore

than

100

.



Tabl

e 6-6

(Con

t.)IA

A S

taff

Mem

bers

With

Cer

tific

ates

CA

E R

espo

nden

ts -

Aver

age P

erce

ntag

es b

y G

roup

s*

Type

of

Cer

tific

ate

12

34

56

78

910

1112

N/C

**

Man

agem

ent/G

ener

al17

.223

.315

.514

.92.1

5.21.7

14.6

9.08.0

12.9

19.1

14.44

Acc

ount

ing

(suc

h as

CMA

/CIM

A/C

GA

)A

ccou

ntin

g - t

echn

icia

n2.2

6.620

.427

.54.1

13.7

9.618

.27.8

0.010

.13.9

13.76

leve

l (su

ch a

s CAT

/AAT

)Fr

aud

Exam

inat

ion

16.2

11.2

10.0

4.58.9

3.02.9

2.912

.21.9

3.65.0

16.81

(suc

h as

CFE

)Fi

nanc

ial S

ervi

ces

19.0

0.01.1

1.24.1

6.33.5

2.60.0

2.26.7

5.05.8

0A

uditi

ng (

such

as

CFSA

/CID

A/C

BA)

Fello

wsh

ip (s

uch

as5.4

29.9

17.28

0.010

.219

.58.4

6.86.3

0.010

.80.0

10.11

FCA

/FCC

A/F

CMA

)C

ertif

ied

Fina

ncia

l2.6

0.00.9

71.7

1.38.2

1.55.3

0.00.0

4.38

0.01.4

5A

naly

st (s

uch

as C

FA)

Oth

er C

ertif

icat

ions

23.7

31.4

26.19

21.7

44.0

48.3

14.2

29.9

15.2

39.9

29.0

62.9

37.59

Tota

l Num

ber o

f3,0

9524

451

724

039

843

540

268

212

916

330

235

430

Res

pond

ents

Per

Gro

up

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.N

ote:

The

res

pond

ents

wer

e as

ked

to m

ark

all

that

app

ly s

o th

e to

tal

of t

he p

erce

ntag

es m

ay b

e m

ore

than

100

.



Continuing Professional Development

The IIA requires 80 hours of continuing professional development (CPD) every two years. TheIIA Attribute Standard 1230, Continuing Professional Development, requires internal auditors to“enhance their knowledge, skills, and other competencies through continuing professionaldevelopment.” Respondents were asked how many hours of formal training they received over thelast 36 months or while they have been working in their IAA if less than 3 years. Training includes,but is not limited to, seminars, conferences, workshops, and in-house information sessions providedby either the respondents’ organization or other organizations.

Hours of Training Over the Last 36 Months by Staff Level

Table 6-7 lists the number of hours of formal training by staff level taken by the respondents duringthe 36-month period prior to responding to the CBOK 2006 survey. The range in hours of formaltraining reported is from none to 240 or more hours. There is an expectation that all respondentswould have taken at least 120 hours of CPD over the prior three-year period. Of the CAEs, 48.2%achieved or exceeded 120 hours of CPD. Another 16.4% of the CAEs attained the 80-119 hourlevel of CPD. The percentages of respondents at the other staff levels that achieved 120 or morehours of formal training are 49.1% for Audit Managers, 42.4% for Senior/Supervisors, 35.5% forAudit Staff, and 34.1% for Others.

Table 6-7Hours of Formal Training During the Last 36 Months or

While in IAA if Less Than 3 YearsAll Respondents in Percentages

Number CAE Audit Audit Senior/ Audit Staff Othersof Hours of 2,288 Manager Supervisor of 1,558 of 598

Respondents of 1,947 of 2,159 Respondents RespondentsRespondents Respondents

None 0.9 1.2 1.2 2.2 7.41-39 11.6 11.2 13.2 19.1 19.440-79 22.9 21.7 24.5 25.4 23.980-119 16.4 16.8 18.7 17.8 15.2120-159 23.9 24.8 20.6 16.9 16.7160-199 4.9 5.8 5.1 3.1 4.7200-239 6.5 6.3 5.6 4.6 3.0

240 or More 12.9 12.2 11.1 10.9 9.7Total 100 100 100 100 100



In Appendix 6, Tables 6-7-1-A through 6-7-6-A provide more detailed data for the groups. Thetables show details about the hours of formal training received by all respondents within the last 36months and then broken down by category of internal audit staff.

Hours of Training Compared to Years as a Member of IIA

Table 6-8 looks at whether the period of IIA membership has any affect on the amount of CPDtaken by respondents. It does appear that respondents who have been IIA members for a longerperiod of time have taken more CPD in the 36 months prior to the survey. For respondents thathave been members for 11 or more years, 54.6% have taken 120 or more hours of CPD comparedto 50.3% of respondents who have been members for 6-10 years, and 39.4% of respondents whohave been members for 1-5 years.

Table 6-8Comparing Hours of CPD During the Last 36 Months and

Years as a Member of The IIA All Respondents in Percentages

Number of IIA Member IIA Member IIA MemberHours of for 1-5 Years for 6-10 Years for 11 or MoreFormal of 5,014 of 1,657 Years of 1,266

Training Respondents Respondents Respondents

None 1.8 0.9 1.41- 39 15.5 9.4 9.140-79 25.4 21.8 20.580-119 17.9 17.6 14.4120-159 18.5 26.6 30.0160-199 4.0 5.8 7.9200-239 5.5 5.8 6.6

240 or More 11.4 12.1 10.1Total 100.0 100.0 100.0



CIA/MIIA/PIIA Certification and Hours of CPD

Figure 6-8 summarizes the number of hours of CPD taken by respondents who have their CIA/MIIA/PIIA certification. Of those that indicate that they are a CIA/MIIA/PIIA, 51% have taken120 or more hours of CPD.

Figure 6-8Number of Hours of Formal Training During the Last

36 Months for CIA/MIIA/PIIA RespondentsAll Respondents (3,366) in Percentages

Hours of Training Required by Law/Statute

To further understand the factors impacting the amount of CPD taken by internal auditors,respondents were asked how many hours of training over a 12-month period are required by law/statute in the country where they work. The benchmark for a 24-month period is still the 80 hoursrequired by The IIA, but it is acknowledged that there could be some country specific variation. InTable 6-9, the replies appear to be consistent across all levels of audit staff. Respondents that

None1.1% 1-39 hours

9.9%

40-79 hours21.4%

80-119 hours16.6%

120-159 hours26.1%

200-239 hours6.2%

240 or morehours12.7%

160-199 hours6.0%



indicate they do not have any law/statute requiring CPD in the countries where they work rangefrom 38.0% to 41.2%. Countries that have statutory requirements for 31-40 hours per year ofCPD range from 25.0% to 32.8%. A few countries require more than 40 hours of CPD annually.

The relatively high percentage of respondents that work in countries that have no or minimumstatutory CPD requirement, may help explain why many of the respondents in Table 6-7 indicatethat they have taken the equivalent of 119 hours or less of CPD in the past 36 months.

Table 6-9Hours of Training Over a 12-Month Period Required by Law/Statute


Number CAE Audit Audit Senior/ Audit Staff Othersof Hours % of 2,028 Manager Supervisor % of 1,177 % of 513

Respondents % of 1,687 % of 1,832 Respondents RespondentsRespondents Respondents

None 41.0 38.1 41.2 38.0 39.01-10 5.6 3.7 4.5 9.0 4.011-20 8.5 9.1 8.3 8.0 12.021-30 4.8 5.0 5.5 5.0 7.031-40 30.3 32.8 29.5 25.0 28.041-50 1.9 2.1 2.3 3.0 2.051-60 1.6 1.7 2.1 1.0 1.061-70 0.1 0.3 0.5 1.0 0.0

Over 70 6.2 7.2 6.1 10.0 7.0Total 100.0 100.0 100.0 100.0 100.0

Frequency of Types of Training

The survey asked the CAEs to provide information on the frequency of training in several specificareas for themselves and other members of the IAA. Respondents were asked to indicate whetherthe training was more frequent than annually, annually, less frequently than annually, as needed, ornever. The detailed results are shown in Table 6-10. CAEs report that training on the Standardsand professional practices are most common with 46.3% receiving training annually or morefrequently than annually and 37.5% receiving training as needed. Another important training areais basic/advanced technology, with 36.3% of the training being provided annually or more frequently



and 46.3% being trained as necessary. This result is expected as the IAA seeks skill upgradeswhen new technology becomes available.

Table 6-10Frequency of Types of Training


Type of Number of More Annually Less As Never TotalTraining Respondents Frequently Frequently Needed

than thanAnnually Annually

Standards and 2,286 18.5 27.8 12.1 37.5 4.1 100.0professionalpracticesBasic/advanced 2,231 13.0 23.3 12.3 46.3 5.1 100.0technologyAnti-fraud 2,217 9.5 22.5 17.2 41.1 9.7 100.0techniquesEthics training 2,211 6.7 31.4 13.8 35.9 12.2 100.0Communication 2,242 8.8 18.4 15.3 46.9 10.6 100.0skillsTeam-building 2,232 9.4 17.1 15.6 43.5 14.4 100.0skills

The responses given to the question on ethics training could reflect the desire for improving corporategovernance or the need for more transparent business practices following many widely publicizedcorporate collapses in recent years. It was reported that 38.1% of ethics training sessions tookplace annually or more frequently and 35.9% as needed. It is interesting to note that 12.2% ofrespondents indicate that ethics training is never provided, compared with 4.1% indicating notraining on the Standards and professional practices and 5.1% indicating no training on basic/advanced technology.



Summary

The majority (54%) of the CAE respondents’ IAAs have 9 or fewer staff and 25.8% of the IAAshave 25 or more audit staff. A minority of respondents offer incentives to attract individuals foropen positions in the IAA. The respondents’ most used methods to compensate for missing skillsets are to reduce the audit scope or to outsource the task. Over 25% of the respondents hold aCIA/MIIA/PIIA designation. About half of the CAE respondents received 120 hours of CPD overthe 36 months prior to the CBOK 2006 survey.



APP

EN

DIX

6

Tabl

e 6-7

-1-A

Hou

rs o

f For

mal

Tra

inin

g D

urin

g L

ast 3

6 M

onth

s or W

hile

in IA

A if

Les

s Tha

n 3 Y

ears

All

Res

pond

ents

in P

erce

ntag

es b

y G

roup

s*

N

umbe

r of

Hou

rs1

23

45

67

89

1011

12N

/C**

Non

e1.1

1.02.9

1.11.8

0.71.6

1.93.3

1.52.2

2.44.3

1- 39

9.713

.114

.235

.210

.213

.68.4

16.8

23.6

14.6

20.3

12.2

21.7

40-7

923

.521

.427

.926

.418

.525

.416

.728

.125

.223

.425

.119

.520

.480

-119

16.9

21.8

15.2

16.8

18.9

18.3

14.9

18.7

15.4

20.4

17.3

22.0

17.3

120-

159

30.1

19.4

15.3

10.5

15.7

19.2

16.7

14.6

12.2

13.1

16.5

24.4

14.6

160-

199

6.13.9

4.92.6

6.54.5

4.53.1

4.12.9

3.52.4

2.520

0-23

95.9

9.24.9

2.05.8

4.99.6

4.66.5

5.85.6

4.94.8

240

or M

ore

6.710

.214

.75.4

22.6

13.4

27.6

12.2

9.718

.39.5

12.2

14.4

Tota

l10

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.0

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.



Tabl

e 6-7

-2-A

Hou

rs o

f For

mal

Tra

inin

g D

urin

g L

ast 3

6 M

onth

s or W

hile

in IA

A if

Les

s Tha

n 3 Y

ears

CA

E R

espo

nden

ts in

Per

cent

ages

by

Gro

ups*

N

umbe

r of

Hou

rs1

23

45

67

89

1011

12N

/C**

Non

e0.5

0.01.4

1.01.7

0.60.0

1.34.8

2.30.0

0.02.1

1-39

6.512

.28.2

40.4

7.916

.76.9

15.2

19.0

11.6

15.6

0.017

.540

-79

21.3

25.6

23.8

21.2

14.1

31.4

15.3

30.7

26.2

23.3

28.6

14.3

19.6

80-1

1913

.912

.213

.618

.323

.716

.713

.020

.516

.718

.613

.057

.119

.612

0-15

934

.719

.521

.19.6

17.5

18.6

18.3

14.9

9.514

.020

.80.0

21.7

160-

199

7.24.9

5.41.9

7.33.8

2.31.7

2.42.3

2.60.0

2.820

0-23

96.8

11.0

8.21.9

7.93.2

9.24.0

4.89.3

10.4

14.3

5.624

0 or

Mor

e9.1

14.6

18.3

5.719

.99.0

35.0

11.7

16.6

18.6

9.014

.311

.1To

tal

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.



Tabl

e 6-7

-3-A

Hou

rs o

f For

mal

Tra

inin

g D

urin

g L

ast 3

6 M

onth

s or W

hile

in IA

A if

Les

s Tha

n 3 Y

ears

Aud

it M

anag

er R

espo

nden

ts in

Per

cent

ages

by

Gro

ups*

Num

ber

of H

ours

12

34

56

78

910

1112

N/C

**

Non

e0.7

0.02.5

0.01.0

2.01.5

1.80.0

0.01.4

0.02.0

1-39

7.49.8

14.5

28.9

6.06.9

3.617

.313

.00.0

23.0

15.4

22.3

40-7

920

.221

.626

.033

.323

.019

.616

.825

.326

.127

.324

.30.0

18.9

80-1

1915

.027

.512

.513

.320

.027

.515

.317

.817

.422

.716

.215

.420

.312

0-15

935

.821

.617

.520

.019

.022

.518

.211

.613

.018

.217

.653

.812

.216

0-19

97.6

3.94.5

0.09.0

2.95.8

4.98.7

0.04.1

0.03.4

200-

239

5.99.8

5.50.0

6.06.9

8.86.7

17.4

9.15.4

7.75.4

240

or M

ore

7.45.8

17.0

4.516

.011

.829

.914

.74.3

22.7

8.17.7

15.5

Tota

l10

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.0

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.



Tabl

e 6-7

-4-A

Hou

rs o

f For

mal

Tra

inin

g D

urin

g L

ast 3

6 M

onth

s or W

hile

in IA

A if

Les

s Tha

n 3 Y

ears

Aud

it Se

nior

/Sup

ervi

sor R

espo

nden

ts in

Per

cent

ages

by

Gro

ups*

Num

ber

of H

ours

12

34

56

78

910

1112

N/C

**

Non

e0.8

0.01.6

0.00.0

0.02.3

2.06.5

0.02.4

0.01.8

1-39

9.215

.217

.428

.811

.97.8

10.5

16.8

29.0

14.3

19.0

22.2

21.6

40-7

925

.415

.233

.727

.420

.331

.416

.322

.829

.025

.021

.444

.419

.980

-119

18.9

30.4

17.9

21.9

16.1

15.7

17.4

17.8

19.4

21.4

26.2

11.1

17.5

120-

159

28.3

17.4

10.3

8.216

.115

.715

.720

.86.5

7.114

.311

.112

.316

0-19

95.6

4.34.9

6.85.6

7.85.8

3.00.0

3.62.4

0.03.5

200-

239

6.26.6

3.32.7

3.53.9

11.1

4.66.5

7.12.4

0.04.7

240

or M

ore

5.610

.910

.94.2

26.5

17.7

20.9

12.2

3.121

.511

.911

.218

.7To

tal

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.



Tabl

e 6-7

-5-A

Hou

rs o

f For

mal

Tra

inin

g D

urin

g L

ast 3

6 M

onth

s or W

hile

in IA

A if

Les

s Tha

n 3 Y

ears

Aud

it St

aff i

n Pe

rcen

tage

s by

Gro

ups*

Num

ber

of H

ours

12

34

56

78

910

1112

N/C

**

Non

e1.3

6.33.3

2.25.0

0.00.0

0.50.0

3.24.2

0.04.6

1-39

16.3

12.5

15.8

40.2

14.9

20.0

10.0

17.1

38.1

12.9

29.2

0.023

.540

-79

27.0

31.3

30.0

27.2

16.8

11.7

20.0

32.1

14.3

25.8

16.7

28.6

21.8

80-1

1920

.825

.017

.510

.911

.913

.312

.519

.29.5

19.4

25.0

28.6

15.5

120-

159

22.1

18.8

12.5

9.811

.920

.020

.013

.014

.319

.48.3

14.3

13.0

160-

199

3.40.0

4.21.1

5.03.3

2.53.6

9.56.5

4.20.0

0.820

0-23

94.7

6.14.2

2.26.9

8.35.0

4.10.0

0.00.0

0.05.0

240

or M

ore

4.40.0

12.5

6.427

.623

.430

.010

.414

.312

.812

.428

.515

.8To

tal

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

100.0

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.



Tabl

e 6-7

-6-A

Hou

rs o

f For

mal

Tra

inin

g D

urin

g L

ast 3

6 M

onth

s or W

hile

in IA

A if

Les

s Tha

n 3 Y

ears

Oth

er R

espo

nden

ts in

Per

cent

ages

by

Gro

ups*

Num

ber

of H

ours

12

34

56

78

910

1112

N/C

**

Non

e5.5

9.115

.42.8

2.30.0

6.910

.00.0

0.014

.320

.015

.91-

3914

.127

.315

.427

.813

.629

.620

.724

.016

.753

.821

.420

.024

.640

-79

25.9

0.017

.927

.825

.022

.220

.730

.033

.37.7

35.7

20.0

18.8

80-1

1915

.727

.312

.822

.220

.514

.810

.312

.00.0

23.1

7.10.0

13.0

120-

159

22.7

18.2

15.4

8.39.1

18.5

3.48.0

50.0

0.07.1

20.0

17.4

160-

199

5.90.0

7.72.8

4.53.7

3.42.0

0.00.0

7.120

.02.9

200-

239

3.19.1

0.02.8

2.33.7

13.8

2.00.0

0.00.0

0.01.5

240

or M

ore

7.19.0

15.4

5.522

.77.5

20.8

12.0

0.015

.47.3

0.05.9

Tota

l10

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.010

0.0

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.



_______________________________________________ Chapter 7: Internal Audit Skills 279


CHAPTER 7INTERNAL AUDIT SKILLS

Introduction

Recognizing the evolutionary nature of the profession, this chapter summarizes the skills internalauditors are expected to possess today while they perform as internal auditors in their IAA or forclient organizations. All respondents were provided with a list of technical and behavioral skillsdeveloped from the International Standards for the Professional Practice of Internal Auditing(Standards), Practice Advisories, internal auditing literature, past CBOK studies, and the CBOK2006 pilot study. Respondents were unable to amend or change the list of skills provided in theCBOK 2006 survey. As a guide when answering the survey questions, respondents were given thefollowing definition of technical skills: “using terminology or subject matter in a particular field.”Behavioral skills were defined in the survey as “actions toward others measured by commonlyaccepted standards and management of one’s own actions.”


• Not all of those that participated in the survey answered all of the questions asked. Resultsare shown and discussed only for those respondents who answered a particular surveyquestion.




Some participants’ responses are presented according to the respondents’ position in the IAA.These more detailed summaries of results may be provided for the four categories of respondents:CAEs, Audit Managers, Audit Seniors/Supervisors, and Audit Staff.

When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.For a list of groups, please refer to the inside back cover of the report. Some tables have additional



details. For example, Table 7-4 is the total of all respondents for that question with a related Table7-4-1 showing the responses by group. A table can have more than one related table, where thesecond related table would be 7-4-2. Additional related tables may be located in Appendix 7 at theend of this chapter. A table that is in the Appendix can be clearly identified by an “A” at the end ofits number. For example, Table 7-1-1-A is located in Appendix 7.

The possession and use of certain behavioral and technical skills are necessary elements forinternal audit practitioners to achieve a high level of quality performance in their internal auditingwork. The Standards and Practice Advisories each indicate specific skills that are appropriate forinternal auditors to possess. Standard 1220, Due Professional Care, requires internal auditors to“apply the care and skill expected of a reasonably prudent and competent internal auditor.” Standard1210, Proficiency, states, “Internal auditors should possess the knowledge, skills, and othercompetencies needed to perform their individual responsibilities.” The standard continues, “Theinternal audit activity collectively should possess or obtain the knowledge, skills, and othercompetencies needed to perform its responsibilities.”

The possession and application of technical skills enable internal auditors to achieve a high level ofperformance in their activities. The selection of technical skills in the survey is supported by theStandards and Practice Advisories which emphasize certain technical skills:

• Attribute Standard 1210.A2 – “The internal auditor should have sufficient knowledge toidentify the indicators of fraud...”

• Attribute Standard 1210.A3 – “Internal auditors should have knowledge of key informationtechnology risks and controls...”

• Performance Standard 2120.A1 – “...the internal audit activity should evaluate the adequacyand effectiveness of controls...”

• Performance Standard 2210.A1 – “Internal auditors should conduct a preliminary assessmentof the risks relevant to the activity under review…”

• Performance Standard 2320 – “Internal auditors should base conclusions and engagementresults on appropriate analyses and evaluations.”

The objectives for this survey question were to understand the current skill framework of technicaland behavioral skills necessary for internal auditors to successfully perform their jobs in theirposition within the internal audit activity (IAA). Figure 7-1 lists the technical and behavioral skillsincluded in CBOK 2006.



Figure 7-1Technical and Behavioral Skills

Data collection and analysisFinancial analysisForensic skills/fraud awarenessIdentifying types of controlsInterviewingISO/quality knowledgeNegotiatingResearch skillsRisk analysisStatistical samplingTotal quality managementUnderstanding businessUse of information technologyConfidentialityFacilitatingGovernance and ethics sensitivityInterpersonal skillsLeadershipObjectivityRelationship buildingStaff managementTeam buildingTeam playerWorking independentlyWork well with all levels of management

Technical Skills

CAE Respondents

Chief audit executives (CAEs) were asked to identify the five most important technical andbehavioral skills they need to possess in order to be successful as the leader of their IAA. Theywere also asked to identify the five most important technical and behavioral skills that the Audit

TechnicalSkills

BehavioralSkills



Managers, Audit Seniors/Supervisors, and Audit Staff each need to perform their jobs. The resultscan be used to identify similarities among the CAEs’ responses.

Table 7-1 shows the CAEs’ selection of the five most important technical skills by staff level fromthe 13 listed in the questionnaire. Understanding the business and risk analysis are skills that onaverage get the highest scores. There is no individual technical skill that is highly rated by CAErespondents for all staff levels in the IAA. The higher the percentages in Table 7-1 for eachtechnical skill the more CAEs agreed on the importance of that skill.

Table 7-1Most Important Technical Skills by Staff Level


Technical Skills CAE Audit Audit AuditManager Senior/ Staff

Supervisor

Data collection and analysis 15.2 14.7 33.9 77.6Financial analysis 35.9 35.4 36.4 35.1Forensic skills/fraud awareness 43.2 38.7 31.7 20.9Identifying types of controls 30.8 33.6 45.2 52.1(e.g., preventative, detective)Interviewing 37.7 37.8 44.1 58.3ISO/quality knowledge 18.9 16.0 10.7 7.6Negotiating 68.7 49.5 23.5 7.3Research skills 20.8 19.6 29.9 41.5Risk analysis 74.9 59.0 41.3 27.5Statistical sampling 6.5 8.8 20.7 29.5Total quality management 33.4 21.0 10.6 3.7Understanding the business 78.3 58.6 43.9 45.5Use of information technology 28.3 30.4 37.3 51.4

Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.



CAE

At the CAE position, high-level technical skills are vital for the IAA to be successful. For their owncategory, the technical skills most commonly chosen as important are:

• Understanding the business (78.3%).• Risk analysis (74.9%).• Negotiating (68.7%).• Forensic skills/fraud awareness (43.2%).• Interviewing (37.7%).

From the list provided, the CAEs indicate that understanding the business (78.3%), risk analysis(74.9%), and negotiating (68.7%) are especially important technical skills they need to performtheir role in the IAA. These results are in accordance with Performance Standard 2010, Planning,and its related Practice Advisories that require the CAE to establish a risk-based audit plan todetermine the priorities of the internal audit activity. As this is a high-level technical skill, it isappropriate that it is not vital at lower staff levels. Forensic skills/fraud awareness skills were alsocommonly chosen as important (43.2%). This seems appropriate as Standard 2210A.2 requiresthe internal auditor to consider for all assurance engagements “the probability of significant errors,irregularities, noncompliance, and other exposures when developing the engagement objectives.”

Audit Manager

For the Audit Manager category, the technical skills most commonly chosen as important by CAEsare:

• Risk analysis (59%).• Understanding the business (58.6%).• Negotiating (49.5%).• Forensic skills/fraud awareness (38.7%).• Interviewing (37.8%).

For Audit Managers, risk analysis (59%) and understanding the business (58.6%) are critical forsuccessful performance of duties. CAEs also identified negotiating (49.5%) as an important technicalskill for Audit Managers, although there is a more than 19% decrease in the importance of this skillfrom the CAE level. The most commonly chosen technical skills are the same at both the CAE andthe Audit Manager level.




For the Audit Senior/Supervisor category, the technical skills that were most commonly chosen byCAEs as important are:

• Identifying types of controls (45.2%).• Interviewing (44.1%).• Understanding the business (43.9%).• Risk analysis (41.3%).• Use of information technology (37.3%).

Some technical skills become less important at the Audit Senior/Supervisor level than the AuditManager level. One example shown in Table 7-1 is forensic skill/fraud awareness, which decreasesfrom 38.7% at the Audit Manager level to 31.7% at the Audit Senior/Supervisor level. Anotherdecrease is found in risk analysis, which decreases from 59.0% at the Audit Manager level to41.3% at the Audit Senior/Supervisor level. Understanding the business follows the same pattern,decreasing from 58.6% at the Audit Manager level to 43.9% at the Audit Senior/Supervisor level.

There are also some technical skills that are newly identified as important by CAEs when theyconsidered the Audit Senior/Supervisor level. Identifying types of controls (45.2%) and the use ofinformation technology (37.3%) were chosen by CAEs as important to the Audit Senior/Supervisorlevel.

Audit Staff

For the Audit Staff category, the technical skills that were most commonly chosen by CAEs asimportant are:

• Data collection and analysis (77.6%).• Interviewing (58.3%).• Identifying types of controls (52.1%).• Use of information technology (51.4%).• Understanding the business (45.5%).



CAE respondents indicate that the technical skills needed by each staff level change as theyprogress to higher staff levels. For example, while 77.6% of the CAEs selected data collection andanalysis as an important technical skill for the Audit Staff, only 14.7% indicate that it is importantfor Audit Managers, and 15.2% selected it as important for CAEs. For negotiating, 68.7 % feelthat it is important for CAEs and only 7.3% note that it is considered an important technical skill forthe Audit Staff.

Identifying types of controls was identified by CAEs as slightly increasing in importance from45.2% at the Audit Senior/Supervisor level to 52.1% at the Audit Staff level. Interviewing alsoshows an increase from 44.1% at the Audit Senior/Supervisor level to 58.3% at the Audit Stafflevel. The use of information technology shows a relatively large increase from 37.3% at the AuditSenior/Supervisor level to 51.4% at the Audit Staff level.

In Appendix 7, Tables 7–1-1-A (CAEs), 7-1-2-A (Audit Managers), 7-1-3-A (Audit Seniors/Supervisors), and 7-1-4-A (Audit Staff) show CAE responses for technical skills broken out forthe 13 groups. Overall the tabulation by CAE by groups agrees with the top five technical skills foreach staff level. These results clearly indicate that the CAE respondents believe that the technicalskills appropriate for success in the IAA differ at various staff levels in the IAA.

Practitioner Respondents

While CAEs ranked the five most important technical skills for all staff levels including themselves,the Practitioners were asked to indicate the importance of all thirteen technical skills to performtheir work at their current staff position. The practitioner respondents indicated importance of thetechnical skill to them on a scale of 1 (minimally important) to 5 (very important). Table 7-2 dividesthe mean responses into the three staff levels: Audit Manager, Audit Senior /Supervisor, and AuditStaff. The results for technical skills show little variation by staff levels. The skills that consistentlyget the highest mean scores from the Practitioner respondents are data collection and analysis,identifying types of controls, interviewing, research skills, risk analysis, and understanding thebusiness. The higher the mean in Table 7-2 for each technical skill the more Practitioners agreedon the importance of that skill.



Table 7-2Importance to Respondent of Technical Skills to Perform Work

Practitioner Respondents by Means*

Technical Skills Audit Audit AuditManager Senior/ Staff

Supervisor

Data collection and analysis 4.1 4.3 4.4Financial analysis 3.8 3.9 3.7Forensic skills/fraud awareness 3.6 3.6 3.6Identifying types of controls 4.3 4.2 4.1(e.g., preventative, detective)Interviewing 4.3 4.3 4.3ISO/quality knowledge 2.9 2.9 3.0Negotiating 3.7 3.6 3.5Research skills 3.9 4.0 4.0Risk analysis 4.4 4.3 4.2Statistical sampling 3.2 3.3 3.5Total quality management 2.9 2.9 3.0Understanding the business 4.5 4.4 4.3Use of information technology 4.1 4.1 4.1

*The mean is the average response to: 1 = minimally important to 5 = very important.Note: Not all respondents answered for all the skills. Total number of respondents was between 4,686 and 4,756.

The skills related to quality (ISO/quality knowledge and TQM) received the lowest ranking of allthe skills for all three professional levels in the IAA.



In Table 7-2-1, the main differences that emerge by comparing group data are those skills that aregenerally not considered as important by Practitioners: statistical sampling, total quality management,and negotiating. Group 9 considers statistical sampling to be very important (mean of 3.9) whilegroup 10 has a much lower mean (2.8). Group 12 differs from the others for TQM with a mean of3.4 which is very different than group 10’s mean of 2.4. Negotiating gets its highest score in groups2, 3, and 7 (4.0) while group 10 gives this skill a much lower value (2.9).

Table 7-2-1Importance to Respondent of Technical Skills to Perform Work by Groups*

Practitioner Respondents in Means**

Technical Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C***

Data collection and 4.2 4.0 4.2 4.4 4.5 4.0 4.6 4.2 4.4 4.2 4.3 4.5 4.3analysisFinancial analysis 3.8 3.5 3.8 4.0 3.9 3.4 4.1 3.5 4.2 3.4 4.3 4.1 3.9Forensic skills/fraud 3.6 3.4 3.5 3.9 3.7 3.3 3.8 3.3 4.0 3.3 3.5 3.8 3.7awarenessIdentifying types of 4.3 4.4 4.4 4.1 4.1 3.8 4.41 3.8 4.4 4.2 4.2 4.5 4.1controls (e.g.,preventative, detective)Interviewing 4.4 4.3 4.4 3.9 4.4 4.4 4.3 4.2 4.1 4.4 4.3 4.2 4.1ISO/quality knowledge 2.8 2.8 3.1 3.4 3.0 2.6 3.4 2.8 3.0 2.6 3.1 3.3 3.3Negotiating 3.5 4.0 4.0 3.7 3.9 3.5 4.0 3.4 3.9 2.9 3.8 3.6 3.7Research skills 4.0 3.9 3.9 3.7 4.1 3.7 4.1 3.7 4.3 3.1 3.8 3.8 3.9Risk analysis 4.2 4.4 4.4 4.2 4.4 4.3 4.5 4.4 4.3 4.5 4.3 4.2 4.2Statistical sampling 3.2 3.0 3.2 3.5 3.5 2.9 3.7 3.3 3.9 2.8 3.5 3.8 3.5Total quality 2.9 2.7 3.1 3.2 3.1 2.6 3.3 2.7 3.3 2.4 3.2 3.4 3.1managementUnderstanding 4.7 4.5 4.6 4.3 4.3 4.5 4.5 4.2 4.5 4.6 4.5 4.5 4.4businessUse of information 4.1 3.9 4.3 4.0 4.1 3.9 4.4 4.0 4.2 4.2 4.1 4.0 4.2technology

*For a list of groups, please see the inside back cover.**The mean is the average response to: 1 = minimally important to 5 = very important.***N/C = Respondents did not indicate affiliate or chapter membership.



To add to the understanding of the importance placed by the Practitioners on the different technicalskills by staff level, the data from Table 7-2 is displayed in rank order by staff level in Table 7-3. InTable 7-3, the technical skills are ranked from 1 (most important) through 13 (least important).There is a high level of consistency in the ranking of technical skills among the three staff levels(Audit Manager, Audit Senior/Supervisor, and Audit Staff). The relative decreasing importance ofcertain skills as one achieves higher staff levels in the IAA is only indicated for data collection andanalysis. There is only slightly more importance of risk analysis and identifying types of controls asone achieves higher staff levels in the IAA.

Table 7-3Rankings of Technical Skills by Staff Level

Practitioner Respondents by Rank

Technical Skills Audit Audit Senior/ AuditManager Supervisor Staff

Data collection and analysis 5/6 2/3/4 1Financial analysis 8 8 8Forensic skills/fraud awareness 10 9/10 9Identifying types of controls 3/4 5 5/6(e.g., preventative, detective)Interviewing 3/4 2/3/4 2/3ISO/quality knowledge 12/13 12/13 12/13Negotiating 9 9/10 10/11Research skills 7 7 7Risk analysis 2 2/3/4 4Statistical sampling 11 11 10/11Total quality management 12/13 12/13 12/13Understanding the business 1 1 2/3Use of information technology 5/6 6 5/6

Note: In some cases the rankings are tied. For example, rankings of Data Collection andAnalysis and Use of Information Technology at the Audit Manager level are tied.



Behavioral Skills

CAE Respondents

For an IAA to be successful, internal auditors must possess the appropriate level of skills that arefundamental for performance of their work (Standard 1210, Proficiency). From the twelve behavioralskills that were listed in the survey question, CAEs were asked to indicate the five most importantfor various professional staff levels in the IAA. The results can be used to identify similaritiesamong the CAEs’ responses.

Table 7-4 provides an overall view of the skills that CAEs chose as important for those performinginternal auditing activities at the CAE, Audit Manager, Audit Senior/Supervisor, and Audit Stafflevels in the IAA. Their responses are presented in percentages by frequency of response forthose that answered the question. The higher the percentages in Table 7-4 for each behavioral skillthe more CAEs agreed on the importance of that skill. CAEs selected confidentiality first orsecond for all staff levels with a low of 53.2% for Audit Managers to a high of 73.4% for the AuditStaff. CAEs also selected objectivity (45.7% to 73.7%) and interpersonal skills (44% to 67.4%) ashighly needed behavioral skills for all staff levels.



Table 7-4Most Important Behavioral Skills by Staff Level


Behavioral Skills CAE Audit Audit AuditManager Senior/ Staff

Supervisor

Confidentiality 68.7 53.2 56.2 73.4Facilitating 34.3 33.3 28.6 13.4Governance and ethics sensitivity 54.8 32.0 23.5 24.1Interpersonal skills 49.0 44.0 49.9 67.4Leadership 75.1 48.8 21.8 3.4Objectivity 58.2 45.7 54.3 73.7Relationship building 44.7 30.9 24.7 29.0Staff management 34.8 44.0 30.1 2.2Team building 32.9 39.4 30.8 7.8Team player 15.2 18.4 34.9 65.2Work well with all levels of management 58.3 42.6 35.2 40.3Working independently 18.9 16.9 26.4 55.6

Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.

The importance of objectivity and confidentiality is supported by many references in the ProfessionalPractices Framework. Objectivity and confidentiality are two of the four principles in The IIA’sCode of Ethics. The IIA’s Code of Ethics states for objectivity, “Internal auditors exhibit the highestlevel of professional objectivity in gathering, evaluating, and communicating information about theactivity or process being examined.” For confidentiality, The IIA’s Code of Ethics states, “Internalauditors respect the value and ownership of information they receive and do not disclose informationwithout appropriate authority unless there is a legal or professional obligation to do so.” Accordingto the Code, internal auditors must be prudent in their use and protection of information acquired.Information cannot be used for personal gain or in a way that would be against the law or hurt theorganization.



The following discusses the CAE’s rankings by staff level based on Table 7-4.

CAE

The behavioral skills CAEs commonly chose as important at their level are:

• Leadership (75.1%).• Confidentiality (68.7%).• Work well with all levels of management (58.3%).• Objectivity (58.2%).• Governance and ethics sensitivity (54.8%).

For CAEs, the importance of relationships and leadership skills instead of skills emphasizing theirown individual success is supported in Standards 2440, Disseminating Results, 2500, MonitoringProgress, and 2600, Resolution of Management’s Acceptance of Risks. Each requires the CAE tocommunicate with management and monitor progress. Practice Advisory 2340-1 states that theCAE, “Is responsible for assuring that appropriate engagement supervision is provided.” CAEs didnot commonly choose as important behavioral skills such as team player (15.2%) and workingindependently (18.9%).

Audit Manager

The most important behavioral skills that CAEs commonly believe Audit Managers should possessat their level are:

• Confidentiality (53.2%).• Leadership (48.8%).• Objectivity (45.7%).• Interpersonal skills (44.0%).• Staff management (44.0%).• Works well with all levels of management (42.6%).

The importance of staff management skills at higher levels in the IAA is consistent with Standard2340, which states that “engagements should be properly supervised to ensure objectives areachieved...” Based on Standard 2030, Resource Management, if they are managing the engagementproperly, they are ensuring that the staff is effectively deployed to achieve the approved plan.Progression in hierarchical position in the IAA from Audit Staff to Audit Manager results in arelative decrease in importance of the percentage ranking for confidentiality, objectivity, interpersonalskills, and team player as shown by the percentages attributed to each.




For the Audit Senior/Supervisor level, the behavioral skills chosen by CAEs as important include:

• Confidentiality (56.2%).• Objectivity (54.3%).• Interpersonal skills (49.9%).• Work well with all levels of management (35.2%).• Team player (34.9%).

Comparing four of the behavioral skills CAEs chose as important for the Audit Manager and AuditSenior/Supervisor levels, confidentiality is important at all levels. This holds true when comparingthe Audit Manager (53.2%) and the Audit Senior/Supervisor (56.2%) levels. Objectivity is alsorelatively close in importance at both levels (45.7% and 54.3%). Interpersonal skills show closealignment for the Audit Manager (44.0%) and Audit Senior/Supervisor (49.9%) levels. Work wellwith all levels of management is also commonly chosen as important by CAEs for both of theselevels (42.6% ad 35.2%).

Audit Staff

A comparison of the CAEs’ responses regarding the important behavioral skills related to the fourstaff levels reveals some noticeable differences. For the Audit Staff, the most commonly chosenbehavioral skills CAEs believe they should possess are:

• Objectivity (73.7%).• Confidentiality (73.4%).• Interpersonal skills (67.4%).• Team player (65.2%).• Working independently (55.6%).

Skills indicated by CAEs as not critical for Audit Staff members to possess at this point in theirinternal auditing career are staff management (2.2%), leadership (3.4%), and team building (7.8%).

In Table 7-4, when comparing results for Audit Seniors/Supervisors and Audit Staff to those ofAudit Managers, CAE respondents’ choices show a trend of increasing importance for:



• Leadership (3.4% to 48.8%).• Staff management (2.2% to 44.0%).• Team building (7.8% to 39.4%).• Facilitating (13.4% to 33.3%).

CAE Respondents by Staff Level for Groups

Tables 7-4-1 (CAEs), 7-4-2 (Audit Managers), 7-4-3 (Audit Seniors/Supervisors), and 7-4-4 (AuditStaff) show the selections by CAEs by groups of the most commonly chosen behavioral skills.

Table 7-4-1 shows the behavioral skills CAEs by group chose as important for the performance oftheir job. Variability of results relate predominantly to facilitating, works well with all levels ofmanagement, governance and ethics sensitivity, and staff management.

Table 7-4-1Most Important Behavioral Skills

for CAEs by Groups*CAE Respondents in Percentages

Behavioral Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

Confidentiality 65.2 66.7 67.9 74.4 72.7 71.5 81.6 75.9 62.5 50.0 72.5 62.5 61.1Facilitating 32.2 34.6 32.1 33.7 52.1 38.7 28.9 37.2 30.0 14.3 24.6 50.0 33.6Governance and ethics 48.0 59.3 53.7 73.3 50.3 54.7 69.3 63.5 65.0 40.5 68.1 75.0 52.7sensitivityInterpersonal skills 52.6 59.3 53.0 54.7 50.9 40.9 46.5 39.8 35.0 45.2 59.4 37.5 40.5Leadership 78.4 75.3 88.1 64.0 66.7 72.3 78.9 75.6 80.0 57.1 78.3 75.0 60.3Objectivity 52.0 56.8 53.7 65.1 70.3 59.1 64.9 64.7 65.0 54.8 65.2 75.0 57.3Relationship building 45.8 60.5 63.4 36.0 40.0 38.7 44.7 42.5 32.5 38.1 46.4 37.5 37.4Staff management 26.1 29.6 36.6 30.2 58.8 43.8 33.3 51.5 27.5 28.6 33.3 12.5 28.2Team building 28.4 33.3 32.8 45.3 41.2 24.8 33.3 44.4 37.5 19.0 29.0 37.5 31.3Team player 8.2 13.6 13.4 20.9 27.9 10.2 37.7 22.2 7.5 9.5 17.4 12.5 17.6Working independently 10.9 19.8 12.7 36.0 29.1 19.7 25.4 25.6 25.0 19.0 21.7 25.0 26.7Work well with all levels 64.0 65.4 59.7 47.7 69.1 56.9 48.2 41.0 55.0 76.2 65.2 50.0 47.3of management

*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.



In Table 7-4-2 for Audit Managers, CAEs in group 4 indicate that governance and ethics sensitivity(60.5%) and leadership (69.8%) are commonly important for Audit Managers. Governance andethics sensitivity is one of the most important behavior skills for only 21.6% of the CAE respondentsbelonging to group 1. Leadership is considered an important skill by CAEs for Audit Managers foronly 33.3% of respondents in group 10. A major difference between CAE respondents by group isfor facilitating, which is identified as much less important in group 10. Staff management skills arecommonly chosen as important by CAEs in group 3 (59.7%) but not by CAEs in group 10 (23.8%).


for Audit Manager by Groups*CAE Respondents in Percentages


Confidentiality 50.8 54.3 56.7 61.6 49.7 54.7 63.2 57.1 47.5 33.3 62.3 75.0 45.8Facilitating 29.3 30.9 38.1 46.5 42.4 30.7 34.2 35.7 45.0 9.5 36.2 50.0 32.8Governance and ethics 21.6 28.4 31.3 60.5 29.1 34.3 45.6 43.6 50.0 31.0 40.6 62.5 35.1sensitivityInterpersonal skills 47.9 55.6 61.9 39.5 42.4 31.4 32.5 33.8 35.0 42.9 58.0 62.5 38.2Leadership 49.9 37.0 46.3 69.8 50.9 35.8 57.9 44.7 50.0 33.3 59.4 50.0 47.3Objectivity 41.4 46.9 49.3 43.0 49.1 43.8 56.1 47.4 52.5 40.5 60.9 87.5 43.5Relationship building 29.7 34.6 42.5 32.6 29.7 27.0 26.3 33.5 20.0 26.2 39.1 37.5 27.5Staff management 42.9 53.1 59.7 45.3 49.1 38.7 33.3 44.4 47.5 23.8 50.7 50.0 38.2Team building 38.3 33.3 43.3 55.8 39.4 41.6 35.1 43.6 27.5 40.5 40.6 25.0 31.3Team player 11.4 16.0 19.4 16.3 27.3 13.1 37.7 27.1 15.0 14.3 24.6 12.5 23.7Working independently 13.6 14.8 13.4 22.1 21.8 16.1 17.5 18.8 10.0 21.4 31.9 25.0 22.1Work well with all 47.5 49.4 56.0 38.4 38.8 31.4 38.6 33.1 27.5 42.9 52.2 25.0 36.6levels of management




Table 7-4-3 highlights the CAEs’ responses for Audit Seniors/Supervisors. With the exception ofCAEs in groups 4, 5, and 12, there is remarkable consistency among CAEs in the groups. The maindifferences are for staff management and leadership. For CAEs in group 4, these two skills areconsidered quite important (53.5% and 46.5%) while group 5 indicates that these skills are notimportant for Audit Seniors/Supervisors (13.9% and 7.9%). The percentages from Table 7-4 forthese two categories are respectively 30.1% and 21.8%. Another large difference relates tofacilitating where group 4 considers this much more important (57%) than group 10 (19%).


for Audit Seniors/Supervisors by Groups*CAE Respondents in Percentages






In Table 7-4-4 (Audit Staff) there are uniformly low indicators of importance for staff management,leadership, team building, and facilitating. Group 6 believes that working independently is importantfor Audit Staff (70.8%) while group 7 considers this skill much less important (35.1%). Being ateam player is vital for CAEs in group 7 (72.8%) and much less important in group 9 (37.5%).Whereas CAEs in group 9 believe that governance and ethics sensitivity is very important (45.0%)for Audit Staff when compared to the average 24.1% in Table 7-4, CAEs in group 12 show thelowest percentage for this skill (12.5%). CAEs’ range of percentages for objectivity is 100% forgroup 12, 82.5% for group 7, and 52.3% for group 4. The percentage from Table 7-4 is 73.7%.Works well with all levels of management ranges from a low of 12.5% in group 12 to a high of52.3% in group 4.


for Audit Staff by Groups*CAE Respondents in Percentages







Practitioners were asked to indicate the importance of each of the twelve behavioral skills toperform their work at their current position in their organization. These respondents were asked touse a scale of importance from 1 (minimally important) to 5 (very important). The data is dividedinto the three staff levels: Audit Manager, Audit Senior/Supervisor, and Audit Staff. The higher themean in Table 7-5 for each behavioral skill the more Practitioners agreed on the importance of thatskill.

Practitioners consider almost all of the behavioral skills to be important with only marginal differencesin the means. The only skill categories with ratings below 4.0 are:

• Staff management (the lowest score of all categories analyzed).• Facilitating (among the lowest scores given a skill by all respondents).• Leadership and team building (a mean lower than 4.0 only for the Audit Staff category).

Table 7-5Importance of Behavioral Skills to Perform Work

Practitioner Respondents by Mean*

Behavioral Skills Audit Audit AuditManager Senior/ Staff

Supervisor

Confidentiality 4.8 4.8 4.7Facilitating 4.1 4.0 3.9Governance and ethics sensitivity 4.4 4.3 4.3Interpersonal skills 4.6 4.5 4.5Leadership 4.3 4.1 3.9Objectivity 4.8 4.8 4.7Relationship building 4.4 4.4 4.3Staff management 4.1 3.8 3.5Team building 4.2 4.0 3.9Team player 4.3 4.2 4.2Work well with all levels of management 4.6 4.6 4.5Working independently 4.2 4.2 4.2

*The mean is the average response to: 1 = minimally important to 5 = very important.Note: Not all respondents answered for all the skills. Total number of respondents is between 4,742 and 4,790.



The practitioner results highlight many similarities with the CAE respondents. Confidentiality andobjectivity are the skills that practitioners consider the most important for all professional levels.This is consistent with Practice Advisory 1120-1, Individual Objectivity, which states, “Objectivityis an independent mental attitude which internal auditors should maintain in performingengagements.” Interpersonal skills and works well with all levels of management are also viewedby respondents as very important to perform audit work.

Table 7-5-1 shows the means of the Practitioner responses by groups. The responses show that alllisted behavorial skills are considered important, regardless of where respondents reside.Confidentiality and objectivity are the highest ranking skills for all groups. Considering the contentsof The IIA’s Code of Ethics and the Standards, the uniformity of this perception among practitionersglobally is very important. Almost universally the lowest rankings by Practitioner groups are forstaff management, facilitating, and leadership. Staff management has a mean of more than 4.0only for groups 12 and 7. For the other groups, the mean varies from 3.4 for group 10 to 4.0 forgroup 3. Regarding leadership, group 12 considers this behavioral skill to be very important (4.6) toperform audit work, while groups 5 and 6 assign leadership a much lower value (3.7).

Table 7-5-1Importance of Behavioral Skills to Perform Work by Groups*

Practitioner Respondents in Means**

Behavioral Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C***

Confidentiality 4.8 4.7 4.8 4.6 4.7 4.8 4.9 4.7 4.7 4.7 4.7 4.9 4.7Facilitating 4.1 4.1 3.9 3.8 4.1 3.8 4.3 3.9 4.1 3.5 4.0 4.0 4.0Governance and ethics 4.3 4.4 4.4 4.2 4.2 4.1 4.6 4.2 4.2 4.3 4.1 4.4 4.3sensitivityInterpersonal skills 4.6 4.7 4.6 4.5 4.5 4.3 4.5 4.3 4.3 4.3 4.5 4.7 4.4Leadership 4.3 4.3 4.2 4.0 3.7 3.7 4.4 3.8 4.1 3.8 4.2 4.6 4.0Objectivity 4.7 4.8 4.8 4.7 4.7 4.7 4.8 4.7 4.7 4.8 4.5 4.8 4.7Relationship building 4.5 4.5 4.5 4.2 4.2 4.0 4.2 4.2 4.3 4.1 4.2 4.5 4.2Staff management 3.9 3.7 4.0 3.8 3.7 3.5 4.2 3.8 3.9 3.4 3.9 4.5 3.8Team building 4.1 4.0 4.1 4.1 4.0 3.7 4.3 4.0 4.0 3.7 4.1 4.5 4.0Team player 4.3 4.2 4.2 4.1 4.2 4.0 4.5 4.2 4.1 4.0 4.2 4.4 4.2Work well with all 4.4 4.3 4.3 4.1 4.1 4.3 3.9 3.7 4.4 4.3 4.3 4.4 4.1levels of managementWorking independently 4.7 4.7 4.7 4.3 4.5 4.5 4.6 4.4 4.4 4.6 4.5 4.6 4.4

*For a list of groups, please see the inside back cover.**The mean is the average response to: 1 = minimally important to 5 = very important.***N/C = Respondents did not indicate affiliate or chapter membership.



Summary

For their own position, CAEs indicate understanding the business and risk analysis as importanttechnical skills for them to possess. CAEs indicate noticeable difference in technical skills neededbetween the various staff levels. Technical skills that are considered more important by CAEs forthe Audit Staff but less vital for themselves are data collection and analysis, identifying types ofcontrols, and use of information technology. CAEs considered other technical skills, such asunderstanding the business, risk analysis, and negotiating, to be more important for themselves butnot as important for the Audit Staff or Audit Seniors/Supervisors.

Practitioners uniformly indicate the need for most of the technical skills and behavioral skills attheir own staff level. Practitioners consider most technical and behavioral skills listed to be importantto perform their work at their current position in the IAA. The results show that the CAEs andPractitioners almost uniformly consider confidentiality and objectivity to be important behavioralskills.



APPENDIX 7

Table 7-1-1-AMost Important Technical Skills

for CAEs by Groups*CAE Respondents in Percentages

Technical Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

Data collection and 11.1 13.6 9.0 39.5 27.9 11.7 21.9 14.3 17.5 16.7 11.6 12.5 16.8analysisFinancial analysis 37.7 23.5 38.8 44.2 38.8 35.0 28.1 34.6 40.0 26.2 39.1 12.5 32.8Forensic skills/fraud 45.4 34.6 35.1 68.6 46.7 35.8 43.9 37.6 42.5 33.3 53.6 25.0 38.9awarenessIdentifying types of 26.6 34.6 14.9 53.5 32.1 29.2 28.9 38.3 57.5 35.7 30.4 25.0 32.8controls (e.g.,preventative, detective)Interviewing 35.2 46.9 38.8 39.5 47.9 36.5 24.6 40.2 45.0 47.6 33.3 25.0 37.4ISO/quality knowledge 13.1 14.8 24.6 25.6 29.7 15.3 29.8 21.4 20.0 11.9 34.8 12.5 16.8Negotiating 70.1 77.8 75.4 54.7 69.1 70.8 65.8 77.4 55.0 57.1 65.2 50.0 49.6Research skills 14.5 28.4 28.4 19.8 42.4 19.0 20.2 21.8 22.5 9.5 33.3 50.0 16.0Risk analysis 76.1 80.2 74.6 74.4 69.1 70.8 74.6 82.0 75.0 71.4 78.3 62.5 61.8Statistical sampling 3.2 6.2 3.7 18.6 12.7 3.6 13.2 7.5 15.0 0.0 11.6 0.0 7.6Total quality 30.3 24.7 38.1 34.9 50.3 32.1 43.0 28.2 42.5 19.0 46.4 25.0 29.8managementUnderstanding the 83.9 86.4 88.8 53.5 65.5 72.3 74.6 83.8 57.5 88.1 82.6 75.0 59.5businessUse of information 28.9 27.2 35.1 32.6 36.4 12.4 39.5 17.7 40.0 26.2 37.7 50.0 24.4technology

*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.



Table 7-1-2-AMost Important Technical Skillsfor Audit Managers by Groups*



Data collection and 12.7 18.5 14.9 27.9 18.2 10.9 13.2 14.3 7.5 21.4 20.3 12.5 14.5analysisFinancial analysis 36.0 19.8 35.8 59.3 39.4 27.0 24.6 32.3 40.0 28.6 47.8 25.0 39.7Forensic skills/fraud 41.9 33.3 42.5 47.7 33.9 32.8 41.2 34.6 32.5 33.3 44.9 50.0 30.5awarenessIdentifying types of 29.9 40.7 35.1 48.8 33.9 27.0 36.8 38.7 45.0 23.8 36.2 37.5 32.1controls (e.g.,preventative, detective)Interviewing 35.0 45.7 42.5 47.7 38.8 34.3 23.7 42.5 47.5 35.7 40.6 50.0 39.7ISO/quality knowledge 9.3 12.3 16.4 32.6 26.1 16.1 27.2 17.7 15.0 4.8 30.4 12.5 19.1Negotiating 48.1 54.3 59.0 60.5 50.9 46.7 49.1 50.8 45.0 28.6 60.9 62.5 38.2Research skills 15.8 21.0 22.4 18.6 30.3 17.5 28.1 21.1 10.0 14.3 31.9 25.0 17.6Risk analysis 59.2 60.5 72.4 64.0 49.7 51.1 64.9 60.9 65.0 47.6 69.6 37.5 48.9Statistical sampling 6.2 6.2 8.2 9.3 7.9 10.9 14.9 12.0 15.0 4.8 18.8 0.0 9.2Total quality 16.5 13.6 17.9 48.8 34.5 16.1 24.6 18.8 37.5 16.7 31.9 37.5 18.3managementUnderstanding 61.7 65.4 76.9 46.5 50.9 51.1 52.6 60.2 45.0 64.3 63.8 50.0 44.3businessUse of information 33.2 28.4 31.3 25.6 37.0 14.6 32.5 22.6 40.0 23.8 47.8 37.5 28.2technology




Table 7-1-3-AMost Important Technical Skills for

Audit Seniors/Supervisors by Groups*CAE Respondents in Percentages






Table 7-1-4-AMost Important Technical Skills for

Audit Staff by Groups*CAE Respondents in Percentages






______________________________________ Chapter 8: Internal Auditor Competencies 305


CHAPTER 8INTERNAL AUDITOR COMPETENCIES

Introduction

Internal auditors at all levels need to obtain and develop a range of competencies and knowledgethat enable them to perform their work effectively and enable the internal audit activity (IAA) tofunction properly. This chapter summarizes the fundamental competencies and the areas of knowledgeneeded by practicing internal auditors today. Competencies range from generally applicable individualcompetencies, such as time management and presentation competencies, to abilities such as beingable to work through an issue to find the root cause of a problem area. Internal auditors also musthave different competencies to be successful at a given staff position within the IAA. This chapteraddresses the range of internal audit competencies at the CAE, Audit Manager, Audit Senior/Supervisor, and Audit Staff levels and areas of knowledge at all staff levels except CAE.

Certain competencies and knowledge are essential for the success of an individual internal auditor,the audit process, and the overall success of the IAA. Standard 1210, Proficiency, states, “Internalauditors should possess the knowledge, skills, and other competencies needed to perform theirindividual responsibilities,” and Standard 1230, Continuing Professional Development, states, “Internalauditors should enhance their knowledge, skills, and other competencies through continuingprofessional development.” Internal auditors must continually update their competencies andknowledge to remain current. The importance of competencies is also highlighted as one of fourprinciples in The IIA’s Code of Ethics.

Internal auditors at all staff levels need to obtain and develop a range of competencies and abilitiesthat enable them to perform their work effectively. These competencies range from generallyapplicable individual competencies to qualities that are specific to internal auditors. Since PracticeAdvisory 1210-1, Proficiency, requires that “The internal audit staff should collectively possess theknowledge and skills essential to the practice of the profession within the organization,” eachindividual internal auditor need not possess all competencies and abilities in each knowledge area.It is the responsibility of the CAE to insure that the IAA collectively possesses or have access tothe needed competencies and abilities. When assigning staff to an audit, the CAE must considerwhether they are qualified and competent in the areas being audited. This implies that differentcompetencies and knowledge are appropriate for those in different staff levels in the IAA. Anassessment of auditor abilities and competencies within the IAA should be completed annually toensure the staff remains proficient and current, collectively and individually.



This chapter addresses respondents’ perception of the importance of a set of competencies andknowledge areas to their job performance at their staff level in the IAA. Respondents were alsoasked to determine those competencies that change in importance as one goes up the IAA hierarchy.Table 8-1 lists the competencies and knowledge areas developed from The IIA’s Standards,Practice Advisories, internal auditing literature, past CBOK studies, and the CBOK 2006 pilotstudy. As a guide for respondents, competencies were defined in the survey as “competenciesessential to perform certain tasks.” Respondents could not amend or add to the list of competenciesor knowledge areas provided in the survey.

Table 8-1Competencies and Knowledge Areas Included in the Survey

Competencies Knowledge Areas

Ability to promote the internal audit Accountingactivity within the organizationAnalytical (ability to work through Auditingan issue)Change management Business law and government regulationCommunication Business managementConceptual thinking Changes to professional standardsConflict resolution Enterprise risk managementCritical thinking EthicsForeign language skills FinanceKeeping up to date with professional Fraud awarenesschanges in opinions, standards, andregulationsOrganization skills GovernancePresentation skills Human resource managementProblem identification and solution Information technologyProject planning and management Internal auditing standardsReport development Managerial accountingTime management MarketingTraining and developing staff Organization cultureUnderstanding complex information Organizational systemssystemsWriting skills Strategy and business policy

Technical knowledge for your industry




• Not all of those that participated in the survey answered all of the questions asked. Resultsare shown and discussed only for those respondents who answered a particular surveyquestion.




Some participants’ responses are presented according to the respondents’ position in the IAA.These more detailed summaries of results may be provided for the four categories of respondents:CAEs, Audit Managers, Audit Senior/Supervisor, and Audit Staff.

When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.For a list of groups, please refer to the inside back cover of the report. For example, Table 8-2 isthe total of all respondents for that question with a related table 8-2-1 showing the responses bygroup. A table can have more than one related table, where the second related table would beTable 8-2-2. Additional related tables may be located in Appendix 8 at the end of this chapter. Atable that is in the Appendix can be clearly identified by an “A” at the end of its number. Forexample, Table 8-3-1-A is located in Appendix 8.

Competencies

CAE Respondents

Chief audit executives (CAEs) were asked to identify the five most important competencies theyneed to possess in order to be successful as the leader of their IAA. They were also asked toidentify the five most important competencies that Audit Manager, Audit Senior/Supervisor, andAudit Staff each need to perform their jobs. The results can be used to identify similarities amongthe CAEs’ responses.

Successful completion of the IAA annual plan requires that the internal auditor staff possess theproper competencies crucial for the nature and extent of the activities performed at various levels



of responsibility. Practice Advisory 2030-1, Resource Management, suggests that CAEs select“individuals who are qualified and competent regarding the areas being audited and in applyinginternal auditing skills.” From the eighteen competencies that were listed in this question, CAEswere asked to indicate the five most important for various professional staff levels in the IAA.Table 8-2 provides an overall view of the skills that CAEs commonly chose as important for thoseperforming internal auditing activities at the CAE, Audit Manager, Audit Senior/Supervisor, andAudit Staff levels. Their responses are presented in percentages by frequency of response. Highpercentages in Table 8-2 indicate the competencies received strong common support from CAEsregarding the importance of these competencies.

Table 8-2Most Important Competencies by Staff Level

CAE Respondents (2,092 ) in Percentages

CAE Audit Audit AuditManager Senior/ Staff

Supervisor

Ability to promote the internal audit activity within 78.1 28.3 10.9 9.3the organizationAnalytical (ability to work through an issue) 24.9 31.5 47.7 63.9Change management 34.7 20.4 7.6 4.1Communication 60.3 46.7 43.2 51.9Conceptual thinking 38.0 20.7 16.1 17.8Conflict resolution 41.2 35.3 20.2 7.2Critical thinking 31.3 26.3 31.0 43.9Foreign language skills 13.4 10.8 8.1 12.4Keeping up to date with professional changes in 41.3 31.0 22.9 22.5opinions, standards, and regulationsOrganization skills 30.3 27.9 22.0 20.9Presentation skills 37.4 25.5 15.5 13.0Problem identification and solution 21.6 23.8 34.5 47.0Project planning and management 24.7 35.7 24.3 7.1Report development 13.0 23.0 27.3 22.1Time management 15.8 18.7 28.2 40.2Training and developing staff 30.1 38.2 20.9 2.6Understanding complex information systems 12.4 14.9 16.1 16.3Writing skills 23.6 24.2 32.0 51.0

Note: Each CAE respondent was able to select five most important competencies from the provided list for each stafflevel.



CAEs identified communication as highly important for all staff levels. This supports PracticeAdvisory 1210-1, Proficiency, which states, “Internal auditors should be skilled in oral and writtencommunication.” Foreign language skills was the only competency identified as being of lowimportance for all staff levels.

The other 16 competencies show changing relative importance when going up or down the stafflevels of the IAA. This is in keeping with the intent of the Standards, which suggests that skills andcompetencies vary in importance among the staff of the IAA.

Important Competencies Identified by CAEs for Staff Levels

As shown in Table 8-2, there is relative consistency in the identification of the most importantcompetencies for the Audit Staff and the Audit Senior/Supervisor levels. This is not the case forthe Audit Manager and CAE positions which have increasing oversight responsibility.

Keeping current with professional changes is important for all members of the IAA. Standard1230, Continuing Professional Development, states that internal auditors “...enhance their knowledge,skills, and other competencies through continuing professional development.” Despite the criticalnature of the acquisition of knowledge for the success of the IAA as a whole, this competency wasnot commonly indicated by CAE respondents as one of the most important for any of the stafflevels.

CAE

When looking at Table 8-2, the two highest percentages for CAEs are the ability to promote theIAA within the organization (78.1%) and communication (60.3%). This is consistent with Standard2000, Managing the Internal Audit Activity, which states that the CAE “...should effectively managethe internal audit activity to ensure it adds value to the organization.” Standard 2020, Communicationand Approval, states, “The chief audit executive should communicate the internal audit activity’splans…to senior management and to the board for review and approval.” Standard 2060, Reportingto the Board and Senior Management, states, “The chief audit executive should report periodicallyto the board and senior management on the internal audit activity’s purpose, authority, responsibility,and performance relative to its plan. Reporting should also include significant risk exposures andcontrol issues, corporate governance issues, and other matters needed or requested by the boardand senior management.”



The major role the CAE respondents identified for themselves is to communicate and promote theIAA to senior members of management and the board. CAE respondents commonly indicated themost important competencies that they should possess are:

• Ability to promote the IAA within the organization (78.1%).• Communication (60.3%).• Keeping up to date with professional changes in opinions, standards, and regulations (41.3%).• Conflict resolution (41.2%).• Conceptual thinking (38.0%).

While CAEs strongly support their perception of the most important competencies at their level,the majority of the respondents also show that a wide range of other competencies are valued.CAEs should also excel in presentation skills (37.4%) and change management (34.7%). CAEsdid not identify time management (15.8%), foreign language skills (13.4%), report development(13.0%), and understanding complex information systems (12.4%) as important for someone intheir position to possess.

Audit Manager

CAE respondents identified the following competencies as most important for Audit Managers:

• Communication (46.7%)• Training and developing staff (38.2%)• Project planning and management (35.7%)• Conflict resolution (35.3%)• Analytical (31.5%)• Keeping up to date with professional changes in opinions, the Standards, and regulations

(31.0%)

Communication skills are perceived by the CAE respondents as an essential part of the AuditManager’s skills. Competencies that CAEs did not identify as critical for Audit Managers arechange management (20.4%), time management (18.7%), understanding complex informationsystems (14.9%), and foreign language skills (10.8%).



At the Audit Manager level, some skills learned at lower levels are mastered. As indicated in Table8-2, skills for which CAE respondents believe relative importance diminishes from Audit Staff toAudit Manager levels are:

• Analytical (from 63.9% to 31.5%).• Writing skills (from 51.0% to 24.2%).• Problem identification and solution (from 47.0% to 23.8%).• Time management (from 40.2% to 18.7%).

Comparing data related to Audit Managers with those of Audit Staff, skills that show a trend ofincreasing importance are:

• Training and developing staff (2.6% to 38.2%).• Project planning and management (7.1% to 35.7%).• Conflict resolution (7.2% to 35.3%).• Ability to promote the IAA within the organization (9.3% to 28.3%).


For the Audit Senior/Supervisor, CAEs commonly indicated that the most important competencieswere:

• Analytical (47.7%).• Communication (43.2%).• Problem identification and solution (34.5%).• Writing skills (32.0%).• Critical thinking (31.0%).

Even though not commonly identified as one of the most important competencies for Audit Senior/Supervisor, note that CAEs respondents gave higher percentages for report development (27.3%),project planning (24.3%), and training and developing staff (20.9%) for the Audit Senior/Supervisorlevel than for Audit Staff. Competencies that CAEs do not consider critical for Audit Senior/Supervisor are presentation skills (15.5%), ability to promote the IAA (10.9%), foreign languageskills (8.1%), and change management (7.6%).



Audit Staff

In Table 8-2 the competency commonly indicated as the most important by CAEs for the AuditStaff is analytical (ability to work through an issue) (63.9%). This supports Standard 2320, Analysisand Evaluation, which states that internal auditors “base conclusions and engagement results onappropriate analyses and evaluations.” The CAE respondents indicated the following as the mostimportant competencies for the Audit Staff level:

• Analytical (63.9%)• Communication (51.9%)• Writing skills (51.0%)• Problem identification and solution (47.0%)• Critical thinking (43.9%)

Competencies that CAEs indicate are not as critical for Audit Staff members to possess at thispoint in their internal auditing career are conflict resolution (7.2%), project planning and management(7.1%), change management (4.1%), and training and developing staff (2.6%).

CAE Respondents by Staff Level for Groups

Tables 8-2-1 (CAE), 8-2-2 (Audit Manager), 8-2-3 (Audit Senior/Supervisor), and 8-2-4 (AuditStaff) show CAE respondents’ percentages for the five most important competencies for the 13groups.

Table 8-2-1 highlights the competencies CAEs value for their own job performance. Overwhelmingly,CAEs in all groups find it critically important to be able to promote the IAA within the organizationand to have the ability to communicate in general. CAEs indicate variability in importance by groupon their competencies in change management, conceptual thinking, foreign language skills, reportdevelopment, and time management.



Tabl

e 8-2

-1Fi

ve M

ost I

mpo

rtan

t Com

pete

ncie

s for

CA

E b

y G

roup

s*C

AE

Res

pond

ents

in P

erce

ntag

e

Com

pete

ncie

s1

23

45

67

89

1011

12N

/C**

Abi

lity

to p

rom

ote

the

75.1

84.0

88.8

80.2

80.6

80.3

80.7

82.3

80.0

64.3

72.5

75.0

71.0

inte

rnal

aud

it ac

tivity

with

in th

e or

gani

zatio

nA

naly

tical

(abi

lity

to21

.021

.020

.139

.533

.919

.737

.726

.320

.035

.727

.50.

025

.2w

ork

thro

ugh

an is

sue)

Cha

nge m

anag

emen

t28

.137

.053

.733

.726

.734

.353

.544

.440

.04.

853

.637

.528

.2C

omm

unic

atio

n67

.064

.260

.452

.349

.148

.955

.362

.045

.076

.260

.937

.548

.9C

once

ptua

l thi

nkin

g37

.045

.741

.024

.458

.243

.832

.532

.037

.516

.755

.125

.029

.8C

onfli

ct re

solu

tion

37.5

37.0

38.8

40.7

53.3

42.3

39.5

51.1

42.5

14.3

47.8

75.0

36.6

Crit

ical

thin

king

31.1

32.1

26.9

30.2

33.9

24.8

35.1

31.2

37.5

40.5

46.4

12.5

26.0

Fore

ign

lang

uage

skill

s2.

62.

52.

231

.432

.713

.938

.625

.927

.511

.914

.50.

012

.2K

eepi

ng u

p to

dat

e w

ith40

.437

.038

.852

.341

.829

.253

.545

.535

.031

.046

.450

.038

.9pr

ofes

sion

al ch

ange

sin

opi

nion

s, st

anda

rds,

and

regu

latio

nsO

rgan

izat

ion

skill

s20

.922

.226

.938

.450

.933

.634

.246

.627

.531

.031

.925

.026

.0Pr

esen

tatio

n sk

ills

44.3

39.5

39.6

30.2

41.8

19.7

24.6

30.5

40.0

47.6

39.1

37.5

29.0

Prob

lem

iden

tific

atio

n13

.723

.514

.936

.031

.514

.627

.235

.337

.526

.229

.012

.519

.1an

d so

lutio

nPr

ojec

t pla

nnin

g an

d20

.023

.528

.438

.433

.913

.136

.032

.035

.011

.930

.40.

017

.6m

anag

emen

tR

epor

t de

velo

pmen

t8.

17.

47.

524

.421

.22.

226

.320

.722

.54.

820

.325

.015

.3Ti

me m

anag

emen

t10

.412

.39.

031

.433

.910

.218

.422

.622

.52.

420

.30.

016

.8Tr

aini

ng an

d24

.927

.226

.944

.241

.225

.535

.138

.735

.033

.333

.312

.523

.7de

velo

ping

staf

fU

nder

stan

ding

8.4

9.9

9.0

15.1

21.2

5.1

26.3

13.9

20.0

7.1

20.3

12.5

17.6

com

plex

info

rmat

ion

syst

ems

Writ

ing

skill

s27

.024

.725

.418

.627

.913

.123

.719

.520

.019

.027

.50.

018

.3*F

or a

lis

t of

gro

ups,

ple

ase

see

the

insi

de b

ack

cove

r.**

N/C

= R

espo

nden

ts d

id n

ot i

ndic

ate

affi

liate

or

chap

ter

mem

bers

hip.

Not

e: E

ach

CA

E re

spon

dent

was

abl

e to

sel

ect

five

mos

t im

port

ant

com

pete

ncie

s fr

om t

he p

rovi

ded

list

for

each

sta

ff l

evel

.



In Table 8-2-2 for Audit Manager, CAE respondents selected communication, project planning andmanagement, and training and developing staff as the most important skills for this staff level.While there is generally consistency among the CAE respondents within the groups about theimportance of most of the competencies for Audit Manager, there are some outliers that place lessweight on certain competencies. In group 10, CAEs’ percentage for training and staff developmentis only 14.3% while the next lowest value was 25.0% for CAEs in group 12. CAEs in six othergroups have values of 40% or higher for training and staff development. CAEs in ten groups hadpercentages of 30% or more for project planning and management, but CAEs in groups 12 (12.5%)and 6 (21.2%) had far fewer CAEs selecting this competency as being important for Audit Manager.CAEs in group 2 (11.1%) had fewer respondents selecting change management as important thanCAEs in groups 4 (50%) and 12 (62.5%).



Tabl

e 8-2

-2M

ost I

mpo

rtan

t Com

pete

ncie

s for

Aud

it M

anag

er b

y G

roup

s*C

AE

Res

pond

ents

in P

erce

ntag

es

Com

pete

ncie

s1

23

45

67

89

1011

12N

/C**

Abi

lity

to p

rom

ote

the

23.6

32.1

39.6

33.7

23.6

26.3

40.4

31.2

32.5

28.6

29.0

37.5

29.0

inte

rnal

aud

it ac

tivity

with

in t

he o

rgan

izat

ion

Ana

lytic

al (

abili

ty t

o27

.830

.933

.645

.336

.423

.439

.531

.217

.538

.144

.937

.533

.6w

ork

thro

ugh

an is

sue)

Cha

nge

man

agem

ent

14.7

11.1

20.9

50.0

21.8

14.6

29.8

27.1

25.0

14.3

21.7

62.5

22.1

Com

mun

icat

ion

48.5

53.1

56.7

58.1

39.4

37.2

41.2

44.4

32.5

50.0

53.6

50.0

42.7

Con

flict

res

olut

ion

31.6

32.1

35.8

57.0

38.8

28.5

36.8

39.5

42.5

14.3

47.8

37.5

36.6

Crit

ical

thi

nkin

g23

.423

.529

.926

.726

.125

.532

.528

.230

.031

.034

.812

.527

.5C

once

ptua

l th

inki

ng16

.218

.519

.424

.425

.524

.125

.426

.330

.04.

830

.437

.520

.6Fo

reig

n la

ngua

ge sk

ills

1.7

2.5

0.7

29.1

20.0

10.2

24.6

24.1

17.5

9.5

15.9

0.0

16.8

Kee

ping

up

to d

ate

26.1

25.9

35.8

40.7

31.5

25.5

45.6

38.0

32.5

26.2

36.2

25.0

29.8

with

pro

fess

iona

lch

ange

s in

opi

nion

s,st

anda

rds,

and

regu

latio

nsO

rgan

izat

ion

skill

s23

.319

.826

.953

.540

.624

.823

.732

.332

.514

.333

.312

.529

.0Pr

esen

tatio

n sk

ills

23.9

21.0

31.3

30.2

25.5

19.0

26.3

25.2

20.0

23.8

47.8

0.0

28.2

Prob

lem

ide

ntifi

catio

n18

.824

.726

.129

.126

.713

.928

.133

.525

.023

.833

.337

.525

.2an

d so

lutio

nPr

ojec

t pla

nnin

g an

d36

.139

.535

.143

.040

.021

.236

.838

.045

.031

.033

.312

.531

.3m

anag

emen

tR

epor

t de

velo

pmen

t22

.728

.425

.420

.923

.013

.130

.728

.215

.04.

826

.125

.019

.8Ti

me

man

agem

ent

13.7

16.0

11.2

32.6

30.3

10.2

28.1

24.8

22.5

4.8

31.9

0.0

21.4

Trai

ning

and

40.2

48.1

48.5

47.7

30.3

32.1

41.2

31.2

35.0

14.3

52.2

25.0

32.8

deve

lopi

ng s

taff

Und

erst

andi

ng11

.614

.815

.718

.614

.58.

828

.117

.312

.59.

521

.725

.020

.6co

mpl

ex i

nfor

mat

ion

syst

ems

Writ

ing

skill

s29

.125

.926

.117

.419

.412

.424

.620

.715

.023

.830

.40.

022

.1*F

or a

lis

t of

gro

ups,

ple

ase

see

the

insi

de b

ack

cove

r.**

N/C

= R

espo

nden

ts d

id n

ot i

ndic

ate

affi

liate

or

chap

ter

mem

bers

hip.

Not

e: E

ach

CA

E re

spon

dent

was

abl

e to

sel

ect

five

mos

t im

port

ant

com

pete

ncie

s fr

om t

he p

rovi

ded

list

for

each

sta

ff l

evel

.



Table 8-2-3 highlights the CAE respondents’ group results for Audit Senior/Supervisor. There isrelative consistency among the CAEs’ selections of the most important and least importantcompetencies for this staff level. CAEs in group 12 did not support the importance of changemanagement, foreign language skills, presentation skills, or writing skills (00.0%). CAEs in group 4consider project planning and management to be very important (40.7%), but only 9.1% CAEs ingroup 5 selected this competency to be one of the top five competencies. CAEs in group 3 believethat writing skills are important (41.0%), but CAEs in group 4 believe they are less significant forthe Audit Senior/Supervisor (17.4%). CAEs in group 7 believe that keeping up to date withprofessional changes in opinions, standards, and regulations is fundamental (42.1%), but CAEs ingroup 10 believes that this element is not critical for the Audit Senior/Supervisor (14.3%).



Tabl

e 8-2

-3M

ost I

mpo

rtan

t Com

pete

ncie

s for

Aud

it Se

nior

/Sup

ervi

sor b

y G

roup

s*C

AE

Res

pond

ents

in P

erce

ntag

es

Com

pete

ncie

s1

23

45

67

89

1011

12N

/C**

Abi

lity

to p

rom

ote

the

8.1

8.6

16.4

23.3

6.7

5.8

18.4

9.0

22.5

14.3

15.9

25.0

16.0

inte

rnal

aud

it ac

tivity

with

in t

he o

rgan

izat

ion

Ana

lytic

al (

abili

ty t

o46

.251

.956

.757

.043

.051

.851

.844

.047

.554

.849

.375

.039

.7w

ork

thro

ugh

an is

sue)

Cha

nge

man

agem

ent

4.8

4.9

2.2

25.6

10.3

5.8

15.8

9.0

17.5

7.1

10.1

0.0

5.3

Com

mun

icat

ion

44.6

43.2

51.5

53.5

40.6

38.7

37.7

32.0

42.5

42.9

59.4

62.5

45.0

Con

flict

res

olut

ion

17.5

14.8

20.1

32.6

17.0

21.9

28.1

22.9

25.0

14.3

29.0

50.0

16.8

Crit

ical

thi

nkin

g31

.522

.220

.925

.630

.338

.036

.837

.227

.533

.321

.712

.529

.8C

once

ptua

l th

inki

ng12

.811

.110

.425

.613

.921

.219

.322

.227

.57.

121

.712

.518

.3Fo

reig

n la

ngua

ge sk

ills

1.7

1.2

1.5

20.9

12.1

11.7

14.0

20.7

17.5

7.1

10.1

0.0

8.4

Kee

ping

up

to d

ate

14.5

16.0

21.6

36.0

27.9

25.5

42.1

33.8

37.5

14.3

27.5

37.5

19.1

with

pro

fess

iona

lch

ange

s in

opi

nion

s,st

anda

rds,

and

regu

latio

nsO

rgan

izat

ion

skill

s24

.118

.517

.929

.116

.421

.923

.721

.120

.09.

530

.412

.519

.1Pr

esen

tatio

n sk

ills

10.3

13.6

14.2

29.1

15.2

18.2

22.8

20.3

17.5

14.3

30.4

0.0

16.8

Prob

lem

ide

ntifi

catio

n31

.437

.042

.552

.333

.327

.736

.834

.237

.533

.346

.437

.532

.1an

d so

lutio

nPr

ojec

t pla

nnin

g an

d26

.629

.631

.340

.79.

124

.121

.920

.320

.014

.330

.412

.519

.8m

anag

emen

tR

epor

t de

velo

pmen

t25

.323

.535

.823

.324

.214

.640

.437

.627

.519

.027

.525

.023

.7Ti

me

man

agem

ent

25.3

30.9

38.8

40.7

24.8

23.4

28.9

31.6

35.0

9.5

44.9

12.5

23.7

Trai

ning

and

dev

elop

ing

22.2

24.7

25.4

38.4

13.3

11.7

29.8

13.9

27.5

11.9

24.6

25.0

18.3

staf

fU

nder

stan

ding

com

plex

11.4

14.8

17.2

20.9

18.2

20.4

21.1

21.1

22.5

4.8

23.2

25.0

17.6

info

rmat

ion

syst

ems

Writ

ing

skill

s36

.532

.141

.017

.426

.129

.231

.626

.722

.523

.839

.10.

029

.0*F

or a

lis

t of

gro

ups,

ple

ase

see

the

insi

de b

ack

cove

r.**

N/C

= R

espo

nden

ts d

id n

ot i

ndic

ate

affi

liate

or

chap

ter

mem

bers

hip.

Not

e: E

ach

CA

E re

spon

dent

was

abl

e to

sel

ect

five

mos

t im

port

ant

com

pete

ncie

s fr

om t

he p

rovi

ded

list

for

each

sta

ff l

evel

.



Table 8-2-4 shows that for Audit Staff there are uniformly low percentages for training anddeveloping staff, project planning and management, change management, and conflict resolution.CAE respondents consider analytical ability and communication to be by far the most importantcompetencies for the Audit Staff in all groups.

There is variability among the CAE respondents among some groups for some competencies.Foreign language skills vary from a low of 3.2% in group 1 to a high of 29.1% for group 4. Group6 believes that critical thinking is very important for Audit Staff (58.4 %) while group 4 considersthis much less important (19.8%). Keeping up to date with professional changes in opinions,standards, and regulations is considered vital by responding CAEs in group 7 (51.8%) and significantlyless important for group 1 (10.4%). While responding CAEs in Group 4 believe that presentationskills are very important (50.0%) for Audit Staff, no CAEs in group 12 selected this competency asimportant. The range of percentages for responding CAEs for report development is 8.0% forgroup 6 to 59.3% for group 4.



Tabl

e 8-2

-4M

ost I

mpo

rtan

t Com

pete

ncie

s for

Aud

it St

aff M

embe

rs b

y G

roup

s*C

AE

Res

pond

ents

in P

erce

ntag

es

Com

pete

ncie

s1

23

45

67

89

1011

12N

/C**

Abi

lity

to p

rom

ote

the

6.6

7.4

16.4

10.5

4.8

8.0

15.8

9.0

27.5

9.5

13.0

25.0

12.2

inte

rnal

aud

it ac

tivity

with

in t

he o

rgan

izat

ion

Ana

lytic

al (

abili

ty t

o68

.467

.970

.941

.966

.165

.759

.657

.570

.071

.459

.450

.051

.1w

ork

thro

ugh

an is

sue)

Cha

nge

man

agem

ent

2.6

1.2

1.5

10.5

6.7

4.4

8.8

6.4

7.5

2.4

1.4

0.0

2.3

Com

mun

icat

ion

58.1

53.1

61.9

45.3

61.2

46.0

41.2

30.1

57.5

57.1

58.0

62.5

47.3

Con

cept

ual

thin

king

13.7

14.8

9.0

29.1

13.9

19.7

30.7

29.3

25.0

11.9

18.8

25.0

14.5

Con

flict

res

olut

ion

5.9

2.5

6.7

11.6

12.7

9.5

7.9

7.9

10.0

2.4

7.2

12.5

4.6

Crit

ical

thi

nkin

g47

.438

.334

.319

.839

.458

.445

.649

.230

.050

.033

.337

.537

.4Fo

reig

n la

ngua

ge sk

ills

3.2

3.7

5.2

29.1

21.8

23.4

14.9

27.8

22.5

9.5

14.5

12.5

11.5

Kee

ping

up

to d

ate

with

10.4

17.3

25.4

38.4

30.9

27.7

51.8

30.8

37.5

23.8

20.3

12.5

26.0

prof

essi

onal

cha

nges

inop

inio

ns,

stan

dard

s, a

ndre

gula

tions

Org

aniz

atio

n sk

ills

33.3

16.0

13.4

18.6

6.7

13.9

15.8

12.4

17.5

2.4

21.7

0.0

9.9

Pres

enta

tion

skill

s7.

19.

910

.450

.016

.46.

616

.715

.015

.023

.815

.90.

019

.8Pr

oble

m i

dent

ifica

tion

51.5

59.3

52.2

51.2

41.8

44.5

39.5

37.6

47.5

42.9

47.8

25.0

39.7

and

solu

tion

Proj

ect p

lann

ing

and

7.2

11.1

11.2

9.3

4.8

5.1

7.0

6.0

5.0

9.5

5.8

0.0

6.9

man

agem

ent

Rep

ort

deve

lopm

ent

13.4

17.3

17.9

59.3

26.7

8.0

30.7

36.5

37.5

19.0

23.2

37.5

26.0

Tim

e m

anag

emen

t46

.250

.658

.250

.025

.529

.929

.835

.335

.011

.942

.050

.029

.8Tr

aini

ng a

nd1.

10.

01.

511

.63.

01.

53.

54.

15.

02.

45.

80.

03.

1de

velo

ping

sta

ffU

nder

stan

ding

com

plex

9.6

9.9

11.9

34.9

20.0

24.8

24.6

19.9

30.0

14.3

18.8

25.0

20.6

info

rmat

ion

syst

ems

Writ

ing

skill

s53

.755

.658

.247

.757

.045

.354

.446

.242

.538

.153

.637

.537

.4

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.N

ote:

Eac

h C

AE

resp

onde

nt w

as a

ble

to s

elec

t fi

ve m

ost

impo

rtan

t co

mpe

tenc

ies

from

the

pro

vide

d lis

t fo

r ea

ch s

taff

lev

el.




The Practitioners were asked to indicate the importance of each of the eighteen competencies toperforming their jobs at their current position in their organization. The scale used to determine thelevel of importance was 1 (minimally important) to 5 (very important). Table 8-3 shows the meanresponses by Practitioners for the eighteen competencies.

Table 8-3Importance of Competencies to Perform Work



Supervisor

Ability to promote the internal audit activity 4.32 4.15 4.11within the organizationAnalytical (ability to work through an issue) 4.52 4.53 4.45Change management 4.03 3.89 3.72Communication 4.61 4.59 4.54Conceptual thinking 4.33 4.29 4.25Conflict resolution 4.27 4.24 4.13Critical thinking 4.48 4.43 4.36Foreign language skills 2.59 2.54 2.66Keeping up to date with professional changes 4.05 4.01 4.02in opinions, standards, and regulationsOrganization skills 4.15 4.13 4.13Presentation skills 4.13 4.03 4.02Problem identification and solution 4.50 4.48 4.44Project planning and management 4.13 4.02 3.84Report development 4.31 4.27 4.19Time management 4.26 4.25 4.21Training and developing staff 4.06 3.74 3.56Understanding complex information systems 3.79 3.73 3.65Writing skills 4.49 4.47 4.39

*The mean is the average response to: 1 = minimally important to 5 = very important.Note: Not all respondents answered for all the competencies. Total number of respondents was between 4,693 and4,735.



As indicated by only marginal differences in the means, Practitioners consider almost all of thecompetencies equally important across the positional levels in the IAA. The only categories whichshow some change between the Audit Staff level and the Audit Manager level are:

• Ability to promote the IAA within the organization (4.11 to 4.32).• Project planning and management (3.84 to 4.13).• Change management (3.72 to 4.03).• Training and developing staff (3.56 to 4.06).

The competency categories for all levels with the most means below 4.0 are:

• Foreign language skills (the lowest score of all categories analyzed with means between2.54 and 2.66).

• Understanding complex information systems (second lowest mean for all levels but stillsomewhat important with means of 3.65 to 3.79).

• Training and developing staff (a mean higher than 4.0 only for the Audit Manager category).• Change management (a mean higher than 4.0 only for the Audit Manager category).• Project planning and management (a mean higher than 4.0 for the Audit Senior /Supervisor

and Audit Manager categories).

Table 8-4 shows the ranking of the competency means for Practitioners. The consistent rankingsamong the Audit Manager, Audit Senior/Supervisor, and Audit Staff levels are striking. Practitionersindicate that many of the competencies are equally important across the hierarchical scale in theIAA with only marginal differences in the ranks. The results highlight some similarities with theresponses of the CAE group. Communication is the most important for all professional levels. Thisis consistent with Standard 2420, Quality of Communication, which states, “Communications shouldbe accurate, objective, clear, concise, constructive, complete, and timely.” This standard appliesfor all internal auditors. The foreign language skills competency is indicated by respondents as theleast important for all Practitioners at all staff levels.



Table 8-4Rankings of the Competencies by Staff Level

Practitioner Respondents by Rank


Supervisor

Ability to promote the internal audit activity 7 10 11within the organizationAnalytical (ability to work through an issue) 2 2 2Change management 16 15 15Communication 1 1 1Conceptual thinking 6 6 6Conflict resolution 9 9 9/10Critical thinking 5 5 5Foreign language skills 18 18 18Keeping up to date with professional changes 15 14 12/13in opinions, standards, and regulationsOrganization skills 11 11 9/10Presentation skills 12/13 12 12/13Problem identification and solution 3 3 3Project planning and management 12/13 13 14Report development 8 7 8Time management 10 8 7Training and developing staff 14 16 17Understanding complex information systems 17 17 16Writing skills 4 4 4

Note: In some cases the rankings were tied. For example, rankings of conflict resolution and organization skills at theAudit Staff level were tied.



CAEs and Practitioners seem to approach the competencies differently. CAEs appear to be viewingcompetencies appropriate for a positional level from a department manager’s perspective, whilePractitioners appear to view the need for a variety of competencies necessary for their success.For Audit Managers especially, the difference between the CAE and the Audit Manager responsesis noticeable for the following competencies: training and development, project planning, writingskills, problem identification and solution, and keeping up to date with professional changes inopinions, standards, and regulations. The differences for the Audit Manager level may be reflectiveof the transition from more operational duties to managerial duties. (CAEs and Practitioners wereasked to rank the same list of competencies but their methods differed. CAEs indicated the fivemost important competencies for each audit staff level, while Practitioners ranked each competencyas it related to the competency’s importance for themselves to do their job.)

Practitioner Rankings by Groups

In Appendix 8, Tables 8-3-1-A (Audit Manager), 8-3-2-A (Audit Senior/Supervisor), and 8-3-3-A(Audit Staff) show Practitioner responses for competencies broken out for the 13 groups. Foreignlanguage skills are universally the lowest ranked competency. For all groups, analytical ability,communication, and problem identification and solution are the only abilities to receive meansabove 4.0 for all three staff levels. For the three staff levels, understanding complex informationsystems has a mean of more than 4.0 for only seven groups. In general after taking out the veryhigh and very low outliers among the groups, the responses show the perception that many skillsare important to the respondents regardless of where they reside. Considering the contents of TheIIA’s Code of Ethics and the Standards, the uniformity of this perception among practitionersglobally is very important. These tables indicate that the findings are relatively consistent betweenthe groups for the three staff levels.

Areas of Knowledge

Standard 1210, Proficiency states, “Internal auditors should possess the knowledge …needed toperform their individual responsibilities.” Practice Advisory 1210-1, Proficiency, states, “Proficiencymeans the ability to apply knowledge to situations likely to be encountered and to deal with themwithout extensive recourse to technical research and assistance.” This section looks at 19 areas ofknowledge to determine which are important to internal auditors for the satisfactory performanceof their job at staff positions in the IAA.



Certain areas of knowledge are emphasized in the Standards and expanded upon in the PracticeAdvisories:

• Attribute Standard 1210 – “Internal auditors should possess the knowledge, skills, andother competencies needed to perform their individual responsibilities.”

• Attribute Standard 1210.A1 – “The chief audit executive should obtain competent adviceand assistance if the internal audit staff lacks the knowledge…needed to perform all orpart of the engagement.”

• Practice Advisory 1210-1 – “An appreciation is required of the fundamentals of subjectssuch as accounting, economics, commercial law, taxation, finance, quantitative methods,and information technology.”

• Practice Advisory 1210-1 – “Proficiency in accounting principles and techniques is requiredof auditors who work extensively with financial records and reports.”

• Practice Advisory 1210-1 – “An understanding of management principles is required.”

The areas of knowledge for this question were identified by reviewing the Standards and PracticeAdvisories, internal auditing literature, past CBOK studies, and the current CBOK 2006 pilotstudy. Based on this review, nineteen areas of knowledge were identified as being important forinternal auditors. The Practitioner Questionnaire asked respondents to indicate the importance ofthese nineteen areas of knowledge to perform their work at their current position in their organizationon a scale of 1 (minimally important) to 5 (very important). Respondents were unable to amend oradd to the list. Table 8-5 shows an analysis of the three professional levels Audit Manager, AuditSenior/Supervisor, and Audit Staff. In Appendix 8, Tables 8-5-1-A (Audit Manager), 8-5-2-A (AuditSenior/Supervisor), and 8-5-3-A (Audit Staff) list the areas of knowledge in descending order bymean.






Supervisor

Accounting 3.83 3.77 3.71Auditing 4.68 4.66 4.61Business law and government regulation 3.68 3.70 3.68Business management 3.75 3.60 3.53Changes to professional standards 3.71 3.64 3.68Enterprise risk management 3.85 3.74 3.71Ethics 4.21 4.18 4.26Finance 3.70 3.68 3.64Fraud awareness 4.00 3.93 3.91Governance 3.95 3.80 3.77Human resource management 3.44 3.23 3.15Information technology 3.85 3.84 3.79Internal auditing standards 4.19 4.19 4.24Managerial accounting 3.35 3.30 3.27Marketing 2.70 2.60 2.64Organization culture 3.91 3.79 3.82Organizational systems 3.75 3.76 3.78Strategy and business policy 3.73 3.61 3.60Technical knowledge for your industry 3.97 3.92 3.96

*The mean is the average response to: 1 = minimally important to 5 = very important.NOTE: Not all respondents answered for all the knowledge areas. Total number of respondents was between 4,711 and4,751.

The means in Table 8-5 and the rankings in Table 8-6 indicate that knowledge of auditing isoverwhelmingly ranked first for all Practitioner respondents (4.61 to 4.68 for the Audit Staff throughAudit Manager). Ethics is ranked second (4.21 to 4.26) by all levels except for Audit Senior/Supervisor (4.18, ranked 3). Areas of knowledge consistently ranked in the top five for all Practitionerrespondents are internal auditing standards, which is ranked second or third by all staff levels,technical knowledge for your industry (3.92 to 3.97), and fraud awareness (3.91 to 4.00), whichare ranked either fourth or fifth for all Practitioner respondents.



There is unanimity in the ranking of the least important areas of knowledge for all Practitionerrespondents. Marketing at 19 is ranked the lowest (2.60 to 2.70), and human resource management(3.15 to 3.44) and managerial accounting (3.27 to 3.35) are ranked either 18 or 17 for all respondents.For the other areas of knowledge listed, Practitioner rankings vary.


Practitioner Respondents by Staff Level


Supervisor

Accounting 10 9 10Auditing 1 1 1Business law and government regulation 16 12 12Business management 11 16 16Changes to professional standards 14 14 13Enterprise risk management 8 11 11Ethics 2 3 2Finance 15 13 14Fraud awareness 4 4 5Governance 6 7 9Human resource management 17 18 18Information technology 9 6 7Internal auditing standards 3 2 3Managerial accounting 18 17 17Marketing 19 19 19Organization culture 7 8 6Organizational systems 12 10 8Strategy and business policy 13 15 15Technical knowledge for your industry 5 5 4



Audit Manager

Looking at Table 8-5-1, the five most important areas of knowledge that Audit Managers indicatethey should possess are:

1. Auditing (4.68).2. Ethics (4.21).3. Internal auditing standards (4.19).4. Fraud awareness (4.00).5. Technical knowledge for your industry (3.97).

Table 8-5-1Importance of Areas of Knowledge to Perform Work as Audit Manager


Areas of Knowledge Audit Manager

Auditing 4.68Ethics 4.21Internal auditing standards 4.19Fraud awareness 4.00Technical knowledge for your industry 3.97Governance 3.95Organization culture 3.91Enterprise risk management 3.85Information technology 3.85Accounting 3.83Business management 3.75Organizational systems 3.75Strategy and business policy 3.73Changes to professional standards 3.71Finance 3.70Business law and government regulation 3.68Human resource management 3.44Managerial accounting 3.35Marketing 2.70

*The mean is the average response to: 1 = minimally important to 5 = very important.

Practitioners indicated that progression in hierarchical position in the IAA from Audit Staff to AuditManager results in no significant change in areas of knowledge that are fundamental to internal



auditors’ success. Focus on business management, enterprise risk management, and governancedoes gain more importance. Marginally less crucial are business law and government regulation,information technology, and organizational systems.


Table 8-5-2 reveals that Audit Seniors/Supervisors indicate that the five most important areas ofknowledge fundamental to their job performance are:

1. Auditing (4.66).2. Internal auditing standards (4.19).3. Ethics (4.18).4. Fraud awareness (3.93).5. Technical knowledge for your industry (3.92).

Table 8-5-2Importance of Areas of Knowledge to Perform Work as

Audit Senior/SupervisorPractitioner Respondents in Means*

Areas of Knowledge Audit Manager/Supervisor

Auditing 4.66Internal auditing standards 4.19Ethics 4.18Fraud awareness 3.93Technical knowledge for your industry 3.92Information technology 3.84Governance 3.80Organization culture 3.79Accounting 3.77Organizational systems 3.76Enterprise risk management 3.74Business law and government regulation 3.70Finance 3.68Changes to professional standards 3.64Strategy and business policy 3.61Business management 3.60Managerial accounting 3.30Human resource management 3.23Marketing 2.60




There is no area of knowledge that becomes more significant for this level than for the Audit Staff.

Audit Staff

Table 8-5-3 shows the five most important areas of knowledge that the Audit Staff believes arefundamental for their job performance are:

1. Auditing (4.61).2. Ethics (4.26).3. Internal auditing standards (4.24).4. Technical knowledge for your industry (3.96).5. Fraud awareness (3.91).

Table 8-5-3Importance of Areas of Knowledge to Perform Work as Audit Staff


Areas of Knowledge Audit Staff

Auditing 4.61Ethics 4.26Internal auditing standards 4.24Technical knowledge for your industry 3.96Fraud awareness 3.91Organization culture 3.82Information technology 3.79Organizational systems 3.78Governance 3.77Accounting 3.71Enterprise risk management 3.71Business law and government regulation 3.68Changes to professional standards 3.68Finance 3.64Strategy and business policy 3.60Business management 3.53Managerial accounting 3.27Human resource management 3.15Marketing 2.64




Group Means for Areas of Knowledge

Tables 8-5-4-A (Audit Manager), 8-5-5-A (Audit Senior/Supervisor), and 8-5-6-A (Audit Staff)show Practitioner mean responses for areas of knowledge broken out for the 13 groups. Whenanalyzed by groups there is evidence of a wide divergence of opinion for many knowledge areas.There is a high level of consistency once very high and low rated knowledge areas by individualgroups are removed.

For Audit Managers in Table 8-5-4-A, auditing receives the highest means. Internal auditing standardshas means of 4.00 and above for all but one group and ethics is above 4.00 for all but two groups.

Group means for the Audit Senior/Supervisor level in Table 8-5-5-A are very similar to those of theAudit Staff for the high and low ranking areas of knowledge. The other areas of knowledge meansare relatively close together for most of the groups.

For the Audit Staff (Table 8-5-6-A), auditing is critical for all groups with all means above 4.24.Ethics (9 groups) and internal auditing standards (8 groups) receive rankings above 4.0 for themajority of the groups. The low rankings continue to be low for human resource management,managerial accounting, and marketing. Group 12 was the only group whose means for enterpriserisk management, ethics, organizational systems, and strategy and business policy are all 5.00,indicating the respondents in this group believe that these knowledge areas are of the highestimportance for that group’s respondents.



Summary

The results show that the CAEs and Practitioners consider communication as the most importantcompetency for all members of the IAA. The CAE respondents believe that ability to promote theIAA within the organization is overwhelmingly the most important competency that the CAEshould possess. The top two competencies deemed most important by the CAE for the Audit Staffand Audit Senior/Supervisor are analytical and communication. The CAEs’ responses indicate adifference among the competencies needed based on staff levels (Audit Staff, Audit Senior/Supervisor, Audit Manager, CAE) while the Practitioner responses at each staff level generallyindicate that for their current position the competencies are equally important.

When viewing the importance of competencies across the array of hierarchical positions in theIAA from CAE to the Audit Staff, the ability to promote the IAA within the organization, changemanagement, conflict resolution and training, and developing staff show a trend of increasingimportance at higher staff levels. Problem identification, time management, and writing competenciesnoticeably decline in importance as an internal auditor advances to higher staff levels.

Areas of knowledge important to the respondents’ job performance were only ranked by Practitionersand did not include CAEs in the rankings. They indicated that for all Practitioner levels, auditing isthe most important knowledge area followed by ethics and internal auditing standards. Fraudawareness and technical knowledge of the respondents’ industry are the only other competencieswith rankings in the top five for all Practitioner respondents. There are no noticeable differencesbased on comparisons of members of the audit staff and those at the Audit Senior/Supervisor level.At the manager level, enterprise risk management marginally increases in importance. There is anoverall consistency of rankings of the knowledge areas by Practitioner respondents for all stafflevels.

When comparing the data for the 13 groups, differences relate to only a few competencies andknowledge areas.



APP

EN

DIX

8Ta

ble 8

-3-1

-AIm

port

ance

of C

ompe

tenc

ies t

o Pe

rfor

m W

ork

for A

udit

Man

ager

by

Gro

ups*

Prac

titio

ner R

espo

nden

ts in

Mea

ns**

Com

pete

ncie

s1

23

45

67

89

1011

12N

/C**

*

Abi

lity

to p

rom

ote

the

4.20

4.36

4.46

4.18

4.41

4.29

4.75

4.33

4.83

4.06

4.14

4.83

4.27

inte

rnal

aud

it ac

tivity

with

in t

he o

rgan

izat

ion

Ana

lytic

al (

abili

ty t

o4.

584.

604.

544.

284.

504.

564.

664.

324.

724.

504.

374.

674.

40w

ork

thro

ugh

an is

sue)

Cha

nge

man

agem

ent

4.06

4.09

4.22

3.56

3.77

3.77

4.34

3.94

4.33

3.81

3.96

4.42

3.93

Com

mun

icat

ion

4.70

4.72

4.69

4.28

4.49

4.43

4.62

4.51

4.53

4.50

4.54

4.75

4.44

Con

flict

res

olut

ion

4.32

4.19

4.38

4.05

4.29

3.95

4.48

4.21

4.56

3.88

4.21

4.58

4.11

Crit

ical

thi

nkin

g4.

574.

474.

503.

794.

424.

414.

484.

394.

724.

444.

404.

924.

34C

once

ptua

l th

inki

ng4.

414.

454.

403.

774.

384.

344.

354.

054.

724.

384.

334.

504.

23Fo

reig

n la

ngua

ge sk

ills

1.77

1.62

2.02

3.38

3.65

3.61

3.90

3.59

4.00

3.69

3.00

3.25

3.14

Kee

ping

up

to d

ate

with

3.91

3.70

4.16

3.87

4.08

4.02

4.48

4.15

4.56

4.33

4.10

4.50

4.09

prof

essi

onal

cha

nges

inop

inio

ns,

stan

dard

s,an

d re

gula

tions

Org

aniz

atio

n sk

ills

4.21

4.07

4.14

3.62

4.08

3.93

4.35

4.20

4.39

3.94

4.00

4.33

4.03

Pres

enta

tion

skill

s4.

154.

174.

164.

004.

053.

884.

164.

114.

504.

254.

284.

504.

00Pr

oble

m i

dent

ifica

tion

4.52

4.52

4.55

4.36

4.45

4.45

4.53

4.49

4.89

4.44

4.42

4.58

4.45

and

solu

tion

Proj

ect p

lann

ing

and

4.28

4.11

4.09

3.74

4.06

3.81

4.23

3.90

4.33

4.00

4.13

4.42

3.92

man

agem

ent

Rep

ort

deve

lopm

ent

4.35

4.50

4.35

3.87

4.36

3.64

4.52

4.30

4.33

4.25

4.38

4.67

4.33

Tim

e m

anag

emen

t4.

334.

374.

433.

774.

293.

824.

394.

174.

503.

814.

444.

834.

00Tr

aini

ng a

nd4.

033.

984.

153.

864.

003.

814.

444.

064.

393.

604.

004.

504.

04de

velo

ping

sta

ffU

nder

stan

ding

3.71

4.09

3.77

3.54

3.70

3.75

4.25

3.68

4.67

3.75

3.90

4.33

3.81

com

plex

inf

orm

atio

nsy

stem

sW

ritin

g Sk

ills

4.56

4.60

4.59

3.79

4.58

4.36

4.53

4.31

4.61

4.33

4.52

4.92

4.28

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**Th

e m

ean

is t

he a

vera

ge r

espo

nse

to:

1 =

min

imal

ly i

mpo

rtan

t to

5 =

ver

y im

port

ant.

***N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.



8-3-

2-A

Impo

rtan

ce o

f Com

pete

ncie

s to

Perf

orm

Wor

k fo

r Aud

it Se

nior

/Sup

ervi

sor b

y G

roup

s*Pr

actit

ione

r Res

pond

ents

in M

eans

**

Com

pete

ncie

s1

23

45

67

89

1011

12N

/C**

*

Abi

lity

to p

rom

ote

the

4.06

4.08

4.24

4.28

4.18

4.15

4.48

4.04

4.36

4.24

4.09

4.71

4.28

inte

rnal

aud

it ac

tivity

with

in t

he o

rgan

izat

ion

Ana

lytic

al (

abili

ty t

o4.

584.

714.

574.

364.

564.

574.

604.

294.

554.

564.

505.

004.

42w

ork

thro

ugh

an is

sue)

Cha

nge

man

agem

ent

3.95

3.89

4.09

3.76

3.70

3.41

4.24

3.76

3.68

3.36

3.82

3.43

3.79

Com

mun

icat

ion

4.67

4.79

4.72

4.48

4.56

4.32

4.56

4.36

4.14

4.58

4.52

4.86

4.53

Con

cept

ual

thin

king

4.39

4.39

4.26

3.80

4.38

4.32

4.31

4.05

4.05

4.08

4.24

4.71

4.19

Con

flict

res

olut

ion

4.31

4.16

4.33

4.18

4.36

3.72

4.35

4.08

4.00

3.76

4.09

4.00

4.23

Crit

ical

thi

nkin

g4.

534.

534.

453.

884.

344.

434.

524.

274.

244.

404.

354.

434.

33Fo

reig

n la

ngua

ge sk

ills

1.81

1.55

1.90

3.36

3.46

3.66

3.61

3.29

3.36

3.68

2.88

2.43

3.22

Kee

ping

up

to d

ate

with

3.86

3.71

4.18

4.22

4.06

4.04

4.40

4.05

3.73

4.17

3.97

4.00

4.16

prof

essi

onal

cha

nges

inop

inio

ns,

stan

dard

s,an

d re

gula

tions

Org

aniz

atio

n sk

ills

4.23

4.26

4.14

3.48

4.10

3.83

4.33

4.01

3.73

3.71

3.74

4.57

4.11

Pres

enta

tion

skill

s4.

113.

973.

933.

944.

043.

764.

043.

993.

954.

124.

034.

003.

89Pr

oble

m i

dent

ifica

tion

4.51

4.66

4.56

4.24

4.52

4.34

4.50

4.41

4.14

4.56

4.45

5.00

4.44

and

solu

tion

Proj

ect p

lann

ing

and

4.17

4.08

4.04

3.76

3.91

3.43

4.07

3.80

3.86

4.20

4.03

4.00

3.91

man

agem

ent

Rep

ort

deve

lopm

ent

4.28

4.47

4.43

4.02

4.24

3.41

4.56

4.38

4.50

4.00

4.26

4.83

4.20

Tim

e m

anag

emen

t4.

344.

374.

433.

784.

193.

664.

414.

143.

903.

804.

354.

574.

14Tr

aini

ng a

nd3.

653.

683.

823.

713.

773.

284.

163.

793.

413.

563.

794.

293.

94de

velo

ping

sta

ffU

nder

stan

ding

com

plex

3.64

3.61

3.98

3.67

3.55

3.71

4.09

3.65

3.95

3.68

3.79

3.43

3.90

info

rmat

ion

syst

ems

Writ

ing

Skill

s4.

534.

554.

573.

904.

594.

414.

584.

294.

324.

364.

414.

294.

33

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**Th

e m

ean

is t

he a

vera

ge r

espo

nse

to:

1 =

min

imal

ly i

mpo

rtan

t to

5 =

ver

y im

port

ant.

***N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.



Tabl

e 8-3

-3-A

Impo

rtan

ce o

f Com

pete

ncie

s to

Perf

orm

Wor

k fo

r the

Aud

it St

aff b

y G

roup

s*Pr

actit

ione

r Res

pond

ents

in M

eans

**

Com

pete

ncie

s1

23

45

67

89

1011

12N

/C**

*

Abi

lity

to p

rom

ote

the

4.01

4.17

4.33

4.30

4.11

3.89

4.42

3.99

4.62

3.88

3.82

5.00

4.25

inte

rnal

aud

it ac

tivity

with

in t

he o

rgan

izat

ion

Ana

lytic

al (

abili

ty t

o4.

534.

174.

494.

534.

544.

304.

774.

164.

384.

294.

124.

674.

48w

ork

thro

ugh

an is

sue)

Cha

nge

man

agem

ent

3.75

3.83

3.85

3.70

3.60

3.20

4.29

3.61

4.00

3.16

3.59

4.00

3.87

Com

mun

icat

ion

4.65

4.42

4.74

4.56

4.45

4.40

4.77

4.30

4.38

4.28

4.00

4.67

4.50

Con

cept

ual

thin

king

4.39

4.25

4.29

4.09

4.27

4.04

4.55

3.96

4.31

3.92

3.82

5.00

4.22

Con

flict

res

olut

ion

4.20

4.00

4.26

4.27

4.02

3.76

4.58

3.90

4.23

3.36

3.94

4.00

4.25

Crit

ical

thi

nkin

g4.

544.

424.

443.

934.

164.

364.

684.

154.

234.

483.

944.

334.

27Fo

reig

n la

ngua

ge sk

ills

1.90

1.50

2.27

3.36

3.60

3.33

3.48

3.21

4.00

3.48

2.29

3.33

3.13

Kee

ping

up

to d

ate

with

3.82

4.00

4.30

4.34

4.28

3.89

4.55

3.99

4.38

3.52

3.76

5.00

4.16

prof

essi

onal

cha

nges

inop

inio

ns,

stan

dard

s,an

d re

gula

tions

Org

aniz

atio

n sk

ills

4.28

4.42

4.22

3.86

4.04

3.84

4.29

4.08

4.31

3.63

3.71

4.67

4.03

Pres

enta

tion

skill

s4.

013.

923.

974.

134.

073.

804.

194.

124.

153.

843.

824.

673.

96Pr

oble

m i

dent

ifica

tion

4.45

4.58

4.53

4.57

4.45

4.31

4.68

4.41

4.62

4.05

4.18

4.67

4.35

and

solu

tion

Proj

ect p

lann

ing

and

3.96

3.42

3.89

3.89

3.81

3.49

3.84

3.75

4.15

3.56

3.59

3.67

3.72

man

agem

ent

Rep

ort

deve

lopm

ent

4.21

4.33

4.38

4.10

3.99

3.72

4.84

4.17

4.46

3.84

3.88

5.00

4.26

Tim

e m

anag

emen

t4.

394.

334.

454.

134.

113.

694.

524.

024.

543.

523.

825.

004.

06Tr

aini

ng a

nd3.

353.

253.

433.

993.

563.

304.

103.

804.

233.

163.

475.

003.

76de

velo

ping

sta

ffU

nder

stan

ding

3.51

3.33

3.81

3.81

3.69

3.51

4.06

3.53

3.92

3.56

3.35

5.00

3.90

com

plex

inf

orm

atio

nsy

stem

sW

ritin

g Sk

ills

4.49

4.17

4.46

3.90

4.54

4.24

4.58

4.24

4.23

4.24

4.41

5.00

4.41

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**Th

e m

ean

is t

he a

vera

ge r

espo

nse

to:

1 =

min

imal

ly i

mpo

rtan

t to

5 =

ver

y im

port

ant.

***N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.



Tabl

e 8-5

-4-A

Impo

rtan

ce o

f Are

as o

f Kno

wle

dge t

o Pe

rfor

m W

ork

for A

udit

Man

ager

by

Gro

ups*

Prac

titio

ner R

espo

nden

ts in

Mea

ns**

Are

as o

f Kno

wle

dge

12

34

56

78

910

1112

N/C

***

Acc

ount

ing

3.84

3.34

3.67

3.95

3.81

3.65

4.20

3.67

4.44

3.44

4.17

4.25

3.96

Aud

iting

4.70

4.53

4.61

4.42

4.67

4.58

4.84

4.68

4.89

4.88

4.69

4.92

4.72

Bus

ines

s la

w a

nd3.

483.

703.

733.

683.

793.

534.

293.

694.

174.

004.

064.

423.

86go

vern

men

t reg

ulat

ion

Bus

ines

s m

anag

emen

t3.

643.

843.

853.

613.

813.

664.

193.

673.

944.

063.

854.

273.

83C

hang

es t

o pr

ofes

sion

al3.

613.

403.

853.

793.

523.

524.

183.

594.

173.

634.

024.

333.

83st

anda

rds

Ente

rpris

e ris

k m

anag

emen

t3.

544.

074.

114.

033.

953.

944.

354.

004.

444.

203.

984.

334.

00Et

hics

4.26

4.04

4.16

4.21

3.95

3.76

4.67

4.09

4.56

4.38

4.09

4.50

4.33

Fina

nce

3.52

3.38

3.70

3.69

4.00

3.58

4.25

3.71

4.44

3.63

4.11

4.08

3.75

Frau

d aw

aren

ess

4.01

3.85

3.94

3.82

3.99

3.71

4.36

3.90

4.33

3.81

4.13

4.17

4.10

Gov

erna

nce

3.81

4.26

4.21

3.79

3.97

3.79

4.30

3.97

4.17

4.25

4.09

4.17

3.84

Hum

an r

esou

rce

3.25

3.32

3.52

3.21

3.57

3.28

3.96

3.59

3.94

3.63

3.55

3.75

3.58

man

agem

ent

Info

rmat

ion

tech

nolo

gy3.

793.

573.

803.

643.

833.

884.

363.

744.

443.

944.

064.

423.

87In

tern

al a

uditi

ng s

tand

ards

4.15

3.68

4.27

4.00

4.20

4.04

4.67

4.05

4.72

4.06

4.29

4.67

4.23

Man

ager

ial a

ccou

ntin

g3.

053.

173.

283.

453.

553.

404.

043.

534.

173.

313.

694.

003.

69M

arke

ting

2.45

2.53

2.86

3.16

2.95

2.58

3.30

2.61

3.67

2.40

2.92

3.58

3.00

Org

aniz

atio

n cu

lture

3.92

3.89

3.92

3.49

3.82

3.80

4.07

3.94

4.22

3.50

3.81

4.42

3.84

Org

aniz

atio

nal

syst

ems

3.65

3.93

3.99

3.45

3.71

3.86

3.93

3.61

4.33

3.75

3.77

4.40

3.90

Stra

tegy

and

bus

ines

s3.

633.

684.

023.

643.

653.

693.

993.

574.

334.

063.

834.

503.

77po

licy

Tech

nica

l kno

wle

dge

3.99

4.02

4.02

3.72

3.92

3.40

4.16

4.03

4.44

3.50

4.00

4.33

3.90

for

your

ind

ustr

y

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**Th

e m

ean

is t

he a

vera

ge r

espo

nse

to:

1 =

min

imal

ly i

mpo

rtan

t to

5 =

ver

y im

port

ant.

***N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.



Tabl

e 8-5

-5-A

Impo

rtan

ce o

f Are

as o

f Kno

wle

dge t

o Pe

rfor

m W

ork

for A

udit

Seni

or/S

uper

viso

r by

Gro

ups*

Prac

titio

ner R

espo

nden

ts in

Mea

ns**

Are

as o

f Kno

wle

dge

12

34

56

78

910

1112

N/C

***

Acc

ount

ing

3.77

3.55

3.45

3.94

3.78

3.53

4.20

3.46

4.27

3.76

3.97

4.71

4.02

Aud

iting

4.67

4.76

4.73

4.53

4.56

4.42

4.80

4.56

4.77

4.60

4.65

4.71

4.68

Bus

ines

s la

w a

nd3.

553.

713.

773.

793.

793.

514.

163.

623.

773.

803.

533.

574.

02go

vern

men

t reg

ulat

ion

Bus

ines

s m

anag

emen

t3.

583.

683.

633.

713.

543.

493.

943.

433.

273.

673.

683.

863.

62C

hang

es t

o pr

ofes

sion

al3.

603.

503.

763.

923.

523.

464.

063.

483.

413.

283.

624.

003.

76st

anda

rds

Ente

rpris

e ris

k m

anag

emen

t3.

513.

793.

864.

103.

823.

934.

163.

943.

553.

923.

624.

293.

85Et

hics

4.30

4.11

4.10

4.06

3.95

3.78

4.62

3.85

4.09

4.24

3.82

4.29

4.16

Fina

nce

3.58

3.49

3.71

3.88

3.97

3.26

4.04

3.55

3.59

3.76

3.73

4.00

3.91

Frau

d aw

aren

ess

3.95

3.82

3.95

3.94

3.90

3.64

4.27

3.66

3.86

3.64

3.76

4.14

4.07

Gov

erna

nce

3.76

4.08

4.16

3.63

3.61

3.57

4.06

3.65

3.55

3.88

3.85

3.57

3.87

Hum

an r

esou

rce

3.08

3.42

3.41

3.31

3.26

3.05

3.70

3.15

3.09

3.16

3.06

3.43

3.48

man

agem

ent

Info

rmat

ion

tech

nolo

gy3.

783.

713.

864.

083.

573.

884.

223.

713.

554.

173.

794.

004.

09In

tern

al a

uditi

ng s

tand

ards

4.22

4.16

4.26

4.00

4.15

3.93

4.55

3.92

3.82

4.08

4.09

4.29

4.26

Man

ager

ial a

ccou

ntin

g3.

133.

083.

223.

693.

413.

163.

923.

283.

233.

383.

183.

573.

61M

arke

ting

2.41

2.37

2.68

3.16

2.68

2.29

3.23

2.55

2.45

2.64

2.59

2.71

2.88

Org

aniz

atio

n cu

lture

3.80

4.03

3.96

3.62

3.54

3.51

4.09

3.79

3.68

3.76

3.47

4.29

3.72

Org

aniz

atio

nal

syst

ems

3.70

4.03

4.15

3.63

3.68

3.67

3.90

3.66

3.64

3.64

3.59

4.43

3.79

Stra

tegy

and

bus

ines

s3.

573.

843.

893.

883.

423.

513.

893.

333.

503.

763.

654.

573.

54po

licy

Tech

nica

l kno

wle

dge

3.97

3.92

3.99

4.20

3.73

3.50

4.08

3.97

3.55

3.54

3.76

4.43

3.83

for

your

ind

ustr

y

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**Th

e m

ean

is t

he a

vera

ge r

espo

nse

to:

1 =

min

imal

ly i

mpo

rtan

t to

5 =

ver

y im

port

ant.

***N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.



Tabl

e 8-5

-6-A

Impo

rtan

ce o

f Are

as o

f Kno

wle

dge t

o Pe

rfor

m W

ork

for t

he A

udit

Staf

f by

Gro

ups*

Prac

titio

ner R

espo

nden

ts in

Mea

ns**

Are

as o

f Kno

wle

dge

12

34

56

78

910

1112

N/C

***

Acc

ount

ing

3.71

3.17

3.56

4.06

3.85

3.36

4.10

3.48

4.50

3.12

3.71

4.33

3.86

Aud

iting

4.62

4.75

4.75

4.56

4.72

4.24

4.90

4.57

4.92

4.40

4.29

4.33

4.57

Bus

ines

s la

w a

nd3.

583.

753.

764.

093.

563.

314.

033.

614.

253.

723.

534.

003.

87go

vern

men

t reg

ulat

ion

Bus

ines

s m

anag

emen

t3.

463.

253.

563.

873.

593.

444.

033.

294.

253.

483.

533.

333.

65C

hang

es t

o pr

ofes

sion

al3.

653.

754.

024.

043.

733.

114.

003.

424.

333.

083.

124.

003.

82st

anda

rds

Ente

rpris

e ris

k m

anag

emen

t3.

423.

423.

964.

174.

063.

804.

033.

714.

173.

563.

355.

003.

87Et

hics

4.40

4.42

4.29

4.31

4.06

3.77

4.55

4.01

4.75

3.88

3.88

5.00

4.26

Fina

nce

3.54

3.42

3.89

4.09

3.93

3.18

4.03

3.31

4.50

2.84

3.76

4.33

3.85

Frau

d aw

aren

ess

3.95

3.67

3.93

4.17

3.71

3.53

4.45

3.60

4.33

3.28

3.76

4.67

4.18

Gov

erna

nce

3.73

3.92

4.16

3.80

3.72

3.53

4.13

3.53

4.09

3.88

3.76

3.67

3.85

Hum

an r

esou

rce

2.95

3.17

3.18

3.46

3.38

2.80

3.65

3.07

4.00

2.84

3.06

4.00

3.45

man

agem

ent

Info

rmat

ion

tech

nolo

gy3.

693.

583.

883.

973.

963.

424.

353.

594.

003.

883.

594.

674.

04In

tern

al a

uditi

ng s

tand

ards

4.29

4.00

4.52

4.16

4.37

3.80

4.68

3.94

4.67

3.80

3.59

4.33

4.34

Man

ager

ial a

ccou

ntin

g3.

052.

923.

243.

963.

553.

023.

743.

143.

922.

923.

384.

333.

53M

arke

ting

2.44

2.25

2.66

3.24

2.86

2.16

3.27

2.53

3.67

2.00

2.76

2.67

2.91

Org

aniz

atio

n cu

lture

3.83

4.08

3.94

3.74

3.59

3.58

4.13

3.71

4.08

4.13

3.59

4.67

3.88

Org

aniz

atio

nal

syst

ems

3.71

3.92

4.16

3.68

3.72

3.69

4.10

3.56

4.00

3.84

3.82

5.00

3.91

Stra

tegy

and

bus

ines

s3.

513.

504.

103.

913.

433.

414.

323.

174.

003.

963.

185.

003.

73po

licy

Tech

nica

l kno

wle

dge

for

3.98

4.00

4.13

4.21

3.83

3.02

4.23

4.14

3.75

3.36

3.47

4.67

3.96

your

ind

ustr

y

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**Th

e m

ean

is t

he a

vera

ge r

espo

nse

to:

1 =

min

imal

ly i

mpo

rtan

t to

5 =

ver

y im

port

ant.

***N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.



____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 339


CHAPTER 9EMERGING ROLES OF

INTERNAL AUDIT ACTIVITIES

Introduction

To examine the emerging role of the internal audit activity (IAA) in the organization, this chapterstarts with a discussion of the length of time organizations have had IAAs and the number of yearsthe organizations have been in existence. The next section reports on the general types of auditsbeing performed currently by IAAs and the expected changes in emphasis over the next threeyears. Another section examines the range of special audit activities respondents’ IAAs performnow and how that is expected to change in the next three years. The last section looks at therespondents’ organizations and the IAA’s current role in the organization as well as how theorganization’s environment and the IIA’s role will evolve over the next three years.






When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.For a list of groups, please refer to the inside back cover of the report. Some tables have additionaldetails. For example, Table 9-4 is the total of all respondents for that question with a related Table9-4-1 showing the responses by group. A table can have more than one related table, where thesecond related table would be 9-4-2.



Years That the IAA and Organizations Have Existed

Before looking at the roles and expected roles of the IAAs, one needs to gain a perspective of thelength of time respondents’ organizations have had IAAs and the years their organizations havebeen in existence. Figure 9-1 lists the number of years the respondents’ IAAs have been in existence.The largest numbers of respondents work for IAAs that have been in existence for only 0-5 years(28.4%). Another 21% of the respondents work for IAAs that have been in existence for 6-10years. This shows that many of the respondents’ IAAs (49.4%) are just starting to develop in theirorganizations. Only 13.8% of the respondents work in IAAs that have been in existence for 31 ormore years.



0-5 Years28.4%

41+ Years8.1%

31-40 Years5.7%

21-30 Years14.1%

11-20 Years22.7%6-10 Years

21.0%



Table 9-1 provides the number of years respondent organizations have had IAAs by groups. Thegroups are listed on the inside back cover of this report. In group 5 respondents indicate that 60.5%of their IAAs are 0-5 years old and another 22.5% are 6-10 years old. Respondents in the othergroups indicate between 20% - 33.9% of the IAAs are between 0-5 years old and an additional16.1% - 33.1% indicate their IAAs are between 6-10 years old. A review of the countries in eachgroup and historical events explain some of these differences since in some areas of the world,economies are more developed than others.

Table 9-1Number of Years the IAA Has Existed by Groups*


Morethan

Group Respon- 0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 50dents Years Years Years Years Years Years Years Years Years Years Years Total

1 3,025 23.8 16.1 10.9 12.6 9.2 8.9 3.1 4.8 .7 4.5 5.4 100.02 188 26.1 20.7 17.0 13.3 5.9 6.9 2.7 2.7 1.1 1.1 2.5 100.03 636 25.8 26.6 11.9 10.2 5.8 7.1 2.7 1.9 .5 4.2 3.3 100.04 347 25.6 33.1 15.9 13.3 3.2 3.5 1.2 2.0 .6 .8 .8 100.05 550 60.5 22.5 8.0 2.7 1.5 1.3 .0 1.1 .2 1.3 .9 100.06 423 23.6 18.0 10.4 7.6 8.0 11.6 3.1 2.6 .9 5.2 9.0 100.07 467 23.1 20.3 13.1 9.9 8.4 11.8 2.8 3.2 .6 2.6 4.2 100.08 910 32.7 25.3 14.3 11.1 5.5 3.7 1.9 1.3 .2 1.3 2.7 100.09 118 33.9 29.7 15.3 7.6 5.1 .8 .0 .0 .8 3.4 3.4 100.0

10 125 22.4 25.6 11.2 8.0 6.4 4.8 3.2 6.4 .0 3.2 8.8 100.011 226 28.8 24.3 11.9 10.2 5.8 8.4 1.3 4.0 .9 2.2 2.2 100.012 40 20.0 27.5 10.0 10.0 5.0 12.5 2.5 .0 7.5 2.5 2.5 100.0

N/C** 692 27.6 23.3 11.6 13.0 4.8 7.4 1.4 3.6 .6 3.3 3.4 100.0Overall 7,747 2,194 1,628 914 847 529 566 181 255 48 257 328Respondentsin CategoryOverall 28.4 21.0 11.8 10.9 6.8 7.3 2.4 3.3 .6 3.3 4.2 100.0Percent inCategory




Figure 9-2 reports on how long respondents’ organizations have been in existence. A correlationtest performed by the researchers showed a relationship between how long the organizations havebeen in existence and how long the organizations have had an IAA. It appears that older companiestend to have established IAAs longer than younger companies.

Figure 9-2Number of Years Organizations Have Existed




Table 9-2 lists the length of time respondents’ organizations have been in existence by the 13groups. Groups 1, 6, and 10 have a large number of respondents (54.5% - 59.2%) working inorganizations that are more than 50 years old and only 11.2% - 13.4% with organizations that are10 or less years old. While for respondents in groups 4, 5, and 11, greater than 24% of theirorganizations (24.1% - 29.4%) are 10 years old or less.

Table 9-2Number of Years Organizations Have Existed by Groups*


Group Respondents 0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 More TotalYears Years Years Years Years Years Years Years Years Years than

50Years

1 3241 4.4 6.8 4.7 4.8 3.9 5.0 3.7 4.8 1.7 5.7 54.5 100.02 189 8.5 11.1 3.7 6.3 3.7 6.9 4.2 2.6 2.1 7.4 43.5 100.03 648 8.3 13.1 9.3 5.9 5.4 5.1 3.1 5.2 1.4 5.7 37.5 100.04 354 11.6 17.8 9.9 12.7 3.4 9.0 5.9 5.1 4.0 3.7 16.9 100.05 552 12.0 17.4 24.8 6.7 2.2 3.1 2.2 3.1 1.1 4.3 23.1 100.06 434 4.8 8.5 6.0 2.5 1.8 4.4 2.5 3.7 .9 8.5 56.4 100.07 504 6.0 14.1 10.3 5.0 4.0 6.7 5.0 3.4 3.6 6.5 35.4 100.08 954 11.3 10.6 7.0 6.2 3.6 5.8 2.5 4.8 1.5 5.6 41.1 100.09 125 8.0 9.6 7.2 13.6 11.2 3.2 7.2 1.6 5.6 8.0 24.8 100.0

10 135 6.7 6.7 3.7 4.4 3.0 3.7 5.2 1.5 3.7 2.2 59.2 100.011 228 11.4 12.7 10.1 11.0 8.3 6.1 5.7 6.1 4.8 4.8 18.8 100.012 39 5.1 10.3 7.7 10.3 5.1 15.4 10.3 10.3 7.7 .0 17.8 100.0

N/C** 762 8.7 14.3 9.4 7.9 3.5 6.2 3.1 3.3 1.8 5.4 36.4 100.0Total/ 8165 590 856 648 496 321 442 299 355 165 461 3532

OverallRespondentsin Category

OverallPercent inCategory 7.2 10.5 7.9 6.1 3.9 5.4 3.7 4.3 2.0 5.6 43.4 100.0

*For a list of affiliate groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.



Changing Emphasis on Types of Audits

This section focuses on the anticipated change in demand for the general types of audits that willbe performed by the IAA in the next three years. The definition of internal auditing in The IIA’s1999 report, A Vision for the Future: Professional Practices Framework for Internal Auditing,acknowledges the importance of assurance services and consulting in the areas of risk management,governance, and controls. With this expansion of scope, it was expected that the audits performedby IAAs would include these three areas. In order to assess staffing needs, required competencies,and the skills necessary in the near future, the profession needs to anticipate changes in the demandfor their services. Table 9-3 shows the estimates of all respondents to the question about whetherthey anticipate the general types of audits performed by their IAA will increase, decrease, or staythe same over the next three years.

Table 9-3Anticipated Changes in Types of Audits to Be Performed

Within the Next Three YearsAll Respondents in Percentages

Activity Total Increase Decrease Stay the TotalResponses Same Percent

Risk management 6,728 79.5 2.3 18.2 100.0Governance 6,704 63.2 4.0 32.8 100.0Regulatory compliance 6,698 46.9 11.7 41.4 100.0Operational auditing 6,715 46.2 14.7 39.1 100.0Review of financial processes 6,724 43.5 14.6 41.9 100.0

Respondents predict that the greatest increase in the types of audits performed in the next threeyears will be in risk management (79.5%) and governance (63.2%) audits. The projected increasesfor these types of audits will need to be reflected in the IAA’s internal audit plan, the resourcesallocated to the IAA, and in the audit staff’s competencies. For many of the respondents, regulatorycompliance (46.9%), operational auditing (46.2%), and reviews of financial processes (43.5%)show material increases as well. Some respondents do anticipate that less time will be spent onoperational audits (14.7%), the review of financial processes (14.6%), and regulatory complianceaudits (11.7%).



As IAAs around the world are evolving at different rates, this study also looked at the expectedchanges in the types of audits to be performed by IAAs by groups. Table 9-3-1 presents predictedincreases in the types of audits for all respondents by group, Table 9-3-2 presents the decreasesanticipated by group, and Table 9-3-3 shows predictions of no change by group. The respondentsin all groups agreed that the performance of risk management and governance audits should increasethe most in the next three years.

Table 9-3-1Changes in Types of Audits Performed – Increased Role in the Future

(Next Three Years) by Groups*All Respondents in Percentages

Activity 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

Review of financial 45.0 30.0 44.0 41.2 48.0 35.9 44.5 37.2 55.9 40.9 47.2 70.6 46.0processesRisk management 74.5 75.0 84.0 88.5 83.6 77.2 89.0 82.6 87.9 79.1 83.9 100.0 80.7Governance 55.9 67.0 76.0 72.2 61.0 64.5 75.9 64.6 79.4 52.6 77.2 85.3 63.9Regulatory compliance 46.4 46.0 50.0 40.8 41.2 44.6 54.7 47.2 52.2 25.0 49.2 64.7 51.1Operational auditing 47.9 48.0 45.0 51.9 44.6 44.7 44.5 38.3 59.1 30.7 45.8 67.7 50.1


Table 9-3-2Changes in Types of Audits Performed – Decreased Role in the Future


Activity 1 2 3 4 5 6 7 8 9 10 11 12 N/C**





Table 9-3-3Changes in Types of Audits Performed – Stay the Same in the Future


Activity 1 2 3 4 5 6 7 8 9 10 11 12 N/C**



Emerging Roles in Organizations’ Activities

To gain an understanding of what roles IAAs have and will have in various types of activities andfunctions performed within an organization, respondents were provided with a list of importanttasks performed by organizations. They were asked to indicate if their IAA currently has a role inthe area, if the IAA is likely to have a role in the next three years, or if it is unlikely for the IAA tohave a role. Role was defined as being within the IAA’s scope of work. The list was developedfrom a review of internal auditing literature and the CBOK 2006 pilot survey. An overview of allresponses is shown in Table 9-4.

The respondents’ IAAs all do some work in the areas listed. The four highest ranked areas whererespondents indicate that their IAAs currently perform audits are fraud prevention/detection (69%),risk management (66.6%), regulatory compliance assessment monitoring (64%), and corporategovernance (52.2%). Areas where respondents’ IAAs currently have less of a role are emergingmarkets (11.5%), environmental sustainability (14%), and globalization (15.3%). For most of theaudit areas that are not currently being audited, respondents indicated that 17.7% to 38.1% of theirIAAs plan to do audit work in those areas over the next three years. Currently 23.6% have a rolein corporate social responsibility and an additional 31.6% of the respondents are likely to have arole in the next three years. Areas where more than a third of the respondents indicate they areunlikely to be involved are executive compensation (45.4%), environmental sustainability (39.9%),emerging markets (39.5%), globalization (35.2%), and intellectual property and knowledge assessment(35.1%).



Table 9-4Emerging Roles of the IAA - Total Responses in Percentages

Roles Total Currently Likely to Have Unlikely to Not TotalRespon- Have a Role a Role Within Have a Role Applicable

dents the Next 3Years

Alignment of strategy 6,500 23.1 35.2 30.1 11.6 100.0and performancemeasures (e.g., BalancedScorecard)Benchmarking 6,476 28.6 35.7 26.0 9.7 100.0Corporate governance 6,511 52.2 31.2 11.4 5.2 100.0Corporate social 6,415 23.6 31.6 33.8 11.0 100.0responsibilityDevelop training and 6,522 46.6 34.4 15.3 3.7 100.0education of organizationpersonnel (e.g., internalcontrols, risk management,regulatory requirements)Disaster recovery 6,490 34.0 26.1 29.0 10.9 100.0Evidential issues 6,385 39.8 23.9 23.5 12.8 100.0Emerging markets 6,426 11.5 22.5 39.5 26.5 100.0Environmental sustainability 6,436 14.0 24.7 39.9 21.4 100.0Executive compensation 6,429 16.0 17.7 45.4 20.9 100.0Fraud prevention/detection 6,530 69.0 22.9 5.7 2.4 100.0Globalization 6,431 15.3 21.1 35.2 28.4 100.0Intellectual property and 6,391 19.2 28.4 35.1 17.3 100.0knowledge assessmentIT management assessment 6,453 46.1 32.2 16.8 4.9 100.0Knowledge management 6,387 26.1 38.1 26.9 8.9 100.0systems development reviewMergers and acquisitions 6,437 18.4 23.7 30.8 27.1 100.0Project management 6,410 39.8 27.6 25.1 7.5 100.0Provide training to the 6,436 31.2 34.4 21.7 12.7 100.0audit committeeRegulatory compliance 6,442 64.0 23.0 9.2 3.8 100.0assessment monitoringRisk management 6,509 66.6 25.5 5.6 2.3 100.0Strategic frameworks 6,407 27.0 36.8 27.7 8.5 100.0



Tables 9-4-1 and 9-4-2 show the total results by group for the question about roles and work areasthat respondent IAAs’ currently have or are likely to have in the next three years. The respondents’group data shows many variations in the roles the IAAs currently have and are likely to have inthree years. Approximately 80% of the groups’ respondents indicate that they are currently involvedor will be involved in the next three years in corporate governance, fraud prevention, IT managementassessment, regulatory compliance, and risk management. The group data indicates thatapproximately 50% to 59% of the IAAs have or will have a role in alignment of strategy andperformance measures.



Table 9-4-1Emerging Roles of the IAA - Currently Have a Role by Groups*


Roles 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

Alignment of strategy and 22.8 19.1 32.6 11.6 17.6 16.6 34.4 22.7 18.9 26.4 28.2 25.7 22.0performance measures(e.g., Balanced Scorecard)Benchmarking 30.6 26.6 34.9 16.0 26.6 22.2 26.3 26.8 35.2 29.1 33.0 36.4 25.6Corporate governance 56.5 70.7 75.2 25.7 37.6 47.2 47.4 52.9 40.0 48.2 60.7 62.9 35.7Corporate social 26.4 15.5 30.7 15.4 15.2 11.1 31.6 22.7 25.3 17.4 20.2 30.3 20.7responsibilityDevelop training and 48.7 44.6 51.0 40.5 39.8 30.5 52.5 50.8 41.1 31.8 50.6 64.7 42.5education of organizationpersonnel (e.g., internalcontrols, risk management,regulatory requirements)Disaster recovery 45.2 41.3 47.8 17.7 18.9 21.6 24.6 20.3 26.4 22.7 29.3 37.1 21.4Evidential issues 40.8 36.3 41.5 29.2 43.6 35.6 55.2 35.3 40.0 24.5 34.5 56.3 38.5Emerging markets 11.9 10.4 15.0 5.9 8.0 10.1 13.1 11.1 10.0 15.5 11.5 12.5 12.1Environmental 13.1 9.3 20.6 12.9 11.8 7.9 18.6 13.4 12.4 18.2 11.5 17.6 17.3sustainabilityExecutive compensation 19.8 9.8 17.2 8.2 13.1 7.4 18.2 11.6 11.1 19.8 14.5 21.2 14.3Fraud prevention/ 75.1 71.7 73.4 52.7 56.9 64.7 69.2 64.8 72.8 65.8 63.2 82.9 60.7detectionGlobalization 14.4 7.7 18.1 13.4 12.9 12.5 29.0 12.9 15.6 23.9 19.0 14.7 15.2Intellectual property and 22.3 18.7 24.7 10.6 16.6 10.7 23.2 14.9 16.7 24.1 17.5 14.3 14.7knowledge assessmentIT management assessment 48.7 47.8 48.0 26.0 37.2 45.0 62.7 46.8 42.7 51.8 36.9 48.6 37.9Knowledge management 31.4 27.6 34.2 12.4 18.5 20.6 28.4 16.8 26.7 23.6 23.1 17.6 21.4systems developmentreviewMergers and acquisitions 20.6 12.7 19.9 8.2 12.1 19.1 23.8 20.0 23.3 14.5 12.7 8.6 13.5Project management 44.4 45.3 50.4 32.0 30.2 40.6 36.2 33.4 28.1 42.2 30.5 41.2 31.7Provide training to the 40.2 29.4 39.5 16.1 15.1 13.2 31.7 26.8 19.1 24.8 23.1 31.4 23.3audit committeeRegulatory compliance 63.9 64.8 58.4 61.4 60.8 67.2 70.3 75.7 56.7 54.5 55.2 57.1 57.1assessment monitoringRisk management 69.5 76.9 79.6 46.4 57.7 62.7 67.7 68.8 56.0 67.9 67.1 76.5 52.9Strategic frameworks 29.2 29.1 39.0 15.2 20.5 13.5 39.8 19.2 22.4 31.2 22.4 47.1 25.3




Table 9-4-2Emerging Roles of the IAA - Likely to Have a Role in

Next Three Years by Groups*All Respondents in Percentages

Roles 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

Alignment of strategy and 31.0 36.1 37.7 41.7 41.9 26.5 43.3 37.3 46.7 20.0 41.8 54.3 39.6performance measures(e.g., Balanced Scorecard)Benchmarking 32.2 35.3 36.2 36.7 44.8 33.9 44.3 35.1 44.3 27.3 42.6 42.4 37.9Corporate governance 25.8 22.8 20.1 49.4 39.8 33.4 39.3 34.0 50.0 25.5 33.1 28.6 40.9Corporate social 23.9 36.5 36.5 39.0 30.5 29.7 41.4 39.9 39.1 31.2 42.2 42.4 38.0responsibilityDevelop training and 31.8 32.6 31.3 40.5 41.4 35.8 36.9 31.6 44.4 44.5 36.8 32.4 39.5education of organizationpersonnel (e.g., internalcontrols, risk management,regulatory requirements)Disaster recovery 24.7 27.2 25.2 24.6 27.7 20.8 37.4 21.9 46.2 19.1 39.1 40.0 27.2Evidential issues 22.4 24.2 26.6 29.2 25.8 20.3 25.8 21.1 27.8 19.1 35.1 34.4 25.1Emerging markets 19.1 18.1 27.4 23.8 24.7 16.3 35.6 20.9 26.7 12.7 37.9 43.8 25.2Environmental 17.9 26.2 32.8 28.1 24.5 21.2 37.5 29.3 33.7 20.0 38.5 55.9 27.3sustainabilityExecutive compensation 14.5 10.4 21.3 17.3 20.6 11.5 30.5 17.3 15.6 15.3 30.1 30.3 21.6Fraud prevention/ 18.9 19.0 17.5 38.9 32.0 25.1 25.3 23.4 21.7 21.6 28.7 8.6 30.1detectionGlobalization 13.9 19.1 21.2 42.4 24.6 16.6 33.8 21.3 22.2 15.6 37.4 35.3 31.4Intellectual property and 23.3 39.6 32.4 38.4 32.5 20.5 37.6 24.0 41.1 16.7 49.1 51.4 33.3knowledge assessmentIT management assessment 27.5 31.9 32.2 41.5 43.9 31.2 29.2 32.6 44.9 24.5 42.0 42.9 39.4Knowledge management 31.3 43.1 39.1 45.0 47.8 36.4 45.1 42.0 46.7 33.6 46.8 64.7 41.8systems developmentreviewMergers and acquisitions 21.8 17.7 20.1 23.5 25.8 20.9 28.5 25.0 32.2 20.0 32.4 42.9 28.1Project management 23.2 26.3 28.4 37.9 37.5 27.4 30.7 25.7 36.0 25.7 32.2 41.2 33.1Provide training to the 30.0 41.1 36.5 39.2 36.0 31.1 41.9 34.4 43.8 32.1 48.6 51.4 38.4audit committeeRegulatory compliance 20.8 21.4 27.7 28.6 25.7 22.0 22.6 16.4 36.7 19.1 32.0 31.4 29.8assessment monitoringRisk management 22.2 18.1 15.8 46.8 31.6 28.3 25.5 23.5 38.5 22.0 28.9 17.6 37.1Strategic frameworks 33.2 37.4 37.7 44.4 41.4 33.1 40.3 35.4 54.1 25.7 48.3 41.2 43.3




Table 9-4-3 summarizes the areas where respondents think the IAA would not have a role in thenext three years. The areas that most groups agree that the IAA will not have a role in theforeseeable future are emerging markets, environmental sustainability, executive compensation,and intellectual property and knowledge assessment.

Table 9-4-3Emerging Roles of the IAA – Not Likely to Have a Role in

Next Three Years by Groups*All Respondents in Percentages

Roles 1 2 3 4 5 6 7 8 9 10 11 12 N/C**

Alignment of strategy and 34.7 34.4 24.2 31.3 25.1 41.9 12.2 28.9 18.9 41.8 22.0 11.4 26.3performance measures(e.g., Balanced Scorecard)Benchmarking 28.5 31.5 23.4 35.5 17.3 33.3 16.2 26.6 11.4 34.5 18.8 3.0 22.9Corporate governance 12.9 6.0 3.4 20.8 13.8 13.5 6.9 8.3 6.7 12.7 3.9 5.7 15.3Corporate social 38.7 38.1 26.5 33.6 36.7 46.2 19.0 25.1 26.4 45.9 30.6 21.2 29.2responsibilityDevelop training and 16.0 19.0 15.0 13.3 14.3 28.5 7.8 13.6 10.0 18.2 10.9 0.0 14.3education of organizationpersonnel (e.g., internalcontrols, risk management,regulatory requirements)Disaster recovery 25.4 29.9 23.2 40.0 28.2 41.8 23.6 38.4 19.8 50.0 25.9 11.4 29.3Evidential issues 25.4 28.6 21.3 26.2 18.4 31.8 10.3 22.7 21.1 45.5 19.5 3.1 21.3Emerging markets 44.0 48.9 33.3 45.7 32.4 43.5 30.4 37.5 43.3 41.8 35.1 25.0 31.1Environmental 46.5 49.2 31.7 38.3 33.3 46.8 26.5 35.2 38.2 50.9 37.4 11.8 30.9sustainabilityExecutive compensation 49.1 59.6 44.1 45.5 41.4 50.1 30.0 44.7 47.8 46.8 41.6 30.3 37.1Fraud prevention/detection 4.0 7.1 7.0 6.1 7.6 8.4 3.3 7.9 4.3 12.6 4.0 5.7 6.2Globalization 37.7 42.6 32.9 29.0 30.0 40.1 24.9 36.9 46.7 37.6 34.5 35.3 29.7Intellectual property and 36.7 31.3 30.7 36.5 29.8 44.9 24.5 40.4 28.9 50.0 24.0 14.3 34.0knowledge assessmentIT management assessment 19.5 17.6 15.9 22.5 11.0 18.8 3.8 15.4 9.0 20.9 17.0 2.9 16.8Knowledge management 28.4 23.8 22.1 28.7 22.7 34.0 19.6 30.3 22.2 34.5 24.3 8.8 25.4systems developmentreviewMergers and acquisitions 29.6 30.4 30.4 40.8 28.3 36.8 27.2 32.1 28.9 36.4 39.9 25.7 28.6Project management 26.0 22.3 18.7 20.2 21.7 27.9 24.0 31.4 22.5 25.7 30.5 5.9 22.7Provide training to the 20.1 25.0 19.2 27.5 23.0 32.8 13.6 23.7 22.5 25.7 22.0 11.4 22.4audit committeeRegulatory compliance 11.0 12.1 11.4 8.9 8.2 7.6 3.8 4.0 4.4 19.1 11.6 2.9 8.4assessment monitoringRisk management 6.2 3.3 3.4 4.9 6.6 7.9 2.5 5.5 3.3 10.1 3.5 0.0 6.8Strategic frameworks 30.1 25.8 19.0 29.2 25.2 45.2 12.9 33.4 17.6 37.6 20.7 2.9 21.5*For a list of groups, please see the inside back cover.**N/C = Respondents did not indicate affiliate or chapter membership.



Organizational Environment and Key Activities of the IAA

This final section of the chapter captures CAE and Audit Manager respondents’ agreement withstatements about their organizations and their IAA’s role in the organization. The survey asked if astatement currently applies, is likely to apply within the next three years, or will not apply in theforeseeable future. As listed in Table 9-5, 61.2% of the respondents indicate that their countriescurrently have laws or regulations that require organizations to have an IAA and an additional13.1% anticipate having such requirements in the next three years. Corporate governance codesare complied with in 67.7% of the organizations with 22.7% of the respondents’ organizationslikely to comply with a corporate governance code in the next three years. In 70.5% of therespondents’ organizations, there is an internal control framework and 24.3% indicate that theirorganizations will have a framework in the next three years.

Assurance audits receive more emphasis than consulting services in 71.5% of the organizations.The IAAs (64.3% currently, 25.3% more in three years) educate their organizations’ personnelabout internal control, corporate governance, and compliance issues. Many IAAs (55.7% currently,25.6% more in three years) have an important role in the integrity of their organizations’ financialreporting. Internal auditors anticipate having a growing advisory involvement in the development ofstrategy (28.9% currently, 32.7% in the next three years) while 30.3% noted they would not havean advisory role in strategy development in the foreseeable future. Providing training to auditcommittee members (34% currently, 32.3% in the next three years) is also anticipated to increase.Implementation of a knowledge management system is expected to escalate (25.6% currently,43.9% in the next three years) while 20.6% indicate their organizations will not apply a knowledgemanagement system in the foreseeable future.



Table 9-5How Statements Apply to Your Organization

CAEs’ and Audit Managers’ Agreement with Statements in Percentages

Statement Number of Currently Likely to Will Not Not TotalRespondents Applies Apply Apply in the Applicable

Within the ForeseeableNext 3 FutureYears

Internal auditing is required 3,464 61.2 13.1 12.9 12.8 100.0by law or regulation wherethe organization is based.Internal auditors in the 3,445 28.9 32.7 30.3 8.1 100.0organization have anadvisory role in strategydevelopmentThe organization complies 3,447 67.7 22.7 4.3 5.3 100.0with a corporate governancecode.The organization has 3,443 70.5 24.3 3.5 1.7 100.0implemented an internalcontrol framework.The organization has 3,423 25.6 43.9 20.6 9.9 100.0implemented a knowledgemanagement systemThe internal audit activity 3,424 34.0 32.3 18.5 15.2 100.0has provided training toaudit committee members.The internal audit activity 3,437 55.7 25.6 13.8 4.9 100.0assumes an important rolein the integrity of financialreporting.The internal audit activity 3,437 64.3 25.3 7.3 3.1 100.0educates organizationpersonnel about internalcontrols, corporategovernance, and complianceissues.The internal audit activity 3,448 71.5 15.2 8.4 4.9 100.0places more emphasis onassurance than consultingservices.



Tables 9-5-1 and 9-5-2 provide information by groups for CAE and Audit Manager respondents’current agreement with these statements and the likelihood of application in the next three years.The group tables show that the majority (48.0% up to 84.2%) live in countries that have or likelywill have laws and regulations in the next three years requiring organizations to have internalauditors. Most organizations within the groups have (49.1% to 78.8%) or likely will adopt (16.8%to 45.3%) an internal control framework in the next three years projecting coverage of over 90%of the respondents’ IAAs. Most respondents within the groups agree that the IAA does or willassume an important role in the integrity of financial reporting, educates organization personnelabout internal controls, corporate governance and compliance issues, and places more emphasison assurance than internal controls and consulting services. In most groups, the advisory role theIAA has in the organization’s strategy development (currently 17.5% - 39.5% with group 12 at60%) will likely significantly increase in the next three years.



Tabl

e 9-5

-1H

ow S

tate

men

ts C

urre

ntly

App

ly to

Res

pond

ents

’ Org

aniz

atio

ns b

y G

roup

s*C

AE

and

Aud

it M

anag

er A

gree

men

t with

Sta

tem

ents

in P

erce

ntag

es

Stat

emen

t1

23

45

67

89

1011

12N

/C**

Inte

rnal

aud

iting

is r

equi

red

58.0

48.0

67.7

80.0

64.7

60.6

65.7

62.4

52.7

54.7

66.4

84.2

58.8

by la

w o

r re

gula

tion

whe

reth

e or

gani

zatio

n is

bas

ed.

Inte

rnal

aud

itors

in

the

29.7

30.3

33.8

39.5

22.8

17.5

35.5

22.9

37.0

20.8

33.9

60.0

28.4

orga

niza

tion

have

an

advi

sory

role

in

stra

tegy

dev

elop

men

tTh

e or

gani

zatio

n co

mpl

ies

73.8

72.4

79.6

55.5

60.3

54.8

55.7

66.9

53.7

54.7

71.9

55.0

56.6

with

a c

orpo

rate

gov

erna

nce

code

.Th

e or

gani

zatio

n ha

s70

.471

.373

.278

.861

.259

.278

.477

.565

.549

.177

.963

.265

.5im

plem

ente

d an

int

erna

lco

ntro

l fr

amew

ork.

The

orga

niza

tion

has

22.9

27.9

32.4

30.5

25.2

19.3

26.5

26.2

46.3

25.0

33.9

26.3

23.9

impl

emen

ted

a kn

owle

dge

man

agem

ent

syst

emTh

e in

tern

al a

udit

activ

ity46

.935

.843

.417

.414

.513

.034

.024

.021

.220

.821

.915

.023

.0ha

s pr

ovid

ed t

rain

ing

toau

dit

com

mitt

ee m

embe

rs.

The

inte

rnal

aud

it ac

tivity

64.1

62.3

58.4

42.4

39.5

45.2

58.1

46.7

54.7

39.6

62.8

50.0

47.5

assu

mes

an

impo

rtant

rol

ein

the

int

egrit

y of

fin

anci

alre

port

ing.

The

inte

rnal

aud

it ac

tivity

73.1

68.0

71.3

47.1

50.2

42.7

66.2

62.9

45.5

43.4

65.8

60.0

53.2

educ

ates

org

aniz

atio

npe

rson

nel

abou

t in

tern

alco

ntro

ls,

corp

orat

ego

vern

ance

, an

d co

mpl

ianc

eis

sues

.Th

e in

tern

al a

udit

activ

ity75

.272

.481

.665

.060

.968

.871

.267

.158

.262

.369

.378

.966

.8pl

aces

mor

e em

phas

is o

nas

sura

nce

than

con

sulti

ngse

rvic

es.

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.



Tabl

e 9-5

-2H

ow S

tate

men

ts a

re L

ikel

y to

App

ly W

ithin

the N

ext 3

Yea

rs t

oR

espo

nden

ts’ O

rgan

izat

ions

by

Gro

ups*

CA

E a

nd A

udit

Man

ager

Agr

eem

ent w

ith S

tate

men

ts in

Per

cent

ages

Stat

emen

t1

23

45

67

89

1011

12N

/C**

Inte

rnal

aud

iting

is r

equi

red

by9.

616

.313

.113

.315

.113

.013

.015

.432

.711

.315

.510

.520

.8la

w o

r re

gula

tion

whe

re t

heor

gani

zatio

n is

bas

ed.

Inte

rnal

aud

itors

in

the

28.6

24.6

32.7

32.8

41.8

31.6

43.9

33.8

44.4

17.0

42.6

35.0

36.7

orga

niza

tion

have

an

advi

sory

role

in

stra

tegy

dev

elop

men

tTh

e or

gani

zatio

n co

mpl

ies

16.8

22.8

17.3

40.3

28.4

27.9

33.5

22.8

44.4

24.5

21.1

40.0

29.2

with

a c

orpo

rate

gov

erna

nce

code

.Th

e or

gani

zatio

n ha

s23

.223

.823

.618

.632

.832

.519

.720

.227

.345

.316

.831

.629

.5im

plem

ente

d an

int

erna

lco

ntro

l fr

amew

ork.

The

orga

niza

tion

has

37.4

49.2

49.6

47.5

49.1

43.5

51.2

45.3

44.4

46.2

47.0

63.2

53.2

impl

emen

ted

a kn

owle

dge

man

agem

ent

syst

emTh

e in

tern

al a

udit

activ

ity27

.934

.131

.346

.132

.027

.539

.630

.251

.930

.248

.275

.038

.7ha

s pr

ovid

ed t

rain

ing

toau

dit

com

mitt

ee m

embe

rs.

The

inte

rnal

aud

it ac

tivity

20.9

19.7

27.4

37.3

29.4

27.9

31.2

30.5

34.0

18.9

27.4

40.0

26.2

assu

mes

an

impo

rtant

rol

ein

the

int

egrit

y of

fin

anci

alre

port

ing.

The

inte

rnal

aud

it ac

tivity

20.1

23.8

20.9

35.5

32.3

30.6

26.8

26.6

43.6

30.2

26.3

35.0

34.7

educ

ates

org

aniz

atio

npe

rson

nel

abou

t in

tern

alco

ntro

ls,

corp

orat

ego

vern

ance

, an

d co

mpl

ianc

eis

sues

.Th

e in

tern

al a

udit

activ

ity11

.919

.59.

928

.320

.614

.418

.612

.629

.122

.621

.115

.821

.8pl

aces

mor

e em

phas

is o

nas

sura

nce

than

con

sulti

ngse

rvic

es.

*For

a l

ist

of g

roup

s, p

leas

e se

e th

e in

side

bac

k co

ver.

**N

/C =

Res

pond

ents

did

not

ind

icat

e af

filia

te o

r ch

apte

r m

embe

rshi

p.



Summary

Internal auditing has evolved significantly from its origins in the early 20th century. The results ofCBOK demonstrate that internal auditing will continue to evolve in the future by incorporating newresponsibilities and having an impact on more areas of the organization.

It is especially interesting to note that respondents indicated their IAA’s responsibilities increasingin all of the major types of audits that are currently being performed, some by large amounts. Forexample, risk management is expected to increase 79.5% over the next three years. Furthermore,it does not appear that any of the current types of audits performed will decrease in any significantway over the next three years.

As the profession evolves, emerging roles to monitor include alignment of strategy and performancemeasures, benchmarking, knowledge management, systems development review, and strategicframeworks. Each of these was indicated by respondents as having an increase of more than 35%over the next three years.

Executive compensation stood out in the CBOK results as clearly showing that IAAs do notcurrently and most likely will not have a role in the future. Respondents indicate that 16% of IAAscurrently have a role and 17.7% are likely to have a role in the next three years. This is comparedwith 45.4% of respondents who indicate that their IAA is unlikely to have a role in the next threeyears in this activity.



_____________________________ Chapter 10: Research Method and Literature Review 359


CHAPTER 10RESEARCH METHOD

AND LITERATURE REVIEW

This chapter reviews the research method used to gather the data for the Common Body ofKnowledge (CBOK) 2006 study and provides a literature review prepared by each of the researchteams listed below summarizing the past studies reviewed prior to preparing the CBOKquestionnaires.

RESEARCH METHOD

Project Teams

The research team was comprised of three international teams that were selected from the responsesto the CBOK request for proposals. Table 10-1 lists the members of the three CBOK 2006 teams.Based on the location of the selected research teams, the international affiliates and chapters werebroken down into three broad geographical areas.



Table 10-1Research Teams

Teams General Areasof Responsibilities

Lead Team• Priscilla A.Burnaby (Bentley College, United States) – North, Central, and

Project Coordinator and Team Coordinator South America and• Susan Hass (Simmons College, United States) the Caribbean• Mohammad J. Abdolmohammadi (Bentley College,

United States)• Rob Melville (Cass Business School, England) – Europe and Africa

Team Coordinator• Marco Allegrini and Giuseppe D’Onza

(University of Pisa, Italy)• Leen Paape (Erasmus University, Netherlands)• Gerrit Sarens (University of Ghent, Belgium)• Marinda M. Marais (University of South Africa)• Elmarie Sadler (University of South Africa)• Houdini Fourie (Tshwane University of

Technology, South Africa)• Barry J. Cooper (Deakin University, Australia) – Asia and Pacific

Team Coordinator• Philomena Leung (Deakin University, Australia)



Pilot Test and Literature Review1

The pre-scope questionnaire sent to practitioners for their input was developed after reviewing theProfessional Practices Framework (The IIA, 2004) and performing a literature review of currentinternal auditing studies around the world. A summary of the literature review is included in thesecond part of this chapter. The objective of the pilot survey was to determine what practitionersbelieved should be included in the CBOK 2006 questionnaires. Based upon discussions withknowledgeable internal auditors, key stakeholders at The IIA, and the literature review, the followingtopics were selected for inclusion in the pilot survey:

• Audit methods, tools, and techniques• Auditor skill sets• Certification and professional development• Emerging trends in internal auditing• Evaluation of staff• Internal auditing standards from the Professional Practices Framework• Percentage of time spent on different types of audits in 2005• Role of the board of directors and audit committee• Specific areas of knowledge required of internal auditors

To collect data from a small representative group of experienced internal auditors, the pre-scopequestionnaire was sent to a number of internal auditors in various regions of the world by each ofthe three global teams. The respondents were asked to indicate which items listed on the pre-scope questionnaire should be included or excluded from the CBOK 2006 study. Each topic on thepilot questionnaire was followed by a request for the respondents to add related areas and questionsthat they thought should be included in the final questionnaire.

Sixty-three responses were received from nine countries. Table 10-2 indicates the number ofresponses from each country. Appendix 10-A contains the pre-scope questionnaire and a summaryof the responses, including the respondents’ suggestions for additional areas to be included inCBOK 2006. A majority of participants agreed with the inclusion in the study of most of the topicsin the pre-scope questionnaire and provided insights into other topics that should be included.These areas were priorities for inclusion in the final CBOK questionnaires.




Table 10-2Summary of Pilot Test Respondents by Countries

Countries RespondentsAsia

Australia 11New Zealand 5Malaysia 2

EuropeBelgium 9France 2Italy 6South Africa 1U.K./Ireland 13

USA 14Total 63

To include current practices and explore emerging practices in the profession, CBOK 2006incorporated several topics that were not included in prior CBOK studies. This was based on theliterature review and the results of the pilot survey. Appendix 10-B lists topical areas covered inpast CBOK studies and those that were covered in CBOK 2006. CBOK 2006 used The IIA’sInternational Standards for the Professional Practice of Internal Auditing (Standards) as ofSeptember 2006, the date of the study, as the basis for the focus of the study. The Standardscontain the expanded scope in The IIA’s definition of internal auditing, which includes governance,risk management, and internal control engagements for the internal audit activity (IAA).



CBOK 2006 Questionnaires

Due to the need expressed by The IIA’s CBOK Steering Committee to limit the members’ responsetime to 40 minutes, it was decided to create three separate CBOK questionnaires as follows:

1. Affiliates: The IIA is fortunate to have numerous Affiliate organizations around the world thatprovide services to their geographic area in cooperation with IIA headquarters. This questionnaireasked affiliate leaders questions about regulatory and cultural differences affecting the applicationof ethics and the Standards in their area. One questionnaire was sent to each participatingaffiliate.

2. Chief Audit Executives (CAEs): The Standards define the CAE as the highest positionwithin the organization responsible for the internal audit activity (IAA). Data on the status ofthe IAA within the organization, application of the Standards, skills needed at each staff level,and emerging audit roles were collected from CAEs worldwide.

3. Practitioners: For purposes of this study, Practitioners are all other internal auditors that arenot CAEs. Data about the application of the Standards, how an audit is performed, skill setsneeded, and the emerging roles of IAA were collected from internal auditors worldwide.

The three detailed questionnaires developed by the CBOK 2006 teams were subjected to closescrutiny by The IIA CBOK 2006 Steering Committee. Once the final questions were selected, thequestionnaires were reviewed by a statistical expert and a small group of internal auditors worldwideto ensure completeness and validity. Based on their comments, the final questionnaires weredeveloped and translated from English into 16 languages (Spanish, French, German, Russian, Czech,Turkish, Simplified Chinese, Japanese, Traditional Chinese, Indonesian, Arabic, Polish, Bulgarian,Italian, Portuguese, and Swedish). In September 2006, the CAE and Practitioner questionnaireswere distributed electronically to The IIA membership by participating affiliates, chapters, andUnited States members that allow The IIA to send them e-mails using the survey software Peruses.The Affiliate questionnaire was distributed by The IIA in December 2006. As some of the questionsfor the CAE and Practitioner questionnaires were the same, the questionnaires were combined fortranslation. Please see Appendix 10-C for the combined CAE and Practitioner questionnaire. Aguide for which questions were asked of all participants or either the CAE or the Practitioner isprovided in the first two pages of Appendix 10-C.



Number of Responses

As of September 2006, The IIA had approximately 127,700 members. As listed in Table 10-3, themembership was made up of 143 chapters in the United States, 11 chapters in Canada, 9 chaptersin the Caribbean, and 94 affiliates. The total number of responses to the CAE and Practitionerquestionnaires was 15,028. After the responses that were deemed not usable were deleted fromthe database, 9,366 usable responses remained resulting in a 7.3% overall response rate. Due tosome Affiliates not participating and some members who have opted not to receive e-mails fromThe IIA, the survey was sent to approximately 99,000 members resulting in an estimated 9.5%response rate. The respondents represent 91 countries as one of the participating countries hastwo affiliates.

Table 10-3Number of Participating Chapters and Affiliates

Area *Number of 1 or More Usable Number of AffiliatesChapters/Affiliates Responses from that Returned CBOK

Chapters/Affiliates AffiliateQuestionnaire

U.S.A. 143 133 Not ApplicableCanada 11 11 Not ApplicableCaribbean 9 7 Not ApplicableIIA Affiliates 94 83 46

*Tallied from The IIA’s Web site

Responses were determined to not be useable if the reply was empty or the respondent did notanswer enough questions to be considered for inclusion. A total of 133 United States’ chapters, allof the Canadian chapters, and 7 of the Caribbean chapters participated in CBOK 2006. Eighty-three affiliates had at least one usable CAE or Practitioner response. The number of respondentsfor the United States, Canada, and the Caribbean and for each participating affiliate is summarizedin Appendix 1-B of Chapter 1 and on the inside back cover of this research report. Forty-sixaffiliates returned the CBOK Affiliate questionnaire by the January 15, 2007, cutoff date forinclusion (noted by a + sign in Appendix 1-B in Chapter 1).

Clustering for Groups

As data was collected from numerous affiliates and chapters, a methodology was needed to combinethem into groups for comparison of responses. Clustering literature was reviewed for plausible



ways to combine affiliates and chapters by cultural classification. Pioneer work for culturalclassification was performed by Hofstede (1980), who argued that the four dimensions of PowerDistance, Individualism, Masculinity, and Uncertainty Avoidance influence work environments.Based on these dimensions, Hofstede (1983) classified fifty countries into different cultural zones.In 2004, House et al. expanded Hofstede’s dimensions and the number of countries classified intocultural zones. House et al. (2004) used nine dimensions to classify 62 countries into variouscategories. Table 10-4 defines and lists the dimensions used by Hofstede (1983) and House et al.(2004).

Table 10-4Cultural Classification Criteria

No. Criterion Definition +

1* Uncertainty The extent to which members of an organization or society strive to avoidAvoidance uncertainty by relying on established social norms, rituals, and bureaucratic

practices.2* Power The degree to which members of an organization or society expect and agree

Distance that power should be stratified and concentrated at higher levels of anorganization or government.

3** Institutional The degree to which organizational and societal institutional practicesCollectivism encourage and reward collective distribution of resources and collective

action.4** In-group The degree to which individuals express pride, loyalty, and cohesiveness in

Collectivism their organizations or families.5*** Gender The degree to which an organization or society minimizes gender role

Egalitarianism differences while promoting gender equality.6*** Assertiveness The degree to which individuals in organizations or societies are assertive,

confrontational, and aggressive in social relationships.7@ Future The degree to which individuals in organizations or societies engage in

Orientation future-oriented behaviors such as planning, investing in the future, anddelaying individual or collective gratification.

8@ Performance The degree to which an organization or society encourages and rewardsOrientation group members for performance improvement and excellence.

9@ Human The degree to which individuals in organizations or societies encourage andOrientation reward individuals for being fair, altruistic, friendly, generous, caring, and

kind to others.

+Definitions are from House and Javidan (2004, 11-13)*These two criteria are the same as those of Hofstede’s (1980)**These two criteria are based on Hofstede’s (1980) Individualism***These two criteria are based on Hofstede’s (1980) Masculinity.@House et al. (2004) added these based on literature other than Hofstede (1980).



Since The IIA has affiliates in over 100 countries, the House et al. (2004) classification of 62societies was insufficient for complete classification of the CBOK 2006 participants. By usingadditional information from the Central Intelligence Agency World Fact Book (2006), affiliatelanguage, geographical location, and discussions with The IIA staff and leadership, the affiliatesand chapters were classified into 12 groups. Respondents who did not indicate membership in aspecific affiliate or chapter were clustered into a 13th group that was included in statistical summariesfor the aggregate results but not in affiliate or chapter cultural cluster results. Please refer to theinside back cover of this report for the groups used for the analysis of responses for CBOK 2006.



LITERATURE REVIEW

Introduction

The objective of the literature review for CBOK 2006 was to provide a summary of publishedarticles, studies on special topics, and research projects about the practice of internal auditingaround the world as determined by the research teams around the world. Each research teamprepared a literature review for the countries in their area of the world.

Prior IIA CBOK Studies2

Overview

The IIA has sponsored four prior CBOK studies. Appendix 10-C lists the topical areas covered inthese studies and identifies topical areas covered in the CBOK 2006 study. The past four CBOKstudies are summarized in the following section. Table 10-5 compares the number of participatingcountries and usable questionnaire responses used in each CBOK study.

Table 10-5Comparison of CBOK’s Number of Countries and Number of Respondents

CBOK Year Number of Number of UsableNumber Countries Respondents

I 1972 1 75II 1985 2 340III 1991 2 1,163IV 1999 21 136V 2006 91 9,366




CBOK I in 1972

The objective of CBOK I (Gobeil, 1972) was to define the CBOK for the profession of internalauditing. The survey was conducted only in the United States. The report was based on a sampleof 100 internal auditors from which there were 75 responses. The questionnaires were distributedto The IIA’s international officers, directors, and the chairs and committee members of allinternational committees. It attempted to define and interpret three areas. The first area was toestablish the knowledge that internal auditors should possess to be considered professionally proficient.The second area of interest was the knowledge required for candidates sitting for the CertifiedInternal Auditor (CIA) exam. The final area was the type of knowledge that should be the focus ofcontinuing professional development and training.

The study outlined three different levels of knowledge required in the three different subject matters(Gobeil, 1972), namely:

• Appreciation of the broad nature and fundamentals involved in, and an ability to recognizethe existence of special features and problems in, various business transactions, anddetermination of what further study or research must be undertaken under variousconditions.

• A sound appreciation of the broad aspects of practices and procedures and an awarenessof the problems related to more detailed aspects thereof. It also included the ability toapply such broad knowledge to situations likely to be encouraged, to recognize the moredetailed aspects which must be considered, and to carry out research and studies necessaryto come to a reasonable solution.

• A sound understanding of principles, practices, and procedures and the ability to applysuch knowledge to situations likely to be encountered in order to deal with all aspectswithout extensive recourse to technical research and assistance.

CBOK II in 1985

The objective of CBOK II (Barrett et al., 1985) was to establish the structure of the CBOK forpracticing internal auditors. This study included responses from the United States and Canada.The researchers first reviewed how the medical, legal, military, religious, accounting, and auditingprofessions determined their CBOK. Then they conducted interviews with directors and managersof large international audit departments in Canada and the United States. Based on this backgroundthe researchers developed and distributed questionnaires to approximately 900 individuals of whom340 returned usable responses.



The researchers identified three key areas of CBOK: knowledge of relevant disciplines; skillsneeded to perform appropriate internal auditing tasks; and experiences necessary to be professionallyqualified, proficient, and a competent internal auditor. Barrett et al. (1985) presented three broadconclusions. First, senior internal auditors should have a firm grasp of the core academic disciplinesof auditing and computer systems and a working knowledge of communications and accounting.Second, at the bottom of the importance scale of knowledge is marketing. Finally, entry-levelinternal auditors are expected to possess as much knowledge but fewer skills as senior-levelauditors, and senior-level (not entry-level) auditors are expected to become professionally certified.

CBOK III in 1991

Albrecht et al. (1992) sent questionnaires to internal auditors in Canada and the United States. Ofthe 1,247 returned questionnaires, 1,163 responses were usable. The research method used by theauthors was the most elaborate of the CBOK studies to date. It included:

• Review of current internal audit literature.• Interviews with content experts in the subject areas identified by the literature review.• Development of the initial questionnaire.• One-day meetings with selected groups of internal audit practitioners in various cities.• Distribution of the CBOK questionnaire to practicing internal auditors and analysis of the

data.

This study contributed to the literature in several significant ways. It identified the competenciesand knowledge that was required for internal auditors to practice at varying levels of experience.It also identified the most appropriate setting (formal education, professional development seminars,or on-the-job experience) where the competency should be acquired. The researchers includedthe following in their findings:

• The knowledge included in the CBOK• The levels at which internal auditors should possess various knowledge elements of the

CBOK• The kind of knowledge that should be included on the CIA examination• The kind of knowledge that should be included in professional development and training

seminars for internal auditors

The authors found that a major demographic factor causing responses to the CBOK questionnaireto vary was the position level of the respondent. As auditors move from staff auditor to senior, tomanager, and finally to director, there are changes in what the respondents perceived should be therequired CBOK.



CFIA in 1999 (CBOK IV)

The next CBOK project, known as the Competency Framework for Internal Auditing (CFIA),was undertaken by a group of researchers in Australia. The study resulted in the publication of fivedetailed monographs (see Birkett, et al., 1999). To summarize the large amount of informationpresented, The IIA published a short executive summary monograph (McIntosh, 1999). Thesestudies surveyed five groups of participants and provided information about the changing nature ofinternal auditing from compliance to assurance, risk exposures, and control strategies.

The scope of Birkett, et al.’s (1999) studies addressed the areas of the future of the internal auditprofession, the value proposition of internal auditing, the critical competencies of internal auditors,global practices, and an assessment of these competencies. One of the interesting conclusionsfrom this study was that the future will be driven by global organizational change, which would beaccompanied by lower independence for internal auditors. The monographs also concluded thatinternal auditors must increasingly get involved with the assessment of risk and strategies forcontrol. The authors proved to be correct as both of these issues have been addressed by the U.S.Sarbanes-Oxley Act of 2002.

Internal Auditing: The Global Landscape

Birkett, et al. (1999) found that there were major difficulties in discussing the topic of internalauditing at a global level. They found that there was a lack of common meaning for terms like“internal control” and “compliance.” There were also differences in interpretation of “propergovernance.” The surveyed countries agreed on the desired skills that an internal auditor shouldpossess, including cognitive, behavioral, technical, analytic, appreciative, personal, interpersonal,and organizational skills. It was also important for internal auditors to have knowledge in specificareas such as information systems, finance, risk analysis, accounting, internal auditing, benchmarkingtechniques, and legal/regulatory systems. The respondents expressed concern that the certificationrequirements for the CIA designation were oriented toward North American practice. Major issuesand concerns that would affect the profession in the future were identified as globalization, increasedcompetition, rapid technological advancement, and changes in corporate governance.

Internal Auditing Knowledge: Global Perspectives

The profession of internal auditing was also discussed at the global level. The internal auditor’swork environment was further analyzed by its context, factors of influence, key roles in the function,critical knowledge/expertise needed, and the evaluation of the auditing function. The key roles inthe auditing function included audit management, project leader, internal auditor, management



development trainee, specialist, and external consultant. A competent internal audit departmentmust have knowledge of the organization, auditing tasks, technical applications, managementprocesses, risk/control framework, and commercial viability. Developing competency within internalauditing was done through an improved recruiting process and implementation of training/developmentprograms. The auditing function was then assessed based on the linkage between their activitiesand the value they provided. It was suspected that in the future, internal auditing would take on amore anticipatory/proactive role which brought up a discussion on auditors’ independence.

Competency: Best Practices and Competent Practitioners

This monograph includes six units, 27 elements, and many sub-elements, which are assessed throughbest practices. The focus of the monograph was on internal auditor competencies (skills) andcapabilities (potential for making judgment). The authors found that competency was the relationshipbetween task performance and individual attributes such as knowledge, skills, and attitudes(McIntosh, 1999, p. 4). The authors argued for common terminology but admitted that this was notan easy task because there is no equivalent for certain terminology (e.g., compliance) in somecountries.

Competency was defined in terms of best practices that are subject to benchmarks. The authorsdefined competency standards in terms of units of set tasks needed to meet the fundamentalrequirements of performing the audit. Elements of competency are subsets of tasks such asunderstanding organizational objectives/strategies, processes and capabilities, and the contextualdynamics affecting its functioning and sub-elements such as “identify/clarify the organization’sobjectives.” The authors listed six units of competency:

1. U1: Understanding risk2. U2: Understanding adequacy of control strategies3. U3: Improve risk management and control4. U4: Provide ongoing assurance to organizations5. U5: Manage the IA function6. U6: Manage the dynamic context that affect the work of the function

The Future of Internal Auditing: A Delphi Study

Birkett, et al. (1999) conducted a study that captured the opinions of 136 internal auditing expertsrepresenting 21 countries. The study focused on topics of importance to the future of the profession,key tasks performed, drivers of change, skills/knowledge required, and assessment criteria. Theresults indicated that the profession was gradually moving toward a focus on alignment with



organizational needs and how to create value for the organization. Drivers such as globalization,competition, increasing expectations/demands from stakeholders, legal perspectives, and technologywere changing the context of internal auditing work. With the changes that the profession wasfacing, auditors needed to be knowledgeable and aware of the importance of evaluating riskexposures. The assessment of the auditing function could be assessed internally according to theorganization’s value proposition or externally relative to best practices.

Assessing Competency in Internal Auditing: Structures and Methodologies

In this study, the authors provided four performance criteria: qualitative outcomes such as accuracy,critical process variables such as holistic review, evidence and performance such as relevantdocuments, and consulting and timing. The authors stated that the different designations of auditorlevels are trainee, team leader, manager, and director. Other designations included junior, senior,manager, and director. Internal auditors can also be called consultant, managing consultant, andvice president of audit.

North American Literature Review on Internal Auditing

Overview

The literature reviewed indicates that the role of the IAA has grown significantly over the yearsand given the significant change factors organizations are facing, such as the regulatory environmentand new technologies, it is likely to be subjected to more significant changes in the future. Theliterature is fairly extensive in its investigation of the internal auditor’s role in various corporategovernance issues. An extensive literature review by Gramling, et al. (2004) investigated theincreasing role of the IAA in corporate governance. Due to the recent review of this topic providedby Gramling, et al. (2004), that literature is not reviewed in detail in this chapter. The focus of thisliterature review is primarily on the external environment that is causing change in the organizationand the resulting expanded scope of audits required of the IAA.

The Professional Practices Framework of 2004

The most recent study undertaken by The IIA to determine the nature of the changes in internalauditing and the need to update the definition and standards of the profession was in 1999. Basedon this study The IIA published a report titled, A Vision for the Future: Professional PracticesFramework for Internal Auditing (The IIA, 1999). The report had the following objectives:



• Revise the definition of internal auditing• Produce a new framework• Improve existing processes of standards-setting and guidance development through better

coordination and leveraging of The IIA’s volunteer committees

This report resulted in changes to the definition of internal auditing, The IIA’s Code of Ethics, andThe IIA’s Standards. As seen below, the new definition of internal auditing expands the scope ofinternal auditing into corporate governance and risk management (The IIA, 2004):

Internal auditing is an independent, objective assurance and consulting activity designed toadd value and improve an organization’s operations. It helps an organization accomplish itsobjectives by bringing a systematic, disciplined approach to evaluate and improve theeffectiveness of risk management, control, and governance processes.

This is The IIA’s most proactive and comprehensive definition of internal auditing. It acknowledgesthe changing role of internal auditing in organizations, the need for a comprehensive and adaptableframework, and the ever-increasing value that the IAA contributes to contemporary organizationsof differing sizes and types.

As late as the beginning of the twenty-first century, the evolutionary practice of internal auditingresulted in developing internal audit best practices and adding value to the organization and itsstakeholders by understanding the link between internal audit and organizational goals. Before theenactment of Sarbanes-Oxley, internal audit services were focusing on detection, not prevention.Internal auditors were moving from a confrontational approach to partnering with managementand moving from a controls approach to a risk-based approach. They were also focusing onconsulting services (Roth, 2002).

Chapman and Anderson (2002) argue that the inclusion of assurance and consulting services in thenew definition of internal auditing results in internal auditing becoming a proactive, consumer-focused activity concerned with the important issues of control, risk management, and governance.The definition specifically states the internal audit activity (IAA) is designed to add value andimprove an organization’s operations (The IIA, 2002).

The Standards indicate examples of assurance engagements as financial, performance, compliance,system security, and diligence audits. Examples of consulting activities include conducting internalcontrol training, providing advice to management about the control concerns in new systems, draftingpolicies, and participating in quality teams. In addition, assurance services include financial auditing,performance auditing, and quick response auditing, and consulting services includes assessment



services, facilitation services, and remediation services (Anderson, 2003). These are all value-added activities and contribute to organizational success and strategic achievement. This wasreflected in the revised Professional Practices Framework which recognized that the IAA neededto support and promote a broad range of value-adding activities (RGTF, 1999). This also allowedfor the recognition of the practice of internal auditing as evolutionary in the competitive marketplace(Krogstad, et al., 1999). The next sections include more focused discussion of the factors thatsignificantly impact the future of the IAA.

Regulations

Prior to the need for compliance with the requirements of Sarbanes-Oxley in the United States andsimilar laws in other countries, the emphasis of the IAA in the late 1990s was more a consultativepartner with management (Roth and Espersen, 2003). Internal auditors also performed reviews ofcontrols over operational systems. In responding to regulatory and technological change factors,organizations are evolving in their need for different types of internal audit involvement. TheSarbanes-Oxley Act (2002) legislation in the United States resulted in extensive regulatoryrequirements for a more effective and better documented system of internal controls over financialreporting in publicly listed companies. The IAA is in an advantageous position to help organizationscomply with these requirements and is being called upon by companies to do much of the work indocumenting and testing key internal controls over financial reporting. The new regulatoryrequirements have increased the IAA’s participation in the development of control documentationand compliance auditing over financial reporting that was often left in the past to external auditors.

Sarbanes-Oxley legislation in the United States required the creation of the Public AccountingOversight Board in 2004 (PCAOB, 2004). PCAOB was created to reform the auditing of internalcontrol systems and financial reporting systems. The major objectives of the PCAOB are to enhancereliable financial reporting and to restore investor confidence after the business scandals andaccounting failures of early 2000s. Faced with the regulatory requirements of Sarbanes-Oxley,many organizations turned to their IAAs for help. Internal auditor involvement was primarilycompliance work surrounding the adequacy of key controls to aid in the increased reporting andgovernance requirements for publicly held companies. Although Sarbanes-Oxley work primarilyemphasized control compliance, it also required internal auditors to provide consulting activitiessuch as control system design.

Sarbanes-Oxley Changes Audit Coverage

The shift of the IAA to a compliance focus is a result of a regulatory regime imposed by therequirements of Sarbanes-Oxley (2002) and the PCAOB (2004). Also influential were the changes



in governance requirements that various stock exchanges implemented (Gray, 2004). Although theresulting involvement in responding to regulatory requirements is still deemed value-added work, itis a different trend than was evolving before the business scandals at the beginning of the centuryin such areas as governance and risk assessment.

An outcome of the current regulatory climate in the United States is that many IAA resources arespent on Sarbanes-Oxley compliance assurance work. A survey of audit managers undertaken inthe third quarter of 2005 indicated that Sarbanes-Oxley (2002) first-year compliance efforts utilized50% or more of internal audit (PwC, 2006). In the resource constrained paradigm within which theIAA operates, this emphasis means that resources must be diverted from operational audits andconsulting activities to increase Sarbanes-Oxley assurance services. This is a challenging resourceallocation problem for the IAA, where strong leadership and analytical skills as well as the abilityto manage projects more efficiently and effectively are required. Also needed are effectivecommunication and negotiation skills to interact with various stakeholders. When diverting resources,leaders of the IAA must be certain that they have a thorough understanding of how their workcontributes value and links to strategy execution and achievement.

The assurance work emphasis necessitated by regulatory requirements could also result in a negativereputation effect. For example, IAA stakeholders may develop a negative perception that is revertingback to the stereotypes of compliance duties in earlier periods. Gray (2004) argues that the imageof internal auditors may be regressing to that of “police” as they identify negative findings in theirassessment and tests of internal controls. This is a serious reputation issue that the IAA mustaddress. Internal auditors must understand when this is happening and neutralize or eliminate suchnegative perceptions if they are to be effective in their assurance and consulting activities, relationshipwith key stakeholders, and in their role as supporter of organizational success. Ignoring suchperceptions can result in reduced effectiveness of the IAA in its assurance and consulting activitiesand with stakeholders.

Finally, an outcome of the expanding regulatory requirements is that internal auditors work closelywith internal management and external auditors. Critics question whether this might damage theobjectivity of the IAA (Krell, 2005). Since independence and objectivity are the cornerstones ofthe definition of internal auditing, there is a need for development of holistic models in which theIAA can maintain its objectivity and independence despite the close working relationships withinternal management and external auditors. To do so may require internal auditors to use effectiveinterpersonal skills such as relationship management and team building, concepts that are widelyresearched and discussed in management science.



Risk Assessment

A recent survey shows that regulatory requirements diverted internal audit resources from otherimportant internal audit activities such as risk-based audits to assurance work (PwC, 2005A).Failure to address key strategic and operational risks as well as compliance risk in an annual auditprogram undermines the effectiveness of the IAA. It diminishes its strategic value to keystakeholders and exposes the enterprise to greater operational and financial risks in the future.Balancing all risks that an organization faces is imperative to the success of the IAA and theorganization as a whole (Krell, 2005).

Internal auditors must not only be able to assess risks in their larger organizations, they must alsobe able to complete complex risk analyses in their own IAA. Being able to self-evaluate is importantto the success of the IAA. To accomplish this, internal auditors need to possess increasing levelsof critical thinking, analysis, decision making, and logic. These are among the skills included in theCBOK 2006 study.

Increased Demands on the IAA

Balancing the complex, competing demands of stakeholder needs with limited IAA resources alsorequires effective management by the chief audit executive (CAE) (PwC, 2006). To be perceivedto add value, the internal audit activity must strategically align with the needs and priorities of all ofits key stakeholders, including the audit committee, executive management, and external auditors.Communicating the needs of the audit function, both orally and in writing, to key stakeholders iscritical to successfully maximizing resources. Effective risk analysis, time management, andprioritization of tasks are important skills for internal auditors to ensure effective utilization ofscarce resources.

The increased demand for the IAA services places strain on many departments’ limited timebudgets resulting in outsourcing and/or co-sourcing of activities. Rittenberg and Covaleski (1997)argue that outsourcing would be viable for functions that are not unique. For areas with specializedneeds or competencies, outsourcing may be a viable alternative. Outsourcing reduces the demandfor a scarce resource but requires management of external contract workers and their employers.CAEs must ensure that their management of internal audit staff is a transferable skill that can beused for the management of external co-sourcing relationships.



Information Technology

The information technology (IT) used by companies is becoming increasingly more complex. TheIAA must embrace technology, understand it, and be able to effectively audit the processes anduse it as an audit tool. Internal auditors will have to provide increased assurance by providing ITcontrol assessment within the system of internal controls. If IT controls are selected and implementedproperly on the basis of the risks they are designed to manage, then a methodology to continuouslymonitor IT control effectiveness and validity could provide the assurances needed (Le Grand,2005). Knowledge of IT controls, IT auditing techniques, and the current trends in IT enhancesunderstanding and efficient utilization of IAA resource.

While the complexity of IT makes auditing more challenging, it also provides an opportunity tostreamline internal audit activities by designing and utilizing continuous IT controls. This can relievesome of the stress of limited IAA resources that were noted previously. The use of continuousauditing may reduce the need for detailed annual reviews that have been typical in the past.Continuous auditing gives internal auditors the ability to monitor key business systems for bothanomalies at the transaction level and for data-driven indicators of control deficiencies and emergingrisk. This can also be incorporated into other aspects of the audit process (Coderre, 2005). Undercontinuous auditing, technology is an enabler, but must be initiated and managed by the IAA (Warren,2003). Continuous auditing should not be confused with continuous monitoring, which may bemanagement driven (COSO, 2004).

Computer-assisted audit tools (CAATs) can also expand audit coverage when there are finiteresources. Maintenance of existing resource levels while expanding the scope of continuousmonitoring and reporting of organizational effectiveness can be accomplished by utilization ofautomated testing capabilities. Effectively enhancing the extent of audit coverage would reducethe risks that arise with constrained resource allocation (PwC, 2005B). Training for computer skillsfor the internal audit staff would ensure IT expertise as an alternative to traditional manual audittechniques.

Risk-based Internal Auditing

The IIA’s Standards require the establishment of risk-based plans to determine that the prioritiesof the IAA are consistent with organizational goals. For example, the risk of noncompliance withthe regulatory requirements of Sarbanes-Oxley and other laws is a risk to the organization thatshould be assessed along with other risks when finalizing audit plans. Sarbanes-Oxley requiresmanagement’s development and monitoring of procedures and controls for making their requiredattestation regarding the adequacy of internal controls over financial reporting.



The Standards require that internal audit activities evaluate and contribute to the improvement ofthe organization’s risk management, control, and governance processes through consulting andassurance activities. Thus, after the first few years of compliance, the role of internal auditingactivity for Sarbanes-Oxley compliance should be one of support through consulting and assuranceactivities as outlined in the Standards (The IIA, 2004). This should allow the IAA to go back to abroader scope of services and provide more consulting than assurance services.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) releasedEnterprise Risk Management - Integrated Framework to help businesses respond to enterpriserisk management issues in their own organizations (COSO, 2004). The COSO definition of internalcontrol differs a bit from The IIA’s definition but the two are substantively similar enough that theyseek to accomplish the same purpose. Since assessing the effectiveness of risk management iscore to the globally accepted definition of internal auditing, the role of internal auditors must beclearly defined by organizations to ensure that they do not set the risk appetite, impose riskmanagement processes, or make decisions about risk responses. These are the duties ofmanagement. The IAA must not be accountable for risk management decisions for the organization(The IIA, 2005). The IAA must be objective and independent if it is to perform its value-addedduties and continue to contribute efficiently and effectively to corporate success.

The current emerging business trend appears to be that the business environment challenges manyorganizations to simultaneously strengthen their internal controls and sustain compliance withSarbanes-Oxley while also operating efficiently. After the first year of material compliance costs,organizations are faced with trying to reduce these costs. A top down risk-based approach to costcutting may help companies cut costs while identifying the most effective and efficient controlsneeded to both achieve compliance and reduce efforts (Deloitte, 2006). If this impacts the internalaudit activity in the future, concern about objectivity, independence, and risk may occur but mustinstantly be mitigated. By working independently and organizing the audit plan to focus on theneeds identified in a risk-based assessment in conjunction with discussion with key stakeholders,the IAA will be able to perform objective and independent audits.

Objectivity

Internal audit’s role is critical in assurance audits because it provides objective assurance (PwC,2005B). The assurance function of internal audit has always been perceived as an independentand continuing appraisal of an organization’s internal control system, providing appropriate assurancethat the systems were adequate, effective, and could be relied upon (The IIA, 2002). This isimportant because the internal control system comprises the entire network of systems establishedin an organization to provide reasonable assurance that organizational objectives will be achievedwith particular reference to risk; effective operations; economical and efficient use of resources;



compliance with procedures, laws, and regulations; safeguarding against loss, including fraud; andthe integrity and reliability of information and data (PwC, 2006). If auditors are to succeed in thisenvironment, they must be comfortable with governance, fraud, and ethical audits as they performan objective evaluation of the control environment.

New regulation has elevated internal auditing and moved it to the forefront of executive consciousnessand corporate governance. Internal auditors are now being viewed as the “go-to” group andmanagement is more receptive to changes and recognition of those individuals who help minimizethe negative consequences of disruption caused by the new regulations (Gray, 2004). Objectivityand professionalism are necessary for effective internal audit services. A change in the traditionalservices offered leads to an increase in the risks related to objectivity and independence. Managingthese risks requires auditors to be competent, have integrity, and to use due care when performingtheir duties. Training and education provide the foundation for the objectivity needed for auditorcompetence and adherence to moral values avoids the perception of deception (Mutchler, 2001).

Strategic Perspective

Due to the demands for increased corporate governance by external stakeholders, managementhas been demanding a more tangible explanation of value-added contributions from various functions(Zoellick, 2005). To be perceived to add value, the IAA must strategically align with the needs andpriorities of its key stakeholders, including the audit committee, executive management, and externalauditors. Strategic implementation has become increasingly important as organizations must competewith other, often more nimble, entities. Therefore, value for internal auditors may be defined assupporting the execution of strategy and those that lead its implementation (Simons, 2000).

To achieve this goal, foundational knowledge for internal auditors includes an understanding of thebusiness, the competitive nature of the industry, and the linkages of all functional and operationalareas in the company. The importance of academic training in foundational business subjects anda focus on the functions and skills learned in upper-level management courses appear critical fortoday’s new auditors. Without such knowledge, misunderstanding the strategic orientation ofstakeholders could impact perceived value added by and the success of the IAA.

Summary

The main message from this literature review is that understanding how internal audit activitiescreate value in an organization is of critical importance. Also important is the recognition that thecontemporary IAA is positioned to strategically align its goals with those of its many stakeholders,and yet must remain independent and objective. Another important message from this review isthat the IAA must position itself to be actively involved with risk assessment, control, and governance.



Given the regulatory requirements in the United States that have absorbed approximately 50 percentof the IAA’s limited resources, resource allocation has become a key activity of the IAA. Internalauditors need to take full advantage of new technologies such as continuous auditing and softwareinnovations in IAA department management. The IAA must use its limited resources to supportkey activities and organizational needs. Strategic alignment requires that the internal audit functionposture itself as vital to a rigorous, sustainable organizational vision of responsiveness to bothinternal and external needs. Enterprise risk assessment, and the subsequent allocation of resourcesto provide assurance about the adequacy of the control environment to key stakeholders, is adaunting task. Audits for all scope areas require a broad set of specialized skills.

Asia Pacific Literature Review on Internal Auditing3

Overview

Most available literature relates to Australia, New Zealand, China, Malaysia, Singapore, and HongKong. The approach in this literature review is to review the Asia Pacific developments inapproximate chronological order rather than country by country.

Early 1980s

The first known empirical study on the role of internal auditing in the Asia Pacific region was thatundertaken by Cooper and Craig (1983). This seminal research on internal auditing in Australiafound a number of issues that were of concern to the profession. It was found that there were anumber of misconceptions about what internal auditors were doing and what their chief executiveofficers (CEOs) perceived was being done, and in fact there were expectations by the CEOs thatinternal auditors could do more than the traditional financial auditing work mainly being done at thetime. There was nevertheless strong support for internal audit by CEOs and at the time it was seenas offering long-term career prospects. However, the profession in Australia in the early 1980ssuffered from an image problem, it did not have a strong professional body to represent its interestsas it has now, and there were no generally accepted professional qualifications recognized asnecessary to practice as an internal auditor. This study was undertaken before the development ofmodern internal auditing.

3The Asia Pacific literature review was published in a special CBOK 2006 issue of Managerial Auditing Journal(MAJ), Volume 21, Issue 8, in October 2006. With permission from the publisher of MAJ, this section uses portionsof the following article: Cooper, B.J., P. Leung, and G. Wong, “The Asia Pacific literature review on internal auditing,”Managerial Auditing Journal 21 (8), 2006, pp. 822-834.



Early 1990s

Cooper’s et al. (1989) Hong Kong study surveyed both CEOs and internal audit managers withrespective reasonable response rates of 25.8% and 23.1% in a survey of 485 organizations. At thetime, this was a very good response rate from business people as the culture in Hong Kong is notgenerally conducive to responding to surveys.

The Hong Kong study was aimed at determining the (then) current state of internal audit practicein Hong Kong, the level of professionalism evident in internal audit departments, and their trainingneeds. The majority of CEOs (45.6%) saw the main role of internal auditing as being an independentappraisal of the internal control system; 21.6% perceived internal auditing’s main role as anindependent review of the efficient operation of the organization; and 19.2% were more concernedwith proper safeguarding of assets and preventing and detecting fraud and error. From the perspectiveof internal audit managers, they saw their main role in financial auditing (including internal controlreviews), representing up to 50% of the activity in 94% of the internal audit departments respondingto the survey. The other major activity was the audit of operational areas to improve operationalefficiency, in line with the expectations of the CEOs as noted above. This study also found thatonly a minority of internal audit managers were members of The IIA and that on-the-job trainingwas mainly relied upon to develop internal audit skills.

During 1992, Cooper, et al. (1994) sent a major survey to the internal audit profession in Australia.He mailed questionnaires to CEOs and internal audit managers of a wide range of organizations inboth the private and public sectors. The research aimed to provide a profile of internal auditing inAustralia in the 1990s. It also addressed a number of issues, including attitudes and recognition;professionalism; role and scope of internal audit work; career opportunities; education and training;and the future role of internal auditing. A total of 687 organizations were surveyed with separatesurveys being sent to CEOs and internal audit managers, with usable response rates of 31.0% and30.9% respectively.

Although the overall view was a positive one in terms of attitudes and recognition, there was someconfusion between perceptions by CEOs and the reality as seen by the internal audit managers.Findings included:

• The perceived high profile of internal auditing as reported by the CEOs was not necessarilyborne out by their understanding of the audit process; for example, their strong support forthe “mechanical” aspects of the process rather than a more management-oriented role forinternal auditing.



• Reporting levels were generally less than ideal and the confusion between perceived statusand the reality of the situation was further reinforced by internal audit managers’ views onhow their role was seen by clients, particularly with respect to a perceived policing function.

• The survey did uncover some concerns over the number of internal audit managers whoare not members of The IIA and confusion about the value of the existing internal auditqualifications such as the CIA designation.

• Regarding the role and scope of internal auditing, the CEOs appeared to place the greatestemphasis on the audit of financial areas, and yet most internal auditors were by thenconcentrating on operational areas.

• There was general overall support for education and training, but there was apparentconfusion among internal audit managers as to whether internal auditing is a training groundor a career position.

• 85 percent of them agreed that management usually implemented audit recommendations.• 80 percent agreed that there was adequate feedback from management on audit

recommendations.• 85 percent agreed (including 24 percent strongly agreeing) that the internal audit activity

would become increasingly important to management in the future.

The Mid-1990s

In 1996, the first study on benchmarking internal auditing in the region was published by Cooper,Leung, and Mathews (1996). The three countries compared were Australia, Malaysia, and HongKong. The paper was based on the aforementioned studies of Australia in 1992, Hong Kong in1989, and a study by Mathews, Cooper, and Leung in Malaysia in 1994, which was based on acomparable methodology to the Australian and Hong Kong studies. These comparative studiesshowed that CEOs in Malaysia were very positive in their perceptions of internal auditing as wereCEOs in Australia. The perceptions were less positive with CEOs in Hong Kong.

CEOs’ understanding of internal audit activities in Malaysia and Australia appeared to set positivebenchmarks, with Malaysian CEOs particularly positive in their view of internal auditing as anindependent review of the efficient operation of the organization. However, the CEOs in HongKong were more concerned with internal audit resources being devoted to appraisal of internalcontrol, which is reinforced by their views of internal auditing being more exploitative and authoritativethan consultative.

An important benchmark is ensuring that audit recommendations are well thought through anduseful for management and this will normally be evidenced by the extent to which managementtakes notice of, and implements, internal audit findings. In this comparative study, 79.6% of Australian



internal audit managers agreed (with 19.1 % strongly agreeing) that CEOs recognize theiraccomplishments, compared with 80.1% in Malaysia and 83.3% in Hong Kong (although in thiscase, only 13.6% strongly agreed). With respect to the implementation of internal auditrecommendations by management, 85.5% of internal audit managers in Australia were in agreement,compared with 84.4% in Malaysia and 84.9% in Hong Kong. With regard to the adequacy offeedback from management on audit findings and recommendations, more than 75% of internalaudit managers in all countries were positive on this issue.

The Late 1990s

In 1997, a special edition on internal auditing in China was published by Managerial AuditingJournal, with papers by a number of practitioners and academics. Although none of the paperspresented empirical data, they did provide an insight into internal audit practice in China at the time.It is important to understand that the internal audit activity in China is an agent of the State, unlikein Western countries. Tang, Chow, and Cooper (2000) provide a background on how internalauditing operates in China in their book Accounting and Finance in China - A Review of CurrentPractice. In 1983, the State Council in China established the Audit Administration of the PeoplesRepublic of China (AAPRC) to supervise all auditing activities in the republic, and in 1988 issuedthe Regulation on Audit of the People’s Republic of China, the first comprehensive statute onstate audit, which dictated that state auditing, internal auditing, and public auditing are all to beguided by the AAPRC. In 1994, the Eighth National People’s Congress adopted the Audit Law ofthe People’s Republic of China, which provided for an audit organizational framework consistingof government audit institutions (departments), internal audit institutions, and public audit institutionsset up at various levels with varying degrees of authority.

Under the system in China, the designated scope of work carried out by internal audit institutionsincludes the audit of financial revenues and expenditures; the audit of economic contracts; theaudit of construction projects; and the audit of internal control. An additional audit area is the auditof economic responsibility, which ensures that management assumes its economic responsibilities,including the maintenance of assets, observance of economic laws and regulations, and fulfillmentof operational budgets.

Cai (1997) agrees with the categorization of internal audit roles as noted by Tang, Chow, andCooper (2000), but observes that as the socialist economy continues to develop in China, it is thelatter role of the audit of economic responsibility that is assuming major importance. As the economydevelops, different challenges will face internal auditing, and as management and state ownershipseparate in formerly State-owned enterprises, the role of internal auditing to help managementmake the transition and still protect the interests of the State will become more important. Wang



(1997) also points out that with the development of the market economy, enterprises need toimprove internal control systems, management and production technology, and reduce productioncosts; therefore, market competition requires the strengthening of internal auditing.

In addition, the Chinese have a practice called “guanxi” in business. In the Chinese language,“guanxi” is the term for a personal relationship. It refers to the networks of informal relationshipsand exchanges of favors that dominate all business and social activities that occur throughoutChina (Lovett, et al., 1999; Lou, 1997). Guanxi works on the basic, unspoken word. Individualsseek to meet their guanxi responsibilities, and failure to do so results in damaged prestige. InChina, business people first strive to build personal relationships with a potential customer and,once admitted to the clan/guanxi family, business follows. Thus, trust must be established beforebusiness may be conducted. Guanxi is nurtured by the exchange of gifts and favors. However,such gifts strike ethical nerves in Western society as gifts are contrary to at least the spirit if not theletter of the laws such as Sarbanes-Oxley and make it hard to follow internal auditing standards.

2000 Onward

A major study has been undertaken in New Zealand by Van Peursem (2004) on internal auditors’role and authority. In this study, internal auditors were asked to come to a view on whether functionsthey perform in connection with internal audit engagements are essential, and to what degree theyfeel they enjoy the authority over, and independence from, management that we might expect of aprofessional. The research constituted a survey of New Zealand auditors, all of whom were membersof the New Zealand affiliate of The IIA. A very high response rate of 73% was achieved over theoriginal and follow-up survey. The study found that characteristics of a “true” profession exist butdid not dominate. Significantly, and as subgroups, Van Peursem (2004) also observed that publicpractice and experienced auditors may enjoy greater influence over management, and accountancy-trained auditors may enjoy greater status owing to the “mystique” of their activities emanatingfrom their membership of well-known accountancy professional bodies.

Van Peursem (2004) also notes that Cooper et al. (1996) identified a potential issue in confusionbetween expectations that internal auditors will both independently evaluate management’seffectiveness, and also aid management. More recent observations by Glascock (2002) and McCall(2002) have expressed similar concerns. Van Peursem (2004) also concludes that a key issue isthat internal auditors will assume whatever position is in the best interests of their employer and bereluctant to counter management, irrespective of the consequences, which is potentially damagingin terms of image for the internal audit profession.



In a follow-up study in New Zealand, Van Peursem (2005) examined the role of the New Zealandinternal auditor and conceptualized on the auditor’s influence over that role. The fundamentalquestion is how an effective internal auditor can overcome the tension of working with managementto improve performance, while also remaining sufficiently distant from management in order toreport on their performance. The research found that there are three concepts characteristic ofthose who best balanced their role: the internal auditor’s external professional status; the presenceof a formal and informal communication network; and the internal auditors’ place in determiningtheir own role. Informing these concepts is the auditor’s ability to manage ambiguity. This was aqualitative study using a multiple case-based approach in which the researcher made observations,examined documents, and interviewed senior internal auditors in six New Zealand organizations.

In a Singaporean study reported by Goodwin and Yeo (2001), factors that may impact on theindependence and objectivity of internal auditing were investigated. In particular, the researchersconsidered the relationship of internal auditors and the audit committee and the use of the internalaudit activity as a management training ground, in terms of the potential effect on the independenceand objectivity of internal auditing. A survey of chief internal auditors found a strong relationshipbetween internal auditing and the audit committee, particularly where the committee was comprisedsolely of independent directors. Chief internal auditors were generally found to have regular andprivate access to the audit committee and this was supported by the regulatory framework inSingapore, which provided support for the independence and objectivity of internal auditors.

The use of internal auditing as a management training ground was also found to be widespread. Itwas also more common where an audit committee existed and where the organization was a largerentity. This existence of an audit committee minimized any negative impact on independence andobjectivity of the internal audit activity in situations where internal auditing was used as a managementtraining ground.

A study undertaken by Goodwin (2004) explored similarities and differences between public sectorinternal auditing and its counterpart in the private sector. Features examined include organizationalstatus, outsourcing, using internal auditing as a “tour of duty” function, audit activities, andrelationships with the external auditor. The study is based on a survey of chief internal auditors inorganizations in Australia and New Zealand. Results suggest that there are differences in statusbetween the internal audit activity in the two sectors, with public sector internal auditors generallyreporting to a higher level in the organization. While a similar amount of work is outsourced, publicsector organizations are more likely than those in the private sector to outsource to the externalauditor. There is little difference between internal audit activities and interactions with externalaudit in the two sectors. However, private sector internal auditing is perceived to lead to a greaterreduction in external audit fees compared to that in the public sector.



Goodwin-Stewart and Kent (2006) explored the voluntary use of internal auditing by Australianpublicly listed companies and sought to identify factors that lead listed companies to have aninternal audit activity. The study predicted that internal audit use is associated with factors relatedto risk management, strong internal controls, and strong corporate governance. To test the predictions,the study combined data from a survey of listed companies with information from corporate annualreports. The results indicate that only one-third of the sample companies use internal auditing.While size appears to be the dominant driver, there was also a strong association between internalauditing and the level of commitment to risk management. However, the study found only weaksupport for an association between the use of internal auditing and strong corporate governance.The study indicates that a large proportion of Australian listed companies do not use internalauditing and many of those firms that do have only one or two internal audit staff, a finding supportedby research by Leung, Cooper, and Robertson (2004). The implications of these findings for soundcorporate governance are serious, as it has been suggested that it is difficult for audit committeesto be effective without the support of internal auditing. It would appear that there is considerablescope for strengthening the relationship between internal auditing, audit committees, and externalauditors.

Leung et al. (2004) researched the role of internal auditing in corporate governance and managementin Australia. The specific objectives of the research were to identify the accountability structuresand internal audit objectives of organizations; determine the nature and extent of internal auditpractice; determine the management and governance relationships of chief audit executives (CAEs)within organizations; assess the application of the redefined internal audit activity; identify financialreporting risks and governance issues encountered by internal auditors; assess the effectiveness ofinternal auditing’s role in management accountability in a world actively concerned with corporategovernance issues; and recommend improvements in internal auditing. The researchers used atwo-pronged approach to ascertain information pertinent to the objectives. First, the total populationof CAEs in Australia was surveyed using an e-mail survey. The population total, based mainly onmembership of The Institute of Internal Auditors – Australia, was 397 and a 21.4% response rateyielded 85 usable responses. Second, eighteen CAEs were interviewed to gain a deeper insightinto issues that internal audit faces in Australia. To minimize any selection bias, an additional sevensenior business representatives from listed companies and the governmental sectors, includingregulatory bodies, were also interviewed.

This Australian study found that CAEs were generally very positive about the performance of theinternal audit activity. They see themselves as a key part of the management team, and that theycan influence decisions, maintain a sufficient level of objectivity, integrity, and competence in theirjobs, and are able to provide good support for their own staff. They view the culture and supportof management as a key factor in ensuring the effectiveness of their role.



A high percentage of respondents indicated that they perceived management recognized their rolein enhancing good corporate governance and that management appeared to take an interest in theirwork. On the other hand, there were views expressed that they should have a greater role in theorganization’s governance processes, although some were concerned that they did not have sufficientresources to discharge such additional work effectively. Many were also unsure about how theyshould actually go about making an effective contribution to the improvement of corporate governancein their organizations. What this Australian study indicates is that despite the universal concernsabout the need to enhance good corporate governance and the contribution that the internal auditingprofession can make, the internal auditor’s role in contributing to the process cannot be taken forgranted.

Ernst & Young et al. (2005) undertook a benchmarking study of internal audit services in thecommunications and entertainment sectors in both Australia and New Zealand. The study foundthat 63% of respondents indicated they had entered into a co-sourcing relationship with an externalparty and 13% had completely outsourced their internal audit function. With regard to reportingrelationships, 72% report primarily to the chair of the audit committee and 62% have increased thesize of their internal audit activities in the prior 12 months. With respect to corporate governance,63% of respondents are involved in providing assurance or monitoring compliance with the AustralianStock Exchange (ASX) Corporate Governance Principles.

Fadzil et al. (2005) undertook a study in Malaysia to determine whether the internal audit departmentof the companies listed on the Bursa Malaysia (Malaysian Stock Exchange) comply with theStandards and whether compliance with the Standards affects the quality of the internal controlsystem of the company.

It was found that management of the internal audit department, professional proficiency, objectivity,and review processes significantly influence the monitoring aspect of the internal control system.The scope and performance of audit work significantly influences the information and communicationaspects of the internal control system, while performance of audit work, professional proficiency,and objectivity significantly influence the control environment aspect of the internal control system.The study also shows that management of the internal audit department, performance of auditwork, the audit program, and audit reporting significantly influence the risk assessment aspect ofthe internal control system. Lastly, performance of audit work and audit reporting significantlyinfluences the control activities aspect of the internal control system.

A study in Malaysia by Ali, et al. (2004) looked at internal auditing in the state and local governmentsof Malaysia. Based on a series of semi-structured interviews, the authors found that only a minorityof local governments in Malaysia have an internal audit activity. The presence of quite a small



number of local governments with internal auditing may be due to the fact that in at least twostates, the internal audit activity of their local government departments is conducted by the internalaudit departments or units attached to the two state governments. There is no comfort, however,for such an arrangement – though it is certainly better than having no internal audit done at all atthe local government level. This is because internal auditing in so many of the state governmentsand their statutory bodies is operating with numerous limitations. The severest problems areconcerned with a shortage of audit staff and staff lacking in audit competencies. In manyorganizations, the non-audit personnel and top management are generally unsupportive of internalauditing.

Another study in Malaysia by Ernst & Young (2004) was undertaken to develop an understandingof the practice of internal auditing following the tightening of regulations and the increasingimportance of risk management and corporate governance practices in Malaysia. The survey wasgiven to participants of The IIA Malaysia’s National Conference held in September 2004 in KualaLumpur. Responses were received from 292 out of more than 600 participants. A total of 87% ofthe respondents stated that the primary function of internal auditing is to provide assurance ofinternal control and risk management processes and systems. The secondary role of the internalaudit activity is focused on three areas, namely, operational reviews (32%), efficiency of operations/cost savings (20%), and risk management (11%). The majority of respondents indicated havingstaff levels ranging from less than 5 to 25, although 50% of the respondents indicated that the sizeof internal auditing has increased in the past 12 months. The increase in the number of internalaudit staff could be the result of the rising importance of corporate governance in Malaysia.

Respondents reported that more than half of the internal audit staff are qualified auditors (53%),complemented by staff with a commercial background (26%) and information technology specialists(12%). Most of the respondents (in excess of 70%) indicated that their methodology commonlyincluded risk assessment, control evaluation, and process analysis. However, about 13% and 15%of the respondents respectively reported not having a risk assessment and control evaluation process.Only 30% of respondents reported internal auditing having commissioned an independent review.Of the 30% of respondents who indicated that a review had been conducted, 46% indicated thatthe review was conducted by peer companies while 44% engaged a professional services firm.

Ernst & Young (2005) also conducted a survey of internal auditing in Australia and New Zealandof the Australian Stock Exchange’s (ASX) top 200 companies in Australia and the top 100 listedcompanies in New Zealand and received 173 responses. The aim of the survey was to further theunderstanding of how internal audit activities in both the public and private sectors are continuingto evolve to meet ever-increasing demands and expectations. In total, 39% of respondents increasedthe size of their internal audit activities over the previous 12 months and 78% of internal auditactivities now report to either the audit committee chair or the CEO. Just 54% of internal audit



staff have a financial background, suggesting that internal audit teams are increasingly undertakingnon-financial reviews and recruiting more commercial and other specialist skills; 77% of respondentshave at least part of their internal audit conducted by an external party, mostly due to the need forspecialist skills.

Over half the organizations surveyed have changed the coverage of internal auditing to help supportthe ASX Principles of Good Corporate Governance. These internal audit teams are undertakingmore detailed controls testing and increasing their focus on providing assurance around riskmanagement frameworks to underpin compliance with the principles. In New Zealand, 76% ofprivate sector respondents have audit committees that satisfy the requirements of the updatedNew Zealand Stock Exchange Listing Rules. In both countries, 84% of internal audit activities arebasing their annual audit plan on generally accepted risk management principles.

Carey et al. (2006) undertook a study to investigate the determinants of internal audit outsourcingusing survey data on 99 companies listed on the Australian Stock Exchange. It was noted that54.5% of companies fully rely on an in-house internal audit activity, with the others outsourcing allor some of their internal audit activities. Outsourcing is associated with perceived cost savings andthe technical competence of the provider. However, it was also observed that 75% of those companiesoutsourcing did so to their external auditor, which may have implications for perceptions about theindependence of the external auditor.

Summary

The above provides a summary of the trend and literature covering internal auditing in the AsiaPacific region from the seminal work by Cooper and Craig in 1983 until the most recently reportedstudies in the academic and professional literature. In reviewing the above literature, a fewobservations can be noted:

• While internal auditing has been strongly supported by management, including the CEOs,conclusive consensus as to the role of internal auditors has not yet emerged.

• The function of internal auditors has changed from a more financially oriented role intoone that focuses on internal controls and risk assessment through the last two decades.CEOs have generally perceived internal auditing as having a financial function, whileinternal auditors moved their emphasis into systems and risks.

• There was, and still is, confusion regarding the independence of internal auditors. This ismade more complex by the definition of internal auditing which encompasses both theexpectations of the consulting role and the assurance role. Internal auditors are uncertainas to how to balance independence in both roles.



• During the 1990s, the increasing use of international accounting firms in consulting andassurance engagements overshadowed the internal audit function.

• The U.S. Sarbanes-Oxley Act of 2002 added the dimension of internal financial reportingassurance expected of internal auditors and audit committees.

• With the apparent lack of a structured approach to the body of knowledge, a clearlydefined role, and an apparent lack of status underpinned by a rigorous generally acceptedprofessional program (the CIA program has had limited uptake in Asia Pacific), internalauditing has suffered from lack of prominence in Asia Pacific.

• The Common Body of Knowledge 2006 study is timely and highly significant in shapingthe internal auditing profession in Asia Pacific in the years to come.

European Literature Review on Internal Auditing4

Overview

This section summarizes the major studies addressing internal auditing and related corporategovernance issues in Europe and is drawn from work carried out by authors from Belgium, Italy,the Netherlands, and the United Kingdom.

Physically, Europe can be described as a continent that contains approximately 45 separate nationsranging in size from the smallest states in the world to among the largest. Politically and economically,there is a diversity that includes former centralized economies (former USSR states such as Russiaand Ukraine), economies where state intervention is active (France), and free market capitalisteconomies (such as the U.K.). There is also a range of developmental status from post-industrialthrough to agrarian-based. Culturally, Europeans speak more than 200 different languages (withmany states being as a minimum bilingual and trilingual). Given that each state also has its ownlegal system and business traditions it is not surprising that there can be no “one size fits all” codeof corporate governance. The following is a summary of the major European studies on internalauditing.

4The European literature review was published in a special CBOK 2006 issue of Managerial Auditing Journal (MAJ),Volume 21, Issue 8, in October 2006. With permission from the publisher of MAJ, this section uses portions of thefollowing article: Allegrini, M., G. D’Onza, L. Paape, R. Melville, and G. Sarens, “The European literature review oninternal auditing,” Managerial Auditing Journal 21(8), 2006a, pp. 845-853.



Institut Français de l’Audit et du Contrôle Internes (2005)

This French study followed up a previous version in 2002 that was conducted in conjunction withErnst & Young. The survey was sent to 508 chief audit executives (CAEs), with a response rate of37%. Both the private and public sectors were included. Statistics include detailed descriptiveresults illustrated with charts and tables completed with results from interviews with the six majorCAEs. By conducting this survey, Institut Français de l’Audit et du Contrôle Internes (IFACI)wanted to assess the recent evolution in internal auditing in France, investigate the impact of newlaws and regulations, and assess the future of internal auditing. Major findings are discussed below.

Internal Audit Role in Corporate Governance

The independence and objectivity of internal auditors are guaranteed by their double reporting linesto top management and the audit committee. About 50% of the internal audit departments in thisstudy have a formal meeting with their top management every quarter, whereas 40% of the CAEshave private meetings with the head of the audit committee. The audit committee is primarilyinterested in the internal audit activities and mainly the implementation of their recommendations.More than half of the internal audit departments are involved with activities related to corporategovernance.

Internal Audit: Still Strongly Focused on Assurance

Assurance engagements are still dominant, representing 73% of the working agenda of internalauditors. These engagements mainly deal with the evaluation of internal controls, as well ascompliance audits. With respect to consulting engagements, internal auditors give advice andparticipate in specific projects or working teams.

Internal Audit’s Role in the Implementation of New Laws and Regulations

It is interesting to see that internal auditors play a key role in implementing laws such as the “Loi deSécurité Financière” and Sarbanes-Oxley. More than two-thirds of the internal audit departmentshave developed a project on internal control reporting and 74% have dedicated a part of theirworking time on the implementation of Sarbanes-Oxley. These two laws have slightly changedinternal audit’s work in that it has become more risk-based. In those companies that have tocomply with Sarbanes-Oxley, internal auditors currently spend more time on the evaluation offinancial controls and regularly conduct financial audits.



Internal Auditors as Credible, Objective, and Professional Partners

A large majority (82%) of the internal audit departments have an internal audit charter, formallyapproved by top management and the audit committee. In order to guarantee their objectivity, mostof the internal auditors adhere to the Code of Ethics defined by the profession. Even when theinternal audit plan is strongly influenced by specific requests from top management and the auditcommittee, the internal audit plan is, in a majority of the cases, also based on a risk assessment. Itwas observed that a significant number of CAEs have difficulty finding people with the rightcompetencies. This is one of the main reasons why internal audit is calling more and more forexpertise coming from other internal departments or from external providers.

Internal Audit has Sufficient Financial and Human Resources

On average, companies have 2.85 internal auditors for every 1,000 employees, with large differencesbetween sectors. In a majority of the companies, the internal audit budget remains stable, whereasin 42% of the companies, the internal audit budget increased. About 25% of the internal auditdepartments have existed for less than five years and 74% of the departments have less than 10internal auditors. The profile of an internal auditor did not change during the last three years.

IIA Belgium (2006)

IIA Belgium carried out a survey of its members from November 2005 until March 2006. Thissurvey was strongly inspired by the IFACI study in France. Internal audit departments in 260Belgian private companies were contacted. The response rate was 31%, which is quite good for afirst general survey about internal auditing in Belgium.

The survey addressed issues with respect to the internal audit department, the internal audit activities,risk management and the role of internal auditing, the relationship with stakeholders, and the futureevolution of internal auditing. The survey illustrates that, in Belgium, internal auditing is still arelatively young profession. The main findings are illustrated below.

Internal Audit Department Review

In terms of age of the internal audit department, more than 50% were created less than 5 yearsago. Most internal auditors have working experience in finance, operations, or external audit.Internal auditors’ education level is at least at the bachelor’s degree level. On average, internalauditors remain in internal auditing for less than four years (53% of the respondents). The recruitmentchannel for internal auditors is equally spread between internal and external sources. CAEs have



a relatively short experience in audit, with 64% of the CAEs having less than 10 years experiencein audit. Only 37% of the internal audit departments observed are conducting satisfaction surveyswith their auditees. Networking is important for internal auditors as more than 80% have regularcontacts with colleagues from other companies.

Internal Audit Activities

Integrated and operational audit represent globally more than 50% of the activities of the respondinginternal audit departments. Consulting activities remain low (on average 12% of the annual workingtime), but a majority of the responding internal audit departments expected an increase in consultingactivities in the next two years.

An internal audit charter is used in more than 90% of the cases. On average, 65% of the internalaudit plan is based on a risk analysis, but discrepancies have been observed by sector. In 42% ofthe cases, the yearly internal audit plan is adapted more than twice a year to take new requirementsand priorities into consideration. On average, 65% of the recommendations are implemented withinone year after the audit. In general, 61% of the responding internal audit departments do not useoutsourcing or co-sourcing today, but they expect to use, to some extent, more external serviceproviders in the future.

Role of Internal Auditing in Risk Management

Seventy percent of the respondents’ organizations have set up a risk measurement process. It isalso remarkable to notice that in a lot of companies, not everyone knows the policies and procedureshe or she has to follow. Gaps are observed by sector in terms of risk management practices. Onaverage, 29% of the respondents’ IAAs are responsible for the risk management process for theirorganizations.

Relationship with Stakeholders

Seventy-four percent of the CAEs report functionally to the audit committee. In 74% of the internalaudit departments reviewed the audit committee is in charge of dismissing the CAE, and in 51% ofthe cases the audit committee approves the internal audit budget. In second position, it is the CEOwho dismisses the CAE (44%) or approves the budget (49%). Some deviations have been observedby sector. It is interesting to see that the relationship with the audit committee is positively perceivedby most responding internal audit departments. Furthermore, there are exchanges between internalaudit and external audit (audit reports and audit planning). However, the relationship is less intensivein the other direction. Overall, the responding internal audit departments are satisfied with their



interaction with the CEO. Although CAEs are generally satisfied about their interaction with theCFO, this relationship is less intensive than the one with the CEO.

Challenges for Internal Auditing

The relationship with the audit committee and the board of directors needs to be reinforced and theassurance provided by internal auditing should become the best independent and objective assessmentin terms of risk management, internal controls, and corporate governance. The activities of internalauditors will be adapted to the new requirements and evolve with the new legislation and the newchallenges of the organization. The profile of the internal auditor is evolving in order to meet thebroader scope of activities. The profession still needs to become more recognized within thecompanies. Moreover, internal auditors need to aspire to a longer career in internal auditing.

Sarens and De Beelde (2006)

This study addressed internal auditors’ perception about their role in risk management, and comparedUnited States (US) and Belgian companies. The purpose of the study was to describe and comparein a qualitative way how internal auditors perceive their current role in risk management withinU.S. and Belgian companies, and was based on ten case studies (interviews with CAEs andanalysis of relevant documents).

In the Belgian cases, internal auditors’ focus on acute shortcomings in the risk management systemcreates opportunities to demonstrate their value. Internal auditors are playing a pioneering role inthe creation of a higher level of risk and control awareness and a more formalized risk managementsystem. In the U.S. cases, internal auditors’ objective evaluations and opinions are a valuable inputfor the new internal control review and disclosure requirements of Sarbanes-Oxley. In Belgium,the internal auditing profession is actually in a kind of “transition phase.” In order to survive thisphase, internal auditors need to assume a “teaching role” vis-à-vis the different management levelsto make them aware of their responsibilities in risk management. After this transition period, internalauditors will be able to focus more on their core activities.

Arena and Azzone (2006)

This study explores the relationship between enterprise risk management (ERM) and internalauditing. Particularly, this study analyzed internal auditing’s role with respect to ERM systems andthe integration of ERM and internal audit activities. The results are based on multiple case studiesapplying semi-structured interviews.



The results show a high diversity in risk management systems with respect to the actual adoptionof an integrated risk management system, the techniques that companies apply to identify risks,and the methodologies applied for risk assessment. Internal auditors mainly provide assurance onthe ERM process, and in some cases they support the implementation and management of theprocess. In half the cases, they found a partial integration between ERM and internal audit activities.More specifically, this integration concerns the comparison of risk maps made by managers andthose made by internal auditors, the integration of evidence that arises from self-assessment tosupport the internal audit plan, and the incorporation of the ERM process in the internal auditreports.

Allegrini and D’Onza (2003)

Based on a survey of the top 100 companies listed on the Italian stock exchange, this studyinvestigates internal auditing and risk assessment practices in large Italian companies. The analysisof the survey answers indicates the existence of three different approaches to internal auditing inthe Italian context. Some companies (25%) have a small internal audit department that carries outtraditional assurance activities. The internal auditor is still perceived as an inspector. These companiesdo not integrate the COSO methodology into their audit process, and have a control system entirelybased on hard variables. The annual audit planning generally follows an audit-cycle approach. Thismodel is often found in smaller companies.

In most companies (67%) internal auditors are providing some contributions to the risk managementprocess and are trying to incorporate the COSO model in the internal control policies and proceduresas well as in the audit process. In this context, internal auditors perform mainly operational auditsand make use of risk assessment findings in planning the annual schedule of audits (macro level).In planning the individual audits, they generally start from the recognition of significant risks inherentto the activity in order to limit or expand the test of controls. The internal audit department offinancial institutions generally follows this model.

Moreover, it is possible to identify a few large companies (8%) in which the internal audit unit isalso focused on consulting activities. Internal auditors attempt to add value through a more activesupport to risk management at different levels and to align internal audit objectives with the strategicgoals of the organization. This group includes the “early pioneers” in control and risk self-assessment(CRSA) projects, insofar as they try to strengthen the accountability at all levels of managementfor risk and control. They focus their work on significant risks, and they are trying to adopt acollaborative approach with line management. A risk-based approach is applied both at the macroand the micro levels so that we can assume they are embracing the risk paradigm as suggested bySelim and McNamee (1998). Furthermore, internal auditors focus on monitoring activities and softcontrols.



The survey results also show that, in Italy, control and risk self-assessment may be considered in a“start-up phase,” since it is possible to identify a few “early pioneers” implementing self-assessmentthroughout their entire organization. Some other companies claim to have started applying CRSAonly in a few business areas while others reveal their willingness to introduce it within the next fewyears.

Tettamanzi (2003)

This study, based on a questionnaire sent to 150 private companies, describes the historical evolution,current state, and prospects for future developments of internal audit practices in Italy and theUnited Kingdom. Tettamanzi found that the percentage of time spent on financial auditing is lowerthan the other types of activities (like compliance or operational reviews). In Italy, as well as theU.K., it was found that if internal auditing has existed for a period of time, its activities mainlyfocus on operational and management auditing. If the internal audit unit has been recently set up,they mainly focus on financial auditing. Nevertheless, the relevance of financial auditing washigher in the past. Currently, more resources have been devoted to operational and managementaudit and this will increase in the future. The study also reveals that in the U.K., many companieshave introduced an internal audit department to comply with the Cadbury Code. Similarly, in Italy,the Preda Code has determined the introduction and improvement of internal auditing in listedcompanies.

Arena, Azzone, Casati, and Mello (2004)

This study is based on a survey within 365 private Italian companies and investigates the existenceand characteristics of an internal audit activity and the activities performed. It was found that 74%of the responding companies have introduced an internal audit activity. The existence of an internalaudit activity differs between industries and can be linked with the company size. For thosecompanies that did not have an internal audit activity at that time, 30% had intentions to introduceone in the future.

However, 50% are not willing to introduce an internal audit activity in the future, whereas 20%have removed their internal audit activity. More than 50% of the internal audit departments in thisstudy have less than five internal auditors. With respect to the internal audit agenda, they foundthat operational audits, compliance audits, and the monitoring of the internal control system are themost prevalent activities.



Allegrini and Bandettini (2006)

This study replicated an earlier study by Selim and Woodward (2004) in the U.K. and Ireland andfocuses on internal audit and consulting assignments. The questionnaire was adapted to the Italiancontext and sent to the members of the Italian Institute of Internal Auditors. The results reveal thatthe new definition of internal auditing changed consistently the percentage of time allocated toconsulting assignments, which moved from 7% to 26%.

The perceptions regarding internal auditors’ involvement in consulting activities are positive orvery positive in 73% of the responding companies. It is interesting to see that 69% of the respondentsindicate that they perform consulting assignment regarding the Law number 231 (issued in 2001),which requires companies to set up a structured internal control system. More than half of therespondents (53%) declared to work on consulting assignments regarding corporate governanceand risk management.

Other Studies on Internal Auditing that Address European Issues

Rittenberg and Covaleski (1999) addressed outsourcing of internal auditing services in a governmentenvironment and provided insight into the methods and reasons for outsourcing. Melville (1999)addressed the current state of the art of control self-assessment (CSA) practice in the U.K. Theoverview was based on a survey of the top 50 companies listed on the FTSE, while the other twoelements were based on structured interviews. The conclusions drawn were that CSA is widelyseen as a beneficial practice, although it may not be repeated after the first exercise.

Hopkins (1997) discussed the fundamental differences in perceptions of internal audit quality betweenproviders of internal audit services and their prospective clients. The study was based on the U.K.public sector. Selim and Yiannakis (2001) addressed the various levels and methods of outsourcingin private and public sector organizations and discussed the various levels of success. Melville(2003) undertook a study based on an international survey of internal auditors, of which Europeanresponses were approximately 12% of the sample. The results showed that internal auditors werehighly geared toward making a contribution to strategic management, especially where a balancedscorecard type of system was used.

Selim, et al. (2003) found that based on a survey of six countries, internal auditors already play akey role in the mergers and acquisitions process, though it was also found that they would preferthis role to be further developed. Paape, Scheffe, and Snoep (2003) reviewed a survey carried outby the European Confederation of Institutes of Internal Auditing (ECIIA). While the authors were



unsure about the rigor of their research (due to problems with distribution of the questionnairesrather than a fundamental flaw in methodology), it is clear that there is a wide variety of internalaudit responses to corporate governance issues.

South African Literature Review on Internal Auditing5

Twenty years ago internal auditing in South Africa was not well known as a profession. In SouthAfrica, a number of factors contributed to the changes, development, and growth of the country’sinternal auditing profession. During the past five years, there were three major contributors to thelarge unexpected growth of the profession in South Africa. The first was the reports of the Kingcommission on corporate governance (King I: 1994 and King II: 2002). The second was the PublicFinance Management Act (SA 1999. Section 38), which made it a legal requirement for all formsof public organizations to have an internal audit activity in line with the Standards.

As internal auditing is a relative new profession in South Africa, limited formal research publicationswere found on internal auditing within the country. The following briefly discusses the variousresearch publications found about internal auditing in South Africa.

Communication Skills

During his research, Fourie (2006) attempted to find answers to two research questions. The firstwas whether tertiary institutions (universities) in South Africa teach sufficient communicationskills to enable aspiring internal auditors to perform their internal audit assignments professionally.The second question was whether internal auditors in practice regard themselves as having sufficientcommunication skills in order to conduct their internal audit assignments professionally.

The results of the study revealed that universities in South Africa do not teach adequatecommunication skills to aspiring internal auditors. The respondents indicated that they do not possessadequate communication skills to professionally conduct their internal audit engagements.

New Standards Address Challenges Faced by the Profession

Coetzee & du Bruyn (2001) investigated the limitations of the previous Standards and the changesin the new Standards. They found that change in auditing required by the new Standards was

5South Africa’s literature review was written by Houdini Fourie of the Tshwane University of Technology, SouthAfrica and Elmarie Sadler of University of South Africa.



difficult to analyze because the new Standards were to be used in conjunction with the previousStandards at the time of the paper’s publication. Coetzee & Du Bruyn are of the opinion that thenew Standards successfully address the challenges faced by internal auditors in the profession.

Effectiveness of Public Service Audit Committees

The question for this research was the effectiveness of public service audit committees in improvingaccountability in the South African public service as perceived by the independent external auditorsof government (Van der Nest, 2007). Van der Nest stated that “the audit committee is a keyaccountability instrument, playing a crucial role in the financial management and control environmentsof public corporations.” Audit committees are increasingly regarded as integral to modern controlstructures and governance practices in both the private sector and public service. The establishmentof audit committees is recognized as best practice with respect to good corporate governance. Theestablishment of audit committees is legislated in the financial management legislation in SouthAfrica.

Importance of Quality Control

In her study, Marais (2003) investigated the importance of quality control within internal auditactivities as prescribed by the Standards and guidelines of The IIA. The study also attempted todetermine to what extent these Standards and guidelines are applied in internal audit activities inSouth Africa.

The study concluded that quality control is not adequately applied within all IAAs in South Africa.Compliance with the Standards that were implemented during January 2002 should help to improvethe situation. Marais further concluded that The IIA should take action to motivate IAAs to exercisequality control according to the Standards.

Compliance with Good Practice and Legal Requirements by Audit Committees

In his paper, Van der Nest (2005) evaluated the compliance with good practice and legal requirementsby audit committees in South Africa’s government departments. The performance in four of theaudit committees’ important areas of responsibility was also measured.

The initial general observation by Van der Nest was that there is sufficient compliance with thelegal framework within which the South African public sector audit committees function. A furtherobservation was that there is general compliance with good practice for audit committees in theSouth African public sector. According to Van der Nest, evidence shows that “…there is apreoccupation with control issues and internal audit reports.” Van der Nest is concerned about the



absence or lack of other critical issues that should be addressed by audit committees, including riskmanagement, processes, financial reporting, and corporate governance.

Summary

The literature indicates many changes in the activities performed by internal auditors over the past30 years. The increasing complexity of business transactions, a more dynamic regulatory environment,and significant advances in information technology are developments that have resulted inopportunities and challenges for internal auditors. One of the objectives of CBOK 2006 was togather information on the current state of internal auditing around the world to determine thecurrent state of the art for the practice of internal auditing to add to the growing literature andstudy of the internal auditing profession.

References

1. Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “A review of prior common body ofknowledge (CBOK) studies in internal auditing and an overview of the global CBOK 2006,”Managerial Auditing Journal 21 (8), 2006, pp. 811-821.

2. Albrecht, W.S, J.D. Stice, and K.D. Stocks, A Common Body of Knowledge for the Practiceof Internal Auditing (Altamonte Springs, Florida: The Institute of Internal Auditors ResearchFoundation), 1992.

3. Ali, A.M., S.Z. Saidin, M.Z. Ghazali, M.S. Rahim, M.H. Sahdan, A. Ali, and A. Ahmi, InternalAudit in the State and Local governments of Malaysia, Working Paper, Universiti Utara Malaysia,2004.

4. Allegrini, M., and E. Bandettini, Internal Auditing And Consulting Assignments In Italy: AnEmpirical Research, Fourth European Conference on Internal Audit and Corporate Governance,2006b.

5. Allegrini, M., and G. D’Onza, “Internal Auditing and Risk Assessment in Large Italian Companies:an Empirical Survey,” International Journal of Auditing 7 (3), 2003, pp. 191-208.

6. Allegrini, M., G. D’Onza, L. Paape, R. Melville, and G. Sarens, “The European literaturereview on internal auditing,” Managerial Auditing Journal 21(8), 2006a, pp. 845-853.

7. Anderson, U., “Assurance and Consulting Services,” In Research Opportunities in InternalAuditing, Ch. 4, Bailey, A.D., A.A. Gramling, and S. Ramamoori (eds.) (Altamonte Springs,FL: The Institute of Internal Auditors Research Foundation), 2003.

8. Arena, M., and G. Azzone, “Internal Audit in Large Italian Companies: adoption, developmentand evolution,” Fourth European Academic Conference on Internal Audit and CorporateGovernance, 2006.

9. Arena, M., G. Azzone, P. Casati, and F. Mello, Rapporto di ricerca, Italian Institute of InternalAuditors, 2004.



10. Barrett, M.J., G.W. Lee, S.P. Roy, and L. Verastigu, A Common Body of Knowledge forInternal Auditors: A Research Study (Altamonte Springs, FL: The Institute of Internal Auditors),1985.

11. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J. Roebuck, Internal Auditing:The Global Landscape (Altamonte Springs, FL: The Institute of Internal Auditors), 1999a.

12. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J. Roebuck, Internal AuditingKnowledge: Global Perspectives (Altamonte Springs, FL: The Institute of Internal Auditors),1999b.

13. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P. J. Roebuck, Competency:Best Practices and Competent Practitioners (Altamonte Springs, FL: The Institute of InternalAuditors), 1999c.

14. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J. Roebuck, The Future ofInternal Auditing: A Delphi Study (Altamonte Springs, FL: The Institute of Internal Auditors),1999d.

15. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J. Roebuck, AssessingCompetency in Internal Auditing: Structures and Methodologies (Altamonte Springs, FL:The Institute of Internal Auditors), 1999e.

16. Burnaby, P.A., S. Hass and M.J. Abdolmohammadi, “A survey of internal auditors to establishthe scope of the common body of knowledge study in 2006,” Managerial Auditing Journal21 8, 2006, pp. 854-868.

17. Cai, C., “Internal audit under the socialist market economy system,” Managerial AuditingJournal 12 (4/5), 1997, pp. 210-213.

18. Carey, P., N. Subramanaim, and K. Ching, “Internal audit outsourcing in Australia,” Accountingand Finance 46 (1), 2006, pp. 11-30.

19. CIA World FactBook, https://www.cia.gov/cia/publications/factbook/fields/2145.html, 2006.20. Chapman, C., and U. Anderson, Implementing the Professional Practices Framework

(Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation) 2002.21. Coderre, D., Continuous Auditing: Implications for Assurance, Monitoring, and Risk

Assessment (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation),2005.

22. Coetzee, G.P., and Du Bruyn, “The relationship between the new IIA standards and the internalauditing profession,” Meditari 9(6), 2001, pp. 1-79.

23. Cooper, B.J., and J. Craig, A Profile of Internal Audit in Australia (Melbourne: RoyalMelbourne Institute of Technology), 1983.

24. Cooper, B.J., P. Leung, and C. Mathews, “Benchmarking – a comparison of internal audit inAustralia, Malaysia and Hong Kong,” Managerial Auditing Journal 11 (1), 1996, pp. 23-19.

25. Cooper, B.J., P. Leung, and C. Mathews, “Internal Audit: An Australian Profile,” ManagerialAuditing Journal 9 (3), 1994, pp. 13-19.



26. Cooper, B.J., P. Leung, and G. Chau, A Survey of Internal Auditing in Hong Kong (HongKong: Department of Accountancy, Hong Kong Polytechnic), 1989.

27. Cooper, B.J., P. Leung, and G. Wong, “The Asia Pacific literature review on internal auditing,”Managerial Auditing Journal 21 (8), 2006, pp. 822-834.

28. COSO, Enterprise Risk Management – Integrated Framework Executive Summary (TheCommittee of Sponsoring Organizations of the Treadway Commission), 2004.

29. Deloitte & Touche, Lean and Balanced – How to Cut Costs Without CompromisingCompliance, Deloitte & Touche, 2006.

30. Ernst & Young, Internal Audit in Malaysia, Kuala Lumpur, (Malaysia), Ernst & Young, 2004.31. Ernst & Young and IIA New Zealand and Australia, Trends in Australian and New Zealand

Auditing Second Annual Benchmarking Survey 2005, Ernst & Young and IIA New Zealandand Australia, 2005.

32. Fadzil, F.H., H. Haron, and M. Jantan, “Internal auditing practices and internal control system,”Managerial Auditing Journal 20 (8), 2005, pp. 844-866.

33. Fourie, H., Internal auditing and communication: a South African perspective, M. Techdissertation, Pretoria, Tshwane University of Technology, 2006.

34. Glascock, K.L., “Auditees or clients?” Internal Auditor, 59 (4), 2002, pp. 84-85.35. Gobeil, R.E., “The Common Body of Knowledge of Internal Auditors,” The Internal Auditor,

November/December 1972, pp. 20-29.36. Goodwin, J., “A comparison of internal audit in the private and public sectors,” Managerial

Auditing Journal 19 (5), 2004, pp. 640-650.37. Goodwin, J., and Y.T. Yeo, “Two factors affecting internal audit independence and objectivity:

evidence from Singapore,” International Journal of Auditing 5, 2001, pp.107-125.38. Goodwin-Stewart, J., and P. Kent, “The use of internal audit by Australian companies,”

Managerial Auditing Journal 21 (1), 2006, pp. 81-101.39. Gramling, A.A., M.J. Maletta, A. Schneider, and B.K. Church, “The Role of the Internal Audit

Activity in Corporate Governance: A Synthesis of the Extant Internal Auditing Literature andDirections for Future Research,” Journal of Accounting Literature 23, 2004, pp. 194-244.

40. Gray, G., Changing Internal Audit Practices in the New Paradigm: The Sarbanes-OxleyEnvironment (Altamonte Springs, FL: The Institute of Internal Auditors), 2004.

41. Hass, S., M.J. Abdolmohammadi, and P.A. Burnaby, “The Americas literature review on internalauditing,” Managerial Auditing Journal 21 (8), 2006, pp. 835-844.

42. Hofstede, G., Culture’s consequences: International differences in work-related values(London, UK: Sage), 1980.

43. Hofstede, G., “Dimensions of National Culture in Fifty Countries and Three Regions,” in J.B.Deregowski, S. Dziurawiec, and R.C. Annis (Eds.), Explications in Cross-Cultural Psychology,Swets and Zeitling, 1983.



44. Hopkins, R., “The nature of audit quality - a conflict of paradigms? An empirical study ofinternal audit quality throughout the United Kingdom Public Sector,” International Journalof Auditing 1 (2), 1997, pp. 117-133.

45. House, R.J., P.J. Hanges, M. Javidan, P.W. Dorfman, and V. Gupta (Eds), Culture, Leadership,and Organizations: The GLOBE Study of 62 Societies (Thousand Oaks, CA: SagePublications), 2004.

46. IFACI (Institute de L’Audit Interne), Resultat de l’enquete sur la pratique de l’audit interne enFrance en 2005 (The Institute of Internal Auditors France), 2005.

47. IIABEL (The Institute of Internal Auditors Belgium), Internal audit in Belgium: the shaping ofinternal audit today and the future expectations – survey results (The Institute of InternalAuditors Belgium), www.iiabel.be.

48. King Committee on Corporate Governance, King report on corporate governance for SouthAfrica, Institute of Directors, 1994.

49. King Committee on Corporate Governance, King report on corporate governance for SouthAfrica, Institute of Directors, 2002.

50. Krell, E., “Is Sarbanes-Oxley Compromising Internal Audit?” Business Finance, August, 2005.51. Krogstad, J., A.J. Ridley, and L.E. Rittenberg, “Where We’re Going,” Internal Auditor. October

1999.52. Le Grand, C.H., Information Technology Controls (Altamonte Springs, FL: The Institute of

Internal Auditors Research Foundation), 2005.53. Leung, P., B.J. Cooper, and P. Robertson, The Role of Internal Audit in Corporate

Governance and Management (Melbourne: RMIT Publishing), 2004.54. Lou, Y., “Guanxi: principles, philosophies, and implications,” Human Systems Management 16

(1), 1997, pp. 43-51.55. Lovett, S., L.C. Simmons, and R. Kali, “Guanxi versus the market: ethics and efficiency,”

Journal of International Business Studies 30 (2), 1999, pp. 231-47.56. Marais, M., Quality control within internal audit functions and the application thereof in South

Africa, M. Comm. Dissertation, Pretoria, University of South Africa, 2003.57. McCall, S.M., “The auditor as consultant,” Internal Auditor 59 (6), 2002, pp. 35-39.58. McIntosh, E.R., Competency Framework for Internal Auditing: An Overview (Altamonte

Springs, FL: The Institute of Internal Auditors Research Foundation), 1999.59. Melville, R., “Control self assessment in the 1990s: the UK perspective,” International Journal

of Auditing 3 (3), 1999, pp. 191-206.60. Melville, R., “The Contribution Internal Auditors Make to Strategic Management,” International

Journal of Auditing 7 (3), 2003, pp. 209-222.61. Mutchler, J., Independence and Objectivity: A Framework for Internal Auditors (Altamonte

Springs, FL: The Institute of Internal Auditors Research Foundation), 2001.



62. Paape, L., J. Scheffe, and P. Snoep, “The Relationship between the Internal Audit Activity andCorporate Governance in the EU - a Survey,” International Journal of Auditing 7 (3), 2003,pp. 247-262.

63. PCAOB (Public Company Accounting Oversight Board), Auditing Standard No. 2: An Auditof Internal Controls over Financial Reporting Performed in Conjunction with an Audit of FinancialStatements, (Washington, DC: Public Company Accounting Oversight Board), 2004.

64. PricewaterhouseCoopers LLP, “Internal Audit Global Best Practices: #2 in a series,” TheInternal Audit Newsletter, 2005A, pp.5-6.

65. PricewaterhouseCoopers LLP, “How Computer Assisted Audit Tools Can Be Used in aFiduciary Audit Environment,” The Internal Audit Newsletter, 2005B, pp. 2-3.

66. PricewaterhouseCoopers LLP, PricewaterhouseCoopers’ State of the Internal AuditProfession: Internal Audit Post Sarbanes-Oxley (New York), 2006.

67. RGTF (Report of the Guidance Task Force to The IIA’s Board of Directors), A Vision for theFuture: Professional Practices Framework for Internal Auditing (Altamonte Springs, FL:The Institute of Internal Auditors Research Foundation), 1999.

68. Rittenberg, L., and M. Covaleski, “Outsourcing the internal audit activity: the British governmentexperience with market testing,” International Journal of Auditing 3 (3), 1999, pp. 225-235.

69. Rittenberg, L.E., and B.J.Covaleski, The Outsourcing Dilemma: What’s Best for InternalAuditing (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation),1997.

70. Roth, J., Adding Value: Seven Roads to Success (Altamonte Springs, FL: The Institute ofInternal Auditors Research Foundation), 2002.

71. Roth, J., and D. Espersen, Internal Audit’s Role in Corporate Governance: Sarbanes-Oxley Compliance (Altamonte Springs, FL: The Institute of Internal Auditors ResearchFoundation), 2003.

72. Sarens, G., and I. De Beelde, “Internal Auditors’ Perception about Their Role in RiskManagement: A Comparison Between US and Belgian Companies,” Managerial AuditingJournal 21 (1), 2006, pp. 63-80.

73. Selim, G., and A. Yiannakas, “Outsourcing the Internal Audit Activity: A Survey of the UKPublic and Private Sectors,” International Journal of Auditing 5 (1), 2001, pp. 213-226.

74. Selim, G., and D. McNamee, Risk Management: Changing the Internal Auditor’s Paradigm,(Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 1998.

75. Selim, G., and S. Woodward, “Internal Auditing and Consulting Practice: UK and Ireland Survey,”British Academy of Management Annual Conference (UK: University of St. Andrews), 2004.

76. Selim, G., S. Sudarsanam, and M. Lavine, “The Role of Internal Auditors in Mergers, Acquisitionsand Divestitures: An International Study,” International Journal of Auditing 7 (3), 2003, pp.223-246.



77. Simons, R., Performance Measurement & Control Systems for Implementing Strategy(Upper Saddle River, NJ: Prentice Hall), 2000.

78. South Africa, The Public Finance Management Act, Act 1 of 1999, Pretoria, GovernmentPrinters, 1999.

79. U.S. Sarbanes Oxley Act of 2002 (One Hundred Seventh Congress of the United States ofAmerica, HR 3763), 2002.

80. Tang, Y.W., L. Chow, and B.J. Cooper, Accounting and Finance in China – A Review ofCurrent Practice, 4th, Sweet and Maxwell Asia, (Hong Kong), 2000.

81. Tettamanzi, P., “Internal auditing: evoluzione storica, stato dell’arte e tendenze di sviluppo:Italia e Regno unito a confronto,” Egea, 2003.

82. The Institute of Internal Auditors, A Vision for the Future: The Professional PracticesFramework for Internal Auditing (Altamonte Springs, FL: The Institute of Internal AuditorsResearch Foundation), 1999.



85. The Institute of Internal Auditors, The IIA Research Foundation Request for Proposal (AltamonteSprings, FL: The Institute of Internal Auditors Research Foundation), 2005.

86. Van der Nest, D.P., Audit committees in government departments: an internal audit perspective,The South African Journal of Accountability and Audit Research 6, 2005, pp. 75-83.

87. Van der Nest, D.P., Audit committees and accountability in the South African public service,D. Tech dissertation, Pretoria, Tshwane University of Technology, 2007.

88. Van Peursem, K.A., “Conversations with internal auditors - The power of ambiguity,”Managerial Auditing Journal 20 (5), 2005, pp. 489-512.

89. Van Peursem, K.A., “Internal auditors’ role and authority - New Zealand evidence,” ManagerialAuditing Journal 19 (3), 2004, pp. 378-393.

90. Wang, X., “Development trends and future prospects of internal audit,” Managerial AuditingJournal 12 (4/5),1997, pp. 200-204.

91. Warren, J.D., and X.L. Parker, Continuous Auditing: Potential for Internal Auditors(Altamonte Springs, FL: The Institute of Internal Auditors), 2003.

92. Zoellick, B., and T. Frank, Governance, Risk Management, and Compliance: AnOperational Approach (The Compliance Consortium), 2005.



APPENDIX 10-A

Pre-scope Questionnaire for CBOK

Do you agree that the global CBOK scope should include the following: Yes NoDemographics for respondents and companies. 53 7Percentage of time spent on different types of audit (scope) in 2005:

• Operational 60 2• Financial (include work with external auditor) 58 2• Governance (ethics, control framework, Sarbanes-Oxley, linkage of 61 1

strategy, and company performance)o The role of internal auditing in organizational governance

• Consulting 60 3• Enterprise risk management (ERM) Need more specification 59 3• Fraud investigations (forensic accounting/auditing) 59 3• Work done by consultants (outsourcing) 57 5• Other:• Belgium

o Procedures developmento Benchmark analyses (meant to steer company decisions and action

plans for performance improvement)o Role of internal audit in project managemento IT audit (!)o Direct operational responsibilities (even limited)

• U.K. Irelando Work done by consultants (co-sourcing)o Assurance work

• U.S.o I think the work spent with the external auditor should be its own

classificationo With respect to Sarbanes Oxley, the governance component should

be separate from the work done in an advisory capacity(i.e., monitoring separate from management documentation, testing,and assessment)

o Outsourced work may be better defined as subject matter expertiserequired versus outsourced internal auditing (i.e., is the internal auditactivity outsourced or complemented?)

o Compliance (non-Sarbanes-Oxley)



Percentage of time spent on different types of audit (scope) Yes Noin 2005: (Cont.)

o Regulatoryo Technologyo Audit of IT function

• Asiao IT audito Probity auditingo Information technology audito Ad hoc/special audit

• Italyo Compliance programs for the prevention of corporate crime: risk

assessment, compliance audit, monitoring, compliance programsupdating.

• South Africao Integrated assurance services (audits that combine financial,

operational, ICT, and governance).

Adherence to the International Standards for the Professional Practice Yes Noof Internal Auditing (Standards) (The IIA, 2004):

• 1000 Purpose, Authority, and Responsibility 62 1o Charter outlining nature of assurance and consulting services

• 1100 Independence and Objectivity 61 1o Reporting structure administratively and functionallyo Support of upper managemento Support of the audit committee

• 1200 Proficiency and Due Professional Care 62 0o Level of education required of entry-level auditorso Certificationso Skills required of each audit position

• 1230 Continuing Professional Development - number of hours required 53 5• 1300 Quality Assurance and Improvement Program 59 4

o How often internal quality review is performedo How often external quality review is performed

• 2000 Managing the Internal Audit Department 58 5o CAE - rotating or permanent positiono Written policies and procedureso Staff rotation policy



Adherence to the International Standards for the Professional Practice Yes Noof Internal Auditing (Standards) (The IIA, 2004):

• 2010 Planning 56 7o Percentage of audit budget spent on planning activities

• 2210 Engagement Objectives 58 5o Set audit objectives during the planning stages of the audit

• 2240 Engagement Work Program 56 7o % of audit programs written specifically for each engagemento % of audit programs from prior auditso % of purchased audit programs

• 2400 Communicating Results 62 1o A written audit report is prepared for what percent of engagementso Audit report includes a grade or score for the audit process

• 2500 Monitoring Progress 62 1o Follow-up procedures are performed on what % of auditso Audit department has the support of upper management to ensure

improvements are made by auditee• Other: Belgium

o Follow-up on implementation of critical recommendationso Calculation/estimation of “return” of audit work (through

implementation of audit recommendations or through audit review assuch on e.g., double payments: savings achieved; doubledisbursements prevented or corrected; etc.)

• U.K. Irelando Adherence to the International Standards for the Professional

Practice of Internal Auditing (Standards) (The IIA)o Adherence to national or sectoral standards, based on the standardso Adherence to national or sectoral standards, not based on the

standards• U.S.

o Determination of IA as either a cost center or profit centero Calculation of cost savings and/or opportunity income gained arising

from internal audit recommendations as part of reporting (estimation)and monitoring (actual).



Specific areas of knowledge required of internal auditors: Yes No• Traditional business school topics (finance, operations, accounting, 52 11

marketing)• Business terminology 45 16• Technology 57 6• Financial reporting 50 12• Costing methods/managerial accounting 45 17• Economic theories 25 35• Accounting standards 49 14• Auditing standards 54 8• Other:• Belgium

o Language skills (2 x mentioned)o IT knowledge and skills (company ERP package) (2 x mentioned)

• U.K. Irelando Internal auditing standardso Statistics and analytical techniqueso General management

• U.S.o Should there be more in the way of operational and compliance

auditing? The above categories seem traditional and exclusive tothe operational and compliance COSO components

o Should technology be more specific as to systems etc- should therebe some additional requirements as to ERM, ERP, etc.?

o Should there be more in the “Other” areas such as forensics, fraud,money laundering, etc.

o Statistical analyses, Six-sigma, etc.o Regulatoryo Various industrieso Fraudo Regulation relevant to the industry

• Asiao Record keeping electronico Risk management practices

• Italyo Statisticso New legislation (SOX, D.Lgs 231/01)

• South Africao Legislation



Role of the board of directors and audit committee: Yes No• How often the CAE reports to the audit committee 60 2• Board’s role in governance issues 57 5• Audit committee/board role in review of annual audit plan 59 3• Other:• Belgium

o Board’s role in the definition of “risk” as used by the internal auditorin his risk assessmento Audit committee support for internal audit activity, internal audit

recommendations• U.S.

o Directors Loan Committee & Trust Committee interactiono Board appointment of CAE, salary determination, etc.o Administrative chain of commando AC structure and experienceo Reporting relationships, agendas

• Asiao Induction program for AC memberso Board review of IA performance

• Italyo Audit committee/board role in budget definition

Evaluation of staff: Yes No• Questionnaire at end of audit by client 53 10• Staff evaluated at end of each audit 55 8• Other:• Belgium

o Staff evaluations mid-year and year-end: rotation/career opportunitiesinside the company or audit staff

o Evaluation of the overall internal audit activity• U.S.

o Staff evaluation at certain minimum hours if audit is long term?o Other internal audit quality metrics and measurementso Core competency developmento Goal achievement (results)o Performance evaluation (annual or more frequent).

• Asiao Preference for annual survey of branch performance

• South Africao Ethics



Emerging trends in internal auditing: Yes No• Laws requiring companies to have an internal audit activity 56 7• Internal auditors in advisory role for strategy development 50 11• Implemented an internal control framework (COSO, COSO-ERM, 57 4

Cadbury, or CoCo)• Utilize self-directed, integrated work teams. 48 14• Involved in corporate directives to introduce ERP - Enterprise Resource 45 16

Planning software such as SAP, Oracle, Peoplesoft, BAAN, and JDEdwards

• Implement computer library (Web or CD-ROM) for audit reports, 55 7workpapers, and reference materials

• Implement knowledge management systems 49 13• Work with management to develop ERM system 52 11• Provide training to audit committee 47 14• Share audit programs with “Other” companies’ internal audit departments 53 8• Introduce improvements in cycle time 44 19• Utilize groupware such as Lotus Notes 36 26• Review electronic commerce applications 43 19• Utilize CAATs 56 6• Develop intranet site to educate company personnel about internal 55 7

controls, risk management, Sarbanes-Oxley requirements, etc.• Other:• Belgium

o Provide control awareness trainings to managers (new recruitedmanagers: as part of company introduction program; newlypromoted managers - individually; newly acquired companymanagement team; etc.)

o Implementing total quality related frameworks (e.g., EFQM)• U.K. Ireland

o Refocused internal audit on role of providing objective assurance incontext of organization's overall assurance framework

o Introducing full risk-based internal auditing• U.S.

o Analytical (audit) reviewso Is there a need to address independence if internal audit is used to

“introduce erp,” implement knowledge systems and develop erm-how to audit?

o Regulatoryo Attorney client privilege work



Emerging trends in internal auditing: (Cont.) Yes No• Asia

o Audit time recording system of allocation of audit hours• Italy

o Supporting internal control system definition in BPR projectso Web-based training for personnel according to D.Lgs 231/01

requirements

Certification: Yes No• Need for certification exams for audit managers and CAEs above 45 17

CIA certificate. Already part of the “adherence to Standards”?• Other:• Belgium

o Need for a CIA more oriented toward non-profit organizations• U.K. Ireland

o Need for specific qualification or certification for internal auditorso Need for certification for practicing internal auditors

• U.S.o Certifications for seniors (level below mgrs)o Skills needed - CISA, CFE, etc.

• Asiao Specialized internal auditing certifications CGAP for public sector,

CFSA for financial services auditor• Italy

o CPA, ACFE, CSA

Salaries: Yes No• Entry-level salary at each audit position 42 18• How internal audit salaries compare with managers at similar levels 45 16

in the organization• Other:• U.K. Ireland

o How internal audit salaries for those with internal audit qualificationscompare

• U.S.o Does IA have possibility to rotate to another position within the

company? How often does it happen? What is the average time IAstays within the IA function?

o Staff levels to include bonus and option programs



Salaries: (Cont.) Yes Noo Mobility within the organization - how many transfers to the

departments, functions?o Changes too often and varies globallyo Incentive compensation - bonuses, stock options

• Asiao Essential criteria for CAEs and staff, i.e., degree

• Italyo Other benefits

Audit Methods, Tools, and Techniques: Yes No• ACL, Idea, SAS 59 3• Control self-assessment 57 6• Continuous auditing 52 11• Electronic workpapers 58 3• Sampling 59 4• Data mining 54 8• Whistle-blowing hot line 49 13• Comparisons of performance measures to targets in entity’s objectives 52 9• Flowchart software 46 15• Other:• Belgium

o Generic office IT tools/groupware• U.S.

o Outsourcing of highly technical/specialized reviewso Lotus Noteso Issue tracking repositorieso Intranet portalso Knowledge management

• Asiao PowerPoint presentations for audit

• Italyo Process Modeling Softwareo Risk assessment (No: control risk self-assessment)

• South Africao Include ERM, benchmarking, QAR, the IA process - procedures,

e.g., compliance, substantive and analytical - Refer PA 2320



Auditee Skill Set (at each level): Yes No• Organization 56 7• Interpersonal 57 6• Writing 57 5• Critical thinking 56 7• Ability to do root cause analysis 53 9• Negotiation 56 7• Conflict resolution 57 6• Interview 57 5• Other:• Belgium

o IT skills (knowledge of company ERP capabilities and controlfeatures + use of system to prepare projects and substantiate findings)

o Synthesis: know how to extract just that information that is necessaryto put context around a finding and recommendation

• U.K. Irelando Influencingo Presentation of complex results

• U.S.o Computer skillso Foreign languageso Strategic agilityo Facilitationo Consensus buildingo Teamwork

• Asiao Communicationo Time managemento Judgmento Business acumen

• Italyo Corporate crime, fraud

• Franceo Courage



Other: Please list “Other” topics that you would like to include in the survey: Yes No• Belgium

o Interaction between internal and external audito Co-sourcing/outsourcingo Auditor’s career: recruitment into internal audit and/or internal move

“in”/career path with internal audit and/or internal move “out”/externalmove “out”

• U.K. Irelando Knowledge areas are too narrow: should include governance, ethics,

ethnographic methodso Involvement in corporate social responsibilityo Benchmarking regarding I.A. size (i.e., no. of employees, mixture of

qualified and non-qualified staff, types of qualification of I.A. staff, etc.)• U.S.

o How is the internal audit plan developed, on the basis of what information(scoping using risk assessment, particular needs of BU, fraudinvestigation, what is the % of each component)?

o What is the duration of the audit plan (1 year, 3 years, etc.)? How oftenis it revised?

o Whom does the IA report to (audit committee, CEO, CFO, etc…arethey independent?

o How is the IA founded: special budget, re-invoiced to BU, etc…?What is the budget?

o What are the yearly training expenses?o Does IA use any indicator to measure its performance? If yes, what are

they?o The views expressed are solely my own and do not necessarily reflect

to the position of Fidelity Investments or its associateso Trend toward outsourcing/partneringo Resource management and planningo Internal audit department structure and geographic locationso Global focuso Reporting relationship of CAE to board/audit committee, CEO, CFO,

“Other”o Frequency of private meeting of CAE and board/audit committee

chair/committee - never, once per year, etc.o Asset size of company/annual saleso Number of internal auditors



Other: Please list “Other” topics that you would like to include in Yes Nothe survey: (Cont.)

o Annual audit department salaries & benefitso Public/private/other org.o Core competency frameworko Soft skill developmento Training and developmento Career pathingo Knowledge management

• Asiao Will 1312 review be completed by Jan 1, 2007o Probity auditingo Project managemento Standardization of audit reportso Freedom of information/privacy concernso Performance indicators for internal audito Standardization of ranking audito Balanced scorecards for internal audito Disclosure and confidentiality principles for internal audito International auditing standards (Global)o Globalization of auditing professiono Academic qualifications for internal audit in tertiary institutionso Career planning for internal audito Marketing of the internal audit activityo “Recognized Professional Association”o Benchmarking of internal audito Introduce CAE within organization for signoff on internal controlso Ratio of internal audit cost vs. external audit costo Boardroom skillso Personnel management skillso Managerial skillso Split information required for financial audit between financial control

work and supporting/interacting on external audit worko Emerging new technology and trends in business that impact audito New business organizational formations that affect audit capability



Other: Please list “Other” topics that you would like to include in Yes Nothe survey: (Cont.)

• Italyo Information about staff and outsourcingo Role of the Collegio sindacale

− The relationship between the collegio sindacale and the internal auditunit (collegio sindacale is a specific body of the Italian corporategovernance system). The features involves in this relationship couldconcern:∗ The support of the collegio sindacale to the internal audit

independence.∗ The review of the audit plan.∗ The communication of audit results to the collegio sindacale.∗ Other.

o Planning and priority settingo Role of the collegio sindacale in the Italian corporate governance

system and the relationship with the internal audit department.• France

o How do IA, MA, compliance, quality control, and “Other” controlfunctions fit together?

o What are the job positions in internal auditing?o How can we go from one position to another?o How to be prepared to get out of the audit department to disseminate

the control culture.• South Africa

o Environmental auditingo QARo ISO standards relating to internal auditing, e.g., ISO 14000, etc.



APPENDIX 10-B

Topical Areas That Are Addressed inPast and Current IIA CBOK Studies

Gabeil Barrett et al. Albrecht et al. Birkett et al. CBOK(1972) (1985) (1991) (1999) (2006)

Accounting Accounting* Accounting** Accounting Accounting***Auditing Auditing Auditing Auditing Auditing@

Audit Committee/Oversight CommitteeAudit Plan

Behavioral Behavioral Skills/Sciences Technical

Skills/CompetenciesCommunications Communications Communications Communications Communications

Competency Benchmarks/QualityAssessment, AssessmentBenchmark,CompetencyStandards

Government Compliance/ Compliance/Government RegulationsCorporate CorporateGovernance Governance

Computers Basis Computer SoftwareUsed in the Audit

Computers & Computer & Computers & Computers & InformationSystems Information Information Information Technology

Systems Systems SystemsConsulting/AdvisoryServices

Data Gathering Data Data Mining& Delivery Warehousing

*Specifies as financial, management, and government accounting**Specifies as financial and managerial accounting***Financial and managerial accounting as well as specialized accounting appropriate for the type of organization



Topical Areas That Are Addressed inPast and Current IIA CBOK Studies (Cont.)


Economics Economics EconomicsEthics Ethics Ethics/Ethics Audits

Expertise Expertise (Experience,(Experience, Knowledge, Skills)Knowledge, Skills)

ExternalRelationsFinance & Finance Finance Finance FinanceControl

Forensic ForensicAccounting/ Accounting/Auditing Auditing

Fraud FraudFuture of the Emerging IssuesProfession andInfluencing FactorsIA Staff Position IAA Position in thein Organizations OrganizationInternal Auditor’s Internal Auditor’sWork Environment, Work Environment,Context, Population, Context, Population,and Scope of Work and Scope of Work

International International/culture International/Globalization/Culture

Legal Aspects Legal Aspects Legal Aspects Legal Regulationsof Business of Business (Commercial and

Regulatory Law)Secretarial& LegalManagement Management Management Managementand theManagementFunctions



Topical Areas That Are Addressed inPast and Current IIA CBOK Studies (Cont.)


Marketing Marketing & Marketing Marketing MarketingDistributionOrganizations Organizations/

IndustriesOrganizational Organizational OrganizationalBehavior Behavior Behavior

Outsourcing/Co-sourcing theAudit/AuditFunction

PersonnelAdministration

Professional ProfessionalQualification, Qualifications,Education, Education,Development, Development,Training Training

ProductionNeed for a Global ProfessionalValidated PracticesFramework Framework(CommonLanguage, GlobalProfession ofInternal Auditing)

Quantitative Statistics Quantitative Quantitative StatisticsMethods Methods Methods

& Statistics & StatisticsResearch & R&D AuditDevelopment

Reasoning Reasoning Reasoning ReasoningRisk Control/ Risk ManagementInternal Control and Control/Internal

ControlRole of the CAE

Taxes Taxes Taxes



APPENDIX 10-CCBOK 2006 CAE AND PRACTITIONER

QUESTIONNAIRE

Note: This is the final English Questionnaire. On the next two pages is a summary ofwhich questions were on both, on just CAE, or on just Practitioner questionnaire. TheIIA combined the two questionnaires as some of the questions appeared on bothquestionnaires.

The Institute of Internal Auditors Research FoundationCOMMON BODY OF KNOWLEDGE (CBOK) 2006

Chief Audit Executive (CAE) or Service Provider Equivalent,Head of Internal Audit Activity,

Engagement Leader, or Service Provider Principal

Welcome to the Common Body of Knowledge (CBOK) 2006! You are about to participate in oneof the most important projects ever undertaken by The IIA Research Foundation. CBOK will helpUnderstand, Guide, and Shape the future of Internal Auditing! Your participation will ensure thisproject is a success.

We anticipate that this survey will take approximately 40 minutes of your valuable time. All of youranswers will be strictly confidential and will not be associated with your personal information ororganization information. Please answer the questions honestly.

Please complete the survey in one session. If you have any technical problems or questions, pleasesend an e-mail to [email protected].

At the end of the survey you will be given the opportunity to enter an optional drawing for twenty-five US$200 VISA Gift Cards.



Questions for CAE and Practitioner (Per Word file version)

Question Question Description Both CAE PractitionerNumber

Part I Personal/Background Information1a How long member *1b Affiliate/Chapter *2 Age *3 Level of Education *4 Academic Major *5 Organization Position *6 Professional Qualification *7 Total Professional Experience *8 Total Years as CAE, GA, TAP, VP *9 Reporting Status *10 Training hours over last 36 months *11 Training hours over last 12 months *12 Type of organization you work in *13 Classification of the industry you offer *

internal audit services14 Organization Size - (total employees, assets, *

revenue)15 Area Served *16 How long has your organization existed? *17a Does organization have an Internal Audit Activity *

(IAA)?17b How long has the IAA existed? *18 Organization Documents *19 Who is involved in appointing the CAE? *20 Who evaluates CAE’s performance *21 Is there an Audit Committee? *22a Number of Audit Committee meetings *22b Number of Audit Committee meeting invitations *22c Number of Audit Committee meetings attended *22d Meet Audit Committee in addition to regular *

meetings?23 Have appropriate access to Audit Committee? *24 How is value added by IAA measured? *




25a How many times is the audit plan updated? *25b How do you establish audit plan *26a Provide IA services to external organizations? *26b External Organizations that receive IA services *26c Do you agree with the statements below? *27 Number of Staff in IAA *28 Incentives to hire IA professionals *29 Methods to fill staff vacancies *30 Methods to compensate for missing skills *31 Percentage of activities out or co-sourced *32 Will budget for out/co-sourced activities change? *33 Number of Members who have Certifications *34 Need additional certification beyond CIA? *35 Method of staff evaluation *36 Frequency of training *37 Use IIA’s Int’l Standards in whole or part? *38 Guidance from International standard Adequate? *39 Standard of Professional Practices Framework *

adequate?40 Reasons for not using The IIA’s Int’l Standards *41 IAs have quality assessment and improvement *

program?42 When was last formal internal quality *

assessment?43 When was last formal internal quality *

assessment?44 Activities performed as part of IAA quality *

assessment45 Who performs following activities/audits? *46 Percentage time spent on the following activities *47 Resolution of major differences *48 Who reports auditing findings to management *49 Who monitors corrective actions? *50 How much is IA going to use the following *

audit tools?




51 Behavioral skills for staff *52 Technical skills for staff *53 Competencies for staff *51a Important behavioral skills *52a Important technical skills *53a Important competencies *53b Importance of certain knowledge *54 Will changes in the IAA scope occur? *55 Roles of IAA *56 Indicate whether statements apply to *

organization

I. Personal/Background Information

Note: Background information will be used anonymously for aggregate data analysis. No individualinformation will be revealed in research reports.

1a. How long have you been a member of The IIA?1-5 years6-10 years11 years or moreI am not a member of The IIA (Skip to question 2.)

1b. Please select your IIA Affiliate or if you are located in North America or the Caribbean, pleaseselect your Chapter. Affiliate: _______________ Chapter: ________________

2. Your age: _________

3. Your highest level of formal education (not certification) completed:Secondary/High School EducationBachelors/Diploma in BusinessBachelors/Diploma in fields other than BusinessMasters/Graduate Degree/Diploma in BusinessMasters/Graduate Diploma in fields other than BusinessDoctoral DegreeOther



4. Your academic major(s): (Please mark all that apply.)AccountingArts or HumanitiesAuditingComputer ScienceEconomicsEngineeringFinanceGeneral Business/ManagementInformation SystemsInternal AuditingLawMathematics/StatisticsScience or Technical FieldOtherNo degree

5. Your position in the organization:Chief Audit Executive/General Auditor/Top Audit Position/Vice President - Audit/Service Provider EquivalentInternal Audit Management/Service Provider ManagementInternal Audit Senior or Supervisor/Service Provider Senior or SupervisorInternal Audit Staff/Service Provider StaffSupport Staff (administration, secretarial, and clerical)Other

6. Your professional qualification(s): (Please mark all that apply.)Internal Auditing (such as CIA/MIIA/PIIA)Information Systems Auditing (such as CISA/QiCA/CISM)Government Auditing/Finance (such as CIPFA/CGAP/CGFM)Control Self-Assessment (such as CCSA)Public Accounting/Chartered Accountancy (such as CA/CPA /ACCA/ACA)Management/General Accounting (such as CMA/CIMA/CGA)Accounting - technician level (such as CAT/AAT)Fraud Examination (such as CFE)Financial Services Auditing (such as CFSA/CIDA/CBA)Fellowship (such as FCA/FCCA/FCMA)Certified Financial Analyst (such as CFA)Other



7. Specify your total years of professional experience using the following categories: (Use wholenumbers.)

Service Years in Years in Years in Years inProvider Private Publicly/ Govern- Not-for-

Company Listed mental ProfitCompany

a. Accounting _____ _____ _____ _____ ______b. Engineeringc. External (Independent)

Auditing _____ _____ _____ _____ ______d. Financee. Information Technology _____ _____ _____ _____ ______f. Internal Auditing _____ _____ _____ _____ ______g. Management _____ _____ _____ _____ ______h. Other Professional

Experience _____ _____ _____ _____ ______

Total Professional Experience _____ _____ _____ _____ ______

8. How many total years have you been the Chief Audit Executive/General Auditor/Top AuditPosition/Vice President - Audit/Service Provider equivalent at your current organization andprevious organizations you have worked for? Years: __________

9. Your reporting status in your organization is:Staff position reporting to a managerManagerial position reporting to executive management/high-level government officialOfficer position reporting to the executive management/high-level government officialIndependent position reporting to the audit committee of the board/oversight boardOther

10. On average, how many hours of formal training have you received over the last 36 monthperiod or while you have been in the Internal Audit Activity if less than three years? Trainingincludes, but is not limited to seminars, conferences, workshops, and in-house informationsessions provided by either your organization or another organization.Hours: ____________

11. How many hours of training over a 12-month period are required by law/statute where youwork?Hours: ____________



II. Your Organization

Note: Organization information will be used anonymously for aggregate data analysis. No individualorganization information will be revealed.

12. The type of organization for which you currently work:Service Provider/ConsultantPublicly Traded (Listed) CompanyPrivately Held (Non-listed) CompanyPublic Sector/GovernmentNot-for-Profit OrganizationOther

13. The broad industry classification(s) of the organization for which you work or provide internalaudit services: (Please mark all that apply.)

Agricultural/ForestryBanking/Financial Services/Credit UnionBuilding and ConstructionCommunication/TelecommunicationConsumer GoodsEducationFinancial, Accounting, and/or Business ServicesHealthcareHospitality/Leisure/TourismInsuranceManufacturingMining and OilNon-Professional ServicesPharmaceutical/ChemicalProfessional ServicesReal EstateRetail/WholesaleTechnologyTrade ServicesTransport and LogisticsUtilitiesOther



14. Size of the entire organization for which you work as of December 31, 2005 or the end of thelast fiscal year: (Please use whole numbers and no abbreviations: use 1,000,000 not 1M.)

Total Employees (Full-time Equivalent):Employees: ___________________

Total Assets (U.S. Dollar Equivalent):Assets: _______________________

Total Revenue or Budget if Government or Not-for-Profit (U.S. Dollar Equivalent)Revenue: _____________________

15. Is your organization:LocalState/ProvincialRegionalNationalInternational/Multinational

16. How long has your organization been in existence?Years: _________________

III. Internal Audit Activity

17a. Does your organization have an Internal Audit Activity or provide Internal Audit services?YesNo (Skip to question 18.)

17b. If yes, for how long? (Please use whole numbers only.)Years:

18. Which of the following documents exist in your organization? (Please mark all that apply.)Corporate Governance CodeLong-term Strategic Plan for the OrganizationAudit Oversight/Committee CharterInternal Audit CharterMission Statement for the Internal Audit ActivityInternal Audit Operating Manual/Policy Statement



Corporate Ethics Policy/Code of Ethics/Code of ConductAnnual Internal Audit Plan/Rolling Audit Plan/Quarterly Audit PlanLong-term Audit Plan (longer than 1 year)Internal Audit Risk Assessment (to determine what areas to audit)

19. Who is involved in appointing the Chief Audit Executive/General Auditor/Top Audit Position/Vice President - Audit/Service Provider equivalent? (Please mark all that apply.)

Chairperson of the BoardChief Executive OfficerAudit Committee/Oversight Committee/Committee ChairpersonChief Financial OfficerAnother person reporting to CFOOther

20. Who evaluates your performance? (Please mark all that apply.)Board of DirectorsChairperson of the BoardChief Executive OfficerAudit Committee/Oversight Committee/Committee ChairpersonSenior ManagementAuditee/Client at the end of auditSupervisor periodicallyPeers/Subordinates periodicallyNot evaluated

21. Is there an Audit Committee/Oversight Committee or equivalent in your organization?YesNo (Skip to question 24.)

22a. Number of Audit Committee/Oversight Committee meetings held in the last fiscal year:Number: _______________

22b. Number of Audit Committee/Oversight Committee meetings you were invited to attend (entirelyor in part) during the last fiscal year:Number: ______________

22c. Number of Audit Committee/Oversight Committee meetings you attended (entirely or in part)during the last fiscal year:Number: ______________



22d. Do you meet with the Audit Committee/Oversight Committee/Chairperson in addition to theregularly scheduled meetings?

Yes No

23. Do you believe that you have appropriate access to the Audit Committee/Oversight Committee?Yes No

24. How does your organization measure the value added by the Internal Audit Activity? (Pleasemark all that apply.)

Customer/Auditee surveys from audited departmentsRecommendations accepted/implementedCost savings and improvements from recommendations implementedNumber of management requests for internal audit assurance or consulting projectsReliance by external auditors on the Internal Audit ActivityBudget to actual audit hoursCycle time from entrance conference to draft reportNumber of major audit findingsOtherNo formal measurement of value added

25a. How frequently do you update the audit plan?Multiple times per yearEvery yearEvery two yearsMore than every two yearsNo audit plan (Skip to question 26.)

25b. How do you establish your audit plan? (Please mark all that apply.)Use of a risk-based methodologyConsult previous years audit planConsultation with divisional or business headsRequests from managementAudit Committee/Oversight Committee requestsCompliance/regulatory requirementsRequests from or consultation with external auditorsOther

26a. Are you currently a service provider of internal audit services to external organizations?YesNo (Skip to question 27.)



26b. What is the number of external organizations to which you provide internal audit services?Number: ________________

Note: If you have identified yourself as a provider of internal audit services to externalorganizations, whenever you see the phrase “Internal Audit Activity” please answerthe question based on your experiences as a service provider, not as an internalauditor for your organization.

26c. Please indicate your agreement with the following statements as they relate to your currentorganization or organizations that you audit.

1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree

____ a. Your Internal Audit Activity is an independent objective assurance and consultingactivity.

____ b. Your Internal Audit Activity adds value.____ c. Internal Audit brings a systematic approach to evaluate the effectiveness of risk

management.____ d. Your Internal Audit Activity brings a systematic approach to evaluate the

effectiveness of internal controls.____ e. Your Internal Audit Activity brings a systematic approach to evaluate the

effectiveness of governance processes.____ f. Your Internal Audit Activity proactively examines important financial matters,

risks, and internal controls.____ g. Your Internal Audit Activity is an integral part of the governance process by

providing reliable information to management.____ h. The way our Internal Audit Activity adds value to the governance process is

through direct access to the Audit Committee.____ i. Your Internal Audit Activity has sufficient status in the organization to be effective.____ j. Independence is a key factor for your Internal Audit Activity to add value.____ k. Objectivity is a key factor for your Internal Audit Activity to add value.____ l. Your Internal Audit Activity is credible within your organization.____ m. Compliance with The IIA’s International Standards for the Professional

Practice of Internal Auditing is a key factor for your Internal Audit Activity toadd value to the governance process.

____ n. Compliance with The IIA’s Code of Ethics is a key factor for your Internal AuditActivity to add value to the governance process.



IV. Staffing

27. How many staff are in your Internal Audit Activity? Temporary or co-sourced staff should beincluded to the nearest full-time equivalent.

Full-time Part-time

CAE/General Auditor/Top Audit Position/Service ProviderEquivalent/Vice President - Audit ______ ____

Internal Audit Managers ______ ____

Internal Audit Supervisors ______ ____

Internal Audit Staff ______ ____

External Auditors (co-sourced) ______ ____

Contract Audit Staff (co-sourced) ______ ____

Support Staff (Administrative, Secretarial, and Clerical) ______ ____

Other ______ ____

28. Is your organization currently offering any special incentives to hire internal audit professionals?(Please mark all that apply.)

Relocation expensesSigning bonusStock optionsAccelerated raisesVehicle provided by the organizationTransportation allowanceOther

29. What methods do you use to make up for staff vacancies? (Please mark all that apply.)Facilitate Control Self-assessments in place of auditsReduce areas of coverageIncreased use of audit software



Borrowing staff from other departmentsCo-sourcing from internal audit service providersNo vacanciesOther

30. What methods is your organization employing to compensate for missing skill sets (e.g., ITaudit, statistical analysis)? (Please mark all that apply.)

Reduce areas of coverageMore reliance on audit softwareBorrowing staff from other departmentsCo-sourcing/outsourcingNo missing skill setsOther

31. What percentage of your Internal Audit Activity activities are currently outsourced / co-sourced?

No outsourcing/co-sourcing0-10 %11-20%21-30%31-40%41-50%51-60%61-70%71-80%81-90%91-100%

32. Do you anticipate that your budget for outsourced/co-sourced activities will change in the nextthree years?

IncreaseDecreaseRemain the same



33. How many members of the Internal Audit Activity hold the following certifications? If a staffmember has more than one certification, include them in all applicable categories.

NumberInternal Auditing (such as CIA/MIIA/PIIA)

Information Systems Auditing (such as CISA/QiCA/CISM)

Government Auditing/Finance (such as CIPFA/CGAP/CGFM)

Control Self-Assessment (such as CCSA)

Public Accounting/Chartered Accountancy (such as CA/CPA/ACCA/ACA)

Management/General Accounting (such as CMA/CIMA/CGA)

Accounting - technician level (such as CAT/AAT)

Fraud Examination (such as CFE)

Financial Services Auditing (such as CFSA/CIDA/CBA)

Fellowship (such as FCA/FCCA/FCMA)

Certified Financial Analyst (such as CFA)

Other

34. Do you see a need for additional certification beyond the CIA for audit managers and CAEs?a. Need for additional certification exams for audit managers Yesb. Need for additional certification exams for CAEs No

35. What method of staff evaluation do you use? (Please mark all that apply.)By supervisor periodically Customer/auditee feedbackPeers/subordinates periodically Other



36. How frequently do you and your staff receive the following types of training?

More frequently than annuallyAnnuallyLess frequently than annuallyAs neededNever

a. Standards and professional practices ___________________________________

b. Basic/advanced technology ___________________________________

c. Anti-fraud techniques ___________________________________

d. Ethics training ___________________________________

e. Communication skills ___________________________________

f. Team-building skills ___________________________________

V. Internal Auditing Standards

37. Does your organization use The IIA’s International Standards for the Professional Practiceof Internal Auditing in whole or in part? If you are a service provider do you use The IIA'sInternational Standards for the Professional Practice of Internal Auditing in whole or inpart for your audits of your clients?

YesNo (Skip to question 40.)



38. If your Internal Audit Activity follows any of The IIA’s International Standards for theProfessional Practice of Internal Auditing, please indicate if the guidance provided bythese standards is adequate for your Internal Audit Activity and if you believe your organizationcomplies with the Standards.

[provide links to all below] Guidance is Your OrganizationAdequate is in Compliance

Yes Yes, fullNo complianceDo not use Yes, partialI do not complianceknow No, not in

complianceI do not know

AS 1000 - Purpose, Authority, and Responsibility

AS 1100 - Independence and Objectivity

AS 1200 - Proficiency and Due Professional Care

AS 1300 - Quality Assurance and Improvement

PS 2000 - Managing the Internal Audit Activity

PS 2100 - Nature of Work

PS 2200 - Engagement Planning

PS 2300 - Performing the Engagement

PS 2400 - Communicating Results

PS 2500 - Monitoring Progress

PS 2600 - Resolution of Management’s Acceptance of Risks



39. If your Internal Audit Activity uses any of the Practice Advisories provided by The IIA in theInternational Professional Practices Framework, indicate if they are adequate for your InternalAudit Activity. If your organization does not use any of the Practice Advisories, skip to question40.

[provide links to all below] Guidance isAdequate

YesNoDo Not Use

AS 1000 - Purpose, Authority, and Responsibility

AS 1100 - Independence and Objectivity

AS 1200 - Proficiency and Due Professional Care

AS 1300 - Quality Assurance and Improvement

PS 2000 - Managing the Internal Audit Activity

PS 2100 - Nature of Work

PS 2200 - Engagement Planning

PS 2300 - Performing the Engagement

PS 2400 - Communicating Results

PS 2500 - Monitoring Progress

PS 2600 - Resolution of Management’s Acceptance of Risks



40. What are the reasons for not using The IIA’s International Standards for the ProfessionalPractice of Internal Auditing, in whole or in part? (Please mark all that apply.) Skip toquestion 41 if your organization is in full compliance with The IIA’s International Standardsfor the Professional Practice of Internal Auditing.

Standards or Practice Advisories are too complexNot appropriate for small organizationsToo costly to complyToo time consumingSuperseded by local/government regulations or standardsNot appropriate for my industryCompliance not supported by management/boardNot perceived as adding value by management/boardInadequate Internal Audit Activity staffCompliance not expected in my countryOtherPlease explain: _______________________________________________________

41. Does your Internal Audit Activity have a quality assessment and improvement program inplace in accordance with The IIA’s International Standards for the Professional Practiceof Internal Auditing Standard 1300?

Yes, currently in placeTo be put in place within the next twelve monthsNo plans to put in place in the next twelve monthsYour quality assurance program is not in accordance with Standard 1300I do not know

42. When was your Internal Audit Activity last subject to a formal internal quality assessment,periodic or ongoing, in accordance with The IIA’s International Standards for the ProfessionalPractice of Internal Auditing Standard 1311 on internal assessments?

Scheduled to be completed prior to January 1, 2007, but not yet completedWithin the last 12 months1-3 years ago4-5 years agoMore than 5 years agoNeverThe internal review was not done in accordance with Standard 1311I do not know



43. When was your Internal Audit Activity last subject to a formal external quality assessment inaccordance with The IIA International Standards for the Professional Practice of InternalAuditing Standard 1312 on external assessments?

Scheduled to be completed prior to January 1, 2007, but not yet completedWithin the last 12 months1-3 years ago4-5 years agoMore than 5 years agoNeverThe external review was not done in accordance with Standard 1312I do not know

44. For your Internal Audit Activity, which of the following activities are performed as part of yourinternal audit quality assessment and improvement program? (Please mark all that apply.)

Verification that the Internal Audit Activity is in compliance with The IIA’s InternationalStandards for the Professional Practice of Internal AuditingCompliance with non-IIA standards or codesInternal audit professionals are in compliance with The IIA’s Code of EthicsChecklists/manuals to provide assurance that proper audit processes are followedEngagement supervisionFeedback from audit customers at the end of an auditReviews by other members of the Internal Audit ActivityReview by external partyI do not knowNot applicable



VI. Audit Activities

45. Please indicate who performs the following activities and/or audits: (Please mark all that apply.)

Internal AuditActivityOtherdepartmentin theorganizationCo-sourcedOutsourcedNot Performed

a. Administrative (audit plan, assign tasks)

b. Business viability assessments

c. Compliance with company privacy policies

d. Compliance with corporate governance and regulatorycode requirements

e. Control framework monitoring and development

f. Corporate takeovers/mergers

g. Enterprise risk management

h. Ethics audits

i. External audit assistance

j. Health, safety, and environment

k. Financial auditing

l. Information risk assessment



m. Information technology department assessment

n. Internal auditing

o. Internal control testing/systems evaluation

p. Investigations of fraud and irregularities

q. Linkage of strategy and company performance

r. Management effectiveness review/audit

s. Operational audits

t. Project management

u. Quality assessment of internal audit activity

v. Quality/ISO audits

w. Resource management and controls

x. Security issues

y. Social and sustainability audits

z. Special projects

aa. Technical competency training for auditors



46. Please estimate the percentage of time spent by the Internal Audit Activity on each of thefollowing activities for the most recent fiscal year:

3 Years Currently 3 YearsAgo From Now

a. Compliance audits (laws, regulations,and policy ______ ______ ______

b. Consulting/Advisory ______ ______ ______

c. Financial process audits (includingassistance to the external auditor) ______ ______ ______

d. Fraud investigations (forensicaccounting/auditing) ______ ______ ______

e. Governance (ethics, control framework,regulatory, linkage of strategy andcompany performance) ______ ______ ______

f. Information technology audits ______ ______ ______

g. Operational ______ ______ ______

h. Management audits ______ ______ ______

i. Other ______ ______ ______

Total should add to 100% in each column ______ ______ ______



47. If major differences arise around audit issues (audit results versus policy or between auditorand auditee/client), when are they resolved?

NeverRarelySometimesUsuallyAlways

During planning

During audit fieldwork

During audit reporting

After audit report is issued

Never

48. After the release of an audit report in the organization, who has the primary responsibility forreporting findings to senior management?

Auditee/clientChief Audit Executive/General Auditor/Top Audit Position/Vice President - Audit/ServiceProvider equivalentInternal auditor managerBoth internal audit manager and auditee/clientBoth Chief Audit Executive and auditee/clientOtherNo formal reporting of results

49. After the release of an audit report with findings that need corrective action, who has theprimary responsibility to monitor that corrective action has been taken?

Auditee/clientInternal auditorBoth internal audit and auditee/clientNo formal follow-upOther



VII. Tools, Skills, and Competencies

50. Indicate the extent the Internal Audit Activity uses or plans to use the following audit tools /techniques on an audit engagement:

1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used, 5 = Extensively Used

Currently Plan to useUsed in the next

3 years1 12 23 34 45 5

a. Analytical review

b. Balanced scorecard or similar framework

c. Benchmarking

d. Computer Assisted Audit Techniques

e. Continuous/real-time auditing

f. Control Self-assessment

g. Data mining

h. Electronic workpapers

i. Flowchart software

j. Other electronic communication (e.g., Internet, e-mail)

k. Process mapping application

l. Process modeling software



m. Risk-based audit planning

n. Statistical sampling

o. The IIA’s Quality Assessment Review tools

p. Total quality management techniques

51. Please mark the five most important of the following behavioral skills for each professionalstaff level to perform their work. (Behavioral skills are actions towards others measured bycommonly accepted standards and management of one’s own actions).

Staff Supervisor Management Head ofAudit

Activity

a. Confidentiality

b. Facilitating

c. Governance and ethics sensitivity

d. Interpersonal skills

e. Leadership

f. Objectivity

g. Relationship building

h. Staff management

i. Team building

j. Team player

k. Working independently

l. Work well with all levelsof management



52. Please mark the five most important of the following technical skills for each level of professionalstaff to perform their work. (Technical skills are using terminology or subject matter in aparticular field)


Activity

a. Data collection and analysis

b. Financial analysis

c. Forensic skills/Fraud awareness

d. Identifying types of controls(e.g., preventative, detective)

e. Interviewing

f. ISO/quality knowledge

g. Negotiating

h. Research skills

i. Risk analysis

j. Statistical sampling

k. Total Quality Management

l. Understanding business

m. Use of information technology



53. Please mark the five most important of the following competencies for each level of professionalrank to perform their work. (Competencies are skills essential to perform certain tasks).


Activity

a. Ability to promote the InternalAudit Activity within theorganization

b. Analytical (ability to workthrough an issue)

c. Change management

d. Communication

e. Conflict resolution

f. Critical thinking

g. Conceptual thinking

h. Foreign language skills

i. Keeping up to date withprofessional changes inopinions, standards andregulations

j. Organization skills

k. Presentation skills

l. Problem identificationand solution




Activity

m. Project planning andmanagement

n. Report development

o. Time management

p. Training and developing staff

q. Understanding complexinformation systems

r. Writing skills

51a. Please indicate the importance of the following behavioral skills for you to perform your workat your position in the organization. (Behavioral skills are actions towards others measured bycommonly accepted standards and management of one's own actions).

Rank from 1 (minimally important) to 5 (very important)

___ a. Confidentiality

___ b. Facilitating

___ c. Governance and ethics sensitivity

___ d. Interpersonal skills

___ e. Leadership

___ f. Objectivity

___ g. Relationship building

___ h. Staff management



___ i. Team building

___ j. Team player

___ k. Working independently

___ l. Work well with all levels of management

52a. Please indicate the importance of the following technical skills for you to perform your workat your position in the organization (Technical skills means using terminology or subject matterin a particular field).


___ a. Data collection and analysis

___ b. Financial analysis

___ c. Forensic skills/Fraud awareness

___ d. Identifying types of controls (e.g., preventative, detective)

___ e. Interviewing

___ f. ISO/quality knowledge

___ g. Negotiating

___ h. Research skills

___ i. Risk analysis

___ j. Statistical sampling

___ k. Total Quality Management

___ l. Understanding business

___ m. Use of information technology



53a. Please indicate the importance of the following competencies for you to perform your work atyour position in the organization (Competencies are skills essential to perform certain tasks).


___ a. Ability to promote the Internal Audit Activity within the organization

___ b. Analytical (ability to work through an issue)

___ c. Change management

___ d. Communication

___ e. Conflict resolution

___ f. Critical thinking

___ g. Conceptual thinking

___ h. Foreign language skills

___ i. Keeping up to date with professional changes in opinions, standards, and regulations

___ j. Organization skills

___ k. Presentation skills

___ l. Problem identification and solution

___ m. Project planning and management

___ n. Report development

___ o. Time management

___ p. Training and developing staff

___ q. Understanding complex information systems

___ r. Writing skills



53b. How important are the following areas of knowledge for satisfactory performance of your jobat your position in the organization?


___ a. Accounting

___ b. Auditing

___ c. Business law and government regulation

___ d. Business management

___ e. Changes to professional standards

___ f. Enterprise risk management

___ g. Ethics

___ h. Finance

___ i. Fraud awareness

___ j. Governance

___ k. Human resource management

___ l. Internal auditing standards

___ m. Information technology

___ n. Managerial accounting

___ o. Marketing

___ p. Organization culture

___ q. Organizational systems



___ r. Strategy and business policy

___ s. Technical knowledge for your industry

VIII. Emerging Issues

54. Do you perceive likely changes in the role of the Internal Audit Activity in the organization overthe next 3 years?

IncreaseDecreaseStay the same

a. Review of financial processes

b. Risk management

c. Governance

d. Regulatory compliance

e. Operational auditing

55. Please identify the roles that the Internal Audit Activity currently has in your organization orwill have in the next 3 years. Role means that it is within the scope of your work.

Currently have a roleLikely to have a role withinthe next 3 yearsUnlikely to have a roleNot applicable

a. Alignment of strategy and performancemeasures (e.g., Balanced Scorecard)

b. Benchmarking

c. Corporate governance

d. Corporate social responsibility



e. Develop training and education oforganization personnel (e.g., internalcontrols, risk management, regulatoryrequirements)

f. Disaster recovery

g. Evidential issues

h. Emerging markets

i. Environmental sustainability

j. Executive compensation

k. Fraud prevention/detection

l. Globalization

m. Intellectual property and knowledgeassessment

n. IT management assessment

o. Knowledge management systemsdevelopment review

p. Mergers and acquisitions

q. Project management

r. Provide training to the audit committee

s. Regulatory compliance assessment monitoring

t. Risk management

u. Strategic frameworks



56. Please indicate if the following statements apply to your organization now, in the next 3 yearsor will not apply in the foreseeable future.

Currently ApplyLikely to Apply Withinthe Next 3 YearsWill Not Apply in theForeseeable FutureNot Applicable

a. Internal auditing is required by law or regulationwhere the organization is based.

b. Internal auditors in the organization have anadvisory role in strategy development.

c. The organization complies with a corporategovernance code.

d. The organization has implemented an internalcontrol framework.

e. The organization has implemented a knowledgemanagement system.

f. The Internal Audit Activity has provided trainingto audit committee members.

g. The Internal Audit Activity assumes an importantrole in the integrity of financial reporting.

h. The Internal Audit Activity educates organizationpersonnel about internal controls, corporategovernance, and compliance issues.

i. The Internal Audit Activity places more emphasison assurance than consulting services.

_______________________ The William G. Bishop III, CIA, Memorial Fund Contributors 455


THE WILLIAM G. BISHOP III, CIA,MEMORIAL FUNDCONTRIBUTORS

DIAMOND LEVELAssociation of Certified Fraud ExaminersThe Institute of Internal Auditors (IIA)IIA BaltimoreIIA DallasIIA New YorkIIA Washington, DC

EMERALD LEVELThe Bishop FamilyJane Lee and William L. TaylorThomas J. Warga, CIAJCPenney Company Inc.Jefferson Wells International Inc.Protiviti IncIIA Central IllinoisIIA Central PennIIA Houston

RUBY LEVELRobert Antoine, CIADennis K. Beran, CIA, CCSAJohn J. Fernandes, CIA, CCSAJohn J. Flaherty, CIAJean-Pierre Garitte, CIA, CCSAEric HespenheideAl HolzingerBruce MeiklePatricia K. Miller, CIASandra L. Pundmann

Sridhar Ramamoorti, Ph.D., CIA, CPA,CFE, CFSA, CGAP

Anthony J. Ridley, CIAC. Wayne Rose, CIARichard M. Serafini, CIA, CFSAAmerican Institute of Certified Public

Accountants (AICPA)Asian Confederation of Institute of Internal

Auditors (ACIIA)Association of Healthcare Internal AuditorsFannie MaeMicrosoft CorporationIIA Ak-Sar-BenIIA AlbanyIIA AustinIIA AustraliaIIA Birmingham (AL)IIA Green Mountain (VT)IIA Los AngelesIIA MilwaukeeIIA MontrealIIA NashvilleIIA New ZealandIIA North JerseyIIA NorwayIIA Orange County (CA)IIA PhoenixIIA Southern New EnglandIIA United Kingdom and IrelandIIA VancouverIIA Wichita



FRIEND LEVELUrton L. Anderson, Ph.D., CIA, CCSAAudley L. Bell, CIAAndrew J. Dahle, CIAStephen D. Goepfert, CIATimothy R. HolmesHoward J. Johnson, CIACarman Lapointe-Young, CIA, CCSAJohn M. Polarinakis, CIARalph E. PurpurLarry E. Rittenberg, Ph.D., CIARoderick M. Winters, CIAAssociation of Credit Union

Internal Auditors (ACUIA)MIS Training InstituteSalt River ProjectIIA BaltimoreIIA Central FloridaIIA Central IowaIIA Central KentuckyIIA DetroitIIA Greater BostonIIA IndianapolisIIA Kansas CityIIA Long IslandIIA MadisonIIA MalaysiaIIA MiamiIIA Ocean State (RI)IIA Salem (OR)IIA SaskatchewanIIA St. LouisIIA SwedenIIA TallahasseeIIA TidewaterIIA TulsaIIA Twin CitiesIIA Westchester FairfieldIIA Winnipeg

DONOR LEVELRonald W. Acker, CIABruce Alan Adamec, CIAAugusto BaetaThomas J. BeirneJoanna BerensLucia B. BishopSten Bjelke, CIALeRoy E. Bookal, CIAKaty BrownRobert BullenJudith K. Burke, CCSARichard F. Chambers, CIA, CCSA, CGAPNicolette CreatoreProf. Mortimer Dittenhofer, CIAWilliam J. Duane, CIA, CFSAEdward M. Dudley, CIACharles B. EldridgeIvy N. EstesRobert A. Ferst, CIARobert B. FosterHal A. Garyn, CIAKimberly Parker Gavaletz, CIAGaston L. Gianni, Jr., CGAPAudrey A. Gramling, CIATrish HarrisRudy Hernandez, Jr., CIAGlenn P. Hoffman, CIA, CFSAJohn Gregory HutsellCynthia HuysmanSteven Earl Jameson, CIA, CCSA, CFSAThomas A. Johnson, CIAWendy W. Kerins, CIADonald E. Kirkendall, CIAJoel F. KramerKevin KuntzDaniel B. Langer, CIA, CCSASusan B. Lione, CIA, CCSA, CFSA, CGAPPhilip B. Livingston

_______________________ The William G. Bishop III, CIA, Memorial Fund Contributors 457


Melani P. Lovik, CIAMarjorie A. Maguire-Krupp, CFSAStacy M. Mantzaris, CIA, CCSA, CGAPCarlo L. MastropaoloDorick V. MauroJill E. Mayhew, CIASam Michael McCall, CIARobert N. McDonald, CIABetty L. McPhilimy, CIAGuenther MeggenederT. Fred MillerJames A. MolzahnPerry Glen Moore, CIAWayne G. Moore, CIAKevin M. MorrisseyD. Richard Moyer, CIAJane F. MutchlerDonald J. Nelson, CIAFrank M. O’Brien, CIAAmy B. OwenPaula W. Parker, CIADolores C. Pasto-Ziobro, CIABasil H. Pflumm, CIAJarred and Shannon PittmanDavid PolanskyRobert B. PowellCharity A. Prentice, CIA, CCSA, CGAPWalter D. PughMichael S. Raphael, CIARichard K. RobinsonAnastasia Rodriguez Ford, CIAH. David RosensteinJames P. Roth, Ph.D., CIA, CCSACharles T. Saunders, Jr., CIA, CCSAMitchell James SmithPaul J. Sobel, CIADonald E. SparksPeteris Strazdins, CIAMargaret G. Summers

Johanna S. Swauger, CIA, CCSA, CFSADeborah L. SwordDeborah Wheless Tanju, CIADavid A. Tenney, CIAArchie R. Thomas, CIABena G. Tinsley, CIABonnie L. UlmerDallal Helen Van Hoeck, CIACurtis C. Verschoor, CIADominique Vincenti, CIAH.C. Warner, CIAJohn K. Watsen, CIABilly G. WeathersScott D. White, CIA, CFSADouglas E. Ziegenfuss, Ph.D., CIA, CCSAMichael A. ZowineAmerican International GroupAssociation of College and University Auditors

(ACUA)Board of Environmental, Health & Safety

Auditor Certifications (BEAC)JPA International Inc.Junior Achievement of Central FloridaKraus-Manning Inc.Majestic Star CasinoMemphis Blues Rugby ClubOffice Depot Inc.Omni Hotels CorporationPaisley Consultants/CARDdecisions Inc.PBD Worldwide Fulfillment Services Inc.Shenandoah GroupSimon Operation Services Inc.IIA AtlantaIIA CalgaryIIA Central VirginiaIIA Chattanooga AreaIIA ChicagoIIA Chinese TaiwánIIA Coastal Georgia



IIA Downeast MaineIIA EdmontonIIA El PasoIIA Granite State (NH)IIA Lansing (MI)IIA Las VegasIIA Monroe

IIA OzarksIIA RochesterIIA Santa FeIIA Sioux FallsIIA SpokaneIIA TucsonIIA U.S. Pacific

THE IIA RESEARCH FOUNDATIONCHAIRMAN’S CIRCLE

Cargill Inc.Chevron

Deloitte & Touche LLPErnst & Young LLP

ExxonMobil CorporationJCPenney Company

Lockheed Martin CorporationMicrosoft Corporation

PricewaterhouseCoopers LLPProtiviti Inc.

Raytheon CompanyDavid A. Richards, CIA

Paul J. Sobel, CIARod and Donna Winters

_________________________________ The IIA Research Foundation Board of Trustees 459


The IIA Research FoundationBoard of Trustees

PresidentRoderick M. Winters, CIA, CPA

Microsoft Corporation

Vice President - StrategyEric J. Hespenheide, CPADeloitte & Touche LLP

Vice President - ResearchRobert B. Foster, CFEFidelity Investments

Vice President - DevelopmentDennis K. Beran, CIA, CCSA, CPA, CFE

JCPenney Company, Inc.

TreasurerStephen W. Minder, CIA

Archer Daniels Midland Company

SecretaryOliver Ray Whittington, Ph.D., CIA

DePaul University

Members

Mark HamillProtiviti Inc.

Michael A. HerzogErnst & Young LLP

Robert B. Hirth, CPA, CAProtiviti Inc.

Howard J. Johnson, CIA, CPA.

Michael Lickteig, CIA, CCSASusan J. Komen Breast Cancer Foundation

Marjorie A. Maguire-KruppAmerican International Group

Wayne G. Moore, CIA, CPA

Johannes (Hans) NieuwlandsNUON

Sridhar Ramamoorti, Ph.D., CIA, CPA, CFE,CFSA, CGAP

Grant Thornton Chicago

Gregory C. RedmondChevron Corporation

Paul J. Sobel, CIA, CPAMirant Corporation

Jay R. Taylor, CIAGeneral Motors Corporation

William L. Taylor, CPA, CGFM

Donald E. Tidrick, Ph.D., CIANorthern Illinois University

Susan D. UlreyKPMG LLP

Anton B. van Wyk, CIA, CFAPricewaterhouseCoopers LLP

Shi XianNanjing Audit University

Douglas Ziegenfuss, Ph.D., CIA, CCSAOld Dominion University



The IIA Research FoundationBoard of Research and Education Advisors

ChairmanRobert B. Foster, CFE, Fidelity Investments

Vice ChairmanSusan D. Ulrey, KPMG LLP

Members

George R. Aldhizer III, Ph.D., CIA, Wake ForestUniversity

Lalbahadur Balkaran, CIA, FCMA, KPMG LLPKevin W. Barthold, CPA, CISA, San Antonio Credit

UnionEdmund Beemer, HudsonThomas J. Beirne, CFSA, CPA, CBA, Protiviti Inc.Audley L. Bell, CIA, CPA, CFE, CISA, Habitat for

Humanity InternationalIva Cerna, CIA, Zentiva a.s.Thomas J. Clooney, CCSA, CPA, CBA, CSP, KPMG

LLPKathryn Constantopoulos, Deloitte & Touche LLPJean Coroller, Ernst & Young LLPMary Christine Dobrovich, Jeffersonwells

InternationalHelen Dozois, CIA, Burger King CorporationSusan Page Driver, CIA, CPA, CISA, Comptroller

of Public AccountsDonald A. Espersen, CIA, CBA, despersen &

associatesGareth Evans, MIIA, United KingdomPhilip E. Flora, CIA, CCSA, CFE, CISA, Texas

Guaranteed Student LoanJohn M. Furka, CPA, Brown Brothers Harriman &

Co.John C. Gazlay, CPA, CCP, Freddie MacDan B. Gould, CIA, JCPenney Company, Inc.Peter M. Hughes, Ph.D., CIA, CPA, CFE, Orange

County

Ronald W. Lackland, University of Central EnglandRichard B. Lanza, CPA, Cash Recovery Partners

LLCDavid J. MacCabe, CIA, CGAP, Teacher Retirement

System of TexasGary J. Mann, Ph.D., CPA, University of Texas at El

PasoTrevor B. Martin, National Oilwell VarcoGary R. McGuire, CIA, CPA, Lennox International

Inc.John D. McLaughlin, Smart and Associates LLPSteven S. Mezzio, CIA, CCSA, CFSA, CPA, CISSP,

CBA, Resource ConnectionAnna Rebecca Nicodemus, CIA, CPA, CFE, Belo

CorporationClaire Beth Nilsen, CFSA, CRCM, CFE, CRP,

Yardville National BankJacob Nuss, Israel Aircraft Industries Ltd.Daniel Pantera, The Methodist HospitalMark R. Radde, CIA, CPA, Buffets Inc.M. Rajeshwaran, EID Parry India Ltd.Alan Reinstein, Ph.D., CPA, PBA, Wayne State

UniversityDavid G. Royal, Texas Department of InsuranceMark L. Salamasick, CIA, CISA, CDP, CSP,

University of Texas at DallasJesus Antonio Serrano Nava, CIA, Banco AztecaKatherine E. Sidway, Ernst & Young LLPJames G. Swearingen, CPA, Weber State University