CBOK Combined

_________________________________________________________ Table of Contents 1
A GLOBAL SUMMARY
OF THE
COMMON BODY
OF KNOWLEDGE 2006
Principal Researchers
Priscilla A. Burnaby, PhD, CPA
Mohammad J. Abdolmohammadi, DBA, CPA
Susan Hass, CPA
Rob Melville, PhD, MIIA, FIIA
Marco Allegrini, PhD, CPA
Giuseppe DOnza, PhD
Leen Paape, PhD, RA, RO, CIA
Gerrit Sarens, PhD
Marinda M. Marais, M Com Auditing, CIA
Elmarie Sadler, DCompt CA
Houdini Fourie, M Tech: Internal Auditing
Barry J. Cooper, PhD
Philomena Leung, PhD
William L. Taylor, CPA, CGFM
Chairman, CBOK Steering Committee
2 CGAP Examination Study Guide ___________________________________________
Disclosure
Copyright 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland
Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States
of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted
in any form by any means electronic, mechanical, photocopying, recording, or otherwise
without prior written permission of the publisher.
The IIARF publishes this document for informational and educational purposes. This document is
intended to provide information, but is not a substitute for legal or accounting advice. The IIARF
does not provide such advice and makes no warranty as to any legal or accounting results through
its publication of this document. When legal or accounting issues arise, professional assistance
should be sought and retained.
The IIAs International Professional Practices Framework for Internal Auditing (IPPF) comprises
the full range of existing and developing practice guidance for the profession. The IPPF provides
guidance to internal auditors globally and paves the way to world-class internal auditing.
The mission of The IIA Research Foundation (IIARF) is to expand knowledge and understanding
of internal auditing by providing relevant research and educational products to advance the profession
globally.
ISBN 978-0-89413-618-4
08063 01/08
First Printing
_________________________________________________________ Table of Contents 7
The Institute of Internal Auditors Research Foundation
DEDICATION
This research is dedicated to the memory of
William G. Bishop III, CIA
William G. Bishop III, CIA, served as president of The Institute of Internal Auditors (IIA) from
September 1992 until his untimely death in March 2004. With a motto of Im proud to be an
internal auditor, he strived to make internal auditing a truly global profession. He was the driving
force behind the rapid growth of The IIA to over 120,000 members in approximately 100 countries.
Bill Bishop advocated quality research for the enhancement of the stature and practice of internal
auditing. To help enhance the future of this profession, it is vital for the profession to document the
evolution of the similarities and differences in the Common Body of Knowledge (CBOK) of internal
auditing worldwide.
________________________________________________________________ Contents iii
CONTENTS
Acknowledgments ........................................................................................................................ ix
Chapter 1: Introduction ............................................................................................................. 1
CBOK 2006............................................................................................................................ 1
Overview................................................................................................................................. 1
CBOK 2006 - Benefits to the Profession ............................................................................... 3
Prior IIA CBOK Studies......................................................................................................... 4
Project Teams ......................................................................................................................... 5
CBOK 2006 Questionnaires.................................................................................................... 6
Clustering for Groups............................................................................................................ 10
Appendix 1-A: Glossary of Terms Sent with CBOK 2006 Questionnaires .......................... 12
Appendix 1-B: Clustering of Groups and Number of Responses.......................................... 19
Chapter 2: A Worldwide Picture of the Internal Audit Activity ......................................... 25
Introduction ........................................................................................................................... 25
Survey Demographics Summary........................................................................................... 26
Compliance with Internal Auditing Standards ...................................................................... 29
Staffing and Professional Development ................................................................................ 43
Internal Auditor Skills............................................................................................................ 44
Internal Auditor Competencies and Knowledge Areas......................................................... 48
Emerging Roles of the Internal Audit Activity....................................................................... 53
Summary ............................................................................................................................... 58
Chapter 3: Survey Demographics .......................................................................................... 61
Introduction ........................................................................................................................... 61
Staff Levels of Respondents................................................................................................. 63
IIA Membership.................................................................................................................... 64
Age of the Respondents........................................................................................................ 67
Highest Level of Formal Education....................................................................................... 70
Professional Qualifications.................................................................................................... 76
Areas of Professional Experience......................................................................................... 80
Years of Existence of IAA and Years of CAE Experience.................................................. 81
Types of Organizations.......................................................................................................... 86
Service Providers of Internal Audit Services........................................................................ 89
Age of Organizations ............................................................................................................ 90
iv A Global Summary of the Common Body of Knowledge 2006 ______________________
Industry Classification(s)....................................................................................................... 91
Geographical Area Served by Organization.......................................................................... 96
Appendix 3............................................................................................................................ 99
Chapter 4: The Professional Practices Framework .......................................................... 105
Introduction ......................................................................................................................... 105
CBOK 2006 Survey Questions Related to the Standards .................................................. 107
Use of the Standards in Whole or in Part .......................................................................... 108
Compliance with the Standards ........................................................................................... 110
Adequacy of the Guidance Provided by the Standards....................................................... 115
Use of and Adequacy of the Guidance Provided by the Practice Advisories......................118
Reasons for Not Complying with the Standards ................................................................ 121
Quality Assurance and Improvement Program................................................................... 128
Compliance with The IIAs Code of Ethics......................................................................... 146
Appendix 4-A: The IIAs Standards, Practice Advisories, and
Glossary to the Standards as of September 2006........................................................ 147
Appendix 4-B ...................................................................................................................... 165
Chapter 5: Current Status of the Internal Audit Activity ................................................. 183
Introduction ......................................................................................................................... 183
The IAAs Relationship within the Organization................................................................. 184
Relationship with the Audit Committee............................................................................... 191
External Relationships - Legislation Affecting Internal Auditing......................................... 192
Organizations and CAEs Perceptions About the IAA ...................................................... 194
Methods Used to Measure the Value Added by the IAA ................................................... 197
Internal Audit Activity ......................................................................................................... 200
Managing the Internal Audit Activity .................................................................................. 202
Creating the Audit Plan....................................................................................................... 204
Allocation of IAAs Time.................................................................................................... 207
Performing the Engagement - The Use of Tools................................................................ 214
Current Usage of Audit Tools and Techniques ................................................................... 216
Predictive Changes in the Use of Audit Tools and Techniques
Over the Next Three Years.......................................................................................... 227
Resolution of Major Differences......................................................................................... 233
Reporting of Findings .......................................................................................................... 235
Monitoring Corrective Action.............................................................................................. 237
Summary ............................................................................................................................. 239
Appendix 5.......................................................................................................................... 240
________________________________________________________________ Contents v
Chapter 6: Staffing and Professional Development ........................................................... 251
Introduction ......................................................................................................................... 251
Staffing................................................................................................................................ 252
Service Providers................................................................................................................ 259
Continuing Professional Development................................................................................. 266
Summary ............................................................................................................................. 271
Appendix 6.......................................................................................................................... 272
Chapter 7: Internal Audit Skills ........................................................................................... 279
Introduction ......................................................................................................................... 279
Technical Skills.................................................................................................................... 281
Behavioral Skills.................................................................................................................. 289
Summary ............................................................................................................................. 299
Appendix 7.......................................................................................................................... 300
Chapter 8: Internal Auditor Competencies ........................................................................ 305
Introduction ......................................................................................................................... 305
Competencies...................................................................................................................... 307
Areas of Knowledge........................................................................................................... 323
Summary ............................................................................................................................. 331
Appendix 8.......................................................................................................................... 332
Chapter 9: Emerging Roles of Internal Audit Activities .................................................. 339
Introduction ......................................................................................................................... 339
Years That the IAA and Organizations Have Existed........................................................ 340
Changing Emphasis on Types of Audits.............................................................................. 344
Emerging Roles in Organizations Activities........................................................................ 346
Organizational Environment and Key Activities of the IAA ............................................... 352
Summary ............................................................................................................................. 357
Chapter 10: Research Method and Literature Review ................................................... 359
Research Method................................................................................................................ 359
Project Teams............................................................................................................... 359
Pilot Test and Literature Review.................................................................................. 361
CBOK 2006 Questionnaires......................................................................................... 363
Clustering for Groups.................................................................................................... 364
vi A Global Summary of the Common Body of Knowledge 2006 ______________________
Literature Review............................................................................................................... 367
Introduction................................................................................................................... 367
Prior IIA CBOK Studies .............................................................................................. 367
North American Literature Review on Internal Auditing............................................. 372
Summary....................................................................................................................... 379
Asia Pacific Literature Review on Internal Auditing.................................................... 380
European Literature Review on Internal Auditing........................................................ 390
South African Literature Review on Internal Auditing................................................. 398
Appendix 10-A: Pre-scope Questionnaire for CBOK ........................................................ 406
Appendix 10-B: Topical Areas That Are Addressed in Past and Current
IIA CBOK Studies ....................................................................................................... 418
Appendix 10-C: CBOK 2006 CAE and Practitioner Questionnaire................................... 421
The William G. Bishop III, CIA, Memorial Fund Contributors.................................................. 455
The IIA Research Foundation Chairmans Circle..................................................................... 458
The IIA Research Foundation Board of Trustees..................................................................... 459
The IIA Research Foundation Board of Research and Education Advisors............................ 460
_________________________________________________________ Acknowledgments ix
ACKNOWLEDGMENTS
With a project of this magnitude and importance, there are literally thousands of people who have
contributed to the successful completion of the Common Body of Knowledge (CBOK) 2006 research
report. I would like to start by thanking William Taylor, chair of the CBOK Steering Committee,
who was the heart of the project. His goal was to make sure that this report honored the memory
of William G. Bishop III, CIA, past president of The Institute of Internal Auditors (IIA) who was
the driving force behind the rapid growth of The IIA to over 120,000 members in approximately
100 countries. At The IIA, the entire staff provided guidance and input. Special thanks to J effrey
Swerdlow, PMP, chair of the CBOK Oversight Committee and the director of project management
for The IIA Research Foundation. He worked tirelessly to keep the project on time and performed
numerous duties such as monitoring the translations of the questionnaires into 16 additional languages,
keeping all of us on track, and coordinating the many needs and demands of those involved at The
IIA and on the research teams. It is a true tribute to his skills that this expansive project was
completed on time with such a quality product. Two other key people on The IIA staff that I would
like to recognize are Donna Batten, director of Global Audit Information Network (GAIN), and
Sylvia Boyd, director of affiliate relations. Both were instrumental in the success of the project. I
would also like to thank all the IIA members who participated by completing the pilot study, the
questionnaires, and editing the text.
Team Americas was truly blessed with four wonderful graduate research assistants. On the first
phase of the project, Lisa Hsi was instrumental with the literature review, development of the
questionnaires, and creation of a database for the affiliates. After Lisa graduated, we were fortunate
to hire Diana Tien. She helped with data cleansing, completing the report for the affiliates, and
transferring the data into tables. Yi Zhou worked on the tables and the editing process to make sure
that all the references and numbers were correct in the text. On the final phase of writing the
report, Shubin Liang converted tables into figures. From Bentleys Academic Technology Center,
Maria Skaletsky and Gaurav Shah helped with the many software packages needed to complete
this product.
The cooperation and sharing among the three research teams made this project a truly collaborative
effort. On the two occasions when we had summits, we all agreed it was extremely exciting and
exhilarating to have so many professors who selected internal auditing as their primary field of
teaching and research together in one room. As team coordinators, Barry Cooper and Rob Melville
did a great job getting participants for the pilot study and working with local affiliates. All the
members of both teams made significant contributions to the research project.
x A Global Summary of the Common Body of Knowledge 2006 ______________________
I saved the members of my team to thank last. Both Mohammad (Ali) Abdolmohammadi and
Susan Hass made significant contributions to the planning and construction of the CBOK 2006. Ali
did a heros job on the data cleansing and analysis. He worked tirelessly to provide data for the
tables. Susan Hass and I did most of the work on the development of the questionnaires, data
presentation for the tables, writing many of the chapters, and editing the other teams contributions
to the final text. Each did an extraordinary job under a great deal of pressure. Audrey Gramling and
Richard Cleary contributed in a consulting capacity.
This report owes its contents to thousands of IIA members all over the world, each of whom
contributed to The IIAs Common Body of Knowledge 2006. Thank you all!
Priscilla A. Burnaby, PhD, CPA
Professor of Accountancy
Bentley College
Waltham, MA, USA
Coordinator of CBOK 2006
_________________________________________________________ Acknowledgments xi
It has been my pleasure to be the chair of the CBOK Steering Committee and The William G.
Bishop III, CIA, Memorial Fund from which this project was funded. As a former IIA chair of the
board, I recognize the importance of this project as we seek to further understand our profession,
how it is practiced throughout the world, and how we will continue to add value to our organizations
in the future.
Completing this project has been a monumental accomplishment. We were fortunate to have a
tremendously talented group of IIA committees, volunteers, and IIA staff working with us. I would
like to personally thank several people and groups without whom this project would not have been
possible.
The IIA Research Foundation Board of Trustees provided sound guidance and advice throughout
the project. Their input, feedback, and suggestions ensured that the project lived up to its expectations.
A special thank you goes to Roderick Winters, CIA, president of The Research Foundation and
vice chair of The IIA Board. Rod provided a great deal of support to this project and truly established
the vision for what we accomplished.
The CBOK Steering Committee was an active participant throughout the project. This committee
provided valuable guidance and overall direction to the project. I am proud that the Steering Committee
is comprised of individuals from throughout the world. Members of the Steering Committee are
J ackie Cain, Phil Tarling, Warren Hersch, Sri Ramamoorti, Urton Anderson, Louis Vaurs, Chris
McRostie, Thijs Smit, Charity Prentice, and J effrey Swerdlow.
The Research Foundations Board of Research and Education Advisors (BREA) played a critical
role throughout the project. This extremely dedicated committee is responsible for reviewing all
proposals received and reviewing all research and educational products produced by The Research
Foundation. Throughout the course of the project, BREA provided valuable opinions and helped to
shape the format of the complete research report. Bob Foster has been the chair of BREA during
this project and has contributed immensely to our success.
Considering the importance of this project, we wanted to ensure that we received a wide variety of
input and feedback. To this end, we recruited almost 100 volunteers from all of The IIAs international
committees to review and provide feedback on the early first drafts of the complete research
report. The reviewers provided us with candid and valuable feedback which helped shape the
report. To manage a review effort of this magnitude, six members of BREA graciously volunteered
their time to act as review team leaders. Thomas Clooney, Susan Driver, Don Espersen, Dan
Gould, Raj Muthu Venkatachalam, and Mark Radde deserve special recognition for performing
this vital role.
xii A Global Summary of the Common Body of Knowledge 2006 ______________________
Dominique Vincenti, CIA, chief advocacy officer of The IIA and executive director of The Research
Foundation, dedicated a great deal of her time to the project. Dominique was able to bring her
background as a CAE to the project. She provided feedback and leadership at all stages of the
project and her contribution was critical to its success.
J effrey Swerdlow, PMP, director of project management for The Research Foundation, was the
primary reason the project was completed on time and within budget. He proved that managing
such an expansive project required participation from not only all worldwide affiliates and members
but also the knowledge leaders of The IIA and staff. His overall plans and programs required
participation from many interested groups and he performed in an exemplary manner, truly indicating
that a project of this magnitude requires not only audit leaders, but a dedicated and professional
project manager.
I would be remiss if I did not thank each and every person and organization that donated to The
William G. Bishop III, CIA, Memorial Fund. This fund underwrote the cost of CBOK 2006. Thanks
to the generous donations we received, CBOK was funded to ensure a top quality result.
William L. Taylor, CPA, CGFM
Former IIA Chair of the Board
McLean, Virginia, U.S.A.
CBOK Steering Committee Chair
A Global Summary of the Common Body of Knowledge 2006
CONTENTS
Chapter 1

Chapter 1: Introduction.............................................................................................................. 1
CBOK 2006............................................................................................................................ 1
Overview................................................................................................................................. 1
CBOK 2006 - Benefits to the Profession................................................................................ 3
Prior IIA CBOK Studies......................................................................................................... 4
Project Teams......................................................................................................................... 5
CBOK 2006 Questionnaires................................................................................................... 6
Clustering for Groups........................................................................................................... 10
Appendix 1-A: Glossary of Terms Sent with CBOK 2006 Questionnaires.......................... 12
Appendix 1-B: Clustering of Groups and Number of Responses......................................... 19

Disclosure
Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of
America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form by any means electronic, mechanical, photocopying, recording, or otherwise without prior
written permission of the publisher.

The IIARF publishes this document for informational and educational purposes. This document is intended
to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide
such advice and makes no warranty as to any legal or accounting results through its publication of this
document. When legal or accounting issues arise, professional assistance should be sought and retained.

The IIAs International Professional Practices Framework for Internal Auditing (IPPF) comprises the full
range of existing and developing practice guidance for the profession. The IPPF provides guidance to
internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA
Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting
research and knowledge resources to enhance the development and effectiveness of the internal auditing
profession.
_____________________________________________________ Chapter 1: Introduction 1
CHAPTER 1
INTRODUCTION
CBOK 2006
The Common Body of Knowledge (CBOK) 2006 study is part of an ongoing global research
program funded by The Institute of Internal Auditors Research Foundation (IIARF) to broaden the
understanding of how internal auditing is practiced throughout the world. The overall purpose of
the CBOK 2006 project is to develop the most comprehensivedatabase ever to capture a current
view of the global state of the internal audit profession. The database contains information about
compliance with The Institute of Internal Auditors (IIA) International Standards for the
Professional Practice of Internal Auditing (Standards), the state of the internal audit activity
(IAA), staffing, skills, competencies, and the emerging roles of the IAA. Some information was
collected about the influences of cultural and legal factors about the development and practice of
internal auditing around the world. The objective is to establish a baseline for comparison when the
CBOK study is repeated in the future. The database will be updated to understand the evolution of
global internal audit practices. Future studies will build upon this baseline, allowing for comparison,
analysis, and trending.
Overview
1
The objectives of this chapter are to introduce CBOK 2006, provide a brief overview of past
CBOK studies, review actions taken to perform the study, and to explain how the groupings of
chapters and affiliates were determined. Within the United States and Canada, local groups of The
IIAs members are called chapters. Affiliates are independent organizations outside North America
that provide services to members in their geographic locations. IIA affiliates are now referred to
as chapters and institutes. This change officially took place after the CBOK 2006 survey was
conducted. It was approved by The IIAs Board of Directors on J uly 14, 2007, for implementation
on J anuary 1, 2008. For this reason, the use of affiliates is maintained throughout the CBOK
2006 report.
1
The CBOK review and the Team Americas literature review were published in a special CBOK 2006 issue of
Managerial Auditing Journal (MAJ ), Volume 21, Issue 8, in October 2006. With permission from the publisher of
MAJ , this section uses portions of the following article: Abdolmohammadi, M.J ., P.A. Burnaby, and S. Hass, A
review of prior common body of knowledge (CBOK) studies in internal auditing and an overview of the global CBOK
2006, Managerial Auditing Journal 21 (8), 2006, pp. 811-821. Hass, S., M.J . Abdolmohammadi, and P.A. Burnaby,
The Americas literature review on internal auditing, Managerial Auditing Journal 21 (8), 2006, pp. 835-844.
2 A Global Summary of the Common Body of Knowledge 2006 ______________________
At the core of the CBOK 2006 study were three surveys sent to internal auditors worldwide to
gather information concerning how they comply with the Standards, how their IAAs function, and
emerging roles of the IAA. One survey was sent to chief audit executives (CAEs), another to all
other levels of internal auditing Practitioners, and a third to the leadership of The IIAs affiliates.
Since the Standards were first promulgated, internal auditors have had the opportunity to apply
them to create a high level of standardization resulting in best practices for internal auditors
worldwide. While the Standards provide a unifying mechanism for enhancing value and consistency
across diverse legal and economic environments, research suggests that cultural, legal, and economic
differences influence the practice of internal auditing in each country. The CBOK 2006 study has
produced a body of data for the continuing study of the evolution of the global practice of internal
auditing.
As discussed in The IIARFs Competency Framework for Internal Auditing: An Overview,
core competencies change over time (McIntosh, 1999). Some of the major factors influencing
these changes are the needs of organizations, technology, and the complexity of business transactions
and systems. CBOK 2006 adds to this body of literature and expands the scope by extending the
population surveyed to the entire international membership of The IIA. To include current practices
and explore emerging roles for the profession, CBOK 2006 added several topical areas that were
not included in prior CBOK studies. In Chapter 10, Appendix 10-B lists the topics studied in the
current and past CBOK studies. As described below in The IIAs 1999 definition of internal auditing,
CBOK 2006 uses the expanded scope of the IAA as the basis for its focus.
The IIAs 1999 vision for the future task force recommended that the new Professional Practices
Framework should be a more comprehensive and elastic framework. Based on this
recommendation, the task force provided the following definition of internal auditing which was
adopted by The IIAs Board of Directors in J une 1999:
Internal auditing is an independent, objective assurance and consulting activity designed to
add value and improve an organizations operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.
The expanded definition of internal auditing includes consulting activities and value-added services
for evaluation and improvement of the effectiveness of the risk management and governance
processes. Since the CBOK 2006 questionnaires were sent out in September 2006, all references
to The IIAs Standards are as of that date.
The expansion of the internal audit scope has necessitated that internal auditors continuously develop
new skills and learn new audit tools and technologies. There is very little information about the
current state of skills, tools, and technologies used on engagements in existing internal auditing
literature. The CBOK 2006 database includes the skills, tools, and techniques respondents indicate
are necessary for internal auditors currently, and in the future, to perform their jobs and enhance
audit efficiency and effectiveness. It also identifies emerging roles that The IIA will need to address
in support of its members and the profession. The resulting CBOK 2006 database and research
report can be used to improve the understanding of the current state of internal audit practices,
anticipate the use of new skills, tools, and technologies, and promote the enhancement of
standardization and performance of internal auditing worldwide.
Chapter 2 provides a brief summary of selected CBOK 2006 data. Chapters 3 through 9 provide
details of all the data collected in total from all respondents and by staff level and/or by groups as
applicable. Chapter 10 contains the process used to collect the data and a detailed literature review
of previously published articles about internal auditing around the world.
CBOK 2006 - Benefits to the Profession
The Standards have three purposes: educating internal auditors about the role and responsibilities
of internal auditing, providing a basis for measuring performance, and improving the practice of
internal auditing. Internal auditing is performed in diverse economic and cultural environments
within organizations that vary in purpose, size, and structure. These differences affect compliance
with the Standards. CBOK 2006 identifies some of these diverse environments and groups culturally
similar chapters and affiliates together. The groups usage of the Standards and the scope of the
IAA are then compared.
The information gathered in CBOK 2006 can be useful in many different ways. For example, the
results of the study can be used as a resource, reference, or comparison mechanism by internal
auditors and other stakeholders of the internal audit profession. Where there is a need for knowledge
and skills to be enhanced, the CBOK 2006 results can be used as a guide for The IIA to develop
continuing education materials so their members can acquire and then implement the appropriate
knowledge and skills in their work.
CBOK results can also provide useful information when periodically updating the competency
framework. The IIA has expressed interest in conducting CBOK studies at regular intervals in the
future to provide a mechanism for comparison and improvement. The CBOK 2006 results will
contribute to future internal audit Standards and practices as well as identify important new
knowledge and skills to be included in the CIA exam. The results can also be utilized during an
IAAs self-assessment program and/or the completion of external quality assessments.
Prior IIA CBOK Studies
The IIA has sponsored four prior CBOK studies. Table 1-1 compares the number of participating
countries and usable questionnaire responses used in each CBOK study. While all prior CBOK
studies were only conducted in English, CBOK 2006 translated the questionnaires into 16 additional
languages.
Table 1-1
Comparison of CBOKs Number of Countries
and Number of Respondents
CBOK Year Number of Number of Usable
Number Countries Respondents
I 1972 1 75
II 1985 2 340
III 1991 2 1,163
IV 1999 21 136
V 2006 91 9,366
CBOK 2006 is the first study that invited The IIAs entire worldwide membership to participate.
The participation of members from 91 countries and 9,366 usable respondents makes CBOK 2006
the most comprehensive study in The IIAs history.
Project Teams
The research team was comprised of three international teams that were selected from the responses
to the CBOK Request for Proposals. Based on the location of the selected research teams, the
international affiliates and North American chapters were broken down into three broad geographical
areas. Table 1-2 lists the members of the three CBOK 2006 teams.
Table 1-2
Research Teams
Teams General Areas
of Responsibilities
Lead Team
Priscilla A. Burnaby (Bentley College, United States) - North, Central, and
Project Coordinator and Team Coordinator South America and
Mohammad J . Abdolmohammadi (Bentley College, the Caribbean
United States)
Susan Hass (Simmons College, United States)
Rob Melville (Cass Business School, United Kingdom) - Europe and Africa
Team Coordinator
Marco Allegrini and Giuseppe DOnza
(University of Pisa, Italy)
Leen Paape (Erasmus University, Netherlands)
Gerrit Sarens (University of Ghent, Belgium)
Marinda M. Marais (University of South Africa)
Elmarie Sadler (University of South Africa)
Houdini Fourie (Tshwane University of
Technology, South Africa)
Barry J . Cooper (Deakin University, Australia) - Asia and Pacific
Team Coordinator
Philomena Leung (Deakin University, Australia)
CBOK 2006 Questionnaires
To gain an understanding of what had been published about internal auditing and to develop an
inventory of questions to use as a basis for developing the global CBOK 2006 questionnaires, an
extensive literature review was conducted. Each team prepared a literature review for their general
areas of responsibility. Based on this work, the teams then prepared a pilot study to poll members
about the types of questions that should be included in the final survey. The three literature reviews
and the results of the pilot study can be found in the CBOK 2006 issue of Managerial Auditing
Journal (MAJ ), Volume 21, Issue 8, published in October 2006. A summary is included in Chapter
10 of this research report. Based on the results of the pilot study, the survey questions were refined
and finalized. The CBOK Steering Committee decided that the surveys should take a respondent
approximately 40 minutes to complete. As a result, it was decided to create three CBOK 2006
questionnaires:
1. Affiliates: The IIA is fortunate to have numerous affiliates around the world that provide
services to their geographic area in cooperation with The IIA headquarters. This questionnaire
asked affiliate leaders questions about regulatory and cultural differences affecting the application
of ethics and The IIA Standards in their area. One questionnaire was sent to each participating
affiliate.
2. Chief Audit Executives (CAEs): The Standards define the CAE as the highest position
within the organization responsible for the internal audit activity (IAA). Data on the status of
the IAA within the organization, application of the Standards, skills needed at each staff level,
and emerging audit roles were collected from CAEs worldwide.
3. Practitioners: For purposes of this study, Practitioners are all other internal auditors who are
not CAEs. Data about the application of the Standards, how an audit is performed, skill sets
needed, and the emerging role of internal auditing were collected from internal auditors
worldwide.
The three detailed questionnaires developed by the CBOK 2006 teams were subjected to careful
scrutiny by The IIA CBOK 2006 Steering Committee. Once the final questions were selected, the
questionnaires were reviewed by a group of over 100 internal auditors worldwide to ensure
completeness and validity. Based on their comments, the final questionnaires were developed in
English. The IIA translated them into 16 additional languages for the convenience of The IIA
membership (Arabic, Bulgarian, Czech, Simplified Chinese, Unsimplified Chinese, French, German,
Indonesian, Italian, J apanese, Polish, Portuguese, Russian, Spanish, Swedish, and Turkish). The
combined CAE and Practitioner questionnaires are in Appendix 10-C in Chapter 10.
In September 2006, using the survey software Perseus, the CAE and Practitioner questionnaires
were distributed electronically to members outside North America by participating international
affiliates and by IIA headquarters to members within North America. The questionnaire to affiliate
leadership was distributed by The IIA in December 2006. The Glossary in Appendix 1-A was
provided with the questionnaires so respondents could reference definitions of key terms and
words. This glossary is a combination of the glossary from The IIAs Professional Practices
Framework dated J anuary 2005 and other key words used in the questionnaires.
Number of Respondents
The total number of responses to the CAE and Practitioner questionnaires was 15,028. After
consultation with an independent statistical expert, responses were determined to be not useable
for reasons such as a blank reply or the respondent did not answer enough questions on important
sections such as the use and application of the Standards. Upon completion of this process, 9,366
useable responses remained. This results in an overall 7.3% response from the 127,735 IIA members
as of September 30, 2006. Due to some affiliates not participating and some members who have
opted not to receive e-mail from The IIA, the invitation to participate in the survey was sent to
approximately 99,000 members resulting in an estimated 9.5% response rate.
Table 1-3 indicates the chapters (United States, Canada, and Caribbean) and affiliates (organizations
around the world that serve their geographical area) listed on The IIAs Web site as of September
2006 and notes the number that participated in this study for each one. A total of 133 United States
chapters, all of the Canadian chapters, and 7 of the Caribbean chapters had at least one member
who participated in CBOK 2006. Eighty-three affiliates had at least one usable CAE or Practitioner
response. Forty-six affiliate leaders returned the CBOK Affiliate questionnaire by the J anuary 15,
2007, cutoff date for data collection.
Table 1-3
Number of Participating Chapters and Affiliates
Area Number of 1 or More Usable Number of
Chapters/Affiliates* Responses from Affiliates that
Chapters/Affiliates Returned CBOK
Affiliate
Questionnaire
U.S.A. 143 133 Not Applicable
Canada 11 11 Not Applicable
Caribbean 9 7 Not Applicable
IIA Affiliates 94 83 46
*Tallied from The IIAs Web site
The number of respondents answering a specific question will often differ from the 9,366 total
respondents in this study. This is due to the following reasons:
Not all of those that participated in the survey answered all the questions asked. Results
are shown and discussed only for those respondents who answered a particular survey
question.
Not all questions were asked of all respondents.
o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).
o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).
o Some questions were asked of both CAEs and Practitioners.
Below is a list of all the affiliates, the United States, Canada, and Caribbean chapters, from which
one or more usable responses were received. Please note that the individual chapters within the
United States and Canada from which responses were received are not listed here.
Algeria
Argentina
Aruba
Australia
Austria
Azerbaijan
Bahamas
Bangladesh
Barbados
Belgium
Bermuda
Bolivia
Botswana
Brazil
Bulgaria
Cameroon
Canada
Chile
China
Chinese Taiwan
Colombia
Congo-Kinshasa
Costa Rica
Cyprus
Czech Republic
Denmark
Dominican Republic
Ecuador
Egypt
Estonia
Ethiopia
Finland
France
Germany
Ghana
Greece
Guatemala
Hong Kong, China
Iceland
India
Indonesia
Israel
Italy
Jamaica
Japan
Kenya
Korea
Latvia
Lebanon
Lithuania
Luxembourg
Malawi
Malaysia
Mexico
Netherlands
New Zealand
Nicaragua
Nigeria
Norway
Oman
Pakistan-Islamabad
Pakistan-Karachi
Pakistan-Lahore
Panama
Paraguay
Peru
Philippines
Poland
Portugal
Puerto Rico
Qatar
Romania
Russia-Moscow
Singapore
Slovenia
South Africa
Spain
Sri Lanka
Sweden
Switzerland
Thailand
Trinidad and Tobago
Tunisia
Turkey
Uganda
Ukraine
United Arab Emirates
United Kingdom and
Ireland
United States of America
Venezuela
Zambia
Zimbabwe
Clustering for Groups
As data was collected from numerous affiliates and chapters, a methodology was sought to combine
them into groups for the comparison of responses. Clustering literature was reviewed for plausible
ways to combine affiliates and chapters by cultural classification. Hofstede (1980; 1983) introduced
this concept and proposed a number of dimensions to classify 50 countries into cultural clusters.
Expanding on Hofstedes work, House et al. (2004) classified 62 societies into various cultural
clusters.
Since The IIA has affiliates in over 100 countries, the House et al. (2004) classification of 62
societies was insufficient for complete classification of the CBOK 2006 participants. By using
additional information from the Central Intelligence Agency World Fact Book (2006), language(s)
spoken in the affiliates geographical area, geographical location, and discussions with The IIA
staff and leadership, the affiliates and chapters were classified into 12 groups. Respondents who
did not indicate membership in a specific affiliate or chapter were clustered into a 13
th
group that
was included in statistical summaries for the aggregate results but not in discussions of affiliate or
chapter cultural cluster group results. Appendix 1-B lists the 13 groups used for the discussion of
responses for CBOK 2006. WHENEVER GROUPS ARE MENTIONED IN THE TEXT, TO
DETERMINE WHICH CHAPTERS OR AFFILIATES ARE IN EACH GROUP, PLEASE
REFER TO APPENDIX 1-B IN CHAPTER 1 OF THIS REPORT.
References
1. Abdolmohammadi, M.J ., P.A. Burnaby, and S. Hass, A review of prior common body of
knowledge (CBOK) studies in internal auditing and an overview of the global CBOK 2006,
Managerial Auditing Journal 21 8, 2006, pp. 811-821.
2. CIA World Fact Book, https://www.cia.gov/cia/publications/factbook/fields/2145.html, 2006.
3. Hofstede, G, Cultures consequences: International differences in work-related values
(London, UK: Sage), 1980.
4. Hofstede, G., Dimensions of National Culture in Fifty Countries and Three Regions, in J .B.
Deregowski, S. Dziurawiec and R.C. Annis (Eds.), Explications in Cross-Cultural
Psychology, Swets and Zeitling, 1983.
5. House, R.J ., P.J . Hanges, M. J avidan, P.W. Dorfman, and V. Gupta (Eds), Culture, Leadership,
and Organizations: The GLOBE Study of 62 Societies (Thousand Oaks, CA: Sage
Publications), 2004.
6. McIntosh, E.R, Competency Framework for Internal Auditing: An Overview (Altamonte
Springs, FL: The Institute of Internal Auditors Research Foundation), 1999.
7. The Institute of Internal Auditors, A Vision for the Future: Professional Practices Framework
for Internal Auditing (Altamonte Springs, FL: The Institute of Internal Auditors Research
Foundation), 1999.
8. The Institute of Internal Auditors, Professional Practices Framework (Altamonte Springs, FL:
The Institute of Internal Auditors Research Foundation), 2005.
APPENDIX 1-A
GLOSSARY OF TERMS SENT WITH
CBOK 2006 QUESTIONNAIRES
Add Value
Value is provided by improving opportunities to achieve organizational objectives, identify operational
improvement, and/or reducing risk exposure through both assurance and consulting services.
Adequate Control
Present if management has planned and organized (designed) in a manner that provides reasonable
assurance that the organizations risks have been managed effectively and that the organizations
goals and objectives will be achieved efficiently and economically.
Advisory Role
A position having or exercising the power to advise and function purely as a consultative role.
Assurance Services
An objective examination of evidence for the purpose of providing an independent assessment on
risk management, control, or governance processes for the organization. Examples may include
financial, performance, compliance, system security, and due diligence engagements.
Audit Committee
An audit committee assists the board of directors in discharging its responsibilities with respect to
the accounting policies, internal controls, and financial reporting of the entity.
Balanced Scorecard
A concept for measuring a companys activities in terms of its vision, strategies, and performance
measures. It gives managers a comprehensive view of the performance of a business. It balances
a financial perspective with customer, internal process, and learning and growth perspectives.
Board
A board is an organizations governing body, such as a board of directors, supervisory board, head
of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any
other designated body of the organization, including the audit committee, to whom the chief audit
executive may functionally report.
Charter
The charter of the internal audit activity is a formal written document that defines the activitys
purpose, authority, and responsibility. The charter should (a) establish the internal audit activitys
position within the organization; (b) authorize access to records, personnel, and physical properties
relevant to the performance of engagements; and (c) define the scope of internal audit activities.
Chief Audit Executive (CAE)
Top position within the organization responsible for internal audit activities. Normally, this would be
the internal audit director. In the case where internal audit activities are obtained from outside
service providers, the chief audit executive is the person responsible for overseeing the service
contract and the overall quality assurance of these activities, reporting to senior management and
the board regarding internal audit activities, and follow-up of engagement results. The term also
includes such titles as general auditor, chief internal auditor, and inspector general.
Code of Ethics
The Code of Ethics of The Institute of Internal Auditors (IIA) are principles relevant to the profession
and practice of internal auditing, and rules of conduct that describe behavior expected of internal
auditors. The Code of Ethics applies to both parties and entities that provide internal audit services.
The purpose of the Code of Ethics is to promote an ethical culture in the global profession of
internal auditing.
Compliance
Conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other
requirements.
Conflict of Interest
Any relationship that is or appears to be not in the best interest of the organization. A conflict of
interest would prejudice an individuals ability to perform his or her duties and responsibilities
objectively.
Consulting Services
Advisory and related client service activities, the nature and scope of which are agreed with the
client and which are intended to add value and improve an organizations governance, risk
management, and control processes without the internal auditor assuming management responsibility.
Examples include counsel, advice, facilitation, and training.
Continuous Monitoring
Continuous monitoring is an ongoing systematic process for acquiring, analyzing, and reporting on
business information to identify and respond to operational business risks.
Contract Audit Staff
Audit staff that has been hired to perform specific internal audit projects. Members of the contract
audit staff are not employed as permanent audit staff at the organization.
Control
Any action taken by management, the board, and other parties to manage risk and increase the
likelihood that established objectives and goals will be achieved. Management plans, organizes, and
directs the performance of sufficient actions to provide reasonable assurance that objectives and
goals will be achieved.
Control Environment
The attitude and actions of the board and management regarding the significance of control within
the organization. The control environment provides the discipline and structure for the achievement
of the primary objectives of the system of internal control. The control environment includes the
following elements:
Integrity and ethical values
Managements philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Human resource policies and practices
Competence of personnel
Control Processes
The policies, procedures, and activities that are part of a control framework, designed to ensure
that risks are contained within the risk tolerance established by the risk management process.
Control Self-assessment
CSA is a process through which internal control effectiveness is examined and assessed. The
objective is to provide reasonable assurance that all business objectives will be met.
Co-sourcing
Working with external professionals to meet requirements for the organizations audit plan and
obtaining value-added solutions from the cooperative effort.
Corporate Governance
The set of processes, customs, policies, laws, and institutions affecting the way a corporation is
directed, administered, or controlled.
Emerging Market
Is a term used to refer to markets in newly industrialized or developing countries with capital
markets at early stages of institutional development.
Engagement
A specific internal audit assignment, task, or review activity, such as an internal audit, control self-
assessment review, fraud examination, or consultancy. An engagement may include multiple tasks
or activities designed to accomplish a specific set of related objectives.
Engagement Objectives
Board statements developed by internal auditors that define intended engagement accomplishments.
Engagement Work Program
A document that lists the procedures to be followed during an engagement, designed to achieve the
engagement plan.
Enterprise Risk Management (ERM)
A continuous process that establishes risk management objectives and develops tolerances and
limits for all the enterprises significant risks.
Environmental Sustainability
In compliance with International Standard for Environmental Management System (ISO 14001
certified).
External Quality Assurance Review
External assessment should be conducted at least once every five years by a qualified, independent
reviewer or review team from outside the organization.
External Service Provider
A person or firm, outside of the organization, who has special knowledge, skill, and experience in a
particular discipline.
Fraud
Any illegal acts characterized by deceit, concealment, or violation of trust. These acts are not
dependent upon the application of threat of violence or of physical force. Frauds are perpetrated
by parties and organizations to obtain money, property, or services; to avoid payment or loss of
services; or to secure personal or business advantage.
Global Audit Information Network (GAIN)
The information network enables organizations to compare their audit departments size, experience,
expertise, and other metrics against the aggregated averages of similar-sized organizations in their
industry.
Governance
The combination of processes and structures implemented by the board in order to inform, direct,
manage, and monitor the activities of the organization toward the achievement of its objectives.
Impairments
Impairments to individual objectivity and organizational independence may include personal conflict
of interest, scope limitations, restrictions on access to records, personnel, and properties, and
resource limitations (funding).
Independence
The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats
to objectivity must be managed at the individual auditor, engagement, functional, and organizational
levels.
Information Risk Assessment
Assessment of information threats and opportunities to ensure proper controls are in place to
minimize the risks to the organizations information assets.
Internal Audit Activity or Internal Audit Function
A department, division, team of consultants, or other practitioner(s) that provides independent,
objective assurance and consulting services designed to add value and improve an organizations
operations. The internal audit activity helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.
Internal Quality Assurance Review
Internal assessments include: ongoing reviews of the performance of the internal audit activity and
periodic reviews performed through self-assessment or by other persons within the organization
with knowledge of internal auditing practices and the Standards.
Knowledge Management System
A distributed system in organizations supporting creation, capture, storage, and dissemination of
expertise and information.
Management Effectiveness
The metrics used to evaluate management effectiveness include: leadership, delegation, motivation,
return on investment, return on assets, and return on equity.
Manager
A manager is normally an advanced senior rank position.
Managerial Accounting
The branch of accounting that uses both historical and estimated data in providing information that
management uses in conducting daily operations in planning future operations, and in developing
overall business strategies.
Objectivity
An unbiased mental attitude that allows internal auditors to perform engagements in such a manner
that they have an honest belief in their work product and that no significant quality compromises
are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters
to that of others.
Partner
This is the highest professional rank in an accounting firm. By achieving this rank, a partner is
admitted as a co-owner of the firm.
Residual Risk
The risk remaining after management takes action to reduce the impact and likelihood of an adverse
event, including control activities in responding to a risk.
Risk
The possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.
Risk Management
A process to identify, assess, manage, and control potential events or situations to provide reasonable
assurance regarding the achievement of the organizations objectives.
Semi-government
The semi-government sector comprises the corporations, statuary boards, authorities, and state
banks under the central government.
Should
The use of the word should in the Standards represents a mandatory obligation.
Staff
The position of a staff accountant (also called assistant) is the entry-level position.
Standard
A professional pronouncement promulgated by the Internal Auditing Standards Board that delineates
the requirements for performing a broad range of internal audit activities, and for evaluating internal
audit performance.
Total Quality Management (TQM)
Total Quality Management is a management approach that emphasizes superior quality in all aspects
of the companys operations. It is an ongoing process that utilizes synergistic relationships to exercise
continuous improvement and self evaluation.
APPENDIX 1-B
CLUSTERING OF GROUPS AND
NUMBER OF RESPONSES
Affiliate or Primary IIA Usable Percentage
Chapter Language(s) Members Responses of Members
Group Spoken 9/30/06 12-15-06
Group 1
**Aruba English 8 4 50.0
**Bahamas English 59 3 5.1
**Barbados English 70 17 24.3
**Bermuda English 73 5 6.9
**Canada French/English 5,255 430 8.2
**J amaica English 327 17 5.2
**Trinidad and English 169 13 7.7
Tobago
**Puerto Rico Spanish 386 17 4.4
*United States English 54,686 3,139 5.7
of America
Total 61,033 3,645 6.0
Group 2
*+Australia English 2,602 177 6.8
*+New Zealand English 486 38 7.8
Total 3,088 215 7.0
Group 3
**+South Africa English 4874 464 9.5
*+UK and Ireland English 7185 271 3.8
Total 12,059 735 6.1
Group 4
*China Chinese 2,248 62 2.8
*+Chinese Taiwan Chinese 3,144 239 7.6
*+Hong Kong, English 375 6 1.6
China
*+J apan J apanese 2,053 66 3.2
*Korea Korean 557 1 0.2
Total 8,377 374 4.5
*House, R.J ., P.J . Hanges, M. J avidan, P.W. Dorfman, and V. Gupta (Eds), Culture, Leadership, and Organizations: The
GLOBE Study of 62 Societies (Thousand Oaks, CA: Sage Publications), 2004.
**Classification by Team Americas in consultation with The IIA, world map, and CIA World Factbook, https://www.cia.gov/
cia/publications/factbook/fields/2145.html
+Responded to the Affiliate CBOK questionnaire.
APPENDIX 1-B (Cont.)
NUMBER OF RESPONSES
Group Spoken 9/30/06 12-15-06
Group 5
**+Azerbaijan Azari/Russian 133 1 0.8
**+Bulgaria Bulgarian 357 71 19.9
**+Cyprus Greek/Turkish 276 30 10.9
**Czech Republic Czech/English 886 166 18.7
**Estonia Estonian 135 16 11.9
*+Greece Greek 456 80 17.5
**Latvia Latvian 123 1 0.8
**+Lithuania Lithuanian 130 3 2.3
*Poland Polish 520 69 13.3
**Romania Romanian 214 42 19.6
*+Russia-Moscow Russian 492 129 26.2
*+Slovenia Slovenian 15 1 6.7
*Ukraine Ukrainian 25 2 8
Total 3,762 611 16.2
Group 6
*+Austria German 277 84 30.3
**+Belgium English/French/Dutch 1,154 102 8.8
*+Germany German 1,728 131 7.6
*+Luxembourg French/English 325 1 0.3
*+Netherlands Dutch 1,741 112 6.4
*Switzerland German/French 305 33 10.8
Total 5,530 463 8.4
NUMBER OF RESPONSES
Group Spoken 9/30/06 12-15-06
Group 7
*+Argentina Spanish 562 57 10.1
*+Bolivia Spanish 215 8 3.7
*+Brazil Portuguese 1,358 97 7.1
**Chile Spanish 33 4 12.1
*+Colombia Spanish 432 94 21.8
*Costa Rica Spanish 186 40 21.5
**+Dominican Republic Spanish 213 3 1.4
*Ecuador Spanish 531 7 1.3
*Guatemala Spanish 75 4 5.3
*+Mexico Spanish 842 91 10.8
**+Nicaragua Spanish 136 6 4.4
**Panama Spanish 69 6 8.7
**Paraguay Spanish 114 3 2.6
**+Peru Spanish 328 72 22.0
*+Venezuela Spanish 376 36 9.6
Total 5,470 528 9.7
Group 8
*+France French 2,937 235 8.0
*+Israel Hebrew 1,028 4 0.4
*+Italy Italian 2,531 456 18.0
*Portugal Portuguese 375 84 22.4
*+Spain Spanish 1,556 249 16.0
Total 8,427 1,028 12.2
Group 9
**Algeria French 45 4 8.9
*Egypt Arabic/English 61 4 6.6
**+Lebanon Arabic/English 105 13 12.4
**Oman Arabic/English 176 5 2.8
**+Qatar Arabic/English 233 8 3.4
**Tunisia Arabic/French 306 2 0.7
*+Turkey Turkish 554 80 14.4
**United Arab Emirates English 349 16 4.6
Total 1,829 132 7.2
NUMBER OF RESPONSES
Group Spoken 9/30/06 12-15-06
Group 10
*+Denmark Danish 390 3 0.8
*+Finland Finnish 584 43 7.4
**Iceland Icelandic 100 3 3.0
**+Norway Norwegian 662 45 6.8
*+Sweden Swedish 542 52 9.6
Total 2,278 146 6.4
Group 11
**Bangladesh English 116 1 0.9
*India English 2,795 57 2.0
*Indonesia Indonesian/English 654 11 1.7
*+Malaysia English 2,150 60 2.8
**Pakistan - Karachi English 172 3 1.7
**Pakistan Islamabad English 186 3 1.61
**Pakistan - Lahore English 339 1 0.3
*+Philippines English 1,280 5 0.4
**+Singapore English 1,343 74 5.5
**+Sri Lanka Sinhala/English 50 6 12.0
*+Thailand Thai 1,446 29 2.0
Total 10,531 250 2.4
Group 12
**Botswana English 134 1 0.8
**Cameroon French 161 1 0.6
**+Congo-Kinshasa French 37 1 2.7
**Ethiopia English 288 16 5.7
**Ghana English 57 2 3.5
**Kenya English 589 4 0.7
**+Malawi English 169 1 0.6
*Nigeria English 48 4 8.3
**+Uganda English 117 13 11.1
*Zambia English 63 2 3.2
*Zimbabwe English 557 3 0.5
Total 2,220 48 2.2
NUMBER OF RESPONSES
Group Spoken 9/30/06 12-15-06
Group 13
Not Classified 1,191
respondent did not
specify affiliate or
chapter
Affiliates that did 3,131
not participate
Total Membership 127,735 9,366 7.3
Less members that were
not sent an invitation
to participate:
Membership of affiliates (3,131)
that did not participate
Eleven affiliates with (2,098)
only one response
(2,109 members
11 respondents)
39% of U.S. members (21,328)
who have opted not to
receive e-mail from
The IIA (54,686 x .39 =
21,328)
39% of Canadian (2.049)
members who have opted
not to receive e-mail
from The IIA
(5,255 x .39 = 2,049)
Total estimated 99,129 9,366 9.5
membership that was
sent an invitation to
participate and estimated
response rate

CONTENTS
Chapter 2

Chapter 2: A Worldwide Picture of the Internal Audit Activity .......................................... 25
Introduction........................................................................................................................... 25
Survey Demographics Summary.......................................................................................... 26
Compliance with Internal Auditing Standards ..................................................................... 29
Staffing and Professional Development................................................................................ 43
Internal Auditor Skills........................................................................................................... 44
Internal Auditor Competencies and Knowledge Areas......................................................... 48
Emerging Roles of the Internal Audit Activity..................................................................... 53
Summary............................................................................................................................... 58

Disclosure


profession.
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 25
CHAPTER 2
A WORLDWIDE PICTURE OF THE
INTERNAL AUDIT ACTIVITY
Introduction
Who would have thought that internal auditors would be described by the media as rock stars?
The current demand for qualified internal auditors is greater than the supply. Business scandals
around the world have not only reminded organization fiduciaries and management of their
responsibilities in the areas of governance, control, and risk management, but have also resulted in
increased legislation and regulation. The internal audit activity (IAA) has become a necessary or
mandatory activity in organizations around the world. Some organizations are over 100 years old
with large, well established IAAs, while many younger companies are just starting to develop and
utilize their IAAs. Regardless of the size, type, or age of an organization, the role of internal
auditing is evolving into a value-added activity that helps an organization manage its risks and take
advantage of opportunities to improve. With the increase in scope of audit responsibility since
1999, the IAA must act to monitor the adequacy and effectiveness of managements internal
control framework and contribute to the integrity of corporate governance, risk assessment, and
the financial, operating, and IT systems.
Since 1941, The IIA has grown tremendously. Between J une 2003 and September 2006, The IIAs
membership grew from 82,645 members to 127,735 members, a 54.6% increase in just over three
years. The November 2006 IIA Insight stated that there are members in 165 countries and territories.
Also, as of September 2006 there are 6,000 new Certified Internal Auditors (CIAs) for a total of
60,000 CIAs worldwide. There are 90 countries with CIA exam sites.
What do internal auditors really need to know to perform their jobs with due care and to add value
to their organizations? This CBOK 2006 research report summarizes the information gathered
from respondents around the world regarding the current state of the internal auditing profession.
It identifies the attributes of an effective IAA; internal auditor skills, competencies, and knowledge;
internal audit tools and techniques; and emerging roles of the IAA. This informs the profession and
those who benefit from its activities and services as well as serving as a basis for educating and
testing the competence of those who enter and want to succeed in the profession.
Since the CAE and Practitioner CBOK 2006 questionnaires were released in September 2006,
adherence to The IIAs International Standards for the Professional Practice of Internal
Auditing (Standards) as of September 2006 provides the basis for this study. The overall purpose
of the CBOK 2006 project is to develop the most comprehensive database ever to capture a
current view of the global state of the internal audit profession. The database will be updated to
recognize the evolution of global internal audit practices. Future studies will build upon this baseline,
allowing for comparison, analysis, and trending.
The major topics covered in this chapter are a summary of the demographics of respondents and
their organizations, compliance with the Standards, current status of the IAA, staffing and
professional development, internal auditor skills, internal auditor competencies and knowledge,
internal audit tools and techniques, and the emerging roles of the IAA.
Not all of those who participated in the survey answered all of the questions asked. Results
question.
not CAEs).
o Some questions were asked of all respondents: both CAEs and Practitioners.
Some participants responses are presented according to the respondents position in the IAA.
These more detailed summaries of results may be provided for the five categories of respondents:
CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in the
Other category consist primarily of other professional staff whose positions are not captured by
the traditional job titles included in the survey. They may be members of the IAA, employed by
service providers, or in organizations where their titles are less traditional but with duties within
internal auditing.
Survey Demographics Summary
The following is a brief summary of the demographics of the respondents and their organizations.
Detailed tables and a discussion of the demographics are presented in Chapter 3. Respondents
represent the following staff levels: CAEs (26.5%), Audit Managers (22.8%), Audit Seniors/
Supervisors (25.2%), Audit Staff (18.2%), and Others (7.3%).
Duration of Respondents IIA and/or Affiliate Membership and Respondents Age
Survey results indicate that 58.6% of respondents have been members of The IIA for five years or
less, 19.5% have been members for 6 to 10 years, and 15% have been members for 11 or more
years. Although distribution of the original survey instrument was only to IIA members, 6.9% of
the respondents indicated they are not members of The IIA.
When asked about their age, respondents indicated 3.5% are 25 years old or under, 27.8% are
between 26 and 34 years old, 34.8% are between the ages of 35 and 44, and 24.2% are between
45 and 54 years old. Only 9.3% are 55-64 years old and .4% are older than 65. The largest
percentage of Audit Managers (41.5%) is between 35 and 44 years old.
Highest Level of Formal Education and Academic Major
Thirty-eight point one percent of the respondents have obtained their bachelors (undergraduate)
degree in business, and 28.9% have obtained a masters (graduate) degree in business. Fourteen
point three percent have a bachelors degree in a non-business subject and 9.4% have a masters
degree in a non-business field. There appears to be no pronounced relationship between the
respondents highest level of education and their current position in the IAA. It also appears that
for most respondents, a bachelors degree or comparable level of education is necessary to enter
the profession.
The top six academic majors of respondents are accounting (55.8%), general business/management
(27%), finance (23.8%), economics (19.9%), auditing (17.8%), and internal auditing (12.7%) (NOTE:
since respondents could mark all that apply, percentages exceed 100%). A higher percentage of
CAEs (60.0%) and Audit Managers (59.9%) have an accounting major than members of the Audit
Staff (45.0%).
Professional Qualification(s) and Area(s) of Professional Experience
There are many professional organizations that have qualifying tests and certifications for those
employed in accounting and auditing. Survey respondents were asked about their own qualifications.
More than one-third (39.4%) of the respondents have a specific certification in internal auditing
and about one-fourth (26.7%) of the respondents have a certification in public accounting/chartered
accountancy. A much smaller number of respondents have certifications in information systems
auditing (10.2%), management/general accounting (5.4%), and fraud examination (5.3%). Internal
auditing is the most common certification for respondents followed by public accounting/chartered
accountancy. The possession of additional qualifications appears more common as individuals
move up in the IAA.
The five areas in which respondents have the most business experience are internal auditing (6.1
years), management (5.4 years), accounting (5.3 years), other professional experience (4.9 years),
and finance (4.4 years). This pattern is consistent for those currently employed by service providers,
privately held (non-listed) companies, publicly traded (listed) companies, and public sector. Service
providers, for the purpose of this study, are defined as those who work on a contractual basis to aid
organizations with assurance and consulting engagements. The not-for-profit sector respondents
indicated less overall work experience.
Years of Existence of IAA and Years of CAE Experience
The largest numbers of respondents work for IAAs that have been in existence for 0-5 years
(28.4%) and another 21% of the respondents work for IAAs that have been in existence for 6-10
years. A total of 13.8% of respondents organizations have IAAs that have been in existence for
31 or more years. This is a very positive development for internal auditing as it shows that growth
has accelerated in the past 10 years. Given the corporate governance issues and regulatory
developments in recent years, this could be a reflection of the recognition by organizations and
their boards of the need for internal auditing.
When CAEs were asked about their years of experience as a CAE, more than half (56%) indicated
they had been a CAE for 5 years or less and one-fourth of CAE respondents have between 6 and
10 years of CAE experience. Nineteen percent of CAE respondents have more than 10 years of
experience in this position.
Organization Type, Service Providers, and Industry Classifications
When asked about their current employers, 38% of all respondents indicate that they work for a
publicly traded (listed) company, while 19.5% work for a privately held (non-listed) company.
Twenty-three percent of all respondents currently work in the public sector. Ten point five percent
of the respondents work for a service provider or as a consultant. Internal auditing is performed by
members of the IAA as well as by external service providers.
The survey population covered a broad range of industries. Since the respondents were asked to
select all industries that applied to their organization, the total of industries selected is greater than
100%. The top 10 industries indicated by respondents are: banking/financial services/credit union
(24.5%), other (13.9%), manufacturing (13.4%), financial, accounting, and/or business services
(11.1%), insurance (9.3%), utilities (7.9%), education (7.0%), communication/telecommunication
(7.0%), healthcare (6.4%), and retail/wholesale (6.2%).
Geographical Areas and Legislation Affecting Internal Auditing
Recognizing that organizations operate differently, in part based on the locations they service, data
was collected on geographical areas served by the respondents organizations. Of the respondents,
39.2% indicate that their employer operates on an international/multinational scale, while 29.1% of
employers operate on a national scale. The remaining 31.7% operate on a local, state/provincial, or
regional basis.
In the CBOK Affiliate questionnaire, affiliate leaders were asked about local and federal regulations
and legislation affecting the profession of internal auditing. Of the 46 affiliates that responded, 36
(78%) indicate that their countries have legislation or regulations that affect the internal auditing
profession in the public sector. In most of these affiliates, financial entities, banks, and insurance
companies are subject to legislation that prescribes the establishment of, or the role of, internal
auditing in an organization. The United States and Canada also have legislation affecting internal
auditing.
In 22 (61%) of the 36 affiliates where legislation or regulation affecting internal auditing exists,
The IIA affiliate had an influence on the final form of the legislation or regulation. Those IIA
affiliates that assisted in the development of the legislation or regulations took part in the discussions
or provided input through participation in committees, work groups, and conferences. IIA affiliates
also regularly issue their own opinions on drafts of local and national laws and regulations. The
publication of position papers and articles reflecting their members ideas and opinions is a common
method of participation in the evolution of local and national laws and regulations.
Compliance with Internal Auditing Standards
Most of the participants in this study indicate that their IAAs are using the Standards and Practice
Advisories. They also believe that the guidance provided to them by the Standards and Practice
Advisories is adequate. Standards 1300, Quality Assurance and Improvement Program, and 2600,
Resolution of Managements Acceptance of Risk, received lower adequacy responses indicating
that more or clearer guidance may be appropriate in the fields of quality assurance and improvement
and resolution of managements acceptance of risk. The respondents are using these two standards
to a lesser extent when compared to the other standards. Overall, the guidance provided by the
Attribute Standards is perceived by respondents to be better than that provided in the Performance
Standards.
Respondents at all staff levels indicate that 81.9% of their IAAs use the Standards in whole or in
part. In Figure 2-1, CAEs report the highest level of usage (85.1%) of the Standards by their IAA,
while all other respondents report usage between 72.2% and 84.3.
Figure 2-1
Organizations Use of the Standards in Whole or in Part by Staff Level
All Respondents (8,647) in Percentages
The most common reasons given by those respondents whose IAA does not adhere to the Standards
are:
Inadequate IAA staff (12.6%).
Management of organization does not think it adds value (12.2%).
Too time-consuming to comply with the Standards (12.2%).
Percentage of Respondents
Compliance not supported by management of organization (11.9%).
Superseded by local/government regulations/standards (10.7%).
Quality Assurance and Improvement Programs
To supplement the research on compliance with the Standards, respondents were asked specific
questions about their compliance with Standards 1300, 1311, and 1312 which require quality assurance
and improvement programs, internal quality assessments, and external quality assessments. Standard
1300 requires the CAE to develop and maintain a quality assurance and improvement program
that covers all aspects of the internal audit activity and continuously monitors its effectiveness.
The level of compliance is lowest for Standard 1300, Quality Assurance and Improvement Program.
Approximately one-third of the respondents currently have a quality assurance and improvement
program in accordance with Standard 1300. Approximately one-third of the respondents have had
an internal assessment. One-third has never had an internal assessment. Almost one quarter of the
respondents do not plan to have a quality assurance and improvement program in place within the
next 12 months in accordance with Standard 1300, although approximately one-third of the
respondents have such a program currently in place. Forty percent indicate that no external
assessment has been performed.
Less than 50% of the respondents indicate that their quality assessment and improvement programs
include certain activities to monitor the effectiveness of these programs as suggested by PA1300-
1, Quality Assurance and Improvement Program. Monitoring activities most often include
engagement supervision and checklists to provide assurance that proper audit processes are followed.
Approximately 30% of the respondents indicate that compliance with The IIAs Standards or
Code of Ethics are explicitly monitored as part of these activities.
According to Standard 1311, Internal Assessments, the IAA should adopt a process to monitor and
assess the overall effectiveness of the quality program. The process should include both internal
and external assessments. There is no formal requirement mentioned in the standard regarding the
frequency of the self-assessment, only that it be ongoing. The respondents were requested to
indicate when their IAAs were last subject to a formal internal assessment. Of those responding,
23.6% have had an internal review within the last 12 months and an additional 8.7% had an internal
review within the last five years. The CAE respondents indicated that 47.4% of their IAAs have
never had an internal assessment.
According to Standard 1312, External Assessments, the IAA should have an external assessment
at least once every five years by a qualified, independent reviewer or review team external to the
organization. All IAAs that existed on J anuary 1, 2002, when this standard became effective
should have had an external assessment performed by J anuary 1, 2007. Of all respondents, 39.7%
have never had an external assessment. When analyzing this response by staff level, 53.7% of
CAE respondents indicate that their organizations have not been subject to a formal external
quality assessment and are not in compliance with Standard 1312. Note in Figure 2-2 that 28.4% of
the respondents IAAs are five years old or less. This could be the reason why some of the IAAs
have not had an external assessment.
Compliance with The IIAs Code of Ethics
As The IIAs Code of Ethics must be followed by all those that provide internal auditing services,
affiliate leaders were asked whether they required their members to follow The IIAs Code of
Ethics. Forty-six affiliate leaders responded to this question and all answered in the affirmative
except for one which adopted a local version. When the affiliate leaders were asked how they
handled ethical complaints against their members, the wide variety of responses ranged from the
use of an ethics or disciplinary committee to action being left to the affiliates full board of directors.
Current Status of the Internal Audit Activity
The IAA adds value in multiple ways. It helps the organization achieve its goals by providing
suggestions for improvements to vital systems, processes, and procedures. The IAA helps ensure
that controls are in place to provide safety and security for transactions and activities. Consulting
services assist management in planning for the future and addressing difficult strategic and operational
issues. The IAA is vital to the success and health of any organization operating today.
Some parts of the world are just starting to recognize the importance of internal auditing and
beginning to develop the internal auditing activity. Many IAAs are small or have been in existence
for less than five years. Newer IAAs and/or those with smaller audit staffs may not have sufficient
staff or personnel with all of the necessary skills and competencies to meet the needs of their
organizations. Depending upon priorities and availability of resources, some audits or audit skills
may need to be outsourced.
Years That the IAA and the Organization Have Existed
To gain a perspective on the length of time respondents organizations have had IAAs, Figure 2-2
lists the number of years the respondents IAAs have been in existence. The largest number of
respondents work for IAAs that have been in existence for 0-5 years (28.4%). Another 21% of
the respondents work for IAAs that have been in existence for 6-10 years. Respondents indicate
that 13.8% work in IAAs that have been in existence for 31 or more years. Given the corporate
governance issues and regulatory developments in recent years, the large number of newer IAAs
could be a reflection of the recognition by organizations of the need for the IAA and the need to
conduct audits in these areas. A new IAA could also be the result of a corporate merger or
acquisition. Although a newer IAA may not be as developed or have the same level of experience
or expertise as a more mature one, a younger department does not necessarily equate to a weak or
unskilled department.
Figure 2-2
Number of Years the IAA Has Existed in the Organization
0-5 Years
28.4%
41+Years
8.1%
31-40 Years
5.7%
21-30 Years
14.1%
11-20 Years
22.7%
6-10 Years
21.0%
Figure 2-3 reports how long respondents organizations have been in existence. A separate correlation
test performed by the researchers confirms that there is a relationship between how long an
organization has been in existence and how long the organization has had an IAA. Older companies
tend to have established IAAs longer than younger companies.
Figure 2-3
Number of Years Organizations Have Existed
IAAs Relationships within the Organization
Relationship with the Audit/Oversight Committee
To maintain independence, the IAA should have a charter approved by the audit committee of its
governing board. An internal audit charter is required by The IIAs Attribute Standard 1000, Purpose,
Authority, and Responsibility, and Practice Advisory (PA) 1000-1, Internal Audit Charter. The
charter provides the power from which the IAA can insist that they have the authority to conduct
0-5 Years
7.2%
6-10 Years
10.5%
11-20 Years
14.0%
21-30 Years
9.3%
31-40 Years
8.0%
41+Years
51.0%
the audits deemed necessary. The survey confirms that this practice is generally the case in the
majority of IAAs with 72.3% of the respondents indicating their organization has an internal audit
charter. IAAs without a charter may be less empowered from the audit customers perspective.
The reporting relationships of the respondent CAEs are generally in accordance with the Standards
and Practice Advisories. There is also a high level of input by the audit committee in the appointment
and performance evaluation of CAEs. In the majority of cases, CAEs are reporting to the audit
committee of the board and/or to a member of senior management. The survey did not allow the
CAE to indicate a dual reporting relationship as recommended by The IIA. Dual reporting allows
the IAA to build organizational independence while also serving senior management.
Practice Advisory 2060-2, Relationship with the Audit Committee, defines the IAAs and the audit
committees relationship. As noted in Table 2-1, CAEs confirm that an audit/oversight committee
exists in 72.6% of their organizations. The CAEs relationship with the audit committee chairperson
is very important. Of the respondent CAEs with audit committees, 63.2% meet regularly with the
audit committee chair in addition to regular audit committee meetings. It is notable that of those
that have audit committees, 91.3% of CAEs believe they have appropriate access to the audit
committee. Public sector IAAs often do not have an audit committee structure in their organizations.
Table 2-1
CAEs Relationship with Audit/Oversight Committee
CAE Respondents Percentage of Yes Responses
Question Total Respondents Yes
Percent of
Total Responses
Is there an audit/oversight
committee in your organization? 2,315 72.6
Does the CAE meet with the
audit/oversight committee
chairperson in addition to the
regularly scheduled meetings? 1,669 63.2
Does the CAE believe that
he/she has appropriate access
to the audit committee? 1,671 91.3
Organizations and CAEs Perceptions of the IAA
A set of general questions asked all respondents to rank their perceptions about how their IAA is
perceived by their organization. All respondents were asked to rank their level of agreement with
the statements in Table 2-2 on a scale of 1 to 5 from Strongly Disagree (1) to Strongly Agree (5).
The mean response for each question was calculated for the four levels of audit staff responding
to the survey.
Table 2-2
Relationship of IAA to the Organization
All Respondents in Means*
CAE Audit Manager Audit Senior/ Audit Staff
Statement (Mean of (Mean of 2,033 Supervisor (Mean of 1,626
2,374 Responses) (Mean of 2,251 Responses)
Responses) Responses)
Your internal audit activity is an 4.45 4.34 4.25 4.10
independent objective assurance
and consulting activity.
Your internal audit activity adds 4.41 4.32 4.26 4.20
value.
Internal audit brings a systematic 4.03 3.99 3.98 3.95
approach to evaluate the
effectiveness of risk management.
Your internal audit activity brings 4.35 4.27 4.21 4.11
a systematic approach to evaluate
the effectiveness of internal controls.
Your internal audit activity brings a 3.80 3.73 3.71 3.74
systematic approach to evaluate the
effectiveness of governance
processes.
Your internal audit activity 4.10 4.05 3.96 3.88
proactively examines important
financial matters, risks, and
internal controls.
Your internal audit activity is an 4.10 4.04 3.97 3.91
integral part of the governance
process by providing reliable
information to management.
*The mean is the average response to: 1 =Strongly Disagree, 2 =Disagree, 3 =Neutral, 4 =Agree, 5 =Strongly Agree.
Table 2-2 (Cont.)
CAE Audit Manager Audit Senior/ Audit Staff
Statement (Mean of (Mean of 2,033 Supervisor (Mean of 1,626
2,374 Responses) (Mean of 2,251 Responses)
Responses) Responses)
The way our internal audit activity 3.52 3.81 3.66 3.51
adds value to the governance
process is through direct access
to the audit committee.
Your internal audit activity has 4.07 3.97 3.86 3.75
sufficient status in the organization
to be effective.
Independence is a key factor for 4.46 4.40 4.32 4.29
your internal audit activity to add
value.
Objectivity is a key factor for 4.58 4.47 4.42 4.36
your internal audit activity to add
value.
Your internal audit activity is 4.30 4.17 4.08 3.99
credible within your organization.
Compliance with The IIAs 3.86 3.90 3.89 3.90
International Standards for the
Professional Practice of Internal
Auditing is a key factor for your
internal audit activity to add value
to the governance process.
Compliance with The IIAs Code 4.03 4.04 3.98 3.99
of Ethics is a key factor for your
With the majority of means above 4.0, respondents, who are all members of the IAA giving their
opinion about how others see the IAA, indicate that they believe their organizations perceive that
IAAs are independent, objective, add value, and effectively evaluate internal controls. There is
less certainty among respondents concerning their perceptions about the effectiveness of the IAAs
approach to risk management and evaluation of the effectiveness of governance processes. These
two areas are specifically addressed in the 1999 definition of internal auditing. Respondents
perceptions indicate strong support for the IAAs independence, objectivity, and credibility. While
the IAA appears to be highly credible within the organization, there is less agreement about
compliance with The IIAs Standards and Code of Ethics.
Statements with means around 4.0 indicate respondents agreement that the IAA has an effective
approach to risk management; is proactive in looking at important financial matters, risks, and
internal controls; has sufficient status in the organization; and compliance with The IIAs Code of
Ethics is a key factor for the IAA to add value to its organization.
The statements ranked under 4.0 but above 3.5 indicate respondents have less support for the
statements about effectiveness in the evaluation of corporate governance and compliance with the
Standards. Overall, the perceptions by the respondents provide a very positive view of the IAA
within their organizations.
Methods Used to Measure the Value Added by the IAA
The responses to the questions about the methods used to measure the value added to the organization
by the IAA show a variety of methods being used. These include self-assessment and assessment
by others in the organization. The measures used include acceptance of recommendations (51.4%),
auditee (customer) surveys (34.6%), and the number of management requests (26.8%). Reliance
by the external auditors on the IAA is also used as a value indicator (33.5%). No formal measurement
of value added exists in 32.6% of respondents IAAs.
Internal Audit Activity
Managing the IAA
Standard 2000 requires that the CAE, should effectively manage the internal audit activity to
ensure it adds value to the organization. These activities include administrative activities such as
developing an audit plan and assigning audit tasks. Performance Standard 2200 states, Internal
auditors should develop and record a plan for each engagement, including the scope, objectives,
timing, and resource allocations. Over 91.5% of all respondents believe that their IAA performs
these administrative tasks.
Creating the Audit Plan
Eighty-one point three percent of respondents follow Practice Advisories PA 2010-2, Linking the
Audit Plan to Risk and Exposures, and PA 2040-1, Policies and Procedures, indicating that most
IAAs use a proper planning process. Of the organizations served by the IAA, 73.3% have a
corporate ethics policy/code of conduct. Internal audit risk assessments are performed by 69.5%
of the respondents. In the IAA, 63.0% have an internal audit operating manual/policy statement.
These are all positive indicators of effective internal audit processes.
To comply with IIA Standard 2010, Planning, the IAA should create an audit plan using a risk-
based technique. Respondents indicate that 95.6% of their IAAs create a plan for their audit
activities at least annually, while 36.4% plan or revise their intentions multiple times a year. The use
of risk-based methodology to determine the audit plan is required by IIA Performance Standard
2010 and elaborated in Practice Advisory PA 2010-1, Planning. Of CAE respondents, 86.7% use
risk-based techniques in audit planning. When preparing their audit plans, requests from management
are an additional consideration used by 73.1% of CAEs.
Scope of Work and Who Performs the Audits
The definition of internal auditing and Standard 2100 includes three broad areas of responsibility
for IAAs to evaluate and contribute to the improvement of risk management, control, and governance
processes. The respondents were asked what percentage of the audits their IAAs performed and
what percent are outsourced or done by other departments in the organization. The IAA performs
85.6% of the internal audits, 79.1% of the operational auditing, 56.3% of the investigations of fraud
and irregularities, and 56% of the financial audits. IAAs also perform 47.1% of the ethics audits
and 48.5% of the management effectiveness audits.
Other types of work performed include control framework monitoring and development (58.9%)
and compliance with corporate governance and regulatory code requirements (51.4%). Information
risk assessment (47.5%), internal control testing and evaluation engagements (70.8%), and enterprise
risk management (37.6%) are also performed by the IAA to determine what areas may need to be
made more effective and efficient.
The three largest audit areas that are outsourced/co-sourced outside the IAA are financial auditing
(27.2%), information technology department assessment (18.8%), and quality/ISO audits (14.1%).
The three areas where fewer audits are performed by the IAA are social and sustainability audits
(40%), quality/ISO audits (32.5%), and ethics audits (27.4).
Risk management work performed within organizations includes business viability assessments,
enterprise risk management support and information risk assessment. The majority of business
viability assessments are performed by other departments within the organization (51.6%). IAAs
perform 24.6% of these audits while 16.8% of the respondents report that these audits are not
performed at all. For enterprise risk management assessment activities, IAAs perform 37.6% of
these activities, other departments within the organization perform 43.6%, and 6.5% of these
activities are co-sourced or outsourced. In the area of information risk assessment, the IAA performs
47.5% of the activities and other departments perform 30.9%.
Practice Advisory 2120.A1-1, Assessing and Reporting on Control Processes, states that testing
compliance with laws, regulations, and contracts is part of the IAAs study and evaluation of
internal controls. Two areas where the IAA performs compliance activities are compliance with
company privacy policies (43.1%) and health, safety, and environment (22.1%).
The definition of internal auditing includes consulting in its scope of acceptable audit activities.
Areas of consulting included in the study indicate that 11.3% of the activities for corporate takeovers/
mergers are performed by IAAs while 50.4% are handled by other departments in the organization.
The IAA provides 46.2% of the support for external auditors, while other departments provide
28.1% and co-sourced or outsourced work accounts for 14% of the activities required. Project
management activities are performed mainly by other departments (58.3%) with 27.7% of these
activities provided by the IAA. Both the IAA and other departments in the organization provide
39.6% of the activities for special projects with 15.4% being co-sourced or outsourced.
Performing the Engagement
The demands on the IAA and its staff are increasing as the significance and usefulness of the
work of the IAA become better known and valued. This can strain the resources of most IAAs as
they enhance their presence in the organization. The use of tools and techniques helps the auditor
successfully plan, monitor progress, document, analyze data, complete the audit, and determine the
magnitude of audit findings. The objective for this area of the study was to determine which tools
the IAA finds necessary for internal auditors to successfully perform their engagements.
The tools and techniques included in this survey were identified by reviewing the Standards and
Practice Advisories, internal auditing literature, past CBOK studies, and the current CBOKs pilot
study. Based on this review, 16 tools and techniques were identified as being important for the IAA
and its staff when performing the audit. Some tools/techniques are in the area of audit administration
(planning or managing) while others relate to helping internal auditors perform their engagements
(analyzing data or statistical sampling). Respondents could not add to or amend the list that was
included in the CBOK 2006 survey. The respondents were asked to indicate which listed tools and
techniques their IAAs currently use or plan to use in the next three years by rating all the tools/
techniques listed on a five point scale: 1, Not Used, through 5, Extensively Used. Results are
shown in Table 2-3, indicating the ranking of response means by position in the IAA.
The results in Table 2-3 show that that all respondents, regardless of their position, almost uniformly
rank the same three tools as most used by the IAA. Other electronic communications was the
highest ranked tool. Risk-based audit planning uniformly ranked second with a mean approximately
one-half a percentage point less than that of electronic communications. Other than electronic
communications (e.g., Internet, e-mail) and risk-based audit planning, only analytical review has a
mean above 3.00 for all respondents. These three tools match the core tasks of the IAA: planning,
documenting fieldwork, and communication. Documentation and communication can be very
labor intensive when completed without technological support. As such, it is appropriate that the
IAA would have first invested and developed tools in these areas.
Table 2-3
Extent the IAA Currently Uses Audit Tools and Techniques
All Respondents by Rank*
Tools/Techniques Overall CAE Audit Audit Senior/ Audit Other
Manager Supervisor Staff
Other electronic communication 1 1 1 1 1 1
(e.g., Internet, e-mail)
Risk-based audit planning 2 2 2 2 2 2
Analytical review 3 3 4 3/4 4 3
Electronic workpapers 4 4 3 3/4 3 4
Statistical sampling 5 5 6 5 5 5
Computer-assisted audit 6 6 5 6 6 6
techniques
Flowchart software 7 8 7 7 8/9 7/8
Benchmarking 8 7 8 9/10 11 7/8
Process mapping application 9 9 9 8 8/9 10
Control self-assessment 10 11 10 9/10 10 9
Data mining 11 10 11 12 12 12
Continuous/real-time auditing 12 12 13 11 7 11
The IIAs quality assessment 13 13 12 14 14 14
review tools
Balanced scorecard or similar 14 14 14 13 15 15
framework
Total quality management 15 15 15 15 13 13
techniques
Process modeling software 16 16 16 16 16 16
*In some cases the rankings were tied. For example, rankings of Benchmarking and Control self-assessment at the Audit
Senior/Supervisor level were tied.
Process modeling software is a tool that is generally not used (ranked 16 of 16) by the respondents.
Based on ranks and means, other tools and techniques not currently used by many respondents are
total quality management techniques, the balanced scorecard, the IIAs quality assessment review
tools, continuous/real-time auditing, data mining, and control self-assessment.
Respondents were also asked to indicate their planned use of the listed tools and techniques in the
next three years. Results show that in the next three years a higher number of CAEs and Practitioners
will extensively use the listed tools and techniques, more than they presently do. Significant increases
in usage were indicated for risk-based audit planning and computer-assisted audit techniques.
Increased usage was also noted for The IIAs quality assessment review tools, process modeling
software, the balanced scorecard or similar frameworks, continuous real-time auditing, data mining,
and control self-assessment.
These findings are very important since these are the tools and techniques suggested by the
Standards, practice advisories, and best practices.
Resolution of Major Differences
Practice Advisory 2410-1, Communication Criteria, suggests, As part of the internal auditors
discussions with the engagement client, the internal auditor should try to obtain agreement on the
results of the engagement and on a plan of action to improve operations, as needed. CAE
respondents were asked to indicate at what points in the audit process major differences are
resolved. Several categories could be selected by each respondent indicating major issue resolution
in multiple phases of the audit process. Of those responding, 44.5% usually resolve major differences
during audit fieldwork and 45.2% usually resolve them during the audit reporting phase. Thirty-two
point four percent sometimes resolve audit issues during planning, while 28.5% indicated that
resolution rarely happens during the planning stage.
Reporting of Findings
Standard 2440, Disseminating Results, states, The chief audit executive should communicate
results to the appropriate parties. The majority of the respondents agree that the responsibility of
reporting audit findings rests with the CAE. CAEs believe they should report the findings alone
(75.1%) or jointly with the client (10.3%), while Audit Managers indicate they should report the
findings alone (28.2%) or with the client (9.4%).
Monitoring Corrective Action
In Standard 2500, Monitoring Progress, The chief audit executive should establish and maintain a
system to monitor the disposition of results communicated to management. Standard 2500.A1
goes on to require a follow-up process to monitor and ensure that management actions have been
effectively implemented or that senior management has accepted the risk of not taking action. Of
the respondents in varying positions in the IAA, 37.5% to 54.5% believe that both the internal
auditor and client together have the primary responsibility to monitor adoption of needed corrective
action. From 25.8% to 35.7% of the respondents indicated that the internal auditor has the primary
responsibility. The majority of respondents indicated that their organizations have some formal
monitoring system. With the exception of the Other respondents (8.5%), only 2.0% to 3.4% indicated
they had no formal follow-up procedures. Although these results indicate that this responsibility is
often shared with management, the Standards state that the CAE is responsible for monitoring
corrective action.
Staffing and Professional Development
Staffing
In most organizations, in-house internal auditors cover over 90% of the work. Publicly listed
companies average the highest in-house audits with 95.4% coverage. Despite the opportunity for
outsourcing and co-sourcing, most organizations are conducting their internal audits with in-house
staff. Consultants are the largest group of service providers for IAAs. Thirty-three percent of
CAEs indicated that their budget for co-sourcing and outsourcing will increase in the next three
years.
The survey responses indicate that most respondents IAAs are relatively small operations in
terms of staffing but that staff is skewed to more experienced internal auditors. In 44% of the
organizations, there are only two to five general Audit Staff members. The two main methods
CAEs use to cover staff vacancies are reduction in areas of coverage (30.7%) and co-sourcing
with internal audit service providers (28.7%).
Continuing Professional Development and Certification in Internal Auditing
The IIA requires 80 hours of continuing professional development (CPD) every two years. The
IIA Attribute Standard 1230, Continuing Professional Development, requires internal auditors to
enhance their knowledge, skills, and other competencies through continuing professional
development. Respondents were asked how many hours of formal training they received over the
last 36 months or while they have been working in their IAA if less than 3 years. Training includes,
but is not limited to, seminars, conferences, workshops, and in-house information sessions provided
by either the respondents organization or other organizations.
The range in hours of formal training reported is from none to more than 240 hours. There is an
expectation that all respondents would have taken at least 120 hours of CPD over the prior three-
year period. Of the CAEs, 48.2% achieved or exceeded 120 hours of CPD. Another 16.4% of the
CAEs attained the 80-119 hour level of CPD. The percentages of respondents at the other staff
levels that achieved 120 or more hours of formal training are: 49.1% for Audit Managers, 42.4%
for Audit Seniors/Supervisors, 35.5% for Audit Staff, and 34.1% for Others.
Compliance with the Standards mandates 40 hours of CPD annually. In some parts of the world,
due to the small size of the internal auditor population, it may be difficult to find the continuing
professional development needed to upgrade skills. There are many ways that IAAs can obtain
CPD for their staff even if funding or scarcity of local CPD courses are a concern. With the use
of the Internet, members can attend online conferencing events provided by The IIA, download
IIA position statements, and research online how to perform such activities as control self-assessment.
The IIA has monographs and other materials on multiple topics to aid in training internal auditors.
Of the respondents, 39.4% have a certification in internal auditing (e.g., CIA, MIIA), and about
one-fourth of the respondents have a certification in public accounting/chartered accountancy.
Possession of additional certification appears more common as individuals progress professionally
in the IAA.
Internal Auditor Skills
Since the scope of audit responsibilities outlined in the definition of internal auditing expanded in
1999, the types of audits and consulting activities performed by IAAs have increased. Skills used
by internal auditors have evolved and changed to meet the challenges of performing these new
types of audits.
Standard 1220, Due Professional Care, requires internal auditors to apply the care and skill expected
of a reasonably prudent and competent internal auditor. The objective for this question is to
determine the behavioral and technical skills necessary for internal auditors to successfully perform
their jobs at their position in the IAA. Recognizing the evolutionary nature of the profession, the
following two sections summarize the skills internal auditors are currently expected to possess as
they perform their roles.
All respondents were provided a list of technical and behavioral skills developed from the Standards
and Practice Advisories, internal auditing literature, past CBOK studies, and the current CBOK
2006 pilot survey . Respondents were unable to amend or change the list of skills provided. CAEs
were asked to identify the five most important technical and behavioral skills they and their staff
need to possess in order to be successful at their position in the IAA. Practitioners were asked to
indicate the importance of the listed skills to perform their work at their current staff position by
ranking the skills on a scale of 1 (minimally important) to 5 (very important). As a guide when
answering the survey questions, respondents were given the following definition of technical skills:
using terminology or subject matter in a particular field. Behavioral skills were defined in the
survey as actions towards others measured by commonly accepted standards and management
of ones own actions.
Technical Skills
CAEs believe that understanding the business and risk analysis are skills that are most important
for themselves. There is no individual technical skill that is highly rated by CAE respondents for all
staff levels in the IAA. Technical skills that are considered more important for the Audit Staff but
less critical for CAEs are identifying types of controls, use of information technology, statistical
sampling, and data collection and analysis. Other skills, such as forensic skill/fraud awareness, risk
analysis, and negotiating, are considered more important for CAEs and not as vital for the Audit
Staff or Audit Seniors/Supervisors.
As shown in Table 2-4, when reviewing the mean ranking of technical skills by Practitioners, the
consistency in rankings among the three traditional staff levels (Audit Manager, Audit Senior/
Supervisor, and Audit Staff) is very noticeable. The decreasing importance of certain skills as one
achieves higher levels in the IAA is indicated for some technical skills, but the direction of the
change is more significant than the magnitude of the decrease. Statistical sampling and data collection
and analysis have the largest changes between professional ranks.
Table 2-4
Importance to Respondent of Technical Skills to Perform Work
Practitioner Respondents by Means*
Technical Skills Audit Audit Audit
Manager Senior/ Staff
Supervisor
Data collection and analysis 4.1 4.3 4.4
Financial analysis 3.8 3.9 3.7
Forensic skills/fraud awareness 3.6 3.6 3.6
Identifying types of controls 4.3 4.2 4.1
(e.g., preventative, detective)
Interviewing 4.3 4.3 4.3
ISO/quality knowledge 2.9 2.9 3.0
Negotiating 3.7 3.6 3.5
Research skills 3.9 4.0 4.0
Risk analysis 4.4 4.3 4.2
Statistical sampling 3.2 3.3 3.5
Total quality management 2.9 2.9 3.0
Understanding the business 4.5 4.4 4.3
Use of information technology 4.1 4.1 4.1
*The mean is the average response to: 1 =minimally important to 5 =very important.
Note: Not all respondents answered for all the skills. Total number of respondents was between 4,686 and 4,756.
Behavioral Skills
The results show that CAEs and Practitioners almost uniformly consider confidentiality and objectivity
among the five most important behavioral skills. The CAEs responses for other behavioral skills
indicate a difference among the skills needed based on the professional levels analyzed (CAE,
Audit Manager, Audit Senior/Supervisor, and Audit Staff). While leadership is considered the most
important skill that CAEs should possess, CAEs indicate that for the Audit Staff, interpersonal
skills and being a team player are most important. From the CAEs perspective, when viewing the
importance of behavioral skills across the array of hierarchical positions in the IAA, leadership,
governance and ethics sensitivity, and staff management show a trend of increasing importance.
As one progresses to higher levels of professional responsibility and status, being considered a
team player and being able to work independently decline in importance.
Practitioners were asked to indicate the importance of the same 12 behavioral skills for performing
their work at their current position in the organization. Respondents indicated importance on a
scale of 1 (minimally important) to 5 (very important). Analysis broken up into three professional
levels (Audit Manager, Audit Senior/Supervisor, and Audit Staff) is shown in Table 2-5. As indicated
by a mean of 4.0 and above, practitioners consider almost all the behavioral skills listed to be
important to perform their work at their current position in the IAA.
Table 2-5
Importance of Behavioral Skills to Perform Work
Practitioner Respondents by Mean*
Behavioral Skills Audit Audit Audit
Supervisor
Confidentiality 4.8 4.8 4.7
Facilitating 4.1 4.0 3.9
Governance and ethics sensitivity 4.4 4.3 4.3
Interpersonal skills 4.6 4.5 4.5
Leadership 4.3 4.1 3.9
Objectivity 4.8 4.8 4.7
Relationship building 4.4 4.4 4.3
Staff management 4.1 3.8 3.5
Team building 4.2 4.0 3.9
Team player 4.3 4.2 4.2
Work well with all levels of management 4.6 4.6 4.5
Working independently 4.2 4.2 4.2
Note: Not all respondents answered for all the skills. Total number of respondents is between 4,742 and 4,790.
No one person can possess all the behavioral and technical skills needed by the IAA to perform the
different types of audits and consulting engagements necessary to fulfill all the needs of the
organization. Although many of the staff can be generalists, IAAs may need to hire specialists and/
or outsource audits as needed.
Internal Auditor Competencies and Knowledge Areas
Competency and knowledge areas are essential for the success of an individual internal auditor,
the completion of an audit, and the overall success of the IAA. Standard 1210, Proficiency, requires
the internal audit activity collectively should possess or obtain the knowledgeand other
competencies needed to perform its responsibilities. Standard 1230, Continuing Professional
Development, indicates that these competencies and knowledge areas must be continually updated
and current. Internal auditors at all levels need to obtain and develop a range of competencies and
knowledge areas that enable them to perform their work effectively and enable the IAA to function
properly.
Competencies
Competencies range from generally applicable individual skills such as time management and
presentation skills to qualities that are specific to internal auditors such as the ability to promote the
IAA within the organization. Internal auditors also must have different competencies for satisfactory
performance at various hierarchical positions in the IAA. As a guide for respondents, competencies
were defined in the survey as skills essential to perform certain tasks. The importance of
competencies is highlighted since it is one of four principles in The IIAs Code of Ethics. The Code
of Ethics states that competency is when internal auditors apply the knowledge, skills, and
experience needed in the performance of internal auditing services. Respondents were unable to
amend or add to the list of competencies that was given.
CAEs were asked to identify the five most important competencies they need to possess in order
to be successful as the leader of their IAA. They were also asked to identify the five most important
competencies that Audit Managers, Audit Seniors/Supervisors, and Audit Staff each need to perform
their jobs.
As shown in Table 2-6, CAEs commonly indicated as their most important competency the ability
to promote the IAA within the organization. This is consistent with the Standards. Standard 2000,
Managing the Internal Audit Activity, states that the CAE should effectively manage the internal
audit activity to ensure it adds value to the organization. CAEs view the ability to be analytical and
communicate as the most important competencies for Audit Seniors/Supervisors and the Audit
Staff. Based on the CAEs responses, writing and analytical skills decline in importance as one
advances in positional responsibility and status.
Table 2-6
Most Important Competencies by Staff Level
CAE Respondents (2,092 ) in Percentages
Competencies CAE Audit Audit Audit
Supervisor
Ability to promote the internal audit activity within 78.1 28.3 10.9 9.3
the organization
Analytical (ability to work through an issue) 24.9 31.5 47.7 63.9
Change management 34.7 20.4 7.6 4.1
Communication 60.3 46.7 43.2 51.9
Conceptual thinking 38.0 20.7 16.1 17.8
Conflict resolution 41.2 35.3 20.2 7.2
Critical thinking 31.3 26.3 31.0 43.9
Foreign language skills 13.4 10.8 8.1 12.4
Keeping up to date with professional changes in 41.3 31.0 22.9 22.5
opinions, standards, and regulations
Organization skills 30.3 27.9 22.0 20.9
Presentation skills 37.4 25.5 15.5 13.0
Problem identification and solution 21.6 23.8 34.5 47.0
Project planning and management 24.7 35.7 24.3 7.1
Report development 13.0 23.0 27.3 22.1
Time management 15.8 18.7 28.2 40.2
Training and developing staff 30.1 38.2 20.9 2.6
Understanding complex information systems 12.4 14.9 16.1 16.3
Writing skills 23.6 24.2 32.0 51.0
Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
Table 2-7
Importance of Competencies to Perform Work
Practitioner Respondents in Means*
Competencies Audit Audit Audit
Supervisor
Ability to promote the internal audit activity 4.32 4.15 4.11
within the organization
Analytical (ability to work through an issue) 4.52 4.53 4.45
Change management 4.03 3.89 3.72
Communication 4.61 4.59 4.54
Conceptual thinking 4.33 4.29 4.25
Conflict resolution 4.27 4.24 4.13
Critical thinking 4.48 4.43 4.36
Foreign language skills 2.59 2.54 2.66
Keeping up to date with professional changes 4.05 4.01 4.02
in opinions, standards, and regulations
Organization skills 4.15 4.13 4.13
Presentation skills 4.13 4.03 4.02
Problem identification and solution 4.50 4.48 4.44
Project planning and management 4.13 4.02 3.84
Report development 4.31 4.27 4.19
Time management 4.26 4.25 4.21
Training and developing staff 4.06 3.74 3.56
Understanding complex information systems 3.79 3.73 3.65
Writing skills 4.49 4.47 4.39
Note: Not all respondents answered for all the competencies. Total number of respondents was between 4,693 and
4,735.
Practitioners, when asked to indicate the importance of the eighteen competencies to their own job
performance at their current position in the organization, considered almost all of the competencies
equally important across the positional levels in the IAA. This is indicated by only marginal differences
across staff levels in the means on Table 2-7. CAEs appear to be viewing competencies appropriate
for a positional level from a department managers perspective, while Practitioners appear to view
a variety of competencies necessary for their success.
Knowledge Areas
This section looks at 19 areas of knowledge to determine which are important to internal auditors
for the satisfactory performance of their job in the IAA. As indicated in Table 2-8, Practitioners
were asked to indicate the importance of these 19 areas of knowledge to perform their work at
their current position in their organization on a scale of 1 (minimally important) to 5 (very important).
They were unable to amend or add to the list. Knowledge of auditing is overwhelmingly ranked
first for Practitioner respondents at all levels, and Ethics is ranked second by all levels except for
Audit Seniors/Supervisors where it is ranked third. Other knowledge areas consistently ranked in
the top five for all Practitioner respondents are internal auditing standards, technical knowledge for
your industry, and fraud awareness. There is an overall consistency of means for knowledge areas
at all staff levels.
Table 2-8
Importance of Areas of Knowledge to Perform Work
Areas of Knowledge Audit Audit Audit
Supervisor
Accounting 3.83 3.77 3.71
Auditing 4.68 4.66 4.61
Business law and government regulation 3.68 3.70 3.68
Business management 3.75 3.60 3.53
Changes to professional standards 3.71 3.64 3.68
Enterprise risk management 3.85 3.74 3.71
Ethics 4.21 4.18 4.26
Finance 3.70 3.68 3.64
Fraud awareness 4.00 3.93 3.91
Governance 3.95 3.80 3.77
Human resource management 3.44 3.23 3.15
Internal auditing standards 4.19 4.19 4.24
Information technology 3.85 3.84 3.79
Managerial accounting 3.35 3.30 3.27
Marketing 2.70 2.60 2.64
Organization culture 3.91 3.79 3.82
Organizational systems 3.75 3.76 3.78
Strategy and business policy 3.73 3.61 3.60
Technical knowledge for your industry 3.97 3.92 3.96
Note: Not all respondents answered for all the knowledge areas. Total number of respondents was between 4,711 and
4,751.
Emerging Roles of the Internal Audit Activity
Changing Emphasis on Types of Audits
This section focuses on the anticipated changes in the demand for general types of audits that will
be performed by the IAA in the next three years. The definition of internal auditing in The IIAs
1999 report, A Vision for the Future: Professional Practices Framework for Internal Auditing,
acknowledges the importance of assurance services and consulting engagements in the areas of
risk management, governance, and controls. With this expansion of scope, audits are expected to
be performed by IAAs in these three areas. In order to assess the amount of staff, their required
competencies, and the skills needed in the near future, the profession needs to anticipate changes
in the demand for the IAAs services. The IAA also must consider changes in their organizations
risk maturity profiles and stakeholder requirements. Table 2-9 shows the opinions of all respondents
to the question about whether they perceive the general types of audits performed by the IAA will
increase, decrease, or stay the same over the next three years.
Table 2-9
Anticipated Changes in Types of Audits to Be Performed
Within the Next Three Years
All Respondents in Percentages
Activity Total Increase Decrease Stay the Total
Responses Same Percent
Risk management 6,728 79.5 2.3 18.2 100.0
Governance 6,704 63.2 4.0 32.8 100.0
Regulatory compliance 6,698 46.9 11.7 41.4 100.0
Operational auditing 6,715 46.2 14.7 39.1 100.0
Review of financial processes 6,724 43.5 14.6 41.9 100.0
Of respondents, 79.5% predict that the greatest increase in the type of audits performed in the next
three years will be for risk management and 63.2% predict an increase in governance audits. The
increase in these types of audits will need to be reflected in the IAAs internal audit plan, resources
allocated, and in the audit staffs competencies. For many of the respondents, reviews of financial
processes (43.5%), regulatory compliance (46.9%), and operational auditing (46.2%) show increases.
Some respondents anticipate that less time will be spent on operational audits (14.7%), review of
financial processes (14.6%), and regulatory compliance audits (11.7%).
IAAs Emerging Roles in Organizations Activities
To gain an understanding of what roles IAAs have and will have in various types of activities
performed within the organization, respondents were provided with a list of important tasks
performed by organizations. They were asked to indicate if their IAA currently has a role in the
area, if the IAA will likely have a role in the next three years, or if it is unlikely that the IAA will
have a role. Role was defined as being within the IAAs scope of work. The list was created by
reviewing internal auditing literature and from the CBOK 2006 pilot survey. An overview of all
responses is shown in Table 2-10.
The respondents IAAs do some type of work in many of the areas listed. The four highest-rated
areas where respondents indicate that their IAAs currently perform audits are fraud prevention
(69% of respondents), risk management (66.6%), regulatory compliance assessment monitoring
(64%), and corporate governance (52.2%). Areas where respondents IAAs currently have less
developed roles are globalization (15.3%), environmental sustainability (14%), and emerging markets
(11.5%). For areas where there is no current IAA involvement, respondents indicate that 17.7% to
38.1% of their IAAs plan some engagements in the next three years. Areas where the IAAs
current involvement is low and is expected to remain low are executive compensation (45.4%),
environmental sustainability (39.9%), emerging markets (39.5%), globalization (35.2%), intellectual
property and knowledge assessment (35.1%), and mergers and acquisitions (30.8%).
Table 2-10
Emerging Roles of the IAA
Total Responses in Percentages
Roles Total Currently Likely to Have Unlikely to Not Total
Respon- Have a Role a Role Within Have a Role Applicable
dents the Next 3
Years
Alignment of strategy 6,500 23.1 35.2 30.1 11.6 100.0
and performance
measures (e.g., Balanced
Scorecard)
Benchmarking 6,476 28.6 35.7 26.0 9.7 100.0
Corporate governance 6,511 52.2 31.2 11.4 5.2 100.0
Corporate social 6,415 23.6 31.6 33.8 11.0 100.0
responsibility
Develop training and 6,522 46.6 34.4 15.3 3.7 100.0
education of organization
personnel (e.g., internal
controls, risk management,
regulatory requirements)
Disaster recovery 6,490 34.0 26.1 29.0 10.9 100.0
Evidential issues 6,385 39.8 23.9 23.5 12.8 100.0
Emerging markets 6,426 11.5 22.5 39.5 26.5 100.0
Environmental sustainability 6,436 14.0 24.7 39.9 21.4 100.0
Executive compensation 6,429 16.0 17.7 45.4 20.9 100.0
Fraud prevention/detection 6,530 69.0 22.9 5.7 2.4 100.0
Globalization 6,431 15.3 21.1 35.2 28.4 100.0
Intellectual property and 6,391 19.2 28.4 35.1 17.3 100.0
knowledge assessment
IT management assessment 6,453 46.1 32.2 16.8 4.9 100.0
Knowledge management 6,387 26.1 38.1 26.9 8.9 100.0
systems development review
Mergers and acquisitions 6,437 18.4 23.7 30.8 27.1 100.0
Project management 6,410 39.8 27.6 25.1 7.5 100.0
Provide training to the 6,436 31.2 34.4 21.7 12.7 100.0
audit committee
Regulatory compliance 6,442 64.0 23.0 9.2 3.8 100.0
assessment monitoring
Risk management 6,509 66.6 25.5 5.6 2.3 100.0
Strategic frameworks 6,407 27.0 36.8 27.7 8.5 100.0
Changing Legal Environment, Organization Systems, and Role of the IAA
Table 2-11 captures CAE and Audit Manager respondents agreement with statements about their
organizations and their IAA. The question asked if a statement currently applies, is likely to apply
within the next three years, or will not apply in the foreseeable future. The respondents indicate
that 61.2% of the IAAs currently reside in countries that have mandatory laws or regulations that
require organizations to have an IAA and 13.1% anticipate their countries will have such requirements
in the next three years. Corporate governance codes are complied with in 67.7% of the organizations
with 22.7% of the respondents organizations anticipating compliance with corporate governance
codes in the next three years. In 70.5% of the respondents organizations, there is an internal
control framework and 24.3% indicate that their organizations will have a framework in the next
three years. Assurance audits receive more emphasis than consulting services in 71.5% of the
organizations.
Table 2-11
How Statements Apply to Your Organization
CAEs and Audit Managers Agreement with Statements in Percentages
Statement Number of Currently Likely to Will Not Not Total
Respondents Applies Apply Apply in the Applicable
Within the Foreseeable
Next 3 Future
Years
Internal auditing is required 3,464 61.2 13.1 12.9 12.8 100
by law or regulation where
the organization is based.
Internal auditors in the 3,445 28.9 32.7 30.3 8.1 100
organization have an
advisory role in strategy
development
The organization complies 3,447 67.7 22.7 4.3 5.3 100
with a corporate governance
code.
The organization has 3,443 70.5 24.3 3.5 1.7 100
implemented an internal
control framework.
The organization has 3,423 25.6 43.9 20.6 9.9 100
implemented a knowledge
management system
The internal audit activity 3,424 34.0 32.3 18.5 15.2 100
has provided training to
audit committee members.
assumes an important role
in the integrity of financial
reporting.
educates organization
personnel about internal
controls, corporate
governance, and compliance
issues.
places more emphasis on
assurance than consulting
services.
The IAAs (64.3% currently, 25.3% more in three years) educate the organizations personnel
about internal control, corporate governance, and compliance issues. Many IAAs (55.7% currently,
25.6% more in three years) have an important role in the integrity of their organizations financial
reporting. Internal auditors have growing advisory roles in strategy development (28.9% currently,
32.7% more in three years) and training of audit committee members (34% currently, 32.3% more
in three years). The top three statements that some respondents selected as will not apply in the
foreseeable future are that internal auditors have a role in strategy development (30.3%), in the
training of audit committee members (18.5%) and in the integrity of financial reporting (13.8%).
Summary
Compliance with The IIAs International Standards for the Professional Practice of Internal
Auditing is essential if the responsibilities of internal auditors to their organizations are to be met.
Respondents strongly believed that their organizations comply overall with the Standards. Reasons
for not using the Standards related to organizational attributes, such as managements perceptions
that the Standards do not add value, lack of adequate IAA staff, and that it is too time-consuming
to comply with them. IAAs should strive to fully comply with the Standards. It appears that
Standard 1300, Quality Assurance and Improvement Program, is a barrier to full compliance for
many organizations worldwide. Additional guidance with suggestions for less costly ways to comply
with this standard could result in more members fully complying with the Standards.
The CBOK 2006 database provides information about the evolving role of internal auditing as a
value-added activity that helps an organization manage its risks and take advantage of opportunities.
The profession of internal auditing is a rich resource for organizations as the IAA monitors the
adequacy and effectiveness of managements internal control framework and contributes to the
integrity of corporate governance; risk assessment; and financial, operating, and IT systems. The
CBOK 2006 database identifies the attributes of an effective IAA; internal auditor skills,
competencies, and knowledge; internal audit tools and techniques; and the emerging roles of the
IAA. This database can be used to inform the business community about what resources and
services the internal auditor can provide and what skills and knowledge are needed by internal
auditing professionals. The database will be updated to document the evolution of global internal
audit practices. Future studies will build upon this baseline, allowing for comparison, analysis, and
trending.
References
1. Morton, Peter, The New York Stars, camagazine.com,
www.camagazine.com/index.cfm?ci_id=33982&la_id=1&print=true
2. Sams, Rachel, New Accounting Laws Make Internal Auditors Rock Stars, Baltimore
Business Journal, J une 5, 2006,
baltimore.bizjournals.com/baltimore/stories/2006/06/05/story3.html
3. The Institute of Internal Auditors, By the Numbers, IIA Insight, Vol. 1/November 2006, pp.
8-9.
4. The Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs,
FL: The Institute of Internal Auditors Research Foundation), 2005.

CONTENTS
Chapter 3

Chapter 3: Survey Demographics............................................................................................ 61
Introduction........................................................................................................................... 61
Staff Levels of Respondents................................................................................................. 63
IIA Membership.................................................................................................................... 64
Age of the Respondents........................................................................................................ 67
Highest Level of Formal Education...................................................................................... 70
Professional Qualifications................................................................................................... 76
Areas of Professional Experience......................................................................................... 80
Years of Existence of IAA and Years of CAE Experience................................................... 81
Types of Organizations......................................................................................................... 86
Service Providers of Internal Audit Services........................................................................ 89
Age of Organizations............................................................................................................ 90
Industry Classification(s)...................................................................................................... 91
Geographical Area Served by Organization......................................................................... 96
Appendix 3............................................................................................................................ 99

Disclosure


profession.
_____________________________________________ Chapter 3: Survey Demographics 61
CHAPTER 3
SURVEY DEMOGRAPHICS
Introduction
The following is a summary of the demographics of the CBOK 2006 respondents and their
organizations. The total number of responses to the CAE and Practitioner questionnaires was
15,028. After consultation with an independent statistical expert, responses were determined to be
not useable if the reply was blank or the respondent did not answer enough questions on important
sections such as the use and application of the Standards. Upon completion of this process, 9,366
useable responses remained. This results in an overall 7.3% response from the 127,735 IIA members
on September 30, 2006. Due to some affiliates not participating and some members who have
opted not to receive e-mails from The IIA, the survey was sent to approximately 99,000 members
resulting in an estimated 9.5% response rate.
The overall purpose of the CBOK 2006 project is to develop the most comprehensivedatabase
ever to capture a current view of the global state of the internal audit profession. The database will
be updated to recognize the evolution of global internal audit practices. Future studies will build
upon this baseline, allowing for comparison, analysis, and trending.
Not all of those who participated in the survey answered all the questions asked. Results
question.
not CAEs).
Some participants responses are presented according to the respondents position in the internal
audit activity (IAA). These more detailed summaries of results may be provided for the five
categories of respondents: CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and
Other. The respondents in the Other category consist primarily of other professional staff whose
positions are not captured by the traditional job titles included in the survey. A review of their
credentials indicates they may be members of the IAA, employed by service providers, or in
organizations where their titles are less traditional but with duties within internal auditing.
When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.
For a list of groups, please refer to Appendix 1-B of the report. Some tables have additional details.
For example, Table 3-2 is the total of all respondents for that question with a related Table 3-2-1
showing the responses by group. A table can have more than one related table, where the second
related table would be Table 3-2-2. Additional related tables may be located in Appendix 3 at the
end of this chapter. A table that is in the Appendix can be clearly identified by an A at the end of
its number. For example, Table 3-6-1-A is located in Appendix 3.
Included in this chapter is information about the respondents, their IAA, and their organizations in
the areas of:
Duration of respondents IIA membership.
Age.
Highest level of formal education.
Academic major(s).
Professional qualification(s).
Area(s) of professional experience.
Hierarchical position of the IAA.
Years of experience as CAE.
Years organizations have had an IAA.
Organization type.
Service providers.
Industry classifications.
Geographical area(s) served by respondent organizations.
Legislation affecting internal auditing.
Staff Levels of Respondents
Respondents were asked about their position in their organization. As indicated in Figure 3-1,
26.5% of the respondents are CAEs, 22.8% are Audit Managers, and 25.2% are Audit Seniors/
Supervisors. These three highest positional levels combined represent 74.5% of respondents.
Members of the Audit Staff comprise 18.2% of the respondents and Others 7.3%. As indicated in
Table 3-5, the Other respondents have as many credentials or more credentials as those respondents
who identify themselves as Audit Seniors/Supervisors or Audit Staff.
Figure 3-1
Staff Level
Audit Staff
18.2%
Other
7.3%
Chief Audit
Executive
26.5%
Audit Manager
22.8%
Audit Senior/
Supervisor
25.2%
IIA Membership
Figure 3-2 shows that 58.6% of the respondents became members of The IIA within the last 5
years, 19.5% have been members for 6 to 10 years, and 15% have been members for 11 or more
years. This relatively high number of new members can be linked to the surge in importance of the
profession. In J une 2003, IIA membership was 82,645. It grew to 127,735 in September 2006, a
54% increase in three years. D.L. Clemmons noted in The IIAs November 2006 edition of IIA
Insight that, Since 2005 The IIAs strategic objectives have been to raise the profile of internal
auditing and The IIA itself through strong advocacy efforts, globalization, and service to
members...membership has risen 20 percent. Although distribution of the original survey instrument
was only to IIA members, 6.9% of the respondents indicated they are not members of The IIA.
Figure 3-2
Number of Years as a Member of The IIA
Table 3-1 indicates that more than three-fourths (76.5%) of the Audit Staff respondents have been
members of The IIA for 5 years or less. Forty-six point six percent of CAEs have been members
for 5 years or less. Approximately one-fourth of the CAEs (24.3%) and Audit Managers (23.9%)
and only 16.7% of the Other respondents have been IIA members for 6 to 10 years. One-fourth of
CAEs (25.7%), 17.1 % of Audit Managers and 21.7% of the Other respondents have been members
for 11 or more years.
Table 3-1
Number CAE Audit Audit Audit Staff Other Average
of Percent of Managers Senior/Supervisor Percent of Percent of Percent of
Years 2,357 Percent of Percent of 2,240 1,617 642 8,874
Respondents 2,018 Respondents Respondents Respondents Total
Respondents Responses
5 or less 46.6 53.2 65.2 76.5 51.8 58.6
6 to 10 24.3 23.9 19.8 7.6 16.7 19.5
11 or 25.7 17.1 8.4 3.3 21.7 15.0
more
Not a 3.4 5.8 6.6 12.6 9.8 6.9
Member
Total 100.0 100.0 100.0 100.0 100.0 100.0
Table 3-1-1 provides an overview of the duration of IIA membership in each of the 13 groups. The
number of relatively new IIA members (5 years or less) is higher than the overall average in
groups 9 (83.5%), 7 (80.6%), 5 (74.8%), 12 (74.5%), 4 (72.5%), and 8 (72.4%). These groups may
represent a large number of countries where the internal audit profession is relatively new. The
number of respondents with a longer membership history in The IIA (6 years or more) are in
groups 10 (51.4%), 2 (48.6%), 6 (43.9%), 1 (43.4%), and 3 (43.0%). These groups appear to
represent countries where the internal audit profession is more established.
Table 3-1-1
Number of Years as a Member of The IIA by Groups*
Years 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
5 or less 56.6 51.4 57.0 72.5 74.8 56.1 80.6 72.4 83.5 48.6 68.2 74.5 18.5
6 to 10 20.4 19.2 25.6 23.4 23.4 25.0 14.8 19.6 10.2 31.3 20.2 14.9 5.1
11 or 23.0 29.4 17.4 4.1 1.8 18.9 4.6 8.0 6.3 20.1 11.3 10.6 3.4
more
Not a 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.4 0.0 73.0
Member
Total 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see Appendix 1-B.
**N/C =Respondents did not indicate Affiliate or Chapter membership.
Age of the Respondents
Figure 3-3 provides an overview of the age of the survey respondents. The figure indicates that
34.8% of the survey respondents are between the ages of 35 and 44, 27.8% are between 26 and
34 years old, and 24.2% are between 45 and 54 years old. Only 9.3% are 55-64 years old, 3.5%
are 25 years old or under, and as seen in Figure 3-3, 0.4% are older than 64.
Figure 3-3
Age of Respondents
Table 3-2 breaks down the respondents age information into the 5 categories of survey respondents.
Based on this information, a positive relationship between the respondents age and position in the
IAA can be ascertained. More than half of the audit staff (52.4%) is younger than 35 years old,
while slightly more than half of the CAEs (50.4%) are older than 44 years old. The largest percentage
of Audit Managers (41.5%) are between 35 and 44 years old.
Table 3-2
Age of Respondents
Number CAE Audit Audit Senior/ Audit Staff Other Average
of Percent of Manager Supervisor Percent of Percent of Percent of
Years 1,944 Percent of Percent of 1,376 535 7,356
Respondents 1,653 1,848 Respondents Respondents Total
Respondents Respondents Responses
25 or less 0.4 0.5 3.3 11.2 4.7 3.5
26 to 34 11.0 25.8 39.2 41.2 20.2 27.8
35 to 44 38.2 41.5 32.1 26.4 33.8 34.8
45 to 54 34.5 23.6 18.9 16.3 27.3 24.2
55 to 64 15.1 8.5 6.2 4.8 12.5 9.3
65 or 0.8 0.1 0.3 0.1 1.5 0.4
more
Total 100.0 100.0 100.0 100.0 100.0 100.0
Table 3-2-1 specifies the average age of the respondents in each of the 13 groups. Group 9
consists of relatively young respondents (35.2 years on average). Group 10 consists of relatively
older respondents (46.1 years on average). This compares with the overall average age for all
survey respondents of 40.5 years.
Table 3-2-1
Average Age of Respondents by Group*
Group* Average Age of the
Respondents
1 41.6
2 42.9
3 37.4
4 39.9
5 38.2
6 42.6
7 39.9
8 40.8
9 35.2
10 46.1
11 38.8
12 37.3
N/C** 39.8
Total 40.5
Highest Level of Formal Education
The survey asked about the educational background of the respondents. Figure 3-4 shows the
highest level of formal education indicated by the respondents. Of the respondents, 38.1% have
obtained their bachelors degree in business, and 28.9% have obtained a masters degree in business.
Fourteen point three percent have a bachelors degree in a non-business subject and 9.4% have a
masters degree in a non-business field.
Figure 3-4
Respondents Highest Level of Education
Doctoral Degree
Diploma in Business
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
C
h
a
p
t
e
r

3
:

S
u
r
v
e
y

D
e
m
o
g
r
a
p
h
i
c
s

7
1
T
h
e

I
n
s
t
i
t
u
t
e

o
f

I
n
t
e
r
n
a
l

A
u
d
i
t
o
r
s

R
e
s
e
a
r
c
h

F
o
u
n
d
a
t
i
o
n
T
a
b
l
e

3
-
3

p
r
e
s
e
n
t
s

a
n

o
v
e
r
v
i
e
w

o
f

t
h
e

h
i
g
h
e
s
t

l
e
v
e
l

o
f

e
d
u
c
a
t
i
o
n

f
o
r

e
a
c
h

o
f

t
h
e

5

c
a
t
e
g
o
r
i
e
s

o
f
r
e
s
p
o
n
d
e
n
t
s

s
u
r
v
e
y
e
d
.

T
h
e
r
e

a
p
p
e
a
r
s

t
o

b
e

n
o

p
r
o
n
o
u
n
c
e
d

r
e
l
a
t
i
o
n
s
h
i
p

b
e
t
w
e
e
n

t
h
e

r
e
s
p
o
n
d
e
n
t
s
h
i
g
h
e
s
t

l
e
v
e
l

o
f

e
d
u
c
a
t
i
o
n

a
n
d

t
h
e
i
r

c
u
r
r
e
n
t

p
o
s
i
t
i
o
n

i
n

t
h
e

I
A
A
.

I
t

a
l
s
o

a
p
p
e
a
r
s

t
h
a
t

f
o
r

m
o
s
t
r
e
s
p
o
n
d
e
n
t
s
,

a

b
a
c
h
e
l
o
r
s

d
e
g
r
e
e

o
r

c
o
m
p
a
r
a
b
l
e

l
e
v
e
l

o
f

e
d
u
c
a
t
i
o
n

i
s

n
e
c
e
s
s
a
r
y

t
o

e
n
t
e
r

t
h
e
p
r
o
f
e
s
s
i
o
n
.
T
a
b
l
e

3
-
3
R
e
s
p
o
n
d
e
n
t
s

H
i
g
h
e
s
t

L
e
v
e
l

o
f

E
d
u
c
a
t
i
o
n
A
l
l

R
e
s
p
o
n
d
e
n
t
s

i
n

P
e
r
c
e
n
t
a
g
e
s
L
e
v
e
l

o
f
C
A
E
A
u
d
i
t
A
u
d
i
t

S
e
n
i
o
r
/
A
u
d
i
t

S
t
a
f
f
O
t
h
e
r
A
v
e
r
a
g
e
E
d
u
c
a
t
i
o
n
P
e
r
c
e
n
t

o
f
M
a
n
a
g
e
r
s
S
u
p
e
r
v
i
s
o
r
P
e
r
c
e
n
t

o
f
P
e
r
c
e
n
t

o
f
P
e
r
c
e
n
t

o
f
2
,
3
7
0
P
e
r
c
e
n
t

o
f
P
e
r
c
e
n
t

o
f
1
,
6
2
3
6
4
9
8
,
9
2
0
R
e
s
p
o
n
d
e
n
t
s
2
,
0
2
9
2
,
2
4
9
R
e
s
p
o
n
d
e
n
t
s
R
e
s
p
o
n
d
e
n
t
s
T
o
t
a
l
R
e
s
p
o
n
d
e
n
t
s
R
e
s
p
o
n
d
e
n
t
s
R
e
s
p
o
n
s
e
s
S
e
c
o
n
d
a
r
y
/
5
.
1
4
.
1
4
.
0
7
.
0
5
.
6
5
.
0
H
i
g
h

S
c
h
o
o
l
B
a
c
h
e
l
o
r
s
/
3
6
.
1
3
7
.
7
4
0
.
3
4
0
.
3
3
3
.
3
3
8
.
1
B
u
s
i
n
e
s
s
B
a
c
h
e
l
o
r
s
/
1
2
.
1
1
4
.
0
1
5
.
4
1
6
.
8
1
3
.
1
1
4
.
3
N
o
t

B
u
s
i
n
e
s
s
M
a
j
o
r
M
a
s
t
e
r
s
/
3
2
.
8
3
0
.
9
2
7
.
4
2
1
.
4
3
3
.
4
2
8
.
9
G
r
a
d
u
a
t
e
/
D
i
p
l
o
m
a

i
n
B
u
s
i
n
e
s
s
M
a
s
t
e
r
s
/
9
.
0
9
.
7
9
.
5
9
.
4
9
.
7
9
.
4
G
r
a
d
u
a
t
e
/
D
i
p
l
o
m
a

i
n
O
t
h
e
r

F
i
e
l
d
s
D
o
c
t
o
r
a
l
2
.
4
1
.
5
0
.
6
0
.
9
3
.
4
1
.
6
D
e
g
r
e
e
O
t
h
e
r
2
.
5
2
.
1
2
.
8
4
.
2
1
.
5
2
.
7
T
o
t
a
l
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
7
2

A

G
l
o
b
a
l

S
u
m
m
a
r
y

o
f

t
h
e

C
o
m
m
o
n

B
o
d
y

o
f

K
n
o
w
l
e
d
g
e

2
0
0
6
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
T
h
e

I
n
s
t
i
t
u
t
e

o
f

I
n
t
e
r
n
a
l

A
u
d
i
t
o
r
s

R
e
s
e
a
r
c
h

F
o
u
n
d
a
t
i
o
n
Table 3-3-1 provides the educational profile of the respondents in each of the 13 groups. Several differences among
the groups can be highlighted. Bachelors degrees in business seem to be dominant in group 4 (56.3%), while
masters degrees in business are more prevalent in groups 6 (48.3%), 10 (44.7%), and 5 (40.9%). Group 12, with
83.3% of respondents and group 1 with 78.1% of those responding have either a bachelors or masters degree in
business. Group 9 is the only group to have less than 50.5% of respondents with a degree (bachelors or masters) in
business.
Table 3-3-1
Highest Level of Formal Education by Group*
Level of 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Education
Secondary/High 1.8 4.7 11.2 1.9 13.9 7.2 0.4 10.3 1.5 6.9 1.2 0.0 5.5
School
Bachelors/ 49.3 41.5 33.8 56.3 11.5 15.5 33.6 31.6 26.7 22.8 23.2 41.7 35.3
Business
Bachelors/Not 13.0 13.6 16.6 14.1 4.6 3.7 26.3 16.5 31.3 8.3 20.3 12.5 17.4
Business Major
Masters/Graduate/ 28.8 28.5 24.7 19.3 40.9 48.3 21.8 27.7 23.7 44.7 34.2 41.6 20.1
Diploma in Business
Masters/Graduate/ 5.3 8.4 7.0 5.4 20.6 14.2 14.2 10.8 15.3 12.4 12.6 2.1 13.8
Diploma in Other
Fields
Doctoral Degree 0.9 0.5 0.8 0.8 3.6 7.0 0.8 1.9 1.5 1.4 1.6 0.0 1.4
Other 0.9 2.8 5.9 2.2 4.9 4.1 2.9 1.2 0.0 3.5 6.9 2.1 6.5
Total 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
Academic Major(s)
Figure 3-5 lists the top six academic concentrations/majors indicated by survey respondents.
Accounting is the most popular academic major (55.8%) followed by general business/management
(27 %), finance (23.8%), economics (19.9%), auditing (17.8%), and internal auditing (12.7%).
Figure 3-5
Top Six Academic Majors
Note: Since respondents were able to select all the majors that apply, percentages may not add up to 100%.
Table 3-4 on the following page provides additional information about respondents academic majors
by staff level. A higher percentage of the CAEs (60.0%) and Audit Managers (59.9%) have
accounting as a major than members of the Audit Staff (45.0%). Auditing as a major is more
common for Audit Managers (22.1%) and CAEs (19.8%) than for the Audit Staff (12.5%).
T
a
b
l
e

3
-
4
A
c
a
d
e
m
i
c

M
a
j
o
r
(
s
)
A
l
l

R
e
s
p
o
n
d
e
n
t
s

i
n

P
e
r
c
e
n
t
a
g
e
s
*
M
a
j
o
r
C
A
E
A
u
d
i
t
A
u
d
i
t
A
u
d
i
t

S
t
a
f
f
*
O
t
h
e
r
*
A
v
e
r
a
g
e
P
e
r
c
e
n
t

o
f

2
,
3
7
4
M
a
n
a
g
e
r
s
*
S
e
n
i
o
r
/
P
e
r
c
e
n
t

o
f

1
,
6
2
6
P
e
r
c
e
n
t

o
f

6
5
1
P
e
r
c
e
n
t

o
f
R
e
s
p
o
n
d
e
n
t
s
P
e
r
c
e
n
t

o
f

2
,
0
3
3
S
u
p
e
r
v
i
s
o
r
*
R
e
s
p
o
n
d
e
n
t
s
R
e
s
p
o
n
d
e
n
t
s
8
,
9
3
5

T
o
t
a
l
*
R
e
s
p
o
n
d
e
n
t
s
P
e
r
c
e
n
t

o
f

2
,
2
5
1
R
e
s
p
o
n
s
e
s
R
e
s
p
o
n
d
e
n
t
s
A
c
c
o
u
n
t
i
n
g
6
0
.
0
5
9
.
9
5
5
.
1
4
5
.
0
5
7
.
5
5
5
.
8
A
r
t
s

o
r
3
.
5
3
.
5
3
.
2
4
.
6
4
.
8
3
.
9
H
u
m
a
n
i
t
i
e
s
A
u
d
i
t
i
n
g
1
9
.
8
2
2
.
1
1
7
.
9
1
2
.
5
1
6
.
9
1
7
.
8
C
o
m
p
u
t
e
r
4
.
1
4
.
8
4
.
7
4
.
2
4
.
1
4
.
4
S
c
i
e
n
c
e
E
c
o
n
o
m
i
c
s
2
4
.
3
1
9
.
3
1
7
.
9
1
6
.
5
2
0
.
9
1
9
.
9
E
n
g
i
n
e
e
r
i
n
g
3
.
6
2
.
7
4
.
3
3
.
7
3
.
5
3
.
6
F
i
n
a
n
c
e
2
5
.
6
2
4
.
3
2
4
.
2
1
9
.
5
2
4
.
9
2
3
.
8
G
e
n
e
r
a
l
2
9
.
4
2
6
.
0
2
6
.
6
2
5
.
7
2
6
.
6
2
7
.
0
B
u
s
i
n
e
s
s
/
M
a
n
a
g
e
m
e
n
t
I
n
f
o
r
m
a
t
i
o
n
7
.
1
1
0
.
1
9
.
8
7
.
7
9
.
8
8
.
9
S
y
s
t
e
m
s
I
n
t
e
r
n
a
l
1
2
.
7
1
4
.
9
1
3
.
2
1
1
.
3
1
1
.
4
1
2
.
7
A
u
d
i
t
i
n
g
L
a
w
6
.
8
6
.
2
6
.
0
6
.
6
6
.
9
6
.
5
M
a
t
h
e
m
a
t
i
c
s
/
5
.
4
5
.
6
5
.
5
4
.
7
5
.
4
5
.
3
S
t
a
t
i
s
t
i
c
s
S
c
i
e
n
c
e

o
r
3
.
4
2
.
9
3
.
0
3
.
5
2
.
8
3
.
1
T
e
c
h
n
i
c
a
l
F
i
e
l
d
N
o

D
e
g
r
e
e
2
.
6
2
.
2
2
.
4
3
.
5
1
.
2
2
.
5
*

N
o
t
e
:

S
i
n
c
e

r
e
s
p
o
n
d
e
n
t
s

c
o
u
l
d

m
a
r
k

a
l
l

t
h
a
t

a
p
p
l
y
,

p
e
r
c
e
n
t
a
g
e
s

m
a
y

n
o
t

a
d
d

u
p

t
o

1
0
0
%
.
Table 3-4-1 shows the rankings of the top five academic majors for the groups. Accounting is the
most prevalent major in most groups, except for group 9 (2nd place), group 5 (3rd place), and
group 8 (3rd place). In six of the groups, a general business/management major is second. The
importance of a finance major varies among the groups. Three majors, accounting, general business/
management, and finance, appear in the top 5 of all groups. Auditing appears in the rankings of 11
of the groups. Despite the importance of technology, data management systems, and the accepted
use of computer auditing, a major in information systems only appears in the top 5 of group 1 (5th
place).
Table 3-4-1
Rankings of theTop Five Academic Major(s) by Group*
All Respondents
Major 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Accounting 1 1 1 1 3 1 1 3 2 1 1 1 1
Auditing 4 2 5 4 2 5 5 5 3 4 2
Economics 4 3 4 1 3 1 1 3 5 5
Finance 3 5 4 3 2 5 5 4 3 4 2 2 3
General Business/ 2 2 5 2 4 2 4 2 4 2 4 3 4
Management
Information Systems 5
Internal Auditing 3 5 3 5
Professional Qualifications
There are many professional organizations that have qualifying tests and certifications for individuals
employed in accounting and auditing. Survey respondents were asked about their own qualifications
and CAEs were asked about certification held by employees in their departments. The top five
areas of respondents professional certification are shown in Figure 3-6. More than one-third
(39.4%) of the respondents have a specific certification in internal auditing and about one-fourth
(26.7%) of the respondents have a certification in public accounting/chartered accountancy. Internal
auditing and public accounting are the most common areas for professional certification. A much
smaller number of respondents have certifications in information systems auditing (10.2%),
management/general accounting (5.4%), and fraud examination (5.3%).
Figure 3-6
Top Five Areas of Professional Certification(s)
All Respondents in Percentages*
*Since respondents were able to select all the certifications that apply, percentages may not add up to 100%.
Fraud Examination
T
a
b
l
e

3
-
5

p
r
o
v
i
d
e
s

s
p
e
c
i
f
i
c
s

a
b
o
u
t

t
h
e

p
r
o
f
e
s
s
i
o
n
a
l

q
u
a
l
i
f
i
c
a
t
i
o
n
s

o
f

t
h
e

5

c
a
t
e
g
o
r
i
e
s

o
f

r
e
s
p
o
n
d
e
n
t
s
.

I
n
t
e
r
n
a
l

a
u
d
i
t
i
n
g
i
s

t
h
e

m
o
s
t

c
o
m
m
o
n

c
e
r
t
i
f
i
c
a
t
i
o
n

f
o
r

r
e
s
p
o
n
d
e
n
t
s

i
n

a
l
l

5

c
a
t
e
g
o
r
i
e
s

f
o
l
l
o
w
e
d

b
y

p
u
b
l
i
c

a
c
c
o
u
n
t
i
n
g
/
c
h
a
r
t
e
r
e
d

a
c
c
o
u
n
t
a
n
c
y
c
e
r
t
i
f
i
c
a
t
i
o
n
.

T
h
e

p
o
s
s
e
s
s
i
o
n

o
f

a
d
d
i
t
i
o
n
a
l

q
u
a
l
i
f
i
c
a
t
i
o
n
s

a
p
p
e
a
r
s

m
o
r
e

c
o
m
m
o
n

a
s

i
n
d
i
v
i
d
u
a
l
s

p
r
o
g
r
e
s
s

p
r
o
f
e
s
s
i
o
n
a
l
l
y
i
n

t
h
e

I
A
A
.

F
o
r

e
x
a
m
p
l
e
,

m
o
r
e

C
A
E
s

(
4
0
.
6
%
)

a
n
d

A
u
d
i
t

M
a
n
a
g
e
r
s

(
4
6
.
4
%
)

h
a
v
e

a
n

i
n
t
e
r
n
a
l

a
u
d
i
t
i
n
g

c
e
r
t
i
f
i
c
a
t
i
o
n
t
h
a
n

m
e
m
b
e
r
s

o
f

t
h
e

A
u
d
i
t

S
t
a
f
f

(
2
6
.
8
%
)
.
T
a
b
l
e

3
-
5
P
r
o
f
e
s
s
i
o
n
a
l

Q
u
a
l
i
f
i
c
a
t
i
o
n
(
s
)
A
l
l

R
e
s
p
o
n
d
e
n
t
s

i
n

P
e
r
c
e
n
t
a
g
e
s
*
T
y
p
e

o
f

P
r
o
f
e
s
s
i
o
n
a
l
C
A
E
A
u
d
i
t
A
u
d
i
t

S
e
n
i
o
r
/
A
u
d
i
t

S
t
a
f
f
*
O
t
h
e
r
*
A
v
e
r
a
g
e
Q
u
a
l
i
f
i
c
a
t
i
o
n
P
e
r
c
e
n
t

o
f
M
a
n
a
g
e
r
s
*
S
u
p
e
r
v
i
s
o
r
*
P
e
r
c
e
n
t

o
f
P
e
r
c
e
n
t

o
f
P
e
r
c
e
n
t

o
f
2
,
3
7
4
P
e
r
c
e
n
t

o
f
P
e
r
c
e
n
t

o
f
1
,
6
2
5
6
5
1
8
,
9
3
4
R
e
s
p
o
n
d
e
n
t
s
2
,
0
3
3
2
,
2
5
1
R
e
s
p
o
n
d
e
n
t
s
R
e
s
p
o
n
d
e
n
t
s
T
o
t
a
l
*
R
e
s
p
o
n
d
e
n
t
s
R
e
s
p
o
n
d
e
n
t
s
R
e
s
p
o
n
s
e
s
I
n
t
e
r
n
a
l

A
u
d
i
t
i
n
g

(
s
u
c
h

a
s

C
I
A
/
4
0
.
6
4
6
.
4
3
8
.
9
2
6
.
8
4
4
.
2
3
9
.
4
M
I
I
A
/
P
I
I
A
)
I
n
f
o
r
m
a
t
i
o
n

S
y
s
t
e
m
s

A
u
d
i
t
i
n
g
1
1
.
0
1
2
.
6
1
0
.
5
4
.
6
1
2
.
4
1
0
.
2
(
s
u
c
h

a
s

C
I
S
A
/
Q
i
C
A
/
C
I
S
M
)
G
o
v
e
r
n
m
e
n
t

A
u
d
i
t
i
n
g
/
F
i
n
a
n
c
e
5
.
1
3
.
1
4
.
3
2
.
7
3
.
5
3
.
7
(
s
u
c
h

a
s

C
I
P
F
A
/
C
G
A
P
/
C
G
F
M
)
C
o
n
t
r
o
l

S
e
l
f
-
a
s
s
e
s
s
m
e
n
t

(
s
u
c
h
4
.
8
5
.
0
3
.
6
2
.
0
5
.
2
4
.
1
a
s

C
C
S
A
)
P
u
b
l
i
c

A
c
c
o
u
n
t
i
n
g
/
C
h
a
r
t
e
r
e
d
3
8
.
3
3
2
.
7
2
3
.
0
1
1
.
0
2
8
.
7
2
6
.
7
A
c
c
o
u
n
t
a
n
c
y

(
s
u
c
h

a
s

C
A
/
C
P
A
/
A
C
C
A
/
A
C
A
)
M
a
n
a
g
e
m
e
n
t
/
G
e
n
e
r
a
l
6
.
2
6
.
0
3
.
6
3
.
6
7
.
8
5
.
4
A
c
c
o
u
n
t
i
n
g

(
s
u
c
h

a
s

C
M
A
/
C
I
M
A
/
C
G
A
)
A
c
c
o
u
n
t
i
n
g

-

T
e
c
h
n
i
c
i
a
n
2
.
1
2
.
9
2
.
5
2
.
9
3
.
4
2
.
8
L
e
v
e
l

(
s
u
c
h

a
s

C
A
T
/
A
A
T
)
F
r
a
u
d

E
x
a
m
i
n
a
t
i
o
n

(
s
u
c
h
7
.
6
5
.
6
4
.
8
2
.
2
6
.
1
5
.
3
a
s

C
F
E
)
*

N
o
t
e
:

S
i
n
c
e

r
e
s
p
o
n
d
e
n
t
s

c
o
u
l
d

m
a
r
k

a
l
l

t
h
a
t

a
p
p
l
y
,

p
e
r
c
e
n
t
a
g
e
s

m
a
y

n
o
t

a
d
d

u
p

t
o

1
0
0
%
.
T
a
b
l
e

3
-
5
P
r
o
f
e
s
s
i
o
n
a
l

Q
u
a
l
i
f
i
c
a
t
i
o
n
(
s
)
A
l
l

R
e
s
p
o
n
d
e
n
t
s

i
n

P
e
r
c
e
n
t
a
g
e
s
*
T
y
p
e

o
f

P
r
o
f
e
s
s
i
o
n
a
l
C
A
E
A
u
d
i
t
A
u
d
i
t

S
e
n
i
o
r
/
A
u
d
i
t

S
t
a
f
f
*
O
t
h
e
r
*
A
v
e
r
a
g
e
Q
u
a
l
i
f
i
c
a
t
i
o
n
P
e
r
c
e
n
t

o
f
M
a
n
a
g
e
r
s
*
S
u
p
e
r
v
i
s
o
r
*
P
e
r
c
e
n
t

o
f
P
e
r
c
e
n
t

o
f
P
e
r
c
e
n
t

o
f
2
,
3
7
4
P
e
r
c
e
n
t

o
f
P
e
r
c
e
n
t

o
f
1
,
6
2
5
6
5
1
8
,
9
3
4
R
e
s
p
o
n
d
e
n
t
s
2
,
0
3
3
2
,
2
5
1
R
e
s
p
o
n
d
e
n
t
s
R
e
s
p
o
n
d
e
n
t
s
T
o
t
a
l
*
R
e
s
p
o
n
d
e
n
t
s
R
e
s
p
o
n
d
e
n
t
s
R
e
s
p
o
n
s
e
s
F
i
n
a
n
c
i
a
l

S
e
r
v
i
c
e
s

A
u
d
i
t
i
n
g
5
.
0
3
.
7
3
.
1
1
.
3
0
.
4
2
.
7
(
s
u
c
h

a
s

C
F
S
A
/
C
I
D
A
/
C
B
A
)
F
e
l
l
o
w
s
h
i
p

(
s
u
c
h

a
s

F
C
A
/
4
.
2
2
.
0
1
.
2
0
.
5
1
.
1
1
.
8
F
C
C
A
/
F
C
M
A
)
C
e
r
t
i
f
i
e
d

F
i
n
a
n
c
i
a
l

A
n
a
l
y
s
t
0
.
8
0
.
4
0
.
3
0
.
4
1
.
7
0
.
7
(
s
u
c
h

a
s

C
F
A
)
*

N
o
t
e
:

S
i
n
c
e

r
e
s
p
o
n
d
e
n
t
s

c
o
u
l
d

m
a
r
k

a
l
l

t
h
a
t

a
p
p
l
y
,

p
e
r
c
e
n
t
a
g
e
s

m
a
y

n
o
t

a
d
d

u
p

t
o

1
0
0
%
.
Table 3-5-1 presents the rankings of the top five areas of professional qualifications for the groups.
In only 2 of the groups (groups 7 and 11) is certification in public accounting/chartered accountancy
more prevalent than internal auditing certification. The importance of certification in the areas of
internal auditing (1st place), public accounting (2nd place), and information systems auditing (3rd
place) is consistent for 75% of the groups.
Table 3-5-1
Rankings of the Top Five Professional Qualifications by Group*
All Respondents
Qualifications 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Internal Auditing (such 1 1 1 1 1 1 2 1 1 1 2 1 1
as CIA/MIIA/PIIA)
Information Systems 3 3 3 3 5 3 4 5 3 2 3 3 5
Auditing (such as
CISA/QiCA/CISM)
Government Auditing/ 3 5 4
Finance (such as
CIPFA/CGAP/CGFM)
Control Self-assessment 4 4 4 3 5
(such as CCSA
Public Accounting/ 2 2 2 2 2 2 1 2 2 3 1 2 2
Chartered Accountancy
(such as CA/CPA/
ACCA/ACA)
Management/General 4 4 5 4 5 4 5 4
Accounting (such as
CMA/CIMA/CGA)
Accounting - 5 5 3 3
Technician Level (such
as CAT/AAT)
Fraud Examination 4 5 4
(such as CFE)
Financial Services 5
Auditing (such as
CFSA/CIDA/CBA)
Fellowship (such as 5 4
FCA/FCCA/FCMA)
Areas of Professional Experience
Table 3-6 lists the respondents average years of experience by business area. This data was
cross-tabulated with the respondents current business sector.
Table 3-6
Total Years of Professional Experience by Sector
All Respondents Average Responses
Type of Service Private Publicly Governmental Not-for- Overall
Experience Provider Company Listed Profit Average
Company Response
Accounting 5.6 6.0 5.5 5.9 3.6 5.3
Engineering 2.3 3.7 2.8 3.6 0.3 2.5
External 5.4 4.5 3.1 5.6 1.1 3.9
(Independent)
Auditing
Finance 4.7 5.1 5.1 4.7 2.2 4.4
Information 4.4 5.3 5.5 4.4 1.7 4.3
Technology
Internal Auditing 5.4 6.4 6.7 7.2 4.9 6.1
Management 5.2 6.1 6.0 6.4 3.4 5.4
Other Professional 4.2 5.3 4.8 6.2 3.8 4.9
Experience
The five areas in which respondents have the most business experience are:
Internal auditing (6.1 years).
Management (5.4 years).
Accounting (5.3 years).
Other professional experience (4.9 years).
Finance (4.4 years).
This pattern is consistent for those currently employed by service providers, private companies,
publicly listed companies, and governments. Service providers work on a contractual basis to assist
organizations with assurance and consulting engagements. The not-for-profit sector respondents
indicate less overall work experience.
In Appendix 3, Tables 3-6-1-A to 3-6-5-A provide an overview of the types of work experience for
each of the 5 categories of respondents tabulated by their current employers business sector.
While Table 3-6-1-A shows the same top five types of professional experience for CAEs as the
overall average for all respondents in Table 3-6, CAEs have relatively more experience in each of
the business areas.
For members of the Audit Staff, Table 3-6-4-A shows a different ranking for the top five types of
experience than the overall average for all respondents in Table 3-6. Audit Staff members appear
to have the most experience in professional areas other than those specified on the survey list. For
the Audit Staff, accounting is the second most common area of experience and internal auditing
and management are tied for third.
The respondents classified as Other in Table 3-6-5-A have significant years of experience in
accounting, internal auditing, and management. Other professional experience is also common for
these individuals. Such high levels of experience provides support that those respondents classified
as Other are qualified individuals working in less traditional environments.
Years of Existence of IAA and Years of CAE Experience
Figure 3-7 on the following page lists the number of years the respondents IAAs have been in
existence. The largest numbers of respondents work for IAAs that have been in existence for 0-
5 years (28.4%) and another 21% of the respondents work for IAAs that have been in existence
for 6-10 years. A total of 13.8% of respondents organizations have IAAs that have been in
existence for 31 or more years. This is a positive development for internal auditing as it shows that
growth has accelerated in the past 10 years. Given the corporate governance issues and regulatory
developments in recent years, this could be a reflection of the recognition by organizations and
their boards of the need for internal audit.
Figure 3-7
A young department does not necessarily equate to an unskilled or weak department. Newer
IAAs may employ more experienced CAEs who start an audit activity based on their prior
experiences and knowledge.
Table 3-7 provides the number of years respondent organizations have had IAAs by groups. In
group 5, respondents indicate that 60.5% of their IAAs are 0-5 years old and another 22.5% are 6-
10 years old. Respondents in the other groups indicate between 20% - 33.9% of the IAAs are
between 0-5 years old and an additional 16.1% - 33.1% indicate their IAAs are between 6-10
years old. A review of the countries in each group and historical events explain some of these
differences since in some areas of the world, economies are more developed than others. In
Appendix 3, Table 3-7-1-A shows the number of years respondent organizations have had IAAs
by industry.
0-5 Years
28.4%
41+Years
8.1%
31-40 Years
5.7%
21-30 Years
14.1%
11-20 Years
22.7%
6-10 Years
21.0%
Table 3-7
Number of Years the IAA Has Existed by Groups*
More
t han
Group Respon- 0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 50
dents Years Years Years Years Years Years Years Years Years Years Years Total
1 3,025 23.8 16.1 10.9 12.6 9.2 8.9 3.1 4.8 .7 4.5 5.4 100.0
2 188 26.1 20.7 17.0 13.3 5.9 6.9 2.7 2.7 1.1 1.1 2.5 100.0
3 636 25.8 26.6 11.9 10.2 5.8 7.1 2.7 1.9 .5 4.2 3.3 100.0
4 347 25.6 33.1 15.9 13.3 3.2 3.5 1.2 2.0 .6 .8 .8 100.0
5 550 60.5 22.5 8.0 2.7 1.5 1.3 .0 1.1 .2 1.3 .9 100.0
6 423 23.6 18.0 10.4 7.6 8.0 11.6 3.1 2.6 .9 5.2 9.0 100.0
7 467 23.1 20.3 13.1 9.9 8.4 11.8 2.8 3.2 .6 2.6 4.2 100.0
8 910 32.7 25.3 14.3 11.1 5.5 3.7 1.9 1.3 .2 1.3 2.7 100.0
9 118 33.9 29.7 15.3 7.6 5.1 .8 .0 .0 .8 3.4 3.4 100.0
10 125 22.4 25.6 11.2 8.0 6.4 4.8 3.2 6.4 .0 3.2 8.8 100.0
11 226 28.8 24.3 11.9 10.2 5.8 8.4 1.3 4.0 .9 2.2 2.2 100.0
12 40 20.0 27.5 10.0 10.0 5.0 12.5 2.5 .0 7.5 2.5 2.5 100.0
N/C** 692 27.6 23.3 11.6 13.0 4.8 7.4 1.4 3.6 .6 3.3 3.4 100.0
Overall 7,747 2,194 1,628 914 847 529 566 181 255 48 257 328
Respondents
in Category
Overall 28.4 21.0 11.8 10.9 6.8 7.3 2.4 3.3 .6 3.3 4.2 100.0
Percent in
Category
**N/C =Respondents did not indicate affiliate or chapter membership.
Figure 3-8 summarizes the respondents years of experience as CAEs. More than half (56%)
indicated they have been a CAE for 5 years or less, 25% of CAE respondents have between 6 and
10 years of CAE experience, and 19% of CAE respondents have more than 10 years of experience
in this position.
Figure 3-8
Years of Experience as a CAE
CAE Respondents in Percentages
16 to 20 Years
6%
21 or More
Years
3%
5 Years or Less
56%
11 to 15 Years
10%
6 to 10 Years
25%
Figure 3-9 lists the average years of work experience for CAEs by groups. The overall average
number of years of experience as a CAE is 6.6 years. The CAEs in groups 5 (4.5 years) and 12
(4.7 years) have less experience as a CAE than their peers. The CAEs in groups 6 (8.2 years), 10
(8.1 years), and 11 (8.1 years) have relatively more experience as a CAE than the overall average.
Figure 3-9
Average Years of Experience as a CAE by Groups*
CAE Respondents
Average Years of Experience
Types of Organizations
As indicated in Figure 3-10, when asked about their current employers, 38% of all respondents
indicate that they work for a publicly traded (listed) company, while 19.5% work for a privately
held (non-listed) company. Twenty-three percent of all respondents currently work in the public
sector and 10.5% work for a service provider or as a consultant. Internal auditing is performed by
members of the IAA as well as by external service providers and consultants.
Figure 3-10
All Participants (8,848) in Percentages
6.2%
23.0%
19.5%
38.0%
10.5%
2.8%
0% 5% 10% 15% 20% 25% 30% 35% 40%
Other
Not-for-Profit Organization
Public Sector / Government
Privately Held (Non-listed) Company
Publicly Traded (Listed) Company
Service Provider / Consultant
While Table 3-8 shows that sector representation is relatively consistent for all 5 categories of
respondents, only 44.5% of the Other respondents work in traditional public or private companies.
Publicly traded and private (non-listed) employers tend to represent approximately 53% to 60% of
the other four categories. The Other four respondent categories have the highest percentage
(17.3%) of respondents working for service providers. This is approximately double that of CAEs,
Senior/Supervisors, and Audit Staff members.
Table 3-8
Type of CAE Audit Audit Audit Staff Other Overall
Organization Percent of Managers Senior/ Percent of Percent of Average
2,356 Percent of Supervisor 1,608 637 of Percent of
Respondents 2,016 Percent of Respondents Respondents 8,848
Respondents 2,231 Total
Respondents Responses
Service 8.8 13.5 9.2 8.3 17.3 10.5
Provider/
Consultant
Publicly 34.9 42.2 40.7 37.1 29.7 38.0
Traded
(Listed)
Company
Privately 24.9 18.3 18.4 16.2 14.8 19.5
Held
(Non-listed)
Company
Public Sector/ 21.9 18.5 23.7 30.3 20.6 23.0
Government
Not-for-Profit 7.1 5.4 6.3 5.2 7.1 6.2
Organization
Other 2.4 2.1 1.7 2.9 10.5 2.8
Total 100.0 100.0 100.0 100.0 100.0 100.0
Table 3-8-1 summarizes information about the types of organizations represented within the groups.
Compared to the overall average of respondents working for service providers/consultants (shown
in Table 3-8 as 10.5%), group 4 (4.1%) is well below the overall average and group 11 (18.3%) is
significantly above the overall average. Publicly traded company representation is considerably
below the overall average of 38% in group 2 (24.9%), while much above the overall average in
groups 4 (68.8%) and 11 (49.3%). Privately held company representation is greatly above the
overall average of 19.5% in groups 9 (38.1%) and 8 (30.8%). Compared to the public sector
overall average of 23%, groups 4 (4.4%), 9 (10.3%), and 11 (12.9%) are much lower, and groups
2 (42.7%), 10 (35.4%), and 3 (35.3%) are well above the overall average. Not-for-profit organizations
are represented significantly below the overall average of 6.2% in groups 5 (1.9%) and 10 (2.1%),
but much above the overall average in group 12 (17.0%).
Table 3-8-1
Types of Organizations by Group*
Type of 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Organization
Service Provider/ 10.0 12.2 13.8 4.1 11.8 12.0 11.9 9.5 7.1 8.3 18.3 10.6 9.4
Consultant
Publicly Traded 41.6 24.9 31.3 68.8 27.4 35.5 28.6 37.5 31.8 36.1 49.3 27.7 31.8
(Listed) Company
Privately Held 14.8 11.3 12.0 16.9 23.5 25.6 28.7 30.8 38.1 14.6 13.7 19.2 23.9
(Non-listed)
Company
Public Sector/ 22.7 42.7 35.3 4.4 31.3 19.9 20.4 17.6 10.3 35.4 12.9 23.4 23.2
Government
Not-for-Profit 8.9 7.0 4.4 3.3 1.9 5.7 5.6 3.4 3.2 2.1 3.3 17.0 5.3
Organization
Other 2.0 1.9 3.2 2.5 4.1 1.3 4.8 1.2 9.5 3.5 2.5 2.1 6.4
Total 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
Service Providers of Internal Audit Services
Internal auditing is performed by members of the IAA as well as by external service providers. As
shown in Figure 3-11, 14% of the survey respondents provide internal audit services to client
organizations. As some respondents did not answer all the questions, this percentage is close to but
not totally consistent with Figure 3-10, which indicates that 10.5% of respondents work for a
service provider or consulting company.
Figure 3-11
Service Provider of Internal Audit Services
Service
Provider
14.0%
In-house
Internal
Audit Activity
86.0%
Age of Organizations
Table 3-9 reports on how long respondents organizations have been in existence. A separate
correlation test performed by the researchers confirmed that there is a relationship between how
long an organization has been in existence and how long the organization has had an IAA.
Table 3-9
Number of Years Total Responses Percentage of Total
Respondents
0-5 590 7.2
6-10 856 10.5
11-15 648 7.9
16-20 496 6.1
21-25 321 3.9
26-30 442 5.4
31-35 299 3.7
36-40 355 4.3
41-45 165 2.0
46-50 461 5.6
More than 50 years 3,532 43.4
Total 8,165 100.0
In Appendix 3, Table 3-9-1-A lists the number of years the respondents organizations have existed
by group. Groups 1, 2, 6, and 10 have a large number of respondents (43.5% - 59.3%) working in
organizations that are more than 50 years old. Groups 4, 5, and 11 have respondents whose
organizations have greater than 24% of their organizations (24.1% - 29.4%) that are less than 11
years old. Respondents for group 12 indicate that none of their employer organizations are over 70
years old.
Industry Classification(s)
The survey population covers a broad range of industries. Since the respondents were asked to
select all industries that applied to their organization, the total of the industries selected is greater
than 100%. Figure 3-12 on the following page classifies survey respondents by the industry in
which they work. The top 10 industries indicated by respondents are:
1. Banking/Financial Services/Credit Union (24.5%).
2. Other (13.9%).
3. Manufacturing (13.4%).
4. Financial, Accounting, and/or Business Services (11.1%).
5. Insurance (9.3%).
6. Utilities (7.9%).
7. Education (7.0%).
8. Communication/Telecommunication (7.0%).
9. Healthcare (6.4).
10. Retail/Wholesale (6.2%).
9
2

A

G
l
o
b
a
l

S
u
m
m
a
r
y

o
f

t
h
e

C
o
m
m
o
n

B
o
d
y

o
f

K
n
o
w
l
e
d
g
e

2
0
0
6
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
T
h
e

I
n
s
t
i
t
u
t
e

o
f

I
n
t
e
r
n
a
l

A
u
d
i
t
o
r
s

R
e
s
e
a
r
c
h

F
o
u
n
d
a
t
i
o
n
Figure 3-12
Industry Classification
All Respondents (8,934) in Percentages*
*Respondents were able to select all the classifications that apply, resulting in a total greater than 100%.
Table 3-10 indicates that this pattern is basically consistent for all 5 categories of respondents.
Table 3-10
Industry CAE* Audit Audit Senior/ Audit Staff* Other* Average
Classification Percent of Manager* Supervisor* Percent of Percent of Percent of
2,374 Percent of Percent of 1,625 651 8,934
Respondents 2,033 2,251 Respondents Respondents Total
Respondents Respondents Responses*
Agricultural/ 2.9 3.0 2.7 2.7 3.8 3.0
Forestry
Banking/ 25.3 25.3 24.8 26.5 20.6 24.5
Financial
Services/
Credit Union
Building and 5.4 5.3 3.8 3.1 3.4 4.2
Construction
Communication/ 6.8 9.0 6.6 6.5 6.0 7.0
Telecommuni-
cation
Consumer 5.6 6.5 4.1 3.1 4.6 4.8
Goods
Education 8.1 5.3 5.0 5.0 11.7 7.0
Financial, 7.8 10.1 10.2 10.3 17.2 11.1
Accounting,
and/or Business
Services
Healthcare 6.4 7.7 6.3 5.4 6.0 6.4
Hospitality/ 4.3 4.6 2.6 2.5 2.9 3.4
Leisure/Tourism
Insurance 9.2 10.3 11.2 10.3 5.4 9.3
Manufacturing 14.3 14.4 13.1 11.5 13.8 13.4
Mining and Oil 4.5 5.0 5.4 3.0 4.5 4.5
Non- 1.0 1.7 0.8 0.7 1.7 1.2
professional
Services
*Note: Since respondents could mark all that apply, percentages may not add up to 100%.
Table 3-10 (Cont.)
Industry CAE* Audit Audit Senior/ Audit Staff* Other* Average
Classification Percent of Manager* Supervisor* Percent of Percent of Percent of
2,374 Percent of Percent of 1,625 651 8,934
Respondents 2,033 2,251 Respondents Respondents Total*
Respondents Respondents Responses
Pharmaceutical/ 3.4 3.7 2.5 1.9 3.1 2.9
Chemical
Professional 4.7 4.9 3.6 3.2 5.8 4.4
Services
Real Estate 4.0 4.1 2.8 2.4 2.5 3.2
Retail/Wholesale 6.7 8.8 6.4 4.3 4.6 6.2
Technology 5.5 6.1 4.3 3.9 5.2 5.0
Trade Services 2.6 2.7 1.6 1.3 1.7 2.0
Transport and 7.0 5.9 5.3 5.5 4.8 5.7
Logistics
Utilities 7.5 8.4 8.3 7.6 7.8 7.9
Other 14.2 12.1 12.5 14.8 16.1 13.9
*Note: Since respondents could mark all that apply, percentages may not add up to 100%.
Table 3-10-1 provides an overview of the industry representation in each of the groups. The largest
group of respondents overwhelmingly work in the manufacturing sector in groups 4 (46.8%) and
11 (31.3%). These are significantly larger percentages than the total respondents average for
manufacturing of 13.4% shown in Figure 3-12. The banking/financial services/credit union sector
is considerably above the total respondents average of 24.5% in groups 7 (37.9%) and 6 (36.7%)
but considerably below the average in group 4 (9.1%). The education sector is well represented in
group 2 (15.8%) which is well above the total respondents average of 7%. In groups 4 (3.8%) and
7 (5.3%), the financial, accounting, and/or business services industry is less prevalent than elsewhere
when compared with the total respondents average of 11.1%. The insurance industry has much
less representation in groups 11 (4.0%), 5 (4.9%), and 4 (5.9%) than the total respondents average
of 9.3%. In groups 4 (2.2%) and 9 (3%), organizations with employees in the utilities sector is
much lower than the average of 7.9% for all respondents.
Table 3-10-1
Industry Classification by Group*
Industry 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Classification
Agricultural/ 2.6 5.1 4.9 0.8 3.3 2.2 5.9 1.6 1.5 4.1 2.4 8.3 1.6
Forestry
Banking/Financial 22.2 20.5 22.3 9.1 25.0 36.7 37.9 27.3 30.3 25.3 21.3 22.9 21.1
Services/Credit
Union
Building and 3.3 8.4 5.3 3.0 5.6 2.4 6.6 4.5 8.3 6.2 10.4 2.1 2.9
Construction
Communication/ 4.6 6.1 7.4 5.4 9.1 5.8 10.0 13.1 5.3 8.9 10.4 10.4 5.2
Telecommunication
Consumer Goods 3.8 6.1 3.4 3.2 4.3 3.9 8.9 5.6 14.4 4.8 13.7 2.1 3.4
Education 8.1 15.8 9.4 2.2 3.3 3.7 5.5 1.7 2.3 8.2 8.0 12.5 3.2
Financial, 10.8 11.2 15.0 3.8 9.1 8.9 5.3 8.2 9.1 10.3 14.1 16.7 6.7
Accounting,
and/or Business
Services
Healthcare 8.7 13.0 7.8 1.3 3.6 6.7 5.1 3.2 4.6 5.5 5.2 4.2 2.5
Hospitality/ 3.4 5.6 4.9 2.2 2.8 1.5 2.3 3.9 7.6 3.4 9.2 2.1 1.7
Leisure/Tourism
Insurance 11.3 10.7 8.6 5.9 4.9 10.4 7.0 13.3 10.6 15.1 4.0 6.3 5.7
Manufacturing 11.8 9.3 8.4 46.8 11.7 10.6 12.1 9.1 13.6 13.7 31.3 6.3 10.6
Mining and Oil 3.4 5.6 6.8 2.7 8.1 1.9 9.1 4.6 6.1 4.8 7.2 10.4 1.9
Non-professional 0.6 5.1 1.5 1.3 0.5 0.7 1.5 1.5 0.0 1.4 1.6 2.1 1.2
Services
Pharmaceutical/ 2.0 1.9 2.2 1.9 3.1 5.0 4.4 4.2 4.6 1.4 5.6 0.0 3.0
Chemical
Professional 4.4 9.3 4.5 4.8 2.8 2.8 6.1 2.4 2.3 4.1 5.2 4.2 3.7
Services
Real Estate 3.0 3.7 3.3 1.9 2.6 2.6 4.0 3.4 4.6 8.9 4.0 4.2 2.9
Retail/Wholesale 7.0 8.4 7.2 4.8 6.9 4.3 7.6 4.1 12.9 4.8 9.2 2.1 4.2
Technology 5.2 6.1 4.9 4.0 2.8 3.7 4.2 5.3 3.8 4.8 14.1 2.1 3.0
Trade Services 0.9 2.8 2.3 2.7 3.3 0.9 4.4 3.0 5.3 1.4 7.2 0.0 1.4
Transport and 4.0 9.8 7.5 3.2 6.4 7.1 4.9 9.6 4.6 7.5 9.6 16.7 4.2
Logistics
Utilities 7.7 10.2 5.4 2.2 12.2 5.8 9.7 12.1 3.0 5.5 6.4 4.2 4.8
Other 13.3 23.3 20.3 6.2 14.5 13.0 11.0 10.7 15.2 15.8 12.9 12.5 9.0
Note: Since respondents could mark all that apply, percentages may not add up to 100%.
Geographical Area Served by Organization
Recognizing that companies compete differently, in part based on the locations they serve, data
was collected on the geographical areas served by the respondents organizations. Their responses
are shown in Figure 3-13. Of the respondents, 39.2% of the respondents indicate that their employer
operates on an international/multinational scale, while 29.1% of employers operate on a national
scale. The remaining 31.7% operate on a local, state/provincial, or regional basis.
Figure 3-13
Geographical Area Served by the Organization
Table 3-11 indicates that the geographical regions served by the organizations employing the
respondents are fairly consistent. Table 3-11-1 provides more detail on the geographical area
served by the organizations for each of the 13 groups. Comparing these two tables, international/
multinational companies represent more than half of the respondents in groups 6 (58.6%) and 8
(53.4%) compared to the average percentage of 39.2% for all respondents. National companies
seem to be more prevalent than the total average percentage of 29.1% in groups 10 (42.6%) and
12 (41.2%), while group 6 (19.7%) is well under the average percentage. Companies serving
state/provincial regions are significantly above the average percentage response (10.9%) in group
2 (23.1%).
T
a
b
l
e

3
-
1
1
G
e
o
g
r
a
p
h
i
c
a
l

A
r
e
a

S
e
r
v
e
d

b
y

t
h
e

O
r
g
a
n
i
z
a
t
i
o
n
A
l
l

R
e
s
p
o
n
d
e
n
t
s

i
n

P
e
r
c
e
n
t
a
g
e
s
A
r
e
a
C
A
E
A
u
d
i
t

M
a
n
a
g
e
r
s
A
u
d
i
t

S
e
n
i
o
r
/
A
u
d
i
t

S
t
a
f
f
O
t
h
e
r
A
v
e
r
a
g
e
P
e
r
c
e
n
t

o
f
P
e
r
c
e
n
t

o
f
S
u
p
e
r
v
i
s
o
r
P
e
r
c
e
n
t

o
f
P
e
r
c
e
n
t

o
f
P
e
r
c
e
n
t

o
f
2
,
3
2
6
2
,
0
0
4
P
e
r
c
e
n
t

o
f
1
,
5
8
8
6
2
0
8
,
7
5
0

T
o
t
a
l
R
e
s
p
o
n
d
e
n
t
s
R
e
s
p
o
n
d
e
n
t
s
2
,
2
1
2
R
e
s
p
o
n
d
e
n
t
s
R
e
s
p
o
n
d
e
n
t
s
R
e
s
p
o
n
d
e
n
t
s
R
e
s
p
o
n
d
e
n
t
s

L
o
c
a
l
1
4
.
6
8
.
9
9
.
4
1
1
.
1
1
6
.
6
1
2
.
1
S
t
a
t
e
/
P
r
o
v
i
n
c
i
a
l
1
1
.
8
8
.
9
1
0
.
3
1
1
.
9
1
1
.
6
1
0
.
9
R
e
g
i
o
n
a
l
1
0
.
7
6
.
8
9
.
3
8
.
2
8
.
7
8
.
7
N
a
t
i
o
n
a
l
2
7
.
0
2
9
.
7
2
7
.
3
3
2
.
9
2
8
.
4
2
9
.
1
I
n
t
e
r
n
a
t
i
o
n
a
l
/
3
5
.
9
4
5
.
7
4
3
.
7
3
5
.
9
3
4
.
7
3
9
.
2
M
u
l
t
i
n
a
t
i
o
n
a
l
T
o
t
a
l
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
T
a
b
l
e

3
-
1
1
-
1
G
e
o
g
r
a
p
h
i
c
a
l

A
r
e
a

S
e
r
v
e
d

b
y

G
r
o
u
p
*
A
l
l

R
e
s
p
o
n
d
e
n
t
s

i
n

P
e
r
c
e
n
t
a
g
e
s
A
r
e
a
1
*
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
L
o
c
a
l
1
4
.
6
9
.
4
1
3
.
5
1
9
.
4
6
.
8
4
.
8
7
.
2
2
.
3
7
.
4
5
.
0
2
1
.
3
1
3
.
0
1
3
.
2
S
t
a
t
e
/
P
r
o
v
i
n
c
i
a
l
1
7
.
3
2
3
.
1
8
.
2
3
.
2
1
4
.
4
7
.
9
1
.
9
0
.
8
2
.
5
4
.
3
1
.
7
2
.
2
6
.
6
R
e
g
i
o
n
a
l
1
1
.
0
4
.
3
5
.
1
9
.
1
8
.
5
9
.
0
7
.
8
6
.
0
1
2
.
3
2
.
8
8
.
8
4
.
6
9
.
3
N
a
t
i
o
n
a
l
2
2
.
4
3
3
.
0
3
3
.
4
2
6
.
1
3
4
.
6
1
9
.
7
3
6
.
9
3
7
.
5
3
7
.
7
4
2
.
6
2
8
.
0
4
1
.
2
3
4
.
9
I
n
t
e
r
n
a
t
i
o
n
a
l
/
M
u
l
t
i
n
a
t
i
o
n
a
l
3
4
.
7
3
0
.
2
3
9
.
8
4
2
.
2
3
5
.
7
5
8
.
6
4
6
.
2
5
3
.
4
4
0
.
1
4
5
.
3
4
0
.
2
3
9
.
0
3
6
.
0
T
o
t
a
l
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
1
0
0
.
0
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

A
f
f
i
l
i
a
t
e

o
r

C
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
References
1. Clemmons, D.L., 2006 A year of growth and change, IIA Insight, Vol. 1/November 2006, p. 5.
APPENDIX 3
Table 3-6-1-A
CAEs Average Responses
Type of Service Private Publicly Governmental Not-for- Average
Experience Provider Company Listed Profit Response
Company
Accounting 7.3 6.9 6.8 6.9 4.5 6.5
Engineering 5.0 4.9 3.8 4.6 1.0 3.9
External 7.1 6.2 4.4 7.5 1.8 5.4
(Independent)
Auditing
Finance 6.1 6.8 6.8 6.1 2.7 5.7
Information 5.8 6.1 4.9 4.2 3.5 4.9
Technology
Internal Auditing 6.9 8.1 8.3 8.9 7.1 7.9
Management 6.9 7.5 7.2 8.2 5.2 7.0
Other Professional 5.2 6.7 5.4 6.7 4.4 5.7
Experience
Table 3-6-2-A
Audit Managers Average Response
Type of Service Private Publicly Listed Governmental Not-for- Average
Experience Provider Company Company Profit Response
Accounting 6.0 6.2 5.7 5.7 4.0 5.5
Engineering 1.9 3.3 3.5 4.7 0.5 2.8
External 4.9 4.8 3.0 5.4 1.0 3.8
(Independent)
Auditing
Finance 4.7 5.0 4.7 4.6 1.7 4.1
Information 4.4 5.8 7.1 5.8 1.8 5.0
Technology
Internal 5.9 7.4 7.8 8.0 4.8 6.8
Auditing
Management 5.0 6.1 6.5 6.2 3.9 5.5
Other 3.4 4.7 4.7 6.9 3.6 4.7
Professional
Experience
Table 3-6-3-A
Audit Supervisors/Seniors Average Response
Accounting 4.7 5.0 4.6 5.6 2.7 4.5
Engineering 1.8 4.6 3.7 3.7 0.3 2.8
External 4.1 3.5 3.2 4.7 1.3 3.4
(Independent)
Auditing
Finance 4.2 3.7 4.2 4.0 1.8 3.6
Information 4.6 5.0 5.7 4.1 1.7 4.2
Technology
Internal 3.3 5.4 5.5 6.9 4.2 5.1
Auditing
Management 4.5 5.1 4.7 6.0 2.1 4.5
Other 3.2 4.7 4.8 4.3 3.3 4.1
Professional
Experience
Table 3-6-4-A
Audit Staffs Average Response
Accounting 3.2 5.1 4.1 4.9 2.2 3.9
Engineering 1.2 2.3 0.9 2.4 0.0 1.4
External 2.7 2.4 1.4 2.7 0.3 1.9
(Independent)
Auditing
Finance 3.1 3.6 3.5 3.9 1.3 3.1
Information 2.8 4.6 4.4 3.7 0.6 3.2
Technology
Internal 3.3 3.4 3.5 4.7 2.3 3.4
Auditing
Management 3.1 4.1 3.3 5.1 1.5 3.4
Other 4.9 5.0 4.5 6.8 2.1 4.7
Professional
Experience
Table 3-6-5-A
Others Average Response
Accounting 7.3 6.8 5.5 6.9 6.2 6.5
Engineering 3.5 3.3 2.7 2.5 0 2.4
External 6.4 3.1 3.1 7.1 1.1 4.2
(Independent)
Auditing
Finance 6.1 6.5 5.6 4.6 4.4 5.4
Information 4.4 4.7 5.1 4.6 1.5 4.1
Technology
Internal 5.4 7.0 7.0 6.3 4.8 6.1
Auditing
Management 5.7 6.9 6.4 5.4 4.8 5.8
Other 4.6 4.7 4.8 6.5 7.8 5.7
Professional
Experience
T
a
b
l
e

3
-
7
-
1
-
A
N
u
m
b
e
r

o
f

Y
e
a
r
s

t
h
e

I
A
A

H
a
s

E
x
i
s
t
e
d

b
y

I
n
d
u
s
t
r
y
A
l
l

R
e
s
p
o
n
d
e
n
t
s

i
n

P
e
r
c
e
n
t
a
g
e
s
0
-
5
6
-
1
0
1
1
-
1
5
1
6
-
2
0
2
1

-
2
5
2
6
-
3
0
3
1
-
3
5
3
6
-
4
0
4
1
-
4
5
4
6
-
5
0
M
o
r
e
Y
e
a
r
s
Y
e
a
r
s
Y
e
a
r
s
Y
e
a
r
s
Y
e
a
r
s
Y
e
a
r
s
Y
e
a
r
s
Y
e
a
r
s
Y
e
a
r
s
Y
e
a
r
s
t
h
a
n

5
0
Y
e
a
r
s
N
u
m
b
e
r

o
f

R
e
s
p
o
n
d
e
n
t
s
2
,
1
9
1
1
,
6
2
8
9
1
4
8
4
7
5
2
9
5
6
6
1
8
1
2
5
5
4
8
2
5
7
3
2
8
A
g
r
i
c
u
l
t
u
r
a
l
/
F
o
r
e
s
t
r
y
2
.
6
3
.
1
3
.
1
2
.
2
1
.
9
3
.
5
2
.
8
3
.
5
4
.
2
3
.
5
2
.
4
B
a
n
k
i
n
g
/
F
i
n
a
n
c
i
a
l

S
e
r
v
i
c
e
s
/
C
r
e
d
i
t

U
n
i
o
n
1
7
.
4
2
1
.
.
9
2
6
.
7
2
7
.
3
2
7
.
8
3
2
.
7
2
6
.
5
3
4
.
9
4
1
.
7
3
7
.
7
4
4
.
5
B
u
i
l
d
i
n
g

a
n
d

C
o
n
s
t
r
u
c
t
i
o
n
5
.
8
4
.
8
4
.
5
5
.
1
1
.
7
3
.
4
2
.
2
5
.
5
6
.
3
3
.
1
3
.
4
C
o
m
m
u
n
i
c
a
t
i
o
n

a
n
d

T
e
l
e
c
o
m
m
u
n
i
c
a
t
i
o
n
s
8
.
8
9
.
4
7
.
4
5
.
4
6
.
2
4
.
6
6
.
6
6
.
7
0
.
0
3
.
5
4
.
9
C
o
n
s
u
m
e
r

G
o
o
d
s
5
.
8
5
.
8
4
.
8
5
.
3
2
.
5
2
.
3
3
.
3
5
.
5
2
.
1
3
.
5
4
.
3
E
d
u
c
a
t
i
o
n
5
.
1
5
.
8
6
.
3
7
.
7
6
.
4
7
.
4
9
.
9
9
.
0
8
.
3
5
.
4
4
.
0
F
i
n
a
n
c
i
a
l
,

A
c
c
o
u
n
t
i
n
g
,

o
r

B
u
s
i
n
e
s
s
1
0
.
2
1
0
.
4
9
.
8
7
.
8
7
.
9
9
.
2
9
.
4
9
.
8
6
.
3
8
.
9
9
.
8
S
e
r
v
i
c
e
s
H
e
a
l
t
h
c
a
r
e
7
.
9
7
.
0
5
.
4
6
.
7
4
.
7
5
.
7
5
.
0
5
.
5
2
.
1
4
.
3
5
.
2
H
o
s
p
i
t
a
l
i
t
y
/
L
e
i
s
u
r
e
/
T
o
u
r
i
s
m
3
.
6
5
.
0
4
.
9
3
.
2
1
.
7
1
.
9
.
6
3
.
5
2
.
1
1
.
6
1
.
8
I
n
s
u
r
a
n
c
e
7
.
4
8
.
5
1
2
.
4
1
2
.
3
1
1
.
7
1
0
.
4
7
.
7
1
2
.
2
6
.
3
8
.
9
1
0
.
7
M
a
n
u
f
a
c
t
u
r
i
n
g
1
6
.
1
1
6
.
0
1
4
.
0
1
3
.
1
8
.
5
8
.
3
9
.
4
1
2
.
9
8
.
3
1
2
.
8
1
1
.
6
M
i
n
i
n
g

a
n
d

O
i
l
5
.
5
3
.
9
4
.
2
5
.
8
3
.
2
5
.
7
1
.
1
3
.
9
6
.
3
4
.
3
2
.
4
N
o
n
-
p
r
o
f
e
s
s
i
o
n
a
l

S
e
r
v
i
c
e
s
1
.
1
.
7
1
.
4
1
.
4
.
8
.
5
1
.
7
1
.
2
4
.
2
.
4
1
.
2
P
h
a
r
m
a
c
e
u
t
i
c
a
l
/
C
h
e
m
i
c
a
l
3
.
6
2
.
9
2
,
7
3
.
3
1
.
7
1
.
9
3
.
9
4
.
3
2
.
1
2
.
3
2
.
7
P
r
o
f
e
s
s
i
o
n
a
l

S
e
r
v
i
c
e
s
4
.
6
5
.
4
4
.
3
3
.
4
2
.
3
3
.
4
2
.
2
3
.
1
0
.
0
2
.
7
3
.
0
R
e
a
l

E
s
t
a
t
e
4
.
3
2
.
8
3
.
5
3
.
8
2
.
3
1
.
9
2
.
2
4
.
3
4
.
2
1
.
6
3
.
0
R
e
t
a
i
l
/
W
h
o
l
e
s
a
l
e
7
.
2
7
.
2
6
.
3
5
.
9
4
.
5
5
.
3
3
.
3
1
1
.
0
1
2
.
5
5
.
8
8
.
5
T
e
c
h
n
o
l
o
g
y
5
.
9
5
.
9
4
.
5
5
.
0
2
.
5
4
.
1
3
.
3
4
.
7
0
.
0
3
.
5
5
.
8
T
r
a
d
e

S
e
r
v
i
c
e
s
2
.
4
2
.
9
1
.
9
1
.
8
.
9
1
.
2
2
.
2
2
.
7
0
.
0
.
8
2
.
1
T
r
a
n
s
p
o
r
t

a
n
d

L
o
g
i
s
t
i
c
s
6
.
8
7
.
0
6
.
5
5
.
0
4
.
3
6
.
0
6
.
6
7
.
1
2
.
1
4
.
7
3
.
4
U
t
i
l
i
t
i
e
s
8
.
7
5
.
8
7
.
8
7
.
4
7
.
0
9
.
9
8
.
8
1
0
.
6
8
.
3
1
3
.
2
9
.
5
O
t
h
e
r
1
5
.
0
1
3
.
1
1
3
.
9
1
2
.
6
1
1
.
2
1
2
.
2
1
4
.
9
1
0
.
6
1
0
.
4
8
.
9
1
1
.
9
Table 3-9-1-A
Number of Years Organizations Have Existed by Groups*
Group Respondents 0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 More Total
Years Years Years Years Years Years Years Years Years Years t han
50
Years
1 3,241 4.4 6.8 4.7 4.8 3.9 5.0 3.7 4.8 1.7 5.7 54.5 100.0
2 189 8.5 11.1 3.7 6.3 3.7 6.9 4.2 2.6 2.1 7.4 43.5 100.0
3 648 8.3 13.1 9.3 5.9 5.4 5.1 3.1 5.2 1.4 5.7 37.5 100.0
4 354 11.6 17.8 9.9 12.7 3.4 9.0 5.9 5.1 4.0 3.7 16.9 100.0
5 552 12.0 17.4 24.8 6.7 2.2 3.1 2.2 3.1 1.1 4.3 23.1 100.0
6 434 4.8 8.5 6.0 2.5 1.8 4.4 2.5 3.7 .9 8.5 56.4 100.0
7 504 6.0 14.1 10.3 5.0 4.0 6.7 5.0 3.4 3.6 6.5 35.4 100.0
8 954 11.3 10.6 7.0 6.2 3.6 5.8 2.5 4.8 1.5 5.6 41.1 100.0
9 125 8.0 9.6 7.2 13.6 11.2 3.2 7.2 1.6 5.6 8.0 24.8 100.0
10 135 6.7 6.7 3.7 4.4 3.0 3.7 5.2 1.5 3.7 2.2 59.2 100.0
11 228 11.4 12.7 10.1 11.0 8.3 6.1 5.7 6.1 4.8 4.8 18.8 100.0
12 39 5.1 10.3 7.7 10.3 5.1 15.4 10.3 10.3 7.7 0.0 17.8 100.0
N/C** 762 8.7 14.3 9.4 7.9 3.5 6.2 3.1 3.3 1.8 5.4 36.4 100.0
Total/ 8,165 590 856 648 496 321 442 299 355 165 461 3532
Overall
Respondents
in Category
Overall
Percent in
Category 7.2 10.5 7.9 6.1 3.9 5.4 3.7 4.3 2.0 5.6 43.4 100.0
*For a list of affiliate groups, please see Appendix 1-B.

CONTENTS
Chapter 4

Chapter 4: The Professional Practices Framework ............................................................. 105
Introduction......................................................................................................................... 105
CBOK 2006 Survey Questions Related to the Standards................................................... 107
Use of the Standards in Whole or in Part........................................................................... 108
Compliance with the Standards .......................................................................................... 110
Adequacy of the Guidance Provided by the Standards ...................................................... 115
Use of and Adequacy of the Guidance Provided by the Practice Advisories..................... 118
Reasons for Not Complying with the Standards ................................................................ 121
Quality Assurance and Improvement Program................................................................... 128
Compliance with The IIAs Code of Ethics........................................................................ 146
Appendix 4-A: The IIAs Standards and Practice Advisories
as of September 2006................................................................................................... 147
Appendix 4-B...................................................................................................................... 165

Disclosure


profession.
_______________________________ Chapter 4: The Professional Practices Framework 105
CHAPTER 4
THE PROFESSIONAL PRACTICES
FRAMEWORK
Introduction
The Institute of Internal Auditors (IIA) (2005) Professional Practices Framework (PPF) consists
of the Definition of Internal Auditing, The IIAs Code of Ethics, International Standards for the
Professional Practice of Internal Auditing (Standards), and Practice Advisories. The IIAs
Code of Ethics and the Standards are considered mandatory by The IIA for all those who provide
internal auditing services. Guidance regarding how the Standards might be applied is included in
Practice Advisories that are issued by The IIAs Professional Issues Committee. The Practice
Advisories are endorsed by The IIA and are strongly recommended.
This chapter first summarizes the extent to which respondents use and are in compliance with The
IIAs Standards and the related Practice Advisories as of September 2006, when the CBOK
questionnaires were distributed. Next, respondents opinions regarding the adequacy of the guidance
provided in the Standards and Practice Advisories is presented. Then there is a discussion of the
reasons why some respondents do not comply with the Standards. Another section reviews
respondents compliance with Standard 1300, Quality Assurance and Improvement Program. The
chapter concludes with a brief discussion about affiliate responses concerning their areas
compliance with The IIAs Code of Ethics. For reference, The IIAs Standards, Practice Advisories,
and Glossary to the Standards as of September 2006 are included in Appendix 4-A located at the
end of this chapter. The Standards employ terms that have been given specific meanings that are
defined in the Glossary.
Diverse legal and cultural variations together with the purpose, size, and structure of organizations
may affect the practice of internal auditing. The IIA regards full compliance with the Standards as
essential for internal audit activities (IAAs) to meet their responsibilities to their organizations. If
internal auditors are prohibited by law or regulation from complying with certain parts of the
Standards, The IIA believes they should comply with all other parts of the Standards and make
appropriate disclosures.
The Standards were developed to serve the following purposes:
Delineate basic principles that represent the practice of internal auditing as it should be.
Provide a framework for performing and promoting a broad range of value-added internal
audit activities.
Establish the basis for the evaluation of internal audit performance.
Foster improved organizational processes and operations.
The Standards are continuously reviewed to determine when a revision is necessary. The last
major revision occurred when the Board of Directors of The IIA voted to approve a new definition
of internal auditing in 1999 and to update the PPF. The IIA considered the new Standards mandatory
for all those that provide internal auditing services as of J anuary 1, 2004. In December 2005, The
IIAs Executive Committee approved a plan to revise The IIAs current guidance structure.
The Standards consist of Attribute Standards, Performance Standards, and Implementation
Standards. The Attribute Standards address the characteristics of organizations and parties
performing internal audit services. The Performance Standards describe the nature of internal
audit services and provide quality criteria against which the performance of these services may be
evaluated. Implementation Standards expand on the Attribute and Performance Standards by
providing guidance on specific types of engagements for assurance and consulting. The Attribute
and Performance Standards apply to all internal audit activities and are divided into the following
categories:
Attribute Standards
1000 Purpose, Authority, and Responsibility
1100 Independence and Objectivity
1200 Proficiency and Due Professional Care
1300 Quality Assurance and Improvement Program
Performance Standards
2000 Managing the Internal Audit Activity
2100 Nature of Work
2200 Engagement Planning
2300 Performing the Engagement
2400 Communicating Results
2500 Monitoring Progress
2600 Resolution of Managements Acceptance of Risks
CBOK 2006 Survey Questions Related to the Standards
The main objective of the CBOK 2006 study is to develop a summary of the global practice of
internal auditing around the world. The questions included in the CBOK survey pertaining to the
Standards were developed to determine the following:
The extent to which internal auditors and their internal audit activities (IAAs) comply with
the Attribute Standards, Performance Standards, and Practice Advisories.
The level of compliance by internal auditors and their IAAs with individual Standards and
Practice Advisories.
Whether or not the guidance in the Standards is perceived by users to be adequate.
The reasons for noncompliance with the Standards.
Whether internal auditors and IAAs comply with the standards relating to quality assurance
and improvement program.
question.
Not all questions were asked of all respondents:
not CAEs).
Other category consist primarily of other professional staff whose position is not captured by the
traditional job titles included in the survey. A review of their credentials indicates they may be
members of the IAA, employed by service providers, or in organizations where their titles are less
traditional but with duties within internal auditing.
When relevant, results are given for each of the groups. The groups are explained in Chapter 1.
For example, Table 4-14 is the total of all respondents for that question with a related Table 4-14-
1 showing the responses by group. A table can have more than one related table, where the second
related table would be Table 4-14-2. Additional related tables may be located in Appendix 4-B at
the end of this chapter. A table that is in the Appendix can be clearly identified by an A at the end
of its number. For example, Table 4-3-1-A is located in Appendix 4-B.
Use of the Standards in Whole or in Part
All respondents were asked if their organizations use the Standards in whole or in part. Of the
9,366 potential respondents, 8,647 responded to this question. A total of 7,085 (81.9%) of those
responding noted that they use the Standards in whole or in part and 1,562 (18.1%) noted that they
do not comply with the Standards. Those respondents that do not use the Standards were told to
skip the questions on compliance and go directly to the questions asking why they do not use the
Standards.
Figure 4-1 shows the replies to this question by the respondents position in the IAA. While very
similar results are reported by the respondents in other positions in the department, the highest
incidence of use in whole or in part is reported by CAEs (85.1%) who should be in the best position
in the IAA to judge whether the Standards are being applied.
Figure 4-1
Organizations Use of the Standards in Whole or in Part by Staff Level
Use of the Standards by Industry in Whole or in Part
Table 4-1 provides a list of the respondents use of the Standards in whole or in part by industry
and by position in the IAA. The four industries where respondents indicate the most usage of the
Standards in whole or in part are:
Trade Services (88%).
Professional Services (87.1%).
Building and Construction (86.8%).
Utilities (86.7%).
The five industries where the respondents indicate the least usage of the Standards in whole or in
part are:
Pharmaceutical/Chemical (80.2%).
Real Estate (80.4%).
Non-professional Services (81.3%).
Manufacturing (82.2%).
Healthcare (82.2%).
Overall, there is a high level of usage of the Standards in whole or in part by all industries.
Table 4-1
Use of the Standards in Whole or in Part by Industry and Position in the IAA
Industry Number of CAE Audit Audit Audit Other Average
Respondents Manager Senior/ Staff
Supervisor
Agricultural/Forestry 254 88.1 91.7 78.3 88.4 75.0 85.4
Banking/Financial Services/ 2,178 84.8 86.4 83.2 84.1 81.5 84.4
Credit Union
Building and Construction 387 89.8 89.7 77.9 91.8 77.8 86.8
Communication/ 626 88.7 87.8 76.9 88.5 88.9 85.6
Telecommunication
Consumer Goods 427 86.4 84.8 76.1 78.7 83.3 82.7
Education 554 89.4 81.0 85.8 86.3 64.2 83.6
Financial, Accounting, 870 92.3 87.6 85.0 81.5 79.6 85.9
and/or Business Services
Healthcare 566 87.2 83.0 84.4 77.9 59.5 82.2
Hospitality/Leisure/Tourism 306 87.3 86.8 74.1 80.0 86.7 83.7
Insurance 861 88.9 88.5 83.0 83.8 86.2 86.1
Manufacturing 1,166 86.5 86.8 77.7 77.1 75.0 82.2
Mining and Oil 396 92.4 88.2 77.3 84.4 84.0 85.4
Non-professional Services 96 95.8 85.3 76.5 70.0 54.5 81.3
Pharmaceutical/Chemical 257 83.8 82.7 72.7 82.8 72.2 80.2
Professional Services 372 90.1 94.8 80.2 83.7 77.1 87.1
Real Estate 291 84.0 84.1 79.0 73.7 60.0 80.4
Retail/Wholesale 568 87.2 85.3 78.3 74.2 80.8 82.6
Technology 439 88.5 91.1 75.0 73.3 80.0 83.6
Trade Services 183 93.4 96.3 77.8 81.0 63.6 88.0
Transport and Logistics 511 88.3 84.9 73.7 81.8 85.7 83.0
Utilities 694 88.0 88.0 88.0 85.2 76.1 86.7
Other 1,181 83.3 83.4 78.5 78.7 61.5 79.5
Compliance with the Standards
For those 7,085 respondents that indicate they use the Standards in whole or in part, the next
survey question asked if their organizations were in full compliance, partial compliance, not in
compliance, or they did not know their organizations level of compliance for each of the individual
standards. According to The IIAs Tool 19, Standards Compliance Evaluation Summary, of the
Quality Assessment Manual, 5
th
Edition, the extent of compliance with theStandards is expressed
as either generally conforms, partially conforms, or does not conform. General conformance
(full compliance in the questionnaire) implies that the relevant structures, policies, and procedures
of the activity, as well as the processes by which they are applied, comply with the requirements of
the individual Standardin all material aspects. Partial conformance (partial compliance in the
questionnaire) means the activity is making good-faith efforts to comply with the requirements of
the individual Standard. Does not conform (not in compliance in the questionnaire) means the
activity is not aware of, is not making good-faith efforts to comply with, or is failing to achieve
many/all of the objectives of the individual Standard.
For those that indicate their organizations use the Standards in whole or in part, Table 4-2summarizes
all respondents input and compares the responses of the CAEs and Practitioners concerning
whether their IAAs fully comply, partially comply, or do not comply with an individual standard.
Eighty-five point five percent (85.5%) of the 7,085 respondents IAAs that noted standards usage
either fully comply (57.2%) or partially comply (28.3%) with the Standards. Of the respondents,
10.6% do not know whether their IAAs comply with any of the Standards.
Table 4-2*
Organizations Compliance Levels with the Standards
CAE, Practitioner, and All Respondents in Percentages
CAE Practitioner All Respondents
Full compliance 59.9 56.1 57.2
Partial compliance 31.6 26.8 28.3
Not in compliance 4.2 3.8 3.9
Do not know 4.3 13.3 10.6
Total 100.0 100.0 100.0
*Table 4-2 was compiled from Tables 4-3-1-A, 4-3-2-A and 4-3-3-A in Appendix 4-B.
The percentage of CAEs who do not know whether their IAAs comply with the Standards is
much lower (4.3%) than that of Practitioners (13.3%). This may be due to the CAEs position as
leader of the IAA providing them with more insight into the use of the Standards. It would appear
that CAEs have more direct access to judge the use of the Standards than other members of the
IAA.
As shown in Table 4-2, when asked about compliance to individual standards, 59.9% of CAE
respondents and 56.1% of Practitioner respondents say that they are in full compliance with the
Standards when in fact they are not. Table 4-3 shows that only 33.2% of CAE respondents and
43% of Practitioner respondents indicate they comply with Standard 1300. The IIAs position is
that full compliance means full compliance with all the Standards.
Table 4-3 reveals that for CAE respondents, the four standards with the highest percentage of full
compliance are Standards 1100 (73.6%), 2400 (68.6%), 1000 (68.1%), and 1200 (67%). This
makes sense as three of the standards, 1100, Independence and Objectivity, 2400, Communicating
Results, 1000, Purpose, Authority, and Responsibility, are all direct responsibilities of CAEs. All
work, regardless of who performs it, should be done in accordance with Standard 1200, Proficiency
and Due Professional Care.
Table 4-3
Full or Partial Compliance with the Standards
Standard CAE Practitioner All Respondents
Full Partial Full Partial Full Partial
1000 Purpose, Authority, and 68.1 26.7 60.8 24.2 63.0 25.0
Responsibility
1100 Independence and 73.6 22.0 64.1 22.2 66.9 22.2
Objectivity
1200 Proficiency and Due 67.0 28.3 61.1 25.1 62.9 26.1
Professional Care
1300 Quality Assurance and 33.2 45.0 43.0 31.7 40.0 35.7
Improvement Program
2000 Managing the Internal 61.8 32.0 55.8 27.5 57.6 28.9
Audit Activity
2100 Nature of Work 59.3 32.8 56.8 26.9 57.5 28.7
2200 Engagement Planning 60.4 32.5 56.7 27.5 57.7 29.0
2300 Performing the Engagement 62.1 31.8 58.7 26.7 59.7 28.2
2400 Communicating Results 68.6 26.2 62.3 23.8 64.1 24.6
2500 Monitoring Progress 56.1 35.5 51.3 30.6 52.6 32.1
2600 Resolution of Managements 49.0 35.0 46.1 28.8 46.9 30.7
Acceptance of Risks
Overall Average 59.9 31.6 56.1 26.8 57.2 28.3
The two standards with less than 50% full compliance according to CAE respondents are 2600,
Resolution of Managements Acceptance of Risks (49.0%), and 1300, Quality Assurance and
Improvement Program (33.2%). Reasons for noncompliance with Standard 1300 are discussed in
more detail in a later section of this chapter. Standard 2600 requires CAEs and senior management
to discuss with the board any areas where the CAE feels that management has accepted residual
risk that is unacceptable to the organization. It involves skills requiring CAEs to analyze many
types of risks and reporting to the board disagreements with management over acceptable levels
of risk for the organization.
In Table 4-3, the order of the four highest standards (1100, 2400, 1000, 1200) for full compliance
are the same for the categories All Respondents and CAEs. For Practitioners, the four standards
with the highest percentages are the same, but the order differs, 1100 (64.1%), 2400 (62.3%), 1200
(61.1%), and 1000 (60.8%).
Standard 1000 (63% full compliance and 25% partial compliance for all respondents) requires that
the purpose, authority, and responsibility of the IAA be formally defined in an audit charter. Having
the internal audit charter accepted by the board and management should be one of the first actions
taken by a CAE when an IAA is established. The charter establishes the authority for IAAs to
perform the scope of work as outlined in the Standards. Standard 1100 (66.9% full compliance
and 22.2% partial compliance for all respondents), which deals with the independence and objectivity
of the IAA, shows the highest incidence of full compliance by the respondents.
Standard 2400 (64.1% full compliance and 24.6% partial compliance for all respondents) addresses
the required communication of the results of the work performed by the IAAs at the end of each
engagement. In Appendix 4-B, Tables 4-3-1-A (all respondents), 4-3-2-A (CAE), and 4-3-3-A
(Practitioner) contain additional details of respondents compliance with each individual standard.
These tables contain the respondents indication of full compliance, partial compliance, not in
compliance, and do not know for each category of theStandards.
Table 4-3-4-A to Table 4-3-6-A in Appendix 4-B lists by groups full compliance by IAAs for the
respondents, partial compliance for all respondents, and the percentages for not in compliance with
the Standards for all respondents. Refer to Appendix 1-B of this report for the list of groups.
Groups 1, 2, 3, 7, 8, and 11 indicate consistently high compliance with the Standards. Although
group 4 has consistently lower compliance with the Standards, it also has the highest partial
compliance of any group. Group 9 has the highest overall percentages for noncompliance with the
Standards. Standard 1300, Quality Assurance and Improvement Program, had the highest
percentages of noncompliance ranging from groups 1 and 2 with 9.1% to a high of 24.2% in group
12.
Compliance by Types of Organization
Table 4-4 shows the percentage of respondents by type of organization that indicate their organizations
are in full compliance with specific standards. Service provider/consultant respondents have the
highest level of full compliance with Standard 1300, Quality Assurance and Improvement Program
(49.6%), and with Standard 2600, Resolution of Managements Acceptance of Risks (53.1%).
Publicly traded (listed) companies place a close second in full compliance for Standard 2600 (50.6%).
Table 4-4
Full Compliance to Standards by Type of Organization
Percentage of All Participants
Standard Service Publicly Privately Public Not-for- Other
Provider/ Traded Held Sector/ Profit
Consultant (Listed) (Non- Government Organization
Company listed)
Company
1000 Purpose, Authority, 62.7 66.8 56.6 62.5 64.4 49.3
and Responsibility
1100 Independence 69.6 69.7 63.5 64.1 71.8 48.6
and Objectivity
1200 Proficiency and 66.2 64.9 57.3 62.6 67.3 50.7
Due Professional Care
1300 Quality Assurance 49.6 42.8 30.2 40.1 37.9 32.8
and Improvement Program
2000 Managing the 62.1 59.6 53.4 56.6 58.8 43.3
2100 Nature of Work 61.6 58.9 51.2 59.8 61.1 45.2
2200 Engagement 61.1 60.0 50.2 58.4 60.2 41.7
Planning
2300 Performing the 63.5 60.1 54.3 62.2 62.8 45.6
Engagement
2400 Communicating 68.0 64.5 59.3 66.0 67.5 52.2
Results
2600 Resolution of 53.1 50.6 38.8 44.9 49.6 31.5
Managements
Acceptance of Risks
Adequacy of the Guidance Provided by the Standards
The development and issuance of the Standards is an ongoing process. The IIAs Internal Auditing
Standards Board engages in extensive consultation and discussions prior to the issuance or revision
of the Standards. This includes worldwide solicitation of public comment through the exposure
draft process. Although this process should provide assurance that the guidance provided by the
Standards is supported by the profession, it is important to determine the views of current users
regarding the adequacy of the guidance provided. Respondents who indicated that they use the
Standards were asked to give their opinion about whether the guidance provided by individual
standards is adequate for their IAA to apply that standard or if more guidance is needed.
As presented in Table 4-5, an overall average of 83.2% of the respondents consider the guidance
provided by the Standards to be adequate. The four standards that received the highest percentage
for adequacy are 1100 (88.1%), Independence and Objectivity, 1200 (87%), Proficiency and Due
Professional Care, 1000 (86.2%) Purpose, Authority, and Responsibility, and 2400 (85.2%)
Communicating Results. These are the same four standards that have the highest compliance
indicated by respondents in Table 4-3. In Table 4-5 all but two standards are rated above 80% for
adequacy.
Table 4-5
Standards Guidance is Adequate
Standard Total Yes No Do Not Do Not
Number of Use Know
Respondents
1000 Purpose, Authority, and Responsibility 5,857 86.2 1.2 2.7 9.9
1100 Independence and Objectivity 6,015 88.1 1.7 1.7 8.5
1200 Proficiency and Due Professional Care 5,994 87.0 1.7 2.3 9.0
1300 Quality Assurance and Improvement Program 5,968 77.3 5.1 6.3 11.3
2000 Managing the Internal Audit Activity 5,970 83.7 3.1 3.3 9.9
2100 Nature of Work 5,916 82.2 3.2 3.5 11.1
2200 Engagement Planning 5,950 83.6 3.3 3.2 9.9
2300 Performing the Engagement 5,931 83.8 3.6 3.0 9.6
2400 Communicating Results 5,941 85.2 3.1 2.6 9.1
2500 Monitoring Progress 5,903 81.8 4.1 4.0 10.1
2600 Resolution of Managements Acceptance 5,908 76.0 5.6 5.3 13.1
of Risks
Overall Average 83.2 3.2 5.7 9.3
Such a high percentage of positive responses indicates that the guidance provided meets the
expectations of the users of the Standards. The slightly lower response for Standards 1300 (77.3%),
Quality Assurance and Improvement Program, and 2600 (76%), Resolution of Managements
Acceptance of Risk, in Figure 4-2 may indicate that more or clearer guidance may be appropriate
in the areas of quality assurance and improvement and resolution of managements acceptance of
risk.
Figure 4-2
Table 4-6 shows that a higher percentage of CAEs (overall average 89%) than Practitioners
(overall average 80.7%) regard the guidance provided by the Standards to be adequate. This may
be due to CAEs having more experience with the Standards.
Table 4-6
Adequacy of Guidance Provided by Each of the Standards
Standard CAE Practitioner All
Respondents
1000 Purpose, Authority, and Responsibility 93.3 83.2 86.2
1100 Independence and Objectivity 94.1 85.6 88.1
1200 Proficiency and Due Professional Care 92.9 84.5 87.0
1300 Quality Assurance and Improvement Program 81.5 75.6 77.3
2000 Managing the Internal Audit Activity 90.0 81.0 83.7
2100 Nature of Work 88.0 79.8 82.2
2200 Engagement Planning 89.4 81.2 83.6
2300 Performing the Engagement 89.3 81.5 83.8
2400 Communicating Results 91.3 82.6 85.2
2500 Monitoring Progress 88.4 79.1 81.8
2600 Resolution of Managements Acceptance of Risks 81.3 73.8 76.0
Overall Average 89.0 80.7 83.2
In Appendix 4-B, Tables 4-6-1-A (CAEs) and 4-6-2-A (Practitioners) list respondents responses
by standard indicating whether the guidance provided is adequate, not adequate, do not use, or do
not know. When asked about the adequacy of the guidance provided, a higher percentage of the
Practitioner respondents replied Do Not Know than CAEs. For all of the Standards, Practitioner
responses for Do Not Know range from 11.1% to 16.3%. In contrast, the CAE responses range
is from a low of 2.3% to a high of 5.3%. This data indicates that CAEs in this study appear to find
the guidance more adequate than do Practitioners.
In Appendix 4-B, Tables 4-6-3-A (all respondents by groups), 4-6-4-A (CAEs by groups), and 4-6-
5-A (Practitioners by groups) show respondents answers by groups to the question about the
adequacy of guidance provided by the Standards. In the groups, CAEs consistently find the
Standards guidance to be more adequate than Practitioners. Table 4-6-3-A indicates that a significant
percentage of all respondents in all groups perceive the guidance provided by each of the Standards
to be adequate. On average, groups 7, 8, and 12 have the highest percentage of satisfaction with
the guidance provided, while groups 1, 2, and 9 have the lowest average percentage of satisfaction.
Table 4-6-6-A in Appendix 4-B provides a summary of all respondents by group who indicate that
the guidance provided by the Standards is not adequate. Indicating a range of 11.6% to 14.5% for
guidance is not adequate, group 9 has the highest level of dissatisfaction with Standards 2200 to
2500. With this groups exception, the overall low percentages in this table support a high level of
satisfaction with the adequacy of the guidance provided.
Use of and Adequacy of the Guidance Provided by the Practice Advisories
Practice Advisories are continuously developed and issued. The purpose of the Practice Advisories
is to provide guidance on the application of the Standards. Compliance with Practice Advisories
is endorsed by The IIA and strongly recommended but not considered mandatory. The 7,085
respondents who use the Standards in whole or in part were asked whether their IAA uses the
Practice Advisories in the PPF and to indicate whether they regard the guidance to be adequate.
Figure 4-3 shows the percentages of all respondents to this question that use each of the Practice
Advisories.
Figure 4-3
Respondents That Use the Practice Advisories
Table 4-7 indicates that on average 85.8% of the respondents that use the Standards also use the
Practice Advisories. The Audit Staff (88.7%) report the highest overall use of the Practice Advisories.
Ninety percent or more of the Audit Staff indicate that they use the Practice Advisories for Standards
1000, 1100, 1200, and 2300.
Table 4-7
Respondents That Use the Practice Advisories
By Staff Level in Percentages
Practice Advisory CAE Audit Audit Audit Other Average
Supervisor
1000 Purpose, Authority, and 88.8 88.2 84.8 90.1 84.7 87.3
Responsibility
1100 Independence and Objectivity 89.3 88.5 86.3 90.7 86.9 88.3
1200 Proficiency and Due Professional 88.6 88.4 85.1 90.2 86.1 87.7
Care
1300 Quality Assurance and 82.7 82.8 80.5 86.5 79.2 82.3
Improvement Program
2000 Managing the Internal Audit 87.7 87.2 83.7 89.7 84.1 86.5
Activity
2100 Nature of Work 86.4 85.9 83.8 89.7 83.8 85.9
2200 Engagement Planning 87.4 87.1 84.5 89.4 84.1 86.5
2300 Performing the Engagement 87.8 86.9 85.2 90.0 84.9 87.0
2400 Communicating Results 88.6 87.2 84.6 87.5 83.4 86.3
2600 Resolution of Managements 81.4 82.2 78.4 83.6 79.0 80.9
Acceptance of Risks
Average 86.9 86.3 83.6 88.7 83.6 85.8
In Appendix 4-B, Table 4-7-1-A shows the percentage of respondents who do not use the Practice
Advisories for all respondents. Groups 6, 1, 2, and 9 use the Practice Advisories the least.
The respondents were asked if they considered the guidance provided by the Practice Advisories
to be adequate. Table 4-8 shows that for all respondents the overall average satisfaction with
Practice Advisories is 82.5%. Standards 1300 (77.2%) and 2600 (75.4%) are the two standards
that received the lowest percent of satisfaction. This corresponds to the lower level of compliance
with these two Standards by all respondents in Table 4-3.
Table 4-8
Practice Advisory Guidance is Adequate
Practice Advisory CAE Practitioner All
Respondents
1000 Purpose, Authority, and Responsibility 86.7 85.7 86.0
1100 Independence and Objectivity 86.7 86.2 86.3
1200 Proficiency and Due Professional Care 86.2 85.1 85.4
1300 Quality Assurance and Improvement Program 76.2 77.7 77.2
2000 Managing the Internal Audit Activity 83.5 83.4 83.4
2100 Nature of Work 81.8 82.5 82.3
2200 Engagement Planning 83.5 83.1 83.2
2300 Performing the Engagement 83.9 83.3 83.5
2400 Communicating Results 84.4 83.8 84.0
2500 Monitoring Progress 82.6 80.5 81.1
2600 Resolution of Managements Acceptance of Risks 75.2 75.4 75.4
In Appendix 4-B, Tables 4-8-1-A (all respondents), 4-8-2-A (CAE), and 4-8-3-A (Practitioner)
show the respondents perception of the adequacy of the guidance provided by the Practice Advisories
and the percentages that do not use each individual Practice Advisory.
Table 4-8-4-A in Appendix 4-B shows all respondents perception of the adequacy of the guidance
provided by the Practice Advisories by groups. This group table also indicates less satisfaction
with the guidance provided to support for Standards 1300 and 2600. Respondents in groups 12, 7,
and 8 indicate the highest levels of satisfaction with the adequacy of the Practice Advisories.
While still indicating a high level of satisfaction with the guidance, groups 6 and 2 show the lowest
relative levels of satisfaction with the guidance provided by the Practice Advisories.
Reasons for Not Complying with the Standards
All respondents were asked their reasons for not using the Standards in whole or in part. The
question listed possible reasons for noncompliance and allowed for individual comments.
Respondents could select more than one reason for noncompliance. Figure 4-4 shows the average
percentage for all respondents for the reasons provided in the question regarding why they do not
comply in whole or in part with the Standards.
Figure 4-4
Reasons for Not Complying in Whole or in Part with the Standards
All Respondents (8,159) in Percentages*
*Respondents who do not comply with the Standards could select more than one reason for noncompliance so the
totals could add to more than 100%.
Table 4-9 shows the reasons respondents selected for not using the Standards in whole or in part
by staff position.
Table 4-9
Reasons for Not Using the Standards in Whole or in Part
All Respondents by Staff Position in Percentages*
Reason Number CAE Audit Audit Senior/ Audit Staff Ot her Average
Who % of 2,263 Managers Supervisor % of 1,442 % of 569 % of 8,159
Sel ect ed Respondents % of 1,845 % of 2,040 Respondents Respondents Respondents
Category Respondents Respondents
Standards or 473 7.1 5.5 5.4 4.4 6.2 5.8
Practice
Advisories are
too complex
Not 846 16.4 8.5 7.4 7.1 11.4 10.4
appropriate
for small
organizations
Too costly to 765 13.3 8.9 7.9 6.2 8.6 9.4
comply
Too time- 992 16.1 12.1 11.4 8.6 8.1 12.2
consuming
Superseded by 875 10.3 10.0 12.6 9.6 11.1 10.7
local/
government
regulations
or standards
Not 342 4.4 3.3 4.1 4.7 5.3 4.2
appropriate
for my
industry
Compliance 970 11.9 12.0 12.6 11.0 11.1 11.9
not supported
by manage-
ment/board
Not perceived 996 13.6 11.4 13.5 9.9 10.5 12.2
as adding
value by
management/
board
Inadequate 1,026 14.4 11.9 11.7 11.6 13.2 12.6
IAA staff
Compliance 467 5.9 5.3 6.6 4.9 5.3 5.7
not expected
in my country
Other 983 11.4 12.7 12.8 8.7 17.9 12.0
*Respondents who do not comply with the Standards could select more than one reason for noncompliance so the
totals could add to more than 100%.
There appears to be three primary causes for noncompliance. The first relates to practitioners
experiences in application and implementation of guidance or constraints within the IAA. Specific
reasons related to this include the following:
Inadequate staff (12.6%)
Too time-consuming (12.2%)
Not appropriate for small organizations (10.4%)
Too costly to comply (9.4%)
Standards or Practice Advisories are too complex (5.8%)
The second primary cause concerns lack of support by the organizations management and includes
the following specific reasons:
Not perceived as adding value by management/board (12.2%)
Compliance not supported by management/board (11.9%)
The third primary cause involves the regulations or standards in the respondents countries or
company, and includes the following reasons:
Superseded by local/government regulations or standards (10.7%)
Compliance not expected in my country (5.7%)
Not appropriate for my industry (4.2%)
This knowledge should aid The IIA in formulating future guidance and in marketing the profession.
Open-ended Question for Noncompliance
Respondents were provided with space to list other reasons why they did not comply with the
Standards in whole or in part. Of the 417 respondents who provided a written response to the
open-ended part of this question, most did not add any new reasons beyond those listed in Table 4-
9, but expanded upon why they selected a particular reason. Table 4-10 categorizes these responses
and lists the percentages of the 417 respondents that gave a particular response. Because seven
respondents gave two reasons why they are not in full compliance with the Standards, there are a
total of 424 responses.
Table 4-10
Reasons for Not Complying with the Standards in Whole or in Part
From Open-ended Question for All Participants
Reasons for Noncompliance Number of Percentage of
Respondents* 417
Respondents
Other standards are used (GAGAS/Yellow Book; 94 22.5
Own standards based on IIAs; CICA; ISACA;
CIPFA; GAAS; INTOSAI)
Informal/partial use of the Standards 57 13.7
Do not have the knowledge to implement 54 12.9
Standards are not: 41 9.8
adequate/relevant/practical/accepted/value added
Working toward full implementation 40 9.6
Newly established IAA or newly appointed in position 36 8.6
Do not know 23 5.5
Management does not support 21 5.0
Not applicable as function is outsourced or 13 3.1
respondents not in internal audit department
Understaffed 10 2.4
Full compliance to the Standards 5 1.2
No IAA 4 1.0
Other 26 6.2
*Since 7 of the 417 respondents provided two reasons for noncompliance with the Standards, there are 424 total
responses.
One respondent suggests that the local affiliate should perform an awareness campaign in his
country for non-listed and small companies to show the need for IAAs to comply with the Standards.
Factors Affecting Compliance
To better understand why some respondents are not in full compliance with the Standards, three
factors were reviewed. First, since The IIAs membership grew 54.6% from J une 2003 to
September 2006, Table 4-11 compares the number of years respondents have been members of
The IIA to respondents compliance with the Standards in whole or in part. For those respondents
who are members of The IIA, the longer they have been members the more likely they are to
comply with the Standards in whole or in part.
Table 4-11
Compliance with the Standards in Whole or in Part
Compared to the
Number of Years as Number of Percentage of
Member of IIA Respondents Respondents in
Compliance in Whole
or in Part
5 or less 5,044 80.7
6 to 10 1,694 86.2
11 or more 1,307 88.4
Not a Member 568 64.8
Total/Overall Average 8,613 81.9
The second factor considered is the number of years an organization has had an IAA. Table 4-12
suggests a trend indicating that the longer an organization has had an internal audit department the
greater the IAAs compliance with the Standards in whole or in part.
Table 4-12
Compared to the
Number of Years Organization has had an IAA
Years Having an Number of Percentage of Respondent
IAA Respondents in Compliance in Whole
or in Part
0-5 2,147 81.0
6-10 1,586 80.9
11-15 902 83.9
16-20 835 81.8
21-25 523 84.9
26-30 561 84.3
31-35 180 83.3
36-40 250 87.2
41-45 48 85.4
46-50 254 88.2
More than 50 323 85.1
The final factor reviewed is the impact of the number of full-time staff in the IAA on compliance
with the Standards in whole of in part. Table 4-13 notes that with the exception of the 22-24 staff
level category, the trend is that the larger the IAAs audit staff, the higher level of compliance to
the Standards in whole or in part.
Table 4 -13
Compared to the
Number of Full-Time Staff at Each Staff
Number of Staff Number of Percentage of
Respondents Respondents in
Compliance in Whole
or in Part
1-3 1,601 75.7
4-6 1,253 82.0
7-9 742 83.2
10-12 448 83.3
13-15 332 84.3
16-18 251 84.5
19-21 179 85.2
22-24 133 84.7
25 or more 1,707 88.0
Total 6,646 82.3
In summary, all three factors, the longer a respondent has been a member of The IIA, or an
organization has had an IAA, or the larger the number of staff in the IAA, positively affect the
level of compliance by the IAA with the Standards.
Quality Assurance and Improvement Program
Since Standard 1300, Quality Assurance and Improvement Program (QA&IP), relates to the
monitoring of IAA compliance with the Standards, the survey included specific questions relating
to internal and external assessments. One of the main objectives of the QA&IP Standard is to
encourage the assessment of, application, and conformance with the Standards. According to
Standard 1300, the CAE should develop and maintain a QA&IP that covers all aspects of the IAA
and continuously monitors its effectiveness. This program includes periodic internal assessments,
external quality assessments, and ongoing internal monitoring. Standard 1300 and the Practice
Advisories further recommend that this program:
Provide assurance that the IAA is in conformity with The IIAs Standards.
Provide assurance that the IAA is in conformity with the IIA Code of Ethics.
Add value and improve the organizations operations.
Include periodic internal and external quality assessments and ongoing internal monitoring.
Each part of the program should be designed to help the IAA provide this assurance and add value.
Standard 1300
Survey participants were asked whether or not their IAAs have QA&IPs in place in accordance
with Standard 1300. Standard 1330, Use of Conducted in Accordance with the Standards, states
that internal auditors are encouraged to report that their activities are conducted in accordance
with the Standards. It further stipulates that internal auditors may use this statement only if
assessment of their QA&IP demonstrates that the IAA is in compliance with the Standards. The
value of this statement is that it implies the credibility of the work performed by the IAA and that
the conclusions reached can be relied upon.
The average response to the question of whether the respondents IAA has a QA&IP in place in
accordance with Standard 1300 is reported in Figure 4-5. Of the total respondents, 32.8% say that
they have a QA&IP in place and thus can use the phrase Conducted in Accordance with the
Standards in reference to their audit engagements. A further 21.9% indicate that a QA&IP
would be put in place within the next 12 months. Some respondents (7.3%) have a quality assurance
program in place, but the program is not in accordance with Standard 1300. Of the respondents,
22.9% report that they do not have plans to put in place a QA&IP in the next 12 months.
Figure 4-5
IAA Has a Quality Assurance and Improvement Program in
Accordance with Standard 1300
If an IAA is not in compliance with Standard 1300, then the IAA is not in full compliance with the
Standards. Of those responding, 38.8% of CAEs and 30.2% of all respondents indicate that they
either do not have plans to put a QA&IP in place or they have quality programs that are not in
accordance with Standard 1300. These organizations will not be able to report that they are in full
compliance with the Standards.
Table 4-14 presents the respondents answers to the question asking whether their IAAs have
QA&IPs in place in accordance with Standard 1300 by staff level. Of CAE respondents, 5.4%
say that they do not know whether their IAA has a QA&IP in accordance with Standard 1300.
The do not know option to this question was selected by 10.6% of Audit Managers, 18.0% of
Audit Seniors/supervisors, and 26.7% of the Audit Staff respondents. As the quality assurance
program is the responsibility of the CAE, practitioners at less senior levels may not know how the
quality assurance requirements have been implemented. Yet, according to the Standards, quality
assurance should form a part of every activity at all levels of the IAA. All internal audit staff
should therefore be trained in the requirements of quality assurance and should be integrally involved
in the quality assessment and improvement programs of their IAAs.
Table 4-14
IAA Has a Quality Assurance and Improvement Program
in Accordance with Standard 1300
All Respondents by Staff Level in Percentages
QA&IP CAE Audit Audit Audit Staff Other Average
Status % of 2082 Manager Senior/ % of 1239 % of 441 % of 7269
Respondents % of 1687 Supervisor Respondents Respondents Respondents
Respondents % of 1820
Respondents
Currently in place 26.6 36.5 36.0 36.1 24.5 32.8
To be put in place 29.2 23.2 19.0 15.8 10.9 21.9
within the next
12 months
No plans to put in 29.2 22.6 19.6 17.6 23.8 22.9
place in the next
12 months
Quality assurance 9.6 7.1 7.4 3.8 7.0 7.3
program is not in
accordance with
Standard 1300
Do not know 5.4 10.6 18.0 26.7 33.8 15.1
Total 100.0 100.0 100.0 100.0 100.0 100.0
Table 4-14-1 shows compliance with Standard 1300 by groups. A noticeably higher than average
percentage (54.7%) of respondents in groups 3 (70.5%), 2 (61.6%), and 1 (61%) indicate that they
have a QA&IP in place or will put one in place within the next 12 months. The groups that have the
highest percentages of respondents indicating that they have no plans to put a QA&IP in place are
groups 12 (34.8%), 4 (34%), 8 (33.5%), and 11 (30.7%). Group 4 (20.7%) has the highest percentage
of respondents who do not know whether they have such a program in place.
Table 4-14-1
IAA Has a Quality Assessment and Improvement Program
in Accordance with Standard 1300 by Groups*
Group Number of Yes, To Be Put in No Plans Program Do Not Total
Respondents Currently Place Within to Put in is Not in Know
in Place the Next 12 Place in Accordance
Months the Next 12 with
Months Standard
1300
1 2,974 40.1 20.9 17.6 5.1 16.3 100.0
2 190 35.8 25.8 16.9 8.9 12.6 100.0
3 600 45.3 25.2 12.7 5.5 11.3 100.0
4 300 19.3 14.3 34.0 11.7 20.7 100.0
5 502 24.4 27.5 27.7 9.8 10.6 100.0
6 374 30.2 21.1 24.1 16.0 8.6 100.0
7 439 25.1 26.9 27.6 10.8 9.6 100.0
8 835 24.0 20.5 33.5 6.9 15.1 100.0
9 97 15.5 28.9 29.8 13.4 12.4 100.0
10 110 30.0 26.4 26.4 7.2 10.0 100.0
11 199 30.2 23.1 30.7 5.5 10.5 100.0
12 43 23.3 27.9 34.8 7.0 7.0 100.0
N/C** 624 20.8 17.5 27.6 7.7 26.4 100.0
Overall 7,287 32.8 21.9 22.9 7.3 15.1 100.0
Average/
Total
**N/C =Respondent did not indicate Affiliate or Chapter membership.
Internal Assessments
According to Standard 1311, Internal Assessments should include a process to monitor and assess
the overall effectiveness of the quality program. Internal assessments should include both:
Ongoing review of the performance of the IAA.
Periodic reviews performed through self-assessment or by other persons within the
organization with knowledge of internal auditing practices and the Standards.
The respondents were asked when their IAAs last had a formal internal quality assessment, periodic
or ongoing, in accordance with Standard 1311. Table 4-15 indicates, by staff level, when the IAA
was last subject to an internal quality assessment. On average, 23.6% of the respondents IAAs
have had an internal review within the last 12 months and a further 8.7% had a review within the
last 5 years. By the end of 2006, an average of 8.1% additional respondents anticipate their IAAs
will have had an internal quality assessment (note that the questionnaires were sent out in September
2006). On average, 35.3% of the respondents indicate that they have never had an internal
assessment. From predominantly lower staff levels and Other, on average 15.9% of the respondents
do not know if their IAA had a formal internal quality assessment.
Only 5.2% of the CAEs indicated they did not know when their IAA was last subject to a formal
internal assessment, while 26.7% of the Audit Staff indicated they did not know. This may be
ascribed to a lack of knowledge at their level of responsibility. A higher percentage (47.4%) of
CAEs indicates that an internal quality assessment has never been done, which may be more
accurate as the CAE is normally the person responsible for organizing such reviews.
Table 4-15
When IAA Was Last Subject to a Formal Internal Quality Assessment
Timing CAE Audit Audit Audit Staff Other Average
% of 2,083 Manager Senior/ % of 1,240 % of 430 % of 7,249
Respondents % of 1,678 Supervisor Respondents Respondents Respondents
Respondents % of 1,818
Respondents
Scheduled to 8.7 8.3 8.4 7.5 4.7 8.1
be completed
prior to
J anuary 1,
2007, but not
yet completed
Within the 21.0 27.9 24.0 24.4 15.3 23.6
last 12 months
1-3 years ago 6.5 8.1 8.9 6.0 7.7 7.4
4-5 years ago 1.2 1.4 1.2 1.6 0.7 1.3
More than 5 1.5 1.3 1.1 1.0 1.2 1.2
years ago
Never 47.4 32.5 30.3 26.1 35.3 35.3
The internal 8.5 7.4 6.6 6.7 3.7 7.2
review was
not done in
accordance
with Standard
1311
Do not know 5.2 13.1 19.5 26.7 31.4 15.9
The following compares the results in Table 4-14 (the IAA has a QA&IP in place) to the percentages
in Table 4-15 (the internal assessment is scheduled to be completed prior to J anuary 1, 2007, or
completed a quality assessment within the last 12 months). The percentages are fairly close for
both tables. For example, Table 4-14 lists CAE respondents indicating that 26.6% have a QA&IP
in place, and Table 4-15 has a total of 29.7% CAE respondents having had a formal quality assessment
in accordance with Standard 1311 complete in the last 12 months or scheduled before J anuary 1,
2007. For all respondents in this comparison, Table 4-14 had 32.8% of respondents having a QA&IP
in place, and Table 4-15 has a total of 31.7% completed within the last 12 months or scheduled to
be completed by J anuary 1, 2007.
In Appendix 4-B, Table 4-15-1-A contains the status of the internal assessment by groups. For six
of the groups, more than 40% of respondents have never had an internal assessment. For groups
6, 8, and 12, more than 11% of the respondents have completed a quality assessment that was not
in accordance with Standard 1311. Only group 3 respondents indicate that 43.4% of their IAAs
have had an assessment in accordance with Standard 1311 in the last 5 years. Eleven point four
percent to 14.9% of the respondents in groups 3, 10, and 12 anticipate completing an assessment
prior to J anuary 1, 2007.
Two factors should be considered when reviewing which respondents organizations have had an
internal quality assessment. The first is whether the length of time the IAA has been in existence
within the organization has any effect on compliance to Standard 1311. Table 4-16 compares the
length of time that respondents organizations have had an IAA with when or if they have had an
internal assessment. IAAs that have been in existence for 0 to 5 years have the highest percentage
(54.2%) of never having had an internal assessment. That percentage drops to 38% for those
organizations whose IAAs have been in existence for 6 to 10 years. It appears that, generally, the
longer the organization has had an IAA the more likely they are to have an internal assessment
program in place.
Table 4-16
Years the IAA has Existed in an Organization Compared to
When the IAA had an Internal Assessment
Years Number of Scheduled Within 1-3 4-5 More Never The I Do Total
IAA Respondents to Be the Last Years Years Than Internal Not Know
Existed Completed 12 Ago Ago 5 Review Was
Prior to Months Years Not Done in
January 1, Ago Accordance
2007, But with
Not Yet Standard
Completed 1311
0-5 1,857 7.7 14.8 4.0 0.5 0.2 54.2 7.3 11.3 100.0
6-10 1,364 7.7 21.8 6.2 1.1 1.2 38.0 8.1 15.9 100.0
11-15 774 8.4 25.2 7.4 1.8 1.4 35.1 7.2 13.5 100.0
16-20 727 10.0 23.4 10.6 2.6 2.3 25.9 6.2 19.0 100.0
21-25 727 9.0 30.4 10.1 2.9 1.3 25.8 7.7 12.8 100.0
26-30 465 8.8 31.0 9.7 1.1 1.5 24.3 8.2 15.4 100.0
31-35 145 8.3 31.7 11.7 1.4 0.7 26.2 8.3 11.7 100.0
36-40 208 7.7 35.1 13.0 0.5 1.4 25.0 4.8 12.5 100.0
41-45 38 13.2 39.5 5.3 5.3 .0 15.8 7.9 13.2 100.0
46-50 198 6.1 31.8 12.1 3.0 3.0 18.7 6.1 19.2 100.0
More 266 9.4 36.1 10.2 1.1 1.5 13.5 8.6 19.6 100.0
than
50 years
The second factor to consider is the number of audit staff in the IAA. Table 4-17 shows that for
staff levels of 1-3, respondents indicate that 58.2% of their IAAs have never had an internal
review. As the size of the IAA staff increases, fewer respondents IAAs have never had an
internal review with one exception (organizations with a staff size of 10-12). With a staff of 25 or
more only 14.2% indicated that their IAA had never had an internal review.
It appears that the number of years the IAA has existed and the number of staff in the IAA affect
whether an IAA has had an internal assessment program.
Table 4-17
Number of Audit Staff in the IAA Compared to
When the IAA had an Internal Assessment
Number Number of Scheduled Within 1-3 4-5 More Never The I Do Total
of Respondents to Be the Last Years Years Than Internal Not Know
Staff Completed 12 Ago Ago 5 Review Was
2007, But with
Not Yet Standard
Completed 1311
1-3 1,859 5.9 11.5 4.1 1.0 1.0 58.2 7.0 11.3 100.0
4-6 1,319 8.6 18.0 6.7 1.1 1.2 42.7 8.3 13.4 100.0
7-9 775 7.7 26.1 8.1 1.8 1.4 30.6 7.7 16.6 100.0
10-12 451 8.2 23.5 9.1 1.3 2.0 31.9 7.3 16.7 100.0
13-15 351 12.3 25.4 9.7 1.1 .9 26.2 7.7 16.7 100.0
16-18 265 12.5 27.2 7.5 .8 1.5 24.9 9.1 16.5 100.0
19-21 186 8.6 30.6 9.1 2.7 .5 19.4 7.5 21.6 100.0
22-24 137 12.4 34.3 10.9 1.5 2.2 18.2 8.8 11.7 100.0
25 or 1,561 9.5 39.4 10.4 1.8 1.3 14.2 5.4 18.0 100.0
more
External Assessments
According to Standard 1312, External Assessments, the IAA should have an external assessment
at least once every 5 years by a qualified, independent reviewer or review team from outside the
organization. All IAAs that existed on J anuary 1, 2002, when this standard became effective
should have had an external assessment performed by J anuary 1, 2007. For external reviews,
Practice Advisory 1312-1, External Assessments, recommends that an opinion on the IAAs
compliance to the Standards based on a structured rating process be communicated to the CAE.
Figure 4-6 indicates when all respondents IAAs were last subject to an external quality assessment.
The average response for all respondents indicates that 39.7% of respondents IAAs have never
had an external assessment.
Figure 4-6
When the IAA was Last Subject to a Formal External Quality Assessment
Table 4-18 indicates by staff level when respondents IAAs were last subject to an external quality
assessment. Comparing the average response (39.7%) indicating the IAA has not had an external
review to the different levels of staff, 53.7% of the CAE respondents indicate their IAA has not
had an external review. This is probably more reflective of the actual status as the CAE is responsible
for arranging the external review. It appears that for 44.4% of those responding to this question,
their organizations have not been subject to a formal external quality assessment and are not in
compliance with Standard 1312 and are therefore not in full compliance with the Standards.
Table 4-18
Timing CAE Audit Audit Audit Staff Other Average
% of 2,073 Manager Senior/ % of 1,241 % of 429 % of 7,230
Respondents % of 1,674 Supervisor Respondents Respondents Respondents
Respondents
Scheduled to 7.7 8.7 7.4 7.2 4.4 7.6
be completed
prior to
January 1, 2007,
but not yet
completed
Within the last 13.8 16.9 17.9 19.1 14.5 16.5
12 months
1-3 years ago 6.9 11.2 12.0 8.8 7.5 9.5
4-5 years ago 2.2 1.8 2.4 1.9 1.6 2.1
More than 5 1.7 2.1 1.7 1.2 1.2 1.7
years ago
Never 53.7 38.6 33.4 28.7 35.0 39.7
The external 7.7 4.9 4.2 2.4 2.3 5.0
review was not
done in
accordance
with Standard
1312
Do not know 6.3 15.8 21.0 30.7 33.5 17.9
Table 4-18-1 shows the results for external quality assessments for the groups. More than 40% of
the respondents in groups 3 (48.9%), 2 (42.2%), 10 (43.9%), and 1 (41.5%) indicate that their IAA
has had a formal external assessment in the last 5 years or will have one completed by J anuary 1,
2007, in accordance with Standard 1312. More than 50% of respondents in groups 9 (59.6%), 12
(59.5%), 5 (54.5%), 4 (51.9%), and 8 (51.5%) noted that they have never had an external assessment.
Table 4-18-1
in Accordance with Standard 1312 by Groups*
Timing 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Scheduled 8.3 7.5 11.9 3.7 8.3 6.2 6.1 5.6 5.1 18.4 9.6 7.1 4.0
to be
completed
prior to
J anuary 1,
2007
Within the 19.7 12.8 19.0 15.5 11.4 13.2 17.9 11.9 14.1 13.2 16.2 14.3 12.6
last 12
months
1-3 years ago 11.0 18.2 15.1 4.7 9.8 8.9 5.4 6.5 9.1 8.8 5.1 4.8 6.3
4-5 years ago 2.5 3.7 2.9 2.7 0.6 3.5 1.4 0.8 1.0 3.5 1.5 0.0 1.3
More than 5 2.0 3.7 2.3 5.7 0.6 1.1 0.9 0.4 0.0 0.9 0.5 2.4 1.1
years ago
Never 31.1 32.6 28.7 51.9 54.5 43.5 48.0 51.5 59.6 40.4 39.6 59.5 48.0
Not done in 2.3 4.3 3.2 3.4 6.8 12.1 8.8 8.2 1.0 4.4 7.7 4.8 7.2
accordance with
Standard 1312
Do not know 23.1 17.2 16.9 12.4 8.0 11.5 11.5 15.1 10.1 10.4 19.8 7.1 19.5
Total percentage 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
Total number of 2,956 187 596 297 499 372 442 827 99 114 197 42 621
respondents
To determine if the length of time the IAA has been in existence within an organization has any
effect on compliance to Standard 1312, Table 4-19 compares the length of time that respondents
organizations have had an IAA to when and if they have had an external assessment. IAAs that
have been in existence for 0 to 5 years have the highest percentage (61.2%) of never having had
an external assessment. The percentage for never having an external assessment drops to 40.4%
for those organizations whose IAAs have been in existence for 6 to 10 years. It appears that,
generally, the longer the organization has had an IAA the more likely they have had an external
assessment.
Table 4-19
Years the IAA has Existed in an Organization Compared to
When the IAA had an External Assessment
All Participants in Percentages
Years Number Scheduled Within 1-3 4-5 More Never The I Do Total
IAA of to Be the Last Years Years Than Internal Not
Been in Respondents Completed 12 Ago Ago 5 Review was Know
Existence Prior to Months Years Not Done in
2007, with
But Not Standard
Yet 1312
Completed
0-5 1,853 5.8 8.9 5.0 0.8 0.2 61.2 4.6 13.5 100.0
6-10 1,365 8.6 14.7 8.2 2.1 1.8 40.4 5.7 18.5 100.0
11-15 770 7.8 16.2 10.3 2.7 2.1 40.6 5.7 14.6 100.0
16-20 723 7.9 17.2 11.3 3.6 3.5 29.6 4.7 22.2 100.0
21-25 449 8.7 26.5 11.6 1.8 2.0 30.3 5.8 13.3 100.0
26-30 462 8.4 22.5 11.7 3.7 2.4 27.3 7.6 16.4 100.0
31-35 142 7.7 16.2 21.8 3.5 0.7 28.9 6.3 14.9 100.0
36-40 210 11.0 27.1 13.8 1.9 1.9 27.1 1.4 15.8 100.0
41-45 39 23.1 20.5 12.8 5.1 .0 15.4 7.7 15.4 100.0
46-50 196 6.1 26.0 14.3 3.1 3.1 23.0 2.0 22.4 100.0
More 266 9.8 24.4 19.5 2.3 2.6 16.9 5.6 18.9 100.0
than
50 years
As shown in Table 4-20, the number of audit staff in the IAA was compared to whether the IAA
has had an external assessment. This factor appears to have a marked influence on the IAA
having an external assessment. IAAs that have an audit staff of 1-3 indicate that 60.4% never
have had an external assessment. This drops to 49% for a staff size of 4-6 and to 17.8% for IAAs
with an audit staff of 25 or more.
Table 4-20
Number of Audit Staff in the IAA Compared to
When the IAA had an External Assessment
All Participants in Percentages
Number Number Scheduled Within 1-3 4-5 More Never The I Do Total
of of to Be the Last Years Years Than Internal Not
Staff Respondents Completed 12 Ago Ago 5 Review was Know
2007, with
But Not Standard
Yet
Completed 1312
1-3 1,854 5.1 7.9 4.9 1.7 1.3 60.4 5.7 13.0 100.0
4-6 1,311 7.8 12.5 6.6 1.8 1.6 49.0 5.9 14.8 100.0
7-9 770 8.4 18.7 9.9 1.9 3.0 37.0 4.8 16.3 100.0
10-12 448 6.0 18.1 8.7 2.7 1.8 39.1 4.5 19.1 100.0
13-15 352 9.9 18.5 13.9 2.3 1.7 31.3 4.3 18.1 100.0
16-18 265 9.4 16.6 10.9 3.8 1.9 32.1 6.4 18.9 100.0
19-21 187 6.4 25.7 10.2 3.7 2.1 25.7 5.3 20.9 100.0
22-24 137 13.1 19.7 18.2 4.4 1.5 19.7 6.6 16.8 100.0
25 or 1,559 10.1 26.5 16.5 2.4 1.6 17.8 3.7 21.4 100.0
more
As with internal assessments, the length of time an IAA has been in existence and the number of
audit staff in the IAA affect whether IAAs have had an external assessment.
Quality Assurance and Improvement Program Activities
Respondents were asked what types of activities their IAAs used when performing internal and
external quality assessments. Practice Advisory 1300-1, Quality Assurance and Improvement
Program, states that the quality assurance and improvement program should include activities that
are designed to provide reasonable assurance of compliance with the Standards such as appropriate
supervision of the audit team.
The respondents were requested to indicate which of the listed activities they performed as part of
their internal audit quality assessment and improvement program. Figure 4-7 shows the responses
given by staff level. As respondents could mark more than one activity the total percentage may be
greater than 100%.
On average, the activities that are included most often are engagement supervision (42.7%),
checklists/manuals to provide assurance that proper audit processes are followed (40.6%), and
feedback from audit customers at the end of an audit (38.5%). The least used activities are
verification that the IAA is in compliance with the Standards (28.4%), review by external party
(20.4%), and compliance with non-IIA standards or codes (19.0%).
Figure 4-7
Activities Performed by IAAs as Part of a QA&IP
13.4%
19.0%
20.4%
28.4%
31.1%
38.5%
40.6%
42.7%
12.2%
30.1%
0% 10% 20% 30% 40% 50%
Do not know
Not applicable
Compliance with non-IIA standards or
codes
Review by external party
Verification that the IAA is in
compliance with The Standards
Reviews by other members of IAA
Internal audit professionals are in
compliance with The IIA's
Code of Ethics
Feedback from audit customers at the
end of an audit
Checklists/manuals to provide assurance
that proper audit processes
are followed
Engagement supervision
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
Table 4-21 shows the responses for the types of activities performed as part of a QA&IP given by
staff level.
Table 4-21
Activity CAE Audit Audit Audit Staff Other Average
% of 2,263 Managers Senior/ % of 1,442 % of 569 % of
Respondents % of 1,845 Supervisor Respondents Respondents 8,159
Respondents % of 2,040 Respon-
Respondents dents
Engagement 48.8 54.2 47.4 38.1 24.8 42.7
supervision
Checklists/ 44.8 49.9 43.9 38.0 26.7 40.6
manuals to
provide
assurance that
proper audit
processes are
followed
Feedback from 41.4 47.4 41.7 38.5 23.4 38.5
audit customers
at the end of an
audit
Internal audit 37.6 38.9 31.3 28.7 19.3 31.1
professionals are
in compliance
with The IIAs
Code of Ethics
Reviews by 27.2 39.1 35.6 30.9 17.9 30.1
other members
of the IAA
Verification that 35.6 36.7 27.6 26.0 16.5 28.4
the IAA is in
compliance with
the Standards
Table 4-21 (Cont.)
Activity CAE Audit Audit Audit Staff Other Average
% of 2,263 Managers Senior/ % of 1,442 % of 569 % of
Respondents % of 1,845 Supervisor Respondents Respondents 8,159
Respondents % of 2,040 Respon-
Respondents dents
Review by 21.3 25.4 22.2 18.0 15.1 20.4
external party
Compliance with 19.4 23.1 21.9 17.5 13.5 19.0
non-IIA
standards or
codes
Not applicable 16.4 11.8 10.9 10.1 17.8 13.4
Do not know 3.4 8.2 11.9 17.5 20.0 12.2
Table 4-21-1-A in Appendix 4-B analyzes the responses by groups for the types of activities
performed as part of a QA&IP. Consistently throughout the groups, engagement supervision (63.9%
to 32.1%), checklists/manuals (57.4% to 33.3%), and feedback from audit customers (55.3% to
31.1%) are the most used activities. Least utilized items by groups include review by external party
(34.0% to 12.6%) and reviews of compliance with non-IIA standards or codes (28.0% to 14.7%).
These results are consistent with the summary results in Table 4-21.
Education of key personnel (audit committees and management) to make them aware of the
importance of compliance and the value that may be derived from the quality assessment process
may help to increase compliance with Standard 1300.
Compliance with The IIAs Code of Ethics
As part of the CBOK Affiliate survey, affiliates were asked whether they require their members to
follow The IIAs Code of Ethics. Of the 46 affiliates responding to this question, all but one answered
in the affirmative. One affiliate has adopted a local version of a code of ethics. The affiliates were
then asked how they handled ethical complaints against their members. A wide variety of responses
were received. In a number of instances no complaints had ever been received so no process had
been put in place. In most cases, complaints were handled by an ethics or disciplinary committee,
while some actions were left to the affiliates board of directors. In two cases, investigations were
conducted in consultation with The IIA.
Summary
A large majority of the participants in this study indicate that their IAAs are using the Standards in
whole or in part. Compliance with the Standards is affected by the length of time an individual has
been a member of The IIA, the number of years an organization has had an IAA, and the number
of staff in the IAA. Compliance with Standard 1300 is influenced by the period of time an organization
has had an IAA and the size of the audit staff. A large majority of the respondents also believe that
the guidance provided by the Standards and most Practice Advisories is adequate. Standards
1300, Quality Assurance and Improvement Program, and 2600, Resolution of Managements
Acceptance of Risks, have lower levels of usage and satisfaction with the adequacy of guidance
provided by the Standards. More or clearer guidance may be appropriate in these areas.
References
1. The Institute of Internal Auditors, A Vision for the Future: The Professional Practices
Framework for Internal Auditing (Altamonte Springs, FL: The Institute of Internal Auditors),
1999.
FL: The Institute of Internal Auditors), 2005.
3. The Institute of Internal Auditors, Quality Assessment Manual (Altamonte Springs, FL: The
Institute of Internal Auditors), February 2006.
4. The Institute of Internal Auditors, The Institute of Internal Auditors Executive Summary
(Altamonte Springs, FL: The Institute of Internal Auditors), September 13, 2006.
5. The Institute of Internal Auditors, IIA International Professional Practices Framework
Exposure Document (Altamonte Springs, FL: The Institute of Internal Auditors), 2007.
APPENDIX 4-A
THE IIAS STANDARDS, PRACTICE ADVISORIES,
AND GLOSSARY TO THE STANDARDS
AS OF SEPTEMBER 2006
1
ATTRIBUTE STANDARDS
1000 Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity should be formally defined in
a charter, consistent with the Standards, and approved by the board.
1000.A1 The nature of assurance services provided to the organization should be defined
in the audit charter. If assurances are to be provided to parties outside the organization,
the nature of these assurances should also be defined in the charter.
1000.C1 The nature of consulting services should be defined in the audit charter.
1100 Independence and Objectivity
The internal audit activity should be independent, and internal auditors should be objective in
performing their work.
1110 Organizational Independence
The chief audit executive should report to a level within the organization that allows the internal
audit activity to fulfill its responsibilities.
1110.A1 The internal audit activity should be free from interference in determining the
scope of internal auditing, performing work, and communicating results.
1120 Individual Objectivity
Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.
1130 Impairments to Independence or Objectivity
If independence or objectivity is impaired in fact or appearance, the details of the impairment
should be disclosed to appropriate parties. The nature of the disclosure will depend upon the
impairment.
1
Standards are always being updated as the profession evolves.
1130.A1 Internal auditors should refrain from assessing specific operations for which
they were previously responsible. Objectivity is presumed to be impaired if an internal
auditor provides assurance services for an activity for which the internal auditor had
responsibility within the previous year.
1130.A2 Assurance engagements for functions over which the chief audit executive
has responsibility should be overseen by a party outside the internal audit activity.
1130.C1 Internal auditors may provide consulting services relating to operations for
which they had previous responsibilities.
1130.C2 If internal auditors have potential impairments to independence or objectivity
relating to proposed consulting services, disclosure should be made to the engagement
client prior to accepting the engagement.
1200 Proficiency and Due Professional Care
Engagements should be performed with proficiency and due professional care.
1210 Proficiency
Internal auditors should possess the knowledge, skills, and other competencies needed to perform
their individual responsibilities. The internal audit activity collectively should possess or obtain
the knowledge, skills, and other competencies needed to perform its responsibilities.
1210.A1 The chief audit executive should obtain competent advice and assistance if the
internal audit staff lacks the knowledge, skills, or other competencies needed to perform
all or part of the engagement.
1210.A2 The internal auditor should have sufficient knowledge to identify the indicators
of fraud but is not expected to have the expertise of a person whose primary responsibility
is detecting and investigating fraud.
1210.A3 Internal auditors should have knowledge of key information technology risks
and controls and available technology-based audit techniques to perform their assigned
work. However, not all internal auditors are expected to have the expertise of an internal
auditor whose primary responsibility is information technology auditing.
1210.C1 The chief audit executive should decline the consulting engagement or obtain
competent advice and assistance if the internal audit staff lacks the knowledge, skills, or
other competencies needed to perform all or part of the engagement.
1220 Due Professional Care
Internal auditors should apply the care and skill expected of a reasonably prudent and competent
internal auditor. Due professional care does not imply infallibility.
1220.A1 The internal auditor should exercise due professional care by considering the:
Extent of work needed to achieve the engagements objectives.
Relative complexity, materiality, or significance of matters to which assurance
procedures are applied.
Adequacy and effectiveness of risk management, control, and governance processes.
Probability of significant errors, irregularities, or noncompliance.
Cost of assurance in relation to potential benefits.
1220.A2 In exercising due professional care the internal auditor should consider the use
of computer-assisted audit tools and other data analysis techniques.
1220.A3 The internal auditor should be alert to the significant risks that might affect
objectives, operations, or resources. However, assurance procedures alone, even when
performed with due professional care, do not guarantee that all significant risks will be
identified.
1220.C1 The internal auditor should exercise due professional care during a consulting
engagement by considering the:
Needs and expectations of clients, including the nature, timing, and communication of
engagement results.
Relative complexity and extent of work needed to achieve the engagements objectives.
Cost of the consulting engagement in relation to potential benefits.
1230 Continuing Professional Development
Internal auditors should enhance their knowledge, skills, and other competencies through
continuing professional development.
1300 Quality Assurance and Improvement Program
The chief audit executive should develop and maintain a quality assurance and improvement program
that covers all aspects of the internal audit activity and continuously monitors its effectiveness.
This program includes periodic internal and external quality assessments and ongoing internal
monitoring. Each part of the program should be designed to help the internal auditing activity add
value and improve the organizations operations and to provide assurance that the internal audit
activity is in conformity with the Standards and the Code of Ethics.
1310 Quality Program Assessments
The internal audit activity should adopt a process to monitor and assess the overall effectiveness
of the quality program. The process should include both internal and external assessments.
1311 Internal Assessments
Internal assessments should include:
Ongoing reviews of the performance of the internal audit activity; and
Periodic reviews performed through self-assessment or by other persons within the
organization, with knowledge of internal audit practices and the Standards.
1312 External Assessments
External assessments, such as quality assurance reviews, should be conducted at least
once every five years by a qualified, independent reviewer or review team from outside
the organization.
1320 Reporting on the Quality Program
The chief audit executive should communicate the results of external assessments to the
board.
1330 Use of Conducted in Accordance with the Standards
Internal auditors are encouraged to report that their activities are conducted in accordance
with the International Standards for the Professional Practice of Internal Auditing. However,
internal auditors may use the statement only if assessments of the quality improvement program
demonstrate that the internal audit activity is in compliance with the Standards.
1340 Disclosure of Noncompliance
Although the internal audit activity should achieve full compliance with the Standards and
internal auditors with the Code of Ethics, there may be instances in which full compliance is
not achieved. When noncompliance impacts the overall scope or operation of the internal
audit activity, disclosure should be made to senior management and the board.
PERFORMANCE STANDARDS
2000 Managing the Internal Audit Activity
The chief audit executive should effectively manage the internal audit activity to ensure it adds
value to the organization.
2010 Planning
The chief audit executive should establish risk-based plans to determine the priorities of the
internal audit activity, consistent with the organizations goals.
2010.A1 The internal audit activitys plan of engagements should be based on a risk
assessment, undertaken at least annually. The input of senior management and the board
should be considered in this process.
2010.C1 The chief audit executive should consider accepting proposed consulting
engagements based on the engagements potential to improve management of risks, add
value, and improve the organizations operations. Those engagements that have been
accepted should be included in the plan.
2020 Communication and Approval
The chief audit executive should communicate the internal audit activitys plans and resource
requirements, including significant interim changes, to senior management and to the board for
review and approval. The chief audit executive should also communicate the impact of resource
limitations.
2030 Resource Management
The chief audit executive should ensure that internal audit resources are appropriate, sufficient,
and effectively deployed to achieve the approved plan.
2040 Policies and Procedures
The chief audit executive should establish policies and procedures to guide the internal audit
activity.
2050 Coordination
The chief audit executive should share information and coordinate activities with other internal
and external providers of relevant assurance and consulting services to ensure proper coverage
and minimize duplication of efforts.
2060 Reporting to the Board and Senior Management
The chief audit executive should report periodically to the board and senior management on
the internal audit activitys purpose, authority, responsibility, and performance relative to its
plan. Reporting should also include significant risk exposures and control issues, corporate
governance issues, and other matters needed or requested by the board and senior management.
2100 Nature of Work
The internal audit activity should evaluate and contribute to the improvement of risk management,
control, and governance processes using a systematic and disciplined approach.
2110 Risk Management
The internal audit activity should assist the organization by identifying and evaluating significant
exposures to risk and contributing to the improvement of risk management and control systems.
2110.A1 The internal audit activity should monitor and evaluate the effectiveness of the
organizations risk management system.
2110.A2 The internal audit activity should evaluate risk exposures relating to the
organizations governance, operations, and information systems regarding the:
Reliability and integrity of financial and operational information.
Effectiveness and efficiency of operations.
Safeguarding of assets.
Compliance with laws, regulations, and contracts.
2110.C1 During consulting engagements, internal auditors should address risk consistent
with the engagements objectives and be alert to the existence of other significant risks.
2110.C2 Internal auditors should incorporate knowledge of risks gained from consulting
engagements into the process of identifying and evaluating significant risk exposures of
the organization.
2120 Control
The internal audit activity should assist the organization in maintaining effective controls by
evaluating their effectiveness and efficiency and by promoting continuous improvement.
2120.A1 Based on the results of the risk assessment, the internal audit activity should
evaluate the adequacy and effectiveness of controls encompassing the organizations
governance, operations, and information systems. This should include:
Reliability and integrity of financial and operational information.
Effectiveness and efficiency of operations.
Safeguarding of assets.
Compliance with laws, regulations, and contracts.
2120.A2 Internal auditors should ascertain the extent to which operating and program
goals and objectives have been established and conform to those of the organization.
2120.A3 Internal auditors should review operations and programs to ascertain the extent
to which results are consistent with established goals and objectives to determine whether
operations and programs are being implemented or performed as intended.
2120.A4 Adequate criteria are needed to evaluate controls. Internal auditors should
ascertain the extent to which management has established adequate criteria to determine
whether objectives and goals have been accomplished. If adequate, internal auditors
should use such criteria in their evaluation. If inadequate, internal auditors should work
with management to develop appropriate evaluation criteria.
2120.C1 During consulting engagements, internal auditors should address controls
consistent with the engagements objectives and be alert to the existence of any significant
control weaknesses.
2120.C2 Internal auditors should incorporate knowledge of controls gained from
consulting engagements into the process of identifying and evaluating significant risk
exposures of the organization.
2130 Governance
The internal audit activity should assess and make appropriate recommendations for improving
the governance process in its accomplishment of the following objectives:
Promoting appropriate ethics and values within the organization.
Ensuring effective organizational performance management and accountability.
Effectively communicating risk and control information to appropriate areas of the
organization.
Effectively coordinating the activities of and communicating information among the board,
external and internal auditors, and management.
2130.A1 The internal audit activity should evaluate the design, implementation, and
effectiveness of the organizations ethics-related objectives, programs, and activities.
2130.C1 Consulting engagement objectives should be consistent with the overall values
and goals of the organization.
2200 Engagement Planning
Internal auditors should develop and record a plan for each engagement, including the scope,
objectives, timing, and resource allocations.
2201 Planning Considerations
In planning the engagement, internal auditors should consider:
The objectives of the activity being reviewed and the means by which the activity controls
its performance.
The significant risks to the activity, its objectives, resources, and operations and the means
by which the potential impact of risk is kept to an acceptable level.
The adequacy and effectiveness of the activitys risk management and control systems
compared to a relevant control framework or model.
The opportunities for making significant improvements to the activitys risk management
and control systems.
2201.A1 When planning an engagement for parties outside the organization, internal
auditors should establish a written understanding with them about objectives, scope,
respective responsibilities, and other expectations, including restrictions on distribution of
the results of the engagement and access to engagement records.
2201.C1 Internal auditors should establish an understanding with consulting engagement
clients about objectives, scope, respective responsibilities, and other client expectations.
For significant engagements, this understanding should be documented.
2210 Engagement Objectives
Objectives should be established for each engagement.
2210.A1 Internal auditors should conduct a preliminary assessment of the risks relevant
to the activity under review. Engagement objectives should reflect the results of this
assessment.
2210.A2 The internal auditor should consider the probability of significant errors,
irregularities, noncompliance, and other exposures when developing the engagement
objectives.
2210.C1 Consulting engagement objectives should address risks, controls, and
governance processes to the extent agreed upon with the client.
2220 Engagement Scope
The established scope should be sufficient to satisfy the objectives of the engagement.
2220.A1 The scope of the engagement should include consideration of relevant systems,
records, personnel, and physical properties, including those under the control of third parties.
2220.A2 If significant consulting opportunities arise during an assurance engagement, a
specific written understanding as to the objectives, scope, respective responsibilities, and
other expectations should be reached and the results of the consulting engagement
communicated in accordance with consulting standards.
2220.C1 In performing consulting engagements, internal auditors should ensure that the
scope of the engagement is sufficient to address the agreed-upon objectives. If internal
auditors develop reservations about the scope during the engagement, these reservations
should be discussed with the client to determine whether to continue with the engagement.
2230 Engagement Resource Allocation
Internal auditors should determine appropriate resources to achieve engagement objectives.
Staffing should be based on an evaluation of the nature and complexity of each engagement,
time constraints, and available resources.
2240 Engagement Work Program
Internal auditors should develop work programs that achieve the engagement objectives. These
work programs should be recorded.
2240.A1 Work programs should establish the procedures for identifying, analyzing,
evaluating, and recording information during the engagement. The work program should
be approved prior to its implementation, and any adjustments approved promptly.
2240.C1 Work programs for consulting engagements may vary in form and content
depending upon the nature of the engagement.
2300 Performing the Engagement
Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the
engagements objectives.
2310 Identifying Information
Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve
the engagements objectives.
2320 Analysis and Evaluation
Internal auditors should base conclusions and engagement results on appropriate analyses
and evaluations.
2330 Recording Information
Internal auditors should record relevant information to support the conclusions and engagement
results.
2330.A1 The chief audit executive should control access to engagement records. The
chief audit executive should obtain the approval of senior management and/or legal counsel
prior to releasing such records to external parties, as appropriate.
2330.A2 The chief audit executive should develop retention requirements for engagement
records. These retention requirements should be consistent with the organizations guidelines
and any pertinent regulatory or other requirements.
2330.C1 The chief audit executive should develop policies governing the custody and
retention of engagement records, as well as their release to internal and external parties.
These policies should be consistent with the organizations guidelines and any pertinent
regulatory or other requirements.
2340 Engagement Supervision
Engagements should be properly supervised to ensure objectives are achieved, quality is assured,
and staff is developed.
2400 Communicating Results
Internal auditors should communicate the engagement results.
2410 Criteria for Communicating
Communications should include the engagements objectives and scope as well as applicable
conclusions, recommendations, and action plans.
2410.A1 Final communication of engagement results should, where appropriate, contain
the internal auditors overall opinion and or conclusions.
2410.A2 Internal auditors are encouraged to acknowledge satisfactory performance in
engagement communications.
2410.A3 When releasing engagement results to parties outside the organization, the
communication should include limitations on distribution and use of the results.
2410.C1 Communication of the progress and results of consulting engagements will
vary in form and content depending upon the nature of the engagement and the needs of
the client.
2420 Quality of Communications
Communications should be accurate, objective, clear, concise, constructive, complete, and
timely.
2421 Errors and Omissions
If a final communication contains a significant error or omission, the chief audit executive
should communicate corrected information to all parties who received the original
communication.
2430 Engagement Disclosure of Noncompliance with the Standards
When noncompliance with the Standards impacts a specific engagement, communication of
the results should disclose the:
Standard(s) with which full compliance was not achieved,
Reason(s) for noncompliance, and
Impact of noncompliance on the engagement
2440 Disseminating Results
The chief audit executive should communicate results to the appropriate parties.
2440.A1 The chief audit executive is responsible for communicating the final results to
parties who can ensure that the results are given due consideration.
2440.A2 If not otherwise mandated by legal, statutory, or regulatory requirements, prior
to releasing results to parties outside the organization, the chief executive should:
Assess the potential risk to the organization.
Consult with senior management and/or legal counsel as appropriate.
Control dissemination by restricting the use of the results.
2440.C1 The chief audit executive is responsible for communicating the final results of
consulting engagements to clients.
2440.C2 During consulting engagements, risk management, control, and governance
issues may be identified. Whenever these issues are significant to the organization, they
should be communicated to senior management and the board.
2500 Monitoring Progress
The chief audit executive should establish and maintain a system to monitor the disposition of
results communicated to management.
2500.A1 The chief audit executive should establish a follow-up process to monitor and
ensure that management actions have been effectively implemented or that senior
management has accepted the risk of not taking action.
2500.C1 The internal audit activity should monitor the disposition of results of consulting
engagements to the extent agreed upon with the client.
2600 Resolution of Managements Acceptance of Risks
When the chief audit executive believes that senior management has accepted a level of residual
risk that may be unacceptable to the organization, the chief audit executive should discuss the
matter with senior management. If the decision regarding residual risk is not resolved, the chief
audit executive and senior management should report the matter to the board for resolution.
Practice Advisories
Attribute Standards
PA 1000-1 Internal Audit Charter
PA 1000.C1-1 Principles Guiding the Performance of Consulting Activities of Internal Auditors
PA 1000.C1-2 Additional Considerations for Formal Consulting Engagements
PA 1100-1 Independence and Objectivity
PA 1110-1 Organizational Independence
PA 1110-2 Chief Audit Executive (CAE) Reporting Lines
PA 1110.A1-1 Disclosing Reasons for Information Requests
PA 1120-1 Individual Objectivity
PA 1130-1 Impairments to Independence or Objectivity
PA 1130.A1-1 Assessing Operations for Which Internal Auditors Were Previously Responsible
PA 1130.A1-2 Internal Auditings Responsibility for Other (Non-audit) Functions
PA 1200-1 Proficiency and Due Professional Care
PA 1210-1 Proficiency
PA 1210.A1-1 Obtaining Services to Support or Complement the Internal Audit Activity
PA 1210.A2-1 Identification of Fraud
PA 1210.A2-2 Responsibility for Fraud Detection
PA 1220-1 Due Professional Care
PA 1230-1 Continuing Professional Development
PA 1300-1 Quality Assurance and Improvement Program
PA 1310-1 Quality Program Assessments
PA 1311-1 Internal Assessments
PA 1312-1 External Assessments
PA 1312-2 External Assessments Self-assessment with Independent Validation
PA 1320-1 Reporting on the Quality Program
PA 1330-1 Use of Conducted in Accordance with the Standards
Performance Standards
PA 2000-1 Managing the Internal Audit Activity
PA 2010-1 Planning
PA 2010-2 Linking the Audit Plan to Risk and Exposures
PA 2020-1 Communication and Approval
PA 2030-1 Resource Management
PA 2040-1 Policies and Procedures
PA 2050-1 Coordination
PA 2050-2 Acquisition of External Audit Services
PA 2060-1 Reporting to Board and Senior Management
PA 2060-2 Relationship with the Audit Committee
PA 2100-1 Nature of Work
PA 2100-2 Information Security
PA 2100-3 Internal Auditings Role in the Risk Management Process
PA 2100-4 Internal Auditings Role in Organizations Without a Risk Management Process
PA 2100-5 Legal Considerations in Evaluating Regulatory Compliance Programs
PA 2100-6 Control and Audit Implications of E-commerce Activities
PA 2100-7 Internal Auditings Role in Identifying and Reporting Environmental Risks
PA 2100-8 Internal Auditings Role in Evaluating an Organizations Privacy Framework
PA 2110-1 Assessing the Adequacy of Risk Management Processes
PA 2110-2 Internal Auditings Role in the Business Continuity Process
PA 2120.A1-1 Assessing and Reporting on Control Processes
PA 2120.A1-2 Using Control Self-assessment for Assessing the Adequacy of Control
Processes
PA 2120.A1-3 Internal Auditings Role in Quarterly Financial Reporting, Disclosures,
and Management Certifications
PA 2120.A1-4 Auditing the Financial Reporting Process
PA 2120.A4-1 Control Criteria
PA 2130-1 Role of the Internal Audit Activity and Internal Auditor in the Ethical Culture
of an Organization
PA 2200-1 Engagement Planning
PA 2210-1 Engagement Objectives
PA 2210.A1-1 Risk Assessment in Engagement Planning
PA 2230-1 Engagement Resource Allocation
PA 2240-1 Engagement Work Program
PA 2240.A1-1 Approval of Work Programs
PA 2300-1 Internal Auditings Use of Personal Information in Conducting Audits
PA 2310-1 Identifying Information
PA 2320-1 Analysis and Evaluation
PA 2330-1 Recording Information
PA 2330.A1-1 Control of Engagement Records
PA 2330.A1-2 Legal Considerations in Granting Access to Engagement Records
PA 2330.A2-1 Retention of Records
PA 2340-1 Engagement Supervision
PA 2400-1 Legal Considerations in Communicating Results
PA 2410-1 Communication Criteria
PA 2420-1 Quality of Communications
PA 2440-1 Recipients of Engagement Results
PA 2440-2 Communications Outside the Organization
PA 2440-3 Communicating Sensitive Information Within and Outside the Chain
of Command
PA 2500-1 Monitoring Progress
PA 2500.A1-1 Follow-up Process
PA 2600-1 Managements Acceptance of Risks
GLOSSARY TO THE STANDARDS
Add Value
Value is provided by improving opportunities to achieve organizational objectives, identifying
operational improvement, and/or reducing risk exposure through both assurance and consulting
services.
Adequate Control
Present if management has planned and organized (designed) in a manner that provides reasonable
assurance that the organizations risks have been managed effectively and that the organizations
goals and objectives will be achieved efficiently and economically.
Assurance Services
An objective examination of evidence for the purpose of providing an independent assessment on
risk management, control, or governance processes for the organization. Examples may include
financial, performance, compliance, system security, and due diligence engagements.
Board
A board is an organizations governing body, such as a board of directors, supervisory board, head
of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any
other designated body of the organization, including the audit committee, to whom the chief audit
executive may functionally report.
Charter
The charter of the internal audit activity is a formal written document that defines the activitys
purpose, authority, and responsibility. The charter should (a) establish the internal audit activitys
position within the organization; (b) authorize access to records, personnel, and physical properties
relevant to the performance of engagements; and (c) define the scope of internal audit activities.
Chief Audit Executive
Top position within the organization responsible for internal audit activities. Normally, this would be
the internal audit director. In the case where internal audit activities are obtained from outside
service providers, the chief audit executive is the person responsible for overseeing the service
contract and the overall quality assurance of these activities, reporting to senior management and
the board regarding internal audit activities, and follow-up of engagement results. The term also
includes such titles as general auditor, chief internal auditor, and inspector general.
Code of Ethics
The Code of Ethics of The Institute of Internal Auditors (IIA) are Principles relevant to the profession
and practice of internal auditing, and Rules of Conduct that describe behavior expected of internal
auditors. The Code of Ethics applies to both parties and entities that provide internal audit services.
The purpose of the Code of Ethics is to promote an ethical culture in the global profession of
internal auditing.
Compliance
Conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other
requirements.
Conflict of Interest
Any relationship that is or appears to be not in the best interest of the organization. A conflict of
interest would prejudice an individuals ability to perform his or her duties and responsibilities
objectively.
Consulting Services
Advisory and related client service activities, the nature and scope of which are agreed with the
client and which are intended to add value and improve an organizations governance, risk
management, and control processes without the internal auditor assuming management responsibility.
Examples include counsel, advice, facilitation, and training.
Control
Any action taken by management, the board, and other parties to manage risk and increase the
likelihood that established objectives and goals will be achieved. Management plans, organizes,
and directs the performance of sufficient actions to provide reasonable assurance that objectives
and goals will be achieved.
Control Environment
The attitude and actions of the board and management regarding the significance of control within
the organization. The control environment provides the discipline and structure for the achievement
of the primary objectives of the system of internal control. The control environment includes the
following elements:
Integrity and ethical values.
Managements philosophy and operating style.
Organizational structure.
Assignment of authority and responsibility.
Human resource policies and practices.
Competence of personnel.
Control Processes
The policies, procedures, and activities that are part of a control framework, designed to ensure
that risks are contained within the risk tolerances established by the risk management process.
Engagement
A specific internal audit assignment, task, or review activity, such as an internal audit, control self-
assessment review, fraud examination, or consultancy. An engagement may include multiple tasks
or activities designed to accomplish a specific set of related objectives.
Engagement Objectives
Broad statements developed by internal auditors that define intended engagement accomplishments.
Engagement Work Program
A document that lists the procedures to be followed during an engagement, designed to achieve the
engagement plan.
External Service Provider
A person or firm, outside of the organization, who has special knowledge, skill, and experience in a
particular discipline.
Fraud
Any illegal acts characterized by deceit, concealment, or violation of trust. These acts are not
dependent upon the application of threat of violence or of physical force. Frauds are perpetrated
by parties and organizations to obtain money, property, or services; to avoid payment or loss of
services; or to secure personal or business advantage.
Governance
The combination of processes and structures implemented by the board in order to inform, direct,
manage, and monitor the activities of the organization toward the achievement of its objectives.
Impairments
Impairments to individual objectivity and organizational independence may include personal conflicts
of interest, scope limitations, restrictions on access to records, personnel, and properties, and
resource limitations (funding).
Independence
The freedom from conditions that threaten objectivity or the appearance of objectivity. Such
threats to objectivity must be managed at the individual auditor, engagement, functional, and
organizational levels.
A department, division, team of consultants, or other practitioner(s) that provides independent,
objective assurance and consulting services designed to add value and improve an organizations
operations. The internal audit activity helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.
Objectivity
An unbiased mental attitude that allows internal auditors to perform engagements in such a manner
that they have an honest belief in their work product and that no significant quality compromises
are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters
to that of others.
Residual Risk
The risk remaining after management takes action to reduce the impact and likelihood of an adverse
event, including control activities in responding to a risk.
Risk
The possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.
Risk Management
A process to identify, assess, manage, and control potential events or situations to provide reasonable
assurance regarding the achievement of the organizations objectives.
Should
The use of the word should in the Standards represents a mandatory obligation.
Standard
A professional pronouncement promulgated by the Internal Auditing Standards Board that delineates
the requirements for performing a broad range of internal audit activities, and for evaluating internal
audit performance.
APPENDIX 4-B
Table 4-3-1-A
IAA is in Full Compliance with the Standards
Standard Number of Full Partial Not in Do Not
Respondents Compliance Compliance Compliance Know
1000 Purpose, Authority, 5,947 63.0 25.0 2.2 9.8
and Responsibility
1100 Independence and 5,953 66.9 22.2 2.7 8.2
Objectivity
1200 Proficiency and Due 5,923 62.9 26.1 2.0 9.0
Professional Care
1300 Quality Assurance 5,896 40.0 35.7 12.1 12.2
2000 Managing the 5,900 57.6 28.9 3.3 10.2
2100 Nature of Work 5,844 57.5 28.7 2.3 11.5
2300 Performing the 5,881 59.7 28.2 1.9 10.2
Engagement
2400 Communicating 5,896 64.1 24.6 2.0 9.3
Results
2600 Resolution of 5,873 46.9 30.7 7.4 15.0
Managements Acceptance
of Risks
Table 4-3-2-A
and Responsibility
Objectivity
1200 Proficiency and Due 1,760 67.0 28.3 1.5 3.2
Professional Care
2000 Managing the 1,754 61.8 32.0 2.7 3.5
2100 Nature of Work 1,730 59.3 32.8 2.6 5.3
2300 Performing the 1,743 62.1 31.8 1.9 4.2
Engagement
2400 Communicating 1,738 68.6 26.2 2.1 3.1
Results
2600 Resolution of 1,742 49.0 35.0 8.0 8.0
of Risks
Table 4-3-3-A
Practitioner Respondents in Percentages
and Responsibility
Objectivity
1200 Proficiency and 4,149 61.1 25.1 2.1 11.7
Due Professional Care
2000 Managing the 4,132 55.8 27.5 3.6 13.1
2100 Nature of Work 4,101 56.8 26.9 2.2 14.1
2300 Performing the 4,124 58.7 26.7 1.9 12.7
Engagement
2400 Communicating 4,144 62.3 23.8 2.0 11.9
Results
2600 Resolution of 4,117 46.1 28.8 7.0 18.1
of Risks
Table 4-3-4-A
IAA is in Full Compliance with the Standards by Groups*
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 68.9 61.8 62.7 51.0 58.1 60.9 58.7 61.7 62.8 63.6 62.4 55.9 48.3
1100 70.6 66.2 65.4 54.3 61.8 71.1 66.9 66.7 66.2 70.0 73.2 63.6 54.0
1200 69.1 69.2 63.3 46.5 52.9 60.5 64.9 59.9 60.5 56.9 61.3 55.9 50.6
1300 47.2 37.7 40.2 25.9 35.5 34.3 38.7 35.2 32.0 30.0 29.5 21.2 33.3
2000 63.8 60.1 57.4 47.0 52.5 56.4 55.9 52.5 50.7 56.0 57.3 48.4 43.8
2100 64.7 61.3 55.4 44.3 46.6 50.0 57.2 56.7 51.3 49.5 57.6 44.8 45.2
2200 63.3 59.1 58.9 33.3 54.6 52.2 57.6 58.3 56.6 50.0 56.6 56.3 46.5
2300 67.3 60.4 61.5 35.0 51.0 55.6 57.8 60.5 55.8 47.7 52.4 40.6 46.7
2400 69.7 66.2 67.9 41.3 56.9 63.5 61.6 63.9 60.5 56.0 64.4 68.8 51.3
2500 60.1 57.1 51.7 31.2 48.2 53.8 47.6 47.7 50.6 39.8 53.1 50.0 40.2
2600 57.9 48.1 50.0 29.1 33.6 41.3 37.7 37.3 35.5 36.4 46.6 40.6 33.4
Table 4-3-5-A
IAA Partially Complies with the Standards by Groups*
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 14.2 23.7 27.8 43.7 34.8 33.2 34.9 29.9 26.9 27.3 31.5 38.2 38.3
1100 13.9 21.4 25.3 38.8 31.8 24.3 28.1 27.2 16.9 23.6 22.8 33.3 32.8
1200 15.0 20.5 28.2 46.5 39.7 33.0 29.8 34.4 28.9 33.9 32.0 41.2 37.3
1300 25.8 40.9 38.3 53.8 43.7 43.7 43.1 38.1 38.7 46.4 53.7 51.5 43.7
2000 19.0 29.4 29.8 43.7 35.2 35.4 37.6 38.7 34.7 28.4 34.0 48.4 39.7
2100 17.0 26.0 32.4 45.5 42.8 38.6 36.1 35.8 36.8 36.7 32.6 48.3 39.3
2200 18.7 27.9 30.5 57.3 35.3 37.9 37.0 34.3 31.6 38.9 33.6 40.6 38.3
2300 16.1 29.2 29.8 55.7 39.6 35.0 37.8 33.1 33.8 41.3 39.9 53.1 38.5
2400 14.5 23.4 23.6 51.0 33.2 30.9 32.6 30.1 31.6 36.7 27.4 28.1 35.3
2500 21.3 29.9 35.8 51.8 39.2 35.5 43.1 40.6 33.8 48.1 36.7 43.8 40.7
2600 19.8 33.1 32.1 48.6 42.0 37.7 43.9 37.6 34.2 37.3 36.5 37.5 38.5
Table 4-3-6-A
IAA is Not in Compliance with the Standards by Groups*
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 1.1 3.9 2.1 1.6 2.6 2.0 3.4 4.0 5.1 1.8 0.7 5.9 3.8
1100 1.6 3.2 3.7 4.1 3.1 1.6 3.6 3.1 11.7 0.0 0.0 3.0 5.5
1200 1.1 1.3 1.9 3.7 3.1 1.6 3.7 2.1 5.3 3.7 1.3 2.9 2.9
1300 9.1 9.1 12.9 14.2 12.6 15.3 14.3 18.2 16.0 14.5 12.1 24.2 11.9
2000 1.5 1.3 5.4 4.0 5.8 3.9 4.2 4.4 8.0 4.6 3.3 3.2 5.4
2100 1.2 1.3 3.1 3.3 2.9 3.4 3.9 2.4 6.6 4.6 2.1 3.4 3.9
2200 1.9 1.9 3.4 3.7 4.3 3.3 3.4 3.8 5.3 2.8 3.5 0.0 3.6
2300 1.2 0.6 1.7 2.8 3.6 2.0 1.7 2.3 3.9 2.8 1.4 6.3 3.9
2400 1.2 0.6 1.7 3.6 5.1 1.0 3.6 2.4 2.6 0.9 2.7 0.0 2.7
2500 2.4 0.6 5.2 8.1 6.3 4.0 6.8 6.4 7.8 5.6 4.1 6.3 7.3
2600 3.1 4.5 7.4 9.7 13.3 8.0 13.2 10.9 21.1 10.0 8.8 18.8 10.2
Table 4-6-1-A
Standard Number of Yes No Do Not Do Not
Respondents Use Know
1000 Purpose, Authority, and 1,791 93.3 1.1 2.7 2.9
Responsibility
1200 Proficiency and Due Professional 1,767 92.9 1.7 2.5 2.9
Care
1300 Quality Assurance and 1,761 81.5 6.1 8.7 3.7
Improvement Program
2000 Managing the Internal Audit 1,755 90.0 3.6 3.3 3.1
Activity
2100 Nature of Work 1,738 88.0 3.7 3.9 4.4
2600 Resolution of Managements 1,729 81.3 6.5 6.9 5.3
Acceptance of Risks
Table 4-6-2-A
Practitioner Responses in Percentages
Standard Number of Yes No Do Not Do Not
Respondents Use Know
1000 Purpose, Authority, and 4,266 83.2 1.3 2.7 12.8
Responsibility
1200 Proficiency and Due Professional 4,227 84.5 1.7 2.2 11.6
Care
1300 Quality Assurance and 4,207 75.6 4.7 5.3 14.4
Improvement Program
2000 Managing the Internal Audit 4,215 81.0 2.9 3.3 12.8
Activity
2100 Nature of Work 4,178 79.8 2.9 3.3 14.0
2600 Resolution of Managements 4,179 73.8 5.2 4.7 16.3
Acceptance of Risks
Table 4-6-3-A
Standards Guidance is Adequate by Groups*
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 81.9 83.8 88.1 90.7 91.6 90.5 90.8 92.7 93.2 91.5 88.0 100.0 81.5
1100 83.7 84.1 89.5 91.5 93.6 92.7 94.3 93.9 93.2 91.6 91.1 100.0 85.2
1200 82.6 87.3 88.3 92.7 89.9 91.1 93.1 93.2 91.5 89.5 88.4 97.1 83.8
1300 75.6 78.3 79.1 79.3 77.7 77.7 86.9 77.3 72.5 77.6 81.2 91.4 72.9
2000 80.8 82.9 83.7 86.1 85.7 89.4 90.4 89.4 80.3 85.7 83.2 97.1 78.1
2100 78.9 82.2 81.1 84.3 82.4 84.0 89.4 90.5 81.7 82.9 85.0 96.9 78.9
2200 80.1 81.0 84.8 82.7 88.2 84.1 92.2 91.3 76.8 86.7 87.5 91.2 78.8
2300 81.0 82.1 83.7 82.7 87.1 86.6 91.2 91.7 76.8 84.6 86.8 85.3 78.2
2400 81.5 83.3 86.9 86.8 88.6 88.6 92.0 91.7 78.3 88.5 88.8 97.1 80.3
2500 79.1 82.1 83.4 79.7 85.6 85.4 88.1 87.6 74.3 79.8 86.2 91.2 75.9
2600 75.7 74.4 79.3 75.2 72.6 74.8 83.6 77.3 64.8 76.9 78.4 90.9 69.8
Table 4-6-4-A
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 92.2 92.9 96.8 96.1 92.4 94.9 91.9 95.5 93.5 100.0 93.3 100.0 87.8
1100 92.4 91.2 96.7 96.1 96.5 96.6 96.0 95.9 93.5 100.0 95.0 100.0 88.5
1200 91.9 98.6 95.2 97.4 91.1 94.9 92.8 92.7 93.3 97.1 89.8 100.0 89.4
1300 82.5 83.8 86.9 87.0 75.7 76.7 89.5 74.9 75.9 82.9 86.7 100.0 78.9
2000 90.6 92.6 91.8 90.8 88.2 92.2 88.5 91.6 82.8 91.4 86.7 100.0 81.9
2100 88.2 92.6 86.9 90.5 80.6 84.8 91.6 91.0 82.1 94.3 89.7 100.0 83.9
2200 89.0 87.0 87.4 89.3 90.3 84.3 92.6 93.0 89.3 94.3 91.4 100.0 85.4
2300 89.6 89.7 88.2 89.3 88.8 87.7 89.7 92.5 79.3 94.3 91.1 87.5 82.8
2400 90.6 91.2 90.9 92.1 93.1 93.9 92.7 93.0 82.8 97.1 91.2 100.0 85.1
2500 89.1 89.6 86.9 86.5 91.5 89.6 89.5 90.0 80.0 82.4 89.3 87.5 79.8
2600 84.7 79.1 83.6 81.1 69.0 80.7 84.4 80.9 66.7 85.7 78.9 100.0 74.5
Table 4-6-5-A
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 77.9 76.7 85.5 88.6 91.0 87.9 90.3 91.3 93.0 87.3 84.7 100.0 79.5
1100 80.4 78.7 87.3 89.8 91.8 90.4 93.7 93.0 92.9 87.5 88.7 100.0 84.0
1200 79.1 78.7 86.1 90.4 89.1 88.8 93.2 93.5 90.2 85.9 87.5 96.3 82.0
1300 73.0 74.2 76.9 76.5 78.6 78.1 86.0 78.5 70.0 75.0 77.7 88.9 71.2
2000 77.0 75.6 81.3 84.3 84.1 87.8 91.0 88.2 78.6 82.9 81.1 96.2 76.9
2100 75.3 74.2 79.3 81.8 83.2 83.5 88.6 90.3 81.4 77.1 82.1 95.8 77.3
2200 76.6 76.4 84.0 80.6 86.9 83.9 92.0 90.5 68.3 82.9 85.1 88.5 76.7
2300 77.7 76.1 82.3 79.4 85.9 85.8 91.7 91.4 75.0 79.7 84.2 84.6 77.0
2400 78.0 77.3 85.7 84.1 86.0 85.4 91.7 91.1 75.0 84.1 87.4 96.2 78.8
2500 75.2 76.4 82.3 77.4 82.1 82.8 87.6 86.4 70.0 78.6 84.4 92.3 74.9
2600 72.3 70.8 78.0 72.7 74.2 71.2 83.3 75.5 63.4 72.5 78.1 88.0 68.5
Table 4-6-6-A
Standards Guidance is Not Adequate by Groups*
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 0.8 1.3 1.3 2.0 1.0 1.3 1.9 1.0 0.0 0.0 2.5 0.0 3.2
1100 1.3 5.1 2.2 2.4 1.0 1.6 1.9 1.5 0.0 0.9 2.5 0.0 3.5
1200 1.5 1.9 2.4 1.2 2.5 1.0 1.7 0.4 1.4 2.9 2.6 2.9 3.2
1300 3.8 4.5 7.9 7.7 5.7 6.5 1.9 5.1 2.9 9.3 7.8 2.9 8.2
2000 2.1 5.1 4.0 4.9 3.2 2.2 2.5 2.5 9.9 4.8 7.7 0.0 4.7
2100 2.4 2.5 5.7 4.1 3.7 3.9 3.3 1.4 7.0 5.7 4.6 0.0 4.3
2200 2.4 4.4 3.8 5.3 2.9 4.2 2.5 2.1 14.5 5.7 4.6 2.9 5.6
2300 2.2 5.1 5.3 5.3 5.5 3.0 2.8 2.1 13.0 7.7 5.3 8.8 6.6
2400 2.4 3.8 3.4 3.7 4.0 3.2 3.6 2.4 11.6 3.8 3.3 0.0 4.7
2500 3.1 3.2 5.1 5.8 3.8 3.2 3.6 3.0 14.3 10.6 5.3 5.9 7.3
2600 4.1 7.1 6.1 6.2 8.5 5.9 5.3 5.0 9.9 7.7 9.2 3.0 8.7
Table 4-7-1-A
IAA Does Not Use Practice Advisories by Groups*
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 15.2 11.5 10.6 8.7 7.3 17.1 10.0 7.6 12.5 12.2 7.3 3.4 13.3
1100 14.6 12.3 11.0 7.3 7.0 16.0 7.1 6.7 14.3 10.2 7.3 3.4 11.6
1200 15.2 13.8 11.0 7.7 8.1 18.6 7.9 7.5 13.1 11.1 7.5 6.9 11.6
1300 17.5 18.0 12.6 15.9 16.8 20.6 16.0 20.1 27.0 16.9 15.8 13.8 16.9
2000 15.6 15.3 12.1 7.2 10.0 18.9 10.5 9.3 14.5 10.2 8.9 3.4 14.2
2100 16.4 17.0 11.6 9.6 11.8 22.2 8.6 9.3 11.1 11.4 9.0 3.4 16.4
2200 15.7 19.0 12.4 10.0 8.4 20.8 8.1 7.1 12.9 12.4 7.4 3.4 15.8
2300 15.4 17.5 11.6 10.1 7.9 18.7 8.7 7.1 11.1 11.4 6.6 6.9 15.6
2400 15.4 15.6 11.1 7.9 9.7 16.7 9.1 7.4 12.9 11.4 7.4 3.4 14.5
2500 16.4 16.1 13.3 9.4 11.1 18.3 12.8 11.0 12.7 13.8 8.3 3.4 16.6
2600 18.2 24.5 14.4 20.2 21.2 27.1 15.9 20.3 28.3 18.2 11.1 13.8 19.9
Table 4-8-1-A
Practice Advisory Number of Yes No Do Not
Respondents Use
1000 Purpose, Authority, and Responsibility 4,801 86.0 1.7 12.3
1100 Independence and Objectivity 4,792 86.3 2.2 11.5
1200 Proficiency and Due Professional Care 4,779 85.4 2.4 12.2
1300 Quality Assurance and Improvement 4,759 77.2 5.5 17.3
Program
2000 Managing the Internal Audit Activity 4,755 83.4 3.4 13.1
2100 Nature of Work 4,735 82.3 3.8 13.9
2200 Engagement Planning 4,748 83.2 3.7 13.1
2300 Performing the Engagement 4,739 83.5 3.7 12.8
2400 Communicating Results 4,747 84.0 3.4 12.6
2500 Monitoring Progress 4,731 81.1 4.5 14.4
2600 Resolution of Managements Acceptance 4,733 75.4 5.8 18.8
of Risks
Table 4-8-2-A
Respondents Use
Program
2100 Nature of Work 1,420 81.8 4.6 13.6
of Risks
Table 4-8-3-A
Respondents Use
Program
2100 Nature of Work 3,315 82.5 3.4 14.1
of Risks
Table 4-8-4-A
Practice Advisory Guidance is Adequate by Groups*
Standard 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
1000 83.6 84.9 87.3 87.4 91.7 81.3 88.9 90.5 87.5 86.7 89.1 96.6 83.2
1100 84.0 81.2 86.4 89.4 90.4 81.0 92.1 91.2 85.7 87.5 89.8 96.6 84.1
1200 83.0 84.1 85.7 89.6 89.3 79.7 90.4 91.0 83.6 84.4 87.3 93.1 83.4
1300 78.4 74.8 81.0 74.2 77.6 73.9 81.5 74.4 66.7 70.8 75.2 86.2 74.3
2000 82.4 78.8 84.6 87.8 85.8 76.8 87.7 87.1 82.3 83.0 80.0 96.6 79.7
2100 81.3 78.5 84.1 84.8 82.7 73.5 87.1 88.1 81.0 77.3 82.1 93.1 78.3
2200 81.9 75.9 82.6 80.6 87.7 73.3 90.2 90.3 79.0 82.0 83.8 96.6 79.5
2300 82.2 79.6 84.4 81.0 84.9 77.4 88.7 90.1 81.0 83.0 85.3 93.1 79.1
2400 82.6 80.7 86.1 85.9 84.7 80.8 87.7 89.2 79.0 79.5 85.2 96.6 79.6
2500 80.8 77.4 81.7 83.9 81.1 77.4 82.0 84.8 79.4 81.6 85.7 93.1 75.2
2600 78.4 66.9 78.5 68.5 68.2 66.9 79.5 75.7 60.0 76.1 75.6 86.2 70.7
Table 4-15-1-A
When IAA was Last Subject to a Formal Internal Quality Assessment in
Accordance with Standard 1311 by Groups*
Timing 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
To be 9.2 7.4 11.4 6.1 7.8 3.5 6.5 7.2 4.0 14.9 7.6 14.3 6.1
completed
prior to
J anuary 1,
2007
Within the 25.5 21.6 30.2 16.4 22.2 25.1 24.8 21.1 18.2 20.3 23.0 16.7 16.5
last 12
months
1-3 years 8.5 8.9 10.9 4.7 5.0 6.7 8.2 5.5 7.1 7.0 5.6 4.8 5.2
ago
4-5 years 1.4 4.2 2.3 1.3 0.8 0.9 0.9 0.7 2.0 2.6 0.0 0.0 0.8
ago
More than 1.4 4.2 1.0 3.0 0.6 0.8 0.5 0.7 1.0 0.0 0.0 0.0 1.3
5 years ago
Never 28.5 27.9 22.9 52.8 47.0 41.2 39.5 43.3 53.5 33.3 36.2 45.2 44.3
Not done in 3.7 5.3 5.9 2.7 8.4 11.6 9.8 16.9 6.1 7.0 9.2 11.9 8.4
accordance
with
Standard
1311
Do not 21.8 20.5 15.4 13.0 8.2 10.2 9.8 4.6 8.1 14.9 18.4 7.1 17.4
know
Total 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
percentage
Total 2,967 190 599 299 500 371 440 830 99 114 196 42 619
respon-
dents
Table 4-21-1-A
Activities Performed by IAAs as Part of a Quality
Assessment and Improvement Program by Groups*
Activity 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Engagement 46.0 43.7 53.7 32.1 37.8 52.4 63.9 44.7 38.8 38.5 47.1 53.2 27.1
supervision
Checklists/ 44.8 48.5 51.6 38.4 38.5 52.1 48.8 33.3 34.5 38.5 52.4 57.4 23.2
manuals to
provide
assurance
that proper
audit
processes
are followed
Feedback 41.6 55.3 53.4 42.9 40.4 43.3 40.0 31.1 32.8 40.0 44.0 36.2 24.0
from audit
customers at
the end of an
audit
Internal audit 34.6 33.0 36.9 36.0 36.8 31.2 34.7 30.1 31.0 34.8 28.9 36.2 18.1
professionals
are in
compliance
with The IIAs
Code of
Ethics
Reviews by 33.9 38.8 45.4 26.2 21.3 31.9 35.1 24.4 27.6 33.3 36.4 31.9 17.7
other
members of
the IAA
Table 4-21-1-A (Cont.)
Activities Performed by IAAs as Part of a Quality
Assessment and Improvement Program by Groups*
Activity 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Verification 33.3 31.6 38.6 26.8 31.4 29.3 30.8 25.5 24.1 37.0 29.3 31.9 14.0
that the IAA
is in
compliance
with the
Standards
Review by 22.6 31.1 32.7 13.4 18.8 28.1 21.0 12.6 14.7 19.3 22.2 34.0 11.3
external
party
Compliance 19.8 27.7 23.6 21.4 19.9 19.0 28.0 15.7 15.5 14.8 14.7 23.4 13.2
with non-IIA
standards
or codes
Not 13.3 12.1 7.9 7.7 12.9 11.7 9.8 18.1 20.7 8.1 12.9 23.4 9.2
applicable
I do not 14.2 7.8 9.5 7.4 4.9 4.0 2.9 9.2 4.3 10.4 5.8 0.0 7.7
know
Total 3,332 206 661 336 574 420 490 945 116 135 225 47 1,057
number of
respon-
dents

CONTENTS
Chapter 5

Chapter 5: Current Status of the Internal Audit Activity................................................... 183
Introduction......................................................................................................................... 183
The IAAs Relationship within the Organization............................................................... 184
Relationship with the Audit Committee.............................................................................. 191
External Relationships - Legislation Affecting Internal Auditing...................................... 192
Organizations and CAEs Perceptions About the IAA...................................................... 194
Methods Used to Measure the Value Added by the IAA.................................................... 197
Internal Audit Activity........................................................................................................ 200
Managing the Internal Audit Activity................................................................................. 202
Creating the Audit Plan....................................................................................................... 204
Allocation of IAAs Time................................................................................................... 207
Performing the Engagement - The Use of Tools................................................................ 214
Current Usage of Audit Tools and Techniques................................................................... 216
Predictive Changes in the Use of Audit Tools and Techniques
Over the Next Three Years........................................................................................... 227
Resolution of Major Differences........................................................................................ 233
Reporting of Findings......................................................................................................... 235
Monitoring Corrective Action............................................................................................. 237
Summary............................................................................................................................. 239
Appendix 5.......................................................................................................................... 240

Disclosure


profession.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 183
CHAPTER 5
CURRENT STATUS OF THE
INTERNAL AUDIT ACTIVITY
Introduction
This chapter summarizes the respondents perceptions about their internal audit activities (IAAs)
relationships within the organization and how the IAA performs the steps in the audit process. The
chapter follows the outline of the audit process. The topics covered start with respondents IAAs
reporting relationships within their organizations, their relationships with their audit (oversight)
committees, and how IAAs measure the value they add to their organizations. This chapter then
addresses the IAAs processes to perform an audit, including the management of the IAA; planning
and scope of work; the range of internal audit tasks; types of audits that are performed; and
allocation of audit time. The next section of this chapter reviews the tools that are currently used or
plan to be used by internal auditors to prepare audit plans and perform engagements. The final
section covers how respondents report audit findings and how issues are addressed and resolved.
question.
not CAEs).
For a list of groups, please refer to Appendix 1-B of this report. Some tables have additional
details. For example, Table 5-17 is the total of all respondents for that question with a related Table
5-17-2 showing the responses by group. Additional related tables may be located in Appendix 5 at
the end of this chapter. A table that is in the Appendix can be clearly identified by an A at the end
of its number. For example, Table 5-3-1-A is located in Appendix 5.
The IAAs Relationships within the Organization
Reporting Relationships
For the IAA to remain independent, the CAEs reporting status is very important. The IIA
recommends a dual reporting relationship where the CAE reports to the audit committee of the
board as well as to a senior management executive. Such matrix reporting allows the IAA to build
organizational independence while also serving management. Survey questions asked about reporting
relationships for the CAE.
The results of the survey indicate that the reporting status of CAEs was generally in accordance
with the International Standards for the Professional Practice of Internal Auditing (Standards)
Attribute Standard 1110, Organizational Independence. This standard requires the IAA to be
independent and internal auditors to be objective in performing their work. Practice Advisory 1110-
2, Chief Audit Executive (CAE) Reporting Lines states the CAE should report functionally to the
audit committee or its equivalent and administratively to the chief executive officer of the
organization. The largest percentage of responding CAEs indicate that they report to the audit
committee.
As detailed in Figure 5-1, 47.3% of CAEs report to the audit committee level and another 43.4%
report to the executive level of management. Only 5.1% report to a staff manager position.
Figure 5-1
CAEs Reporting Status
CAE Respondents (2,367) in Percentages
Other
4.2%
Staff position
reporting to a
staff manager
5.1%
Officer position
reporting to
executive
management/
high-level
government
official
20.6%
Manager position
reporting to
executive management/
high-level government
official
22.8%
Independent position
reporting to the
audit committee
of the board/
oversight board
47.3%
To gain a better understanding of the factors that could influence the reporting level of the CAE,
Table 5-1 looks at reporting status by type of organization. The IIA believes that the CAE should
functionally report to the audit committee. It is apparent that this occurs in the majority of cases in
publicly listed and not-for-profit organizations. This is not the case in the public sector where there
is a tendency to report to either a line manager or a high government official. This could reflect
differences in the organizational configuration of public sector operations where the audit committee
structure is often absent.
Table 5-1
CAEs Reporting Status by Type of Organization
Type of Number of Independent Officer Managerial Staff Position Other Total
Organization Respondents Position Position Position Reporting to a
Reporting to Reporting to Reporting to Staff Manager
the Audit the Executive Executive
Committee of Management/ Management/
the Board/ High-level High-level
Oversight Government Government
Board Official Official
Not-for- 171 56.1 13.5 21.1 6.4 2.9 100.0
Profit
Organization
Publicly 820 55.3 17.4 19.9 5.1 2.3 100.0
Traded
(Listed)
Company
Privately 587 47.5 22.0 22.5 5.5 2.5 100.0
Held
(Non-listed)
Company
Other 56 41.1 21.4 23.2 3.6 10.7 100.0
Service 205 38.0 22.9 17.7 2.9 18.5 100.0
Provider/
Consultant
Public 521 36.1 25.6 29.8 5.2 3.3 100.0
Sector/
Government
The high level of reporting status and the importance of the CAEs relationship with the board is
reinforced by those involved in the CAEs appointment and performance review. The responses
listed in Figure 5-2 indicate that 51.2% of the CAE respondents were appointed by the audit
committee, and the chairperson of the board was involved in nearly one-third of the CAE respondents
appointments.
Figure 5-2
Position that Appoints CAE
There is evidence of involvement of the CEO in 54.4% of CAE respondents appointments. The
CFO had a role in the CAE respondents appointment 27.8% of the time. This level of involvement
by the board, the audit committee, and senior management in the appointment of the CAE reinforces
the overall high level of CAE reporting status and the importance of the CAE to the organization.
Table 5-2 shows, by group, information about the position that appoints the CAE (see Appendix 1-
B for a list of the groups). There are noticeable differences between the group results for CAEs
that are appointed by the audit committee chairperson in groups 1, 2, 3, 11, and 12 (61.6% to 68%)
and in groups 4 to 10 (26% to 38%).
Table 5-2
Position that Appoints CAE by Group*
Position 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Audit Committee/ 68.0 61.6 67.1 38.0 26.0 26.0 29.8 36.7 37.0 31.9 65.4 66.7 41.6
Oversight Committee/
Committee Chairperson
Chief Executive Officer 55.6 67.4 58.6 37.0 55.0 56.0 50.4 58.4 37.0 59.6 49.4 55.6 47.0
Chairperson of the 18.3 10.5 13.8 68.0 44.0 49.0 44.3 52.8 43.5 40.4 33.3 33.3 38.9
Board
Chief Financial Officer 41.8 32.6 46.7 7.0 10.0 26.0 6.1 15.4 10.9 8.5 14.8 11.1 20.1
Another person 6.8 4.7 5.3 3.0 0.0 3.0 0.8 1.3 2.2 2.1 0.0 0.0 0.7
reporting to CFO
Other 13.4 23.3 15.8 14.0 21.0 10.0 17.6 8.2 6.5 6.4 4.9 0.0 13.4
Note: The respondents were asked to mark all that apply so the total of percentages may be more than 100.
Tied to the discussion of the reporting level of CAEs within an organization is who undertakes the
performance review of the CAE. Despite the recommended dual reporting structure, evaluation is
primarily a management responsibility (Practice Advisory 1110-2). Board members and/or audit
committee members usually do not have sole responsibility for such functions for the CAE, although
their input in the evaluation process is valuable.
Figure 5-3 summarizes the CAEs responses indicating the level within an organization that performs
their evaluation. The audit committees involvement is most prevalent in the CAEs evaluation
(48.7%) with an almost equal input by the CEO (44.9%) and significant input by senior management
(31.2%). The chairperson of the board is involved with 16.4% of the CAEs evaluations while the
entire board is involved 16.1% of the time. As CAE respondents could indicate all those who
participated in their evaluation and the percentages in Figure 5-3 add up to well over 100.0%, it
appears that input from several high-level officials of an organization are combined to evaluate the
performance of the CAE.
Figure 5-3
Evaluation of CAEs Performance
Table 5-3 shows group differences indicating who evaluates the CAE. Further analysis by type of
organization is provided in Table 5-3-1-A in Appendix 5. This table indicates that the audit committee
is most involved in publicly traded and not-for-profit organizations. The chief executive officer
takes the lead in privately held and public sector organizations.
Table 5-3
Evaluation of CAEs Performance by Group*
Position 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Board of Directors 7.1 5.8 9.9 23.0 34.0 26.0 25.2 24.9 19.6 25.5 19.8 11.1 14.1
Chairperson of the 6.5 4.7 5.9 57.0 20.0 23.0 26.7 31.5 15.2 12.8 13.6 11.1 18.1
Board
Chief Executive Officer 42.1 59.3 46.1 49.0 45.0 44.0 42.7 50.8 39.1 44.7 46.9 77.8 40.3
Audit Committee/ 59.8 62.8 67.8 21.0 27.0 29.0 35.1 44.9 37.0 36.2 64.2 88.9 35.6
Oversight Committee/
Committee Chairperson
Senior Management 38.0 38.4 41.4 25.0 32.0 12.0 25.2 26.6 26.1 23.4 13.6 0.0 28.2
Auditee/Client at the 8.1 19.8 27.6 5.0 14.0 15.0 14.5 9.5 0.0 27.7 7.4 22.2 6.0
end of audit
Supervisor periodically 9.7 5.8 8.6 5.0 11.0 11.0 4.6 4.9 4.3 4.3 2.5 11.1 6.7
Peers/Subordinates 4.6 14.0 15.1 6.0 5.0 7.0 4.6 3.0 4.3 10.6 6.2 11.1 2.7
periodically
Not evaluated 3.0 3.5 3.9 1.0 3.0 6.0 5.3 2.0 6.5 10.6 4.9 0.0 7.4
Relationship with the Audit Committee
Practice Advisory 2060-2, Relationship with the Audit Committee, governs the relationship of the
IAA and the audit committee. As noted in Table 5-4, CAEs confirm that an audit/oversight committee
exists in 72.6% of their organizations. The CAEs relationship with the committee chairperson is
very important. Of respondent CAEs with audit committees, 63.2% meet regularly with their audit
committee chair in addition to attending regular audit committee meetings. It is notable that of
those that have audit/oversight committees, 91.3% of CAEs believe they have appropriate access
to the committee.
Table 5-4
CAEs Relationship with Audit/Oversight Committee
CAE Respondents Percentage of Yes Responses
Question Total Yes
Respondents Percent of
Total
Responses
Is there an audit/oversight committee 2,315 72.6
in your organization?
Does the CAE meet with the audit/ 1,669 63.2
oversight committee chairperson in
addition to the regularly scheduled
meetings?
Does the CAE believe that he/she 1,671 91.3
has appropriate access to the audit/
oversight committee?
As indicated in Table 5-4-1-A in Appendix 5, CAE responses by groups have some major differences
relating to the CAEs relationship with an audit committee. These differences appear to be primarily
related to the existence of the audit committee structure in some groups and not in others. CAEs in
groups 1, 2, 3, and 11 specify that 81.5% to 92.9% of their organizations have an audit committee,
compared to CAEs in the other groups who indicate that 38.7% to 69.5% of their organizations
have an audit committee. In group 12, all respondents have an audit committee.
For those CAEs that have an audit committee, Table 5-5 summarizes the number of audit committee
meetings held in the last fiscal year, the number of meetings CAEs were invited to attend, and the
number of meetings attended by the CAEs. The CAEs responding indicate that 96.9% of audit
committees met between 1 and 12 times per year. The majority of audit committees (82.7%) met
4 or more times per year. There is also a close correlation between the number of audit committee
meetings held, the number of meetings the CAEs were invited to attend, and the number of times
the CAEs actually attended the meetings.
Table 5-5
Audit/Oversight Committee Meetings During Last Fiscal Year
Number of Meetings Held Meetings the CAE Meetings the CAE
Audit Percent of 1,661 Total was Invited to Attend Attended
Committee Respondents Percent of 1,657 Percent of 1,656
Meetings Total Respondents Total Respondents
None 8.0 7.9
1 1.8 4.8 4.7
2 5.9 7.4 7.9
3 9.6 8.6 8.8
4 35.5 31.6 31.6
5 10.2 9.4 9.6
6 11.8 9.7 9.0
7 2.6 2.5 2.8
8 6.1 5.1 5.0
9 1.4 1.3 1.3
10 4.3 3.2 3.5
11 1.3 0.8 1.3
12 6.4 4.8 4.0
More than
12 3.1 2.8 2.6
Total 100.0 100.0 100.0
External Relationships - Legislation Affecting Internal Auditing
In the CBOK Affiliate questionnaire, IIA affiliate leaders were asked about local and federal
regulations and legislation affecting the profession of internal auditing. Of the 46 affiliates that
responded, 78% indicate that their countries have legislation or regulations affecting the internal
auditing profession. Table 5-6 lists the 36 affiliates whose countries have laws and regulations
affecting internal auditing. The United States and Canada also have legislation affecting internal
auditing.
In a majority of the responding affiliates countries, legislation or regulations exist affecting internal
auditing in the public sector. In most of these affiliates, financial entities, banks, and insurance
companies are subjected to legislation that prescribes the establishment or the role of internal
auditing in an organization. In several affiliates (e.g., The Netherlands, Norway, South Africa, and
Spain), corporate governance requirements for listed companies strongly recommend the installation
of an IAA as part of their corporate governance structure. In other affiliates (e.g., France, Italy,
United Kingdom, and Ireland), it is recommended that all private companies, whether listed or not,
have an IAA. In a few affiliates (e.g., Belgium and Turkey), initiatives have been taken to create
a more formal legal framework for the internal audit profession.
Table 5-6
Countries with Legislation or Regulation
Affecting Internal Auditing
Argentina Luxembourg
Australia Mexico
Austria The Netherlands
Azerbaijan Norway
Belgium Peru
Bolivia Philippines
Bulgaria Russia
Canada Singapore
Congo Slovenia
Denmark South Africa
Dominican Republic Spain
Finland Sweden
France Taiwan
Germany Thailand
Israel Turkey
Italy Uganda
J apan United Kingdom and Ireland
Lebanon United States
Lithuania Venezuela
In 61% (22 affiliates) of the 36 responding affiliates where legislation or regulation affecting internal
auditing exists, The IIA affiliate had an influence on the final form of the legislation or regulation.
Table 5-7 provides an overview of these 22 affiliates.
Table 5-7
Countries Where the IIA Affiliate Influenced
Legislation or Regulation Affecting Internal Auditing
Australia The Netherlands
Azerbaijan Norway
Bulgaria Philippines
Denmark Russia
Finland South Africa
France Spain
Germany Sweden
Italy Taiwan
J apan Thailand
Luxembourg Turkey
Mexico United Kingdom and Ireland
Those IIA affiliates that assisted in the development of the legislation or regulations took part in the
discussions and provided input through participation and lobbying in committees, work groups, and
conferences. IIA affiliates also regularly issue their own opinions on drafts of local and national
laws and regulations. The publication of position papers and articles reflecting their members
ideas and opinions is a common method of participation in the evolution of local and national laws
and regulations.
Organizations and CAEs Perceptions About the IAA
To gain an understanding of how the IAA is perceived within their organization, all respondents
were asked to rank their level of agreement with the statements in Table 5-8 on a scale of 1- 5,
from strongly disagree (1) to strongly agree (5). The mean response for each question was calculated
for the four IAA staff levels responding to the survey. With means mostly above 4.2 for all staff
levels, most auditees indicate their IAA is highly independent, objective, adds value, and effectively
evaluates internal controls. This is generally supported by the group results in Table 5-8-1-A located
in Appendix 5.
Statements with means around 4.0 indicate respondents agreement that their IAAs have an effective
approach to risk management; are an integral part of the governance process; are credible within
the organization; are proactive in looking at important financial matters, risks, and internal controls;
have sufficient status in the organization; and that compliance with the IIAs Code of Ethics is a
key factor for their IAAs to add value to their organizations.
The statements ranked under 4.0 but above 3.5 indicate respondents have less support for the
statements about effectiveness in the evaluation of corporate governance and compliance with
The IIAs Standards. Overall, the perceptions by the respondents provide a very positive view
about the IAA within their organizations. In Table 5-8-1-A in Appendix 5, mean responses for
these statements for CAEs by groups show very similar results across all groups.
Table 5-8
Statement CAE Mean Audit Audit Senior/ Audit Staff
of 2,374 Manager Supervisor Mean
Respondents Mean Mean of 1,626
of 2,033 of 2,251 Respondents
Respondents Respondents
Your internal audit function is an 4.45 4.34 4.25 4.10
independent objective assurance
and consulting activity.
Your internal audit function adds 4.41 4.32 4.26 4.20
value.
Internal audit brings a systematic 4.03 3.99 3.98 3.95
approach to evaluate the
effectiveness of risk management.
Your internal audit function brings 4.35 4.27 4.21 4.11
a systematic approach to evaluate
the effectiveness of internal controls.
Your internal audit function brings a 3.80 3.73 3.71 3.74
systematic approach to evaluate the
effectiveness of governance
processes.
Your internal audit function 4.10 4.05 3.96 3.88
proactively examines important
financial matters, risks, and internal
controls.
Table 5-8 (Cont.)
Statement CAE Mean Audit Audit Senior/ Audit Staff
of 2,374 Manager Supervisor Mean
Respondents Mean Mean of 1,626
of 2,033 of 2,251 Respondents
Your internal audit function is an 4.10 4.04 3.97 3.91
integral part of the governance
process by providing reliable
information to management.
The way our internal audit function 3.52 3.81 3.66 3.51
adds value to the governance
process is through direct access to
the audit committee.
Your internal audit function has 4.07 3.97 3.86 3.75
sufficient status in the organization
to be effective.
Independence is a key factor for 4.46 4.40 4.32 4.29
your internal audit function to add
value.
Objectivity is a key factor for your 4.58 4.47 4.42 4.36
internal audit function to add value.
Your internal audit function is 4.30 4.17 4.08 3.99
credible within your organization.
Compliance with The IIAs 3.86 3.90 3.89 3.90
International Standards for the
Professional Practice of Internal
Auditing is a key factor for your
Compliance with The IIAs Code 4.03 4.04 3.98 3.99
of Ethics is a key factor for your
internal audit function to add value
Methods Used to Measure the Value Added by the IAA
The IIA defines internal auditing as an independent, objective assurance and consulting activity
designed to add value and improve an organizations operations. In The IIAs Standards Glossary,
add value is defined as, Value is provided by improving opportunities to achieve organizational
objectives, identifying operational improvement, and/or reducing risk exposure through both assurance
and consulting services.
Figure 5-4 on the following page lists the methods used by the respondents organizations to measure
the value added by their IAAs. The measures include acceptance and implementation of
recommendations (51.4%), assessment by customer surveys from audited departments (34.6%),
and the number of management requests for internal assurance or consulting projects (26.8%).
Reliance by the external auditors on the IAA is also used as a value-added indicator (33.5%). No
formal measurement of value added was indicated in 32.6% of the 2,361 respondents.
As can be seen in Table 5-9, considerable differences exist between groups in the methods used to
evaluate the value added by IAAs. There are significant differences when relying on customer/
auditee surveys (10.9% - 57.9%), reliance by external auditors (9.7% - 77.8%), and the number of
major audit findings (4.3% - 66.7%). There was variation between groups where there is no
formal measurement of value added by IAAs services with a high of 47.5% for group 6.
Figure 5-4
Methods Used to Measure Value Added by the IAA
internal audit activity
internal audit assurance or consulting
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
C
h
a
p
t
e
r

5
:

C
u
r
r
e
n
t

S
t
a
t
u
s

o
f

t
h
e

I
n
t
e
r
n
a
l

A
u
d
i
t

A
c
t
i
v
i
t
y

1
9
9
T
h
e

I
n
s
t
i
t
u
t
e

o
f

I
n
t
e
r
n
a
l

A
u
d
i
t
o
r
s

R
e
s
e
a
r
c
h

F
o
u
n
d
a
t
i
o
n
Table 5-9
Methods Used to Measure Value Added by the IAA by Group*
All Respondents by Group in Percentages
Method of 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Evaluation
Customer/client 37.5 50.0 57.9 32.0 26.0 24.4 33.6 23.0 10.9 55.3 32.9 44.4 32.0
surveys from audited
departments
Recommendations 46.9 52.3 55.3 59.2 53.7 34.4 62.6 56.3 60.9 31.9 64.6 100.0.0 58.0
accepted/implemented
Cost savings and 30.1 27.9 17.8 49.5 31.1 17.5 34.4 21.7 30.4 17.0 42.7 66.7 36.0
improvements from
recommendations
implemented
Number of management 28.0 44.2 34.9 21.4 21.5 14.4 26.7 23.7 32.6 12.8 39.0 77.8 23.3
requests for internal
audit assurance or
consulting projects
Reliance by external 37.7 46.5 50.7 9.7 16.4 32.5 30.5 33.2 10.9 34.0 34.1 77.8 26.7
auditors on the internal
audit activity
Budget to actual audit hours 17.9 30.2 25.7 8.7 12.4 18.8 22.9 9.9 26.1 19.1 14.6 33.3 12.7
Cycle time from 10.8 12.8 13.8 3.9 5.6 12.5 11.5 10.2 15.2 14.9 13.4 11.1 12.7
entrance conference to
draft report
Number of major audit 15.2 19.8 18.4 44.7 37.3 15.0 29.8 18.4 37.0 4.3 30.5 66.7 29.3
findings
Other 11.1 11.6 17.1 3.9 18.6 7.5 4.6 9.9 8.7 8.5 9.8 11.1 11.3
No formal measurement 34.5 24.4 27.6 35.0 27.1 47.5 31.3 32.6 26.1 31.9 23.2 11.1 30.0
of value added
Total respondents by 914 86 152 103 177 160 131 304 46 47 82 9 150
group
2
0
0

A

G
l
o
b
a
l

S
u
m
m
a
r
y

o
f

t
h
e

C
o
m
m
o
n

B
o
d
y

o
f

K
n
o
w
l
e
d
g
e

2
0
0
6
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
T
h
e

I
n
s
t
i
t
u
t
e

o
f

I
n
t
e
r
n
a
l

A
u
d
i
t
o
r
s

R
e
s
e
a
r
c
h

F
o
u
n
d
a
t
i
o
n
I
n
t
e
r
n
a
l

A
u
d
i
t

A
c
t
i
v
i
t
y
G
o
v
e
r
n
i
n
g

D
o
c
u
m
e
n
t
s

i
n

t
h
e

O
r
g
a
n
i
z
a
t
i
o
n
A
c
c
o
r
d
i
n
g

t
o

S
t
a
n
d
a
r
d

2
1
3
0
,

G
o
v
e
r
n
a
n
c
e
,

t
h
e

I
A
A

s
h
o
u
l
d

a
s
s
e
s
s

a
n
d

m
a
k
e

a
p
p
r
o
p
r
i
a
t
e
r
e
c
o
m
m
e
n
d
a
t
i
o
n
s

f
o
r

i
m
p
r
o
v
i
n
g

t
h
e

g
o
v
e
r
n
a
n
c
e

p
r
o
c
e
s
s
.

T
a
b
l
e

5
-
1
0

s
h
o
w
s

t
h
e

t
y
p
e
s

o
f

d
o
c
u
m
e
n
t
s
t
h
a
t

s
u
p
p
o
r
t

t
h
e

e
s
t
a
b
l
i
s
h
m
e
n
t

o
f

c
o
r
p
o
r
a
t
e

g
o
v
e
r
n
a
n
c
e

i
n

a
n

o
r
g
a
n
i
z
a
t
i
o
n
.

R
e
s
p
o
n
d
e
n
t
s

r
e
p
o
r
t

t
h
a
t
7
3
.
3
%

o
f

t
h
e
i
r

o
r
g
a
n
i
z
a
t
i
o
n
s

h
a
v
e

a

c
o
r
p
o
r
a
t
e

e
t
h
i
c
s

p
o
l
i
c
y
/
c
o
d
e

o
f

e
t
h
i
c
s
/
c
o
d
e

o
f

c
o
n
d
u
c
t

a
n
d
6
6
.
3
%

h
a
v
e

a

l
o
n
g
-
t
e
r
m

s
t
r
a
t
e
g
i
c

p
l
a
n
.

O
n
l
y

5
3
.
2
%

o
f

t
h
e

r
e
s
p
o
n
d
e
n
t
s

o
r
g
a
n
i
z
a
t
i
o
n
s

h
a
v
e

a
c
o
r
p
o
r
a
t
e

g
o
v
e
r
n
a
n
c
e

c
o
d
e

a
n
d

5
6
.
9
%

h
a
v
e

a
n

a
u
d
i
t

o
v
e
r
s
i
g
h
t
/
c
o
m
m
i
t
t
e
e

c
h
a
r
t
e
r
.
T
a
b
l
e

5
-
1
0
D
o
c
u
m
e
n
t
s

t
h
a
t

E
x
i
s
t

i
n

t
h
e

O
r
g
a
n
i
z
a
t
i
o
n

S
u
p
p
o
r
t
i
n
g

t
h
e
E
s
t
a
b
l
i
s
h
m
e
n
t

o
f

C
o
r
p
o
r
a
t
e

G
o
v
e
r
n
a
n
c
e
A
l
l

R
e
s
p
o
n
d
e
n
t
s

i
n

P
e
r
c
e
n
t
a
g
e
s
D
o
c
u
m
e
n
t
s
N
u
m
b
e
r

o
f

Y
e
s
P
e
r
c
e
n
t

o
f
R
e
s
p
o
n
s
e
s
R
e
s
p
o
n
d
e
n
t
s
C
o
r
p
o
r
a
t
e

E
t
h
i
c
s

P
o
l
i
c
y
/
C
o
d
e

o
f

E
t
h
i
c
s
/
6
,
8
5
9
7
3
.
3
C
o
d
e

o
f

C
o
n
d
u
c
t
L
o
n
g
-
t
e
r
m

S
t
r
a
t
e
g
i
c

P
l
a
n

f
o
r

t
h
e
6
,
2
0
1
6
6
.
3
O
r
g
a
n
i
z
a
t
i
o
n
A
u
d
i
t

O
v
e
r
s
i
g
h
t
/
C
o
m
m
i
t
t
e
e

C
h
a
r
t
e
r
5
,
3
2
2
5
6
.
9
C
o
r
p
o
r
a
t
e

G
o
v
e
r
n
a
n
c
e

C
o
d
e
4
,
9
7
4
5
3
.
2
N
o
t
e
:

T
h
e

r
e
s
p
o
n
d
e
n
t
s

w
e
r
e

a
s
k
e
d

t
o

m
a
r
k

a
l
l

t
h
a
t

a
p
p
l
y

s
o

t
h
e

t
o
t
a
l

r
e
s
p
o
n
s
e
s

m
a
y

b
e

m
o
r
e

t
h
a
n

t
h
e

t
o
t
a
l

n
u
m
b
e
r

o
f
r
e
s
p
o
n
d
e
n
t
s

a
n
d

t
h
e

p
e
r
c
e
n
t
a
g
e
s

m
a
y

b
e

m
o
r
e

t
h
a
n

1
0
0
.
Figure 5-5 shows the type of documents that support the work and performance of the IAA. Each
is important to the success of the IAA. An internal audit charter is required by The IIAs Attribute
Standard 1000, Purpose, Authority, and Responsibility, and Practice Advisory (PA) 1000-1, Internal
Audit Charter. Documented audit plans are expected to be in use. Compliance with Performance
Standard 2010, Planning, requires the CAE to Establish risk-based plans to determine the priorities
of the IAA.
Figure 5-5
Documents that Exist in the Organization Supporting the
Work and Performance of the IAA
Note: The respondents were asked to mark all that apply so the total percentages may be more than 100.
The respondents indicate that 81.3% of their IAAs have an audit plan, 72.3% of their IAAs have
an internal audit charter, and 60.1% have a mission statement. A majority of respondents IAAs
(69.5%) use internal audit risk assessments to develop the audit plan. Respondents indicate that
63% of their IAAs have an internal audit operating manual/policy statement and 40.3% have an
audit plan that is longer than one year. These are all positive signs for effective internal audit
procedures.
Audit Activity
Managing the Internal Audit Activity
To gather information about compliance with The IIAs Standards, all respondents were asked
questions about who performed administrative tasks, quality assessments of the IAA, and technical
competency training for internal auditors. The questions required the respondent to indicate what
percentage of these activities are performed by the IAA, by service providers, or not performed at
all.
Performance Standard 2000 requires that the chief audit executive (CAE) should effectively
manage the internal audit activity to ensure it adds value to the organization. These activities
include administrative activities such as developing an audit plan and assigning audit tasks.
Performance Standard 2200 states that, Internal auditors should develop and record a plan for
each engagement, including the scope, objectives, timing, and resource allocations. The results in
Table 5-11 show that 91.5% of all respondents believe that their IAA performs the administrative
tasks appropriate for the department. The vast majority of IAA leadership takes charge of the
administrative responsibilities inherent in the IAA.
Table 5-11
Managing the Internal Audit Activity
Who Performs Audit Activities
Activity Total Number IAA Other Co-Sourced Out- Not Total
of Departments sourced Performed Percent
Respondents in by
by Activity Organization Activity
Administrative 7,750 91.5 3.6 2.3 1.2 1.4 100.0
(audit plan,
assign tasks)
Technical 8,746 44.4 14.1 6.6 21.3 13.6 100.0
competency
training for
auditors
Quality 8,212 37.0 13.5 5.3 17.4 26.8 100.0
assessment of
internal audit
activity
Note: Since respondents were asked to mark all that apply, the total number of respondents may not be the same for
each activity.
To continuously monitor the effectiveness of the IAA, Standard 1300 states, The CAE should
develop and maintain a quality assurance and improvement program (QA&IP). The QA&IP
should include both ongoing and periodic internal assessments that cover the entire spectrum of
audit and consulting work performed by the internal audit activity. The quality of the internal audit
activities are assessed by the IAA (37%), other departments (13.5%), or outsourced (17.4%).
About twenty-seven percent (26.8%) of the respondents do not perform quality assessments of
their internal audit activities. More details about respondents QA&IP programs can be found in
Chapter 4.
Standard 1210 requires that internal auditors possess the knowledge, skills, and other competencies
needed to perform their individual responsibilities. To be certain that the audit staff has the necessary
skills, 44.4% of the IAAs provide technical competency training for auditors. Other departments
within the organization provide 14.1% of the training, and 27.9% of training is either co-sourced or
outsourced. Of the respondents, 13.6% indicate that no training for the audit staff is provided.
Creating the Audit Plan
In accordance with IIA Performance Standard 2010 on Planning, the CAE should plan what to
audit based on risk assessment. Figure 5-6 indicates that 95.6% of CAEs plan their audit activity at
least annually, including 36.4% who update their plan multiple times a year.
Figure 5-6
Percentage Frequency of Audit Plan Updating
No audit plan
3.2%
Every two years
0.7%
More than every
two years
0.5%
Every year
59.2%
Multiple times
per year
36.4%
Figure 5-7 lists the methods CAEs use to determine the audit plan. The use of risk-based methodology
required by Performance Standard 2010 and Practice Advisory PA 2010-1, Planning, is used by
86.7% of the respondents. This method is supplemented by 73.1% of respondents who include
requests from management. Audit planning is also influenced by consulting the previous years
plan (62.8%) and consultation with divisional or business heads (62.9%). Strong influence on the
audit plan can come from audit committee requests (55.5%) and compliance/regulatory requirements
(58.8%) as well.
Figure 5-7
How the Audit Plan is Established
Note: The respondents were asked to mark all that apply so the total percentages may be more than 100.
As shown in Table 5-12, the groups CAEs show a consistently high percentage of reliance on risk-
based methodology for audit planning, from a low of 75% to a high of 100%. Audit committee/
oversight committee requests are strongly supported in groups 1, 2, 3, 11, and 12, and there is high
reliance and compliance/regulatory requirements in groups 1, 2, 7, and 12. Requests from
management and review of previous years audit plan are also supported.
Table 5-12
How Audit Plan is Established by Groups*
Method 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Use of a risk-based 89.1 94.2 94.6 87.3 85.1 89.8 82.0 77.2 75.0 93.6 91.3 100.0 78.7
methodology
Consult previous 62.0 61.6 59.2 80.4 60.6 65.6 60.9 59.9 56.8 53.2 66.3 88.9 68.1
years audit plan
Consultation with 73.1 87.2 78.9 42.2 52.6 49.7 46.1 54.1 40.9 80.9 57.5 44.4 49.6
divisional or business
heads
Requests from 78.8 81.4 72.8 53.9 74.9 71.3 64.1 73.5 68.2 59.6 67.5 88.9 62.4
management
Audit committee/ 65.7 81.4 68.0 36.3 28.0 38.9 37.5 51.0 47.7 51.1 71.3 77.8 48.9
oversight committee
requests
Compliance/regulatory 66.2 67.4 58.5 43.1 39.4 59.2 65.6 55.1 52.3 34.0 55.0 77.8 56.0
requirements
Requests from or 40.8 58.1 50.3 22.5 16.6 47.1 22.7 23.1 9.1 38.3 35.0 33.3 30.5
consultation with
external auditors
Other 8.9 9.3 7.5 7.8 14.9 12.1 15.6 7.5 11.4 8.5 6.3 22.2 7.1
Total number of
respondents 878 86 147 102 175 157 128 294 44 47 80 9 141
Note: The respondents were asked to mark all that apply so that the total percent by group may be more than 100.
Allocation of IAAs Time
The definition of internal auditing and Standard 2100, Nature of Work, includes three broad areas
of responsibility for IAAs to evaluate and contribute to the improvement of risk management,
control, and governance processes. The following summarizes the respondents responses about
the how IAAs time is allocated, the types of audits performed in the organization and who performs
them, and what tools are used by the IAA when performing their work. Audits are generally placed
in three categories, (1) general types of audits, (2) audits performed in the areas of risk management,
control, and governance processes, and (3) other audit activities.
In order to gauge the extent of various types of internal audit activities performed by the IAAs,
respondents were asked to estimate the time spent on compliance audits, consulting/advisory,
financial process audits, fraud investigations, governance audits, information technology audits,
operational, management audits, and other types of audits. Table 5-13 on the following page shows
the mean percentage of time spent for all respondents over a period of 6 years (3 years ago,
currently, and an estimate for 3 years from now).
Table 5-13
Average of IAAs Time Spent on Audits
for All Respondents in Mean Percentages
Activity Mean Mean Mean Anticipated
Percentage of Percentage Percentage of Change in Mean
Time Spent 3 of Current Time Expected Percentage of
Years Ago Time Spent to be Spent 3 Time Spent from
Years from Now 2003 to 2009
Compliance audits (laws, 23.4 22.4 19.9 -3.5
regulations, and policy)
Operational 22.5 21.1 19.5 -3.0
Financial process audits 15.5 14.9 13.8 -1.7
(including assistance to the
external auditor)
Consulting/advisory 8.2 9.8 11.5 +3.3
Information technology audits 7.9 9.7 12.3 +4.4
Other 6.6 3.3 2.6 -4.0
Fraud investigations 5.9 6.1 6.2 +0.3
(forensic accounting/auditing
Management audits 5.2 5.5 5.8 +0.6
Governance audits (ethics, 4.8 7.2 8.4 +3.6
control framework, regulatory,
linkage of strategy, and
company performance)
Total 100.0 100.0 100.0
Note: Responses are in percentages and the mean percentage is the average response for that activity.
For the six-year period, while no one type of audit appears to dominate the work performed by
IAAs, respondents indicate that most of the IAAs time was, is, and will be spent on compliance
audits (23.4% past, 22.4% current, and 19.9% future). Time spent on operational auditing is a close
second with 22.5% in the past, 21.1% currently, and 19.5% in the future. The third largest type of
audit is financial with 15.5% of audit time three years ago, 14.9% currently, and 13.8% in the
future. As the time spent on those types of audits has been decreasing, the time spent on consulting,
governance, and information technology is increasing. This seems reasonable since the definition
of internal auditing changed to include consulting and governance in 1999.
Types of Audits Performed
Table 5-14 lists types of audits and who performs them. The top four types of audits performed by
the IAA are internal auditing (85.6%), operational auditing (79.1%), investigations of fraud and
irregularities (56.3%), and financial auditing (56%). Other IAA engagements include ethics audits
(47.1%), management effectiveness audits (48.5%), and information technology department
assessments (45.4%). The three largest audit areas that are co-sourced or outsourced are financial
auditing (27.2%), information technology department assessment (18.8%), and quality/ISO audits
(14.1%). The three areas where audits are less likely to be performed by the IAA are social and
sustainability audits (40.0%), quality/ISO audits (32.6%), and ethics audits (27.4%).
The results in Table 5-13 indicate that IAAs anticipate spending most of their time on compliance
audits, operational audits, and financial process audits. Table 5-14 shows that operational audits
and financial auditing are most often performed by the IAA. The internal auditing category in
Table 5-14 presumes to include compliance auditing since that was not asked separately in this
survey question. The results for where the IAAs time is spent and who performs these audit
activities appear to be consistent for the respondents. Fraud investigations, ethics audits, and
information technology department audits do not consume much IAA time in Table 5-13, but are in
the domain of many IAAs as indicated in Table 5-14.
Table 5-14
Types of Audits
Who Performs Audit Activities
Type of Audit Total IAA Other Co- Out- Not Total
Number Department in Sourced sourced Performed Percent
of Respondents Organization by Activity
by Activity
Internal auditing 7,918 85.6 3.4 4.8 3.3 2.9 100.0
Operational audits 8,443 79.1 11.9 3.6 2.5 2.9 100.0
Investigations of 9,877 56.3 31.4 5.9 3.8 2.6 100.0
fraud and
irregularities
Financial auditing 8,989 56.0 14.7 7.2 20.0 2.1 100.0
Management 8,324 48.5 28.4 3.7 3.1 16.3 100.0
effectiveness
review/audit
Ethics audits 7,828 47.1 21.3 3.0 1.2 27.4 100.0
Information 8,959 45.4 28.8 8.8 10.0 7.0 100.0
technology
department
assessment
Social and 7,648 22.7 30.4 3.4 3.5 40.0 100.0
sustainability
audits
Quality/ISO audits 7,896 20.5 32.8 4.6 9.5 32.6 100.0
Risk, Controls, and Governance Audits
Practice Advisory 1311-1, Internal Assessments, states, The CAE is responsible for establishing
an internal audit activity whose scope of work includes all the activities in the Standards and in the
definition of internal auditing, which includes effectiveness of risk management, control, and
governance processes. Realizing that all audits have some elements of all three, the following
summarizes the type of audit activities performed in these three areas and who performs these
audits.
Effectiveness of Risk Management
The internal auditor has several responsibilities for the effectiveness of risk management within an
organization. Standard 2110, Risk Management, states that the IAA should assist the organization
by identifying and evaluating significant exposures to risk and contributing to the improvement of
risk management and control systems. Standard 2600, Resolution of Managements Acceptance
of Risks, highlights the importance of the CAE discussing risks and other internal audit findings
with senior management. If the decision regarding residual risk is not resolved, the CAE should
report the matter to the board for resolution.
Table 5-15 shows the major audit activities performed in the risk, control, and governance areas.
Risk management work performed within organizations includes business viability assessments,
information risk assessment, and enterprise risk management. While the majority of business
viability assessments are performed by other departments within the organization (51.6%), IAAs
perform 24.6% of these audits and 16.8% of the respondents report that these audits are not
performed. In the area of information risk assessment, the IAA performs 47.5% of the activities
and other departments perform 30.9% and 15.2% of this work is co-sourced or outsourced. For
enterprise risk management activities, IAAs perform 37.6% of these assessment activities, other
departments within the organization perform 43.6%, and 6.5% of these activities are co-sourced or
outsourced.
Table 5-15
Who Performs Risk, Control, and Governance
Audit Activities
Activity Total IAA Other Co- Out- Not Total
by Activity
Internal control 9,366 70.8 17.0 6.3 4.2 1.7 100.0
testing/systems
evaluation
Control framework 8,772 58.9 28.6 4.6 1.5 6.4 100.0
monitoring and
development
Compliance with 9,181 51.4 35.3 5.0 2.0 6.3 100.0
corporate
governance and
regulatory code
requirements
Information risk 9,282 47.5 30.9 8.2 7.0 6.4 100.0
assessment
Enterprise risk 8,679 37.6 43.6 5.0 1.5 12.3 100.0
management
Resource 8,096 32.1 47.9 3.6 2.0 14.4 100.0
management and
controls
Linkage of strategy 8,266 26.3 55.8 3.8 1.6 12.5 100.0
and company
performance
Business viability 7,742 24.6 51.6 4.5 2.5 16.8 100.0
assessments
Audits of Controls
Standard 2120, Control, states that the IAA should assist the organization in maintaining effective
controls. In Table 5-15, respondents indicate that 70.8% of the activities to test internal controls
and systems evaluation are done by the IAA. Other departments perform 17% of the same activities
and 10.5% of these activities are co-sourced or outsourced.
Corporate Governance
Standard 2130, Governance, requires IAAs to assess and make appropriate recommendations for
improving the governance process. Table 5-15 lists several governance audit activities performed
within organizations. The corporate governance activities performed by IAA includes control
framework monitoring and development (58.9%), compliance with corporate governance and
regulatory code requirements (51.4%), resource management and controls (32.1%), and linkage
of strategy and company performance (26.3%). Logically, other departments within organizations
are very active in compliance with corporate governance and regulatory code requirements (35.3%)
and in the areas of linkage of strategy and company performance (55.8%) and resource management
and controls (47.9%).
Compliance or Special Consulting Projects
Table 5-16 shows audit activities from the list provided to the respondents in the CBOK 2006
questionnaire that are compliance activities or special consulting projects. Practice Advisory
2120.A1-1, Assessing and Reporting on Control Processes, states that testing compliance with
laws, regulations, and contracts is part of the IAAs study and evaluation of internal controls.
Two areas where the IAA performs compliance activities are compliance with company privacy
policies (43.1%) and health, safety, and environment (22.1%).
The definition of internal auditing includes consulting in its scope of acceptable audit activity. A
few areas of consulting included in the study indicate that 11.3% of the activities for corporate
takeovers/mergers are performed by IAAs while 50.4 % are handled by other departments in the
organization. The IAA provides 46.2% of the support for external auditors, other departments
provide 28.1% and co-sourced or outsourced work accounts for 14% of the activities required.
Project management activities are performed mainly by other departments (58.3%) with 27.7% of
these activities performed by the IAA. The IAA and other departments in the organization each
provide 39.6% of the activities for special projects with 15.4% being co-sourced or outsourced.
Table 5-16
Who Performs Other Audit Activities
Activity Total IAA Other Co- Out- Not Total
by Activity
External audit 8,421 46.2 28.1 5.1 8.9 11.7 100.0
assistance
Compliance with 8,584 43.1 42.1 4.0 1.6 9.2 100.0
company privacy
policies
Special projects 10,414 39.6 39.6 8.3 7.1 5.4 100.0
Project 8,542 27.7 58.3 5.1 2.8 6.1 100.0
management
Health, safety, 8,083 22.1 57.3 4.2 3.0 13.4 100.0
and environment
Corporate 7,796 11.3 50.4 4.9 3.8 29.6 100.0
takeovers/mergers
Performing the Engagement The Use of Tools
This section summarizes the use of 16 tools and techniques currently in place or planned to be used
by IAAs globally. The demands on the IAA and its staff are increasing as the significance and
usefulness of the work of the IAA become better known and valued throughout the organization.
Internal audit is designed to add value and improve an organizations operations by bringing a
systematic, disciplined approach to evaluation, improvement, and effectiveness of risk management,
controls, and governance. As internal auditing resources may be constrained, the IAA must use
audit tools and techniques to use its time efficiently. The tools and techniques in the CBOK survey
were identified by reviewing the Standards and Practice Advisories, internal auditing literature,
past CBOK studies, and the CBOK 2006 pilot study. Based on this review, 16 tools and techniques
were identified as being important for the IAA. Respondents could not add to or amend the list that
was included in the CBOK 2006 survey. Some of the tools listed help with audit administration
(planning, managing, preparing working papers, etc.) while others relate to helping internal auditors
perform their engagements (analyzing data, statistical sampling, etc.). All the tools contribute to the
IAA adding value to the organization.
The selection of tools and techniques in this survey is supported by the Standards and Practice
Advisories. In the Standards and expanded upon in the Practice Advisories, certain tools are
emphasized:
Attribute Standard 1220, Due Professional Care, recommends that the internal auditor in
exercising due professional care should consider the use of computer-assisted audit tools
and other data analysis techniques.
Analytical review is supported in Practice Advisory 2100-10, Audit Sampling.
Risk-based audit planning is addressed in Standard 2010, Planning, which requires the
chief audit executive to establish risk-based plans to determine the priorities of the internal
audit activity, consistent with the organizations goals.
Standard 2010.A1, Assurance Engagement, states that the IAA plan of engagements should
be based on a risk assessment, undertaken at least annually. This issue is also analyzed by
the Practice Advisory 2010-2, Linking the Audit Plan to Risk and Exposures.
Practice Advisory 2100-10, Audit Sampling is defined as the application of audit procedures
to less than 100 percent of the population to enable the auditor to evaluate audit evidence
about some characteristics of the items selected to form or assist in forming a conclusion
concerning the population. Statistical sampling involves the use of techniques from which
mathematically constructed conclusions regarding the population can be drawn.
Practice Advisory 1311-1, Internal Assessments, suggests that Periodic Assessment may
include benchmarking of the IAA practices and performance metrics against relevant best
practices of the internal auditing profession.
The balanced scorecard tool is mentioned in Practice Advisory 1311-2, Establishing Measures
(Quantitative Metrics and Qualitative Assessments) to Support Reviews of Internal Audit
Activity Performance. This Practice Advisory reflects recommended practices for
measuring the performance of internal auditing and it is related to Standard 1311, Internal
Assessments.
Practice Advisory 2120.A1-2, Using Control Self Assessment (CSA) for Assessing the
Adequacy of Control Processes, states that the CSA methodology can be used by managers
and internal auditors for assessing the adequacy of the organizations risk management
and control processes. Internal auditors can utilize CSA programs for gathering relevant
information about risks and controls, for focusing the audit plan on high risk, unusual areas,
and to forge greater collaboration with operating managers and work teams.
Standard 1300, Quality Assurance and Improvement Program, requires the CAE to develop
and maintain a quality assurance and improvement program that covers all aspects of the
internal audit activity and continuously monitors its effectiveness. This program includes
periodic internal and external quality assessments and ongoing internal monitoring.
The respondents were asked to indicate which tools/techniques their IAAs currently use or plan to
use in the next three years by rating all the tools listed on a five point scale from 1, not used, to 5,
extensively used. Results are shown in means and/or in the frequency of respondents selecting a
tool/technique. Tables include responses by position, by response type, and/or by groups.
Current Usage of Audit Tools and Techniques
The use of various tools and techniques is fundamental for the effectiveness and efficiency of the
IAA in performing their engagements. The use of these tools/techniques helps the auditor successfully
plan, monitor progress, document, analyze data, complete the audit, and determine the magnitude
of audit findings. Table 5-17 indicates the extent that respondent IAAs currently use sixteen different
audit tools/techniques. The means listed in the table summarize the responses given by each staff
level of auditors: CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The
mean was calculated based on a scale of 1 (not used) to 5 (extensively used). An overall mean for
each item is also presented.
The results show that CAEs and Practitioners almost uniformly rank the tools/techniques currently
used by the IAA the same. Electronic communication (e.g., Internet, e-mail), risk-based audit
planning, analytical review, and electronic workpapers are currently the most utilized tools. Electronic
communication is overwhelmingly the highest ranked tool/technique for all respondents.
Table 5-17
Extent the IAA Currently Uses Audit Tools/Techniques
All Respondents by Mean*
Tools/Techniques Number of Overall CAE Audit Audit Audit Other
Respondents Mean Manager Senior/ Staff
Supervisor
Other electronic 6,629 4.08 3.98 4.15 4.19 4.13 3.64
communication
Risk-based audit 6,596 3.56 3.57 3.63 3.58 3.54 3.08
planning
Analytical review 6,619 3.21 3.12 3.21 3.28 3.23 3.05
Electronic workpapers 6,566 3.19 2.99 3.28 3.28 3.38 2.90
Statistical sampling 6,522 2.77 2.64 2.69 2.83 3.00 2.76
Computer-assisted 6,567 2.67 2.54 2.73 2.73 2.73 2.68
audit techniques
Flowchart software 6,526 2.42 2.31 2.51 2.45 2.46 2.41
Benchmarking 6,494 2.41 2.37 2.44 2.42 2.42 2.41
Process mapping 6,496 2.36 2.22 2.39 2.43 2.46 2.39
application
Control self-assessment 6,497 2.30 2.09 2.27 2.42 2.54 2.40
Data mining 6,385 2.26 2.18 2.26 2.29 2.37 2.18
Continuous/real-time 6,483 2.21 2.06 2.12 2.30 2.47 2.22
auditing
The IIAs quality 6,409 2.06 1.93 2.13 2.07 2.18 2.09
assessment review tools
Balanced scorecard or 6,417 2.02 1.85 2.06 2.09 2.13 2.07
similar framework
Total quality 6,366 1.97 1.79 1.98 2.00 2.19 2.11
management techniques
Process modeling software 6,352 1.69 1.51 1.66 1.78 1.88 1.87
*The mean is the average response to: 1 =Not Used, 2 =Moderately Used, 3 =Average Use, 4 =Very Much Used,
5 =Extensively Used.
Note: Since respondents were asked to mark all that apply, the total number of respondents may not be the same for
each audit tool/technique.
The tools/techniques that obtained the highest overall means from all respondents are:
1. Other electronic communication (e.g., Internet, e-mail) (4.08).
2. Risk-based audit planning (3.56).
3. Analytical review (3.21).
4. Electronic workpapers (3.19).
5. Statistical sampling (2.77).
The tools/techniques that received the lowest overall mean responses are:
12. Continuous/real-time auditing (2.21).
13. The IIAs quality assessment review tools (2.06).
14. Balanced scorecard or similar framework (2.02).
15. Total quality management techniques (1.97).
16. Process modeling software (1.69).
As shown in Table 5-17-1-A, even in regions of the world where access to the Internet might not
be easily or readily available, it is generally ranked the highest. Electronic working papers and risk-
based audit planning are uniformly ranked high by all respondents. Many of the remaining tools are
grouped in the 2.00 to 2.50 range, indicating moderate to average use.
Table 5-18 shows the means in rank order of use by staff level of the respondents. Each ranking
goes from 1, the tool/technique with the highest mean, to 16, the tool/technique with the lowest
mean. The consistency in ranking by all staff levels about usage of tools and techniques by their
IAAs is evident.
Table 5-18
Extent the IAA Currently Uses Audit Tools/Techniques
All Respondents by Mean Rank
Tools/Techniques Overall CAE Audit Audit Senior/ Audit
Average Manager Supervisor Staff Other
Other electronic communication 1 1 1 1 1 1
Risk-based audit planning 2 2 2 2 2 2
Analytical review 3 3 4 3/4 4 3
Electronic workpapers 4 4 3 3/4 3 4
Statistical sampling 5 5 6 5 5 5
Computer-assisted audit 6 6 5 6 6 6
techniques
Flowchart software 7 8 7 7 8/9 7/8
Benchmarking 8 7 8 9/10 11 7/8
Process mapping application 9 9 9 8 8/9 10
Control self-assessment 10 11 10 9/10 10 9
Data mining 11 10 11 12 12 12
Continuous/real-time auditing 12 12 13 11 7 11
The IIAs quality assessment 13 13 12 14 14 14
review tools
Balanced scorecard or similar 14 14 14 13 15 15
framework
Total quality management 15 15 15 15 13 13
techniques
Process modeling software 16 16 16 16 16 16
Note: In some cases the rankings were tied. For example, rankings of Benchmarking and Control Self Assessment at
the Audit Senior/Supervisor level were tied.
Although the means are generally lower for CAEs than for other respondents, the comparison of
the overall means with the means and rankings for CAEs and other respondents does not show
any significant differences between the categories of respondents. The only major differences
between the means for the different staff levels relate to:
Continuous real-time auditing (2.06, ranked 12 for the CAE versus 2.47, ranked 7 for
Audit Staff).
Electronic working papers (2.99, ranked 4 for the CAE versus 3.38, ranked 3 for Audit
Staff).
Control self-assessment (2.09, ranked 11 for the CAE versus 2.54, ranked 10 for the Audit
Staff).
Statistical sampling (2.64, ranked 5 for the CAE versus 3.00, ranked 5 for Audit Staff).
The analysis of the means according to the 13 groups is provided in Table 5-17-1-A in Appendix 5.
There are noticeable differences for electronic workpapers (3.53 for group 8 and 1.97 for group
12), risk-based audit planning (3.91 for group 3, 3.86 for groups 2 and 10, and 2.53 for group 4), and
other electronic communication (4.38 for group 10; and 3.15 for group 12). Differences related to
access to electronic resources may be reflected in the results for some of the groups.
Table 5-17-2 shows the rankings by groups. Each ranking goes from 1, the tool/technique with the
highest mean in the group, to 16, the tool/technique with the lowest mean in the group. This
comparison shows that the degree of consensus on most tools and techniques among the different
groups is very high. This is the case for other electronic communications which ranks first or
second in each group. Process modeling software is always ranked between 13 and 16, analytical
review is always ranked between second and sixth and electronic workpapers is ranked between
third and seventh. The highest variability in this comparison, which indicates the lowest level of
consensus, relates to data mining (groups 7 and 9), continuous real-time auditing (groups 4 and 11),
control self-assessment (groups 4 and 12), and process mapping application (groups 8 and 10).
When analyzing the ranking information most groups are within two rankings of the overall ranking.
Exceptions are group 7 with 50% of their rankings more than two places away, group 10 with
37.5% of their rankings more than two places away, and groups 1, 4, and 12 have 31% of their
rankings more than two places away from the overall ranking.
Table 5-17-2
Tools and Techniques Currently Used by Group*
All Respondents by Mean Rank**
Overall 1 2 3 4 5 6 7 8 9 10 11 12 N/C***
Tools/Techniques**** Average
Other electronic 1 1 2 2 1 1 1 2 1 1 1 1 1 1
communication
Risk-based audit 2 2 1 1 6 2 2 1 2 2 2 2 2 2
planning
Analytical review 3 5 4 5 2 4 4 6 4 3 4 3 5 4
Electronic workpapers 4 3 5 3 3 3 3 3 3 5 3 5 7 3
Statistical sampling 5 6 7 6 7 6 6 5 7 7 9 6 4 6
Computer-assisted 6 4 3 4 9 5 5 4 6 4 5 4 3 5
audit techniques
Flowchart software 7 8 11 13 11 9 13 11 11 11 12 13 14 11
Benchmarking 8 11 8 7 10 11 8 14 10 10 6 7 6 12
Process mapping 9 13 10 12 8 7 7 7 5 12 14 10 9 9
application
Control self- 10 12 6 8 4 10 10 8 8 8 7 8 13 8
assessment
Data mining 11 7 9 11 12 8 9 16 9 6 13 11 11 10
Continuous/real-time 12 9 12 10 5 13 11 9 13 9 10 14 10 7
auditing
The IIAs quality 13 10 13 9 14 12 12 10 14 13 8 9 12 13
assessment review
tools
Balanced scorecard 14 15 14 15 16 15 14 15 12 15 11 15 15 15
or similar framework
Total quality 15 14 15 14 13 14 16 12 16 14 15 12 8 14
management
techniques
Process modeling 16 16 16 16 15 16 15 13 15 16 16 16 16 16
software
**The ranking goes from 1 (the tool/technique with the highest mean in the group) to 16 (the tool/technique with the
lowest mean in the group).
***N/C =Respondents did not indicate affiliate or chapter membership.
****The tools/techniques are presented in the table in a decreasing order, according to the ranking of the overall means.
Table 5-19 summarizes how all respondents replies are distributed along the 5 options: not used;
moderately used; average use; very much used; and extensively used. The frequencies show the
extent to which the internal audit activity (IAA) currently uses the listed audit tools and techniques
when compared to the overall mean usage of all respondents IAAs. This table provides a more
detailed picture of overall usage of tools and techniques. Since some respondents organizations
and IAAs are much larger and older than others, they may use more audit tools and have more
resources to purchase and apply the listed tools and techniques.
Table 5-19
Extent the IAA Currently Uses the
Listed Audit Tools/Techniques
All Respondents by Mean and Frequency
Tools/Techniques Number of Mean* % % % % %
Respondents Not Moderately Average Very Extensively
Used Used Use Much Used
Used
communication
(e.g., Internet,
e-mail)
Risk-based audit 6,611 3.56 8.0 13.6 21.3 28.8 28.3
planning
Computer-assisted 6,581 2.67 22.3 25.4 25.0 17.5 9.8
audit techniques
Benchmarking 6,505 2.41 24.9 30.9 26.6 13.7 3.9
Process mapping 6,510 2.36 36.1 21.4 20.9 13.9 7.7
application
Control self- 6,511 2.30 34.1 26.0 21.1 13.0 5.8
assessment
Data mining 6,399 2.26 36.1 25.4 20.8 12.1 5.6
auditing
Table 5-19 (Cont.)
Extent the IAA Currently Uses the
Listed Audit Tools/Techniques
Used
The IIAs quality 6,424 2.06 46.6 20.8 17.4 10.5 4.7
assessment review
tools
Balanced scorecard 6,427 2.02 48.4 19.2 18.8 9.8 3.8
or similar framework
Total quality 6,380 1.97 48.6 21.9 17.5 8.5 3.5
Process modeling 6,366 1.69 62.7 16.6 12.4 5.8 2.5
software
Extensively Used
The analysis of the usage frequencies reveals that some tools are used extensively for a significant
portion (more than 25%) by the respondents IAAs:
1. Other electronic communication (e-mail, Internet) (46.2%)
2. Risk-based audit plan (28.3%)
3. Electronic working papers (26.5%)
These particular tools match three core tasks of the IAA, planning, documenting field work, and
communication. The latter two tasks can be very labor intensive when completed without technology
support. For IAAs to have invested and developed tools in these areas seems appropriate.
The frequency of the extensively used category for these three tools and techniques shows their
importance to the IAAs. The use of these tools allows the IAA to function efficiently and effectively.
This is especially true for the use of electronic communication and electronic working papers
which help with audit administration. A risk-based audit plan also helps with the performance of the
audit. When available resources are limited, both financially and by number of staff, technology
allows the IAA to expand its scope.
These findings are consistent with those based on the mean scores for other electronic communication
and risk-based audit plan. As shown on the frequency distribution in Table 5-19, there is a difference
for analytical review, which has a relatively high overall mean (3.21) and ranking (3) but has a
lower percentage in the extensively used category (12.3%). Although electronic workpapers is
ranked fourth with a mean of 3.19, in the frequency distribution it is shown as having 26.5% of
respondents indicating extensively use. The use of a risk-based audit plan is in keeping with Standard
2010.A1, Planning, which states that the IAAs Plan of engagements should be based on a risk
assessment, undertaken at least annually. This is supported elsewhere in the Standards and
Practice Advisories. Over 78% of respondents indicate that they extensively use, very much use,
or have average use of this technique.
In Appendix 5, Table 5-19-1-A shows extensively used responses for tools/techniques by auditor
position. This table reveals that there are usually lower frequencies for the response extensively
used for CAEs. This is consistent with the means analysis. This may be due to the increased
administrative work and outreach that CAEs do in their daily work. As the head of the department,
the CAE must be aware of the activities and audits undertaken, but be less involved in the daily
operating activities and the audit process. Standard 2030, Resource Management, states that the
CAE should ensure that internal audit resources are appropriate, sufficient, and effectively deployed
to achieve the approved plan. The most significant differences in this table are for electronic
communications (41.5% for the CAE, 50.6% for Audit Seniors/Supervisors), electronic workpapers
(21.1% for CAEs, Audit Staff 30.9%), and risk-based audit planning (29.6% for Audit Seniors/
Supervisors, Other 17%).
Not Used
The analysis of frequencies makes it possible to identify those tools that are currently not used at
all by respondents in auditing activities. According to Practice Advisory 1210-1, Proficiency, not
everyone in the IAA must be able to apply the tools and techniques required in performing
engagements. Rather, the IAA must collectively possess this ability. This means that all members
of the IAA should be aware of the use of various tools and techniques in the department, but each
staff member need not have a specific facility and ability to use the tool.
An unusually high number of the listed tools and techniques are indicated as not being used at all
based on Table 5-19. This information can be very important for practitioners, consultants, standard
setters, software companies, and others servicing or involved with the internal audit profession.
More than one-fifth of the respondents do not use benchmarking (24.9%) or computer-assisted
audit techniques (22.3%). The least used tool is process modeling software which is not used by
62.7% of respondents. Many other tools are indicated as not being used by more than 30% of
respondents.
The percentage of respondents that do not currently use the listed tools and techniques that fall into
this category are:
Process modeling software (62.7% of respondents do not use this tool).
Total quality management techniques (48.6%).
The balanced scorecard or similar framework (48.4%).
The IIAs quality assessment review tools (46.6%).
Continuous/real-time auditing (39.0%).
Data mining (36.1%).
Process mapping application (36.1%).
Control self-assessment (34.1%).
Flowchart software (31.7%).
Standard 1300, Quality Assurance and Improvement Program, requires the CAE to develop and
maintain a quality assurance and improvement programand continuously monitors its
effectiveness. This program is designed to help the internal audit activity add value and improve
the organizations operations. Many IAAs see value in implementing this standard. Low use of
The IIAs quality assessment review (QAR) tools makes compliance with this standard and
contributing to the organizations governance, risk management, and effectiveness more difficult.
In Chapter 4, 32.8% of respondents indicated that they currently have a quality assessment and
improvement program in place and 21.9% intend to put one in place in the next 12 months.
According to Practice Advisory 2100-6, Control and Audit Implications of E-commerce Activities,
when control self-assessment (CSA) is used by management to review controls, the IAA should
review the policies for authenticating transactions and evaluating controls. The use of electronic
systems and models is the most effective way to monitor and evaluate e-commerce activities. The
list of tools and techniques above indicates that many respondents do not use the listed tools and
techniques that would enable IAA staff to easily test systems and controls.
Table 5-19 further reveals that statistical sampling (indicated as not used by 18%) is often used in
a moderate or average way. This is in accordance with Practice Advisory 2100-10, Audit Sampling.
The use of benchmarking is similar. Some management techniques, such as total quality management
(48.6% not used) and the balanced scorecard (48.4% not used), are not generally used in internal
audit activities.
Control self-assessment (CSA) is not widely used by the IAA (34.1% not used), so that in most
organizations the involvement of management in self-evaluating the control activity might not be
fully exploited. However, it is important to distinguish between control self-assessment as an audit
technique for the internal auditor to complete an audit engagement and CSA as a management
practice implemented in an organization with or without the involvement of the IAA. Management
should self-assess their internal control on an ongoing basis as part of their managerial responsibilities
external to the IAA.
In Appendix 5, Table 5-19-2-A shows by frequency and positional level of the respondent the audit
tools and techniques that are not currently used by the IAA. The frequencies for the answer not
used are generally higher for CAE respondents than for Practitioners. Differences between the
frequencies for tools not used are markedly different for control self-assessment (40.8% CAE,
27.3% for Audit Staff), process modeling software (69.9% CAE, 55.3% Audit Staff), and total
quality management techniques (54.1% CAE, 41.6% Audit Staff).This continues the pattern
previously noted.
In Appendix 5, Table 5-19-3-A details the frequency for all 13 groups for the response not currently
used. Major differences include the use of electronic workpapers (66.7% in group 12 versus
7.8% in group 8), flowchart software (73.5% in group 12 versus 25.5% in group 1), and process
mapping application (62.5% in group 12 versus 22.5 in group 8). In group 12, for most tools/
techniques the frequency of the not used response is higher than in other groups. Other differences
among the groups indicate a general lack of consistency in the use of the listed tools and techniques
globally.
The groups means and frequencies highlight differences in the current practice globally among the
listed tools and techniques. Electronic communication and electronic working papers are extensively
used. Process modeling software is often not used by auditors (62.7%), while computer-assisted
audit techniques and flowchart software are moderately used. In some respondents organizations,
process mapping application and data mining are not used (frequency of 36.1% for each tool). This
is also true for continuous/real-time auditing (39.0% not used). Standard 1220, Due Professional
Care, recommends that the internal auditor exercise due professional care and consider the use of
computer-assisted audit tools and other data analysis techniques.
Respondents by group indicate that auditing techniques such as analytical review and a risk-based
approach for audit planning are generally used and in many cases used extensively. Data suggests
that IAAs are focusing their resources and activities on critical areas and on the organizations
primary business risks.
Predictive Changes in the Use of Audit Tools and Techniques Over the
Next Three Years
It is important to understand how the IAA plans to change the way it performs audits and how it
plans to become more effective and efficient as it adds value to its organization. Table 5-20 provides
an overall view of the extent to which respondents IAAs intend to use the listed tools and techniques
in the next three years. Again, respondents did not have an opportunity to list tools not mentioned
on the pre-established list. An overall mean response and means by respondents staff level are
provided.
Using the overall mean for all respondents, the top five means for tools where usage is expected to
increase are:
1. Other electronic communication (e.g., Internet, e-mail) (4.16).
2. Risk-based audit planning (3.99).
3. Electronic workpapers (3.68).
4. Analytical review (3.42).
5. Computer-assisted audit techniques (CAAT) (3.37).
Respondents are consistent with their emphasis on the same tools and techniques as they are
currently using. The only change in the top five tools when compared to current use is with number
five. Statistical sampling (currently ranked sixth) has been replaced by computer-assisted audit
techniques which had been ranked sixth.
Table 5-20
Extent the IAA Plans to Use the
Listed Audit Tools/Techniques in the Next Three Years
All Respondents by Mean*
Tools/Techniques Number of Mean CAE Audit Audit Audit Other
Respondents Manager Senior/ Staff
Supervisor
communication (e.g.,
Internet, e-mail)
Risk-based audit planning 4,789 3.99 4.09 4.05 3.96 3.84 3.54
Computer-assisted audit 4,826 3.37 3.36 3.44 3.39 3.26 3.23
techniques
Data mining 4,731 2.84 2.84 2.88 2.86 2.80 2.63
Benchmarking 4,741 2.79 2.80 2.84 2.77 2.73 2.74
auditing
The IIAs quality 4,799 2.73 2.73 2.82 2.69 2.66 2.70
Process mapping application 4,767 2.72 2.65 2.71 2.79 2.79 2.77
Total quality management 4,772 2.43 2.34 2.44 2.46 2.52 2.57
techniques
similar framework
Process modeling software 4,749 2.08 1.95 2.05 2.17 2.23 2.30
In Appendix 5, Table 5-20-1-A shows groups means for use of tools and techniques in the next
three years. Again there is consistency globally when taking out the high and low outliers. There
are noticeable differences for total quality management between group 8 and group 12. Other tools
with a difference of more than 1.25 between groups include benchmarking, CAAT, continuous/
real-time auditing, data mining, risk-based audit planning, and statistical sampling.
By comparing the overall means from Table 5-20 and rankings from Table 5-21, with the means
and rankings for CAEs and other practitioners by staff level, there is a high level of consistency
between the staff levels. This reinforces the expectation that CAEs would adequately communicate
plans and expectations with all members of the IAA staff. The only major difference is for the
planned use of risk-based audit planning (4.09 for the CAE versus 3.54 for Other), but all positions
rank this technique as second most used or to be used.
Table 5-21
Extent the IAA Plans to Use the
Listed Audit Tools/Techniques in the Next Three Years
All Respondents by Rank*
Tools/Techniques Number of Overall CAE Audit Audit Audit Other
Respondents Average Manager Senior/ Staff
Supervisor
Other electronic 4,751 1 1 1 1 1 1
Internet, e-mail)
Risk-based audit planning 4,789 2 2 2 2 2 2
Electronic workpapers 4,816 3 3 3 3 3 3
Analytical review 4,731 4 4 5 4 4 4
Computer-assisted audit 4,826 5 5 4 5 5 5
techniques
Statistical sampling 4,756 6 6 6 6 6 6
Data mining 4,731 7 7 7 8 9 13
Control self-assessment 4,816 8 9 12 7 7 7
Benchmarking 4,741 9 8 8/9 11/12 12 10
Continuous/real-time 4,845 10 10/11 11 9 8 12
auditing
Flowchart software 4,794 11 12 8/9 11/12 11 8
The IIAs quality 4,799 12 10/11 10 13 13 11
Process mapping application 4,767 13 13 13 10 10 9
Total quality management 4,772 14 14 14/15 14/15 14 14
techniques
Balanced scorecard or 4,770 15 15 14/15 14/15 15 15
similar framework
Process modeling software 4,749 16 16 16 16 16 16
Note: In some cases the rankings were tied. For example, rankings of continuous/real-time auditing and The IIAs
quality assessment review tools at the CAE level were tied.
The frequency analysis provides another view of the extent the IAA plans to use the listed audit
tools/techniques in the next three years. Table 5-22 reports the frequencies for all respondents.
Table 5-22
Extent the IAA Plans to Use the Listed Audit Tools/Techniques
in the Next Three Years
Used
Internet, e-mail)
Risk-based audit 4,789 3.99 3.1 6.6 17.6 33.6 39.1
planning
Computer -assisted 4,826 3.37 7.8 15.8 26.8 31.1 18.5
audit techniques
Data mining 4,731 2.84 18.7 21.9 26.5 22.4 10.5
Benchmarking 4,741 2.79 13.5 27.6 31.4 21.3 6.2
auditing
The IIAs quality 4,799 2.73 20.3 23.7 27.5 19.4 9.1
assessment review
tools
Process mapping 4,767 2.72 22.6 22.2 25.6 19.8 9.8
application
Total quality 4,772 2.43 30.0 24.5 24.7 14.6 6.2
similar framework
Process modeling 4,749 2.08 43.9 22.4 19.6 10.0 4.1
software
Tools that Will Be Extensively Used
Generally, respondents expect that there will be an extensive use of a wide range of tools in the
next three years, usually more than at present. The results when comparing the overall frequency
in Table 5-22 with the results in Table 5-19 show several significant increases in the use of the
listed tools.
Risk-based audit planning (usage of 39.1% in the next three years versus 28.3% current
usage)
Computer-assisted audit techniques (18.5% in the next three years versus 9.8% currently)
Electronic workpapers (33.8% in the next three years versus 26.5% currently)
The IIAs quality assessment review tools (9.1% in the next three years versus 4.7%
currently)
The general increase in the frequencies of the extensively used response is consistent for both
CAEs and Practitioners. There are slight differences between the two categories of respondents
when comparing the results in Table 5-19-1-A and Table 5-22-1-A:
Risk-based audit planning (12.9% increase for CAE versus 7.0% increase for Audit Staff)
Other electronic communication (8.3% increase for Other versus 0.7% increase for Audit
Manager)
Tools that Will Not be Used in the Next Three Years
Table 5-23 compares some of the results of Table 5-22-2-A in Appendix 5 that lists the tools that
will not be used in the next three years with Table 5-19-2-A in Appendix 5 that shows tools not
currently used. The decrease in the overall frequencies for all respondents (which means an
increase in the number of respondents who will use a certain tool) is particularly relevant for the
following tools and techniques.
Table 5-23
Comparison of Audit Tools/Techniques Not Currently Used by the IAA
Now and in the Next Three Years
All Respondents Percentage
Tools and Techniques Respondents Respondents Projecting That This
Indicating Tool Will Not Be Used in the Next
Currently Not Used Three Years
Process modeling software 62.7 43.9
Balanced scorecard or similar 48.4 31.2
framework
IIAs quality assessment 46.6 20.3
review tools
Continuous real-time auditing 39.0 18.0
Data mining 36.1 18.7
Control self-assessment (CSA) 34.1 15.1
Computer-assisted audit 22.3 7.8
techniques
These findings are important since they reveal that most CAEs and Practitioners in the near future
intend to use the tools and techniques suggested by the Standards, Practice Advisories, and best
practices even when they are currently not used today. The expected increase for the CSA tool as
well as for continuous/real-time auditing will contribute to making management more aware of and
responsible for the internal control system.
Resolution of Major Differences
Practice Advisory 2410-1, Communication Criteria, suggests As part of the internal auditors
discussions with the engagement client, the internal auditor should try to obtain agreement on the
results of the engagement and on a plan of action to improve operations, as needed. Respondents
were asked to indicate at what points in the audit process major differences are resolved. Each
category could be selected by each respondent since they may resolve major issues in several
phases of the audit process. Table 5-24 shows that 44.5% of the respondents usually resolve major
differences during fieldwork and 45.2% usually resolve them during audit reporting. Thirty-two
point four percent sometimes resolve audit issues during planning, and 28.5% indicated that resolution
rarely happens during the planning stage.
Table 5-24
When Are Major Audit Issues Resolved
for All Respondents by Percentage
When Resolved During During During Audit After the Never*
Planning Audit Reporting Audit % of 4,319
% of 6,358 Fieldwork % of 6,760 Report is Respondents
Respondents % of 6,710 Respondents Issued
Respondents
Never 16.1 1.9 2.0 18.6 61.2
Rarely 28.5 6.6 7.1 31.6 24.4
Sometimes 32.4 37.1 27.8 20.6 9.2
Usually 16.3 44.5 45.2 18.6 2.6
Always 6.7 9.9 17.9 10.6 2.6
Total 100.0 100.0 100.0 100.0 100.0
*The researchers presume this means that issues were never left unresolved throughout the process.
Approximately 23% of all respondents believed that audit issues are always or usually resolved
during planning; about half of them noted that audit issues are usually or always resolved during
audit fieldwork (54.4%); and about 63.1% of them thought that issues are resolved during audit
reporting. About 5.2% of these issues do not appear to ever be followed up. It seems that major
audit issues are resolved throughout the audit process but predominantly during fieldwork and the
audit reporting period.
Reporting of Findings
Standard 2440, Disseminating Results, states, The chief audit executive should communicate
results to the appropriate parties. Figure 5-8 indicates that a majority of 58.8% of the respondents
agree that the responsibility of reporting audit findings rests with the CAE. The next staff level for
reporting results that respondents selected is the Audit Manager (19.6%).
Figure 5-8
Primary Responsibility for Reporting Findings to
Senior Management
No formal
reporting of
results
1.1%
Other
1.9%
Auditee/client
3.4%
Both internal
audit manager
and auditee/client
7.4%
Both CAE and
auditee/client
7.8%
Internal audit
manager
19.6%
CAE
58.8%
As shown in Table 5-25, CAEs believe they have the primary responsibility for reporting the audit
findings alone (75.1%) or jointly (10.3%) with the auditee/client, while Audit Managers indicate
they should report the findings alone (28.2%) or with the auditee/client (9.4%). Audit Senior/
Supervisor, Audit Staff, and Other concur with the Audit Manager respondents.
Table 5-25
Primary Responsibility for Reporting Findings to Senior Management
Responsibility Total CAE Audit Audit Audit Staff Other Overall
for Reporting Respondents Respondents Manager Senior/ Respondents Respondents Average
Findings by % of Total Respondents Supervisor % of Total % of Total %
Position % of Total Respondents
% of Total
CAE 4,187 75.1 51.6 54.7 51.6 43.0 58.8
Internal audit 1,396 6.4 28.2 24.4 24.3 18.0 19.6
manager
Both chief 555 10.3 6.6 5.9 6.9 10.0 7.8
audit
executive
and auditee/
client
Both internal 528 3.6 9.4 9.8 8.0 7.0 7.4
audit
manager and
auditee/client
Auditee/ 240 2.7 2.8 2.5 5.2 7.5 3.4
client
Other 134 0.9 0.8 2.1 2.9 7.5 1.9
No formal 79 1.0 0.6 0.6 1.1 7.0 1.1
reporting of
results
Total respon- 7,119 100.0 100.0 100.0 100.0 100.0 100.0
dents/total
Monitoring Corrective Action
In Standard 2500, Monitoring Progress, The chief audit executive should establish and maintain a
system to monitor the disposition of results communicated to management. Standard 2500.A1
goes on to require that a follow-up process to monitor and ensure that management actions have
been effectively implemented or that senior management has accepted the risk of not taking action.
Figure 5-9 provides respondents beliefs about who has the primary responsibility for monitoring
corrective action on findings listed in audit reports. Fifty percent believe that both the internal
auditor and auditee/client have the primary responsibility for monitoring corrective action.
Figure 5-9
Primary Responsibility for Monitoring Corrective Action Taken
Other
1.9%
No formal
follow-up
3.1%
Auditee/client
13.7%
Internal auditor
31.3%
Both internal
auditor and
auditee/client
50.0%
In Table 5-26, the majority of the respondents (37.5% to 54.5%) believe that both the internal
auditor and auditee/client together have the primary responsibility to monitor that needed corrective
action has been adopted. Between 25.8% and 35.7% of the respondents indicated that the internal
auditor has the primary responsibility. With the exception of the Other respondents (8.5%), only
2.0% to 3.4% indicated they had no formal follow-up procedures.
Table 5-26
Primary Responsibility for Monitoring Corrective Actions Taken
Primary Total CAE Audit Audit Audit Staff Other Overall
Responsibility Respondents Respondents Manager Senior/ Respondents Respondents Average
by Position % of Total Respondents Supervisor % of Total % of Total Total
% of Total Respondents Percent
% of Total
Both internal 3,560 54.5 51.8 47.9 46.9 37.5 50.0
audit and
auditee/client
Internal auditor 2,226 28.0 30.4 34.3 35.7 25.8 31.3
Auditee/client 974 14.0 13.7 12.5 12.9 19.2 13.7
No formal 219 2.0 2.8 3.4 3.0 8.5 3.1
follow-up
Other 137 1.5 1.3 1.9 1.5 9.0 1.9
Total 7,116 100.0 100.0 100.0 100.0 100.0 100.0
respondents
Summary
The operation of the internal audit activity is complex and demanding. The chief audit executive
must manage both internal and external relationships, the administration and organization of the
activity, the plan and functioning of the audits performed, and resolve any issues that arise. The
Standards and Practice Advisories provide the guidance needed to accomplish these tasks, but
compliance may be challenging due to internal and external limitations placed upon the department.
The appointment procedures, performance evaluations, and reporting relationships for CAEs are
generally in accordance with Standard 1100, Independence and Objectivity, and 1110, Organizational
Independence. IAA independence is maintained by having board and senior management
involvement in the CAEs hiring and performance evaluation. The matrix relationship and participation
of key constituents helps maintain independence and the IAAs position in the organization.
Perceptions by CAE respondents provide a very positive view about the IAA within their
organizations, and the IAA is seen as highly credible. Many IAAs are relatively young but follow
the guidance included in the Standards and utilize the documents recommended by The IIA. Most
IAAs use a risk-based approach to engagement planning and allocate time in accordance with the
needs of the organization, focusing on the effectiveness of risk management, control, and governance
processes. CAEs and Practitioners almost uniformly rank the tools currently used by the IAA the
same, with electronic communication (e.g., Internet, e-mail), risk-based audit planning, analytical
review, and electronic workpapers as the most used tools. These tools are also expected to be the
most used in the next three years. Major audit issues are resolved throughout the audit process but
predominantly during fieldwork and the audit reporting period.
A
P
P
E
N
D
I
X

5
T
a
b
l
e

5
-
3
-
1
-
A
E
v
a
l
u
a
t
i
o
n

o
f

C
A
E
s

P
e
r
f
o
r
m
a
n
c
e

b
y

T
y
p
e

o
f

O
r
g
a
n
i
z
a
t
i
o
n
C
A
E

R
e
s
p
o
n
d
e
n
t
s

i
n

P
e
r
c
e
n
t
a
g
e
s
T
y
p
e

o
f
T
o
t
a
l
B
o
a
r
d

o
f
C
h
a
i
r
C
h
i
e
f
A
u
d
i
t
S
e
n
i
o
r
A
u
d
i
t
e
e
/
S
u
p
e
r
v
i
s
o
r
P
e
e
r
s
/
N
o
t
O
r
g
a
n
i
z
a
t
i
o
n
/
R
e
s
p
o
n
-
D
i
r
e
c
t
o
r
s
o
f

t
h
e
E
x
e
c
u
t
i
v
e
C
o
m
m
i
t
t
e
e
/
M
a
n
a
g
e
-
C
l
i
e
n
t
P
e
r
i
o
d
i
c
a
l
l
y
S
u
b
o
r
d
i
n
a
t
e
s
E
v
a
l
u
a
t
e
d
N
u
m
b
e
r

o
f
d
e
n
t
s
B
o
a
r
d
O
f
f
i
c
e
r
O
v
e
r
s
i
g
h
t
m
e
n
t
a
t

t
h
e

E
n
d
P
e
r
i
o
d
i
c
a
l
l
y
R
e
s
p
o
n
d
e
n
t
s
C
o
m
m
i
t
t
e
e
/
o
f

A
u
d
i
t
C
o
m
m
i
t
t
e
e
C
h
a
i
r
p
e
r
s
o
n
P
u
b
l
i
c
l
y
8
1
1
1
3
.
3
1
9
.
4
4
1
.
4
6
4
.
6
3
6
.
7
9
.
5
9
.
0
5
.
2
1
.
5
T
r
a
d
e
d
(
L
i
s
t
e
d
)
C
o
m
p
a
n
y
P
r
i
v
a
t
e
l
y
5
8
3
2
2
.
6
2
0
.
4
4
9
.
9
4
4
.
4
2
7
.
1
9
.
4
7
.
0
3
.
6
2
.
4
H
e
l
d
(
N
o
n
-
l
i
s
t
e
d
)
C
o
m
p
a
n
y
P
u
b
l
i
c
5
1
5
1
0
.
9
1
1
.
5
5
0
.
5
3
4
.
8
2
9
.
9
1
2
.
8
7
.
2
7
.
4
5
.
0
S
e
c
t
o
r
/
G
o
v
e
r
n
m
e
n
t
S
e
r
v
i
c
e
2
0
6
2
3
.
8
1
1
.
7
3
0
.
6
3
1
.
6
2
9
.
1
2
0
.
4
9
.
7
1
2
.
1
8
.
7
P
r
o
v
i
d
e
r
/
C
o
n
s
u
l
t
a
n
t
N
o
t
-
f
o
r
-
1
7
1
9
.
9
1
0
.
5
4
8
.
0
5
5
.
6
2
9
.
2
1
1
.
7
7
.
6
4
.
1
9
.
4
P
r
o
f
i
t
O
r
g
a
n
i
z
a
t
i
o
n
O
t
h
e
r
5
5
2
5
.
5
1
6
.
4
4
7
.
3
4
7
.
3
2
5
.
5
3
.
6
5
.
5
1
.
8
3
.
6

N
o
t
e
:

T
h
e

r
e
s
p
o
n
d
e
n
t
s

w
e
r
e

a
s
k
e
d

t
o

m
a
r
k

a
l
l

t
h
a
t

a
p
p
l
y

s
o

t
h
e

t
o
t
a
l

o
f

t
h
e

p
e
r
c
e
n
t
a
g
e
s

m
a
y

b
e

m
o
r
e

t
h
a
n

1
0
0
.
Table 5-4-1-A
CAEs Relationship with Audit/Oversight Committee by Group*
CAE Respondents - Percentage of Yes Responses
Question 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Is there an audit/ 85.2 92.9 91.4 53.5 38.7 49.7 51.2 69.5 65.8 54.3 81.5 100.0 65.5
oversight committee
in your organization?
Does the CAE meet 64.1 75.6 75.5 70.6 62.3 43.4 67.2 48.8 69.2 44.0 77.3 77.8 59.6
with the audit/
oversight committee
chairperson in
addition to the
regularly
scheduled
meetings?
Does the CAE 93.9 91.0 92.0 90.0 88.2 85.5 88.1 88.1 89.3 92.0 93.9 88.9 84.2
believe that he/she
has appropriate
access to the audit/
oversight committee?
T
a
b
l
e

5
-
8
-
1
-
A
R
e
l
a
t
i
o
n
s
h
i
p

o
f

I
A
A

t
o

t
h
e

O
r
g
a
n
i
z
a
t
i
o
n

b
y

G
r
o
u
p
*
C
A
E

R
e
s
p
o
n
d
e
n
t
s

i
n

M
e
a
n
s
*
*
S
t
a
t
e
m
e
n
t
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
*
Y
o
u
r

i
n
t
e
r
n
a
l

a
u
d
i
t

f
u
n
c
t
i
o
n

i
s

a
n

i
n
d
e
p
e
n
d
e
n
t
4
.
4
5
4
.
5
7
4
.
4
4
4
.
2
1
4
.
4
1
4
.
6
4
4
.
6
3
4
.
4
3
4
.
3
1
4
.
5
7
4
.
4
4
4
.
7
8
4
.
2
7
o
b
j
e
c
t
i
v
e

a
s
s
u
r
a
n
c
e

a
n
d

c
o
n
s
u
l
t
i
n
g

a
c
t
i
v
i
t
y
.
Y
o
u
r

i
n
t
e
r
n
a
l

a
u
d
i
t

f
u
n
c
t
i
o
n

a
d
d
s

v
a
l
u
e
.
4
.
4
6
4
.
5
5
4
.
3
0
4
.
1
2
4
.
3
5
4
.
4
0
4
.
5
1
4
.
4
0
4
.
3
9
4
.
4
3
4
.
3
7
5
.
0
0
4
.
2
8
I
n
t
e
r
n
a
l

a
u
d
i
t

b
r
i
n
g
s

a

s
y
s
t
e
m
a
t
i
c

a
p
p
r
o
a
c
h

t
o
3
.
9
9
4
.
2
3
4
.
0
8
3
.
8
0
4
.
0
2
4
.
0
0
4
.
1
9
4
.
1
0
4
.
0
5
3
.
8
0
4
.
1
3
4
.
5
6
4
.
0
0
e
v
a
l
u
a
t
e

t
h
e

e
f
f
e
c
t
i
v
e
n
e
s
s

o
f

r
i
s
k

m
a
n
a
g
e
m
e
n
t
.
Y
o
u
r

i
n
t
e
r
n
a
l

a
u
d
i
t

f
u
n
c
t
i
o
n

b
r
i
n
g
s

a

s
y
s
t
e
m
a
t
i
c
4
.
4
1
4
.
5
1
4
.
4
2
3
.
9
3
4
.
2
3
4
.
4
7
4
.
4
0
4
.
3
4
4
.
1
3
4
.
1
3
4
.
4
0
4
.
6
7
4
.
1
5
a
p
p
r
o
a
c
h

t
o

e
v
a
l
u
a
t
e

t
h
e

e
f
f
e
c
t
i
v
e
n
e
s
s

o
f
i
n
t
e
r
n
a
l

c
o
n
t
r
o
l
s
.
Y
o
u
r

i
n
t
e
r
n
a
l

a
u
d
i
t

f
u
n
c
t
i
o
n

b
r
i
n
g
s

a

s
y
s
t
e
m
a
t
i
c
3
.
8
4
4
.
0
5
3
.
9
6
3
.
6
5
3
.
8
0
3
.
5
8
3
.
9
0
3
.
6
6
3
.
7
0
3
.
8
5
3
.
9
5
4
.
2
2
3
.
6
2
a
p
p
r
o
a
c
h

t
o

e
v
a
l
u
a
t
e

t
h
e

e
f
f
e
c
t
i
v
e
n
e
s
s

o
f
g
o
v
e
r
n
a
n
c
e

p
r
o
c
e
s
s
e
s
.
Y
o
u
r

i
n
t
e
r
n
a
l

a
u
d
i
t

f
u
n
c
t
i
o
n

p
r
o
a
c
t
i
v
e
l
y
4
.
1
6
4
.
1
8
4
.
1
0
4
.
1
6
3
.
8
7
4
.
1
2
4
.
3
4
3
.
9
8
3
.
9
8
3
.
8
0
4
.
1
3
4
.
2
2
4
.
0
2
e
x
a
m
i
n
e
s

i
m
p
o
r
t
a
n
t

f
i
n
a
n
c
i
a
l

m
a
t
t
e
r
s
,

r
i
s
k
s
,
a
n
d

i
n
t
e
r
n
a
l

c
o
n
t
r
o
l
s
.
Y
o
u
r

i
n
t
e
r
n
a
l

a
u
d
i
t

f
u
n
c
t
i
o
n

i
s

a
n

i
n
t
e
g
r
a
l

p
a
r
t
4
.
1
9
4
.
3
7
4
.
2
2
3
.
8
8
4
.
0
4
3
.
9
7
4
.
1
1
3
.
9
9
4
.
0
9
3
.
9
6
4
.
1
9
4
.
4
4
3
.
9
0
o
f

t
h
e

g
o
v
e
r
n
a
n
c
e

p
r
o
c
e
s
s

b
y

p
r
o
v
i
d
i
n
g

r
e
l
i
a
b
l
e
i
n
f
o
r
m
a
t
i
o
n

t
o

m
a
n
a
g
e
m
e
n
t
.
T
h
e

w
a
y

o
u
r

i
n
t
e
r
n
a
l

a
u
d
i
t

f
u
n
c
t
i
o
n

a
d
d
s

v
a
l
u
e
3
.
7
0
3
.
8
7
3
.
8
0
3
.
2
7
3
.
0
9
2
.
7
8
3
.
3
3
3
.
5
1
3
.
4
8
3
.
1
5
3
.
9
8
4
.
3
3
3
.
3
4
t
o

t
h
e

g
o
v
e
r
n
a
n
c
e

p
r
o
c
e
s
s

i
s

t
h
r
o
u
g
h

d
i
r
e
c
t
a
c
c
e
s
s

t
o

t
h
e

a
u
d
i
t

c
o
m
m
i
t
t
e
e
.
Y
o
u
r

i
n
t
e
r
n
a
l

a
u
d
i
t

f
u
n
c
t
i
o
n

h
a
s

s
u
f
f
i
c
i
e
n
t
4
.
0
7
4
.
2
1
4
.
0
3
3
.
9
0
4
.
0
9
4
.
2
6
4
.
2
7
4
.
0
0
4
.
0
0
3
.
9
1
4
.
0
8
4
.
6
7
3
.
8
9
s
t
a
t
u
s

i
n

t
h
e

o
r
g
a
n
i
z
a
t
i
o
n

t
o

b
e

e
f
f
e
c
t
i
v
e
.
I
n
d
e
p
e
n
d
e
n
c
e

i
s

a

k
e
y

f
a
c
t
o
r

f
o
r

y
o
u
r

i
n
t
e
r
n
a
l
4
.
4
3
4
.
5
5
4
.
3
8
4
.
3
2
4
.
3
0
4
.
6
2
4
.
6
7
4
.
5
5
4
.
4
9
4
.
3
9
4
.
4
5
5
.
0
0
4
.
3
8
a
u
d
i
t

f
u
n
c
t
i
o
n

t
o

a
d
d

v
a
l
u
e
.
O
b
j
e
c
t
i
v
i
t
y

i
s

a

k
e
y

f
a
c
t
o
r

f
o
r

y
o
u
r

i
n
t
e
r
n
a
l
4
.
5
6
4
.
6
4
4
.
6
4
4
.
3
8
4
.
5
1
4
.
7
5
4
.
7
3
4
.
6
4
4
.
5
6
4
.
6
1
4
.
5
1
4
.
7
8
4
.
4
1
a
u
d
i
t

f
u
n
c
t
i
o
n

t
o

a
d
d

v
a
l
u
e
.
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
T
h
e

m
e
a
n

i
s

t
h
e

a
v
e
r
a
g
e

r
e
s
p
o
n
s
e

t
o
:

1

=

S
t
r
o
n
g
l
y

D
i
s
a
g
r
e
e
,

2

=

D
i
s
a
g
r
e
e
,

3

=

N
e
u
t
r
a
l
,

4

=

A
g
r
e
e
,

5

=

S
t
r
o
n
g
l
y

A
g
r
e
e
.
*
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
T
a
b
l
e

5
-
8
-
1
-
A

(
C
o
n
t
.
)
R
e
l
a
t
i
o
n
s
h
i
p

o
f

I
A
A

t
o

t
h
e

O
r
g
a
n
i
z
a
t
i
o
n

b
y

G
r
o
u
p
*
C
A
E

R
e
s
p
o
n
d
e
n
t
s

i
n

M
e
a
n
s
*
*
S
t
a
t
e
m
e
n
t
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
*
Y
o
u
r

i
n
t
e
r
n
a
l

a
u
d
i
t

f
u
n
c
t
i
o
n

i
s

c
r
e
d
i
b
l
e

w
i
t
h
i
n
4
.
3
5
4
.
4
5
4
.
2
2
4
.
0
5
4
.
1
9
4
.
5
2
4
.
5
1
4
.
1
6
4
.
2
4
4
.
2
8
4
.
3
3
4
.
3
3
4
.
1
3
y
o
u
r

o
r
g
a
n
i
z
a
t
i
o
n
.
C
o
m
p
l
i
a
n
c
e

w
i
t
h

T
h
e

I
I
A
s

I
n
t
e
r
n
a
t
i
o
n
a
l
3
.
7
4
3
.
8
5
3
.
9
9
3
.
9
9
4
.
0
1
3
.
8
3
4
.
2
7
3
.
7
9
4
.
0
7
3
.
9
8
3
.
9
1
4
.
5
6
3
.
7
7
S
t
a
n
d
a
r
d
s

f
o
r

t
h
e

P
r
o
f
e
s
s
i
o
n
a
l

P
r
a
c
t
i
c
e

o
f
I
n
t
e
r
n
a
l

A
u
d
i
t
i
n
g

i
s

a

k
e
y

f
a
c
t
o
r

f
o
r

y
o
u
r
i
n
t
e
r
n
a
l

a
u
d
i
t

f
u
n
c
t
i
o
n

t
o

a
d
d

v
a
l
u
e

t
o

t
h
e
g
o
v
e
r
n
a
n
c
e

p
r
o
c
e
s
s
.
C
o
m
p
l
i
a
n
c
e

w
i
t
h

T
h
e

I
I
A
s

c
o
d
e

o
f

e
t
h
i
c
s

i
s
3
.
9
9
4
.
0
4
4
.
1
1
3
.
9
9
4
.
1
1
3
.
9
9
4
.
4
2
3
.
9
1
4
.
2
0
4
.
2
2
4
.
1
3
4
.
7
8
3
.
8
0
a

k
e
y

f
a
c
t
o
r

f
o
r

y
o
u
r

i
n
t
e
r
n
a
l

a
u
d
i
t

f
u
n
c
t
i
o
n
t
o

a
d
d

v
a
l
u
e

t
o

t
h
e

g
o
v
e
r
n
a
n
c
e

p
r
o
c
e
s
s
.
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
T
h
e

m
e
a
n

i
s

t
h
e

a
v
e
r
a
g
e

r
e
s
p
o
n
s
e

t
o
:

1

=

S
t
r
o
n
g
l
y

D
i
s
a
g
r
e
e
,

2

=

D
i
s
a
g
r
e
e
,

3

=

N
e
u
t
r
a
l
,

4

=

A
g
r
e
e
,

5

=

S
t
r
o
n
g
l
y

A
g
r
e
e
.
*
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
T
a
b
l
e

5
-
1
7
-
1
-
A
E
x
t
e
n
t

t
h
e

I
A
A

C
u
r
r
e
n
t
l
y

U
s
e
s

t
h
e

L
i
s
t
e
d

A
u
d
i
t

T
o
o
l
s
/
T
e
c
h
n
i
q
u
e
s

b
y

G
r
o
u
p
*
A
l
l

R
e
s
p
o
n
d
e
n
t
s

b
y

M
e
a
n
s
*
*
T
o
o
l
s
/
T
e
c
h
n
i
q
u
e
s
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
*
A
n
a
l
y
t
i
c
a
l

r
e
v
i
e
w
3
.
2
4
3
.
1
0
2
.
9
7
2
.
9
8
3
.
4
7
3
.
3
3
3
.
3
1
3
.
1
0
3
.
5
7
3
.
2
0
3
.
4
4
3
.
3
2
3
.
0
7
B
a
l
a
n
c
e
d

s
c
o
r
e
c
a
r
d

o
r

s
i
m
i
l
a
r

f
r
a
m
e
w
o
r
k
2
.
0
4
1
.
9
1
2
.
1
5
1
.
5
2
1
.
9
8
1
.
8
0
2
.
1
3
2
.
1
7
1
.
9
8
2
.
1
1
2
.
0
9
1
.
7
6
1
.
9
7
7
B
e
n
c
h
m
a
r
k
i
n
g
2
.
4
9
2
.
3
9
2
.
4
6
2
.
1
2
2
.
5
8
2
.
2
9
2
.
1
9
2
.
2
8
2
.
7
0
2
.
5
3
2
.
4
5
2
.
4
7
2
.
3
0
2
C
o
m
p
u
t
e
r
-
a
s
s
i
s
t
e
d

a
u
d
i
t

t
e
c
h
n
i
q
u
e
s
2
.
7
5
2
.
7
0
2
.
6
8
2
.
3
9
2
.
5
3
2
.
7
4
2
.
9
1
2
.
4
3
3
.
0
0
2
.
4
0
2
.
5
4
2
.
5
0
2
.
0
5
1
C
o
n
t
i
n
u
o
u
s
/
r
e
a
l
-
t
i
m
e

a
u
d
i
t
i
n
g
2
.
0
6
1
.
9
8
2
.
1
3
2
.
7
9
2
.
4
7
2
.
2
6
2
.
4
6
2
.
0
9
2
.
6
0
2
.
0
1
2
.
1
6
2
.
4
4
2
.
4
9
C
o
n
t
r
o
l

s
e
l
f
-
a
s
s
e
s
s
m
e
n
t
2
.
2
5
2
.
4
1
2
.
3
3
2
.
7
6
2
.
4
1
2
.
1
1
2
.
3
1
2
.
3
2
2
.
5
5
2
.
2
0
2
.
2
4
2
.
1
9
2
.
2
9
D
a
t
a

m
i
n
i
n
g
2
.
3
0
2
.
0
5
2
.
1
1
2
.
1
5
2
.
7
7
2
.
1
9
1
.
8
8
2
.
2
8
2
.
8
6
1
.
8
5
2
.
2
9
2
.
1
2
2
.
1
5
E
l
e
c
t
r
o
n
i
c

w
o
r
k
p
a
p
e
r
s
3
.
2
0
2
.
7
8
3
.
3
1
2
.
7
3
3
.
3
4
3
.
1
0
3
.
1
2
3
.
5
3
3
.
2
6
3
.
2
1
2
.
5
6
1
.
9
7
3
.
1
0
F
l
o
w
c
h
a
r
t

s
o
f
t
w
a
r
e
2
.
6
1
2
.
4
3
2
.
2
0
2
.
1
2
2
.
4
4
2
.
1
8
2
.
3
8
2
.
3
7
2
.
5
1
2
.
1
0
2
.
3
2
1
.
6
8
2
.
2
0
O
t
h
e
r

e
l
e
c
t
r
o
n
i
c

c
o
m
m
u
n
i
c
a
t
i
o
n
4
.
2
6
3
.
9
9
4
.
1
9
3
.
3
9
4
.
0
7
4
.
1
1
3
.
8
4
3
.
9
5
4
.
0
5
4
.
3
8
3
.
9
0
3
.
1
5
3
.
8
4
(
e
.
g
.
,

I
n
t
e
r
n
e
t
,

e
-
m
a
i
l
)
P
r
o
c
e
s
s

m
a
p
p
i
n
g

a
p
p
l
i
c
a
t
i
o
n
2
.
2
1
2
.
4
6
2
.
2
5
2
.
5
9
2
.
4
3
2
.
2
5
2
.
6
7
2
.
6
9
2
.
3
5
1
.
8
9
2
.
4
9
1
.
8
4
2
.
4
0
P
r
o
c
e
s
s

m
o
d
e
l
i
n
g

s
o
f
t
w
a
r
e
1
.
6
1
1
.
6
9
1
.
6
4
1
.
6
7
1
.
7
3
1
.
7
3
1
.
9
5
1
.
7
9
1
.
7
8
1
.
5
6
1
.
7
1
1
.
4
2
1
.
7
7
R
i
s
k
-
b
a
s
e
d

a
u
d
i
t

p
l
a
n
n
i
n
g
3
.
7
1
3
.
8
6
3
.
9
1
2
.
5
3
3
.
5
4
3
.
7
1
3
.
3
8
3
.
3
6
3
.
2
3
3
.
8
6
3
.
5
2
3
.
5
5
3
.
1
7
S
t
a
t
i
s
t
i
c
a
l

s
a
m
p
l
i
n
g
2
.
8
2
2
.
6
0
2
.
7
2
2
.
5
9
2
.
8
1
2
.
5
3
2
.
8
1
2
.
8
2
2
.
8
5
2
.
1
8
2
.
7
1
3
.
0
0
2
.
7
7
T
h
e

I
I
A
s

q
u
a
l
i
t
y

a
s
s
e
s
s
m
e
n
t

r
e
v
i
e
w

t
o
o
l
s
2
.
2
5
1
.
9
2
2
.
1
4
1
.
8
2
1
.
9
8
1
.
9
9
1
.
9
5
1
.
7
8
1
.
8
3
2
.
0
1
2
.
0
6
1
.
9
1
1
.
8
2
T
o
t
a
l

q
u
a
l
i
t
y

m
a
n
a
g
e
m
e
n
t

t
e
c
h
n
i
q
u
e
s
2
.
0
9
1
.
8
4
2
.
1
1
1
.
8
5
1
.
9
7
1
.
8
6
1
.
8
6
1
.
6
3
2
.
0
2
1
.
7
5
2
.
1
4
1
.
9
7
1
.
9
1
*
F
o
r

a

l
i
s
t

o
f

a
f
f
i
l
i
a
t
e

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
T
h
e

m
e
a
n

i
s

t
h
e

a
v
e
r
a
g
e

r
e
s
p
o
n
s
e

t
o
:

1

=

N
o
t

U
s
e
d
,

2

=

M
o
d
e
r
a
t
e
l
y

U
s
e
d
,

3

=

A
v
e
r
a
g
e

U
s
e
,

4

=

V
e
r
y

M
u
c
h

U
s
e
d
,

5

=

E
x
t
e
n
s
i
v
e
l
y

U
s
e
d
.
*
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
Table 5-19-1-A
Audit Tools/Techniques that are Currently Extensively Used
All Respondents by Frequency*
Tools/Techniques** Mean CAE Audit Audit Audit Other
Supervisor
Other electronic communication 46.3 41.5 49.5 50.6 48.5 31.7
Risk-based audit planning 28.3 28.1 28.8 29.6 29.5 17.0
Electronic workpapers 26.5 21.1 28.4 30.1 30.9 18.4
Analytical review 12.4 10.8 11.5 13.5 15.0 12.8
Computer-assisted audit techniques 9.8 6.9 10.2 11.0 12.5 11.1
Statistical sampling 9.7 7.2 8.1 10.7 15.3 9.8
Flowchart software 8.3 6.2 8.6 9.3 10.7 8.1
Process mapping application 7.7 5.8 8.0 9.1 9.2 6.4
Control self-assessment 5.7 3.8 5.3 6.2 9.0 7.3
Data mining 5.6 4.5 5.2 5.6 8.0 6.1
Continuous/real-time auditing 5.1 3.0 4.3 5.9 8.2 7.0
The IIAs quality assessment 4.6 3.5 5.2 4.4 6.4 4.9
review tools
Balanced scorecard or similar 3.9 1.9 4.1 4.4 6.0 4.9
framework
Benchmarking 3.9 3.6 2.8 4.4 5.1 5.4
Total quality management techniques 3.5 2.3 3.6 3.4 5.9 4.3
Process modeling software 2.5 1.1 2.2 3.0 4.2 4.1
*As this is a frequency for only the currently Extensively Used category, the rows will not add across to 100.
**The tools/techniques are presented in the table in a decreasing order, according to the ranking of the overall average.
Table 5-19-2-A
Audit Tools/Techniques Currently Not Used
Supervisor
framework
The IIAs quality assessment review 46.6 49.8 43.8 47.5 43.5 46.0
tools
Data mining 36.1 38.0 34.6 35.5 34.5 39.6
Benchmarking 24.9 23.8 23.0 26.4 26.4 28.4
*As this is a frequency for only the currently Not Used category, the rows will not add across to 100.
**The tools/techniques are presented in the table in a decreasing order, according to the ranking of the overall average.
T
a
b
l
e

5
-
1
9
-
3
-
A
A
u
d
i
t

T
o
o
l
s
/
T
e
c
h
n
i
q
u
e
s

C
u
r
r
e
n
t
l
y

N
o
t

U
s
e
d

b
y

G
r
o
u
p
*
A
l
l

R
e
s
p
o
n
d
e
n
t
s

b
y

M
e
a
n
*
*
T
o
o
l
s
/
T
e
c
h
n
i
q
u
e
s
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
*
A
n
a
l
y
t
i
c
a
l

r
e
v
i
e
w
5
.
8
4
.
9
8
.
2
6
.
7
3
.
5
3
.
4
4
.
5
1
0
.
2
7
.
4
5
.
4
2
.
2
1
4
.
7
9
.
9
B
a
l
a
n
c
e
d

s
c
o
r
e
c
a
r
d

o
r

s
i
m
i
l
a
r

f
r
a
m
e
w
o
r
k
4
9
.
3
4
7
.
5
4
3
.
8
6
8
.
0
4
7
.
0
5
3
.
0
4
2
.
3
4
0
.
0
5
9
.
1
4
6
.
4
4
4
.
3
6
3
.
6
5
2
.
6
B
e
n
c
h
m
a
r
k
i
n
g
2
2
.
8
1
9
.
4
2
3
.
0
3
5
.
7
2
3
.
8
2
2
.
7
3
3
.
3
2
5
.
2
1
9
.
6
1
8
.
8
2
1
.
5
3
7
.
5
3
2
.
2
C
o
m
p
u
t
e
r
-
a
s
s
i
s
t
e
d

a
u
d
i
t

t
e
c
h
n
i
q
u
e
s
1
8
.
8
1
8
.
2
2
1
.
3
2
6
.
5
2
9
.
0
1
8
.
7
1
8
.
6
2
9
.
8
2
1
.
7
2
7
.
3
2
8
.
2
3
8
.
2
2
5
.
4
C
o
n
t
i
n
u
o
u
s
/
r
e
a
l
-
t
i
m
e

a
u
d
i
t
i
n
g
4
4
.
3
5
0
.
0
4
6
.
4
1
6
.
8
3
2
.
2
3
3
.
9
2
7
.
6
4
0
.
8
2
8
.
0
4
6
.
3
4
0
.
9
3
5
.
3
2
7
.
9
C
o
n
t
r
o
l

s
e
l
f
-
a
s
s
e
s
s
m
e
n
t
3
7
.
9
2
9
.
9
3
4
.
9
1
3
.
9
2
9
.
9
4
0
.
4
3
2
.
5
2
9
.
0
3
4
.
4
2
7
.
9
3
7
.
6
5
0
.
0
3
3
.
5
D
a
t
a

m
i
n
i
n
g
3
3
.
0
3
8
.
5
4
0
.
3
3
6
.
8
2
0
.
3
3
4
.
1
5
4
.
9
3
7
.
1
2
2
.
0
5
1
.
8
3
8
.
9
4
8
.
5
4
3
.
0
E
l
e
c
t
r
o
n
i
c

w
o
r
k
p
a
p
e
r
s
2
2
.
7
2
7
.
8
2
0
.
1
2
5
.
7
1
1
.
8
1
7
.
5
1
7
.
9
7
.
8
1
4
.
6
1
4
.
3
3
4
.
8
6
6
.
7
2
0
.
9
F
l
o
w
c
h
a
r
t

s
o
f
t
w
a
r
e
2
5
.
5
3
0
.
0
4
0
.
4
3
8
.
0
3
3
.
0
3
4
.
9
3
2
.
8
3
2
.
2
3
6
.
7
3
9
.
3
3
6
.
2
7
3
.
5
4
1
.
2
O
t
h
e
r

e
l
e
c
t
r
o
n
i
c

c
o
m
m
u
n
i
c
a
t
i
o
n
2
.
0
3
.
3
1
.
8
7
.
2
1
.
5
1
.
2
4
.
3
2
.
7
6
.
4
1
.
8
3
.
3
2
3
.
5
3
.
2
(
e
.
g
.
,

I
n
t
e
r
n
e
t
,

e
-
m
a
i
l
)
P
r
o
c
e
s
s

m
a
p
p
i
n
g

a
p
p
l
i
c
a
t
i
o
n
4
2
.
1
3
4
.
4
4
0
.
3
2
8
.
3
3
1
.
9
3
5
.
7
2
4
.
3
2
2
.
5
3
9
.
1
5
1
.
8
3
7
.
1
6
2
.
5
3
3
.
2
P
r
o
c
e
s
s

m
o
d
e
l
i
n
g

s
o
f
t
w
a
r
e
6
6
.
9
6
0
.
6
6
6
.
3
6
3
.
6
5
9
.
2
5
6
.
2
5
2
.
0
5
6
.
5
6
3
.
7
6
7
.
9
6
2
.
1
8
1
.
8
5
9
.
5
R
i
s
k
-
b
a
s
e
d

a
u
d
i
t

p
l
a
n
n
i
n
g
6
.
3
6
.
6
4
.
8
2
4
.
2
6
.
6
4
.
0
1
0
.
4
8
.
4
1
3
.
7
5
.
4
5
.
6
8
.
8
1
4
.
6
S
t
a
t
i
s
t
i
c
a
l

s
a
m
p
l
i
n
g
1
6
.
8
1
9
.
1
2
0
.
5
1
7
.
0
1
7
.
5
1
8
.
1
1
8
.
1
1
6
.
5
2
0
.
7
3
2
.
4
2
0
.
8
1
4
.
7
2
0
.
0
T
h
e

I
I
A
s

q
u
a
l
i
t
y

a
s
s
e
s
s
m
e
n
t

r
e
v
i
e
w

t
o
o
l
s
3
9
.
7
4
8
.
3
4
5
.
7
4
9
.
0
4
8
.
7
4
5
.
2
5
2
.
4
5
6
.
8
5
9
.
6
4
9
.
5
4
6
.
9
6
0
.
6
5
7
.
1
T
o
t
a
l

q
u
a
l
i
t
y

m
a
n
a
g
e
m
e
n
t

t
e
c
h
n
i
q
u
e
s
4
2
.
6
5
4
.
7
4
4
.
6
4
7
.
8
4
7
.
4
4
9
.
0
5
5
.
7
6
4
.
8
5
2
.
7
5
6
.
0
4
1
.
9
5
9
.
4
5
2
.
2
*
F
o
r

a

l
i
s
t

o
f

a
f
f
i
l
i
a
t
e

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
T
h
e

m
e
a
n

i
s

t
h
e

a
v
e
r
a
g
e

r
e
s
p
o
n
s
e

t
o
:

1

=

N
o
t

U
s
e
d
,

2

=

M
o
d
e
r
a
t
e
l
y

U
s
e
d
,

3

=

A
v
e
r
a
g
e

U
s
e
,

4

=

V
e
r
y

M
u
c
h

U
s
e
d
,

5

=

E
x
t
e
n
s
i
v
e
l
y

U
s
e
d
.
*
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
T
a
b
l
e

5
-
2
0
-
1
-
A
E
x
t
e
n
t

t
h
e

I
A
A

P
l
a
n
s

t
o

U
s
e

t
h
e

L
i
s
t
e
d
A
u
d
i
t

T
o
o
l
s
/
T
e
c
h
n
i
q
u
e

i
n

t
h
e

N
e
x
t

T
h
r
e
e

Y
e
a
r
s

b
y

G
r
o
u
p
*
A
l
l

R
e
s
p
o
n
d
e
n
t
s

b
y

M
e
a
n
*
*
T
o
o
l
s
/
T
e
c
h
n
i
q
u
e
s
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
*
A
n
a
l
y
t
i
c
a
l

r
e
v
i
e
w
3
.
5
1
3
.
3
6
3
.
3
7
3
.
3
4
3
.
7
4
3
.
5
6
2
.
8
6
3
.
0
2
4
.
1
1
3
.
5
5
3
.
8
2
3
.
9
6
3
.
2
2
B
a
l
a
n
c
e
d

s
c
o
r
e
c
a
r
d

o
r

s
i
m
i
l
a
r

f
r
a
m
e
w
o
r
k
2
.
3
7
2
.
2
4
2
.
6
1
2
.
1
3
2
.
6
0
2
.
2
2
2
.
2
7
2
.
3
0
2
.
5
1
2
.
4
0
2
.
7
7
3
.
3
6
2
.
2
3
B
e
n
c
h
m
a
r
k
i
n
g
2
.
8
6
2
.
1
8
3
.
0
1
2
.
4
9
3
.
0
9
2
.
7
9
2
.
2
9
2
.
5
2
3
.
2
5
2
.
9
9
3
.
0
4
3
.
7
6
2
.
5
0
C
o
m
p
u
t
e
r
-
a
s
s
i
s
t
e
d

a
u
d
i
t

t
e
c
h
n
i
q
u
e
s
3
.
5
4
3
.
2
4
3
.
5
4
2
.
8
3
3
.
4
6
3
.
3
7
3
.
1
4
2
.
7
9
4
.
0
8
3
.
2
4
3
.
4
5
4
.
2
3
3
.
1
4
C
o
n
t
i
n
u
o
u
s
/
r
e
a
l
-
t
i
m
e

a
u
d
i
t
i
n
g
2
.
8
7
2
.
0
7
2
.
9
1
3
.
0
2
2
.
9
7
2
.
6
3
2
.
6
2
2
.
2
6
3
.
3
4
2
.
4
1
2
.
8
0
3
.
5
2
2
.
8
3
C
o
n
t
r
o
l

s
e
l
f
-
a
s
s
e
s
s
m
e
n
t
2
.
7
5
3
.
1
0
2
.
9
8
3
.
1
0
3
.
1
0
2
.
6
7
2
.
6
5
2
.
6
6
3
.
3
6
2
.
8
9
3
.
0
1
3
.
5
0
2
.
7
9
D
a
t
a

m
i
n
i
n
g
3
.
0
3
2
.
7
9
2
.
8
5
2
.
4
6
3
.
1
5
2
.
6
9
2
.
2
2
2
.
5
5
3
.
5
6
2
.
2
8
2
.
9
1
3
.
5
2
2
.
5
7
E
l
e
c
t
r
o
n
i
c

w
o
r
k
p
a
p
e
r
s
3
.
8
2
3
.
2
8
4
.
0
0
3
.
1
5
4
.
0
0
3
.
5
6
3
.
2
9
3
.
5
8
4
.
0
1
3
.
6
1
3
.
3
1
3
.
6
2
3
.
4
0
F
l
o
w
c
h
a
r
t

s
o
f
t
w
a
r
e
2
.
9
3
2
.
7
1
2
.
7
4
2
.
4
9
3
.
1
3
2
.
4
6
2
.
5
6
2
.
4
2
3
.
1
9
2
.
3
0
2
.
8
7
3
.
4
8
2
.
5
3
O
t
h
e
r

e
l
e
c
t
r
o
n
i
c

c
o
m
m
u
n
i
c
a
t
i
o
n
4
.
3
5
4
.
1
2
4
.
3
5
3
.
4
7
4
.
3
5
4
.
2
5
3
.
5
0
3
.
8
6
4
.
3
6
4
.
4
6
4
.
1
0
4
.
3
6
3
.
8
4
(
e
.
g
.
,

I
n
t
e
r
n
e
t
,

e
-
m
a
i
l
)
P
r
o
c
e
s
s

m
a
p
p
i
n
g

a
p
p
l
i
c
a
t
i
o
n
2
.
5
3
2
.
7
2
2
.
8
0
2
.
9
0
3
.
2
9
2
.
8
2
2
.
7
5
2
.
8
0
2
.
9
8
2
.
2
7
3
.
9
8
3
.
5
5
2
.
7
8
P
r
o
c
e
s
s

m
o
d
e
l
i
n
g

s
o
f
t
w
a
r
e
1
.
9
1
1
.
9
5
2
.
1
9
2
.
1
5
2
.
5
6
2
.
2
1
2
.
3
0
1
.
9
9
2
.
3
5
1
.
8
8
2
.
3
3
2
.
8
7
2
.
1
9
R
i
s
k
-
b
a
s
e
d

a
u
d
i
t

p
l
a
n
n
i
n
g
4
.
1
3
4
.
2
8
4
.
3
6
3
.
0
1
4
.
1
8
4
.
1
7
3
.
5
6
3
.
6
6
4
.
1
7
4
.
2
4
4
.
0
7
4
.
3
6
3
.
5
3
S
t
a
t
i
s
t
i
c
a
l

s
a
m
p
l
i
n
g
3
.
0
9
2
.
8
9
3
.
0
8
3
.
0
1
3
.
3
7
2
.
9
2
2
.
8
9
2
.
7
8
3
.
4
4
2
.
5
3
3
.
2
0
4
.
0
0
2
.
9
1
T
h
e

I
I
A
s

q
u
a
l
i
t
y

a
s
s
e
s
s
m
e
n
t

r
e
v
i
e
w

t
o
o
l
s
2
.
8
6
2
.
5
8
2
.
9
2
2
.
4
1
3
.
0
4
2
.
6
0
2
.
6
0
2
.
1
8
2
.
9
4
2
.
8
5
3
.
0
1
3
.
5
2
2
.
4
9
T
o
t
a
l

q
u
a
l
i
t
y

m
a
n
a
g
e
m
e
n
t

t
e
c
h
n
i
q
u
e
s
2
.
4
3
2
.
1
6
2
.
7
3
2
.
4
5
2
.
8
3
2
.
2
1
2
.
4
6
1
.
9
1
2
.
8
7
2
.
0
9
2
.
8
9
3
.
5
7
2
.
4
1
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
T
h
e

m
e
a
n

i
s

t
h
e

a
v
e
r
a
g
e

r
e
s
p
o
n
s
e

t
o
:

1

=

N
o
t

U
s
e
d
,

2

=

M
o
d
e
r
a
t
e
l
y

U
s
e
d
,

3

=

A
v
e
r
a
g
e

U
s
e
,

4

=

V
e
r
y

M
u
c
h

U
s
e
d
,

5

=

E
x
t
e
n
s
i
v
e
l
y

U
s
e
d
.
*
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
Table 5-22-1-A
Audit Tools/Techniques that Will Be Extensively Used
Supervisor
Data mining 10.4 9.4 10.6 10.8 12.3 10.6
review tools
Benchmarking 6.2 6.4 5.2 6.6 7.3 5.4
framework
*As this is a frequency for only the Extensively Used in the Next Three Years category, the rows will not add across
to 100.
**The tools/techniques are presented in the table in a decreasing order, according to the ranking of the mean.
Table 5-22-2-A
Audit Tools/Techniques that Will Not Be Used in the Next Three Years
Tools/Techniques** Overall CAE Audit Audit Audit Other
Average Manager Senior/ Staff
Supervisor
framework
review tools
Data mining 18.7 17.1 18.1 18.9 21.7 25.1
Benchmarking 13.5 11.2 11.9 15.7 17.3 17.0
*As this is a frequency for only the Will Not Be Used in the Next Three Years category, the rows will not add across
to 100.
**The tools/techniques are presented in the table in a decreasing order, according to the ranking of the mean.

CONTENTS
Chapter 6

Chapter 6: Staffing and Professional Development ............................................................. 251
Introduction......................................................................................................................... 251
Staffing................................................................................................................................ 252
Service Providers................................................................................................................ 259
Continuing Professional Development............................................................................... 266
Summary............................................................................................................................. 271
Appendix 6.......................................................................................................................... 272

Disclosure


profession.
_______________________________ Chapter 6: Staffing and Professional Development 251
CHAPTER 6
STAFFING AND PROFESSIONAL
DEVELOPMENT
Introduction
This chapter summarizes the respondents perceptions about staffing their internal audit activities
(IAA) and their staffs qualifications. The topics addressed include staffing of the IAA, service
providers, staff evaluation, number of staff with certifications, and continuing professional
development. The main objective of the CBOK 2006 study is to develop a summary of the global
practice of internal auditing around the world.
question.
not CAEs).
For example, Table 6-1 has a related Table 6-1-1. Additional related tables may be located in
Appendix 6 at the end of this chapter. A table that is in the Appendix can be clearly identified by an
A at the end of its number. For example, Table 6-7-1-A is located in Appendix 6.
Staffing
Number of Staff in the IAA
Practice Advisory 2230-1 states, The number and experience level of the internal auditing staff
required should be based on an evaluation of the nature and complexity of the engagement assignment,
time constraints, and available resources. Several survey questions were asked to gain an
understanding of the type of staff, use of co-sourcing, and size of respondents IAAs. Table 6-1
lists CAE responses to the current number of audit staff by staff level in their IAAs. Of the 359
CAEs that responded to the use of external auditors as staff, 49.3% or 177 indicate they use this
source for audit staff and 255 of 438 CAE respondents use contract audit staff.
Table 6-1
Number of Full-time Staff at Each Staff Level in the IAA
Number CAEs Audit Audit Audit Staff External Contract Support
at Each % of Managers Seniors/ % of Auditors Audit Staff Staff
Staff 2,184 CAE % of Supervisors 1,742 CAE (co-sourced) (co-sourced) (Adminis-
Level Respondents 1,173 CAE % of Respondents % of % of trative,
Respondents 954 CAE 359 CAE 438 CAE Secretarial,
Respondents Respondents Respondents & Clerical)
Total of
936 CAE
Respondents
None 0.4 10.9 13.2 3.9 50.7 41.6 12.7
One 90.1 36.7 27.7 19.5 12.3 22.1 54.6
2-5 6.0 41.6 41.7 44.0 24.5 27.6 25.4
6-10 1.8 6.3 9.1 14.4 7.2 4.3 3.4
11 or 1.7 4.5 8.3 18.2 5.3 4.4 3.9
More
Total 100.0 100.0 100.0 100.0 100.0 100.0 100.0
Table 6-1-1 shows that very few of the CAE respondents IAAs have part-time staff and those
tend to be at the audit staff level or with outsourced personnel.
Table 6-1-1
Number of Part-time Staff in the IAA
Number CAE Audit Audit Audit Staff External Contract Support
of Staff % of Managers Seniors/ % of Auditors Audit Staff Staff
153 CAE % of Supervisors 231 CAE (co-sourced) (co-sourced) (Adminis-
Respondents 119 CAE % of Respondents % of % of trative,
Respondents 120 CAE 181 CAE 194 CAE Secretarial,
Respondents Respondents Respondents & Clerical)
% of
206 CAE
Respondents
None 51.6 70.6 65.0 31.2 42.0 42.3 39.8
One 39.2 19.3 21.7 37.7 19.3 29.4 53.4
2-5 6.5 8.4 12.5 26.8 32.6 22.7 4.9
6-10 2.0 0.8 0.0 2.2 3.3 2.1 0.5
11 or 0.7 0.9 0.8 2.1 2.8 3.5 1.4
More
Total 100.0 100.0 100.0 100.0 100.0 100.0 100.0
Many of the respondents IAAs have a fairly small number of staff members at each staff level.
Figure 6-1 reports that 24% of the respondents to this question indicate that their IAAs have 1-3
members of the audit staff. Another 18.9% have 4-6 staff members and an additional 11.1% have
7-9 staff members in their IAAs. Of the respondents, 25.8% have 25 or more staff members in
their IAA.
Figure 6-1
Number of Full-time Staff at Each Staff Level
25 or more
25.8%
1-3
24.0%
4-6
18.9%
7-9
11.1%
10-12
6.7%
13-15
5.0%
16-18
3.8%
19-21
2.7%
22-24
2.0%
Open Staff Positions
Several questions were asked about hiring practices for open positions and what methods are used
to make up for staff vacancies. As seen in Figure 6-2, special incentives to hire staff are not
generally used. Only 12.8% of CAEs organizations offer relocation expenses, 10.9% provide a
transportation allowance, and 8.4% give a signing bonus.
Figure 6-2
Special Incentives Offered to Hire Staff
CAEs were also asked what methods are used to make up for staff vacancies. Figure 6-3 show
that 28.2% of CAE respondents replied that their IAAs have no vacancies. CAEs indicate that
the two most common methods used to cover staff vacancies are reduction in the areas of audit
coverage (30.7%) and co-sourcing from internal audit service providers (28.7%).
Figure 6-3
Methods Used to Make Up for Staff Vacancies
For groups, Table 6-2 points out that a reduction in coverage is a general strategy common to all
groups, whereas the use of co-sourcing is primarily practiced in groups 1, 2, 3, and 11. Groups 5
(39.7%) and 6 (39.1%) have the highest percentages of no vacancies. Groups 12 (11.1%) and 11
(14.8%) report the lowest levels of no vacancies and the highest level of reducing the areas of
audit coverage, 44.4% and 37% respectively, due to lack of staff.
Table 6-2
Methods Used to Make Up for Staff Vacancies
CAE Respondents in Percentages by Groups*
Methods 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Facilitate control self- 5.4 14.0 14.7 35.6 16.8 10.3 16.7 11.7 15.2 10.6 18.5 44.4 17.9
assessments in place
of audits
Reduce areas of 35.3 26.7 34.7 23.1 21.2 23.7 26.5 33.0 19.6 23.4 37.0 44.4 25.2
coverage
Increased use of audit 10.6 11.6 18.0 18.3 10.3 17.3 20.5 12.6 26.1 8.5 29.6 33.3 15.9
software
Borrowing staff from 11.4 17.4 13.3 19.2 17.9 12.8 8.3 14.2 4.3 14.9 13.6 33.3 15.9
other departments
Co-sourcing from 34.6 41.9 43.3 11.5 14.7 21.8 22.0 27.5 17.4 29.8 33.3 11.1 17.2
internal audit service
providers
No vacancies 28.0 24.4 21.3 29.8 39.7 39.1 27.3 24.9 30.4 25.5 14.8 11.1 27.8
Other methods 8.4 10.5 14.0 10.6 14.7 8.3 15.2 16.2 19.6 17.0 17.3 22.2 19.9
Respondents 912 86 150 104 184 156 132 309 46 47 81 9 151
Missing Skills
Standard 1210.A1, Proficiency, notes that, The CAE should obtain competent advice and assistance
if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all
or part of the engagement. Standard 1210.C1 goes on to state, The CAE should decline the
consulting engagement or obtain competent advice and assistance if the internal audit staff lacks
the knowledge, skills, or other competencies needed to perform all or part of the engagement.
Skill shortages are an issue that CAEs must often address in creative ways. Methods respondents
use to compensate for missing skill sets are indicated in Figure 6-4. In only 13.1% of the respondents
IAAs are there no missing skill sets. The most typical techniques to address skill shortages are
through the use of co-sourcing/outsourcing (51.4%), reduction of areas of coverage (17.7%), and
borrowing staff from other departments (14.5%).
Figure 6-4
Methods Used to Compensate for Missing Skills
Service Providers
Respondents by Staff Level that are Service Providers
Respondents were asked if they work for a service provider or worked for an in-house IAA. As
shown in Figure 6-5, 86% indicate that they work within an organization and 14% of the respondents
indicate that they work for service providers.
Figure 6-5
Service Provider of Internal Audit Services
Service
Provider
14.0%
In-house
Internal
Audit Activity
86.0%
Table 6-3 shows by staff level if the respondents work for an in-house IAA or work for a service
provider.
Table 6-3
Staff Levels at In-house IAA or Service Provider
Staff Level Number of Percent of Percent of Total
of Respondent Respondents Staff Level Staff Level
Working Working for
In-house a Service
IAA Provider
CAEs 2,337 86.7 13.3 100.0
Audit Managers 2,004 83.0 17.0 100.0
Audit Seniors/Supervisors 2,208 87.2 12.8 100.0
Audit Staff 1,595 88.7 11.3 100.0
Other 630 82.1 17.9 100.0
Total/Average 8,774 86.0 14.0 100.0
Outsourced IAA Activities
Figure 6-6 indicates the percentage of the IAAs activities that are performed by service providers.
Sixty-eight point eight percent of CAE respondents indicate that 10% or less of their IAAs audit
work is being co-sourced/outsourced. All respondents indicated some level of outsourcing/co-
sourcing.
Figure 6-6
IAAs Audit Activities - Percentage Outsourced/Co-sourced
As described in Table 6-4, 33% of CAEs indicate that their budget for co-sourcing/outsourcing is
projected to increase in the next three years. It appears that most organizations are conducting
their internal audits with in-house audit staff.
Table 6-4
Anticipated Budget Changes for Outsourced/Co-sourced Activities
Change Percent of
Anticipated 2,145 Respondents
Remain the same 55.7
Increase 33.0
Decrease 11.3
Total 100.0
Staff Evaluation
Table 6-5 summarizes how audit staff is evaluated. The audit staff is mainly evaluated by a supervisor
on a periodic basis (78.5%). Customer/auditee feedback is the second most commonly used method
for evaluation of audit staff performance (45.6%).
Table 6-5
Method of Staff Evaluation
Methods of Percent of
Staff Evaluation 2,367 Respondents
By supervisor periodically 78.5
Customer/auditee feedback 45.6
Peers/subordinates periodically 23.4
Other 15.5
Certifications
To ensure an adequate grounding of skills and abilities among the audit staff, it is important for
individuals in the IAA to be Certified Internal Auditors (CIA). Other certifications such as CGAP,
CCSA, CFSA, and CISA are also important to show the staffs proficiency in specialized areas.
CAE respondents were asked about the types of certifications held by their staff. Figure 6-7
provides a listing of the staff certification profile from responding CAEs. A staff member could
have more than one certification. This table indicates that the audit staff has a wide range of
certifications. Public accounting is the most common (35.0%), followed by the CIA certification
(28.6%).
Figure 6-7
IAA Staff Members with Certifications
I
n

T
a
b
l
e

6
-
6
,

t
h
e

t
y
p
e
s

o
f

c
e
r
t
i
f
i
c
a
t
i
o
n
s

h
e
l
d

b
y

g
r
o
u
p
s

a
r
e

l
i
s
t
e
d
.

C
A
E
s

i
n

g
r
o
u
p
s

2

(
4
5
.
3
%
)

a
n
d

4

(
4
0
.
9
%
)

i
n
d
i
c
a
t
e
t
h
e
i
r

s
t
a
f
f

h
a
v
e

t
h
e

h
i
g
h
e
s
t

p
e
r
c
e
n
t
a
g
e
s

o
f

C
I
A
s
.

D
i
s
t
r
i
b
u
t
i
o
n

o
f

t
h
e

m
a
i
n

c
e
r
t
i
f
i
c
a
t
i
o
n
s

i
n

F
i
g
u
r
e

6
-
7

a
r
e

g
e
n
e
r
a
l
l
y
c
o
n
s
i
s
t
e
n
t

w
i
t
h

t
h
e

g
r
o
u
p

d
i
s
t
r
i
b
u
t
i
o
n

i
n

T
a
b
l
e

6
-
6
.

W
h
e
n

t
h
e

C
A
E
s

w
e
r
e

a
s
k
e
d

i
f

t
h
e
r
e

i
s

a

n
e
e
d

f
o
r

a
d
d
i
t
i
o
n
a
l
c
e
r
t
i
f
i
c
a
t
i
o
n
s

b
e
y
o
n
d

t
h
e

C
I
A
/
M
I
I
A
/
P
I
I
A

f
o
r

a
u
d
i
t

m
a
n
a
g
e
r
s
,

4
0
.
9
%

o
f

C
A
E
s

a
g
r
e
e
d

i
t

w
a
s

n
e
c
e
s
s
a
r
y
.

M
a
n
y

C
A
E
s
(
4
0
.
4
%
)

b
e
l
i
e
v
e

t
h
a
t

t
h
e
y

n
e
e
d

o
t
h
e
r

c
e
r
t
i
f
i
c
a
t
i
o
n
s

i
n

a
d
d
i
t
i
o
n

t
o

t
h
e

C
I
A
/
M
I
I
A
/
P
I
I
A

d
e
s
i
g
n
a
t
i
o
n
.
T
a
b
l
e

6
-
6
I
A
A

S
t
a
f
f

M
e
m
b
e
r
s

W
i
t
h

C
e
r
t
i
f
i
c
a
t
e
s
C
A
E

R
e
s
p
o
n
d
e
n
t
s

-

P
e
r
c
e
n
t
a
g
e
s

b
y

G
r
o
u
p
s
*
T
y
p
e

o
f

C
e
r
t
i
f
i
c
a
t
e
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
I
n
t
e
r
n
a
l

A
u
d
i
t
i
n
g

(
s
u
c
h
3
1
.
0
4
5
.
3
2
6
.
0
4
0
.
9
2
1
.
9
2
8
.
9
7
.
7
1
7
.
7
2
8
.
8
2
8
.
7
2
3
.
8
1
9
.
3
2
7
.
0
8
a
s

C
I
A
/
M
I
I
A
/
P
I
I
A
)
I
n
f
o
r
m
a
t
i
o
n

S
y
s
t
e
m
s
1
9
.
5
2
0
.
0
1
3
.
0
1
1
.
7
6
.
6
1
8
.
4
9
.
7
9
.
2
1
9
.
1
1
3
.
7
1
3
.
4
1
5
.
5
1
0
.
8
3
A
u
d
i
t
i
n
g

(
s
u
c
h

a
s

C
I
S
A
/
Q
i
C
A
/
C
I
S
M
)
G
o
v
e
r
n
m
e
n
t

A
u
d
i
t
i
n
g
/
1
8
.
5
6
.
4
1
4
.
8
6
.
0
1
3
.
9
6
.
5
2
.
6
.
6
1
.
3
5
.
4
0
.
0
5
.
0
8
.
2
5
F
i
n
a
n
c
e

(
s
u
c
h

a
s

C
I
P
F
A
/
C
G
A
P
/
C
G
F
M
)
C
o
n
t
r
o
l

S
e
l
f
-
a
s
s
e
s
s
m
e
n
t
9
.
1
6
.
9
1
0
.
9
1
4
.
5
9
.
4
1
0
.
1
4
.
3
9
.
3
8
.
0
8
.
1
5
.
0
6
.
6
7
6
.
0
0
(
s
u
c
h

a
s

C
C
S
A
)
P
u
b
l
i
c

A
c
c
o
u
n
t
i
n
g
/
3
9
.
6
5
1
.
4
2
4
.
1
1
7
.
9
1
6
.
3
2
9
.
4
3
9
.
9
2
1
.
3
2
6
.
4
3
4
.
8
3
0
.
8
2
9
.
8
3
1
.
9
5
C
h
a
r
t
e
r
e
d

A
c
c
o
u
n
t
a
n
c
y
(
s
u
c
h

a
s

C
A
/
C
P
A
/
A
C
C
A
/
A
C
A
)
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
N
o
t
e
:

T
h
e

r
e
s
p
o
n
d
e
n
t
s

w
e
r
e

a
s
k
e
d

t
o

m
a
r
k

a
l
l

t
h
a
t

a
p
p
l
y

s
o

t
h
e

t
o
t
a
l

o
f

t
h
e

p
e
r
c
e
n
t
a
g
e
s

m
a
y

b
e

m
o
r
e

t
h
a
n

1
0
0
.
T
a
b
l
e

6
-
6

(
C
o
n
t
.
)
I
A
A

S
t
a
f
f

M
e
m
b
e
r
s

W
i
t
h

C
e
r
t
i
f
i
c
a
t
e
s
C
A
E

R
e
s
p
o
n
d
e
n
t
s

-

P
e
r
c
e
n
t
a
g
e
s

b
y

G
r
o
u
p
s
*
T
y
p
e

o
f

C
e
r
t
i
f
i
c
a
t
e
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
M
a
n
a
g
e
m
e
n
t
/
G
e
n
e
r
a
l
1
7
.
2
2
3
.
3
1
5
.
5
1
4
.
9
2
.
1
5
.
2
1
.
7
1
4
.
6
9
.
0
8
.
0
1
2
.
9
1
9
.
1
1
4
.
4
4
A
c
c
o
u
n
t
i
n
g

(
s
u
c
h

a
s
C
M
A
/
C
I
M
A
/
C
G
A
)
A
c
c
o
u
n
t
i
n
g

-

t
e
c
h
n
i
c
i
a
n
2
.
2
6
.
6
2
0
.
4
2
7
.
5
4
.
1
1
3
.
7
9
.
6
1
8
.
2
7
.
8
0
.
0
1
0
.
1
3
.
9
1
3
.
7
6
l
e
v
e
l

(
s
u
c
h

a
s

C
A
T
/
A
A
T
)
F
r
a
u
d

E
x
a
m
i
n
a
t
i
o
n
1
6
.
2
1
1
.
2
1
0
.
0
4
.
5
8
.
9
3
.
0
2
.
9
2
.
9
1
2
.
2
1
.
9
3
.
6
5
.
0
1
6
.
8
1
(
s
u
c
h

a
s

C
F
E
)
F
i
n
a
n
c
i
a
l

S
e
r
v
i
c
e
s
1
9
.
0
0
.
0
1
.
1
1
.
2
4
.
1
6
.
3
3
.
5
2
.
6
0
.
0
2
.
2
6
.
7
5
.
0
5
.
8
0
A
u
d
i
t
i
n
g

(
s
u
c
h

a
s
C
F
S
A
/
C
I
D
A
/
C
B
A
)
F
e
l
l
o
w
s
h
i
p

(
s
u
c
h

a
s
5
.
4
2
9
.
9
1
7
.
2
8
0
.
0
1
0
.
2
1
9
.
5
8
.
4
6
.
8
6
.
3
0
.
0
1
0
.
8
0
.
0
1
0
.
1
1
F
C
A
/
F
C
C
A
/
F
C
M
A
)
C
e
r
t
i
f
i
e
d

F
i
n
a
n
c
i
a
l
2
.
6
0
.
0
0
.
9
7
1
.
7
1
.
3
8
.
2
1
.
5
5
.
3
0
.
0
0
.
0
4
.
3
8
0
.
0
1
.
4
5
A
n
a
l
y
s
t

(
s
u
c
h

a
s

C
F
A
)
O
t
h
e
r

C
e
r
t
i
f
i
c
a
t
i
o
n
s
2
3
.
7
3
1
.
4
2
6
.
1
9
2
1
.
7
4
4
.
0
4
8
.
3
1
4
.
2
2
9
.
9
1
5
.
2
3
9
.
9
2
9
.
0
6
2
.
9
3
7
.
5
9
T
o
t
a
l

N
u
m
b
e
r

o
f
3
,
0
9
5
2
4
4
5
1
7
2
4
0
3
9
8
4
3
5
4
0
2
6
8
2
1
2
9
1
6
3
3
0
2
3
5
4
3
0
R
e
s
p
o
n
d
e
n
t
s

P
e
r

G
r
o
u
p
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
N
o
t
e
:

T
h
e

r
e
s
p
o
n
d
e
n
t
s

w
e
r
e

a
s
k
e
d

t
o

m
a
r
k

a
l
l

t
h
a
t

a
p
p
l
y

s
o

t
h
e

t
o
t
a
l

o
f

t
h
e

p
e
r
c
e
n
t
a
g
e
s

m
a
y

b
e

m
o
r
e

t
h
a
n

1
0
0
.
Continuing Professional Development
The IIA requires 80 hours of continuing professional development (CPD) every two years. The
IIA Attribute Standard 1230, Continuing Professional Development, requires internal auditors to
enhance their knowledge, skills, and other competencies through continuing professional
development. Respondents were asked how many hours of formal training they received over the
last 36 months or while they have been working in their IAA if less than 3 years. Training includes,
but is not limited to, seminars, conferences, workshops, and in-house information sessions provided
by either the respondents organization or other organizations.
Hours of Training Over the Last 36 Months by Staff Level
Table 6-7 lists the number of hours of formal training by staff level taken by the respondents during
the 36-month period prior to responding to the CBOK 2006 survey. The range in hours of formal
training reported is from none to 240 or more hours. There is an expectation that all respondents
would have taken at least 120 hours of CPD over the prior three-year period. Of the CAEs, 48.2%
achieved or exceeded 120 hours of CPD. Another 16.4% of the CAEs attained the 80-119 hour
level of CPD. The percentages of respondents at the other staff levels that achieved 120 or more
hours of formal training are 49.1% for Audit Managers, 42.4% for Senior/Supervisors, 35.5% for
Audit Staff, and 34.1% for Others.
Table 6-7
Hours of Formal Training During the Last 36 Months or
While in IAA if Less Than 3 Years
Number CAE Audit Audit Senior/ Audit Staff Others
of Hours of 2,288 Manager Supervisor of 1,558 of 598
Respondents of 1,947 of 2,159 Respondents Respondents
None 0.9 1.2 1.2 2.2 7.4
1-39 11.6 11.2 13.2 19.1 19.4
40-79 22.9 21.7 24.5 25.4 23.9
80-119 16.4 16.8 18.7 17.8 15.2
120-159 23.9 24.8 20.6 16.9 16.7
160-199 4.9 5.8 5.1 3.1 4.7
200-239 6.5 6.3 5.6 4.6 3.0
240 or More 12.9 12.2 11.1 10.9 9.7
Total 100 100 100 100 100
In Appendix 6, Tables 6-7-1-A through 6-7-6-A provide more detailed data for the groups. The
tables show details about the hours of formal training received by all respondents within the last 36
months and then broken down by category of internal audit staff.
Hours of Training Compared to Years as a Member of IIA
Table 6-8 looks at whether the period of IIA membership has any affect on the amount of CPD
taken by respondents. It does appear that respondents who have been IIA members for a longer
period of time have taken more CPD in the 36 months prior to the survey. For respondents that
have been members for 11 or more years, 54.6% have taken 120 or more hours of CPD compared
to 50.3% of respondents who have been members for 6-10 years, and 39.4% of respondents who
have been members for 1-5 years.
Table 6-8
Comparing Hours of CPD During the Last 36 Months and
Years as a Member of The IIA
Number of IIA Member IIA Member IIA Member
Hours of for 1-5 Years for 6-10 Years for 11 or More
Formal of 5,014 of 1,657 Years of 1,266
Training Respondents Respondents Respondents
None 1.8 0.9 1.4
1- 39 15.5 9.4 9.1
40-79 25.4 21.8 20.5
80-119 17.9 17.6 14.4
120-159 18.5 26.6 30.0
160-199 4.0 5.8 7.9
200-239 5.5 5.8 6.6
240 or More 11.4 12.1 10.1
Total 100.0 100.0 100.0
CIA/MIIA/PIIA Certification and Hours of CPD
Figure 6-8 summarizes the number of hours of CPD taken by respondents who have their CIA/
MIIA/PIIA certification. Of those that indicate that they are a CIA/MIIA/PIIA, 51% have taken
120 or more hours of CPD.
Figure 6-8
Number of Hours of Formal Training During the Last
36 Months for CIA/MIIA/PIIA Respondents
Hours of Training Required by Law/Statute
To further understand the factors impacting the amount of CPD taken by internal auditors,
respondents were asked how many hours of training over a 12-month period are required by law/
statute in the country where they work. The benchmark for a 24-month period is still the 80 hours
required by The IIA, but it is acknowledged that there could be some country specific variation. In
Table 6-9, the replies appear to be consistent across all levels of audit staff. Respondents that
None
1.1%
1-39 hours
9.9%
40-79 hours
21.4%
80-119 hours
16.6%
120-159 hours
26.1%
200-239 hours
6.2%
240 or more
hours
12.7%
160-199 hours
6.0%
indicate they do not have any law/statute requiring CPD in the countries where they work range
from 38.0% to 41.2%. Countries that have statutory requirements for 31-40 hours per year of
CPD range from 25.0% to 32.8%. A few countries require more than 40 hours of CPD annually.
The relatively high percentage of respondents that work in countries that have no or minimum
statutory CPD requirement, may help explain why many of the respondents in Table 6-7 indicate
that they have taken the equivalent of 119 hours or less of CPD in the past 36 months.
Table 6-9
Hours of Training Over a 12-Month Period Required by Law/Statute
Number CAE Audit Audit Senior/ Audit Staff Others
of Hours % of 2,028 Manager Supervisor % of 1,177 % of 513
Respondents % of 1,687 % of 1,832 Respondents Respondents
None 41.0 38.1 41.2 38.0 39.0
1-10 5.6 3.7 4.5 9.0 4.0
11-20 8.5 9.1 8.3 8.0 12.0
21-30 4.8 5.0 5.5 5.0 7.0
31-40 30.3 32.8 29.5 25.0 28.0
41-50 1.9 2.1 2.3 3.0 2.0
51-60 1.6 1.7 2.1 1.0 1.0
61-70 0.1 0.3 0.5 1.0 0.0
Over 70 6.2 7.2 6.1 10.0 7.0
Total 100.0 100.0 100.0 100.0 100.0
Frequency of Types of Training
The survey asked the CAEs to provide information on the frequency of training in several specific
areas for themselves and other members of the IAA. Respondents were asked to indicate whether
the training was more frequent than annually, annually, less frequently than annually, as needed, or
never. The detailed results are shown in Table 6-10. CAEs report that training on the Standards
and professional practices are most common with 46.3% receiving training annually or more
frequently than annually and 37.5% receiving training as needed. Another important training area
is basic/advanced technology, with 36.3% of the training being provided annually or more frequently
2
7
0

A

G
l
o
b
a
l

S
u
m
m
a
r
y

o
f

t
h
e

C
o
m
m
o
n

B
o
d
y

o
f

K
n
o
w
l
e
d
g
e

2
0
0
6
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
T
h
e

I
n
s
t
i
t
u
t
e

o
f

I
n
t
e
r
n
a
l

A
u
d
i
t
o
r
s

R
e
s
e
a
r
c
h

F
o
u
n
d
a
t
i
o
n
a
n
d

4
6
.
3
%

b
e
i
n
g

t
r
a
i
n
e
d

a
s

n
e
c
e
s
s
a
r
y
.

T
h
i
s

r
e
s
u
l
t

i
s

e
x
p
e
c
t
e
d

a
s

t
h
e

I
A
A

s
e
e
k
s

s
k
i
l
l

u
p
g
r
a
d
e
s
w
h
e
n

n
e
w

t
e
c
h
n
o
l
o
g
y

b
e
c
o
m
e
s

a
v
a
i
l
a
b
l
e
.
T
a
b
l
e

6
-
1
0
F
r
e
q
u
e
n
c
y

o
f

T
y
p
e
s

o
f

T
r
a
i
n
i
n
g
C
A
E

R
e
s
p
o
n
d
e
n
t
s

i
n

P
e
r
c
e
n
t
a
g
e
s
T
y
p
e

o
f
N
u
m
b
e
r

o
f
M
o
r
e
A
n
n
u
a
l
l
y
L
e
s
s
A
s
N
e
v
e
r
T
o
t
a
l
T
r
a
i
n
i
n
g
R
e
s
p
o
n
d
e
n
t
s
F
r
e
q
u
e
n
t
l
y
F
r
e
q
u
e
n
t
l
y
N
e
e
d
e
d
t
h
a
n
t
h
a
n
A
n
n
u
a
l
l
y
A
n
n
u
a
l
l
y
S
t
a
n
d
a
r
d
s

a
n
d
2
,
2
8
6
1
8
.
5
2
7
.
8
1
2
.
1
3
7
.
5
4
.
1
1
0
0
.
0
p
r
o
f
e
s
s
i
o
n
a
l
p
r
a
c
t
i
c
e
s
B
a
s
i
c
/
a
d
v
a
n
c
e
d
2
,
2
3
1
1
3
.
0
2
3
.
3
1
2
.
3
4
6
.
3
5
.
1
1
0
0
.
0
t
e
c
h
n
o
l
o
g
y
A
n
t
i
-
f
r
a
u
d
2
,
2
1
7
9
.
5
2
2
.
5
1
7
.
2
4
1
.
1
9
.
7
1
0
0
.
0
t
e
c
h
n
i
q
u
e
s
E
t
h
i
c
s

t
r
a
i
n
i
n
g
2
,
2
1
1
6
.
7
3
1
.
4
1
3
.
8
3
5
.
9
1
2
.
2
1
0
0
.
0
C
o
m
m
u
n
i
c
a
t
i
o
n
2
,
2
4
2
8
.
8
1
8
.
4
1
5
.
3
4
6
.
9
1
0
.
6
1
0
0
.
0
s
k
i
l
l
s
T
e
a
m
-
b
u
i
l
d
i
n
g
2
,
2
3
2
9
.
4
1
7
.
1
1
5
.
6
4
3
.
5
1
4
.
4
1
0
0
.
0
s
k
i
l
l
s
T
h
e

r
e
s
p
o
n
s
e
s

g
i
v
e
n

t
o

t
h
e

q
u
e
s
t
i
o
n

o
n

e
t
h
i
c
s

t
r
a
i
n
i
n
g

c
o
u
l
d

r
e
f
l
e
c
t

t
h
e

d
e
s
i
r
e

f
o
r

i
m
p
r
o
v
i
n
g

c
o
r
p
o
r
a
t
e
g
o
v
e
r
n
a
n
c
e

o
r

t
h
e

n
e
e
d

f
o
r

m
o
r
e

t
r
a
n
s
p
a
r
e
n
t

b
u
s
i
n
e
s
s

p
r
a
c
t
i
c
e
s

f
o
l
l
o
w
i
n
g

m
a
n
y

w
i
d
e
l
y

p
u
b
l
i
c
i
z
e
d
c
o
r
p
o
r
a
t
e

c
o
l
l
a
p
s
e
s

i
n

r
e
c
e
n
t

y
e
a
r
s
.

I
t

w
a
s

r
e
p
o
r
t
e
d

t
h
a
t

3
8
.
1
%

o
f

e
t
h
i
c
s

t
r
a
i
n
i
n
g

s
e
s
s
i
o
n
s

t
o
o
k
p
l
a
c
e

a
n
n
u
a
l
l
y

o
r

m
o
r
e

f
r
e
q
u
e
n
t
l
y

a
n
d

3
5
.
9
%

a
s

n
e
e
d
e
d
.

I
t

i
s

i
n
t
e
r
e
s
t
i
n
g

t
o

n
o
t
e

t
h
a
t

1
2
.
2
%

o
f
r
e
s
p
o
n
d
e
n
t
s

i
n
d
i
c
a
t
e

t
h
a
t

e
t
h
i
c
s

t
r
a
i
n
i
n
g

i
s

n
e
v
e
r

p
r
o
v
i
d
e
d
,

c
o
m
p
a
r
e
d

w
i
t
h

4
.
1
%

i
n
d
i
c
a
t
i
n
g

n
o
t
r
a
i
n
i
n
g

o
n

t
h
e

S
t
a
n
d
a
r
d
s

a
n
d

p
r
o
f
e
s
s
i
o
n
a
l

p
r
a
c
t
i
c
e
s

a
n
d

5
.
1
%

i
n
d
i
c
a
t
i
n
g

n
o

t
r
a
i
n
i
n
g

o
n

b
a
s
i
c
/
a
d
v
a
n
c
e
d

t
e
c
h
n
o
l
o
g
y
.
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
C
h
a
p
t
e
r

6
:

S
t
a
f
f
i
n
g

a
n
d

P
r
o
f
e
s
s
i
o
n
a
l

D
e
v
e
l
o
p
m
e
n
t

2
7
1
T
h
e

I
n
s
t
i
t
u
t
e

o
f

I
n
t
e
r
n
a
l

A
u
d
i
t
o
r
s

R
e
s
e
a
r
c
h

F
o
u
n
d
a
t
i
o
n
S
u
m
m
a
r
y
T
h
e

m
a
j
o
r
i
t
y

(
5
4
%
)

o
f

t
h
e

C
A
E

r
e
s
p
o
n
d
e
n
t
s

I
A
A
s

h
a
v
e

9

o
r

f
e
w
e
r

s
t
a
f
f

a
n
d

2
5
.
8
%

o
f

t
h
e

I
A
A
s
h
a
v
e

2
5

o
r

m
o
r
e

a
u
d
i
t

s
t
a
f
f
.

A

m
i
n
o
r
i
t
y

o
f

r
e
s
p
o
n
d
e
n
t
s

o
f
f
e
r

i
n
c
e
n
t
i
v
e
s

t
o

a
t
t
r
a
c
t

i
n
d
i
v
i
d
u
a
l
s

f
o
r
o
p
e
n

p
o
s
i
t
i
o
n
s

i
n

t
h
e

I
A
A
.

T
h
e

r
e
s
p
o
n
d
e
n
t
s

m
o
s
t

u
s
e
d

m
e
t
h
o
d
s

t
o

c
o
m
p
e
n
s
a
t
e

f
o
r

m
i
s
s
i
n
g

s
k
i
l
l
s
e
t
s

a
r
e

t
o

r
e
d
u
c
e

t
h
e

a
u
d
i
t

s
c
o
p
e

o
r

t
o

o
u
t
s
o
u
r
c
e

t
h
e

t
a
s
k
.

O
v
e
r

2
5
%

o
f

t
h
e

r
e
s
p
o
n
d
e
n
t
s

h
o
l
d

a
C
I
A
/
M
I
I
A
/
P
I
I
A

d
e
s
i
g
n
a
t
i
o
n
.

A
b
o
u
t

h
a
l
f

o
f

t
h
e

C
A
E

r
e
s
p
o
n
d
e
n
t
s

r
e
c
e
i
v
e
d

1
2
0

h
o
u
r
s

o
f

C
P
D

o
v
e
r
t
h
e

3
6

m
o
n
t
h
s

p
r
i
o
r

t
o

t
h
e

C
B
O
K

2
0
0
6

s
u
r
v
e
y
.
2
7
2

A

G
l
o
b
a
l

S
u
m
m
a
r
y

o
f

t
h
e

C
o
m
m
o
n

B
o
d
y

o
f

K
n
o
w
l
e
d
g
e

2
0
0
6
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
T
h
e

I
n
s
t
i
t
u
t
e

o
f

I
n
t
e
r
n
a
l

A
u
d
i
t
o
r
s

R
e
s
e
a
r
c
h

F
o
u
n
d
a
t
i
o
n
APPENDIX 6
Table 6-7-1-A
Hours of Formal Training During Last 36 Months or While in IAA if Less Than 3 Years
All Respondents in Percentages by Groups*
Number of Hours 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
None 1.1 1.0 2.9 1.1 1.8 0.7 1.6 1.9 3.3 1.5 2.2 2.4 4.3
1- 39 9.7 13.1 14.2 35.2 10.2 13.6 8.4 16.8 23.6 14.6 20.3 12.2 21.7
40-79 23.5 21.4 27.9 26.4 18.5 25.4 16.7 28.1 25.2 23.4 25.1 19.5 20.4
80-119 16.9 21.8 15.2 16.8 18.9 18.3 14.9 18.7 15.4 20.4 17.3 22.0 17.3
120- 159 30.1 19.4 15.3 10.5 15.7 19.2 16.7 14.6 12.2 13.1 16.5 24.4 14.6
160-199 6.1 3.9 4.9 2.6 6.5 4.5 4.5 3.1 4.1 2.9 3.5 2.4 2.5
200-239 5.9 9.2 4.9 2.0 5.8 4.9 9.6 4.6 6.5 5.8 5.6 4.9 4.8
240 or More 6.7 10.2 14.7 5.4 22.6 13.4 27.6 12.2 9.7 18.3 9.5 12.2 14.4
Total 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
C
h
a
p
t
e
r

6
:

S
t
a
f
f
i
n
g

a
n
d

P
r
o
f
e
s
s
i
o
n
a
l

D
e
v
e
l
o
p
m
e
n
t

2
7
3
T
h
e

I
n
s
t
i
t
u
t
e

o
f

I
n
t
e
r
n
a
l

A
u
d
i
t
o
r
s

R
e
s
e
a
r
c
h

F
o
u
n
d
a
t
i
o
n
Table 6-7-2-A
CAE Respondents in Percentages by Groups*
None 0.5 0.0 1.4 1.0 1.7 0.6 0.0 1.3 4.8 2.3 0.0 0.0 2.1
1-39 6.5 12.2 8.2 40.4 7.9 16.7 6.9 15.2 19.0 11.6 15.6 0.0 17.5
40-79 21.3 25.6 23.8 21.2 14.1 31.4 15.3 30.7 26.2 23.3 28.6 14.3 19.6
80-119 13.9 12.2 13.6 18.3 23.7 16.7 13.0 20.5 16.7 18.6 13.0 57.1 19.6
120-159 34.7 19.5 21.1 9.6 17.5 18.6 18.3 14.9 9.5 14.0 20.8 0.0 21.7
160-199 7.2 4.9 5.4 1.9 7.3 3.8 2.3 1.7 2.4 2.3 2.6 0.0 2.8
200-239 6.8 11.0 8.2 1.9 7.9 3.2 9.2 4.0 4.8 9.3 10.4 14.3 5.6
240 or More 9.1 14.6 18.3 5.7 19.9 9.0 35.0 11.7 16.6 18.6 9.0 14.3 11.1
Total 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
2
7
4

A

G
l
o
b
a
l

S
u
m
m
a
r
y

o
f

t
h
e

C
o
m
m
o
n

B
o
d
y

o
f

K
n
o
w
l
e
d
g
e

2
0
0
6
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
T
h
e

I
n
s
t
i
t
u
t
e

o
f

I
n
t
e
r
n
a
l

A
u
d
i
t
o
r
s

R
e
s
e
a
r
c
h

F
o
u
n
d
a
t
i
o
n
Table 6-7-3-A
Audit Manager Respondents in Percentages by Groups*
None 0.7 0.0 2.5 0.0 1.0 2.0 1.5 1.8 0.0 0.0 1.4 0.0 2.0
1-39 7.4 9.8 14.5 28.9 6.0 6.9 3.6 17.3 13.0 0.0 23.0 15.4 22.3
40-79 20.2 21.6 26.0 33.3 23.0 19.6 16.8 25.3 26.1 27.3 24.3 0.0 18.9
80-119 15.0 27.5 12.5 13.3 20.0 27.5 15.3 17.8 17.4 22.7 16.2 15.4 20.3
120-159 35.8 21.6 17.5 20.0 19.0 22.5 18.2 11.6 13.0 18.2 17.6 53.8 12.2
160-199 7.6 3.9 4.5 0.0 9.0 2.9 5.8 4.9 8.7 0.0 4.1 0.0 3.4
200-239 5.9 9.8 5.5 0.0 6.0 6.9 8.8 6.7 17.4 9.1 5.4 7.7 5.4
240 or More 7.4 5.8 17.0 4.5 16.0 11.8 29.9 14.7 4.3 22.7 8.1 7.7 15.5
Total 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
C
h
a
p
t
e
r

6
:

S
t
a
f
f
i
n
g

a
n
d

P
r
o
f
e
s
s
i
o
n
a
l

D
e
v
e
l
o
p
m
e
n
t

2
7
5
T
h
e

I
n
s
t
i
t
u
t
e

o
f

I
n
t
e
r
n
a
l

A
u
d
i
t
o
r
s

R
e
s
e
a
r
c
h

F
o
u
n
d
a
t
i
o
n
Table 6-7-4-A
Audit Senior/Supervisor Respondents in Percentages by Groups*
None 0.8 0.0 1.6 0.0 0.0 0.0 2.3 2.0 6.5 0.0 2.4 0.0 1.8
1-39 9.2 15.2 17.4 28.8 11.9 7.8 10.5 16.8 29.0 14.3 19.0 22.2 21.6
40-79 25.4 15.2 33.7 27.4 20.3 31.4 16.3 22.8 29.0 25.0 21.4 44.4 19.9
80-119 18.9 30.4 17.9 21.9 16.1 15.7 17.4 17.8 19.4 21.4 26.2 11.1 17.5
120-159 28.3 17.4 10.3 8.2 16.1 15.7 15.7 20.8 6.5 7.1 14.3 11.1 12.3
160-199 5.6 4.3 4.9 6.8 5.6 7.8 5.8 3.0 0.0 3.6 2.4 0.0 3.5
200-239 6.2 6.6 3.3 2.7 3.5 3.9 11.1 4.6 6.5 7.1 2.4 0.0 4.7
240 or More 5.6 10.9 10.9 4.2 26.5 17.7 20.9 12.2 3.1 21.5 11.9 11.2 18.7
Total 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
2
7
6

A

G
l
o
b
a
l

S
u
m
m
a
r
y

o
f

t
h
e

C
o
m
m
o
n

B
o
d
y

o
f

K
n
o
w
l
e
d
g
e

2
0
0
6
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
T
h
e

I
n
s
t
i
t
u
t
e

o
f

I
n
t
e
r
n
a
l

A
u
d
i
t
o
r
s

R
e
s
e
a
r
c
h

F
o
u
n
d
a
t
i
o
n
Table 6-7-5-A
Audit Staff in Percentages by Groups*
None 1.3 6.3 3.3 2.2 5.0 0.0 0.0 0.5 0.0 3.2 4.2 0.0 4.6
1-39 16.3 12.5 15.8 40.2 14.9 20.0 10.0 17.1 38.1 12.9 29.2 0.0 23.5
40-79 27.0 31.3 30.0 27.2 16.8 11.7 20.0 32.1 14.3 25.8 16.7 28.6 21.8
80-119 20.8 25.0 17.5 10.9 11.9 13.3 12.5 19.2 9.5 19.4 25.0 28.6 15.5
120-159 22.1 18.8 12.5 9.8 11.9 20.0 20.0 13.0 14.3 19.4 8.3 14.3 13.0
160-199 3.4 0.0 4.2 1.1 5.0 3.3 2.5 3.6 9.5 6.5 4.2 0.0 0.8
200-239 4.7 6.1 4.2 2.2 6.9 8.3 5.0 4.1 0.0 0.0 0.0 0.0 5.0
240 or More 4.4 0.0 12.5 6.4 27.6 23.4 30.0 10.4 14.3 12.8 12.4 28.5 15.8
Total 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
C
h
a
p
t
e
r

6
:

S
t
a
f
f
i
n
g

a
n
d

P
r
o
f
e
s
s
i
o
n
a
l

D
e
v
e
l
o
p
m
e
n
t

2
7
7
T
h
e

I
n
s
t
i
t
u
t
e

o
f

I
n
t
e
r
n
a
l

A
u
d
i
t
o
r
s

R
e
s
e
a
r
c
h

F
o
u
n
d
a
t
i
o
n
Table 6-7-6-A
Other Respondents in Percentages by Groups*
None 5.5 9.1 15.4 2.8 2.3 0.0 6.9 10.0 0.0 0.0 14.3 20.0 15.9
1-39 14.1 27.3 15.4 27.8 13.6 29.6 20.7 24.0 16.7 53.8 21.4 20.0 24.6
40-79 25.9 0.0 17.9 27.8 25.0 22.2 20.7 30.0 33.3 7.7 35.7 20.0 18.8
80-119 15.7 27.3 12.8 22.2 20.5 14.8 10.3 12.0 0.0 23.1 7.1 0.0 13.0
120-159 22.7 18.2 15.4 8.3 9.1 18.5 3.4 8.0 50.0 0.0 7.1 20.0 17.4
160-199 5.9 0.0 7.7 2.8 4.5 3.7 3.4 2.0 0.0 0.0 7.1 20.0 2.9
200-239 3.1 9.1 0.0 2.8 2.3 3.7 13.8 2.0 0.0 0.0 0.0 0.0 1.5
240 or More 7.1 9.0 15.4 5.5 22.7 7.5 20.8 12.0 0.0 15.4 7.3 0.0 5.9
Total 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
2
7
8

A

G
l
o
b
a
l

S
u
m
m
a
r
y

o
f

t
h
e

C
o
m
m
o
n

B
o
d
y

o
f

K
n
o
w
l
e
d
g
e

2
0
0
6
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
_
T
h
e

I
n
s
t
i
t
u
t
e

o
f

I
n
t
e
r
n
a
l

A
u
d
i
t
o
r
s

R
e
s
e
a
r
c
h

F
o
u
n
d
a
t
i
o
n

CONTENTS
Chapter 7

Chapter 7: Internal Audit Skills ............................................................................................ 279
Introduction......................................................................................................................... 279
Technical Skills................................................................................................................... 281
Behavioral Skills................................................................................................................. 289
Summary............................................................................................................................. 299
Appendix 7.......................................................................................................................... 300

Disclosure


profession.
_______________________________________________ Chapter 7: Internal Audit Skills 279
CHAPTER 7
INTERNAL AUDIT SKILLS
Introduction
Recognizing the evolutionary nature of the profession, this chapter summarizes the skills internal
auditors are expected to possess today while they perform as internal auditors in their IAA or for
client organizations. All respondents were provided with a list of technical and behavioral skills
developed from the International Standards for the Professional Practice of Internal Auditing
(Standards), Practice Advisories, internal auditing literature, past CBOK studies, and the CBOK
2006 pilot study. Respondents were unable to amend or change the list of skills provided in the
CBOK 2006 survey. As a guide when answering the survey questions, respondents were given the
following definition of technical skills: using terminology or subject matter in a particular field.
Behavioral skills were defined in the survey as actions toward others measured by commonly
accepted standards and management of ones own actions.
Not all of those that participated in the survey answered all of the questions asked. Results
question.
not CAEs).
These more detailed summaries of results may be provided for the four categories of respondents:
CAEs, Audit Managers, Audit Seniors/Supervisors, and Audit Staff.
related table would be 7-4-2. Additional related tables may be located in Appendix 7 at the end of
this chapter. A table that is in the Appendix can be clearly identified by an A at the end of its
number. For example, Table 7-1-1-A is located in Appendix 7.
The possession and use of certain behavioral and technical skills are necessary elements for
internal audit practitioners to achieve a high level of quality performance in their internal auditing
work. The Standards and Practice Advisories each indicate specific skills that are appropriate for
internal auditors to possess. Standard 1220, Due Professional Care, requires internal auditors to
apply the care and skill expected of a reasonably prudent and competent internal auditor. Standard
1210, Proficiency, states, Internal auditors should possess the knowledge, skills, and other
competencies needed to perform their individual responsibilities. The standard continues, The
internal audit activity collectively should possess or obtain the knowledge, skills, and other
competencies needed to perform its responsibilities.
The possession and application of technical skills enable internal auditors to achieve a high level of
performance in their activities. The selection of technical skills in the survey is supported by the
Standards and Practice Advisories which emphasize certain technical skills:
Attribute Standard 1210.A2 The internal auditor should have sufficient knowledge to
identify the indicators of fraud...
Attribute Standard 1210.A3 Internal auditors should have knowledge of key information
technology risks and controls...
Performance Standard 2120.A1 ...the internal audit activity should evaluate the adequacy
and effectiveness of controls...
Performance Standard 2210.A1 Internal auditors should conduct a preliminary assessment
of the risks relevant to the activity under review
Performance Standard 2320 Internal auditors should base conclusions and engagement
results on appropriate analyses and evaluations.
The objectives for this survey question were to understand the current skill framework of technical
and behavioral skills necessary for internal auditors to successfully perform their jobs in their
position within the internal audit activity (IAA). Figure 7-1 lists the technical and behavioral skills
included in CBOK 2006.
Figure 7-1
Technical and Behavioral Skills
Data collection and analysis
Financial analysis
Forensic skills/fraud awareness
Identifying types of controls
Interviewing
ISO/quality knowledge
Negotiating
Research skills
Risk analysis
Statistical sampling
Total quality management
Understanding business
Use of information technology
Confidentiality
Facilitating
Governance and ethics sensitivity
Interpersonal skills
Leadership
Objectivity
Relationship building
Staff management
Team building
Team player
Working independently
Work well with all levels of management
Technical Skills
CAE Respondents
Chief audit executives (CAEs) were asked to identify the five most important technical and
behavioral skills they need to possess in order to be successful as the leader of their IAA. They
were also asked to identify the five most important technical and behavioral skills that the Audit
Technical
Skills
Behavioral
Skills
Managers, Audit Seniors/Supervisors, and Audit Staff each need to perform their jobs. The results
can be used to identify similarities among the CAEs responses.
Table 7-1 shows the CAEs selection of the five most important technical skills by staff level from
the 13 listed in the questionnaire. Understanding the business and risk analysis are skills that on
average get the highest scores. There is no individual technical skill that is highly rated by CAE
respondents for all staff levels in the IAA. The higher the percentages in Table 7-1 for each
technical skill the more CAEs agreed on the importance of that skill.
Table 7-1
Most Important Technical Skills by Staff Level
Technical Skills CAE Audit Audit Audit
Supervisor
Data collection and analysis 15.2 14.7 33.9 77.6
Financial analysis 35.9 35.4 36.4 35.1
Forensic skills/fraud awareness 43.2 38.7 31.7 20.9
Identifying types of controls 30.8 33.6 45.2 52.1
Interviewing 37.7 37.8 44.1 58.3
ISO/quality knowledge 18.9 16.0 10.7 7.6
Negotiating 68.7 49.5 23.5 7.3
Research skills 20.8 19.6 29.9 41.5
Risk analysis 74.9 59.0 41.3 27.5
Statistical sampling 6.5 8.8 20.7 29.5
Total quality management 33.4 21.0 10.6 3.7
Understanding the business 78.3 58.6 43.9 45.5
Use of information technology 28.3 30.4 37.3 51.4
CAE
At the CAE position, high-level technical skills are vital for the IAA to be successful. For their own
category, the technical skills most commonly chosen as important are:
Understanding the business (78.3%).
Risk analysis (74.9%).
Negotiating (68.7%).
Forensic skills/fraud awareness (43.2%).
Interviewing (37.7%).
From the list provided, the CAEs indicate that understanding the business (78.3%), risk analysis
(74.9%), and negotiating (68.7%) are especially important technical skills they need to perform
their role in the IAA. These results are in accordance with Performance Standard 2010, Planning,
and its related Practice Advisories that require the CAE to establish a risk-based audit plan to
determine the priorities of the internal audit activity. As this is a high-level technical skill, it is
appropriate that it is not vital at lower staff levels. Forensic skills/fraud awareness skills were also
commonly chosen as important (43.2%). This seems appropriate as Standard 2210A.2 requires
the internal auditor to consider for all assurance engagements the probability of significant errors,
irregularities, noncompliance, and other exposures when developing the engagement objectives.
Audit Manager
For the Audit Manager category, the technical skills most commonly chosen as important by CAEs
are:
Risk analysis (59%).
Negotiating (49.5%).
Forensic skills/fraud awareness (38.7%).
For Audit Managers, risk analysis (59%) and understanding the business (58.6%) are critical for
successful performance of duties. CAEs also identified negotiating (49.5%) as an important technical
skill for Audit Managers, although there is a more than 19% decrease in the importance of this skill
from the CAE level. The most commonly chosen technical skills are the same at both the CAE and
the Audit Manager level.
Audit Senior/Supervisor
For the Audit Senior/Supervisor category, the technical skills that were most commonly chosen by
CAEs as important are:
Identifying types of controls (45.2%).
Risk analysis (41.3%).
Use of information technology (37.3%).
Some technical skills become less important at the Audit Senior/Supervisor level than the Audit
Manager level. One example shown in Table 7-1 is forensic skill/fraud awareness, which decreases
from 38.7% at the Audit Manager level to 31.7% at the Audit Senior/Supervisor level. Another
decrease is found in risk analysis, which decreases from 59.0% at the Audit Manager level to
41.3% at the Audit Senior/Supervisor level. Understanding the business follows the same pattern,
decreasing from 58.6% at the Audit Manager level to 43.9% at the Audit Senior/Supervisor level.
There are also some technical skills that are newly identified as important by CAEs when they
considered the Audit Senior/Supervisor level. Identifying types of controls (45.2%) and the use of
information technology (37.3%) were chosen by CAEs as important to the Audit Senior/Supervisor
level.
Audit Staff
For the Audit Staff category, the technical skills that were most commonly chosen by CAEs as
important are:
Data collection and analysis (77.6%).
Identifying types of controls (52.1%).
Use of information technology (51.4%).
CAE respondents indicate that the technical skills needed by each staff level change as they
progress to higher staff levels. For example, while 77.6% of the CAEs selected data collection and
analysis as an important technical skill for the Audit Staff, only 14.7% indicate that it is important
for Audit Managers, and 15.2% selected it as important for CAEs. For negotiating, 68.7 % feel
that it is important for CAEs and only 7.3% note that it is considered an important technical skill for
the Audit Staff.
Identifying types of controls was identified by CAEs as slightly increasing in importance from
45.2% at the Audit Senior/Supervisor level to 52.1% at the Audit Staff level. Interviewing also
shows an increase from 44.1% at the Audit Senior/Supervisor level to 58.3% at the Audit Staff
level. The use of information technology shows a relatively large increase from 37.3% at the Audit
Senior/Supervisor level to 51.4% at the Audit Staff level.
In Appendix 7, Tables 71-1-A (CAEs), 7-1-2-A (Audit Managers), 7-1-3-A (Audit Seniors/
Supervisors), and 7-1-4-A (Audit Staff) show CAE responses for technical skills broken out for
the 13 groups. Overall the tabulation by CAE by groups agrees with the top five technical skills for
each staff level. These results clearly indicate that the CAE respondents believe that the technical
skills appropriate for success in the IAA differ at various staff levels in the IAA.
Practitioner Respondents
While CAEs ranked the five most important technical skills for all staff levels including themselves,
the Practitioners were asked to indicate the importance of all thirteen technical skills to perform
their work at their current staff position. The practitioner respondents indicated importance of the
technical skill to them on a scale of 1 (minimally important) to 5 (very important). Table 7-2 divides
the mean responses into the three staff levels: Audit Manager, Audit Senior /Supervisor, and Audit
Staff. The results for technical skills show little variation by staff levels. The skills that consistently
get the highest mean scores from the Practitioner respondents are data collection and analysis,
identifying types of controls, interviewing, research skills, risk analysis, and understanding the
business. The higher the mean in Table 7-2 for each technical skill the more Practitioners agreed
on the importance of that skill.
Table 7-2
Importance to Respondent of Technical Skills to Perform Work
Practitioner Respondents by Means*
Technical Skills Audit Audit Audit
Supervisor
Data collection and analysis 4.1 4.3 4.4
Financial analysis 3.8 3.9 3.7
Forensic skills/fraud awareness 3.6 3.6 3.6
Identifying types of controls 4.3 4.2 4.1
Interviewing 4.3 4.3 4.3
ISO/quality knowledge 2.9 2.9 3.0
Negotiating 3.7 3.6 3.5
Research skills 3.9 4.0 4.0
Risk analysis 4.4 4.3 4.2
Statistical sampling 3.2 3.3 3.5
Total quality management 2.9 2.9 3.0
Understanding the business 4.5 4.4 4.3
Use of information technology 4.1 4.1 4.1
Note: Not all respondents answered for all the skills. Total number of respondents was between 4,686 and 4,756.
The skills related to quality (ISO/quality knowledge and TQM) received the lowest ranking of all
the skills for all three professional levels in the IAA.
In Table 7-2-1, the main differences that emerge by comparing group data are those skills that are
generally not considered as important by Practitioners: statistical sampling, total quality management,
and negotiating. Group 9 considers statistical sampling to be very important (mean of 3.9) while
group 10 has a much lower mean (2.8). Group 12 differs from the others for TQM with a mean of
3.4 which is very different than group 10s mean of 2.4. Negotiating gets its highest score in groups
2, 3, and 7 (4.0) while group 10 gives this skill a much lower value (2.9).
Table 7-2-1
Importance to Respondent of Technical Skills to Perform Work by Groups*
Practitioner Respondents in Means**
Technical Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C***
Data collection and 4.2 4.0 4.2 4.4 4.5 4.0 4.6 4.2 4.4 4.2 4.3 4.5 4.3
analysis
Financial analysis 3.8 3.5 3.8 4.0 3.9 3.4 4.1 3.5 4.2 3.4 4.3 4.1 3.9
Forensic skills/fraud 3.6 3.4 3.5 3.9 3.7 3.3 3.8 3.3 4.0 3.3 3.5 3.8 3.7
awareness
Identifying types of 4.3 4.4 4.4 4.1 4.1 3.8 4.41 3.8 4.4 4.2 4.2 4.5 4.1
controls (e.g.,
preventative, detective)
Interviewing 4.4 4.3 4.4 3.9 4.4 4.4 4.3 4.2 4.1 4.4 4.3 4.2 4.1
ISO/quality knowledge 2.8 2.8 3.1 3.4 3.0 2.6 3.4 2.8 3.0 2.6 3.1 3.3 3.3
Negotiating 3.5 4.0 4.0 3.7 3.9 3.5 4.0 3.4 3.9 2.9 3.8 3.6 3.7
Research skills 4.0 3.9 3.9 3.7 4.1 3.7 4.1 3.7 4.3 3.1 3.8 3.8 3.9
Risk analysis 4.2 4.4 4.4 4.2 4.4 4.3 4.5 4.4 4.3 4.5 4.3 4.2 4.2
Statistical sampling 3.2 3.0 3.2 3.5 3.5 2.9 3.7 3.3 3.9 2.8 3.5 3.8 3.5
Total quality 2.9 2.7 3.1 3.2 3.1 2.6 3.3 2.7 3.3 2.4 3.2 3.4 3.1
management
Understanding 4.7 4.5 4.6 4.3 4.3 4.5 4.5 4.2 4.5 4.6 4.5 4.5 4.4
business
Use of information 4.1 3.9 4.3 4.0 4.1 3.9 4.4 4.0 4.2 4.2 4.1 4.0 4.2
technology
**The mean is the average response to: 1 =minimally important to 5 =very important.
To add to the understanding of the importance placed by the Practitioners on the different technical
skills by staff level, the data from Table 7-2 is displayed in rank order by staff level in Table 7-3. In
Table 7-3, the technical skills are ranked from 1 (most important) through 13 (least important).
There is a high level of consistency in the ranking of technical skills among the three staff levels
(Audit Manager, Audit Senior/Supervisor, and Audit Staff). The relative decreasing importance of
certain skills as one achieves higher staff levels in the IAA is only indicated for data collection and
analysis. There is only slightly more importance of risk analysis and identifying types of controls as
one achieves higher staff levels in the IAA.
Table 7-3
Rankings of Technical Skills by Staff Level
Practitioner Respondents by Rank
Technical Skills Audit Audit Senior/ Audit
Manager Supervisor Staff
Data collection and analysis 5/6 2/3/4 1
Financial analysis 8 8 8
Forensic skills/fraud awareness 10 9/10 9
Identifying types of controls 3/4 5 5/6
Interviewing 3/4 2/3/4 2/3
ISO/quality knowledge 12/13 12/13 12/13
Negotiating 9 9/10 10/11
Research skills 7 7 7
Risk analysis 2 2/3/4 4
Statistical sampling 11 11 10/11
Total quality management 12/13 12/13 12/13
Understanding the business 1 1 2/3
Use of information technology 5/6 6 5/6
Note: In some cases the rankings are tied. For example, rankings of Data Collection and
Analysis and Use of Information Technology at the Audit Manager level are tied.
Behavioral Skills
CAE Respondents
For an IAA to be successful, internal auditors must possess the appropriate level of skills that are
fundamental for performance of their work (Standard 1210, Proficiency). From the twelve behavioral
skills that were listed in the survey question, CAEs were asked to indicate the five most important
for various professional staff levels in the IAA. The results can be used to identify similarities
among the CAEs responses.
Table 7-4 provides an overall view of the skills that CAEs chose as important for those performing
internal auditing activities at the CAE, Audit Manager, Audit Senior/Supervisor, and Audit Staff
levels in the IAA. Their responses are presented in percentages by frequency of response for
those that answered the question. The higher the percentages in Table 7-4 for each behavioral skill
the more CAEs agreed on the importance of that skill. CAEs selected confidentiality first or
second for all staff levels with a low of 53.2% for Audit Managers to a high of 73.4% for the Audit
Staff. CAEs also selected objectivity (45.7% to 73.7%) and interpersonal skills (44% to 67.4%) as
highly needed behavioral skills for all staff levels.
Table 7-4
Most Important Behavioral Skills by Staff Level
Behavioral Skills CAE Audit Audit Audit
Supervisor
Confidentiality 68.7 53.2 56.2 73.4
Facilitating 34.3 33.3 28.6 13.4
Governance and ethics sensitivity 54.8 32.0 23.5 24.1
Interpersonal skills 49.0 44.0 49.9 67.4
Leadership 75.1 48.8 21.8 3.4
Objectivity 58.2 45.7 54.3 73.7
Relationship building 44.7 30.9 24.7 29.0
Staff management 34.8 44.0 30.1 2.2
Team building 32.9 39.4 30.8 7.8
Team player 15.2 18.4 34.9 65.2
Work well with all levels of management 58.3 42.6 35.2 40.3
Working independently 18.9 16.9 26.4 55.6
Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.
The importance of objectivity and confidentiality is supported by many references in the Professional
Practices Framework. Objectivity and confidentiality are two of the four principles in The IIAs
Code of Ethics. The IIAs Code of Ethics states for objectivity, Internal auditors exhibit the highest
level of professional objectivity in gathering, evaluating, and communicating information about the
activity or process being examined. For confidentiality, The IIAs Code of Ethics states, Internal
auditors respect the value and ownership of information they receive and do not disclose information
without appropriate authority unless there is a legal or professional obligation to do so. According
to the Code, internal auditors must be prudent in their use and protection of information acquired.
Information cannot be used for personal gain or in a way that would be against the law or hurt the
organization.
The following discusses the CAEs rankings by staff level based on Table 7-4.
CAE
The behavioral skills CAEs commonly chose as important at their level are:
Leadership (75.1%).
Confidentiality (68.7%).
Work well with all levels of management (58.3%).
Objectivity (58.2%).
Governance and ethics sensitivity (54.8%).
For CAEs, the importance of relationships and leadership skills instead of skills emphasizing their
own individual success is supported in Standards 2440, Disseminating Results, 2500, Monitoring
Progress, and 2600, Resolution of Managements Acceptance of Risks. Each requires the CAE to
communicate with management and monitor progress. Practice Advisory 2340-1 states that the
CAE, Is responsible for assuring that appropriate engagement supervision is provided. CAEs did
not commonly choose as important behavioral skills such as team player (15.2%) and working
independently (18.9%).
Audit Manager
The most important behavioral skills that CAEs commonly believe Audit Managers should possess
at their level are:
Leadership (48.8%).
Interpersonal skills (44.0%).
Staff management (44.0%).
Works well with all levels of management (42.6%).
The importance of staff management skills at higher levels in the IAA is consistent with Standard
2340, which states that engagements should be properly supervised to ensure objectives are
achieved... Based on Standard 2030, Resource Management, if they are managing the engagement
properly, they are ensuring that the staff is effectively deployed to achieve the approved plan.
Progression in hierarchical position in the IAA from Audit Staff to Audit Manager results in a
relative decrease in importance of the percentage ranking for confidentiality, objectivity, interpersonal
skills, and team player as shown by the percentages attributed to each.
For the Audit Senior/Supervisor level, the behavioral skills chosen by CAEs as important include:
Work well with all levels of management (35.2%).
Team player (34.9%).
Comparing four of the behavioral skills CAEs chose as important for the Audit Manager and Audit
Senior/Supervisor levels, confidentiality is important at all levels. This holds true when comparing
the Audit Manager (53.2%) and the Audit Senior/Supervisor (56.2%) levels. Objectivity is also
relatively close in importance at both levels (45.7% and 54.3%). Interpersonal skills show close
alignment for the Audit Manager (44.0%) and Audit Senior/Supervisor (49.9%) levels. Work well
with all levels of management is also commonly chosen as important by CAEs for both of these
levels (42.6% ad 35.2%).
Audit Staff
A comparison of the CAEs responses regarding the important behavioral skills related to the four
staff levels reveals some noticeable differences. For the Audit Staff, the most commonly chosen
behavioral skills CAEs believe they should possess are:
Team player (65.2%).
Working independently (55.6%).
Skills indicated by CAEs as not critical for Audit Staff members to possess at this point in their
internal auditing career are staff management (2.2%), leadership (3.4%), and team building (7.8%).
In Table 7-4, when comparing results for Audit Seniors/Supervisors and Audit Staff to those of
Audit Managers, CAE respondents choices show a trend of increasing importance for:
Leadership (3.4% to 48.8%).
Staff management (2.2% to 44.0%).
Team building (7.8% to 39.4%).
Facilitating (13.4% to 33.3%).
CAE Respondents by Staff Level for Groups
Tables 7-4-1 (CAEs), 7-4-2 (Audit Managers), 7-4-3 (Audit Seniors/Supervisors), and 7-4-4 (Audit
Staff) show the selections by CAEs by groups of the most commonly chosen behavioral skills.
Table 7-4-1 shows the behavioral skills CAEs by group chose as important for the performance of
their job. Variability of results relate predominantly to facilitating, works well with all levels of
management, governance and ethics sensitivity, and staff management.
Table 7-4-1
Most Important Behavioral Skills
for CAEs by Groups*
Behavioral Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Confidentiality 65.2 66.7 67.9 74.4 72.7 71.5 81.6 75.9 62.5 50.0 72.5 62.5 61.1
Facilitating 32.2 34.6 32.1 33.7 52.1 38.7 28.9 37.2 30.0 14.3 24.6 50.0 33.6
Governance and ethics 48.0 59.3 53.7 73.3 50.3 54.7 69.3 63.5 65.0 40.5 68.1 75.0 52.7
sensitivity
Interpersonal skills 52.6 59.3 53.0 54.7 50.9 40.9 46.5 39.8 35.0 45.2 59.4 37.5 40.5
Leadership 78.4 75.3 88.1 64.0 66.7 72.3 78.9 75.6 80.0 57.1 78.3 75.0 60.3
Objectivity 52.0 56.8 53.7 65.1 70.3 59.1 64.9 64.7 65.0 54.8 65.2 75.0 57.3
Relationship building 45.8 60.5 63.4 36.0 40.0 38.7 44.7 42.5 32.5 38.1 46.4 37.5 37.4
Staff management 26.1 29.6 36.6 30.2 58.8 43.8 33.3 51.5 27.5 28.6 33.3 12.5 28.2
Team building 28.4 33.3 32.8 45.3 41.2 24.8 33.3 44.4 37.5 19.0 29.0 37.5 31.3
Team player 8.2 13.6 13.4 20.9 27.9 10.2 37.7 22.2 7.5 9.5 17.4 12.5 17.6
Working independently 10.9 19.8 12.7 36.0 29.1 19.7 25.4 25.6 25.0 19.0 21.7 25.0 26.7
Work well with all levels 64.0 65.4 59.7 47.7 69.1 56.9 48.2 41.0 55.0 76.2 65.2 50.0 47.3
of management
In Table 7-4-2 for Audit Managers, CAEs in group 4 indicate that governance and ethics sensitivity
(60.5%) and leadership (69.8%) are commonly important for Audit Managers. Governance and
ethics sensitivity is one of the most important behavior skills for only 21.6% of the CAE respondents
belonging to group 1. Leadership is considered an important skill by CAEs for Audit Managers for
only 33.3% of respondents in group 10. A major difference between CAE respondents by group is
for facilitating, which is identified as much less important in group 10. Staff management skills are
commonly chosen as important by CAEs in group 3 (59.7%) but not by CAEs in group 10 (23.8%).
Table 7-4-2
for Audit Manager by Groups*
Facilitating 29.3 30.9 38.1 46.5 42.4 30.7 34.2 35.7 45.0 9.5 36.2 50.0 32.8
sensitivity
Leadership 49.9 37.0 46.3 69.8 50.9 35.8 57.9 44.7 50.0 33.3 59.4 50.0 47.3
Objectivity 41.4 46.9 49.3 43.0 49.1 43.8 56.1 47.4 52.5 40.5 60.9 87.5 43.5
Team building 38.3 33.3 43.3 55.8 39.4 41.6 35.1 43.6 27.5 40.5 40.6 25.0 31.3
Team player 11.4 16.0 19.4 16.3 27.3 13.1 37.7 27.1 15.0 14.3 24.6 12.5 23.7
Work well with all 47.5 49.4 56.0 38.4 38.8 31.4 38.6 33.1 27.5 42.9 52.2 25.0 36.6
levels of management
Table 7-4-3 highlights the CAEs responses for Audit Seniors/Supervisors. With the exception of
CAEs in groups 4, 5, and 12, there is remarkable consistency among CAEs in the groups. The main
differences are for staff management and leadership. For CAEs in group 4, these two skills are
considered quite important (53.5% and 46.5%) while group 5 indicates that these skills are not
important for Audit Seniors/Supervisors (13.9% and 7.9%). The percentages from Table 7-4 for
these two categories are respectively 30.1% and 21.8%. Another large difference relates to
facilitating where group 4 considers this much more important (57%) than group 10 (19%).
Table 7-4-3
for Audit Seniors/Supervisors by Groups*
Facilitating 24.3 27.2 25.4 57.0 35.2 31.4 31.6 26.3 37.5 19.0 42.0 37.5 25.2
sensitivity
Leadership 20.9 14.8 17.9 46.5 7.9 17.5 36.8 19.9 27.5 21.4 27.5 25.0 28.2
Objectivity 52.0 51.9 54.5 40.7 53.3 62.8 57.9 58.6 60.0 40.5 62.3 100.0 55.0
Team building 33.3 29.6 29.9 46.5 17.0 24.8 31.6 28.9 42.5 16.7 33.3 25.0 33.6
Team player 29.1 27.2 43.3 27.9 32.1 38.0 56.1 41.4 45.0 28.6 44.9 50.0 34.4
In Table 7-4-4 (Audit Staff) there are uniformly low indicators of importance for staff management,
leadership, team building, and facilitating. Group 6 believes that working independently is important
for Audit Staff (70.8%) while group 7 considers this skill much less important (35.1%). Being a
team player is vital for CAEs in group 7 (72.8%) and much less important in group 9 (37.5%).
Whereas CAEs in group 9 believe that governance and ethics sensitivity is very important (45.0%)
for Audit Staff when compared to the average 24.1% in Table 7-4, CAEs in group 12 show the
lowest percentage for this skill (12.5%). CAEs range of percentages for objectivity is 100% for
group 12, 82.5% for group 7, and 52.3% for group 4. The percentage from Table 7-4 is 73.7%.
Works well with all levels of management ranges from a low of 12.5% in group 12 to a high of
52.3% in group 4.
Table 7-4-4
for Audit Staff by Groups*
Facilitating 9.0 8.6 7.5 32.6 23.0 10.2 16.7 16.5 15.0 14.3 20.3 0.0 15.3
sensitivity
Leadership 2.9 2.5 2.2 4.7 1.8 0.7 13.2 2.3 7.5 0.0 2.9 0.0 6.1
Objectivity 76.2 61.7 77.6 52.3 69.1 75.2 82.5 75.6 80.0 71.4 72.5 100.0 65.6
Team building 5.1 8.6 4.5 22.1 17.0 2.9 8.8 8.3 10.0 4.8 8.7 0.0 10.7
Team player 65.9 59.3 71.6 61.6 72.1 65.7 72.8 68.4 37.5 45.2 59.4 75.0 55.7
Practitioners were asked to indicate the importance of each of the twelve behavioral skills to
perform their work at their current position in their organization. These respondents were asked to
use a scale of importance from 1 (minimally important) to 5 (very important). The data is divided
into the three staff levels: Audit Manager, Audit Senior/Supervisor, and Audit Staff. The higher the
mean in Table 7-5 for each behavioral skill the more Practitioners agreed on the importance of that
skill.
Practitioners consider almost all of the behavioral skills to be important with only marginal differences
in the means. The only skill categories with ratings below 4.0 are:
Staff management (the lowest score of all categories analyzed).
Facilitating (among the lowest scores given a skill by all respondents).
Leadership and team building (a mean lower than 4.0 only for the Audit Staff category).
Table 7-5
Importance of Behavioral Skills to Perform Work
Practitioner Respondents by Mean*
Behavioral Skills Audit Audit Audit
Supervisor
Confidentiality 4.8 4.8 4.7
Facilitating 4.1 4.0 3.9
Governance and ethics sensitivity 4.4 4.3 4.3
Interpersonal skills 4.6 4.5 4.5
Leadership 4.3 4.1 3.9
Objectivity 4.8 4.8 4.7
Relationship building 4.4 4.4 4.3
Staff management 4.1 3.8 3.5
Team building 4.2 4.0 3.9
Team player 4.3 4.2 4.2
Work well with all levels of management 4.6 4.6 4.5
Working independently 4.2 4.2 4.2
Note: Not all respondents answered for all the skills. Total number of respondents is between 4,742 and 4,790.
The practitioner results highlight many similarities with the CAE respondents. Confidentiality and
objectivity are the skills that practitioners consider the most important for all professional levels.
This is consistent with Practice Advisory 1120-1, Individual Objectivity, which states, Objectivity
is an independent mental attitude which internal auditors should maintain in performing
engagements. Interpersonal skills and works well with all levels of management are also viewed
by respondents as very important to perform audit work.
Table 7-5-1 shows the means of the Practitioner responses by groups. The responses show that all
listed behavorial skills are considered important, regardless of where respondents reside.
Confidentiality and objectivity are the highest ranking skills for all groups. Considering the contents
of The IIAs Code of Ethics and the Standards, the uniformity of this perception among practitioners
globally is very important. Almost universally the lowest rankings by Practitioner groups are for
staff management, facilitating, and leadership. Staff management has a mean of more than 4.0
only for groups 12 and 7. For the other groups, the mean varies from 3.4 for group 10 to 4.0 for
group 3. Regarding leadership, group 12 considers this behavioral skill to be very important (4.6) to
perform audit work, while groups 5 and 6 assign leadership a much lower value (3.7).
Table 7-5-1
Importance of Behavioral Skills to Perform Work by Groups*
Practitioner Respondents in Means**
Behavioral Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C***
Facilitating 4.1 4.1 3.9 3.8 4.1 3.8 4.3 3.9 4.1 3.5 4.0 4.0 4.0
sensitivity
Leadership 4.3 4.3 4.2 4.0 3.7 3.7 4.4 3.8 4.1 3.8 4.2 4.6 4.0
Objectivity 4.7 4.8 4.8 4.7 4.7 4.7 4.8 4.7 4.7 4.8 4.5 4.8 4.7
Team building 4.1 4.0 4.1 4.1 4.0 3.7 4.3 4.0 4.0 3.7 4.1 4.5 4.0
Team player 4.3 4.2 4.2 4.1 4.2 4.0 4.5 4.2 4.1 4.0 4.2 4.4 4.2
**The mean is the average response to: 1 =minimally important to 5 =very important.
Summary
For their own position, CAEs indicate understanding the business and risk analysis as important
technical skills for them to possess. CAEs indicate noticeable difference in technical skills needed
between the various staff levels. Technical skills that are considered more important by CAEs for
the Audit Staff but less vital for themselves are data collection and analysis, identifying types of
controls, and use of information technology. CAEs considered other technical skills, such as
understanding the business, risk analysis, and negotiating, to be more important for themselves but
not as important for the Audit Staff or Audit Seniors/Supervisors.
Practitioners uniformly indicate the need for most of the technical skills and behavioral skills at
their own staff level. Practitioners consider most technical and behavioral skills listed to be important
to perform their work at their current position in the IAA. The results show that the CAEs and
Practitioners almost uniformly consider confidentiality and objectivity to be important behavioral
skills.
APPENDIX 7
Table 7-1-1-A
Most Important Technical Skills
for CAEs by Groups*
Technical Skills 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
analysis
awareness
controls (e.g.,
Interviewing 35.2 46.9 38.8 39.5 47.9 36.5 24.6 40.2 45.0 47.6 33.3 25.0 37.4
Negotiating 70.1 77.8 75.4 54.7 69.1 70.8 65.8 77.4 55.0 57.1 65.2 50.0 49.6
Research skills 14.5 28.4 28.4 19.8 42.4 19.0 20.2 21.8 22.5 9.5 33.3 50.0 16.0
Risk analysis 76.1 80.2 74.6 74.4 69.1 70.8 74.6 82.0 75.0 71.4 78.3 62.5 61.8
Total quality 30.3 24.7 38.1 34.9 50.3 32.1 43.0 28.2 42.5 19.0 46.4 25.0 29.8
management
Understanding the 83.9 86.4 88.8 53.5 65.5 72.3 74.6 83.8 57.5 88.1 82.6 75.0 59.5
business
technology
Table 7-1-2-A
Most Important Technical Skills
for Audit Managers by Groups*
analysis
awareness
controls (e.g.,
Interviewing 35.0 45.7 42.5 47.7 38.8 34.3 23.7 42.5 47.5 35.7 40.6 50.0 39.7
Negotiating 48.1 54.3 59.0 60.5 50.9 46.7 49.1 50.8 45.0 28.6 60.9 62.5 38.2
Research skills 15.8 21.0 22.4 18.6 30.3 17.5 28.1 21.1 10.0 14.3 31.9 25.0 17.6
Risk analysis 59.2 60.5 72.4 64.0 49.7 51.1 64.9 60.9 65.0 47.6 69.6 37.5 48.9
Total quality 16.5 13.6 17.9 48.8 34.5 16.1 24.6 18.8 37.5 16.7 31.9 37.5 18.3
management
Understanding 61.7 65.4 76.9 46.5 50.9 51.1 52.6 60.2 45.0 64.3 63.8 50.0 44.3
business
technology
Table 7-1-3-A
Most Important Technical Skills for
Audit Seniors/Supervisors by Groups*
analysis
awareness
controls (e.g.,
Interviewing 42.6 42.0 53.0 50.0 33.9 52.6 36.8 48.5 32.5 42.9 52.2 37.5 42.7
Negotiating 20.6 24.7 24.6 41.9 15.8 36.5 21.1 23.7 27.5 23.8 33.3 25.0 19.1
Research skills 27.4 29.6 20.1 38.4 37.6 30.7 42.1 36.1 30.0 11.9 26.1 12.5 25.2
Risk analysis 35.3 40.7 57.5 55.8 33.3 38.7 54.4 48.1 35.0 40.5 42.0 37.5 42.7
Total quality 6.0 4.9 11.2 36.0 12.7 6.6 19.3 10.2 17.5 7.1 17.4 12.5 15.3
management
business
technology
Table 7-1-4-A
Most Important Technical Skills for
Audit Staff by Groups*
analysis
awareness
controls (e.g.,
Interviewing 62.1 58.0 70.9 27.9 64.2 64.2 44.7 56.8 32.5 59.5 62.3 62.5 47.3
Negotiating 4.6 8.6 8.21 9.3 14.5 10.2 5.2 9.0 15.0 4.8 11.6 0.0 3.8
Research skills 47.0 42.0 21.6 41.8 51.5 48.9 39.8 39.8 40.0 19.0 18.8 0.0 34.3
Risk analysis 19.8 33.3 40.3 25.6 27.3 24.8 43.0 34.2 42.5 50.0 21.7 25.0 28.2
Total quality 1.1 1.2 3.7 20.9 5.4 2.2 6.1 5.3 7.5 0.0 5.8 0.0 3.8
management
business
technology

CONTENTS
Chapter 8

Chapter 8: Internal Auditor Competencies .......................................................................... 305
Introduction......................................................................................................................... 305
Competencies...................................................................................................................... 307
Areas of Knowledge........................................................................................................... 323
Summary............................................................................................................................. 331
Appendix 8.......................................................................................................................... 332

Disclosure


profession.
______________________________________ Chapter 8: Internal Auditor Competencies 305
CHAPTER 8
INTERNAL AUDITOR COMPETENCIES
Introduction
Internal auditors at all levels need to obtain and develop a range of competencies and knowledge
that enable them to perform their work effectively and enable the internal audit activity (IAA) to
function properly. This chapter summarizes the fundamental competencies and the areas of knowledge
needed by practicing internal auditors today. Competencies range from generally applicable individual
competencies, such as time management and presentation competencies, to abilities such as being
able to work through an issue to find the root cause of a problem area. Internal auditors also must
have different competencies to be successful at a given staff position within the IAA. This chapter
addresses the range of internal audit competencies at the CAE, Audit Manager, Audit Senior/
Supervisor, and Audit Staff levels and areas of knowledge at all staff levels except CAE.
Certain competencies and knowledge are essential for the success of an individual internal auditor,
the audit process, and the overall success of the IAA. Standard 1210, Proficiency, states, Internal
auditors should possess the knowledge, skills, and other competencies needed to perform their
individual responsibilities, and Standard 1230, Continuing Professional Development, states, Internal
auditors should enhance their knowledge, skills, and other competencies through continuing
professional development. Internal auditors must continually update their competencies and
knowledge to remain current. The importance of competencies is also highlighted as one of four
principles in The IIAs Code of Ethics.
Internal auditors at all staff levels need to obtain and develop a range of competencies and abilities
that enable them to perform their work effectively. These competencies range from generally
applicable individual competencies to qualities that are specific to internal auditors. Since Practice
Advisory 1210-1, Proficiency, requires that The internal audit staff should collectively possess the
knowledge and skills essential to the practice of the profession within the organization, each
individual internal auditor need not possess all competencies and abilities in each knowledge area.
It is the responsibility of the CAE to insure that the IAA collectively possesses or have access to
the needed competencies and abilities. When assigning staff to an audit, the CAE must consider
whether they are qualified and competent in the areas being audited. This implies that different
competencies and knowledge are appropriate for those in different staff levels in the IAA. An
assessment of auditor abilities and competencies within the IAA should be completed annually to
ensure the staff remains proficient and current, collectively and individually.
This chapter addresses respondents perception of the importance of a set of competencies and
knowledge areas to their job performance at their staff level in the IAA. Respondents were also
asked to determine those competencies that change in importance as one goes up the IAA hierarchy.
Table 8-1 lists the competencies and knowledge areas developed from The IIAs Standards,
Practice Advisories, internal auditing literature, past CBOK studies, and the CBOK 2006 pilot
study. As a guide for respondents, competencies were defined in the survey as competencies
essential to perform certain tasks. Respondents could not amend or add to the list of competencies
or knowledge areas provided in the survey.
Table 8-1
Competencies and Knowledge Areas Included in the Survey
Competencies Knowledge Areas
Ability to promote the internal audit Accounting
activity within the organization
Analytical (ability to work through Auditing
an issue)
Change management Business law and government regulation
Communication Business management
Conceptual thinking Changes to professional standards
Conflict resolution Enterprise risk management
Critical thinking Ethics
Foreign language skills Finance
Keeping up to date with professional Fraud awareness
changes in opinions, standards, and
regulations
Organization skills Governance
Presentation skills Human resource management
Problem identification and solution Information technology
Project planning and management Internal auditing standards
Report development Managerial accounting
Time management Marketing
Training and developing staff Organization culture
Understanding complex information Organizational systems
systems
Writing skills Strategy and business policy
Technical knowledge for your industry
Not all of those that participated in the survey answered all of the questions asked. Results
question.
not CAEs).
These more detailed summaries of results may be provided for the four categories of respondents:
CAEs, Audit Managers, Audit Senior/Supervisor, and Audit Staff.
For a list of groups, please refer to Appendix 1-B of the report. For example, Table 8-2 is the total
of all respondents for that question with a related table 8-2-1 showing the responses by group. A
table can have more than one related table, where the second related table would be Table 8-2-2.
Additional related tables may be located in Appendix 8 at the end of this chapter. A table that is in
the Appendix can be clearly identified by an A at the end of its number. For example, Table 8-3-
1-A is located in Appendix 8.
Competencies
CAE Respondents
Chief audit executives (CAEs) were asked to identify the five most important competencies they
need to possess in order to be successful as the leader of their IAA. They were also asked to
identify the five most important competencies that Audit Manager, Audit Senior/Supervisor, and
Audit Staff each need to perform their jobs. The results can be used to identify similarities among
the CAEs responses.
Successful completion of the IAA annual plan requires that the internal audit staff possess the
proper competencies crucial for the nature and extent of the activities performed at various levels
of responsibility. Practice Advisory 2030-1, Resource Management, suggests that CAEs select
individuals who are qualified and competent regarding the areas being audited and in applying
internal auditing skills. From the eighteen competencies that were listed in this question, CAEs
were asked to indicate the five most important for various professional staff levels in the IAA.
Table 8-2 provides an overall view of the skills that CAEs commonly chose as important for those
performing internal auditing activities at the CAE, Audit Manager, Audit Senior/Supervisor, and
Audit Staff levels. Their responses are presented in percentages by frequency of response. High
percentages in Table 8-2 indicate the competencies received strong common support from CAEs
regarding the importance of these competencies.
Table 8-2
Most Important Competencies by Staff Level
CAE Respondents (2,092 ) in Percentages
CAE Audit Audit Audit
Supervisor
Ability to promote the internal audit activity within 78.1 28.3 10.9 9.3
the organization
Analytical (ability to work through an issue) 24.9 31.5 47.7 63.9
Change management 34.7 20.4 7.6 4.1
Communication 60.3 46.7 43.2 51.9
Conceptual thinking 38.0 20.7 16.1 17.8
Conflict resolution 41.2 35.3 20.2 7.2
Critical thinking 31.3 26.3 31.0 43.9
Foreign language skills 13.4 10.8 8.1 12.4
Keeping up to date with professional changes in 41.3 31.0 22.9 22.5
opinions, standards, and regulations
Organization skills 30.3 27.9 22.0 20.9
Presentation skills 37.4 25.5 15.5 13.0
Problem identification and solution 21.6 23.8 34.5 47.0
Project planning and management 24.7 35.7 24.3 7.1
Report development 13.0 23.0 27.3 22.1
Time management 15.8 18.7 28.2 40.2
Training and developing staff 30.1 38.2 20.9 2.6
Understanding complex information systems 12.4 14.9 16.1 16.3
Writing skills 23.6 24.2 32.0 51.0
Note: Each CAE respondent was able to select the five most important competencies from the provided list for each staff
level.
CAEs identified communication as highly important for all staff levels. This supports Practice
Advisory 1210-1, Proficiency, which states, Internal auditors should be skilled in oral and written
communication. Foreign language skills was the only competency identified as being of low
importance for all staff levels.
The other 16 competencies show changing relative importance when going up or down the staff
levels of the IAA. This is in keeping with the intent of the Standards, which suggests that skills and
competencies vary in importance among the staff of the IAA.
Important Competencies Identified by CAEs for Staff Levels
As shown in Table 8-2, there is relative consistency in the identification of the most important
competencies for the Audit Staff and the Audit Senior/Supervisor levels. This is not the case for
the Audit Manager and CAE positions which have increasing oversight responsibility.
Keeping current with professional changes is important for all members of the IAA. Standard
1230, Continuing Professional Development, states that internal auditors ...enhance their knowledge,
skills, and other competencies through continuing professional development. Despite the critical
nature of the acquisition of knowledge for the success of the IAA as a whole, this competency was
not commonly indicated by CAE respondents as one of the most important for any of the staff
levels.
CAE
When looking at Table 8-2, the two highest percentages for CAEs are the ability to promote the
IAA within the organization (78.1%) and communication (60.3%). This is consistent with Standard
2000, Managing the Internal Audit Activity, which states that the CAE ...should effectively manage
the internal audit activity to ensure it adds value to the organization. Standard 2020, Communication
and Approval, states, The chief audit executive should communicate the internal audit activitys
plansto senior management and to the board for review and approval. Standard 2060, Reporting
to the Board and Senior Management, states, The chief audit executive should report periodically
to the board and senior management on the internal audit activitys purpose, authority, responsibility,
and performance relative to its plan. Reporting should also include significant risk exposures and
control issues, corporate governance issues, and other matters needed or requested by the board
and senior management.
The major role the CAE respondents identified for themselves is to communicate and promote the
IAA to senior members of management and the board. CAE respondents commonly indicated the
most important competencies that they should possess are:
Ability to promote the IAA within the organization (78.1%).
Communication (60.3%).
Keeping up to date with professional changes in opinions, standards, and regulations (41.3%).
Conflict resolution (41.2%).
Conceptual thinking (38.0%).
While CAEs strongly support their perception of the most important competencies at their level,
the majority of the respondents also show that a wide range of other competencies are valued.
CAEs should also excel in presentation skills (37.4%) and change management (34.7%). CAEs
did not identify time management (15.8%), foreign language skills (13.4%), report development
(13.0%), and understanding complex information systems (12.4%) as important for someone in
their position to possess.
Audit Manager
CAE respondents identified the following competencies as most important for Audit Managers:
Communication (46.7%)
Training and developing staff (38.2%)
Project planning and management (35.7%)
Conflict resolution (35.3%)
Analytical (31.5%)
Keeping up to date with professional changes in opinions, the Standards, and regulations
(31.0%)
Communication skills are perceived by the CAE respondents as an essential part of the Audit
Managers skills. Competencies that CAEs did not identify as critical for Audit Managers are
change management (20.4%), time management (18.7%), understanding complex information
systems (14.9%), and foreign language skills (10.8%).
At the Audit Manager level, some skills learned at lower levels are mastered. As indicated in Table
8-2, skills for which CAE respondents believe relative importance diminishes from Audit Staff to
Audit Manager levels are:
Analytical (from 63.9% to 31.5%).
Writing skills (from 51.0% to 24.2%).
Problem identification and solution (from 47.0% to 23.8%).
Time management (from 40.2% to 18.7%).
Comparing data related to Audit Managers with those of Audit Staff, skills that show a trend of
increasing importance are:
Training and developing staff (2.6% to 38.2%).
Project planning and management (7.1% to 35.7%).
Conflict resolution (7.2% to 35.3%).
Ability to promote the IAA within the organization (9.3% to 28.3%).
For the Audit Senior/Supervisor, CAEs commonly indicated that the most important competencies
were:
Analytical (47.7%).
Communication (43.2%).
Problem identification and solution (34.5%).
Writing skills (32.0%).
Critical thinking (31.0%).
Even though not commonly identified as one of the most important competencies for Audit Senior/
Supervisor, note that CAEs respondents gave higher percentages for report development (27.3%),
project planning (24.3%), and training and developing staff (20.9%) for the Audit Senior/Supervisor
level than for Audit Staff. Competencies that CAEs do not consider critical for Audit Senior/
Supervisor are presentation skills (15.5%), ability to promote the IAA (10.9%), foreign language
skills (8.1%), and change management (7.6%).
Audit Staff
In Table 8-2 the competency commonly indicated as the most important by CAEs for the Audit
Staff is analytical (ability to work through an issue) (63.9%). This supports Standard 2320, Analysis
and Evaluation, which states that internal auditors base conclusions and engagement results on
appropriate analyses and evaluations. The CAE respondents indicated the following as the most
important competencies for the Audit Staff level:
Analytical (63.9%)
Communication (51.9%)
Writing skills (51.0%)
Problem identification and solution (47.0%)
Critical thinking (43.9%)
Competencies that CAEs indicate are not as critical for Audit Staff members to possess at this
point in their internal auditing career are conflict resolution (7.2%), project planning and management
(7.1%), change management (4.1%), and training and developing staff (2.6%).
CAE Respondents by Staff Level for Groups
Tables 8-2-1 (CAE), 8-2-2 (Audit Manager), 8-2-3 (Audit Senior/Supervisor), and 8-2-4 (Audit
Staff) show CAE respondents percentages for the five most important competencies for the 13
groups.
Table 8-2-1 highlights the competencies CAEs value for their own job performance. Overwhelmingly,
CAEs in all groups find it critically important to be able to promote the IAA within the organization
and to have the ability to communicate in general. CAEs indicate variability in importance by group
on their competencies in change management, conceptual thinking, foreign language skills, report
development, and time management.
T
a
b
l
e

8
-
2
-
1
M
o
s
t

I
m
p
o
r
t
a
n
t

C
o
m
p
e
t
e
n
c
i
e
s

f
o
r

C
A
E

b
y

G
r
o
u
p
s
*
C
A
E

R
e
s
p
o
n
d
e
n
t
s

i
n

P
e
r
c
e
n
t
a
g
e
C
o
m
p
e
t
e
n
c
i
e
s
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
A
b
i
l
i
t
y

t
o

p
r
o
m
o
t
e

t
h
e
7
5
.
1
8
4
.
0
8
8
.
8
8
0
.
2
8
0
.
6
8
0
.
3
8
0
.
7
8
2
.
3
8
0
.
0
6
4
.
3
7
2
.
5
7
5
.
0
7
1
.
0
i
n
t
e
r
n
a
l

a
u
d
i
t

a
c
t
i
v
i
t
y
w
i
t
h
i
n

t
h
e

o
r
g
a
n
i
z
a
t
i
o
n
A
n
a
l
y
t
i
c
a
l

(
a
b
i
l
i
t
y

t
o
2
1
.
0
2
1
.
0
2
0
.
1
3
9
.
5
3
3
.
9
1
9
.
7
3
7
.
7
2
6
.
3
2
0
.
0
3
5
.
7
2
7
.
5
0
.
0
2
5
.
2
w
o
r
k

t
h
r
o
u
g
h

a
n

i
s
s
u
e
)
C
h
a
n
g
e

m
a
n
a
g
e
m
e
n
t
2
8
.
1
3
7
.
0
5
3
.
7
3
3
.
7
2
6
.
7
3
4
.
3
5
3
.
5
4
4
.
4
4
0
.
0
4
.
8
5
3
.
6
3
7
.
5
2
8
.
2
C
o
m
m
u
n
i
c
a
t
i
o
n
6
7
.
0
6
4
.
2
6
0
.
4
5
2
.
3
4
9
.
1
4
8
.
9
5
5
.
3
6
2
.
0
4
5
.
0
7
6
.
2
6
0
.
9
3
7
.
5
4
8
.
9
C
o
n
c
e
p
t
u
a
l

t
h
i
n
k
i
n
g
3
7
.
0
4
5
.
7
4
1
.
0
2
4
.
4
5
8
.
2
4
3
.
8
3
2
.
5
3
2
.
0
3
7
.
5
1
6
.
7
5
5
.
1
2
5
.
0
2
9
.
8
C
o
n
f
l
i
c
t

r
e
s
o
l
u
t
i
o
n
3
7
.
5
3
7
.
0
3
8
.
8
4
0
.
7
5
3
.
3
4
2
.
3
3
9
.
5
5
1
.
1
4
2
.
5
1
4
.
3
4
7
.
8
7
5
.
0
3
6
.
6
C
r
i
t
i
c
a
l

t
h
i
n
k
i
n
g
3
1
.
1
3
2
.
1
2
6
.
9
3
0
.
2
3
3
.
9
2
4
.
8
3
5
.
1
3
1
.
2
3
7
.
5
4
0
.
5
4
6
.
4
1
2
.
5
2
6
.
0
F
o
r
e
i
g
n

l
a
n
g
u
a
g
e

s
k
i
l
l
s
2
.
6
2
.
5
2
.
2
3
1
.
4
3
2
.
7
1
3
.
9
3
8
.
6
2
5
.
9
2
7
.
5
1
1
.
9
1
4
.
5
0
.
0
1
2
.
2
K
e
e
p
i
n
g

u
p

t
o

d
a
t
e

w
i
t
h
4
0
.
4
3
7
.
0
3
8
.
8
5
2
.
3
4
1
.
8
2
9
.
2
5
3
.
5
4
5
.
5
3
5
.
0
3
1
.
0
4
6
.
4
5
0
.
0
3
8
.
9
p
r
o
f
e
s
s
i
o
n
a
l

c
h
a
n
g
e
s
i
n

o
p
i
n
i
o
n
s
,

s
t
a
n
d
a
r
d
s
,
a
n
d

r
e
g
u
l
a
t
i
o
n
s
O
r
g
a
n
i
z
a
t
i
o
n

s
k
i
l
l
s
2
0
.
9
2
2
.
2
2
6
.
9
3
8
.
4
5
0
.
9
3
3
.
6
3
4
.
2
4
6
.
6
2
7
.
5
3
1
.
0
3
1
.
9
2
5
.
0
2
6
.
0
P
r
e
s
e
n
t
a
t
i
o
n

s
k
i
l
l
s
4
4
.
3
3
9
.
5
3
9
.
6
3
0
.
2
4
1
.
8
1
9
.
7
2
4
.
6
3
0
.
5
4
0
.
0
4
7
.
6
3
9
.
1
3
7
.
5
2
9
.
0
P
r
o
b
l
e
m

i
d
e
n
t
i
f
i
c
a
t
i
o
n
1
3
.
7
2
3
.
5
1
4
.
9
3
6
.
0
3
1
.
5
1
4
.
6
2
7
.
2
3
5
.
3
3
7
.
5
2
6
.
2
2
9
.
0
1
2
.
5
1
9
.
1
a
n
d

s
o
l
u
t
i
o
n
P
r
o
j
e
c
t

p
l
a
n
n
i
n
g

a
n
d
2
0
.
0
2
3
.
5
2
8
.
4
3
8
.
4
3
3
.
9
1
3
.
1
3
6
.
0
3
2
.
0
3
5
.
0
1
1
.
9
3
0
.
4
0
.
0
1
7
.
6
m
a
n
a
g
e
m
e
n
t
R
e
p
o
r
t

d
e
v
e
l
o
p
m
e
n
t
8
.
1
7
.
4
7
.
5
2
4
.
4
2
1
.
2
2
.
2
2
6
.
3
2
0
.
7
2
2
.
5
4
.
8
2
0
.
3
2
5
.
0
1
5
.
3
T
i
m
e

m
a
n
a
g
e
m
e
n
t
1
0
.
4
1
2
.
3
9
.
0
3
1
.
4
3
3
.
9
1
0
.
2
1
8
.
4
2
2
.
6
2
2
.
5
2
.
4
2
0
.
3
0
.
0
1
6
.
8
T
r
a
i
n
i
n
g

a
n
d
2
4
.
9
2
7
.
2
2
6
.
9
4
4
.
2
4
1
.
2
2
5
.
5
3
5
.
1
3
8
.
7
3
5
.
0
3
3
.
3
3
3
.
3
1
2
.
5
2
3
.
7
d
e
v
e
l
o
p
i
n
g

s
t
a
f
f
U
n
d
e
r
s
t
a
n
d
i
n
g
8
.
4
9
.
9
9
.
0
1
5
.
1
2
1
.
2
5
.
1
2
6
.
3
1
3
.
9
2
0
.
0
7
.
1
2
0
.
3
1
2
.
5
1
7
.
6
c
o
m
p
l
e
x

i
n
f
o
r
m
a
t
i
o
n
s
y
s
t
e
m
s
W
r
i
t
i
n
g

s
k
i
l
l
s
2
7
.
0
2
4
.
7
2
5
.
4
1
8
.
6
2
7
.
9
1
3
.
1
2
3
.
7
1
9
.
5
2
0
.
0
1
9
.
0
2
7
.
5
0
.
0
1
8
.
3
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
N
o
t
e
:

E
a
c
h

C
A
E

r
e
s
p
o
n
d
e
n
t

w
a
s

a
b
l
e

t
o

s
e
l
e
c
t

t
h
e

f
i
v
e

m
o
s
t

i
m
p
o
r
t
a
n
t

c
o
m
p
e
t
e
n
c
i
e
s

f
r
o
m

t
h
e

p
r
o
v
i
d
e
d

l
i
s
t

f
o
r

e
a
c
h

s
t
a
f
f

l
e
v
e
l
.
In Table 8-2-2 for Audit Manager, CAE respondents selected communication, project planning and
management, and training and developing staff as the most important skills for this staff level.
While there is generally consistency among the CAE respondents within the groups about the
importance of most of the competencies for Audit Manager, there are some outliers that place less
weight on certain competencies. In group 10, CAEs percentage for training and staff development
is only 14.3% while the next lowest value was 25.0% for CAEs in group 12. CAEs in six other
groups have values of 40% or higher for training and staff development. CAEs in ten groups had
percentages of 30% or more for project planning and management, but CAEs in groups 12 (12.5%)
and 6 (21.2%) had far fewer CAEs selecting this competency as being important for Audit Manager.
CAEs in group 2 (11.1%) had fewer respondents selecting change management as important than
CAEs in groups 4 (50%) and 12 (62.5%).
T
a
b
l
e

8
-
2
-
2
M
o
s
t

I
m
p
o
r
t
a
n
t

C
o
m
p
e
t
e
n
c
i
e
s

f
o
r

A
u
d
i
t

M
a
n
a
g
e
r

b
y

G
r
o
u
p
s
*
C
A
E

R
e
s
p
o
n
d
e
n
t
s

i
n

P
e
r
c
e
n
t
a
g
e
s
C
o
m
p
e
t
e
n
c
i
e
s
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
A
b
i
l
i
t
y

t
o

p
r
o
m
o
t
e

t
h
e
2
3
.
6
3
2
.
1
3
9
.
6
3
3
.
7
2
3
.
6
2
6
.
3
4
0
.
4
3
1
.
2
3
2
.
5
2
8
.
6
2
9
.
0
3
7
.
5
2
9
.
0
i
n
t
e
r
n
a
l

a
u
d
i
t

a
c
t
i
v
i
t
y
w
i
t
h
i
n

t
h
e

o
r
g
a
n
i
z
a
t
i
o
n
A
n
a
l
y
t
i
c
a
l

(
a
b
i
l
i
t
y

t
o
2
7
.
8
3
0
.
9
3
3
.
6
4
5
.
3
3
6
.
4
2
3
.
4
3
9
.
5
3
1
.
2
1
7
.
5
3
8
.
1
4
4
.
9
3
7
.
5
3
3
.
6
w
o
r
k

t
h
r
o
u
g
h

a
n

i
s
s
u
e
)
C
h
a
n
g
e

m
a
n
a
g
e
m
e
n
t
1
4
.
7
1
1
.
1
2
0
.
9
5
0
.
0
2
1
.
8
1
4
.
6
2
9
.
8
2
7
.
1
2
5
.
0
1
4
.
3
2
1
.
7
6
2
.
5
2
2
.
1
C
o
m
m
u
n
i
c
a
t
i
o
n
4
8
.
5
5
3
.
1
5
6
.
7
5
8
.
1
3
9
.
4
3
7
.
2
4
1
.
2
4
4
.
4
3
2
.
5
5
0
.
0
5
3
.
6
5
0
.
0
4
2
.
7
C
o
n
f
l
i
c
t

r
e
s
o
l
u
t
i
o
n
3
1
.
6
3
2
.
1
3
5
.
8
5
7
.
0
3
8
.
8
2
8
.
5
3
6
.
8
3
9
.
5
4
2
.
5
1
4
.
3
4
7
.
8
3
7
.
5
3
6
.
6
C
r
i
t
i
c
a
l

t
h
i
n
k
i
n
g
2
3
.
4
2
3
.
5
2
9
.
9
2
6
.
7
2
6
.
1
2
5
.
5
3
2
.
5
2
8
.
2
3
0
.
0
3
1
.
0
3
4
.
8
1
2
.
5
2
7
.
5
C
o
n
c
e
p
t
u
a
l

t
h
i
n
k
i
n
g
1
6
.
2
1
8
.
5
1
9
.
4
2
4
.
4
2
5
.
5
2
4
.
1
2
5
.
4
2
6
.
3
3
0
.
0
4
.
8
3
0
.
4
3
7
.
5
2
0
.
6
F
o
r
e
i
g
n

l
a
n
g
u
a
g
e

s
k
i
l
l
s
1
.
7
2
.
5
0
.
7
2
9
.
1
2
0
.
0
1
0
.
2
2
4
.
6
2
4
.
1
1
7
.
5
9
.
5
1
5
.
9
0
.
0
1
6
.
8
K
e
e
p
i
n
g

u
p

t
o

d
a
t
e
2
6
.
1
2
5
.
9
3
5
.
8
4
0
.
7
3
1
.
5
2
5
.
5
4
5
.
6
3
8
.
0
3
2
.
5
2
6
.
2
3
6
.
2
2
5
.
0
2
9
.
8
w
i
t
h

p
r
o
f
e
s
s
i
o
n
a
l
c
h
a
n
g
e
s

i
n

o
p
i
n
i
o
n
s
,
s
t
a
n
d
a
r
d
s
,

a
n
d
r
e
g
u
l
a
t
i
o
n
s
O
r
g
a
n
i
z
a
t
i
o
n

s
k
i
l
l
s
2
3
.
3
1
9
.
8
2
6
.
9
5
3
.
5
4
0
.
6
2
4
.
8
2
3
.
7
3
2
.
3
3
2
.
5
1
4
.
3
3
3
.
3
1
2
.
5
2
9
.
0
P
r
e
s
e
n
t
a
t
i
o
n

s
k
i
l
l
s
2
3
.
9
2
1
.
0
3
1
.
3
3
0
.
2
2
5
.
5
1
9
.
0
2
6
.
3
2
5
.
2
2
0
.
0
2
3
.
8
4
7
.
8
0
.
0
2
8
.
2
P
r
o
b
l
e
m

i
d
e
n
t
i
f
i
c
a
t
i
o
n
1
8
.
8
2
4
.
7
2
6
.
1
2
9
.
1
2
6
.
7
1
3
.
9
2
8
.
1
3
3
.
5
2
5
.
0
2
3
.
8
3
3
.
3
3
7
.
5
2
5
.
2
a
n
d

s
o
l
u
t
i
o
n
P
r
o
j
e
c
t

p
l
a
n
n
i
n
g

a
n
d
3
6
.
1
3
9
.
5
3
5
.
1
4
3
.
0
4
0
.
0
2
1
.
2
3
6
.
8
3
8
.
0
4
5
.
0
3
1
.
0
3
3
.
3
1
2
.
5
3
1
.
3
m
a
n
a
g
e
m
e
n
t
R
e
p
o
r
t

d
e
v
e
l
o
p
m
e
n
t
2
2
.
7
2
8
.
4
2
5
.
4
2
0
.
9
2
3
.
0
1
3
.
1
3
0
.
7
2
8
.
2
1
5
.
0
4
.
8
2
6
.
1
2
5
.
0
1
9
.
8
T
i
m
e

m
a
n
a
g
e
m
e
n
t
1
3
.
7
1
6
.
0
1
1
.
2
3
2
.
6
3
0
.
3
1
0
.
2
2
8
.
1
2
4
.
8
2
2
.
5
4
.
8
3
1
.
9
0
.
0
2
1
.
4
T
r
a
i
n
i
n
g

a
n
d
4
0
.
2
4
8
.
1
4
8
.
5
4
7
.
7
3
0
.
3
3
2
.
1
4
1
.
2
3
1
.
2
3
5
.
0
1
4
.
3
5
2
.
2
2
5
.
0
3
2
.
8
d
e
v
e
l
o
p
i
n
g

s
t
a
f
f
U
n
d
e
r
s
t
a
n
d
i
n
g
1
1
.
6
1
4
.
8
1
5
.
7
1
8
.
6
1
4
.
5
8
.
8
2
8
.
1
1
7
.
3
1
2
.
5
9
.
5
2
1
.
7
2
5
.
0
2
0
.
6
c
o
m
p
l
e
x

i
n
f
o
r
m
a
t
i
o
n
s
y
s
t
e
m
s
W
r
i
t
i
n
g

s
k
i
l
l
s
2
9
.
1
2
5
.
9
2
6
.
1
1
7
.
4
1
9
.
4
1
2
.
4
2
4
.
6
2
0
.
7
1
5
.
0
2
3
.
8
3
0
.
4
0
.
0
2
2
.
1
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
N
o
t
e
:

E
a
c
h

C
A
E

r
e
s
p
o
n
d
e
n
t

w
a
s

a
b
l
e

t
o

s
e
l
e
c
t

t
h
e

f
i
v
e

m
o
s
t

i
m
p
o
r
t
a
n
t

c
o
m
p
e
t
e
n
c
i
e
s

f
r
o
m

t
h
e

p
r
o
v
i
d
e
d

l
i
s
t

f
o
r

e
a
c
h

s
t
a
f
f

l
e
v
e
l
.
Table 8-2-3 highlights the CAE respondents group results for Audit Senior/Supervisor. There is
relative consistency among the CAEs selections of the most important and least important
competencies for this staff level. CAEs in group 12 did not support the importance of change
management, foreign language skills, presentation skills, or writing skills (00.0%). CAEs in group 4
consider project planning and management to be very important (40.7%), but only 9.1% CAEs in
group 5 selected this competency to be one of the top five competencies. CAEs in group 3 believe
that writing skills are important (41.0%), but CAEs in group 4 believe they are less significant for
the Audit Senior/Supervisor (17.4%). CAEs in group 7 believe that keeping up to date with
professional changes in opinions, standards, and regulations is fundamental (42.1%), but CAEs in
group 10 believe that this element is not critical for the Audit Senior/Supervisor (14.3%).
T
a
b
l
e

8
-
2
-
3
M
o
s
t

I
m
p
o
r
t
a
n
t

C
o
m
p
e
t
e
n
c
i
e
s

f
o
r

A
u
d
i
t

S
e
n
i
o
r
/
S
u
p
e
r
v
i
s
o
r

b
y

G
r
o
u
p
s
*
C
A
E

R
e
s
p
o
n
d
e
n
t
s

i
n

P
e
r
c
e
n
t
a
g
e
s
C
o
m
p
e
t
e
n
c
i
e
s
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
A
b
i
l
i
t
y

t
o

p
r
o
m
o
t
e

t
h
e
8
.
1
8
.
6
1
6
.
4
2
3
.
3
6
.
7
5
.
8
1
8
.
4
9
.
0
2
2
.
5
1
4
.
3
1
5
.
9
2
5
.
0
1
6
.
0
i
n
t
e
r
n
a
l

a
u
d
i
t

a
c
t
i
v
i
t
y
w
i
t
h
i
n

t
h
e

o
r
g
a
n
i
z
a
t
i
o
n
A
n
a
l
y
t
i
c
a
l

(
a
b
i
l
i
t
y

t
o
4
6
.
2
5
1
.
9
5
6
.
7
5
7
.
0
4
3
.
0
5
1
.
8
5
1
.
8
4
4
.
0
4
7
.
5
5
4
.
8
4
9
.
3
7
5
.
0
3
9
.
7
w
o
r
k

t
h
r
o
u
g
h

a
n

i
s
s
u
e
)
C
h
a
n
g
e

m
a
n
a
g
e
m
e
n
t
4
.
8
4
.
9
2
.
2
2
5
.
6
1
0
.
3
5
.
8
1
5
.
8
9
.
0
1
7
.
5
7
.
1
1
0
.
1
0
.
0
5
.
3
C
o
m
m
u
n
i
c
a
t
i
o
n
4
4
.
6
4
3
.
2
5
1
.
5
5
3
.
5
4
0
.
6
3
8
.
7
3
7
.
7
3
2
.
0
4
2
.
5
4
2
.
9
5
9
.
4
6
2
.
5
4
5
.
0
C
o
n
f
l
i
c
t

r
e
s
o
l
u
t
i
o
n
1
7
.
5
1
4
.
8
2
0
.
1
3
2
.
6
1
7
.
0
2
1
.
9
2
8
.
1
2
2
.
9
2
5
.
0
1
4
.
3
2
9
.
0
5
0
.
0
1
6
.
8
C
r
i
t
i
c
a
l

t
h
i
n
k
i
n
g
3
1
.
5
2
2
.
2
2
0
.
9
2
5
.
6
3
0
.
3
3
8
.
0
3
6
.
8
3
7
.
2
2
7
.
5
3
3
.
3
2
1
.
7
1
2
.
5
2
9
.
8
C
o
n
c
e
p
t
u
a
l

t
h
i
n
k
i
n
g
1
2
.
8
1
1
.
1
1
0
.
4
2
5
.
6
1
3
.
9
2
1
.
2
1
9
.
3
2
2
.
2
2
7
.
5
7
.
1
2
1
.
7
1
2
.
5
1
8
.
3
F
o
r
e
i
g
n

l
a
n
g
u
a
g
e

s
k
i
l
l
s
1
.
7
1
.
2
1
.
5
2
0
.
9
1
2
.
1
1
1
.
7
1
4
.
0
2
0
.
7
1
7
.
5
7
.
1
1
0
.
1
0
.
0
8
.
4
K
e
e
p
i
n
g

u
p

t
o

d
a
t
e
1
4
.
5
1
6
.
0
2
1
.
6
3
6
.
0
2
7
.
9
2
5
.
5
4
2
.
1
3
3
.
8
3
7
.
5
1
4
.
3
2
7
.
5
3
7
.
5
1
9
.
1
w
i
t
h

p
r
o
f
e
s
s
i
o
n
a
l
c
h
a
n
g
e
s

i
n

o
p
i
n
i
o
n
s
,
s
t
a
n
d
a
r
d
s
,

a
n
d
r
e
g
u
l
a
t
i
o
n
s
O
r
g
a
n
i
z
a
t
i
o
n

s
k
i
l
l
s
2
4
.
1
1
8
.
5
1
7
.
9
2
9
.
1
1
6
.
4
2
1
.
9
2
3
.
7
2
1
.
1
2
0
.
0
9
.
5
3
0
.
4
1
2
.
5
1
9
.
1
P
r
e
s
e
n
t
a
t
i
o
n

s
k
i
l
l
s
1
0
.
3
1
3
.
6
1
4
.
2
2
9
.
1
1
5
.
2
1
8
.
2
2
2
.
8
2
0
.
3
1
7
.
5
1
4
.
3
3
0
.
4
0
.
0
1
6
.
8
P
r
o
b
l
e
m

i
d
e
n
t
i
f
i
c
a
t
i
o
n
3
1
.
4
3
7
.
0
4
2
.
5
5
2
.
3
3
3
.
3
2
7
.
7
3
6
.
8
3
4
.
2
3
7
.
5
3
3
.
3
4
6
.
4
3
7
.
5
3
2
.
1
a
n
d

s
o
l
u
t
i
o
n
P
r
o
j
e
c
t

p
l
a
n
n
i
n
g

a
n
d
2
6
.
6
2
9
.
6
3
1
.
3
4
0
.
7
9
.
1
2
4
.
1
2
1
.
9
2
0
.
3
2
0
.
0
1
4
.
3
3
0
.
4
1
2
.
5
1
9
.
8
m
a
n
a
g
e
m
e
n
t
R
e
p
o
r
t

d
e
v
e
l
o
p
m
e
n
t
2
5
.
3
2
3
.
5
3
5
.
8
2
3
.
3
2
4
.
2
1
4
.
6
4
0
.
4
3
7
.
6
2
7
.
5
1
9
.
0
2
7
.
5
2
5
.
0
2
3
.
7
T
i
m
e

m
a
n
a
g
e
m
e
n
t
2
5
.
3
3
0
.
9
3
8
.
8
4
0
.
7
2
4
.
8
2
3
.
4
2
8
.
9
3
1
.
6
3
5
.
0
9
.
5
4
4
.
9
1
2
.
5
2
3
.
7
T
r
a
i
n
i
n
g

a
n
d

d
e
v
e
l
o
p
i
n
g
2
2
.
2
2
4
.
7
2
5
.
4
3
8
.
4
1
3
.
3
1
1
.
7
2
9
.
8
1
3
.
9
2
7
.
5
1
1
.
9
2
4
.
6
2
5
.
0
1
8
.
3
s
t
a
f
f
U
n
d
e
r
s
t
a
n
d
i
n
g

c
o
m
p
l
e
x
1
1
.
4
1
4
.
8
1
7
.
2
2
0
.
9
1
8
.
2
2
0
.
4
2
1
.
1
2
1
.
1
2
2
.
5
4
.
8
2
3
.
2
2
5
.
0
1
7
.
6
i
n
f
o
r
m
a
t
i
o
n

s
y
s
t
e
m
s
W
r
i
t
i
n
g

s
k
i
l
l
s
3
6
.
5
3
2
.
1
4
1
.
0
1
7
.
4
2
6
.
1
2
9
.
2
3
1
.
6
2
6
.
7
2
2
.
5
2
3
.
8
3
9
.
1
0
.
0
2
9
.
0
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
N
o
t
e
:

E
a
c
h

C
A
E

r
e
s
p
o
n
d
e
n
t

w
a
s

a
b
l
e

t
o

s
e
l
e
c
t

t
h
e

f
i
v
e

m
o
s
t

i
m
p
o
r
t
a
n
t

c
o
m
p
e
t
e
n
c
i
e
s

f
r
o
m

t
h
e

p
r
o
v
i
d
e
d

l
i
s
t

f
o
r

e
a
c
h

s
t
a
f
f

l
e
v
e
l
.
Table 8-2-4 shows that for Audit Staff there are uniformly low percentages for training and
developing staff, project planning and management, change management, and conflict resolution.
CAE respondents consider analytical ability and communication to be by far the most important
competencies for the Audit Staff in all groups.
There is variability among the CAE respondents among some groups for some competencies.
Foreign language skills vary from a low of 3.2% in group 1 to a high of 29.1% for group 4. Group
6 believes that critical thinking is very important for Audit Staff (58.4 %) while group 4 considers
this much less important (19.8%). Keeping up to date with professional changes in opinions,
standards, and regulations is considered vital by responding CAEs in group 7 (51.8%) and significantly
less important for group 1 (10.4%). While responding CAEs in Group 4 believe that presentation
skills are very important (50.0%) for Audit Staff, no CAEs in group 12 selected this competency as
important. The range of percentages for responding CAEs for report development is 8.0% for
group 6 to 59.3% for group 4.
T
a
b
l
e

8
-
2
-
4
M
o
s
t

I
m
p
o
r
t
a
n
t

C
o
m
p
e
t
e
n
c
i
e
s

f
o
r

A
u
d
i
t

S
t
a
f
f

M
e
m
b
e
r
s

b
y

G
r
o
u
p
s
*
C
A
E

R
e
s
p
o
n
d
e
n
t
s

i
n

P
e
r
c
e
n
t
a
g
e
s
C
o
m
p
e
t
e
n
c
i
e
s
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
A
b
i
l
i
t
y

t
o

p
r
o
m
o
t
e

t
h
e
6
.
6
7
.
4
1
6
.
4
1
0
.
5
4
.
8
8
.
0
1
5
.
8
9
.
0
2
7
.
5
9
.
5
1
3
.
0
2
5
.
0
1
2
.
2
i
n
t
e
r
n
a
l

a
u
d
i
t

a
c
t
i
v
i
t
y
w
i
t
h
i
n

t
h
e

o
r
g
a
n
i
z
a
t
i
o
n
A
n
a
l
y
t
i
c
a
l

(
a
b
i
l
i
t
y

t
o
6
8
.
4
6
7
.
9
7
0
.
9
4
1
.
9
6
6
.
1
6
5
.
7
5
9
.
6
5
7
.
5
7
0
.
0
7
1
.
4
5
9
.
4
5
0
.
0
5
1
.
1
w
o
r
k

t
h
r
o
u
g
h

a
n

i
s
s
u
e
)
C
h
a
n
g
e

m
a
n
a
g
e
m
e
n
t
2
.
6
1
.
2
1
.
5
1
0
.
5
6
.
7
4
.
4
8
.
8
6
.
4
7
.
5
2
.
4
1
.
4
0
.
0
2
.
3
C
o
m
m
u
n
i
c
a
t
i
o
n
5
8
.
1
5
3
.
1
6
1
.
9
4
5
.
3
6
1
.
2
4
6
.
0
4
1
.
2
3
0
.
1
5
7
.
5
5
7
.
1
5
8
.
0
6
2
.
5
4
7
.
3
C
o
n
c
e
p
t
u
a
l

t
h
i
n
k
i
n
g
1
3
.
7
1
4
.
8
9
.
0
2
9
.
1
1
3
.
9
1
9
.
7
3
0
.
7
2
9
.
3
2
5
.
0
1
1
.
9
1
8
.
8
2
5
.
0
1
4
.
5
C
o
n
f
l
i
c
t

r
e
s
o
l
u
t
i
o
n
5
.
9
2
.
5
6
.
7
1
1
.
6
1
2
.
7
9
.
5
7
.
9
7
.
9
1
0
.
0
2
.
4
7
.
2
1
2
.
5
4
.
6
C
r
i
t
i
c
a
l

t
h
i
n
k
i
n
g
4
7
.
4
3
8
.
3
3
4
.
3
1
9
.
8
3
9
.
4
5
8
.
4
4
5
.
6
4
9
.
2
3
0
.
0
5
0
.
0
3
3
.
3
3
7
.
5
3
7
.
4
F
o
r
e
i
g
n

l
a
n
g
u
a
g
e

s
k
i
l
l
s
3
.
2
3
.
7
5
.
2
2
9
.
1
2
1
.
8
2
3
.
4
1
4
.
9
2
7
.
8
2
2
.
5
9
.
5
1
4
.
5
1
2
.
5
1
1
.
5
K
e
e
p
i
n
g

u
p

t
o

d
a
t
e

w
i
t
h
1
0
.
4
1
7
.
3
2
5
.
4
3
8
.
4
3
0
.
9
2
7
.
7
5
1
.
8
3
0
.
8
3
7
.
5
2
3
.
8
2
0
.
3
1
2
.
5
2
6
.
0
p
r
o
f
e
s
s
i
o
n
a
l

c
h
a
n
g
e
s

i
n
o
p
i
n
i
o
n
s
,

s
t
a
n
d
a
r
d
s
,

a
n
d
r
e
g
u
l
a
t
i
o
n
s
O
r
g
a
n
i
z
a
t
i
o
n

s
k
i
l
l
s
3
3
.
3
1
6
.
0
1
3
.
4
1
8
.
6
6
.
7
1
3
.
9
1
5
.
8
1
2
.
4
1
7
.
5
2
.
4
2
1
.
7
0
.
0
9
.
9
P
r
e
s
e
n
t
a
t
i
o
n

s
k
i
l
l
s
7
.
1
9
.
9
1
0
.
4
5
0
.
0
1
6
.
4
6
.
6
1
6
.
7
1
5
.
0
1
5
.
0
2
3
.
8
1
5
.
9
0
.
0
1
9
.
8
P
r
o
b
l
e
m

i
d
e
n
t
i
f
i
c
a
t
i
o
n
5
1
.
5
5
9
.
3
5
2
.
2
5
1
.
2
4
1
.
8
4
4
.
5
3
9
.
5
3
7
.
6
4
7
.
5
4
2
.
9
4
7
.
8
2
5
.
0
3
9
.
7
a
n
d

s
o
l
u
t
i
o
n
P
r
o
j
e
c
t

p
l
a
n
n
i
n
g

a
n
d
7
.
2
1
1
.
1
1
1
.
2
9
.
3
4
.
8
5
.
1
7
.
0
6
.
0
5
.
0
9
.
5
5
.
8
0
.
0
6
.
9
m
a
n
a
g
e
m
e
n
t
R
e
p
o
r
t

d
e
v
e
l
o
p
m
e
n
t
1
3
.
4
1
7
.
3
1
7
.
9
5
9
.
3
2
6
.
7
8
.
0
3
0
.
7
3
6
.
5
3
7
.
5
1
9
.
0
2
3
.
2
3
7
.
5
2
6
.
0
T
i
m
e

m
a
n
a
g
e
m
e
n
t
4
6
.
2
5
0
.
6
5
8
.
2
5
0
.
0
2
5
.
5
2
9
.
9
2
9
.
8
3
5
.
3
3
5
.
0
1
1
.
9
4
2
.
0
5
0
.
0
2
9
.
8
T
r
a
i
n
i
n
g

a
n
d
1
.
1
0
.
0
1
.
5
1
1
.
6
3
.
0
1
.
5
3
.
5
4
.
1
5
.
0
2
.
4
5
.
8
0
.
0
3
.
1
d
e
v
e
l
o
p
i
n
g

s
t
a
f
f
U
n
d
e
r
s
t
a
n
d
i
n
g

c
o
m
p
l
e
x
9
.
6
9
.
9
1
1
.
9
3
4
.
9
2
0
.
0
2
4
.
8
2
4
.
6
1
9
.
9
3
0
.
0
1
4
.
3
1
8
.
8
2
5
.
0
2
0
.
6
i
n
f
o
r
m
a
t
i
o
n

s
y
s
t
e
m
s
W
r
i
t
i
n
g

s
k
i
l
l
s
5
3
.
7
5
5
.
6
5
8
.
2
4
7
.
7
5
7
.
0
4
5
.
3
5
4
.
4
4
6
.
2
4
2
.
5
3
8
.
1
5
3
.
6
3
7
.
5
3
7
.
4
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
N
o
t
e
:

E
a
c
h

C
A
E

r
e
s
p
o
n
d
e
n
t

w
a
s

a
b
l
e

t
o

s
e
l
e
c
t

t
h
e

f
i
v
e

m
o
s
t

i
m
p
o
r
t
a
n
t

c
o
m
p
e
t
e
n
c
i
e
s

f
r
o
m

t
h
e

p
r
o
v
i
d
e
d

l
i
s
t

f
o
r

e
a
c
h

s
t
a
f
f

l
e
v
e
l
.
The Practitioners were asked to indicate the importance of each of the eighteen competencies to
performing their jobs at their current position in their organization. The scale used to determine the
level of importance was 1 (minimally important) to 5 (very important). Table 8-3 shows the mean
responses by Practitioners for the eighteen competencies.
Table 8-3
Importance of Competencies to Perform Work
Supervisor
Ability to promote the internal audit activity 4.32 4.15 4.11
Analytical (ability to work through an issue) 4.52 4.53 4.45
Change management 4.03 3.89 3.72
Communication 4.61 4.59 4.54
Conceptual thinking 4.33 4.29 4.25
Conflict resolution 4.27 4.24 4.13
Critical thinking 4.48 4.43 4.36
Foreign language skills 2.59 2.54 2.66
Keeping up to date with professional changes 4.05 4.01 4.02
Organization skills 4.15 4.13 4.13
Presentation skills 4.13 4.03 4.02
Problem identification and solution 4.50 4.48 4.44
Project planning and management 4.13 4.02 3.84
Report development 4.31 4.27 4.19
Time management 4.26 4.25 4.21
Training and developing staff 4.06 3.74 3.56
Understanding complex information systems 3.79 3.73 3.65
Writing skills 4.49 4.47 4.39
Note: Not all respondents answered for all the competencies. Total number of respondents was between 4,693 and
4,735.
As indicated by only marginal differences in the means, Practitioners consider almost all of the
competencies equally important across the positional levels in the IAA. The only categories which
show some change between the Audit Staff level and the Audit Manager level are:
Ability to promote the IAA within the organization (4.11 to 4.32).
Project planning and management (3.84 to 4.13).
Change management (3.72 to 4.03).
Training and developing staff (3.56 to 4.06).
The competency categories for all levels with the most means below 4.0 are:
Foreign language skills (the lowest score of all categories analyzed with means between
2.54 and 2.66).
Understanding complex information systems (second lowest mean for all levels but still
somewhat important with means of 3.65 to 3.79).
Training and developing staff (a mean higher than 4.0 only for the Audit Manager category).
Change management (a mean higher than 4.0 only for the Audit Manager category).
Project planning and management (a mean higher than 4.0 for the Audit Senior /Supervisor
and Audit Manager categories).
Table 8-4 shows the ranking of the competency means for Practitioners. The consistent rankings
among the Audit Manager, Audit Senior/Supervisor, and Audit Staff levels are striking. Practitioners
indicate that many of the competencies are equally important across the hierarchical scale in the
IAA with only marginal differences in the ranks. The results highlight some similarities with the
responses of the CAE group. Communication is the most important for all professional levels. This
is consistent with Standard 2420, Quality of Communication, which states, Communications should
be accurate, objective, clear, concise, constructive, complete, and timely. This standard applies
for all internal auditors. The foreign language skills competency is indicated by respondents as the
least important for all Practitioners at all staff levels.
Table 8-4
Rankings of the Competencies by Staff Level
Practitioner Respondents by Rank
Supervisor
Ability to promote the internal audit activity 7 10 11
Analytical (ability to work through an issue) 2 2 2
Change management 16 15 15
Communication 1 1 1
Conceptual thinking 6 6 6
Conflict resolution 9 9 9/10
Critical thinking 5 5 5
Foreign language skills 18 18 18
Keeping up to date with professional changes 15 14 12/13
Organization skills 11 11 9/10
Presentation skills 12/13 12 12/13
Problem identification and solution 3 3 3
Project planning and management 12/13 13 14
Report development 8 7 8
Time management 10 8 7
Training and developing staff 14 16 17
Understanding complex information systems 17 17 16
Writing skills 4 4 4
Note: In some cases the rankings were tied. For example, rankings of conflict resolution and organization skills at the
Audit Staff level were tied.
CAEs and Practitioners seem to approach the competencies differently. CAEs appear to be viewing
competencies appropriate for a positional level from a department managers perspective, while
Practitioners appear to view the need for a variety of competencies necessary for their success.
For Audit Managers especially, the difference between the CAE and the Audit Manager responses
is noticeable for the following competencies: training and development, project planning, writing
skills, problem identification and solution, and keeping up to date with professional changes in
opinions, standards, and regulations. The differences for the Audit Manager level may be reflective
of the transition from more operational duties to managerial duties. (CAEs and Practitioners were
asked to rank the same list of competencies but their methods differed. CAEs indicated the five
most important competencies for each audit staff level, while Practitioners ranked each competency
as it related to the competencys importance for themselves to do their job.)
Practitioner Rankings by Groups
In Appendix 8, Tables 8-3-1-A (Audit Manager), 8-3-2-A (Audit Senior/Supervisor), and 8-3-3-A
(Audit Staff) show Practitioner responses for competencies broken out for the 13 groups. Foreign
language skills are universally the lowest ranked competency. For all groups, analytical ability,
communication, and problem identification and solution are the only abilities to receive means
above 4.0 for all three staff levels. For the three staff levels, understanding complex information
systems has a mean of more than 4.0 for only seven groups. In general after taking out the very
high and very low outliers among the groups, the responses show the perception that many skills
are important to the respondents regardless of where they reside. Considering the contents of The
IIAs Code of Ethics and the Standards, the uniformity of this perception among practitioners
globally is very important. These tables indicate that the findings are relatively consistent between
the groups for the three staff levels.
Areas of Knowledge
Standard 1210, Proficiency states, Internal auditors should possess the knowledge needed to
perform their individual responsibilities. Practice Advisory 1210-1, Proficiency, states, Proficiency
means the ability to apply knowledge to situations likely to be encountered and to deal with them
without extensive recourse to technical research and assistance. This section looks at 19 areas of
knowledge to determine which are important to internal auditors for the satisfactory performance
of their job at staff positions in the IAA.
Certain areas of knowledge are emphasized in the Standards and expanded upon in the Practice
Advisories:
Attribute Standard 1210 Internal auditors should possess the knowledge, skills, and
other competencies needed to perform their individual responsibilities.
Attribute Standard 1210.A1 The chief audit executive should obtain competent advice
and assistance if the internal audit staff lacks the knowledgeneeded to perform all or
part of the engagement.
Practice Advisory 1210-1 An appreciation is required of the fundamentals of subjects
such as accounting, economics, commercial law, taxation, finance, quantitative methods,
and information technology.
Practice Advisory 1210-1 Proficiency in accounting principles and techniques is required
of auditors who work extensively with financial records and reports.
Practice Advisory 1210-1 An understanding of management principles is required.
The areas of knowledge for this question were identified by reviewing the Standards and Practice
Advisories, internal auditing literature, past CBOK studies, and the current CBOK 2006 pilot
study. Based on this review, nineteen areas of knowledge were identified as being important for
internal auditors. The Practitioner Questionnaire asked respondents to indicate the importance of
these nineteen areas of knowledge to perform their work at their current position in their organization
on a scale of 1 (minimally important) to 5 (very important). Respondents were unable to amend or
add to the list. Table 8-5 shows an analysis of the three professional levels Audit Manager, Audit
Senior/Supervisor, and Audit Staff. Tables 8-5-1 (Audit Manager), 8-5-2 (Audit Senior/Supervisor),
and 8-5-3 (Audit Staff) list the areas of knowledge in descending order by mean.
Table 8-5
Supervisor
Accounting 3.83 3.77 3.71
Auditing 4.68 4.66 4.61
Business law and government regulation 3.68 3.70 3.68
Business management 3.75 3.60 3.53
Changes to professional standards 3.71 3.64 3.68
Enterprise risk management 3.85 3.74 3.71
Ethics 4.21 4.18 4.26
Finance 3.70 3.68 3.64
Fraud awareness 4.00 3.93 3.91
Governance 3.95 3.80 3.77
Human resource management 3.44 3.23 3.15
Information technology 3.85 3.84 3.79
Internal auditing standards 4.19 4.19 4.24
Managerial accounting 3.35 3.30 3.27
Marketing 2.70 2.60 2.64
Organization culture 3.91 3.79 3.82
Organizational systems 3.75 3.76 3.78
Strategy and business policy 3.73 3.61 3.60
Technical knowledge for your industry 3.97 3.92 3.96
NOTE: Not all respondents answered for all the knowledge areas. Total number of respondents was between 4,711 and
4,751.
The means in Table 8-5 and the rankings in Table 8-6 indicate that knowledge of auditing is
overwhelmingly ranked first for all Practitioner respondents (4.61 to 4.68 for the Audit Staff through
Audit Manager). Ethics is ranked second (4.21 to 4.26) by all levels except for Audit Senior/
Supervisor (4.18, ranked 3). Areas of knowledge consistently ranked in the top five for all Practitioner
respondents are internal auditing standards, which is ranked second or third by all staff levels,
technical knowledge for your industry (3.92 to 3.97), and fraud awareness (3.91 to 4.00), which
are ranked either fourth or fifth for all Practitioner respondents.
There is unanimity in the ranking of the least important areas of knowledge for all Practitioner
respondents. Marketing at 19 is ranked the lowest (2.60 to 2.70), and human resource management
(3.15 to 3.44) and managerial accounting (3.27 to 3.35) are ranked either 18 or 17 for all respondents.
For the other areas of knowledge listed, Practitioner rankings vary.
Table 8-6
Practitioner Respondents by Staff Level
Supervisor
Accounting 10 9 10
Auditing 1 1 1
Business law and government regulation 16 12 12
Business management 11 16 16
Changes to professional standards 14 14 13
Enterprise risk management 8 11 11
Ethics 2 3 2
Finance 15 13 14
Fraud awareness 4 4 5
Governance 6 7 9
Human resource management 17 18 18
Information technology 9 6 7
Internal auditing standards 3 2 3
Managerial accounting 18 17 17
Marketing 19 19 19
Organization culture 7 8 6
Organizational systems 12 10 8
Strategy and business policy 13 15 15
Technical knowledge for your industry 5 5 4
Audit Manager
Looking at Table 8-5-1, the five most important areas of knowledge that Audit Managers indicate
they should possess are:
1. Auditing (4.68).
2. Ethics (4.21).
3. Internal auditing standards (4.19).
4. Fraud awareness (4.00).
5. Technical knowledge for your industry (3.97).
Table 8-5-1
Importance of Areas of Knowledge to Perform Work as Audit Manager
Areas of Knowledge Audit Manager
Auditing 4.68
Ethics 4.21
Internal auditing standards 4.19
Fraud awareness 4.00
Technical knowledge for your industry 3.97
Governance 3.95
Organization culture 3.91
Enterprise risk management 3.85
Information technology 3.85
Accounting 3.83
Business management 3.75
Organizational systems 3.75
Strategy and business policy 3.73
Changes to professional standards 3.71
Finance 3.70
Business law and government regulation 3.68
Human resource management 3.44
Managerial accounting 3.35
Marketing 2.70
Practitioners indicated that progression in hierarchical position in the IAA from Audit Staff to Audit
Manager results in no significant change in areas of knowledge that are fundamental to internal
auditors success. The focus on business management, enterprise risk management, and governance
does gain more importance. Marginally less crucial are business law and government regulation,
information technology, and organizational systems.
Table 8-5-2 reveals that Audit Seniors/Supervisors indicate that the five most important areas of
knowledge fundamental to their job performance are:
1. Auditing (4.66).
3. Ethics (4.18).
Table 8-5-2
Importance of Areas of Knowledge to Perform Work as
Areas of Knowledge Audit Manager/Supervisor
Auditing 4.66
Ethics 4.18
Governance 3.80
Accounting 3.77
Finance 3.68
Marketing 2.60
There is no area of knowledge that becomes more significant for this level than for the Audit Staff.
Audit Staff
Table 8-5-3 shows the five most important areas of knowledge that the Audit Staff believes are
fundamental for their job performance are:
1. Auditing (4.61).
2. Ethics (4.26).
Table 8-5-3
Importance of Areas of Knowledge to Perform Work as Audit Staff
Areas of Knowledge Audit Staff
Auditing 4.61
Ethics 4.26
Governance 3.77
Accounting 3.71
Finance 3.64
Marketing 2.64
Group Means for Areas of Knowledge
Tables 8-5-4-A (Audit Manager), 8-5-5-A (Audit Senior/Supervisor), and 8-5-6-A (Audit Staff)
show Practitioner mean responses for areas of knowledge broken out for the 13 groups. When
analyzed by groups there is evidence of a wide divergence of opinion for many knowledge areas.
There is a high level of consistency once very high and low rated knowledge areas by individual
groups are removed.
For Audit Managers in Table 8-5-4-A, auditing receives the highest means. Internal auditing standards
has means of 4.00 and above for all but one group and ethics is above 4.00 for all but two groups.
Group means for the Audit Senior/Supervisor level in Table 8-5-5-A are very similar to those of the
Audit Staff for the high and low ranking areas of knowledge. The other areas of knowledge means
are relatively close together for most of the groups.
For the Audit Staff (Table 8-5-6-A), auditing is critical for all groups with all means above 4.24.
Ethics (9 groups) and internal auditing standards (8 groups) receive rankings above 4.0 for the
majority of the groups. The low rankings continue to be low for human resource management,
managerial accounting, and marketing. Group 12 was the only group whose means for enterprise
risk management, ethics, organizational systems, and strategy and business policy are all 5.00,
indicating the respondents in this group believe that these knowledge areas are of the highest
importance for that groups respondents.
Summary
The results show that the CAEs and Practitioners consider communication as the most important
competency for all members of the IAA. The CAE respondents believe that ability to promote the
IAA within the organization is overwhelmingly the most important competency that the CAE
should possess. The top two competencies deemed most important by the CAE for the Audit Staff
and Audit Senior/Supervisor are analytical and communication. The CAEs responses indicate a
difference among the competencies needed based on staff levels (Audit Staff, Audit Senior/
Supervisor, Audit Manager, CAE) while the Practitioner responses at each staff level generally
indicate that for their current position the competencies are equally important.
When viewing the importance of competencies across the array of hierarchical positions in the
IAA from CAE to the Audit Staff, the ability to promote the IAA within the organization, change
management, conflict resolution and training, and developing staff show a trend of increasing
importance at higher staff levels. Problem identification, time management, and writing competencies
noticeably decline in importance as an internal auditor advances to higher staff levels.
Areas of knowledge important to the respondents job performance were only ranked by Practitioners
and did not include CAEs in the rankings. They indicated that for all Practitioner levels, auditing is
the most important knowledge area followed by ethics and internal auditing standards. Fraud
awareness and technical knowledge of the respondents industry are the only other competencies
with rankings in the top five for all Practitioner respondents. There are no noticeable differences
based on comparisons of members of the audit staff and those at the Audit Senior/Supervisor level.
At the manager level, enterprise risk management marginally increases in importance. There is an
overall consistency of rankings of the knowledge areas by Practitioner respondents for all staff
levels.
When comparing the data for the 13 groups, differences relate to only a few competencies and
knowledge areas.
A
P
P
E
N
D
I
X

8
T
a
b
l
e

8
-
3
-
1
-
A
I
m
p
o
r
t
a
n
c
e

o
f

C
o
m
p
e
t
e
n
c
i
e
s

t
o

P
e
r
f
o
r
m

W
o
r
k

f
o
r

A
u
d
i
t

M
a
n
a
g
e
r

b
y

G
r
o
u
p
s
*
P
r
a
c
t
i
t
i
o
n
e
r

R
e
s
p
o
n
d
e
n
t
s

i
n

M
e
a
n
s
*
*
C
o
m
p
e
t
e
n
c
i
e
s
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
*
A
b
i
l
i
t
y

t
o

p
r
o
m
o
t
e

t
h
e
4
.
2
0
4
.
3
6
4
.
4
6
4
.
1
8
4
.
4
1
4
.
2
9
4
.
7
5
4
.
3
3
4
.
8
3
4
.
0
6
4
.
1
4
4
.
8
3
4
.
2
7
i
n
t
e
r
n
a
l

a
u
d
i
t

a
c
t
i
v
i
t
y
w
i
t
h
i
n

t
h
e

o
r
g
a
n
i
z
a
t
i
o
n
A
n
a
l
y
t
i
c
a
l

(
a
b
i
l
i
t
y

t
o
4
.
5
8
4
.
6
0
4
.
5
4
4
.
2
8
4
.
5
0
4
.
5
6
4
.
6
6
4
.
3
2
4
.
7
2
4
.
5
0
4
.
3
7
4
.
6
7
4
.
4
0
w
o
r
k

t
h
r
o
u
g
h

a
n

i
s
s
u
e
)
C
h
a
n
g
e

m
a
n
a
g
e
m
e
n
t
4
.
0
6
4
.
0
9
4
.
2
2
3
.
5
6
3
.
7
7
3
.
7
7
4
.
3
4
3
.
9
4
4
.
3
3
3
.
8
1
3
.
9
6
4
.
4
2
3
.
9
3
C
o
m
m
u
n
i
c
a
t
i
o
n
4
.
7
0
4
.
7
2
4
.
6
9
4
.
2
8
4
.
4
9
4
.
4
3
4
.
6
2
4
.
5
1
4
.
5
3
4
.
5
0
4
.
5
4
4
.
7
5
4
.
4
4
C
o
n
f
l
i
c
t

r
e
s
o
l
u
t
i
o
n
4
.
3
2
4
.
1
9
4
.
3
8
4
.
0
5
4
.
2
9
3
.
9
5
4
.
4
8
4
.
2
1
4
.
5
6
3
.
8
8
4
.
2
1
4
.
5
8
4
.
1
1
C
r
i
t
i
c
a
l

t
h
i
n
k
i
n
g
4
.
5
7
4
.
4
7
4
.
5
0
3
.
7
9
4
.
4
2
4
.
4
1
4
.
4
8
4
.
3
9
4
.
7
2
4
.
4
4
4
.
4
0
4
.
9
2
4
.
3
4
C
o
n
c
e
p
t
u
a
l

t
h
i
n
k
i
n
g
4
.
4
1
4
.
4
5
4
.
4
0
3
.
7
7
4
.
3
8
4
.
3
4
4
.
3
5
4
.
0
5
4
.
7
2
4
.
3
8
4
.
3
3
4
.
5
0
4
.
2
3
F
o
r
e
i
g
n

l
a
n
g
u
a
g
e

s
k
i
l
l
s
1
.
7
7
1
.
6
2
2
.
0
2
3
.
3
8
3
.
6
5
3
.
6
1
3
.
9
0
3
.
5
9
4
.
0
0
3
.
6
9
3
.
0
0
3
.
2
5
3
.
1
4
K
e
e
p
i
n
g

u
p

t
o

d
a
t
e

w
i
t
h
3
.
9
1
3
.
7
0
4
.
1
6
3
.
8
7
4
.
0
8
4
.
0
2
4
.
4
8
4
.
1
5
4
.
5
6
4
.
3
3
4
.
1
0
4
.
5
0
4
.
0
9
p
r
o
f
e
s
s
i
o
n
a
l

c
h
a
n
g
e
s

i
n
o
p
i
n
i
o
n
s
,

s
t
a
n
d
a
r
d
s
,
a
n
d

r
e
g
u
l
a
t
i
o
n
s
O
r
g
a
n
i
z
a
t
i
o
n

s
k
i
l
l
s
4
.
2
1
4
.
0
7
4
.
1
4
3
.
6
2
4
.
0
8
3
.
9
3
4
.
3
5
4
.
2
0
4
.
3
9
3
.
9
4
4
.
0
0
4
.
3
3
4
.
0
3
P
r
e
s
e
n
t
a
t
i
o
n

s
k
i
l
l
s
4
.
1
5
4
.
1
7
4
.
1
6
4
.
0
0
4
.
0
5
3
.
8
8
4
.
1
6
4
.
1
1
4
.
5
0
4
.
2
5
4
.
2
8
4
.
5
0
4
.
0
0
P
r
o
b
l
e
m

i
d
e
n
t
i
f
i
c
a
t
i
o
n
4
.
5
2
4
.
5
2
4
.
5
5
4
.
3
6
4
.
4
5
4
.
4
5
4
.
5
3
4
.
4
9
4
.
8
9
4
.
4
4
4
.
4
2
4
.
5
8
4
.
4
5
a
n
d

s
o
l
u
t
i
o
n
P
r
o
j
e
c
t

p
l
a
n
n
i
n
g

a
n
d
4
.
2
8
4
.
1
1
4
.
0
9
3
.
7
4
4
.
0
6
3
.
8
1
4
.
2
3
3
.
9
0
4
.
3
3
4
.
0
0
4
.
1
3
4
.
4
2
3
.
9
2
m
a
n
a
g
e
m
e
n
t
R
e
p
o
r
t

d
e
v
e
l
o
p
m
e
n
t
4
.
3
5
4
.
5
0
4
.
3
5
3
.
8
7
4
.
3
6
3
.
6
4
4
.
5
2
4
.
3
0
4
.
3
3
4
.
2
5
4
.
3
8
4
.
6
7
4
.
3
3
T
i
m
e

m
a
n
a
g
e
m
e
n
t
4
.
3
3
4
.
3
7
4
.
4
3
3
.
7
7
4
.
2
9
3
.
8
2
4
.
3
9
4
.
1
7
4
.
5
0
3
.
8
1
4
.
4
4
4
.
8
3
4
.
0
0
T
r
a
i
n
i
n
g

a
n
d
4
.
0
3
3
.
9
8
4
.
1
5
3
.
8
6
4
.
0
0
3
.
8
1
4
.
4
4
4
.
0
6
4
.
3
9
3
.
6
0
4
.
0
0
4
.
5
0
4
.
0
4
d
e
v
e
l
o
p
i
n
g

s
t
a
f
f
U
n
d
e
r
s
t
a
n
d
i
n
g
3
.
7
1
4
.
0
9
3
.
7
7
3
.
5
4
3
.
7
0
3
.
7
5
4
.
2
5
3
.
6
8
4
.
6
7
3
.
7
5
3
.
9
0
4
.
3
3
3
.
8
1
c
o
m
p
l
e
x

i
n
f
o
r
m
a
t
i
o
n
s
y
s
t
e
m
s
W
r
i
t
i
n
g

S
k
i
l
l
s
4
.
5
6
4
.
6
0
4
.
5
9
3
.
7
9
4
.
5
8
4
.
3
6
4
.
5
3
4
.
3
1
4
.
6
1
4
.
3
3
4
.
5
2
4
.
9
2
4
.
2
8
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
T
h
e

m
e
a
n

i
s

t
h
e

a
v
e
r
a
g
e

r
e
s
p
o
n
s
e

t
o
:

1

=

m
i
n
i
m
a
l
l
y

i
m
p
o
r
t
a
n
t

t
o

5

=

v
e
r
y

i
m
p
o
r
t
a
n
t
.
*
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
8
-
3
-
2
-
A
I
m
p
o
r
t
a
n
c
e

o
f

C
o
m
p
e
t
e
n
c
i
e
s

t
o

P
e
r
f
o
r
m

W
o
r
k

f
o
r

A
u
d
i
t

S
e
n
i
o
r
/
S
u
p
e
r
v
i
s
o
r

b
y

G
r
o
u
p
s
*
P
r
a
c
t
i
t
i
o
n
e
r

R
e
s
p
o
n
d
e
n
t
s

i
n

M
e
a
n
s
*
*
C
o
m
p
e
t
e
n
c
i
e
s
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
*
A
b
i
l
i
t
y

t
o

p
r
o
m
o
t
e

t
h
e
4
.
0
6
4
.
0
8
4
.
2
4
4
.
2
8
4
.
1
8
4
.
1
5
4
.
4
8
4
.
0
4
4
.
3
6
4
.
2
4
4
.
0
9
4
.
7
1
4
.
2
8
i
n
t
e
r
n
a
l

a
u
d
i
t

a
c
t
i
v
i
t
y
w
i
t
h
i
n

t
h
e

o
r
g
a
n
i
z
a
t
i
o
n
A
n
a
l
y
t
i
c
a
l

(
a
b
i
l
i
t
y

t
o
4
.
5
8
4
.
7
1
4
.
5
7
4
.
3
6
4
.
5
6
4
.
5
7
4
.
6
0
4
.
2
9
4
.
5
5
4
.
5
6
4
.
5
0
5
.
0
0
4
.
4
2
w
o
r
k

t
h
r
o
u
g
h

a
n

i
s
s
u
e
)
C
h
a
n
g
e

m
a
n
a
g
e
m
e
n
t
3
.
9
5
3
.
8
9
4
.
0
9
3
.
7
6
3
.
7
0
3
.
4
1
4
.
2
4
3
.
7
6
3
.
6
8
3
.
3
6
3
.
8
2
3
.
4
3
3
.
7
9
C
o
m
m
u
n
i
c
a
t
i
o
n
4
.
6
7
4
.
7
9
4
.
7
2
4
.
4
8
4
.
5
6
4
.
3
2
4
.
5
6
4
.
3
6
4
.
1
4
4
.
5
8
4
.
5
2
4
.
8
6
4
.
5
3
C
o
n
c
e
p
t
u
a
l

t
h
i
n
k
i
n
g
4
.
3
9
4
.
3
9
4
.
2
6
3
.
8
0
4
.
3
8
4
.
3
2
4
.
3
1
4
.
0
5
4
.
0
5
4
.
0
8
4
.
2
4
4
.
7
1
4
.
1
9
C
o
n
f
l
i
c
t

r
e
s
o
l
u
t
i
o
n
4
.
3
1
4
.
1
6
4
.
3
3
4
.
1
8
4
.
3
6
3
.
7
2
4
.
3
5
4
.
0
8
4
.
0
0
3
.
7
6
4
.
0
9
4
.
0
0
4
.
2
3
C
r
i
t
i
c
a
l

t
h
i
n
k
i
n
g
4
.
5
3
4
.
5
3
4
.
4
5
3
.
8
8
4
.
3
4
4
.
4
3
4
.
5
2
4
.
2
7
4
.
2
4
4
.
4
0
4
.
3
5
4
.
4
3
4
.
3
3
F
o
r
e
i
g
n

l
a
n
g
u
a
g
e

s
k
i
l
l
s
1
.
8
1
1
.
5
5
1
.
9
0
3
.
3
6
3
.
4
6
3
.
6
6
3
.
6
1
3
.
2
9
3
.
3
6
3
.
6
8
2
.
8
8
2
.
4
3
3
.
2
2
K
e
e
p
i
n
g

u
p

t
o

d
a
t
e

w
i
t
h
3
.
8
6
3
.
7
1
4
.
1
8
4
.
2
2
4
.
0
6
4
.
0
4
4
.
4
0
4
.
0
5
3
.
7
3
4
.
1
7
3
.
9
7
4
.
0
0
4
.
1
6
p
r
o
f
e
s
s
i
o
n
a
l

c
h
a
n
g
e
s

i
n
o
p
i
n
i
o
n
s
,

s
t
a
n
d
a
r
d
s
,
a
n
d

r
e
g
u
l
a
t
i
o
n
s
O
r
g
a
n
i
z
a
t
i
o
n

s
k
i
l
l
s
4
.
2
3
4
.
2
6
4
.
1
4
3
.
4
8
4
.
1
0
3
.
8
3
4
.
3
3
4
.
0
1
3
.
7
3
3
.
7
1
3
.
7
4
4
.
5
7
4
.
1
1
P
r
e
s
e
n
t
a
t
i
o
n

s
k
i
l
l
s
4
.
1
1
3
.
9
7
3
.
9
3
3
.
9
4
4
.
0
4
3
.
7
6
4
.
0
4
3
.
9
9
3
.
9
5
4
.
1
2
4
.
0
3
4
.
0
0
3
.
8
9
P
r
o
b
l
e
m

i
d
e
n
t
i
f
i
c
a
t
i
o
n
4
.
5
1
4
.
6
6
4
.
5
6
4
.
2
4
4
.
5
2
4
.
3
4
4
.
5
0
4
.
4
1
4
.
1
4
4
.
5
6
4
.
4
5
5
.
0
0
4
.
4
4
a
n
d

s
o
l
u
t
i
o
n
P
r
o
j
e
c
t

p
l
a
n
n
i
n
g

a
n
d
4
.
1
7
4
.
0
8
4
.
0
4
3
.
7
6
3
.
9
1
3
.
4
3
4
.
0
7
3
.
8
0
3
.
8
6
4
.
2
0
4
.
0
3
4
.
0
0
3
.
9
1
m
a
n
a
g
e
m
e
n
t
R
e
p
o
r
t

d
e
v
e
l
o
p
m
e
n
t
4
.
2
8
4
.
4
7
4
.
4
3
4
.
0
2
4
.
2
4
3
.
4
1
4
.
5
6
4
.
3
8
4
.
5
0
4
.
0
0
4
.
2
6
4
.
8
3
4
.
2
0
T
i
m
e

m
a
n
a
g
e
m
e
n
t
4
.
3
4
4
.
3
7
4
.
4
3
3
.
7
8
4
.
1
9
3
.
6
6
4
.
4
1
4
.
1
4
3
.
9
0
3
.
8
0
4
.
3
5
4
.
5
7
4
.
1
4
T
r
a
i
n
i
n
g

a
n
d
3
.
6
5
3
.
6
8
3
.
8
2
3
.
7
1
3
.
7
7
3
.
2
8
4
.
1
6
3
.
7
9
3
.
4
1
3
.
5
6
3
.
7
9
4
.
2
9
3
.
9
4
d
e
v
e
l
o
p
i
n
g

s
t
a
f
f
U
n
d
e
r
s
t
a
n
d
i
n
g

c
o
m
p
l
e
x
3
.
6
4
3
.
6
1
3
.
9
8
3
.
6
7
3
.
5
5
3
.
7
1
4
.
0
9
3
.
6
5
3
.
9
5
3
.
6
8
3
.
7
9
3
.
4
3
3
.
9
0
i
n
f
o
r
m
a
t
i
o
n

s
y
s
t
e
m
s
W
r
i
t
i
n
g

S
k
i
l
l
s
4
.
5
3
4
.
5
5
4
.
5
7
3
.
9
0
4
.
5
9
4
.
4
1
4
.
5
8
4
.
2
9
4
.
3
2
4
.
3
6
4
.
4
1
4
.
2
9
4
.
3
3
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
T
h
e

m
e
a
n

i
s

t
h
e

a
v
e
r
a
g
e

r
e
s
p
o
n
s
e

t
o
:

1

=

m
i
n
i
m
a
l
l
y

i
m
p
o
r
t
a
n
t

t
o

5

=

v
e
r
y

i
m
p
o
r
t
a
n
t
.
*
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
T
a
b
l
e

8
-
3
-
3
-
A
I
m
p
o
r
t
a
n
c
e

o
f

C
o
m
p
e
t
e
n
c
i
e
s

t
o

P
e
r
f
o
r
m

W
o
r
k

f
o
r

t
h
e

A
u
d
i
t

S
t
a
f
f

b
y

G
r
o
u
p
s
*
P
r
a
c
t
i
t
i
o
n
e
r

R
e
s
p
o
n
d
e
n
t
s

i
n

M
e
a
n
s

*
*
C
o
m
p
e
t
e
n
c
i
e
s
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
*
A
b
i
l
i
t
y

t
o

p
r
o
m
o
t
e

t
h
e
4
.
0
1
4
.
1
7
4
.
3
3
4
.
3
0
4
.
1
1
3
.
8
9
4
.
4
2
3
.
9
9
4
.
6
2
3
.
8
8
3
.
8
2
5
.
0
0
4
.
2
5
i
n
t
e
r
n
a
l

a
u
d
i
t

a
c
t
i
v
i
t
y
w
i
t
h
i
n

t
h
e

o
r
g
a
n
i
z
a
t
i
o
n
A
n
a
l
y
t
i
c
a
l

(
a
b
i
l
i
t
y

t
o
4
.
5
3
4
.
1
7
4
.
4
9
4
.
5
3
4
.
5
4
4
.
3
0
4
.
7
7
4
.
1
6
4
.
3
8
4
.
2
9
4
.
1
2
4
.
6
7
4
.
4
8
w
o
r
k

t
h
r
o
u
g
h

a
n

i
s
s
u
e
)
C
h
a
n
g
e

m
a
n
a
g
e
m
e
n
t
3
.
7
5
3
.
8
3
3
.
8
5
3
.
7
0
3
.
6
0
3
.
2
0
4
.
2
9
3
.
6
1
4
.
0
0
3
.
1
6
3
.
5
9
4
.
0
0
3
.
8
7
C
o
m
m
u
n
i
c
a
t
i
o
n
4
.
6
5
4
.
4
2
4
.
7
4
4
.
5
6
4
.
4
5
4
.
4
0
4
.
7
7
4
.
3
0
4
.
3
8
4
.
2
8
4
.
0
0
4
.
6
7
4
.
5
0
C
o
n
c
e
p
t
u
a
l

t
h
i
n
k
i
n
g
4
.
3
9
4
.
2
5
4
.
2
9
4
.
0
9
4
.
2
7
4
.
0
4
4
.
5
5
3
.
9
6
4
.
3
1
3
.
9
2
3
.
8
2
5
.
0
0
4
.
2
2
C
o
n
f
l
i
c
t

r
e
s
o
l
u
t
i
o
n
4
.
2
0
4
.
0
0
4
.
2
6
4
.
2
7
4
.
0
2
3
.
7
6
4
.
5
8
3
.
9
0
4
.
2
3
3
.
3
6
3
.
9
4
4
.
0
0
4
.
2
5
C
r
i
t
i
c
a
l

t
h
i
n
k
i
n
g
4
.
5
4
4
.
4
2
4
.
4
4
3
.
9
3
4
.
1
6
4
.
3
6
4
.
6
8
4
.
1
5
4
.
2
3
4
.
4
8
3
.
9
4
4
.
3
3
4
.
2
7
F
o
r
e
i
g
n

l
a
n
g
u
a
g
e

s
k
i
l
l
s
1
.
9
0
1
.
5
0
2
.
2
7
3
.
3
6
3
.
6
0
3
.
3
3
3
.
4
8
3
.
2
1
4
.
0
0
3
.
4
8
2
.
2
9
3
.
3
3
3
.
1
3
K
e
e
p
i
n
g

u
p

t
o

d
a
t
e

w
i
t
h
3
.
8
2
4
.
0
0
4
.
3
0
4
.
3
4
4
.
2
8
3
.
8
9
4
.
5
5
3
.
9
9
4
.
3
8
3
.
5
2
3
.
7
6
5
.
0
0
4
.
1
6
p
r
o
f
e
s
s
i
o
n
a
l

c
h
a
n
g
e
s

i
n
o
p
i
n
i
o
n
s
,

s
t
a
n
d
a
r
d
s
,
a
n
d

r
e
g
u
l
a
t
i
o
n
s
O
r
g
a
n
i
z
a
t
i
o
n

s
k
i
l
l
s
4
.
2
8
4
.
4
2
4
.
2
2
3
.
8
6
4
.
0
4
3
.
8
4
4
.
2
9
4
.
0
8
4
.
3
1
3
.
6
3
3
.
7
1
4
.
6
7
4
.
0
3
P
r
e
s
e
n
t
a
t
i
o
n

s
k
i
l
l
s
4
.
0
1
3
.
9
2
3
.
9
7
4
.
1
3
4
.
0
7
3
.
8
0
4
.
1
9
4
.
1
2
4
.
1
5
3
.
8
4
3
.
8
2
4
.
6
7
3
.
9
6
P
r
o
b
l
e
m

i
d
e
n
t
i
f
i
c
a
t
i
o
n
4
.
4
5
4
.
5
8
4
.
5
3
4
.
5
7
4
.
4
5
4
.
3
1
4
.
6
8
4
.
4
1
4
.
6
2
4
.
0
5
4
.
1
8
4
.
6
7
4
.
3
5
a
n
d

s
o
l
u
t
i
o
n
P
r
o
j
e
c
t

p
l
a
n
n
i
n
g

a
n
d
3
.
9
6
3
.
4
2
3
.
8
9
3
.
8
9
3
.
8
1
3
.
4
9
3
.
8
4
3
.
7
5
4
.
1
5
3
.
5
6
3
.
5
9
3
.
6
7
3
.
7
2
m
a
n
a
g
e
m
e
n
t
R
e
p
o
r
t

d
e
v
e
l
o
p
m
e
n
t
4
.
2
1
4
.
3
3
4
.
3
8
4
.
1
0
3
.
9
9
3
.
7
2
4
.
8
4
4
.
1
7
4
.
4
6
3
.
8
4
3
.
8
8
5
.
0
0
4
.
2
6
T
i
m
e

m
a
n
a
g
e
m
e
n
t
4
.
3
9
4
.
3
3
4
.
4
5
4
.
1
3
4
.
1
1
3
.
6
9
4
.
5
2
4
.
0
2
4
.
5
4
3
.
5
2
3
.
8
2
5
.
0
0
4
.
0
6
T
r
a
i
n
i
n
g

a
n
d
3
.
3
5
3
.
2
5
3
.
4
3
3
.
9
9
3
.
5
6
3
.
3
0
4
.
1
0
3
.
8
0
4
.
2
3
3
.
1
6
3
.
4
7
5
.
0
0
3
.
7
6
d
e
v
e
l
o
p
i
n
g

s
t
a
f
f
U
n
d
e
r
s
t
a
n
d
i
n
g
3
.
5
1
3
.
3
3
3
.
8
1
3
.
8
1
3
.
6
9
3
.
5
1
4
.
0
6
3
.
5
3
3
.
9
2
3
.
5
6
3
.
3
5
5
.
0
0
3
.
9
0
c
o
m
p
l
e
x

i
n
f
o
r
m
a
t
i
o
n
s
y
s
t
e
m
s
W
r
i
t
i
n
g

S
k
i
l
l
s
4
.
4
9
4
.
1
7
4
.
4
6
3
.
9
0
4
.
5
4
4
.
2
4
4
.
5
8
4
.
2
4
4
.
2
3
4
.
2
4
4
.
4
1
5
.
0
0
4
.
4
1
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
T
h
e

m
e
a
n

i
s

t
h
e

a
v
e
r
a
g
e

r
e
s
p
o
n
s
e

t
o
:

1

=

m
i
n
i
m
a
l
l
y

i
m
p
o
r
t
a
n
t

t
o

5

=

v
e
r
y

i
m
p
o
r
t
a
n
t
.
*
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
T
a
b
l
e

8
-
5
-
4
-
A
I
m
p
o
r
t
a
n
c
e

o
f

A
r
e
a
s

o
f

K
n
o
w
l
e
d
g
e

t
o

P
e
r
f
o
r
m

W
o
r
k

f
o
r

A
u
d
i
t

M
a
n
a
g
e
r

b
y

G
r
o
u
p
s
*
P
r
a
c
t
i
t
i
o
n
e
r

R
e
s
p
o
n
d
e
n
t
s

i
n

M
e
a
n
s
*
*
A
r
e
a
s

o
f

K
n
o
w
l
e
d
g
e
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
*
A
c
c
o
u
n
t
i
n
g
3
.
8
4
3
.
3
4
3
.
6
7
3
.
9
5
3
.
8
1
3
.
6
5
4
.
2
0
3
.
6
7
4
.
4
4
3
.
4
4
4
.
1
7
4
.
2
5
3
.
9
6
A
u
d
i
t
i
n
g
4
.
7
0
4
.
5
3
4
.
6
1
4
.
4
2
4
.
6
7
4
.
5
8
4
.
8
4
4
.
6
8
4
.
8
9
4
.
8
8
4
.
6
9
4
.
9
2
4
.
7
2
B
u
s
i
n
e
s
s

l
a
w

a
n
d
3
.
4
8
3
.
7
0
3
.
7
3
3
.
6
8
3
.
7
9
3
.
5
3
4
.
2
9
3
.
6
9
4
.
1
7
4
.
0
0
4
.
0
6
4
.
4
2
3
.
8
6
g
o
v
e
r
n
m
e
n
t

r
e
g
u
l
a
t
i
o
n
B
u
s
i
n
e
s
s

m
a
n
a
g
e
m
e
n
t
3
.
6
4
3
.
8
4
3
.
8
5
3
.
6
1
3
.
8
1
3
.
6
6
4
.
1
9
3
.
6
7
3
.
9
4
4
.
0
6
3
.
8
5
4
.
2
7
3
.
8
3
C
h
a
n
g
e
s

t
o

p
r
o
f
e
s
s
i
o
n
a
l
3
.
6
1
3
.
4
0
3
.
8
5
3
.
7
9
3
.
5
2
3
.
5
2
4
.
1
8
3
.
5
9
4
.
1
7
3
.
6
3
4
.
0
2
4
.
3
3
3
.
8
3
s
t
a
n
d
a
r
d
s
E
n
t
e
r
p
r
i
s
e

r
i
s
k

m
a
n
a
g
e
m
e
n
t
3
.
5
4
4
.
0
7
4
.
1
1
4
.
0
3
3
.
9
5
3
.
9
4
4
.
3
5
4
.
0
0
4
.
4
4
4
.
2
0
3
.
9
8
4
.
3
3
4
.
0
0
E
t
h
i
c
s
4
.
2
6
4
.
0
4
4
.
1
6
4
.
2
1
3
.
9
5
3
.
7
6
4
.
6
7
4
.
0
9
4
.
5
6
4
.
3
8
4
.
0
9
4
.
5
0
4
.
3
3
F
i
n
a
n
c
e
3
.
5
2
3
.
3
8
3
.
7
0
3
.
6
9
4
.
0
0
3
.
5
8
4
.
2
5
3
.
7
1
4
.
4
4
3
.
6
3
4
.
1
1
4
.
0
8
3
.
7
5
F
r
a
u
d

a
w
a
r
e
n
e
s
s
4
.
0
1
3
.
8
5
3
.
9
4
3
.
8
2
3
.
9
9
3
.
7
1
4
.
3
6
3
.
9
0
4
.
3
3
3
.
8
1
4
.
1
3
4
.
1
7
4
.
1
0
G
o
v
e
r
n
a
n
c
e
3
.
8
1
4
.
2
6
4
.
2
1
3
.
7
9
3
.
9
7
3
.
7
9
4
.
3
0
3
.
9
7
4
.
1
7
4
.
2
5
4
.
0
9
4
.
1
7
3
.
8
4
H
u
m
a
n

r
e
s
o
u
r
c
e
3
.
2
5
3
.
3
2
3
.
5
2
3
.
2
1
3
.
5
7
3
.
2
8
3
.
9
6
3
.
5
9
3
.
9
4
3
.
6
3
3
.
5
5
3
.
7
5
3
.
5
8
m
a
n
a
g
e
m
e
n
t
I
n
f
o
r
m
a
t
i
o
n

t
e
c
h
n
o
l
o
g
y
3
.
7
9
3
.
5
7
3
.
8
0
3
.
6
4
3
.
8
3
3
.
8
8
4
.
3
6
3
.
7
4
4
.
4
4
3
.
9
4
4
.
0
6
4
.
4
2
3
.
8
7
I
n
t
e
r
n
a
l

a
u
d
i
t
i
n
g

s
t
a
n
d
a
r
d
s
4
.
1
5
3
.
6
8
4
.
2
7
4
.
0
0
4
.
2
0
4
.
0
4
4
.
6
7
4
.
0
5
4
.
7
2
4
.
0
6
4
.
2
9
4
.
6
7
4
.
2
3
M
a
n
a
g
e
r
i
a
l

a
c
c
o
u
n
t
i
n
g
3
.
0
5
3
.
1
7
3
.
2
8
3
.
4
5
3
.
5
5
3
.
4
0
4
.
0
4
3
.
5
3
4
.
1
7
3
.
3
1
3
.
6
9
4
.
0
0
3
.
6
9
M
a
r
k
e
t
i
n
g
2
.
4
5
2
.
5
3
2
.
8
6
3
.
1
6
2
.
9
5
2
.
5
8
3
.
3
0
2
.
6
1
3
.
6
7
2
.
4
0
2
.
9
2
3
.
5
8
3
.
0
0
O
r
g
a
n
i
z
a
t
i
o
n

c
u
l
t
u
r
e
3
.
9
2
3
.
8
9
3
.
9
2
3
.
4
9
3
.
8
2
3
.
8
0
4
.
0
7
3
.
9
4
4
.
2
2
3
.
5
0
3
.
8
1
4
.
4
2
3
.
8
4
O
r
g
a
n
i
z
a
t
i
o
n
a
l

s
y
s
t
e
m
s
3
.
6
5
3
.
9
3
3
.
9
9
3
.
4
5
3
.
7
1
3
.
8
6
3
.
9
3
3
.
6
1
4
.
3
3
3
.
7
5
3
.
7
7
4
.
4
0
3
.
9
0
S
t
r
a
t
e
g
y

a
n
d

b
u
s
i
n
e
s
s
3
.
6
3
3
.
6
8
4
.
0
2
3
.
6
4
3
.
6
5
3
.
6
9
3
.
9
9
3
.
5
7
4
.
3
3
4
.
0
6
3
.
8
3
4
.
5
0
3
.
7
7
p
o
l
i
c
y
T
e
c
h
n
i
c
a
l

k
n
o
w
l
e
d
g
e
3
.
9
9
4
.
0
2
4
.
0
2
3
.
7
2
3
.
9
2
3
.
4
0
4
.
1
6
4
.
0
3
4
.
4
4
3
.
5
0
4
.
0
0
4
.
3
3
3
.
9
0
f
o
r

y
o
u
r

i
n
d
u
s
t
r
y
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
T
h
e

m
e
a
n

i
s

t
h
e

a
v
e
r
a
g
e

r
e
s
p
o
n
s
e

t
o
:

1

=

m
i
n
i
m
a
l
l
y

i
m
p
o
r
t
a
n
t

t
o

5

=

v
e
r
y

i
m
p
o
r
t
a
n
t
.
*
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
T
a
b
l
e

8
-
5
-
5
-
A
I
m
p
o
r
t
a
n
c
e

o
f

A
r
e
a
s

o
f

K
n
o
w
l
e
d
g
e

t
o

P
e
r
f
o
r
m

W
o
r
k

f
o
r

A
u
d
i
t

S
e
n
i
o
r
/
S
u
p
e
r
v
i
s
o
r

b
y

G
r
o
u
p
s
*
P
r
a
c
t
i
t
i
o
n
e
r

R
e
s
p
o
n
d
e
n
t
s

i
n

M
e
a
n
s
*
*
A
r
e
a
s

o
f

K
n
o
w
l
e
d
g
e
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
*
A
c
c
o
u
n
t
i
n
g
3
.
7
7
3
.
5
5
3
.
4
5
3
.
9
4
3
.
7
8
3
.
5
3
4
.
2
0
3
.
4
6
4
.
2
7
3
.
7
6
3
.
9
7
4
.
7
1
4
.
0
2
A
u
d
i
t
i
n
g
4
.
6
7
4
.
7
6
4
.
7
3
4
.
5
3
4
.
5
6
4
.
4
2
4
.
8
0
4
.
5
6
4
.
7
7
4
.
6
0
4
.
6
5
4
.
7
1
4
.
6
8
B
u
s
i
n
e
s
s

l
a
w

a
n
d
3
.
5
5
3
.
7
1
3
.
7
7
3
.
7
9
3
.
7
9
3
.
5
1
4
.
1
6
3
.
6
2
3
.
7
7
3
.
8
0
3
.
5
3
3
.
5
7
4
.
0
2
g
o
v
e
r
n
m
e
n
t

r
e
g
u
l
a
t
i
o
n
B
u
s
i
n
e
s
s

m
a
n
a
g
e
m
e
n
t
3
.
5
8
3
.
6
8
3
.
6
3
3
.
7
1
3
.
5
4
3
.
4
9
3
.
9
4
3
.
4
3
3
.
2
7
3
.
6
7
3
.
6
8
3
.
8
6
3
.
6
2
C
h
a
n
g
e
s

t
o

p
r
o
f
e
s
s
i
o
n
a
l
3
.
6
0
3
.
5
0
3
.
7
6
3
.
9
2
3
.
5
2
3
.
4
6
4
.
0
6
3
.
4
8
3
.
4
1
3
.
2
8
3
.
6
2
4
.
0
0
3
.
7
6
s
t
a
n
d
a
r
d
s
E
n
t
e
r
p
r
i
s
e

r
i
s
k

m
a
n
a
g
e
m
e
n
t
3
.
5
1
3
.
7
9
3
.
8
6
4
.
1
0
3
.
8
2
3
.
9
3
4
.
1
6
3
.
9
4
3
.
5
5
3
.
9
2
3
.
6
2
4
.
2
9
3
.
8
5
E
t
h
i
c
s
4
.
3
0
4
.
1
1
4
.
1
0
4
.
0
6
3
.
9
5
3
.
7
8
4
.
6
2
3
.
8
5
4
.
0
9
4
.
2
4
3
.
8
2
4
.
2
9
4
.
1
6
F
i
n
a
n
c
e
3
.
5
8
3
.
4
9
3
.
7
1
3
.
8
8
3
.
9
7
3
.
2
6
4
.
0
4
3
.
5
5
3
.
5
9
3
.
7
6
3
.
7
3
4
.
0
0
3
.
9
1
F
r
a
u
d

a
w
a
r
e
n
e
s
s
3
.
9
5
3
.
8
2
3
.
9
5
3
.
9
4
3
.
9
0
3
.
6
4
4
.
2
7
3
.
6
6
3
.
8
6
3
.
6
4
3
.
7
6
4
.
1
4
4
.
0
7
G
o
v
e
r
n
a
n
c
e
3
.
7
6
4
.
0
8
4
.
1
6
3
.
6
3
3
.
6
1
3
.
5
7
4
.
0
6
3
.
6
5
3
.
5
5
3
.
8
8
3
.
8
5
3
.
5
7
3
.
8
7
H
u
m
a
n

r
e
s
o
u
r
c
e
3
.
0
8
3
.
4
2
3
.
4
1
3
.
3
1
3
.
2
6
3
.
0
5
3
.
7
0
3
.
1
5
3
.
0
9
3
.
1
6
3
.
0
6
3
.
4
3
3
.
4
8
m
a
n
a
g
e
m
e
n
t
I
n
f
o
r
m
a
t
i
o
n

t
e
c
h
n
o
l
o
g
y
3
.
7
8
3
.
7
1
3
.
8
6
4
.
0
8
3
.
5
7
3
.
8
8
4
.
2
2
3
.
7
1
3
.
5
5
4
.
1
7
3
.
7
9
4
.
0
0
4
.
0
9
I
n
t
e
r
n
a
l

a
u
d
i
t
i
n
g

s
t
a
n
d
a
r
d
s
4
.
2
2
4
.
1
6
4
.
2
6
4
.
0
0
4
.
1
5
3
.
9
3
4
.
5
5
3
.
9
2
3
.
8
2
4
.
0
8
4
.
0
9
4
.
2
9
4
.
2
6
M
a
n
a
g
e
r
i
a
l

a
c
c
o
u
n
t
i
n
g
3
.
1
3
3
.
0
8
3
.
2
2
3
.
6
9
3
.
4
1
3
.
1
6
3
.
9
2
3
.
2
8
3
.
2
3
3
.
3
8
3
.
1
8
3
.
5
7
3
.
6
1
M
a
r
k
e
t
i
n
g
2
.
4
1
2
.
3
7
2
.
6
8
3
.
1
6
2
.
6
8
2
.
2
9
3
.
2
3
2
.
5
5
2
.
4
5
2
.
6
4
2
.
5
9
2
.
7
1
2
.
8
8
O
r
g
a
n
i
z
a
t
i
o
n

c
u
l
t
u
r
e
3
.
8
0
4
.
0
3
3
.
9
6
3
.
6
2
3
.
5
4
3
.
5
1
4
.
0
9
3
.
7
9
3
.
6
8
3
.
7
6
3
.
4
7
4
.
2
9
3
.
7
2
O
r
g
a
n
i
z
a
t
i
o
n
a
l

s
y
s
t
e
m
s
3
.
7
0
4
.
0
3
4
.
1
5
3
.
6
3
3
.
6
8
3
.
6
7
3
.
9
0
3
.
6
6
3
.
6
4
3
.
6
4
3
.
5
9
4
.
4
3
3
.
7
9
S
t
r
a
t
e
g
y

a
n
d

b
u
s
i
n
e
s
s
3
.
5
7
3
.
8
4
3
.
8
9
3
.
8
8
3
.
4
2
3
.
5
1
3
.
8
9
3
.
3
3
3
.
5
0
3
.
7
6
3
.
6
5
4
.
5
7
3
.
5
4
p
o
l
i
c
y
T
e
c
h
n
i
c
a
l

k
n
o
w
l
e
d
g
e
3
.
9
7
3
.
9
2
3
.
9
9
4
.
2
0
3
.
7
3
3
.
5
0
4
.
0
8
3
.
9
7
3
.
5
5
3
.
5
4
3
.
7
6
4
.
4
3
3
.
8
3
f
o
r

y
o
u
r

i
n
d
u
s
t
r
y
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
T
h
e

m
e
a
n

i
s

t
h
e

a
v
e
r
a
g
e

r
e
s
p
o
n
s
e

t
o
:

1

=

m
i
n
i
m
a
l
l
y

i
m
p
o
r
t
a
n
t

t
o

5

=

v
e
r
y

i
m
p
o
r
t
a
n
t
.
*
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
T
a
b
l
e

8
-
5
-
6
-
A
I
m
p
o
r
t
a
n
c
e

o
f

A
r
e
a
s

o
f

K
n
o
w
l
e
d
g
e

t
o

P
e
r
f
o
r
m

W
o
r
k

f
o
r

t
h
e

A
u
d
i
t

S
t
a
f
f

b
y

G
r
o
u
p
s
*
P
r
a
c
t
i
t
i
o
n
e
r

R
e
s
p
o
n
d
e
n
t
s

i
n

M
e
a
n
s
*
*
A
r
e
a
s

o
f

K
n
o
w
l
e
d
g
e
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
*
A
c
c
o
u
n
t
i
n
g
3
.
7
1
3
.
1
7
3
.
5
6
4
.
0
6
3
.
8
5
3
.
3
6
4
.
1
0
3
.
4
8
4
.
5
0
3
.
1
2
3
.
7
1
4
.
3
3
3
.
8
6
A
u
d
i
t
i
n
g
4
.
6
2
4
.
7
5
4
.
7
5
4
.
5
6
4
.
7
2
4
.
2
4
4
.
9
0
4
.
5
7
4
.
9
2
4
.
4
0
4
.
2
9
4
.
3
3
4
.
5
7
B
u
s
i
n
e
s
s

l
a
w

a
n
d
3
.
5
8
3
.
7
5
3
.
7
6
4
.
0
9
3
.
5
6
3
.
3
1
4
.
0
3
3
.
6
1
4
.
2
5
3
.
7
2
3
.
5
3
4
.
0
0
3
.
8
7
g
o
v
e
r
n
m
e
n
t

r
e
g
u
l
a
t
i
o
n
B
u
s
i
n
e
s
s

m
a
n
a
g
e
m
e
n
t
3
.
4
6
3
.
2
5
3
.
5
6
3
.
8
7
3
.
5
9
3
.
4
4
4
.
0
3
3
.
2
9
4
.
2
5
3
.
4
8
3
.
5
3
3
.
3
3
3
.
6
5
C
h
a
n
g
e
s

t
o

p
r
o
f
e
s
s
i
o
n
a
l
3
.
6
5
3
.
7
5
4
.
0
2
4
.
0
4
3
.
7
3
3
.
1
1
4
.
0
0
3
.
4
2
4
.
3
3
3
.
0
8
3
.
1
2
4
.
0
0
3
.
8
2
s
t
a
n
d
a
r
d
s
E
n
t
e
r
p
r
i
s
e

r
i
s
k

m
a
n
a
g
e
m
e
n
t
3
.
4
2
3
.
4
2
3
.
9
6
4
.
1
7
4
.
0
6
3
.
8
0
4
.
0
3
3
.
7
1
4
.
1
7
3
.
5
6
3
.
3
5
5
.
0
0
3
.
8
7
E
t
h
i
c
s
4
.
4
0
4
.
4
2
4
.
2
9
4
.
3
1
4
.
0
6
3
.
7
7
4
.
5
5
4
.
0
1
4
.
7
5
3
.
8
8
3
.
8
8
5
.
0
0
4
.
2
6
F
i
n
a
n
c
e
3
.
5
4
3
.
4
2
3
.
8
9
4
.
0
9
3
.
9
3
3
.
1
8
4
.
0
3
3
.
3
1
4
.
5
0
2
.
8
4
3
.
7
6
4
.
3
3
3
.
8
5
F
r
a
u
d

a
w
a
r
e
n
e
s
s
3
.
9
5
3
.
6
7
3
.
9
3
4
.
1
7
3
.
7
1
3
.
5
3
4
.
4
5
3
.
6
0
4
.
3
3
3
.
2
8
3
.
7
6
4
.
6
7
4
.
1
8
G
o
v
e
r
n
a
n
c
e
3
.
7
3
3
.
9
2
4
.
1
6
3
.
8
0
3
.
7
2
3
.
5
3
4
.
1
3
3
.
5
3
4
.
0
9
3
.
8
8
3
.
7
6
3
.
6
7
3
.
8
5
H
u
m
a
n

r
e
s
o
u
r
c
e
2
.
9
5
3
.
1
7
3
.
1
8
3
.
4
6
3
.
3
8
2
.
8
0
3
.
6
5
3
.
0
7
4
.
0
0
2
.
8
4
3
.
0
6
4
.
0
0
3
.
4
5
m
a
n
a
g
e
m
e
n
t
I
n
f
o
r
m
a
t
i
o
n

t
e
c
h
n
o
l
o
g
y
3
.
6
9
3
.
5
8
3
.
8
8
3
.
9
7
3
.
9
6
3
.
4
2
4
.
3
5
3
.
5
9
4
.
0
0
3
.
8
8
3
.
5
9
4
.
6
7
4
.
0
4
I
n
t
e
r
n
a
l

a
u
d
i
t
i
n
g

s
t
a
n
d
a
r
d
s
4
.
2
9
4
.
0
0
4
.
5
2
4
.
1
6
4
.
3
7
3
.
8
0
4
.
6
8
3
.
9
4
4
.
6
7
3
.
8
0
3
.
5
9
4
.
3
3
4
.
3
4
M
a
n
a
g
e
r
i
a
l

a
c
c
o
u
n
t
i
n
g
3
.
0
5
2
.
9
2
3
.
2
4
3
.
9
6
3
.
5
5
3
.
0
2
3
.
7
4
3
.
1
4
3
.
9
2
2
.
9
2
3
.
3
8
4
.
3
3
3
.
5
3
M
a
r
k
e
t
i
n
g
2
.
4
4
2
.
2
5
2
.
6
6
3
.
2
4
2
.
8
6
2
.
1
6
3
.
2
7
2
.
5
3
3
.
6
7
2
.
0
0
2
.
7
6
2
.
6
7
2
.
9
1
O
r
g
a
n
i
z
a
t
i
o
n

c
u
l
t
u
r
e
3
.
8
3
4
.
0
8
3
.
9
4
3
.
7
4
3
.
5
9
3
.
5
8
4
.
1
3
3
.
7
1
4
.
0
8
4
.
1
3
3
.
5
9
4
.
6
7
3
.
8
8
O
r
g
a
n
i
z
a
t
i
o
n
a
l

s
y
s
t
e
m
s
3
.
7
1
3
.
9
2
4
.
1
6
3
.
6
8
3
.
7
2
3
.
6
9
4
.
1
0
3
.
5
6
4
.
0
0
3
.
8
4
3
.
8
2
5
.
0
0
3
.
9
1
S
t
r
a
t
e
g
y

a
n
d

b
u
s
i
n
e
s
s
3
.
5
1
3
.
5
0
4
.
1
0
3
.
9
1
3
.
4
3
3
.
4
1
4
.
3
2
3
.
1
7
4
.
0
0
3
.
9
6
3
.
1
8
5
.
0
0
3
.
7
3
p
o
l
i
c
y
T
e
c
h
n
i
c
a
l

k
n
o
w
l
e
d
g
e

f
o
r
3
.
9
8
4
.
0
0
4
.
1
3
4
.
2
1
3
.
8
3
3
.
0
2
4
.
2
3
4
.
1
4
3
.
7
5
3
.
3
6
3
.
4
7
4
.
6
7
3
.
9
6
y
o
u
r

i
n
d
u
s
t
r
y
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
T
h
e

m
e
a
n

i
s

t
h
e

a
v
e
r
a
g
e

r
e
s
p
o
n
s
e

t
o
:

1

=

m
i
n
i
m
a
l
l
y

i
m
p
o
r
t
a
n
t

t
o

5

=

v
e
r
y

i
m
p
o
r
t
a
n
t
.
*
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.

CONTENTS
Chapter 9

Chapter 9: Emerging Roles of Internal Audit Activities ..................................................... 339
Introduction......................................................................................................................... 339
Years That the IAA and Organizations Have Existed........................................................ 340
Changing Emphasis on Types of Audits............................................................................. 344
Emerging Roles in Organizations Activities..................................................................... 346
Organizational Environment and Key Activities of the IAA.............................................. 352
Summary............................................................................................................................. 357

Disclosure


profession.
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 339
CHAPTER 9
EMERGING ROLES OF
INTERNAL AUDIT ACTIVITIES
Introduction
To examine the emerging role of the internal audit activity (IAA) in the organization, this chapter
starts with a discussion of the length of time organizations have had IAAs and the number of years
the organizations have been in existence. The next section reports on the general types of audits
being performed currently by IAAs and the expected changes in emphasis over the next three
years. Another section examines the range of special audit activities respondents IAAs perform
now and how that is expected to change in the next three years. The last section looks at the
respondents organizations and the IAAs current role in the organization as well as how the
organizations environment and the IIAs role will evolve over the next three years.
question.
not CAEs).
related table would be 9-4-2.
Years That the IAA and Organizations Have Existed
Before looking at the roles and expected roles of the IAAs, one needs to gain a perspective of the
length of time respondents organizations have had IAAs and the years their organizations have
been in existence. Figure 9-1 lists the number of years the respondents IAAs have been in existence.
The largest numbers of respondents work for IAAs that have been in existence for only 0-5 years
(28.4%). Another 21% of the respondents work for IAAs that have been in existence for 6-10
years. This shows that many of the respondents IAAs (49.4%) are just starting to develop in their
organizations. Only 13.8% of the respondents work in IAAs that have been in existence for 31 or
more years.
Figure 9-1
0-5 Years
28.4%
41+Years
8.1%
31-40 Years
5.7%
21-30 Years
14.1%
11-20 Years
22.7%
6-10 Years
21.0%
Table 9-1 provides the number of years respondent organizations have had IAAs by groups. The
groups are listed on the inside back cover of this report. In group 5 respondents indicate that 60.5%
of their IAAs are 0-5 years old and another 22.5% are 6-10 years old. Respondents in the other
groups indicate between 20% - 33.9% of the IAAs are between 0-5 years old and an additional
16.1% - 33.1% indicate their IAAs are between 6-10 years old. A review of the countries in each
group and historical events explain some of these differences since in some areas of the world,
economies are more developed than others.
Table 9-1
Number of Years the IAA Has Existed by Groups*
More
t han
Group Respon- 0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 50
dents Years Years Years Years Years Years Years Years Years Years Years Total
1 3,025 23.8 16.1 10.9 12.6 9.2 8.9 3.1 4.8 .7 4.5 5.4 100.0
2 188 26.1 20.7 17.0 13.3 5.9 6.9 2.7 2.7 1.1 1.1 2.5 100.0
3 636 25.8 26.6 11.9 10.2 5.8 7.1 2.7 1.9 .5 4.2 3.3 100.0
4 347 25.6 33.1 15.9 13.3 3.2 3.5 1.2 2.0 .6 .8 .8 100.0
5 550 60.5 22.5 8.0 2.7 1.5 1.3 .0 1.1 .2 1.3 .9 100.0
6 423 23.6 18.0 10.4 7.6 8.0 11.6 3.1 2.6 .9 5.2 9.0 100.0
7 467 23.1 20.3 13.1 9.9 8.4 11.8 2.8 3.2 .6 2.6 4.2 100.0
8 910 32.7 25.3 14.3 11.1 5.5 3.7 1.9 1.3 .2 1.3 2.7 100.0
9 118 33.9 29.7 15.3 7.6 5.1 .8 .0 .0 .8 3.4 3.4 100.0
10 125 22.4 25.6 11.2 8.0 6.4 4.8 3.2 6.4 .0 3.2 8.8 100.0
11 226 28.8 24.3 11.9 10.2 5.8 8.4 1.3 4.0 .9 2.2 2.2 100.0
12 40 20.0 27.5 10.0 10.0 5.0 12.5 2.5 .0 7.5 2.5 2.5 100.0
N/C** 692 27.6 23.3 11.6 13.0 4.8 7.4 1.4 3.6 .6 3.3 3.4 100.0
Overall 7,747 2,194 1,628 914 847 529 566 181 255 48 257 328
Respondents
in Category
Overall 28.4 21.0 11.8 10.9 6.8 7.3 2.4 3.3 .6 3.3 4.2 100.0
Percent in
Category
Figure 9-2 reports on how long respondents organizations have been in existence. A correlation
test performed by the researchers showed a relationship between how long the organizations have
been in existence and how long the organizations have had an IAA. It appears that older companies
tend to have established IAAs longer than younger companies.
Figure 9-2
Table 9-2 lists the length of time respondents organizations have been in existence by the 13
groups. Groups 1, 6, and 10 have a large number of respondents (54.5% - 59.2%) working in
organizations that are more than 50 years old and only 11.2% - 13.4% with organizations that are
10 or less years old. While for respondents in groups 4, 5, and 11, greater than 24% of their
organizations (24.1% - 29.4%) are 10 years old or less.
Table 9-2
Number of Years Organizations Have Existed by Groups*
Group Respondents 0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 More Total
Years Years Years Years Years Years Years Years Years Years t han
50
Years
1 3,241 4.4 6.8 4.7 4.8 3.9 5.0 3.7 4.8 1.7 5.7 54.5 100.0
2 189 8.5 11.1 3.7 6.3 3.7 6.9 4.2 2.6 2.1 7.4 43.5 100.0
3 648 8.3 13.1 9.3 5.9 5.4 5.1 3.1 5.2 1.4 5.7 37.5 100.0
4 354 11.6 17.8 9.9 12.7 3.4 9.0 5.9 5.1 4.0 3.7 16.9 100.0
5 552 12.0 17.4 24.8 6.7 2.2 3.1 2.2 3.1 1.1 4.3 23.1 100.0
6 434 4.8 8.5 6.0 2.5 1.8 4.4 2.5 3.7 .9 8.5 56.4 100.0
7 504 6.0 14.1 10.3 5.0 4.0 6.7 5.0 3.4 3.6 6.5 35.4 100.0
8 954 11.3 10.6 7.0 6.2 3.6 5.8 2.5 4.8 1.5 5.6 41.1 100.0
9 125 8.0 9.6 7.2 13.6 11.2 3.2 7.2 1.6 5.6 8.0 24.8 100.0
10 135 6.7 6.7 3.7 4.4 3.0 3.7 5.2 1.5 3.7 2.2 59.2 100.0
11 228 11.4 12.7 10.1 11.0 8.3 6.1 5.7 6.1 4.8 4.8 18.8 100.0
12 39 5.1 10.3 7.7 10.3 5.1 15.4 10.3 10.3 7.7 .0 17.8 100.0
N/C** 762 8.7 14.3 9.4 7.9 3.5 6.2 3.1 3.3 1.8 5.4 36.4 100.0
Total/ 8,165 590 856 648 496 321 442 299 355 165 461 3532
Overall
Respondents
in Category
Overall
Percent in
Category 7.2 10.5 7.9 6.1 3.9 5.4 3.7 4.3 2.0 5.6 43.4 100.0
Changing Emphasis on Types of Audits
This section focuses on the anticipated change in demand for the general types of audits that will
be performed by the IAA in the next three years. The definition of internal auditing in The IIAs
1999 report, A Vision for the Future: Professional Practices Framework for Internal Auditing,
acknowledges the importance of assurance services and consulting in the areas of risk management,
governance, and controls. With this expansion of scope, it was expected that the audits performed
by IAAs would include these three areas. In order to assess staffing needs, required competencies,
and the skills necessary in the near future, the profession needs to anticipate changes in the demand
for their services. Table 9-3 shows the estimates of all respondents to the question about whether
they anticipate the general types of audits performed by their IAA will increase, decrease, or stay
the same over the next three years.
Table 9-3
Within the Next Three Years
Activity Total Increase Decrease Stay the Total
Responses Same Percent
Risk management 6,728 79.5 2.3 18.2 100.0
Governance 6,704 63.2 4.0 32.8 100.0
Regulatory compliance 6,698 46.9 11.7 41.4 100.0
Operational auditing 6,715 46.2 14.7 39.1 100.0
Review of financial processes 6,724 43.5 14.6 41.9 100.0
Respondents predict that the greatest increase in the types of audits performed in the next three
years will be in risk management (79.5%) and governance (63.2%) audits. The projected increases
for these types of audits will need to be reflected in the IAAs internal audit plan, the resources
allocated to the IAA, and in the audit staffs competencies. For many of the respondents, regulatory
compliance (46.9%), operational auditing (46.2%), and reviews of financial processes (43.5%)
show material increases as well. Some respondents do anticipate that less time will be spent on
operational audits (14.7%), the review of financial processes (14.6%), and regulatory compliance
audits (11.7%).
As IAAs around the world are evolving at different rates, this study also looked at the expected
changes in the types of audits to be performed by IAAs by groups. Table 9-3-1 presents predicted
increases in the types of audits for all respondents by group, Table 9-3-2 presents the decreases
anticipated by group, and Table 9-3-3 shows predictions of no change by group. The respondents
in all groups agreed that the performance of risk management and governance audits should increase
the most in the next three years.
Table 9-3-1
Within the Next Three Years - Increased Role
Activity 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Review of financial 45.0 30.0 44.0 41.2 48.0 35.9 44.5 37.2 55.9 40.9 47.2 70.6 46.0
processes
Risk management 74.5 75.0 84.0 88.5 83.6 77.2 89.0 82.6 87.9 79.1 83.9 100.0 80.7
Governance 55.9 67.0 76.0 72.2 61.0 64.5 75.9 64.6 79.4 52.6 77.2 85.3 63.9
Regulatory compliance 46.4 46.0 50.0 40.8 41.2 44.6 54.7 47.2 52.2 25.0 49.2 64.7 51.1
Operational auditing 47.9 48.0 45.0 51.9 44.6 44.7 44.5 38.3 59.1 30.7 45.8 67.7 50.1
Table 9-3-2
Within the Next Three Years - Decreased Role
Activity 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
processes
Risk management 1.7 5.0 3.0 0.4 6.3 2.2 1.0 1.8 2.2 2.6 3.3 0.0 2.7
Governance 3.7 2.0 2.0 2.3 12.1 3.7 3.7 2.7 4.4 4.4 2.8 2.9 4.6
Table 9-3-3
Within the Next Three Years - Stay the Same
Activity 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
processes
Risk management 23.8 20.0 14.0 11.2 10.2 20.6 10.1 15.7 9.9 18.3 12.8 0.0 16.6
Governance 40.4 30.0 22.0 25.6 26.9 31.8 20.4 32.8 16.3 43.0 20.0 11.8 31.6
Emerging Roles in Organizations Activities
To gain an understanding of what roles IAAs have and will have in various types of activities and
functions performed within an organization, respondents were provided with a list of important
tasks performed by organizations. They were asked to indicate if their IAA currently has a role in
the area, if the IAA is likely to have a role in the next three years, or if it is unlikely for the IAA to
have a role. Role was defined as being within the IAAs scope of work. The list was developed
from a review of internal auditing literature and the CBOK 2006 pilot survey. An overview of all
responses is shown in Table 9-4.
The respondents IAAs all do some work in the areas listed. The four highest ranked areas where
respondents indicate that their IAAs currently perform audits are fraud prevention/detection (69%),
risk management (66.6%), regulatory compliance assessment monitoring (64%), and corporate
governance (52.2%). Areas where respondents IAAs currently have less of a role are emerging
markets (11.5%), environmental sustainability (14%), and globalization (15.3%). For most of the
audit areas that are not currently being audited, respondents indicated that 17.7% to 38.1% of their
IAAs plan to do audit work in those areas over the next three years. Currently 23.6% have a role
in corporate social responsibility and an additional 31.6% of the respondents are likely to have a
role in the next three years. Areas where more than a third of the respondents indicate they are
unlikely to be involved are executive compensation (45.4%), environmental sustainability (39.9%),
emerging markets (39.5%), globalization (35.2%), and intellectual property and knowledge assessment
(35.1%).
Table 9-4
Emerging Roles of the IAA - Total Responses in Percentages
Roles Total Currently Likely to Have Unlikely to Not Total
Respon- Have a Role a Role Within Have a Role Applicable
dents the Next 3
Years
Alignment of strategy 6,500 23.1 35.2 30.1 11.6 100.0
and performance
measures (e.g., Balanced
Scorecard)
Benchmarking 6,476 28.6 35.7 26.0 9.7 100.0
Corporate governance 6,511 52.2 31.2 11.4 5.2 100.0
Corporate social 6,415 23.6 31.6 33.8 11.0 100.0
responsibility
Develop training and 6,522 46.6 34.4 15.3 3.7 100.0
Disaster recovery 6,490 34.0 26.1 29.0 10.9 100.0
Evidential issues 6,385 39.8 23.9 23.5 12.8 100.0
Emerging markets 6,426 11.5 22.5 39.5 26.5 100.0
Environmental sustainability 6,436 14.0 24.7 39.9 21.4 100.0
Executive compensation 6,429 16.0 17.7 45.4 20.9 100.0
Fraud prevention/detection 6,530 69.0 22.9 5.7 2.4 100.0
Globalization 6,431 15.3 21.1 35.2 28.4 100.0
Intellectual property and 6,391 19.2 28.4 35.1 17.3 100.0
IT management assessment 6,453 46.1 32.2 16.8 4.9 100.0
Knowledge management 6,387 26.1 38.1 26.9 8.9 100.0
systems development review
Mergers and acquisitions 6,437 18.4 23.7 30.8 27.1 100.0
Project management 6,410 39.8 27.6 25.1 7.5 100.0
Provide training to the 6,436 31.2 34.4 21.7 12.7 100.0
audit committee
Regulatory compliance 6,442 64.0 23.0 9.2 3.8 100.0
Risk management 6,509 66.6 25.5 5.6 2.3 100.0
Strategic frameworks 6,407 27.0 36.8 27.7 8.5 100.0
Tables 9-4-1 and 9-4-2 show the total results by group for the question about roles and work areas
that respondent IAAs currently have or are likely to have in the next three years. The respondents
group data shows many variations in the roles the IAAs currently have and are likely to have in
three years. Approximately 80% of the groups respondents indicate that they are currently involved
or will be involved in the next three years in corporate governance, fraud prevention, IT management
assessment, regulatory compliance, and risk management. The group data indicates that
approximately 50% to 59% of the IAAs have or will have a role in alignment of strategy and
performance measures.
Table 9-4-1
Emerging Roles of the IAA - Currently Have a Role by Groups*
Roles 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Alignment of strategy and 22.8 19.1 32.6 11.6 17.6 16.6 34.4 22.7 18.9 26.4 28.2 25.7 22.0
performance measures
(e.g., Balanced Scorecard)
Benchmarking 30.6 26.6 34.9 16.0 26.6 22.2 26.3 26.8 35.2 29.1 33.0 36.4 25.6
Corporate governance 56.5 70.7 75.2 25.7 37.6 47.2 47.4 52.9 40.0 48.2 60.7 62.9 35.7
Corporate social 26.4 15.5 30.7 15.4 15.2 11.1 31.6 22.7 25.3 17.4 20.2 30.3 20.7
responsibility
Develop training and 48.7 44.6 51.0 40.5 39.8 30.5 52.5 50.8 41.1 31.8 50.6 64.7 42.5
Disaster recovery 45.2 41.3 47.8 17.7 18.9 21.6 24.6 20.3 26.4 22.7 29.3 37.1 21.4
Evidential issues 40.8 36.3 41.5 29.2 43.6 35.6 55.2 35.3 40.0 24.5 34.5 56.3 38.5
Emerging markets 11.9 10.4 15.0 5.9 8.0 10.1 13.1 11.1 10.0 15.5 11.5 12.5 12.1
Environmental 13.1 9.3 20.6 12.9 11.8 7.9 18.6 13.4 12.4 18.2 11.5 17.6 17.3
sustainability
Executive compensation 19.8 9.8 17.2 8.2 13.1 7.4 18.2 11.6 11.1 19.8 14.5 21.2 14.3
Fraud prevention/ 75.1 71.7 73.4 52.7 56.9 64.7 69.2 64.8 72.8 65.8 63.2 82.9 60.7
detection
Globalization 14.4 7.7 18.1 13.4 12.9 12.5 29.0 12.9 15.6 23.9 19.0 14.7 15.2
Intellectual property and 22.3 18.7 24.7 10.6 16.6 10.7 23.2 14.9 16.7 24.1 17.5 14.3 14.7
IT management assessment 48.7 47.8 48.0 26.0 37.2 45.0 62.7 46.8 42.7 51.8 36.9 48.6 37.9
Knowledge management 31.4 27.6 34.2 12.4 18.5 20.6 28.4 16.8 26.7 23.6 23.1 17.6 21.4
systems development
review
Mergers and acquisitions 20.6 12.7 19.9 8.2 12.1 19.1 23.8 20.0 23.3 14.5 12.7 8.6 13.5
Project management 44.4 45.3 50.4 32.0 30.2 40.6 36.2 33.4 28.1 42.2 30.5 41.2 31.7
Provide training to the 40.2 29.4 39.5 16.1 15.1 13.2 31.7 26.8 19.1 24.8 23.1 31.4 23.3
audit committee
Risk management 69.5 76.9 79.6 46.4 57.7 62.7 67.7 68.8 56.0 67.9 67.1 76.5 52.9
Strategic frameworks 29.2 29.1 39.0 15.2 20.5 13.5 39.8 19.2 22.4 31.2 22.4 47.1 25.3
Table 9-4-2
Emerging Roles of the IAA - Likely to Have a Role in
Next Three Years by Groups*
Roles 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Benchmarking 32.2 35.3 36.2 36.7 44.8 33.9 44.3 35.1 44.3 27.3 42.6 42.4 37.9
responsibility
Environmental 17.9 26.2 32.8 28.1 24.5 21.2 37.5 29.3 33.7 20.0 38.5 55.9 27.3
sustainability
Fraud prevention/ 18.9 19.0 17.5 38.9 32.0 25.1 25.3 23.4 21.7 21.6 28.7 8.6 30.1
detection
Globalization 13.9 19.1 21.2 42.4 24.6 16.6 33.8 21.3 22.2 15.6 37.4 35.3 31.4
systems development
review
audit committee
Risk management 22.2 18.1 15.8 46.8 31.6 28.3 25.5 23.5 38.5 22.0 28.9 17.6 37.1
Table 9-4-3 summarizes the areas where respondents think the IAA would not have a role in the
next three years. The areas that most groups agree that the IAA will not have a role in the
foreseeable future are emerging markets, environmental sustainability, executive compensation,
and intellectual property and knowledge assessment.
Table 9-4-3
Emerging Roles of the IAA Not Likely to Have a Role in
Next Three Years by Groups*
Roles 1 2 3 4 5 6 7 8 9 10 11 12 N/C**
Benchmarking 28.5 31.5 23.4 35.5 17.3 33.3 16.2 26.6 11.4 34.5 18.8 3.0 22.9
responsibility
Environmental 46.5 49.2 31.7 38.3 33.3 46.8 26.5 35.2 38.2 50.9 37.4 11.8 30.9
sustainability
Fraud prevention/detection 4.0 7.1 7.0 6.1 7.6 8.4 3.3 7.9 4.3 12.6 4.0 5.7 6.2
Globalization 37.7 42.6 32.9 29.0 30.0 40.1 24.9 36.9 46.7 37.6 34.5 35.3 29.7
systems development
review
audit committee
Risk management 6.2 3.3 3.4 4.9 6.6 7.9 2.5 5.5 3.3 10.1 3.5 0.0 6.8
Organizational Environment and Key Activities of the IAA
This final section of the chapter captures CAE and Audit Manager respondents agreement with
statements about their organizations and their IAAs role in the organization. The survey asked if a
statement currently applies, is likely to apply within the next three years, or will not apply in the
foreseeable future. As listed in Table 9-5, 61.2% of the respondents indicate that their countries
currently have laws or regulations that require organizations to have an IAA and an additional
13.1% anticipate having such requirements in the next three years. Corporate governance codes
are complied with in 67.7% of the organizations with 22.7% of the respondents organizations
likely to comply with a corporate governance code in the next three years. In 70.5% of the
respondents organizations, there is an internal control framework and 24.3% indicate that their
organizations will have a framework in the next three years.
Assurance audits receive more emphasis than consulting services in 71.5% of the organizations.
The IAAs (64.3% currently, 25.3% more in three years) educate their organizations personnel
about internal control, corporate governance, and compliance issues. Many IAAs (55.7% currently,
25.6% more in three years) have an important role in the integrity of their organizations financial
reporting. Internal auditors anticipate having a growing advisory involvement in the development of
strategy (28.9% currently, 32.7% in the next three years) while 30.3% noted they would not have
an advisory role in strategy development in the foreseeable future. Providing training to audit
committee members (34% currently, 32.3% in the next three years) is also anticipated to increase.
Implementation of a knowledge management system is expected to escalate (25.6% currently,
43.9% in the next three years) while 20.6% indicate their organizations will not apply a knowledge
management system in the foreseeable future.
Table 9-5
How Statements Apply to Your Organization
CAEs and Audit Managers Agreement with Statements in Percentages
Statement Number of Currently Likely to Will Not Not Total
Respondents Applies Apply Apply in the Applicable
Within the Foreseeable
Next 3 Future
Years
Internal auditing is required 3,464 61.2 13.1 12.9 12.8 100.0
by law or regulation where
the organization is based.
Internal auditors in the 3,445 28.9 32.7 30.3 8.1 100.0
organization have an
advisory role in strategy
development.
The organization complies 3,447 67.7 22.7 4.3 5.3 100.0
with a corporate governance
code.
The organization has 3,443 70.5 24.3 3.5 1.7 100.0
implemented an internal
control framework.
The organization has 3,423 25.6 43.9 20.6 9.9 100.0
implemented a knowledge
management system.
The internal audit activity 3,424 34.0 32.3 18.5 15.2 100.0
has provided training to
audit committee members.
assumes an important role
in the integrity of financial
reporting.
educates organization
personnel about internal
controls, corporate
governance, and compliance
issues.
places more emphasis on
assurance than consulting
services.
Tables 9-5-1 and 9-5-2 provide information by groups for CAE and Audit Manager respondents
current agreement with these statements and the likelihood of application in the next three years.
The group tables show that the majority (48.0% up to 84.2%) live in countries that have or likely
will have laws and regulations in the next three years requiring organizations to have internal
auditors. Most organizations within the groups have (49.1% to 78.8%) or likely will adopt (16.8%
to 45.3%) an internal control framework in the next three years projecting coverage of over 90%
of the respondents IAAs. Most respondents within the groups agree that the IAA does or will
assume an important role in the integrity of financial reporting, educates organization personnel
about internal controls, corporate governance and compliance issues, and places more emphasis
on assurance than internal controls and consulting services. In most groups, the advisory role the
IAA has in the organizations strategy development (currently 17.5% - 39.5% with group 12 at
60%) will likely significantly increase in the next three years.
T
a
b
l
e

9
-
5
-
1
H
o
w

S
t
a
t
e
m
e
n
t
s

C
u
r
r
e
n
t
l
y

A
p
p
l
y

t
o

R
e
s
p
o
n
d
e
n
t
s

O
r
g
a
n
i
z
a
t
i
o
n
s

b
y

G
r
o
u
p
s
*
C
A
E

a
n
d

A
u
d
i
t

M
a
n
a
g
e
r

A
g
r
e
e
m
e
n
t

w
i
t
h

S
t
a
t
e
m
e
n
t
s

i
n

P
e
r
c
e
n
t
a
g
e
s
S
t
a
t
e
m
e
n
t
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
I
n
t
e
r
n
a
l

a
u
d
i
t
i
n
g

i
s

r
e
q
u
i
r
e
d
5
8
.
0
4
8
.
0
6
7
.
7
8
0
.
0
6
4
.
7
6
0
.
6
6
5
.
7
6
2
.
4
5
2
.
7
5
4
.
7
6
6
.
4
8
4
.
2
5
8
.
8
b
y

l
a
w

o
r

r
e
g
u
l
a
t
i
o
n

w
h
e
r
e
t
h
e

o
r
g
a
n
i
z
a
t
i
o
n

i
s

b
a
s
e
d
.
I
n
t
e
r
n
a
l

a
u
d
i
t
o
r
s

i
n

t
h
e
2
9
.
7
3
0
.
3
3
3
.
8
3
9
.
5
2
2
.
8
1
7
.
5
3
5
.
5
2
2
.
9
3
7
.
0
2
0
.
8
3
3
.
9
6
0
.
0
2
8
.
4
o
r
g
a
n
i
z
a
t
i
o
n

h
a
v
e

a
n

a
d
v
i
s
o
r
y
r
o
l
e

i
n

s
t
r
a
t
e
g
y

d
e
v
e
l
o
p
m
e
n
t
.
T
h
e

o
r
g
a
n
i
z
a
t
i
o
n

c
o
m
p
l
i
e
s
7
3
.
8
7
2
.
4
7
9
.
6
5
5
.
5
6
0
.
3
5
4
.
8
5
5
.
7
6
6
.
9
5
3
.
7
5
4
.
7
7
1
.
9
5
5
.
0
5
6
.
6
w
i
t
h

a

c
o
r
p
o
r
a
t
e

g
o
v
e
r
n
a
n
c
e
c
o
d
e
.
T
h
e

o
r
g
a
n
i
z
a
t
i
o
n

h
a
s
7
0
.
4
7
1
.
3
7
3
.
2
7
8
.
8
6
1
.
2
5
9
.
2
7
8
.
4
7
7
.
5
6
5
.
5
4
9
.
1
7
7
.
9
6
3
.
2
6
5
.
5
i
m
p
l
e
m
e
n
t
e
d

a
n

i
n
t
e
r
n
a
l
c
o
n
t
r
o
l

f
r
a
m
e
w
o
r
k
.
T
h
e

o
r
g
a
n
i
z
a
t
i
o
n

h
a
s
2
2
.
9
2
7
.
9
3
2
.
4
3
0
.
5
2
5
.
2
1
9
.
3
2
6
.
5
2
6
.
2
4
6
.
3
2
5
.
0
3
3
.
9
2
6
.
3
2
3
.
9
i
m
p
l
e
m
e
n
t
e
d

a

k
n
o
w
l
e
d
g
e
m
a
n
a
g
e
m
e
n
t

s
y
s
t
e
m
.
T
h
e

i
n
t
e
r
n
a
l

a
u
d
i
t

a
c
t
i
v
i
t
y
4
6
.
9
3
5
.
8
4
3
.
4
1
7
.
4
1
4
.
5
1
3
.
0
3
4
.
0
2
4
.
0
2
1
.
2
2
0
.
8
2
1
.
9
1
5
.
0
2
3
.
0
h
a
s

p
r
o
v
i
d
e
d

t
r
a
i
n
i
n
g

t
o
a
u
d
i
t

c
o
m
m
i
t
t
e
e

m
e
m
b
e
r
s
.
T
h
e

i
n
t
e
r
n
a
l

a
u
d
i
t

a
c
t
i
v
i
t
y
6
4
.
1
6
2
.
3
5
8
.
4
4
2
.
4
3
9
.
5
4
5
.
2
5
8
.
1
4
6
.
7
5
4
.
7
3
9
.
6
6
2
.
8
5
0
.
0
4
7
.
5
a
s
s
u
m
e
s

a
n

i
m
p
o
r
t
a
n
t

r
o
l
e
i
n

t
h
e

i
n
t
e
g
r
i
t
y

o
f

f
i
n
a
n
c
i
a
l
r
e
p
o
r
t
i
n
g
.
T
h
e

i
n
t
e
r
n
a
l

a
u
d
i
t

a
c
t
i
v
i
t
y
7
3
.
1
6
8
.
0
7
1
.
3
4
7
.
1
5
0
.
2
4
2
.
7
6
6
.
2
6
2
.
9
4
5
.
5
4
3
.
4
6
5
.
8
6
0
.
0
5
3
.
2
e
d
u
c
a
t
e
s

o
r
g
a
n
i
z
a
t
i
o
n
p
e
r
s
o
n
n
e
l

a
b
o
u
t

i
n
t
e
r
n
a
l
c
o
n
t
r
o
l
s
,

c
o
r
p
o
r
a
t
e
g
o
v
e
r
n
a
n
c
e
,

a
n
d

c
o
m
p
l
i
a
n
c
e
i
s
s
u
e
s
.
T
h
e

i
n
t
e
r
n
a
l

a
u
d
i
t

a
c
t
i
v
i
t
y
7
5
.
2
7
2
.
4
8
1
.
6
6
5
.
0
6
0
.
9
6
8
.
8
7
1
.
2
6
7
.
1
5
8
.
2
6
2
.
3
6
9
.
3
7
8
.
9
6
6
.
8
p
l
a
c
e
s

m
o
r
e

e
m
p
h
a
s
i
s

o
n
a
s
s
u
r
a
n
c
e

t
h
a
n

c
o
n
s
u
l
t
i
n
g
s
e
r
v
i
c
e
s
.
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
T
a
b
l
e

9
-
5
-
2
H
o
w

S
t
a
t
e
m
e
n
t
s

a
r
e

L
i
k
e
l
y

t
o

A
p
p
l
y

t
o

R
e
s
p
o
n
d
e
n
t
s

O
r
g
a
n
i
z
a
t
i
o
n
s

W
i
t
h
i
n

t
h
e

N
e
x
t

3

Y
e
a
r
s

b
y

G
r
o
u
p
s
*
C
A
E

a
n
d

A
u
d
i
t

M
a
n
a
g
e
r

A
g
r
e
e
m
e
n
t

w
i
t
h

S
t
a
t
e
m
e
n
t
s

i
n

P
e
r
c
e
n
t
a
g
e
s
S
t
a
t
e
m
e
n
t
1
2
3
4
5
6
7
8
9
1
0
1
1
1
2
N
/
C
*
*
I
n
t
e
r
n
a
l

a
u
d
i
t
i
n
g

i
s

r
e
q
u
i
r
e
d

b
y
9
.
6
1
6
.
3
1
3
.
1
1
3
.
3
1
5
.
1
1
3
.
0
1
3
.
0
1
5
.
4
3
2
.
7
1
1
.
3
1
5
.
5
1
0
.
5
2
0
.
8
l
a
w

o
r

r
e
g
u
l
a
t
i
o
n

w
h
e
r
e

t
h
e
o
r
g
a
n
i
z
a
t
i
o
n

i
s

b
a
s
e
d
.
I
n
t
e
r
n
a
l

a
u
d
i
t
o
r
s

i
n

t
h
e
2
8
.
6
2
4
.
6
3
2
.
7
3
2
.
8
4
1
.
8
3
1
.
6
4
3
.
9
3
3
.
8
4
4
.
4
1
7
.
0
4
2
.
6
3
5
.
0
3
6
.
7
o
r
g
a
n
i
z
a
t
i
o
n

h
a
v
e

a
n

a
d
v
i
s
o
r
y
r
o
l
e

i
n

s
t
r
a
t
e
g
y

d
e
v
e
l
o
p
m
e
n
t
.
T
h
e

o
r
g
a
n
i
z
a
t
i
o
n

c
o
m
p
l
i
e
s
1
6
.
8
2
2
.
8
1
7
.
3
4
0
.
3
2
8
.
4
2
7
.
9
3
3
.
5
2
2
.
8
4
4
.
4
2
4
.
5
2
1
.
1
4
0
.
0
2
9
.
2
w
i
t
h

a

c
o
r
p
o
r
a
t
e

g
o
v
e
r
n
a
n
c
e
c
o
d
e
.
T
h
e

o
r
g
a
n
i
z
a
t
i
o
n

h
a
s
2
3
.
2
2
3
.
8
2
3
.
6
1
8
.
6
3
2
.
8
3
2
.
5
1
9
.
7
2
0
.
2
2
7
.
3
4
5
.
3
1
6
.
8
3
1
.
6
2
9
.
5
i
m
p
l
e
m
e
n
t
e
d

a
n

i
n
t
e
r
n
a
l
c
o
n
t
r
o
l

f
r
a
m
e
w
o
r
k
.
T
h
e

o
r
g
a
n
i
z
a
t
i
o
n

h
a
s
3
7
.
4
4
9
.
2
4
9
.
6
4
7
.
5
4
9
.
1
4
3
.
5
5
1
.
2
4
5
.
3
4
4
.
4
4
6
.
2
4
7
.
0
6
3
.
2
5
3
.
2
i
m
p
l
e
m
e
n
t
e
d

a

k
n
o
w
l
e
d
g
e
m
a
n
a
g
e
m
e
n
t

s
y
s
t
e
m
.
T
h
e

i
n
t
e
r
n
a
l

a
u
d
i
t

a
c
t
i
v
i
t
y
2
7
.
9
3
4
.
1
3
1
.
3
4
6
.
1
3
2
.
0
2
7
.
5
3
9
.
6
3
0
.
2
5
1
.
9
3
0
.
2
4
8
.
2
7
5
.
0
3
8
.
7
h
a
s

p
r
o
v
i
d
e
d

t
r
a
i
n
i
n
g

t
o
a
u
d
i
t

c
o
m
m
i
t
t
e
e

m
e
m
b
e
r
s
.
T
h
e

i
n
t
e
r
n
a
l

a
u
d
i
t

a
c
t
i
v
i
t
y
2
0
.
9
1
9
.
7
2
7
.
4
3
7
.
3
2
9
.
4
2
7
.
9
3
1
.
2
3
0
.
5
3
4
.
0
1
8
.
9
2
7
.
4
4
0
.
0
2
6
.
2
a
s
s
u
m
e
s

a
n

i
m
p
o
r
t
a
n
t

r
o
l
e
i
n

t
h
e

i
n
t
e
g
r
i
t
y

o
f

f
i
n
a
n
c
i
a
l
r
e
p
o
r
t
i
n
g
.
T
h
e

i
n
t
e
r
n
a
l

a
u
d
i
t

a
c
t
i
v
i
t
y
2
0
.
1
2
3
.
8
2
0
.
9
3
5
.
5
3
2
.
3
3
0
.
6
2
6
.
8
2
6
.
6
4
3
.
6
3
0
.
2
2
6
.
3
3
5
.
0
3
4
.
7
e
d
u
c
a
t
e
s

o
r
g
a
n
i
z
a
t
i
o
n
p
e
r
s
o
n
n
e
l

a
b
o
u
t

i
n
t
e
r
n
a
l
c
o
n
t
r
o
l
s
,

c
o
r
p
o
r
a
t
e
g
o
v
e
r
n
a
n
c
e
,

a
n
d

c
o
m
p
l
i
a
n
c
e
i
s
s
u
e
s
.
T
h
e

i
n
t
e
r
n
a
l

a
u
d
i
t

a
c
t
i
v
i
t
y
1
1
.
9
1
9
.
5
9
.
9
2
8
.
3
2
0
.
6
1
4
.
4
1
8
.
6
1
2
.
6
2
9
.
1
2
2
.
6
2
1
.
1
1
5
.
8
2
1
.
8
p
l
a
c
e
s

m
o
r
e

e
m
p
h
a
s
i
s

o
n
a
s
s
u
r
a
n
c
e

t
h
a
n

c
o
n
s
u
l
t
i
n
g
s
e
r
v
i
c
e
s
.
*
F
o
r

a

l
i
s
t

o
f

g
r
o
u
p
s
,

p
l
e
a
s
e

s
e
e

A
p
p
e
n
d
i
x

1
-
B
.
*
*
N
/
C

=

R
e
s
p
o
n
d
e
n
t
s

d
i
d

n
o
t

i
n
d
i
c
a
t
e

a
f
f
i
l
i
a
t
e

o
r

c
h
a
p
t
e
r

m
e
m
b
e
r
s
h
i
p
.
Summary
Internal auditing has evolved significantly from its origins in the early 20th century. The results of
CBOK demonstrate that internal auditing will continue to evolve in the future by incorporating new
responsibilities and having an impact on more areas of the organization.
It is especially interesting to note that respondents indicated their IAAs responsibilities increasing
in all of the major types of audits that are currently being performed, some by large amounts. For
example, risk management is expected to increase 79.5% over the next three years. Furthermore,
it does not appear that any of the current types of audits performed will decrease in any significant
way over the next three years.
As the profession evolves, emerging roles to monitor include alignment of strategy and performance
measures, benchmarking, knowledge management, systems development review, and strategic
frameworks. Each of these was indicated by respondents as having an increase of more than 35%
over the next three years.
Executive compensation stood out in the CBOK results as clearly showing that IAAs do not
currently and most likely will not have a role in the future. Respondents indicate that 16% of IAAs
currently have a role and 17.7% are likely to have a role in the next three years. This is compared
with 45.4% of respondents who indicate that their IAA is unlikely to have a role in the next three
years in this activity.

CONTENTS
Chapter 10

Chapter 10: Research Method and Literature Review........................................................ 359
Research Method................................................................................................................ 359
Project Teams............................................................................................................... 359
Pilot Test and Literature Review.................................................................................. 361
CBOK 2006 Questionnaires......................................................................................... 363
Clustering for Groups................................................................................................... 364
Literature Review................................................................................................................ 367
Introduction.................................................................................................................. 367
Prior IIA CBOK Studies............................................................................................... 367
North American Literature Review on Internal Auditing............................................ 372
Summary............................................................................................................................. 379
Asia Pacific Literature Review on Internal Auditing.......................................................... 380
European Literature Review on Internal Auditing.............................................................. 390
South African Literature Review on Internal Auditing...................................................... 398
Appendix 10-A: Pre-scope Questionnaire for CBOK......................................................... 406
Appendix 10-B: Topical Areas That Are Addressed in Past and Current
IIA CBOK Studies........................................................................................................ 418
Appendix 10-C: CBOK 2006 CAE and Practitioner Questionnaire................................... 421

Disclosure


profession.
_____________________________ Chapter 10: Research Method and Literature Review 359
CHAPTER 10
RESEARCH METHOD
AND LITERATURE REVIEW
This chapter reviews the research method used to gather the data for the Common Body of
Knowledge (CBOK) 2006 study and provides a literature review prepared by each of the research
teams listed below summarizing the past studies reviewed prior to preparing the CBOK
questionnaires.
RESEARCH METHOD
Project Teams
The research team was comprised of three international teams that were selected from the responses
to the CBOK request for proposals. Table 10-1 lists the members of the three CBOK 2006 teams.
Based on the location of the selected research teams, the international affiliates and chapters were
broken down into three broad geographical areas.
Table 10-1
Research Teams
Teams General Areas
of Responsibilities
Lead Team
Priscilla A.Burnaby (Bentley College, United States) North, Central, and
Project Coordinator and Team Coordinator South America and
Mohammad J . Abdolmohammadi (Bentley College, the Caribbean
United States)
Susan Hass (Simmons College, United States)
Rob Melville (Cass Business School, England) Europe and Africa
Team Coordinator
Marco Allegrini and Giuseppe DOnza
(University of Pisa, Italy)
Leen Paape (Erasmus University, Netherlands)
Gerrit Sarens (University of Ghent, Belgium)
Marinda M. Marais (University of South Africa)
Elmarie Sadler (University of South Africa)
Houdini Fourie (Tshwane University of
Technology, South Africa)
Barry J . Cooper (Deakin University, Australia) Asia and Pacific
Team Coordinator
Philomena Leung (Deakin University, Australia)
Pilot Test and Literature Review
1
The pre-scope questionnaire sent to practitioners for their input was developed after reviewing the
Professional Practices Framework (The IIA, 2004) and performing a literature review of current
internal auditing studies around the world. A summary of the literature review is included in the
second part of this chapter. The objective of the pilot survey was to determine what practitioners
believed should be included in the CBOK 2006 questionnaires. Based upon discussions with
knowledgeable internal auditors, key stakeholders at The IIA, and the literature review, the following
topics were selected for inclusion in the pilot survey:
Audit methods, tools, and techniques
Auditor skill sets
Certification and professional development
Emerging trends in internal auditing
Evaluation of staff
Internal auditing standards from the Professional Practices Framework
Percentage of time spent on different types of audits in 2005
Role of the board of directors and audit committee
Specific areas of knowledge required of internal auditors
To collect data from a small representative group of experienced internal auditors, the pre-scope
questionnaire was sent to a number of internal auditors in various regions of the world by each of
the three global teams. The respondents were asked to indicate which items listed on the pre-
scope questionnaire should be included or excluded from the CBOK 2006 study. Each topic on the
pilot questionnaire was followed by a request for the respondents to add related areas and questions
that they thought should be included in the final questionnaire.
Sixty-three responses were received from nine countries. Table 10-2 indicates the number of
responses from each country. Appendix 10-A contains the pre-scope questionnaire and a summary
of the responses, including the respondents suggestions for additional areas to be included in
CBOK 2006. A majority of participants agreed with the inclusion in the study of most of the topics
in the pre-scope questionnaire and provided insights into other topics that should be included.
These areas were priorities for inclusion in the final CBOK questionnaires.
1
Table 10-2
Summary of Pilot Test Respondents by Countries
Countries Respondents
Asia
Australia 11
New Zealand 5
Malaysia 2
Europe
Belgium 9
France 2
Italy 6
South Africa 1
U.K./Ireland 13
USA 14
Total 63
To include current practices and explore emerging practices in the profession, CBOK 2006
incorporated several topics that were not included in prior CBOK studies. This was based on the
literature review and the results of the pilot survey. Appendix 10-B lists topical areas covered in
past CBOK studies and those that were covered in CBOK 2006. CBOK 2006 used The IIAs
International Standards for the Professional Practice of Internal Auditing (Standards) as of
September 2006, the date of the study, as the basis for the focus of the study. The Standards
contain the expanded scope in The IIAs definition of internal auditing, which includes governance,
risk management, and internal control engagements for the internal audit activity (IAA).
CBOK 2006 Questionnaires
Due to the need expressed by The IIAs CBOK Steering Committee to limit the members response
time to 40 minutes, it was decided to create three separate CBOK questionnaires as follows:
1. Affiliates: The IIA is fortunate to have numerous Affiliate organizations around the world that
provide services to their geographic area in cooperation with IIA headquarters. This questionnaire
asked affiliate leaders questions about regulatory and cultural differences affecting the application
of ethics and the Standards in their area. One questionnaire was sent to each participating
affiliate.
2. Chief Audit Executives (CAEs): The Standards define the CAE as the highest position
within the organization responsible for the internal audit activity (IAA). Data on the status of
the IAA within the organization, application of the Standards, skills needed at each staff level,
and emerging audit roles were collected from CAEs worldwide.
3. Practitioners: For purposes of this study, Practitioners are all other internal auditors that are
not CAEs. Data about the application of the Standards, how an audit is performed, skill sets
needed, and the emerging roles of IAA were collected from internal auditors worldwide.
The three detailed questionnaires developed by the CBOK 2006 teams were subjected to close
scrutiny by The IIA CBOK 2006 Steering Committee. Once the final questions were selected, the
questionnaires were reviewed by a statistical expert and a small group of internal auditors worldwide
to ensure completeness and validity. Based on their comments, the final questionnaires were
developed and translated from English into 16 languages (Spanish, French, German, Russian, Czech,
Turkish, Simplified Chinese, J apanese, Traditional Chinese, Indonesian, Arabic, Polish, Bulgarian,
Italian, Portuguese, and Swedish). In September 2006, the CAE and Practitioner questionnaires
were distributed electronically to The IIA membership by participating affiliates, chapters, and
United States members that allow The IIA to send them e-mails using the survey software Peruses.
The Affiliate questionnaire was distributed by The IIA in December 2006. As some of the questions
for the CAE and Practitioner questionnaires were the same, the questionnaires were combined for
translation. Please see Appendix 10-C for the combined CAE and Practitioner questionnaire. A
guide for which questions were asked of all participants or either the CAE or the Practitioner is
provided in the first two pages of Appendix 10-C.
Number of Responses
As of September 2006, The IIA had approximately 127,700 members. As listed in Table 10-3, the
membership was made up of 143 chapters in the United States, 11 chapters in Canada, 9 chapters
in the Caribbean, and 94 affiliates. The total number of responses to the CAE and Practitioner
questionnaires was 15,028. After the responses that were deemed not usable were deleted from
the database, 9,366 usable responses remained resulting in a 7.3% overall response rate. Due to
some Affiliates not participating and some members who have opted not to receive e-mails from
The IIA, the survey was sent to approximately 99,000 members resulting in an estimated 9.5%
response rate. The respondents represent 91 countries as one of the participating countries has
two affiliates.
Table 10-3
Number of Participating Chapters and Affiliates
Area *Number of 1 or More Usable Number of Affiliates
Chapters/Affiliates Responses from that Returned CBOK
Chapters/Affiliates Affiliate
Questionnaire
U.S.A. 143 133 Not Applicable
Canada 11 11 Not Applicable
Caribbean 9 7 Not Applicable
IIA Affiliates 94 83 46
*Tallied from The IIAs Web site
Responses were determined to not be useable if the reply was empty or the respondent did not
answer enough questions to be considered for inclusion. A total of 133 United States chapters, all
of the Canadian chapters, and 7 of the Caribbean chapters participated in CBOK 2006. Eighty-
three affiliates had at least one usable CAE or Practitioner response. The number of respondents
for the United States, Canada, and the Caribbean and for each participating affiliate is summarized
in Appendix 1-B of Chapter 1 in this research report. Forty-six affiliates returned the CBOK
Affiliate questionnaire by the J anuary 15, 2007, cutoff date for inclusion (noted by a +sign in
Appendix 1-B in Chapter 1).
Clustering for Groups
As data was collected from numerous affiliates and chapters, a methodology was needed to combine
them into groups for comparison of responses. Clustering literature was reviewed for plausible
ways to combine affiliates and chapters by cultural classification. Pioneer work for cultural
classification was performed by Hofstede (1980), who argued that the four dimensions of Power
Distance, Individualism, Masculinity, and Uncertainty Avoidance influence work environments.
Based on these dimensions, Hofstede (1983) classified fifty countries into different cultural zones.
In 2004, House et al. expanded Hofstedes dimensions and the number of countries classified into
cultural zones. House et al. (2004) used nine dimensions to classify 62 countries into various
categories. Table 10-4 defines and lists the dimensions used by Hofstede (1983) and House et al.
(2004).
Table 10-4
Cultural Classification Criteria
No. Criterion Definition +
1* Uncertainty The extent to which members of an organization or society strive to avoid
Avoidance uncertainty by relying on established social norms, rituals, and bureaucratic
practices.
2* Power The degree to which members of an organization or society expect and agree
Distance that power should be stratified and concentrated at higher levels of an
organization or government.
3** Institutional The degree to which organizational and societal institutional practices
Collectivism encourage and reward collective distribution of resources and collective
action.
4** In-group The degree to which individuals express pride, loyalty, and cohesiveness in
Collectivism their organizations or families.
5*** Gender The degree to which an organization or society minimizes gender role
Egalitarianism differences while promoting gender equality.
6*** Assertiveness The degree to which individuals in organizations or societies are assertive,
confrontational, and aggressive in social relationships.
7
@
Future The degree to which individuals in organizations or societies engage in
Orientation future-oriented behaviors such as planning, investing in the future, and
delaying individual or collective gratification.
8
@
Performance The degree to which an organization or society encourages and rewards
Orientation group members for performance improvement and excellence.
9
@
Human The degree to which individuals in organizations or societies encourage and
Orientation reward individuals for being fair, altruistic, friendly, generous, caring, and
kind to others.
+Definitions are from House and J avidan (2004, 11-13).
*These two criteria are the same as those of Hofstedes (1980).
**These two criteria are based on Hofstedes (1980) Individualism.
***These two criteria are based on Hofstedes (1980) Masculinity.
@
House et al. (2004) added these based on literature other than Hofstede (1980).
Since The IIA has affiliates in over 100 countries, the House et al. (2004) classification of 62
societies was insufficient for complete classification of the CBOK 2006 participants. By using
additional information from the Central Intelligence Agency World Fact Book (2006), affiliate
language, geographical location, and discussions with The IIA staff and leadership, the affiliates
and chapters were classified into 12 groups. Respondents who did not indicate membership in a
specific affiliate or chapter were clustered into a 13
th
group that was included in statistical summaries
for the aggregate results but not in affiliate or chapter cultural cluster results. Please refer to
Appendix 1-B of this report for the groups used for the analysis of responses for CBOK 2006.
LITERATURE REVIEW
Introduction
The objective of the literature review for CBOK 2006 was to provide a summary of published
articles, studies on special topics, and research projects about the practice of internal auditing
around the world as determined by the research teams around the world. Each research team
prepared a literature review for the countries in their area of the world.
Prior IIA CBOK Studies
2
Overview
The IIA has sponsored four prior CBOK studies. Appendix 10-C lists the topical areas covered in
these studies and identifies topical areas covered in the CBOK 2006 study. The past four CBOK
studies are summarized in the following section. Table 10-5 compares the number of participating
countries and usable questionnaire responses used in each CBOK study.
Table 10-5
Comparison of CBOKs Number of Countries and Number of Respondents
CBOK Year Number of Number of Usable
Number Countries Respondents
I 1972 1 75
II 1985 2 340
III 1991 2 1,163
IV 1999 21 136
V 2006 91 9,366
2
CBOK I in 1972
The objective of CBOK I (Gobeil, 1972) was to define the CBOK for the profession of internal
auditing. The survey was conducted only in the United States. The report was based on a sample
of 100 internal auditors from which there were 75 responses. The questionnaires were distributed
to The IIAs international officers, directors, and the chairs and committee members of all
international committees. It attempted to define and interpret three areas. The first area was to
establish the knowledge that internal auditors should possess to be considered professionally proficient.
The second area of interest was the knowledge required for candidates sitting for the Certified
Internal Auditor (CIA) exam. The final area was the type of knowledge that should be the focus of
continuing professional development and training.
The study outlined three different levels of knowledge required in the three different subject matters
(Gobeil, 1972), namely:
Appreciation of the broad nature and fundamentals involved in, and an ability to recognize
the existence of special features and problems in, various business transactions, and
determination of what further study or research must be undertaken under various
conditions.
A sound appreciation of the broad aspects of practices and procedures and an awareness
of the problems related to more detailed aspects thereof. It also included the ability to
apply such broad knowledge to situations likely to be encouraged, to recognize the more
detailed aspects which must be considered, and to carry out research and studies necessary
to come to a reasonable solution.
A sound understanding of principles, practices, and procedures and the ability to apply
such knowledge to situations likely to be encountered in order to deal with all aspects
without extensive recourse to technical research and assistance.
CBOK II in 1985
The objective of CBOK II (Barrett et al., 1985) was to establish the structure of the CBOK for
practicing internal auditors. This study included responses from the United States and Canada.
The researchers first reviewed how the medical, legal, military, religious, accounting, and auditing
professions determined their CBOK. Then they conducted interviews with directors and managers
of large international audit departments in Canada and the United States. Based on this background
the researchers developed and distributed questionnaires to approximately 900 individuals of whom
340 returned usable responses.
The researchers identified three key areas of CBOK: knowledge of relevant disciplines; skills
needed to perform appropriate internal auditing tasks; and experiences necessary to be professionally
qualified, proficient, and a competent internal auditor. Barrett et al. (1985) presented three broad
conclusions. First, senior internal auditors should have a firm grasp of the core academic disciplines
of auditing and computer systems and a working knowledge of communications and accounting.
Second, at the bottom of the importance scale of knowledge is marketing. Finally, entry-level
internal auditors are expected to possess as much knowledge but fewer skills as senior-level
auditors, and senior-level (not entry-level) auditors are expected to become professionally certified.
CBOK III in 1991
Albrecht et al. (1992) sent questionnaires to internal auditors in Canada and the United States. Of
the 1,247 returned questionnaires, 1,163 responses were usable. The research method used by the
authors was the most elaborate of the CBOK studies to date. It included:
Review of current internal audit literature.
Interviews with content experts in the subject areas identified by the literature review.
Development of the initial questionnaire.
One-day meetings with selected groups of internal audit practitioners in various cities.
Distribution of the CBOK questionnaire to practicing internal auditors and analysis of the
data.
This study contributed to the literature in several significant ways. It identified the competencies
and knowledge that was required for internal auditors to practice at varying levels of experience.
It also identified the most appropriate setting (formal education, professional development seminars,
or on-the-job experience) where the competency should be acquired. The researchers included
the following in their findings:
The knowledge included in the CBOK
The levels at which internal auditors should possess various knowledge elements of the
CBOK
The kind of knowledge that should be included on the CIA examination
The kind of knowledge that should be included in professional development and training
seminars for internal auditors
The authors found that a major demographic factor causing responses to the CBOK questionnaire
to vary was the position level of the respondent. As auditors move from staff auditor to senior, to
manager, and finally to director, there are changes in what the respondents perceived should be the
required CBOK.
CFIA in 1999 (CBOK IV)
The next CBOK project, known as the Competency Framework for Internal Auditing (CFIA),
was undertaken by a group of researchers in Australia. The study resulted in the publication of five
detailed monographs (see Birkett, et al., 1999). To summarize the large amount of information
presented, The IIA published a short executive summary monograph (McIntosh, 1999). These
studies surveyed five groups of participants and provided information about the changing nature of
internal auditing from compliance to assurance, risk exposures, and control strategies.
The scope of Birkett, et al.s (1999) studies addressed the areas of the future of the internal audit
profession, the value proposition of internal auditing, the critical competencies of internal auditors,
global practices, and an assessment of these competencies. One of the interesting conclusions
from this study was that the future will be driven by global organizational change, which would be
accompanied by lower independence for internal auditors. The monographs also concluded that
internal auditors must increasingly get involved with the assessment of risk and strategies for
control. The authors proved to be correct as both of these issues have been addressed by the U.S.
Sarbanes-Oxley Act of 2002.
Internal Auditing: The Global Landscape
Birkett, et al. (1999) found that there were major difficulties in discussing the topic of internal
auditing at a global level. They found that there was a lack of common meaning for terms like
internal control and compliance. There were also differences in interpretation of proper
governance. The surveyed countries agreed on the desired skills that an internal auditor should
possess, including cognitive, behavioral, technical, analytic, appreciative, personal, interpersonal,
and organizational skills. It was also important for internal auditors to have knowledge in specific
areas such as information systems, finance, risk analysis, accounting, internal auditing, benchmarking
techniques, and legal/regulatory systems. The respondents expressed concern that the certification
requirements for the CIA designation were oriented toward North American practice. Major issues
and concerns that would affect the profession in the future were identified as globalization, increased
competition, rapid technological advancement, and changes in corporate governance.
Internal Auditing Knowledge: Global Perspectives
The profession of internal auditing was also discussed at the global level. The internal auditors
work environment was further analyzed by its context, factors of influence, key roles in the function,
critical knowledge/expertise needed, and the evaluation of the auditing function. The key roles in
the auditing function included audit management, project leader, internal auditor, management
development trainee, specialist, and external consultant. A competent internal audit department
must have knowledge of the organization, auditing tasks, technical applications, management
processes, risk/control framework, and commercial viability. Developing competency within internal
auditing was done through an improved recruiting process and implementation of training/development
programs. The auditing function was then assessed based on the linkage between their activities
and the value they provided. It was suspected that in the future, internal auditing would take on a
more anticipatory/proactive role which brought up a discussion on auditors independence.
Competency: Best Practices and Competent Practitioners
This monograph includes six units, 27 elements, and many sub-elements, which are assessed through
best practices. The focus of the monograph was on internal auditor competencies (skills) and
capabilities (potential for making judgment). The authors found that competency was the relationship
between task performance and individual attributes such as knowledge, skills, and attitudes
(McIntosh, 1999, p. 4). The authors argued for common terminology but admitted that this was not
an easy task because there is no equivalent for certain terminology (e.g., compliance) in some
countries.
Competency was defined in terms of best practices that are subject to benchmarks. The authors
defined competency standards in terms of units of set tasks needed to meet the fundamental
requirements of performing the audit. Elements of competency are subsets of tasks such as
understanding organizational objectives/strategies, processes and capabilities, and the contextual
dynamics affecting its functioning and sub-elements such as identify/clarify the organizations
objectives. The authors listed six units of competency:
1. U1: Understanding risk
2. U2: Understanding adequacy of control strategies
3. U3: Improve risk management and control
4. U4: Provide ongoing assurance to organizations
5. U5: Manage the IA function
6. U6: Manage the dynamic context that affect the work of the function
The Future of Internal Auditing: A Delphi Study
Birkett, et al. (1999) conducted a study that captured the opinions of 136 internal auditing experts
representing 21 countries. The study focused on topics of importance to the future of the profession,
key tasks performed, drivers of change, skills/knowledge required, and assessment criteria. The
results indicated that the profession was gradually moving toward a focus on alignment with
organizational needs and how to create value for the organization. Drivers such as globalization,
competition, increasing expectations/demands from stakeholders, legal perspectives, and technology
were changing the context of internal auditing work. With the changes that the profession was
facing, auditors needed to be knowledgeable and aware of the importance of evaluating risk
exposures. The assessment of the auditing function could be assessed internally according to the
organizations value proposition or externally relative to best practices.
Assessing Competency in Internal Auditing: Structures and Methodologies
In this study, the authors provided four performance criteria: qualitative outcomes such as accuracy,
critical process variables such as holistic review, evidence and performance such as relevant
documents, and consulting and timing. The authors stated that the different designations of auditor
levels are trainee, team leader, manager, and director. Other designations included junior, senior,
manager, and director. Internal auditors can also be called consultant, managing consultant, and
vice president of audit.
North American Literature Review on Internal Auditing
Overview
The literature reviewed indicates that the role of the IAA has grown significantly over the years
and given the significant change factors organizations are facing, such as the regulatory environment
and new technologies, it is likely to be subjected to more significant changes in the future. The
literature is fairly extensive in its investigation of the internal auditors role in various corporate
governance issues. An extensive literature review by Gramling, et al. (2004) investigated the
increasing role of the IAA in corporate governance. Due to the recent review of this topic provided
by Gramling, et al. (2004), that literature is not reviewed in detail in this chapter. The focus of this
literature review is primarily on the external environment that is causing change in the organization
and the resulting expanded scope of audits required of the IAA.
The Professional Practices Framework of 2004
The most recent study undertaken by The IIA to determine the nature of the changes in internal
auditing and the need to update the definition and standards of the profession was in 1999. Based
on this study The IIA published a report titled, A Vision for the Future: Professional Practices
Framework for Internal Auditing (The IIA, 1999). The report had the following objectives:
Revise the definition of internal auditing
Produce a new framework
Improve existing processes of standards-setting and guidance development through better
coordination and leveraging of The IIAs volunteer committees
This report resulted in changes to the definition of internal auditing, The IIAs Code of Ethics, and
The IIAs Standards. As seen below, the new definition of internal auditing expands the scope of
internal auditing into corporate governance and risk management (The IIA, 2004):
Internal auditing is an independent, objective assurance and consulting activity designed to
add value and improve an organizations operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.
This is The IIAs most proactive and comprehensive definition of internal auditing. It acknowledges
the changing role of internal auditing in organizations, the need for a comprehensive and adaptable
framework, and the ever-increasing value that the IAA contributes to contemporary organizations
of differing sizes and types.
As late as the beginning of the twenty-first century, the evolutionary practice of internal auditing
resulted in developing internal audit best practices and adding value to the organization and its
stakeholders by understanding the link between internal audit and organizational goals. Before the
enactment of Sarbanes-Oxley, internal audit services were focusing on detection, not prevention.
Internal auditors were moving from a confrontational approach to partnering with management
and moving from a controls approach to a risk-based approach. They were also focusing on
consulting services (Roth, 2002).
Chapman and Anderson (2002) argue that the inclusion of assurance and consulting services in the
new definition of internal auditing results in internal auditing becoming a proactive, consumer-
focused activity concerned with the important issues of control, risk management, and governance.
The definition specifically states the internal audit activity (IAA) is designed to add value and
improve an organizations operations (The IIA, 2002).
The Standards indicate examples of assurance engagements as financial, performance, compliance,
system security, and diligence audits. Examples of consulting activities include conducting internal
control training, providing advice to management about the control concerns in new systems, drafting
policies, and participating in quality teams. In addition, assurance services include financial auditing,
performance auditing, and quick response auditing, and consulting services includes assessment
services, facilitation services, and remediation services (Anderson, 2003). These are all value-
added activities and contribute to organizational success and strategic achievement. This was
reflected in the revised Professional Practices Framework which recognized that the IAA needed
to support and promote a broad range of value-adding activities (RGTF, 1999). This also allowed
for the recognition of the practice of internal auditing as evolutionary in the competitive marketplace
(Krogstad, et al., 1999). The next sections include more focused discussion of the factors that
significantly impact the future of the IAA.
Regulations
Prior to the need for compliance with the requirements of Sarbanes-Oxley in the United States and
similar laws in other countries, the emphasis of the IAA in the late 1990s was more a consultative
partner with management (Roth and Espersen, 2003). Internal auditors also performed reviews of
controls over operational systems. In responding to regulatory and technological change factors,
organizations are evolving in their need for different types of internal audit involvement. The
Sarbanes-Oxley Act (2002) legislation in the United States resulted in extensive regulatory
requirements for a more effective and better documented system of internal controls over financial
reporting in publicly listed companies. The IAA is in an advantageous position to help organizations
comply with these requirements and is being called upon by companies to do much of the work in
documenting and testing key internal controls over financial reporting. The new regulatory
requirements have increased the IAAs participation in the development of control documentation
and compliance auditing over financial reporting that was often left in the past to external auditors.
Sarbanes-Oxley legislation in the United States required the creation of the Public Accounting
Oversight Board in 2004 (PCAOB, 2004). PCAOB was created to reform the auditing of internal
control systems and financial reporting systems. The major objectives of the PCAOB are to enhance
reliable financial reporting and to restore investor confidence after the business scandals and
accounting failures of early 2000s. Faced with the regulatory requirements of Sarbanes-Oxley,
many organizations turned to their IAAs for help. Internal auditor involvement was primarily
compliance work surrounding the adequacy of key controls to aid in the increased reporting and
governance requirements for publicly held companies. Although Sarbanes-Oxley work primarily
emphasized control compliance, it also required internal auditors to provide consulting activities
such as control system design.
Sarbanes-Oxley Changes Audit Coverage
The shift of the IAA to a compliance focus is a result of a regulatory regime imposed by the
requirements of Sarbanes-Oxley (2002) and the PCAOB (2004). Also influential were the changes
in governance requirements that various stock exchanges implemented (Gray, 2004). Although the
resulting involvement in responding to regulatory requirements is still deemed value-added work, it
is a different trend than was evolving before the business scandals at the beginning of the century
in such areas as governance and risk assessment.
An outcome of the current regulatory climate in the United States is that many IAA resources are
spent on Sarbanes-Oxley compliance assurance work. A survey of audit managers undertaken in
the third quarter of 2005 indicated that Sarbanes-Oxley (2002) first-year compliance efforts utilized
50% or more of internal audit (PwC, 2006). In the resource constrained paradigm within which the
IAA operates, this emphasis means that resources must be diverted from operational audits and
consulting activities to increase Sarbanes-Oxley assurance services. This is a challenging resource
allocation problem for the IAA, where strong leadership and analytical skills as well as the ability
to manage projects more efficiently and effectively are required. Also needed are effective
communication and negotiation skills to interact with various stakeholders. When diverting resources,
leaders of the IAA must be certain that they have a thorough understanding of how their work
contributes value and links to strategy execution and achievement.
The assurance work emphasis necessitated by regulatory requirements could also result in a negative
reputation effect. For example, IAA stakeholders may develop a negative perception that is reverting
back to the stereotypes of compliance duties in earlier periods. Gray (2004) argues that the image
of internal auditors may be regressing to that of police as they identify negative findings in their
assessment and tests of internal controls. This is a serious reputation issue that the IAA must
address. Internal auditors must understand when this is happening and neutralize or eliminate such
negative perceptions if they are to be effective in their assurance and consulting activities, relationship
with key stakeholders, and in their role as supporter of organizational success. Ignoring such
perceptions can result in reduced effectiveness of the IAA in its assurance and consulting activities
and with stakeholders.
Finally, an outcome of the expanding regulatory requirements is that internal auditors work closely
with internal management and external auditors. Critics question whether this might damage the
objectivity of the IAA (Krell, 2005). Since independence and objectivity are the cornerstones of
the definition of internal auditing, there is a need for development of holistic models in which the
IAA can maintain its objectivity and independence despite the close working relationships with
internal management and external auditors. To do so may require internal auditors to use effective
interpersonal skills such as relationship management and team building, concepts that are widely
researched and discussed in management science.
Risk Assessment
A recent survey shows that regulatory requirements diverted internal audit resources from other
important internal audit activities such as risk-based audits to assurance work (PwC, 2005A).
Failure to address key strategic and operational risks as well as compliance risk in an annual audit
program undermines the effectiveness of the IAA. It diminishes its strategic value to key
stakeholders and exposes the enterprise to greater operational and financial risks in the future.
Balancing all risks that an organization faces is imperative to the success of the IAA and the
organization as a whole (Krell, 2005).
Internal auditors must not only be able to assess risks in their larger organizations, they must also
be able to complete complex risk analyses in their own IAA. Being able to self-evaluate is important
to the success of the IAA. To accomplish this, internal auditors need to possess increasing levels
of critical thinking, analysis, decision making, and logic. These are among the skills included in the
CBOK 2006 study.
Increased Demands on the IAA
Balancing the complex, competing demands of stakeholder needs with limited IAA resources also
requires effective management by the chief audit executive (CAE) (PwC, 2006). To be perceived
to add value, the internal audit activity must strategically align with the needs and priorities of all of
its key stakeholders, including the audit committee, executive management, and external auditors.
Communicating the needs of the audit function, both orally and in writing, to key stakeholders is
critical to successfully maximizing resources. Effective risk analysis, time management, and
prioritization of tasks are important skills for internal auditors to ensure effective utilization of
scarce resources.
The increased demand for the IAA services places strain on many departments limited time
budgets resulting in outsourcing and/or co-sourcing of activities. Rittenberg and Covaleski (1997)
argue that outsourcing would be viable for functions that are not unique. For areas with specialized
needs or competencies, outsourcing may be a viable alternative. Outsourcing reduces the demand
for a scarce resource but requires management of external contract workers and their employers.
CAEs must ensure that their management of internal audit staff is a transferable skill that can be
used for the management of external co-sourcing relationships.
Information Technology
The information technology (IT) used by companies is becoming increasingly more complex. The
IAA must embrace technology, understand it, and be able to effectively audit the processes and
use it as an audit tool. Internal auditors will have to provide increased assurance by providing IT
control assessment within the system of internal controls. If IT controls are selected and implemented
properly on the basis of the risks they are designed to manage, then a methodology to continuously
monitor IT control effectiveness and validity could provide the assurances needed (Le Grand,
2005). Knowledge of IT controls, IT auditing techniques, and the current trends in IT enhances
understanding and efficient utilization of IAA resource.
While the complexity of IT makes auditing more challenging, it also provides an opportunity to
streamline internal audit activities by designing and utilizing continuous IT controls. This can relieve
some of the stress of limited IAA resources that were noted previously. The use of continuous
auditing may reduce the need for detailed annual reviews that have been typical in the past.
Continuous auditing gives internal auditors the ability to monitor key business systems for both
anomalies at the transaction level and for data-driven indicators of control deficiencies and emerging
risk. This can also be incorporated into other aspects of the audit process (Coderre, 2005). Under
continuous auditing, technology is an enabler, but must be initiated and managed by the IAA (Warren,
2003). Continuous auditing should not be confused with continuous monitoring, which may be
management driven (COSO, 2004).
Computer-assisted audit tools (CAATs) can also expand audit coverage when there are finite
resources. Maintenance of existing resource levels while expanding the scope of continuous
monitoring and reporting of organizational effectiveness can be accomplished by utilization of
automated testing capabilities. Effectively enhancing the extent of audit coverage would reduce
the risks that arise with constrained resource allocation (PwC, 2005B). Training for computer skills
for the internal audit staff would ensure IT expertise as an alternative to traditional manual audit
techniques.
Risk-based Internal Auditing
The IIAs Standards require the establishment of risk-based plans to determine that the priorities
of the IAA are consistent with organizational goals. For example, the risk of noncompliance with
the regulatory requirements of Sarbanes-Oxley and other laws is a risk to the organization that
should be assessed along with other risks when finalizing audit plans. Sarbanes-Oxley requires
managements development and monitoring of procedures and controls for making their required
attestation regarding the adequacy of internal controls over financial reporting.
The Standards require that internal audit activities evaluate and contribute to the improvement of
the organizations risk management, control, and governance processes through consulting and
assurance activities. Thus, after the first few years of compliance, the role of internal auditing
activity for Sarbanes-Oxley compliance should be one of support through consulting and assurance
activities as outlined in the Standards (The IIA, 2004). This should allow the IAA to go back to a
broader scope of services and provide more consulting than assurance services.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released
Enterprise Risk Management - Integrated Framework to help businesses respond to enterprise
risk management issues in their own organizations (COSO, 2004). The COSO definition of internal
control differs a bit from The IIAs definition but the two are substantively similar enough that they
seek to accomplish the same purpose. Since assessing the effectiveness of risk management is
core to the globally accepted definition of internal auditing, the role of internal auditors must be
clearly defined by organizations to ensure that they do not set the risk appetite, impose risk
management processes, or make decisions about risk responses. These are the duties of
management. The IAA must not be accountable for risk management decisions for the organization
(The IIA, 2005). The IAA must be objective and independent if it is to perform its value-added
duties and continue to contribute efficiently and effectively to corporate success.
The current emerging business trend appears to be that the business environment challenges many
organizations to simultaneously strengthen their internal controls and sustain compliance with
Sarbanes-Oxley while also operating efficiently. After the first year of material compliance costs,
organizations are faced with trying to reduce these costs. A top down risk-based approach to cost
cutting may help companies cut costs while identifying the most effective and efficient controls
needed to both achieve compliance and reduce efforts (Deloitte, 2006). If this impacts the internal
audit activity in the future, concern about objectivity, independence, and risk may occur but must
instantly be mitigated. By working independently and organizing the audit plan to focus on the
needs identified in a risk-based assessment in conjunction with discussion with key stakeholders,
the IAA will be able to perform objective and independent audits.
Objectivity
Internal audits role is critical in assurance audits because it provides objective assurance (PwC,
2005B). The assurance function of internal audit has always been perceived as an independent
and continuing appraisal of an organizations internal control system, providing appropriate assurance
that the systems were adequate, effective, and could be relied upon (The IIA, 2002). This is
important because the internal control system comprises the entire network of systems established
in an organization to provide reasonable assurance that organizational objectives will be achieved
with particular reference to risk; effective operations; economical and efficient use of resources;
compliance with procedures, laws, and regulations; safeguarding against loss, including fraud; and
the integrity and reliability of information and data (PwC, 2006). If auditors are to succeed in this
environment, they must be comfortable with governance, fraud, and ethical audits as they perform
an objective evaluation of the control environment.
New regulation has elevated internal auditing and moved it to the forefront of executive consciousness
and corporate governance. Internal auditors are now being viewed as the go-to group and
management is more receptive to changes and recognition of those individuals who help minimize
the negative consequences of disruption caused by the new regulations (Gray, 2004). Objectivity
and professionalism are necessary for effective internal audit services. A change in the traditional
services offered leads to an increase in the risks related to objectivity and independence. Managing
these risks requires auditors to be competent, have integrity, and to use due care when performing
their duties. Training and education provide the foundation for the objectivity needed for auditor
competence and adherence to moral values avoids the perception of deception (Mutchler, 2001).
Strategic Perspective
Due to the demands for increased corporate governance by external stakeholders, management
has been demanding a more tangible explanation of value-added contributions from various functions
(Zoellick, 2005). To be perceived to add value, the IAA must strategically align with the needs and
priorities of its key stakeholders, including the audit committee, executive management, and external
auditors. Strategic implementation has become increasingly important as organizations must compete
with other, often more nimble, entities. Therefore, value for internal auditors may be defined as
supporting the execution of strategy and those that lead its implementation (Simons, 2000).
To achieve this goal, foundational knowledge for internal auditors includes an understanding of the
business, the competitive nature of the industry, and the linkages of all functional and operational
areas in the company. The importance of academic training in foundational business subjects and
a focus on the functions and skills learned in upper-level management courses appear critical for
todays new auditors. Without such knowledge, misunderstanding the strategic orientation of
stakeholders could impact perceived value added by and the success of the IAA.
Summary
The main message from this literature review is that understanding how internal audit activities
create value in an organization is of critical importance. Also important is the recognition that the
contemporary IAA is positioned to strategically align its goals with those of its many stakeholders,
and yet must remain independent and objective. Another important message from this review is
that the IAA must position itself to be actively involved with risk assessment, control, and governance.
Given the regulatory requirements in the United States that have absorbed approximately 50 percent
of the IAAs limited resources, resource allocation has become a key activity of the IAA. Internal
auditors need to take full advantage of new technologies such as continuous auditing and software
innovations in IAA department management. The IAA must use its limited resources to support
key activities and organizational needs. Strategic alignment requires that the internal audit function
posture itself as vital to a rigorous, sustainable organizational vision of responsiveness to both
internal and external needs. Enterprise risk assessment, and the subsequent allocation of resources
to provide assurance about the adequacy of the control environment to key stakeholders, is a
daunting task. Audits for all scope areas require a broad set of specialized skills.
Asia Pacific Literature Review on Internal Auditing
3
Overview
Most available literature relates to Australia, New Zealand, China, Malaysia, Singapore, and Hong
Kong. The approach in this literature review is to review the Asia Pacific developments in
approximate chronological order rather than country by country.
Early 1980s
The first known empirical study on the role of internal auditing in the Asia Pacific region was that
undertaken by Cooper and Craig (1983). This seminal research on internal auditing in Australia
found a number of issues that were of concern to the profession. It was found that there were a
number of misconceptions about what internal auditors were doing and what their chief executive
officers (CEOs) perceived was being done, and in fact there were expectations by the CEOs that
internal auditors could do more than the traditional financial auditing work mainly being done at the
time. There was nevertheless strong support for internal audit by CEOs and at the time it was seen
as offering long-term career prospects. However, the profession in Australia in the early 1980s
suffered from an image problem, it did not have a strong professional body to represent its interests
as it has now, and there were no generally accepted professional qualifications recognized as
necessary to practice as an internal auditor. This study was undertaken before the development of
modern internal auditing.
3
The Asia Pacific literature review was published in a special CBOK 2006 issue of Managerial Auditing Journal
(MAJ ), Volume 21, Issue 8, in October 2006. With permission from the publisher of MAJ , this section uses portions
of the following article: Cooper, B.J ., P. Leung, and G. Wong, The Asia Pacific literature review on internal auditing,
Managerial Auditing Journal 21 (8), 2006, pp. 822-834.
Early 1990s
Coopers et al. (1989) Hong Kong study surveyed both CEOs and internal audit managers with
respective reasonable response rates of 25.8% and 23.1% in a survey of 485 organizations. At the
time, this was a very good response rate from business people as the culture in Hong Kong is not
generally conducive to responding to surveys.
The Hong Kong study was aimed at determining the (then) current state of internal audit practice
in Hong Kong, the level of professionalism evident in internal audit departments, and their training
needs. The majority of CEOs (45.6%) saw the main role of internal auditing as being an independent
appraisal of the internal control system; 21.6% perceived internal auditings main role as an
independent review of the efficient operation of the organization; and 19.2% were more concerned
with proper safeguarding of assets and preventing and detecting fraud and error. From the perspective
of internal audit managers, they saw their main role in financial auditing (including internal control
reviews), representing up to 50% of the activity in 94% of the internal audit departments responding
to the survey. The other major activity was the audit of operational areas to improve operational
efficiency, in line with the expectations of the CEOs as noted above. This study also found that
only a minority of internal audit managers were members of The IIA and that on-the-job training
was mainly relied upon to develop internal audit skills.
During 1992, Cooper, et al. (1994) sent a major survey to the internal audit profession in Australia.
He mailed questionnaires to CEOs and internal audit managers of a wide range of organizations in
both the private and public sectors. The research aimed to provide a profile of internal auditing in
Australia in the 1990s. It also addressed a number of issues, including attitudes and recognition;
professionalism; role and scope of internal audit work; career opportunities; education and training;
and the future role of internal auditing. A total of 687 organizations were surveyed with separate
surveys being sent to CEOs and internal audit managers, with usable response rates of 31.0% and
30.9% respectively.
Although the overall view was a positive one in terms of attitudes and recognition, there was some
confusion between perceptions by CEOs and the reality as seen by the internal audit managers.
Findings included:
The perceived high profile of internal auditing as reported by the CEOs was not necessarily
borne out by their understanding of the audit process; for example, their strong support for
the mechanical aspects of the process rather than a more management-oriented role for
internal auditing.
Reporting levels were generally less than ideal and the confusion between perceived status
and the reality of the situation was further reinforced by internal audit managers views on
how their role was seen by clients, particularly with respect to a perceived policing function.
The survey did uncover some concerns over the number of internal audit managers who
are not members of The IIA and confusion about the value of the existing internal audit
qualifications such as the CIA designation.
Regarding the role and scope of internal auditing, the CEOs appeared to place the greatest
emphasis on the audit of financial areas, and yet most internal auditors were by then
concentrating on operational areas.
There was general overall support for education and training, but there was apparent
confusion among internal audit managers as to whether internal auditing is a training ground
or a career position.
85 percent of them agreed that management usually implemented audit recommendations.
80 percent agreed that there was adequate feedback from management on audit
recommendations.
85 percent agreed (including 24 percent strongly agreeing) that the internal audit activity
would become increasingly important to management in the future.
The Mid-1990s
In 1996, the first study on benchmarking internal auditing in the region was published by Cooper,
Leung, and Mathews (1996). The three countries compared were Australia, Malaysia, and Hong
Kong. The paper was based on the aforementioned studies of Australia in 1992, Hong Kong in
1989, and a study by Mathews, Cooper, and Leung in Malaysia in 1994, which was based on a
comparable methodology to the Australian and Hong Kong studies. These comparative studies
showed that CEOs in Malaysia were very positive in their perceptions of internal auditing as were
CEOs in Australia. The perceptions were less positive with CEOs in Hong Kong.
CEOs understanding of internal audit activities in Malaysia and Australia appeared to set positive
benchmarks, with Malaysian CEOs particularly positive in their view of internal auditing as an
independent review of the efficient operation of the organization. However, the CEOs in Hong
Kong were more concerned with internal audit resources being devoted to appraisal of internal
control, which is reinforced by their views of internal auditing being more exploitative and authoritative
than consultative.
An important benchmark is ensuring that audit recommendations are well thought through and
useful for management and this will normally be evidenced by the extent to which management
takes notice of, and implements, internal audit findings. In this comparative study, 79.6% of Australian
internal audit managers agreed (with 19.1 % strongly agreeing) that CEOs recognize their
accomplishments, compared with 80.1% in Malaysia and 83.3% in Hong Kong (although in this
case, only 13.6% strongly agreed). With respect to the implementation of internal audit
recommendations by management, 85.5% of internal audit managers in Australia were in agreement,
compared with 84.4% in Malaysia and 84.9% in Hong Kong. With regard to the adequacy of
feedback from management on audit findings and recommendations, more than 75% of internal
audit managers in all countries were positive on this issue.
The Late 1990s
In 1997, a special edition on internal auditing in China was published by Managerial Auditing
Journal, with papers by a number of practitioners and academics. Although none of the papers
presented empirical data, they did provide an insight into internal audit practice in China at the time.
It is important to understand that the internal audit activity in China is an agent of the State, unlike
in Western countries. Tang, Chow, and Cooper (2000) provide a background on how internal
auditing operates in China in their book Accounting and Finance in China - A Review of Current
Practice. In 1983, the State Council in China established the Audit Administration of the Peoples
Republic of China (AAPRC) to supervise all auditing activities in the republic, and in 1988 issued
the Regulation on Audit of the Peoples Republic of China, the first comprehensive statute on
state audit, which dictated that state auditing, internal auditing, and public auditing are all to be
guided by the AAPRC. In 1994, the Eighth National Peoples Congress adopted the Audit Law of
the Peoples Republic of China, which provided for an audit organizational framework consisting
of government audit institutions (departments), internal audit institutions, and public audit institutions
set up at various levels with varying degrees of authority.
Under the system in China, the designated scope of work carried out by internal audit institutions
includes the audit of financial revenues and expenditures; the audit of economic contracts; the
audit of construction projects; and the audit of internal control. An additional audit area is the audit
of economic responsibility, which ensures that management assumes its economic responsibilities,
including the maintenance of assets, observance of economic laws and regulations, and fulfillment
of operational budgets.
Cai (1997) agrees with the categorization of internal audit roles as noted by Tang, Chow, and
Cooper (2000), but observes that as the socialist economy continues to develop in China, it is the
latter role of the audit of economic responsibility that is assuming major importance. As the economy
develops, different challenges will face internal auditing, and as management and state ownership
separate in formerly State-owned enterprises, the role of internal auditing to help management
make the transition and still protect the interests of the State will become more important. Wang
(1997) also points out that with the development of the market economy, enterprises need to
improve internal control systems, management and production technology, and reduce production
costs; therefore, market competition requires the strengthening of internal auditing.
In addition, the Chinese have a practice called guanxi in business. In the Chinese language,
guanxi is the term for a personal relationship. It refers to the networks of informal relationships
and exchanges of favors that dominate all business and social activities that occur throughout
China (Lovett, et al., 1999; Lou, 1997). Guanxi works on the basic, unspoken word. Individuals
seek to meet their guanxi responsibilities, and failure to do so results in damaged prestige. In
China, business people first strive to build personal relationships with a potential customer and,
once admitted to the clan/guanxi family, business follows. Thus, trust must be established before
business may be conducted. Guanxi is nurtured by the exchange of gifts and favors. However,
such gifts strike ethical nerves in Western society as gifts are contrary to at least the spirit if not the
letter of the laws such as Sarbanes-Oxley and make it hard to follow internal auditing standards.
2000 Onward
A major study has been undertaken in New Zealand by Van Peursem (2004) on internal auditors
role and authority. In this study, internal auditors were asked to come to a view on whether functions
they perform in connection with internal audit engagements are essential, and to what degree they
feel they enjoy the authority over, and independence from, management that we might expect of a
professional. The research constituted a survey of New Zealand auditors, all of whom were members
of the New Zealand affiliate of The IIA. A very high response rate of 73% was achieved over the
original and follow-up survey. The study found that characteristics of a true profession exist but
did not dominate. Significantly, and as subgroups, Van Peursem (2004) also observed that public
practice and experienced auditors may enjoy greater influence over management, and accountancy-
trained auditors may enjoy greater status owing to the mystique of their activities emanating
from their membership of well-known accountancy professional bodies.
Van Peursem (2004) also notes that Cooper et al. (1996) identified a potential issue in confusion
between expectations that internal auditors will both independently evaluate managements
effectiveness, and also aid management. More recent observations by Glascock (2002) and McCall
(2002) have expressed similar concerns. Van Peursem (2004) also concludes that a key issue is
that internal auditors will assume whatever position is in the best interests of their employer and be
reluctant to counter management, irrespective of the consequences, which is potentially damaging
in terms of image for the internal audit profession.
In a follow-up study in New Zealand, Van Peursem (2005) examined the role of the New Zealand
internal auditor and conceptualized on the auditors influence over that role. The fundamental
question is how an effective internal auditor can overcome the tension of working with management
to improve performance, while also remaining sufficiently distant from management in order to
report on their performance. The research found that there are three concepts characteristic of
those who best balanced their role: the internal auditors external professional status; the presence
of a formal and informal communication network; and the internal auditors place in determining
their own role. Informing these concepts is the auditors ability to manage ambiguity. This was a
qualitative study using a multiple case-based approach in which the researcher made observations,
examined documents, and interviewed senior internal auditors in six New Zealand organizations.
In a Singaporean study reported by Goodwin and Yeo (2001), factors that may impact on the
independence and objectivity of internal auditing were investigated. In particular, the researchers
considered the relationship of internal auditors and the audit committee and the use of the internal
audit activity as a management training ground, in terms of the potential effect on the independence
and objectivity of internal auditing. A survey of chief internal auditors found a strong relationship
between internal auditing and the audit committee, particularly where the committee was comprised
solely of independent directors. Chief internal auditors were generally found to have regular and
private access to the audit committee and this was supported by the regulatory framework in
Singapore, which provided support for the independence and objectivity of internal auditors.
The use of internal auditing as a management training ground was also found to be widespread. It
was also more common where an audit committee existed and where the organization was a larger
entity. This existence of an audit committee minimized any negative impact on independence and
objectivity of the internal audit activity in situations where internal auditing was used as a management
training ground.
A study undertaken by Goodwin (2004) explored similarities and differences between public sector
internal auditing and its counterpart in the private sector. Features examined include organizational
status, outsourcing, using internal auditing as a tour of duty function, audit activities, and
relationships with the external auditor. The study is based on a survey of chief internal auditors in
organizations in Australia and New Zealand. Results suggest that there are differences in status
between the internal audit activity in the two sectors, with public sector internal auditors generally
reporting to a higher level in the organization. While a similar amount of work is outsourced, public
sector organizations are more likely than those in the private sector to outsource to the external
auditor. There is little difference between internal audit activities and interactions with external
audit in the two sectors. However, private sector internal auditing is perceived to lead to a greater
reduction in external audit fees compared to that in the public sector.
Goodwin-Stewart and Kent (2006) explored the voluntary use of internal auditing by Australian
publicly listed companies and sought to identify factors that lead listed companies to have an
internal audit activity. The study predicted that internal audit use is associated with factors related
to risk management, strong internal controls, and strong corporate governance. To test the predictions,
the study combined data from a survey of listed companies with information from corporate annual
reports. The results indicate that only one-third of the sample companies use internal auditing.
While size appears to be the dominant driver, there was also a strong association between internal
auditing and the level of commitment to risk management. However, the study found only weak
support for an association between the use of internal auditing and strong corporate governance.
The study indicates that a large proportion of Australian listed companies do not use internal
auditing and many of those firms that do have only one or two internal audit staff, a finding supported
by research by Leung, Cooper, and Robertson (2004). The implications of these findings for sound
corporate governance are serious, as it has been suggested that it is difficult for audit committees
to be effective without the support of internal auditing. It would appear that there is considerable
scope for strengthening the relationship between internal auditing, audit committees, and external
auditors.
Leung et al. (2004) researched the role of internal auditing in corporate governance and management
in Australia. The specific objectives of the research were to identify the accountability structures
and internal audit objectives of organizations; determine the nature and extent of internal audit
practice; determine the management and governance relationships of chief audit executives (CAEs)
within organizations; assess the application of the redefined internal audit activity; identify financial
reporting risks and governance issues encountered by internal auditors; assess the effectiveness of
internal auditings role in management accountability in a world actively concerned with corporate
governance issues; and recommend improvements in internal auditing. The researchers used a
two-pronged approach to ascertain information pertinent to the objectives. First, the total population
of CAEs in Australia was surveyed using an e-mail survey. The population total, based mainly on
membership of The Institute of Internal Auditors Australia, was 397 and a 21.4% response rate
yielded 85 usable responses. Second, eighteen CAEs were interviewed to gain a deeper insight
into issues that internal audit faces in Australia. To minimize any selection bias, an additional seven
senior business representatives from listed companies and the governmental sectors, including
regulatory bodies, were also interviewed.
This Australian study found that CAEs were generally very positive about the performance of the
internal audit activity. They see themselves as a key part of the management team, and that they
can influence decisions, maintain a sufficient level of objectivity, integrity, and competence in their
jobs, and are able to provide good support for their own staff. They view the culture and support
of management as a key factor in ensuring the effectiveness of their role.
A high percentage of respondents indicated that they perceived management recognized their role
in enhancing good corporate governance and that management appeared to take an interest in their
work. On the other hand, there were views expressed that they should have a greater role in the
organizations governance processes, although some were concerned that they did not have sufficient
resources to discharge such additional work effectively. Many were also unsure about how they
should actually go about making an effective contribution to the improvement of corporate governance
in their organizations. What this Australian study indicates is that despite the universal concerns
about the need to enhance good corporate governance and the contribution that the internal auditing
profession can make, the internal auditors role in contributing to the process cannot be taken for
granted.
Ernst & Young et al. (2005) undertook a benchmarking study of internal audit services in the
communications and entertainment sectors in both Australia and New Zealand. The study found
that 63% of respondents indicated they had entered into a co-sourcing relationship with an external
party and 13% had completely outsourced their internal audit function. With regard to reporting
relationships, 72% report primarily to the chair of the audit committee and 62% have increased the
size of their internal audit activities in the prior 12 months. With respect to corporate governance,
63% of respondents are involved in providing assurance or monitoring compliance with the Australian
Stock Exchange (ASX) Corporate Governance Principles.
Fadzil et al. (2005) undertook a study in Malaysia to determine whether the internal audit department
of the companies listed on the Bursa Malaysia (Malaysian Stock Exchange) comply with the
Standards and whether compliance with the Standards affects the quality of the internal control
system of the company.
It was found that management of the internal audit department, professional proficiency, objectivity,
and review processes significantly influence the monitoring aspect of the internal control system.
The scope and performance of audit work significantly influences the information and communication
aspects of the internal control system, while performance of audit work, professional proficiency,
and objectivity significantly influence the control environment aspect of the internal control system.
The study also shows that management of the internal audit department, performance of audit
work, the audit program, and audit reporting significantly influence the risk assessment aspect of
the internal control system. Lastly, performance of audit work and audit reporting significantly
influences the control activities aspect of the internal control system.
A study in Malaysia by Ali, et al. (2004) looked at internal auditing in the state and local governments
of Malaysia. Based on a series of semi-structured interviews, the authors found that only a minority
of local governments in Malaysia have an internal audit activity. The presence of quite a small
number of local governments with internal auditing may be due to the fact that in at least two
states, the internal audit activity of their local government departments is conducted by the internal
audit departments or units attached to the two state governments. There is no comfort, however,
for such an arrangement though it is certainly better than having no internal audit done at all at
the local government level. This is because internal auditing in so many of the state governments
and their statutory bodies is operating with numerous limitations. The severest problems are
concerned with a shortage of audit staff and staff lacking in audit competencies. In many
organizations, the non-audit personnel and top management are generally unsupportive of internal
auditing.
Another study in Malaysia by Ernst & Young (2004) was undertaken to develop an understanding
of the practice of internal auditing following the tightening of regulations and the increasing
importance of risk management and corporate governance practices in Malaysia. The survey was
given to participants of The IIA Malaysias National Conference held in September 2004 in Kuala
Lumpur. Responses were received from 292 out of more than 600 participants. A total of 87% of
the respondents stated that the primary function of internal auditing is to provide assurance of
internal control and risk management processes and systems. The secondary role of the internal
audit activity is focused on three areas, namely, operational reviews (32%), efficiency of operations/
cost savings (20%), and risk management (11%). The majority of respondents indicated having
staff levels ranging from less than 5 to 25, although 50% of the respondents indicated that the size
of internal auditing has increased in the past 12 months. The increase in the number of internal
audit staff could be the result of the rising importance of corporate governance in Malaysia.
Respondents reported that more than half of the internal audit staff are qualified auditors (53%),
complemented by staff with a commercial background (26%) and information technology specialists
(12%). Most of the respondents (in excess of 70%) indicated that their methodology commonly
included risk assessment, control evaluation, and process analysis. However, about 13% and 15%
of the respondents respectively reported not having a risk assessment and control evaluation process.
Only 30% of respondents reported internal auditing having commissioned an independent review.
Of the 30% of respondents who indicated that a review had been conducted, 46% indicated that
the review was conducted by peer companies while 44% engaged a professional services firm.
Ernst & Young (2005) also conducted a survey of internal auditing in Australia and New Zealand
of the Australian Stock Exchanges (ASX) top 200 companies in Australia and the top 100 listed
companies in New Zealand and received 173 responses. The aim of the survey was to further the
understanding of how internal audit activities in both the public and private sectors are continuing
to evolve to meet ever-increasing demands and expectations. In total, 39% of respondents increased
the size of their internal audit activities over the previous 12 months and 78% of internal audit
activities now report to either the audit committee chair or the CEO. J ust 54% of internal audit
staff have a financial background, suggesting that internal audit teams are increasingly undertaking
non-financial reviews and recruiting more commercial and other specialist skills; 77% of respondents
have at least part of their internal audit conducted by an external party, mostly due to the need for
specialist skills.
Over half the organizations surveyed have changed the coverage of internal auditing to help support
the ASX Principles of Good Corporate Governance. These internal audit teams are undertaking
more detailed controls testing and increasing their focus on providing assurance around risk
management frameworks to underpin compliance with the principles. In New Zealand, 76% of
private sector respondents have audit committees that satisfy the requirements of the updated
New Zealand Stock Exchange Listing Rules. In both countries, 84% of internal audit activities are
basing their annual audit plan on generally accepted risk management principles.
Carey et al. (2006) undertook a study to investigate the determinants of internal audit outsourcing
using survey data on 99 companies listed on the Australian Stock Exchange. It was noted that
54.5% of companies fully rely on an in-house internal audit activity, with the others outsourcing all
or some of their internal audit activities. Outsourcing is associated with perceived cost savings and
the technical competence of the provider. However, it was also observed that 75% of those companies
outsourcing did so to their external auditor, which may have implications for perceptions about the
independence of the external auditor.
Summary
The above provides a summary of the trend and literature covering internal auditing in the Asia
Pacific region from the seminal work by Cooper and Craig in 1983 until the most recently reported
studies in the academic and professional literature. In reviewing the above literature, a few
observations can be noted:
While internal auditing has been strongly supported by management, including the CEOs,
conclusive consensus as to the role of internal auditors has not yet emerged.
The function of internal auditors has changed from a more financially oriented role into
one that focuses on internal controls and risk assessment through the last two decades.
CEOs have generally perceived internal auditing as having a financial function, while
internal auditors moved their emphasis into systems and risks.
There was, and still is, confusion regarding the independence of internal auditors. This is
made more complex by the definition of internal auditing which encompasses both the
expectations of the consulting role and the assurance role. Internal auditors are uncertain
as to how to balance independence in both roles.
During the 1990s, the increasing use of international accounting firms in consulting and
assurance engagements overshadowed the internal audit function.
The U.S. Sarbanes-Oxley Act of 2002 added the dimension of internal financial reporting
assurance expected of internal auditors and audit committees.
With the apparent lack of a structured approach to the body of knowledge, a clearly
defined role, and an apparent lack of status underpinned by a rigorous generally accepted
professional program (the CIA program has had limited uptake in Asia Pacific), internal
auditing has suffered from lack of prominence in Asia Pacific.
The Common Body of Knowledge 2006 study is timely and highly significant in shaping
the internal auditing profession in Asia Pacific in the years to come.
European Literature Review on Internal Auditing
4
Overview
This section summarizes the major studies addressing internal auditing and related corporate
governance issues in Europe and is drawn from work carried out by authors from Belgium, Italy,
the Netherlands, and the United Kingdom.
Physically, Europe can be described as a continent that contains approximately 45 separate nations
ranging in size from the smallest states in the world to among the largest. Politically and economically,
there is a diversity that includes former centralized economies (former USSR states such as Russia
and Ukraine), economies where state intervention is active (France), and free market capitalist
economies (such as the U.K.). There is also a range of developmental status from post-industrial
through to agrarian-based. Culturally, Europeans speak more than 200 different languages (with
many states being as a minimum bilingual and trilingual). Given that each state also has its own
legal system and business traditions it is not surprising that there can be no one size fits all code
of corporate governance. The following is a summary of the major European studies on internal
auditing.
4
The European literature review was published in a special CBOK 2006 issue of Managerial Auditing Journal (MAJ ),
Volume 21, Issue 8, in October 2006. With permission from the publisher of MAJ , this section uses portions of the
following article: Allegrini, M., G. DOnza, L. Paape, R. Melville, and G. Sarens, The European literature review on
internal auditing, Managerial Auditing Journal 21(8), 2006a, pp. 845-853.
Institut Franais de lAudit et du Contrle Internes (2005)
This French study followed up a previous version in 2002 that was conducted in conjunction with
Ernst & Young. The survey was sent to 508 chief audit executives (CAEs), with a response rate of
37%. Both the private and public sectors were included. Statistics include detailed descriptive
results illustrated with charts and tables completed with results from interviews with the six major
CAEs. By conducting this survey, Institut Franais de lAudit et du Contrle Internes (IFACI)
wanted to assess the recent evolution in internal auditing in France, investigate the impact of new
laws and regulations, and assess the future of internal auditing. Major findings are discussed below.
Internal Audit Role in Corporate Governance
The independence and objectivity of internal auditors are guaranteed by their double reporting lines
to top management and the audit committee. About 50% of the internal audit departments in this
study have a formal meeting with their top management every quarter, whereas 40% of the CAEs
have private meetings with the head of the audit committee. The audit committee is primarily
interested in the internal audit activities and mainly the implementation of their recommendations.
More than half of the internal audit departments are involved with activities related to corporate
governance.
Internal Audit: Still Strongly Focused on Assurance
Assurance engagements are still dominant, representing 73% of the working agenda of internal
auditors. These engagements mainly deal with the evaluation of internal controls, as well as
compliance audits. With respect to consulting engagements, internal auditors give advice and
participate in specific projects or working teams.
Internal Audits Role in the Implementation of New Laws and Regulations
It is interesting to see that internal auditors play a key role in implementing laws such as the Loi de
Scurit Financire and Sarbanes-Oxley. More than two-thirds of the internal audit departments
have developed a project on internal control reporting and 74% have dedicated a part of their
working time on the implementation of Sarbanes-Oxley. These two laws have slightly changed
internal audits work in that it has become more risk-based. In those companies that have to
comply with Sarbanes-Oxley, internal auditors currently spend more time on the evaluation of
financial controls and regularly conduct financial audits.
Internal Auditors as Credible, Objective, and Professional Partners
A large majority (82%) of the internal audit departments have an internal audit charter, formally
approved by top management and the audit committee. In order to guarantee their objectivity, most
of the internal auditors adhere to the Code of Ethics defined by the profession. Even when the
internal audit plan is strongly influenced by specific requests from top management and the audit
committee, the internal audit plan is, in a majority of the cases, also based on a risk assessment. It
was observed that a significant number of CAEs have difficulty finding people with the right
competencies. This is one of the main reasons why internal audit is calling more and more for
expertise coming from other internal departments or from external providers.
Internal Audit has Sufficient Financial and Human Resources
On average, companies have 2.85 internal auditors for every 1,000 employees, with large differences
between sectors. In a majority of the companies, the internal audit budget remains stable, whereas
in 42% of the companies, the internal audit budget increased. About 25% of the internal audit
departments have existed for less than five years and 74% of the departments have less than 10
internal auditors. The profile of an internal auditor did not change during the last three years.
IIA Belgium (2006)
IIA Belgium carried out a survey of its members from November 2005 until March 2006. This
survey was strongly inspired by the IFACI study in France. Internal audit departments in 260
Belgian private companies were contacted. The response rate was 31%, which is quite good for a
first general survey about internal auditing in Belgium.
The survey addressed issues with respect to the internal audit department, the internal audit activities,
risk management and the role of internal auditing, the relationship with stakeholders, and the future
evolution of internal auditing. The survey illustrates that, in Belgium, internal auditing is still a
relatively young profession. The main findings are illustrated below.
Internal Audit Department Review
In terms of age of the internal audit department, more than 50% were created less than 5 years
ago. Most internal auditors have working experience in finance, operations, or external audit.
Internal auditors education level is at least at the bachelors degree level. On average, internal
auditors remain in internal auditing for less than four years (53% of the respondents). The recruitment
channel for internal auditors is equally spread between internal and external sources. CAEs have
a relatively short experience in audit, with 64% of the CAEs having less than 10 years experience
in audit. Only 37% of the internal audit departments observed are conducting satisfaction surveys
with their auditees. Networking is important for internal auditors as more than 80% have regular
contacts with colleagues from other companies.
Internal Audit Activities
Integrated and operational audit represent globally more than 50% of the activities of the responding
internal audit departments. Consulting activities remain low (on average 12% of the annual working
time), but a majority of the responding internal audit departments expected an increase in consulting
activities in the next two years.
An internal audit charter is used in more than 90% of the cases. On average, 65% of the internal
audit plan is based on a risk analysis, but discrepancies have been observed by sector. In 42% of
the cases, the yearly internal audit plan is adapted more than twice a year to take new requirements
and priorities into consideration. On average, 65% of the recommendations are implemented within
one year after the audit. In general, 61% of the responding internal audit departments do not use
outsourcing or co-sourcing today, but they expect to use, to some extent, more external service
providers in the future.
Role of Internal Auditing in Risk Management
Seventy percent of the respondents organizations have set up a risk measurement process. It is
also remarkable to notice that in a lot of companies, not everyone knows the policies and procedures
he or she has to follow. Gaps are observed by sector in terms of risk management practices. On
average, 29% of the respondents IAAs are responsible for the risk management process for their
organizations.
Relationship with Stakeholders
Seventy-four percent of the CAEs report functionally to the audit committee. In 74% of the internal
audit departments reviewed the audit committee is in charge of dismissing the CAE, and in 51% of
the cases the audit committee approves the internal audit budget. In second position, it is the CEO
who dismisses the CAE (44%) or approves the budget (49%). Some deviations have been observed
by sector. It is interesting to see that the relationship with the audit committee is positively perceived
by most responding internal audit departments. Furthermore, there are exchanges between internal
audit and external audit (audit reports and audit planning). However, the relationship is less intensive
in the other direction. Overall, the responding internal audit departments are satisfied with their
interaction with the CEO. Although CAEs are generally satisfied about their interaction with the
CFO, this relationship is less intensive than the one with the CEO.
Challenges for Internal Auditing
The relationship with the audit committee and the board of directors needs to be reinforced and the
assurance provided by internal auditing should become the best independent and objective assessment
in terms of risk management, internal controls, and corporate governance. The activities of internal
auditors will be adapted to the new requirements and evolve with the new legislation and the new
challenges of the organization. The profile of the internal auditor is evolving in order to meet the
broader scope of activities. The profession still needs to become more recognized within the
companies. Moreover, internal auditors need to aspire to a longer career in internal auditing.
Sarens and De Beelde (2006)
This study addressed internal auditors perception about their role in risk management, and compared
United States (US) and Belgian companies. The purpose of the study was to describe and compare
in a qualitative way how internal auditors perceive their current role in risk management within
U.S. and Belgian companies, and was based on ten case studies (interviews with CAEs and
analysis of relevant documents).
In the Belgian cases, internal auditors focus on acute shortcomings in the risk management system
creates opportunities to demonstrate their value. Internal auditors are playing a pioneering role in
the creation of a higher level of risk and control awareness and a more formalized risk management
system. In the U.S. cases, internal auditors objective evaluations and opinions are a valuable input
for the new internal control review and disclosure requirements of Sarbanes-Oxley. In Belgium,
the internal auditing profession is actually in a kind of transition phase. In order to survive this
phase, internal auditors need to assume a teaching role vis--vis the different management levels
to make them aware of their responsibilities in risk management. After this transition period, internal
auditors will be able to focus more on their core activities.
Arena and Azzone (2006)
This study explores the relationship between enterprise risk management (ERM) and internal
auditing. Particularly, this study analyzed internal auditings role with respect to ERM systems and
the integration of ERM and internal audit activities. The results are based on multiple case studies
applying semi-structured interviews.
The results show a high diversity in risk management systems with respect to the actual adoption
of an integrated risk management system, the techniques that companies apply to identify risks,
and the methodologies applied for risk assessment. Internal auditors mainly provide assurance on
the ERM process, and in some cases they support the implementation and management of the
process. In half the cases, they found a partial integration between ERM and internal audit activities.
More specifically, this integration concerns the comparison of risk maps made by managers and
those made by internal auditors, the integration of evidence that arises from self-assessment to
support the internal audit plan, and the incorporation of the ERM process in the internal audit
reports.
Allegrini and DOnza (2003)
Based on a survey of the top 100 companies listed on the Italian stock exchange, this study
investigates internal auditing and risk assessment practices in large Italian companies. The analysis
of the survey answers indicates the existence of three different approaches to internal auditing in
the Italian context. Some companies (25%) have a small internal audit department that carries out
traditional assurance activities. The internal auditor is still perceived as an inspector. These companies
do not integrate the COSO methodology into their audit process, and have a control system entirely
based on hard variables. The annual audit planning generally follows an audit-cycle approach. This
model is often found in smaller companies.
In most companies (67%) internal auditors are providing some contributions to the risk management
process and are trying to incorporate the COSO model in the internal control policies and procedures
as well as in the audit process. In this context, internal auditors perform mainly operational audits
and make use of risk assessment findings in planning the annual schedule of audits (macro level).
In planning the individual audits, they generally start from the recognition of significant risks inherent
to the activity in order to limit or expand the test of controls. The internal audit department of
financial institutions generally follows this model.
Moreover, it is possible to identify a few large companies (8%) in which the internal audit unit is
also focused on consulting activities. Internal auditors attempt to add value through a more active
support to risk management at different levels and to align internal audit objectives with the strategic
goals of the organization. This group includes the early pioneers in control and risk self-assessment
(CRSA) projects, insofar as they try to strengthen the accountability at all levels of management
for risk and control. They focus their work on significant risks, and they are trying to adopt a
collaborative approach with line management. A risk-based approach is applied both at the macro
and the micro levels so that we can assume they are embracing the risk paradigm as suggested by
Selim and McNamee (1998). Furthermore, internal auditors focus on monitoring activities and soft
controls.
The survey results also show that, in Italy, control and risk self-assessment may be considered in a
start-up phase, since it is possible to identify a few early pioneers implementing self-assessment
throughout their entire organization. Some other companies claim to have started applying CRSA
only in a few business areas while others reveal their willingness to introduce it within the next few
years.
Tettamanzi (2003)
This study, based on a questionnaire sent to 150 private companies, describes the historical evolution,
current state, and prospects for future developments of internal audit practices in Italy and the
United Kingdom. Tettamanzi found that the percentage of time spent on financial auditing is lower
than the other types of activities (like compliance or operational reviews). In Italy, as well as the
U.K., it was found that if internal auditing has existed for a period of time, its activities mainly
focus on operational and management auditing. If the internal audit unit has been recently set up,
they mainly focus on financial auditing. Nevertheless, the relevance of financial auditing was
higher in the past. Currently, more resources have been devoted to operational and management
audit and this will increase in the future. The study also reveals that in the U.K., many companies
have introduced an internal audit department to comply with the Cadbury Code. Similarly, in Italy,
the Preda Code has determined the introduction and improvement of internal auditing in listed
companies.
Arena, Azzone, Casati, and Mello (2004)
This study is based on a survey within 365 private Italian companies and investigates the existence
and characteristics of an internal audit activity and the activities performed. It was found that 74%
of the responding companies have introduced an internal audit activity. The existence of an internal
audit activity differs between industries and can be linked with the company size. For those
companies that did not have an internal audit activity at that time, 30% had intentions to introduce
one in the future.
However, 50% are not willing to introduce an internal audit activity in the future, whereas 20%
have removed their internal audit activity. More than 50% of the internal audit departments in this
study have less than five internal auditors. With respect to the internal audit agenda, they found
that operational audits, compliance audits, and the monitoring of the internal control system are the
most prevalent activities.
Allegrini and Bandettini (2006)
This study replicated an earlier study by Selim and Woodward (2004) in the U.K. and Ireland and
focuses on internal audit and consulting assignments. The questionnaire was adapted to the Italian
context and sent to the members of the Italian Institute of Internal Auditors. The results reveal that
the new definition of internal auditing changed consistently the percentage of time allocated to
consulting assignments, which moved from 7% to 26%.
The perceptions regarding internal auditors involvement in consulting activities are positive or
very positive in 73% of the responding companies. It is interesting to see that 69% of the respondents
indicate that they perform consulting assignment regarding the Law number 231 (issued in 2001),
which requires companies to set up a structured internal control system. More than half of the
respondents (53%) declared to work on consulting assignments regarding corporate governance
and risk management.
Other Studies on Internal Auditing that Address European Issues
Rittenberg and Covaleski (1999) addressed outsourcing of internal auditing services in a government
environment and provided insight into the methods and reasons for outsourcing. Melville (1999)
addressed the current state of the art of control self-assessment (CSA) practice in the U.K. The
overview was based on a survey of the top 50 companies listed on the FTSE, while the other two
elements were based on structured interviews. The conclusions drawn were that CSA is widely
seen as a beneficial practice, although it may not be repeated after the first exercise.
Hopkins (1997) discussed the fundamental differences in perceptions of internal audit quality between
providers of internal audit services and their prospective clients. The study was based on the U.K.
public sector. Selim and Yiannakis (2001) addressed the various levels and methods of outsourcing
in private and public sector organizations and discussed the various levels of success. Melville
(2003) undertook a study based on an international survey of internal auditors, of which European
responses were approximately 12% of the sample. The results showed that internal auditors were
highly geared toward making a contribution to strategic management, especially where a balanced
scorecard type of system was used.
Selim, et al. (2003) found that based on a survey of six countries, internal auditors already play a
key role in the mergers and acquisitions process, though it was also found that they would prefer
this role to be further developed. Paape, Scheffe, and Snoep (2003) reviewed a survey carried out
by the European Confederation of Institutes of Internal Auditing (ECIIA). While the authors were
unsure about the rigor of their research (due to problems with distribution of the questionnaires
rather than a fundamental flaw in methodology), it is clear that there is a wide variety of internal
audit responses to corporate governance issues.
South African Literature Review on Internal Auditing
5
Twenty years ago internal auditing in South Africa was not well known as a profession. In South
Africa, a number of factors contributed to the changes, development, and growth of the countrys
internal auditing profession. During the past five years, there were three major contributors to the
large unexpected growth of the profession in South Africa. The first was the reports of the King
commission on corporate governance (King I: 1994 and King II: 2002). The second was the Public
Finance Management Act (SA 1999. Section 38), which made it a legal requirement for all forms
of public organizations to have an internal audit activity in line with the Standards.
As internal auditing is a relative new profession in South Africa, limited formal research publications
were found on internal auditing within the country. The following briefly discusses the various
research publications found about internal auditing in South Africa.
Communication Skills
During his research, Fourie (2006) attempted to find answers to two research questions. The first
was whether tertiary institutions (universities) in South Africa teach sufficient communication
skills to enable aspiring internal auditors to perform their internal audit assignments professionally.
The second question was whether internal auditors in practice regard themselves as having sufficient
communication skills in order to conduct their internal audit assignments professionally.
The results of the study revealed that universities in South Africa do not teach adequate
communication skills to aspiring internal auditors. The respondents indicated that they do not possess
adequate communication skills to professionally conduct their internal audit engagements.
New Standards Address Challenges Faced by the Profession
Coetzee & du Bruyn (2001) investigated the limitations of the previous Standards and the changes
in the new Standards. They found that change in auditing required by the new Standards was
5
South Africas literature review was written by Houdini Fourie of the Tshwane University of Technology, South
Africa and Elmarie Sadler of University of South Africa.
difficult to analyze because the new Standards were to be used in conjunction with the previous
Standards at the time of the papers publication. Coetzee & Du Bruyn are of the opinion that the
new Standards successfully address the challenges faced by internal auditors in the profession.
Effectiveness of Public Service Audit Committees
The question for this research was the effectiveness of public service audit committees in improving
accountability in the South African public service as perceived by the independent external auditors
of government (Van der Nest, 2007). Van der Nest stated that the audit committee is a key
accountability instrument, playing a crucial role in the financial management and control environments
of public corporations. Audit committees are increasingly regarded as integral to modern control
structures and governance practices in both the private sector and public service. The establishment
of audit committees is recognized as best practice with respect to good corporate governance. The
establishment of audit committees is legislated in the financial management legislation in South
Africa.
Importance of Quality Control
In her study, Marais (2003) investigated the importance of quality control within internal audit
activities as prescribed by the Standards and guidelines of The IIA. The study also attempted to
determine to what extent these Standards and guidelines are applied in internal audit activities in
South Africa.
The study concluded that quality control is not adequately applied within all IAAs in South Africa.
Compliance with the Standards that were implemented during J anuary 2002 should help to improve
the situation. Marais further concluded that The IIA should take action to motivate IAAs to exercise
quality control according to the Standards.
Compliance with Good Practice and Legal Requirements by Audit Committees
In his paper, Van der Nest (2005) evaluated the compliance with good practice and legal requirements
by audit committees in South Africas government departments. The performance in four of the
audit committees important areas of responsibility was also measured.
The initial general observation by Van der Nest was that there is sufficient compliance with the
legal framework within which the South African public sector audit committees function. A further
observation was that there is general compliance with good practice for audit committees in the
South African public sector. According to Van der Nest, evidence shows that there is a
preoccupation with control issues and internal audit reports. Van der Nest is concerned about the
absence or lack of other critical issues that should be addressed by audit committees, including risk
management, processes, financial reporting, and corporate governance.
Summary
The literature indicates many changes in the activities performed by internal auditors over the past
30 years. The increasing complexity of business transactions, a more dynamic regulatory environment,
and significant advances in information technology are developments that have resulted in
opportunities and challenges for internal auditors. One of the objectives of CBOK 2006 was to
gather information on the current state of internal auditing around the world to determine the
current state of the art for the practice of internal auditing to add to the growing literature and
study of the internal auditing profession.
References
1. Abdolmohammadi, M.J ., P.A. Burnaby, and S. Hass, A review of prior common body of
knowledge (CBOK) studies in internal auditing and an overview of the global CBOK 2006,
2. Albrecht, W.S, J .D. Stice, and K.D. Stocks, A Common Body of Knowledge for the Practice
of Internal Auditing (Altamonte Springs, Florida: The Institute of Internal Auditors Research
Foundation), 1992.
3. Ali, A.M., S.Z. Saidin, M.Z. Ghazali, M.S. Rahim, M.H. Sahdan, A. Ali, and A. Ahmi, Internal
Audit in the State and Local governments of Malaysia, Working Paper, Universiti Utara Malaysia,
2004.
4. Allegrini, M., and E. Bandettini, Internal Auditing And Consulting Assignments In Italy: An
Empirical Research, Fourth European Conference on Internal Audit and Corporate Governance,
2006b.
5. Allegrini, M., and G. DOnza, Internal Auditing and Risk Assessment in Large Italian Companies:
an Empirical Survey, International Journal of Auditing 7 (3), 2003, pp. 191-208.
6. Allegrini, M., G. DOnza, L. Paape, R. Melville, and G. Sarens, The European literature
review on internal auditing, Managerial Auditing Journal 21(8), 2006a, pp. 845-853.
7. Anderson, U., Assurance and Consulting Services, In Research Opportunities in Internal
Auditing, Ch. 4, Bailey, A.D., A.A. Gramling, and S. Ramamoori (eds.) (Altamonte Springs,
8. Arena, M., and G. Azzone, Internal Audit in Large Italian Companies: adoption, development
and evolution, Fourth European Academic Conference on Internal Audit and Corporate
Governance, 2006.
9. Arena, M., G. Azzone, P. Casati, and F. Mello, Rapporto di ricerca, Italian Institute of Internal
Auditors, 2004.
10. Barrett, M.J ., G.W. Lee, S.P. Roy, and L. Verastigu, A Common Body of Knowledge for
Internal Auditors: A Research Study (Altamonte Springs, FL: The Institute of Internal Auditors),
1985.
11. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J . Roebuck, Internal Auditing:
The Global Landscape (Altamonte Springs, FL: The Institute of Internal Auditors), 1999a.
12. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J . Roebuck, Internal Auditing
Knowledge: Global Perspectives (Altamonte Springs, FL: The Institute of Internal Auditors),
1999b.
13. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P. J . Roebuck, Competency:
Best Practices and Competent Practitioners (Altamonte Springs, FL: The Institute of Internal
Auditors), 1999c.
14. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J . Roebuck, The Future of
Internal Auditing: A Delphi Study (Altamonte Springs, FL: The Institute of Internal Auditors),
1999d.
15. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J . Roebuck, Assessing
Competency in Internal Auditing: Structures and Methodologies (Altamonte Springs, FL:
The Institute of Internal Auditors), 1999e.
16. Burnaby, P.A., S. Hass and M.J . Abdolmohammadi, A survey of internal auditors to establish
the scope of the common body of knowledge study in 2006, Managerial Auditing Journal
21 8, 2006, pp. 854-868.
17. Cai, C., Internal audit under the socialist market economy system, Managerial Auditing
Journal 12 (4/5), 1997, pp. 210-213.
18. Carey, P., N. Subramanaim, and K. Ching, Internal audit outsourcing in Australia, Accounting
and Finance 46 (1), 2006, pp. 11-30.
19. CIA World FactBook, https://www.cia.gov/cia/publications/factbook/fields/2145.html, 2006.
20. Chapman, C., and U. Anderson, Implementing the Professional Practices Framework
(Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation) 2002.
21. Coderre, D., Continuous Auditing: Implications for Assurance, Monitoring, and Risk
Assessment (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation),
2005.
22. Coetzee, G.P., and Du Bruyn, The relationship between the new IIA standards and the internal
auditing profession, Meditari 9(6), 2001, pp. 1-79.
23. Cooper, B.J ., and J . Craig, A Profile of Internal Audit in Australia (Melbourne: Royal
Melbourne Institute of Technology), 1983.
24. Cooper, B.J ., P. Leung, and C. Mathews, Benchmarking a comparison of internal audit in
Australia, Malaysia and Hong Kong, Managerial Auditing Journal 11 (1), 1996, pp. 23-19.
25. Cooper, B.J ., P. Leung, and C. Mathews, Internal Audit: An Australian Profile, Managerial
Auditing Journal 9 (3), 1994, pp. 13-19.
26. Cooper, B.J ., P. Leung, and G. Chau, A Survey of Internal Auditing in Hong Kong (Hong
Kong: Department of Accountancy, Hong Kong Polytechnic), 1989.
27. Cooper, B.J ., P. Leung, and G. Wong, The Asia Pacific literature review on internal auditing,
28. COSO, Enterprise Risk Management Integrated Framework Executive Summary (The
Committee of Sponsoring Organizations of the Treadway Commission), 2004.
29. Deloitte & Touche, Lean and Balanced How to Cut Costs Without Compromising
Compliance, Deloitte & Touche, 2006.
30. Ernst & Young, Internal Audit in Malaysia, Kuala Lumpur, (Malaysia), Ernst & Young, 2004.
31. Ernst & Young and IIA New Zealand and Australia, Trends in Australian and New Zealand
Auditing Second Annual Benchmarking Survey 2005, Ernst & Young and IIA New Zealand
and Australia, 2005.
32. Fadzil, F.H., H. Haron, and M. J antan, Internal auditing practices and internal control system,
33. Fourie, H., Internal auditing and communication: a South African perspective, M. Tech
dissertation, Pretoria, Tshwane University of Technology, 2006.
34. Glascock, K.L., Auditees or clients? Internal Auditor, 59 (4), 2002, pp. 84-85.
35. Gobeil, R.E., The Common Body of Knowledge of Internal Auditors, The Internal Auditor,
November/December 1972, pp. 20-29.
36. Goodwin, J ., A comparison of internal audit in the private and public sectors, Managerial
37. Goodwin, J ., and Y.T. Yeo, Two factors affecting internal audit independence and objectivity:
evidence from Singapore, International Journal of Auditing 5, 2001, pp.107-125.
38. Goodwin-Stewart, J ., and P. Kent, The use of internal audit by Australian companies,
39. Gramling, A.A., M.J . Maletta, A. Schneider, and B.K. Church, The Role of the Internal Audit
Activity in Corporate Governance: A Synthesis of the Extant Internal Auditing Literature and
Directions for Future Research, Journal of Accounting Literature 23, 2004, pp. 194-244.
40. Gray, G., Changing Internal Audit Practices in the New Paradigm: The Sarbanes-Oxley
Environment (Altamonte Springs, FL: The Institute of Internal Auditors), 2004.
41. Hass, S., M.J. Abdolmohammadi, and P.A. Burnaby, The Americas literature review on internal
auditing, Managerial Auditing Journal 21 (8), 2006, pp. 835-844.
42. Hofstede, G., Cultures consequences: International differences in work-related values
(London, UK: Sage), 1980.
43. Hofstede, G., Dimensions of National Culture in Fifty Countries and Three Regions, in J .B.
Deregowski, S. Dziurawiec, and R.C. Annis (Eds.), Explications in Cross-Cultural Psychology,
Swets and Zeitling, 1983.
44. Hopkins, R., The nature of audit quality - a conflict of paradigms? An empirical study of
internal audit quality throughout the United Kingdom Public Sector, International Journal
of Auditing 1 (2), 1997, pp. 117-133.
45. House, R.J ., P.J . Hanges, M. J avidan, P.W. Dorfman, and V. Gupta (Eds), Culture, Leadership,
and Organizations: The GLOBE Study of 62 Societies (Thousand Oaks, CA: Sage
Publications), 2004.
46. IFACI (Institute de LAudit Interne), Resultat de lenquete sur la pratique de laudit interne en
France en 2005 (The Institute of Internal Auditors France), 2005.
47. IIABEL (The Institute of Internal Auditors Belgium), Internal audit in Belgium: the shaping of
internal audit today and the future expectations survey results (The Institute of Internal
Auditors Belgium), www.iiabel.be.
48. King Committee on Corporate Governance, King report on corporate governance for South
Africa, Institute of Directors, 1994.
49. King Committee on Corporate Governance, King report on corporate governance for South
Africa, Institute of Directors, 2002.
50. Krell, E., Is Sarbanes-Oxley Compromising Internal Audit? Business Finance, August, 2005.
51. Krogstad, J ., A.J . Ridley, and L.E. Rittenberg, Where Were Going, Internal Auditor. October
1999.
52. Le Grand, C.H., Information Technology Controls (Altamonte Springs, FL: The Institute of
Internal Auditors Research Foundation), 2005.
53. Leung, P., B.J . Cooper, and P. Robertson, The Role of Internal Audit in Corporate
Governance and Management (Melbourne: RMIT Publishing), 2004.
54. Lou, Y., Guanxi: principles, philosophies, and implications, Human Systems Management 16
(1), 1997, pp. 43-51.
55. Lovett, S., L.C. Simmons, and R. Kali, Guanxi versus the market: ethics and efficiency,
Journal of International Business Studies 30 (2), 1999, pp. 231-47.
56. Marais, M., Quality control within internal audit functions and the application thereof in South
Africa, M. Comm. Dissertation, Pretoria, University of South Africa, 2003.
57. McCall, S.M., The auditor as consultant, Internal Auditor 59 (6), 2002, pp. 35-39.
58. McIntosh, E.R., Competency Framework for Internal Auditing: An Overview (Altamonte
59. Melville, R., Control self assessment in the 1990s: the UK perspective, International Journal
of Auditing 3 (3), 1999, pp. 191-206.
60. Melville, R., The Contribution Internal Auditors Make to Strategic Management, International
Journal of Auditing 7 (3), 2003, pp. 209-222.
61. Mutchler, J ., Independence and Objectivity: A Framework for Internal Auditors (Altamonte
62. Paape, L., J . Scheffe, and P. Snoep, The Relationship between the Internal Audit Activity and
Corporate Governance in the EU - a Survey, International Journal of Auditing 7 (3), 2003,
pp. 247-262.
63. PCAOB (Public Company Accounting Oversight Board), Auditing Standard No. 2: An Audit
of Internal Controls over Financial Reporting Performed in Conjunction with an Audit of Financial
Statements, (Washington, DC: Public Company Accounting Oversight Board), 2004.
64. PricewaterhouseCoopers LLP, Internal Audit Global Best Practices: #2 in a series, The
Internal Audit Newsletter, 2005A, pp.5-6.
65. PricewaterhouseCoopers LLP, How Computer Assisted Audit Tools Can Be Used in a
Fiduciary Audit Environment, The Internal Audit Newsletter, 2005B, pp. 2-3.
66. PricewaterhouseCoopers LLP, PricewaterhouseCoopers State of the Internal Audit
Profession: Internal Audit Post Sarbanes-Oxley (New York), 2006.
67. RGTF (Report of the Guidance Task Force to The IIAs Board of Directors), A Vision for the
Future: Professional Practices Framework for Internal Auditing (Altamonte Springs, FL:
The Institute of Internal Auditors Research Foundation), 1999.
68. Rittenberg, L., and M. Covaleski, Outsourcing the internal audit activity: the British government
experience with market testing, International Journal of Auditing 3 (3), 1999, pp. 225-235.
69. Rittenberg, L.E., and B.J .Covaleski, The Outsourcing Dilemma: Whats Best for Internal
Auditing (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation),
1997.
70. Roth, J ., Adding Value: Seven Roads to Success (Altamonte Springs, FL: The Institute of
Internal Auditors Research Foundation), 2002.
71. Roth, J ., and D. Espersen, Internal Audits Role in Corporate Governance: Sarbanes-
Oxley Compliance (Altamonte Springs, FL: The Institute of Internal Auditors Research
Foundation), 2003.
72. Sarens, G., and I. De Beelde, Internal Auditors Perception about Their Role in Risk
Management: A Comparison Between US and Belgian Companies, Managerial Auditing
Journal 21 (1), 2006, pp. 63-80.
73. Selim, G., and A. Yiannakas, Outsourcing the Internal Audit Activity: A Survey of the UK
Public and Private Sectors, International Journal of Auditing 5 (1), 2001, pp. 213-226.
74. Selim, G., and D. McNamee, Risk Management: Changing the Internal Auditors Paradigm,
(Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 1998.
75. Selim, G., and S. Woodward, Internal Auditing and Consulting Practice: UK and Ireland Survey,
British Academy of Management Annual Conference (UK: University of St. Andrews), 2004.
76. Selim, G., S. Sudarsanam, and M. Lavine, The Role of Internal Auditors in Mergers, Acquisitions
and Divestitures: An International Study, International Journal of Auditing 7 (3), 2003, pp.
223-246.
77. Simons, R., Performance Measurement & Control Systems for Implementing Strategy
(Upper Saddle River, NJ : Prentice Hall), 2000.
78. South Africa, The Public Finance Management Act, Act 1 of 1999, Pretoria, Government
Printers, 1999.
79. U.S. Sarbanes Oxley Act of 2002 (One Hundred Seventh Congress of the United States of
America, HR 3763), 2002.
80. Tang, Y.W., L. Chow, and B.J . Cooper, Accounting and Finance in China A Review of
Current Practice, 4
th
, Sweet and Maxwell Asia, (Hong Kong), 2000.
81. Tettamanzi, P., Internal auditing: evoluzione storica, stato dellarte e tendenze di sviluppo:
Italia e Regno unito a confronto, Egea, 2003.
82. The Institute of Internal Auditors, A Vision for the Future: The Professional Practices
Framework for Internal Auditing (Altamonte Springs, FL: The Institute of Internal Auditors
Research Foundation), 1999.
85. The Institute of Internal Auditors, The IIA Research Foundation Request for Proposal (Altamonte
86. Van der Nest, D.P., Audit committees in government departments: an internal audit perspective,
The South African Journal of Accountability and Audit Research 6, 2005, pp. 75-83.
87. Van der Nest, D.P., Audit committees and accountability in the South African public service,
D. Tech dissertation, Pretoria, Tshwane University of Technology, 2007.
88. Van Peursem, K.A., Conversations with internal auditors - The power of ambiguity,
89. Van Peursem, K.A., Internal auditors role and authority - New Zealand evidence, Managerial
90. Wang, X., Development trends and future prospects of internal audit, Managerial Auditing
Journal 12 (4/5),1997, pp. 200-204.
91. Warren, J .D., and X.L. Parker, Continuous Auditing: Potential for Internal Auditors
(Altamonte Springs, FL: The Institute of Internal Auditors), 2003.
92. Zoellick, B., and T. Frank, Governance, Risk Management, and Compliance: An
Operational Approach (The Compliance Consortium), 2005.
APPENDIX 10-A
Pre-scope Questionnaire for CBOK
Do you agree that the global CBOK scope should include the following: Yes No
Demographics for respondents and companies. 53 7
Percentage of time spent on different types of audit (scope) in 2005:
Operational 60 2
Financial (include work with external auditor) 58 2
Governance (ethics, control framework, Sarbanes-Oxley, linkage of 61 1
strategy, and company performance)
o The role of internal auditing in organizational governance
Consulting 60 3
Enterprise risk management (ERM) Need more specification 59 3
Fraud investigations (forensic accounting/auditing) 59 3
Work done by consultants (outsourcing) 57 5
Other:
Belgium
o Procedures development
o Benchmark analyses (meant to steer company decisions and action
plans for performance improvement)
o Role of internal audit in project management
o IT audit (!)
o Direct operational responsibilities (even limited)
U.K. Ireland
o Work done by consultants (co-sourcing)
o Assurance work
U.S.
o I think the work spent with the external auditor should be its own
classification
o With respect to Sarbanes Oxley, the governance component should
be separate from the work done in an advisory capacity
(i.e., monitoring separate from management documentation, testing,
and assessment)
o Outsourced work may be better defined as subject matter expertise
required versus outsourced internal auditing (i.e., is the internal audit
activity outsourced or complemented?)
o Compliance (non-Sarbanes-Oxley)
Percentage of time spent on different types of audit (scope) Yes No
in 2005: (Cont.)
o Regulatory
o Technology
o Audit of IT function
Asia
o IT audit
o Probity auditing
o Information technology audit
o Ad hoc/special audit
Italy
o Compliance programs for the prevention of corporate crime: risk
assessment, compliance audit, monitoring, compliance programs
updating.
South Africa
o Integrated assurance services (audits that combine financial,
operational, ICT, and governance).
Adherence to the International Standards for the Professional Practice Yes No
of Internal Auditing (Standards) (The IIA, 2004):
1000 Purpose, Authority, and Responsibility 62 1
o Charter outlining nature of assurance and consulting services
1100 Independence and Objectivity 61 1
o Reporting structure administratively and functionally
o Support of upper management
o Support of the audit committee
1200 Proficiency and Due Professional Care 62 0
o Level of education required of entry-level auditors
o Certifications
o Skills required of each audit position
1230 Continuing Professional Development - number of hours required 53 5
1300 Quality Assurance and Improvement Program 59 4
o How often internal quality review is performed
o How often external quality review is performed
2000 Managing the Internal Audit Department 58 5
o CAE - rotating or permanent position
o Written policies and procedures
o Staff rotation policy
Adherence to the International Standards for the Professional Practice Yes No
of Internal Auditing (Standards) (The IIA, 2004):
2010 Planning 56 7
o Percentage of audit budget spent on planning activities
2210 Engagement Objectives 58 5
o Set audit objectives during the planning stages of the audit
2240 Engagement Work Program 56 7
o % of audit programs written specifically for each engagement
o % of audit programs from prior audits
o % of purchased audit programs
2400 Communicating Results 62 1
o A written audit report is prepared for what percent of engagements
o Audit report includes a grade or score for the audit process
2500 Monitoring Progress 62 1
o Follow-up procedures are performed on what % of audits
o Audit department has the support of upper management to ensure
improvements are made by auditee
Other: Belgium
o Follow-up on implementation of critical recommendations
o Calculation/estimation of return of audit work (through
implementation of audit recommendations or through audit review as
such on e.g., double payments: savings achieved; double
disbursements prevented or corrected; etc.)
U.K. Ireland
o Adherence to the International Standards for the Professional
Practice of Internal Auditing (Standards) (The IIA)
o Adherence to national or sectoral standards, based on the standards
o Adherence to national or sectoral standards, not based on the
standards
U.S.
o Determination of IA as either a cost center or profit center
o Calculation of cost savings and/or opportunity income gained arising
from internal audit recommendations as part of reporting (estimation)
and monitoring (actual).
Specific areas of knowledge required of internal auditors: Yes No
Traditional business school topics (finance, operations, accounting, 52 11
marketing)
Business terminology 45 16
Technology 57 6
Financial reporting 50 12
Costing methods/managerial accounting 45 17
Economic theories 25 35
Accounting standards 49 14
Auditing standards 54 8
Other:
Belgium
o Language skills (2 x mentioned)
o IT knowledge and skills (company ERP package) (2 x mentioned)
U.K. Ireland
o Internal auditing standards
o Statistics and analytical techniques
o General management
U.S.
o Should there be more in the way of operational and compliance
auditing? The above categories seem traditional and exclusive to
the operational and compliance COSO components
o Should technology be more specific as to systems etc- should there
be some additional requirements as to ERM, ERP, etc.?
o Should there be more in the Other areas such as forensics, fraud,
money laundering, etc.
o Statistical analyses, Six-sigma, etc.
o Regulatory
o Various industries
o Fraud
o Regulation relevant to the industry
Asia
o Record keeping electronic
o Risk management practices
Italy
o Statistics
o New legislation (SOX, D.Lgs 231/01)
South Africa
o Legislation
Role of the board of directors and audit committee: Yes No
How often the CAE reports to the audit committee 60 2
Boards role in governance issues 57 5
Audit committee/board role in review of annual audit plan 59 3
Other:
Belgium
o Boards role in the definition of risk as used by the internal auditor
in his risk assessment
o Audit committee support for internal audit activity, internal audit
recommendations
U.S.
o Directors Loan Committee & Trust Committee interaction
o Board appointment of CAE, salary determination, etc.
o Administrative chain of command
o AC structure and experience
o Reporting relationships, agendas
Asia
o Induction program for AC members
o Board review of IA performance
Italy
o Audit committee/board role in budget definition
Evaluation of staff: Yes No
Questionnaire at end of audit by client 53 10
Staff evaluated at end of each audit 55 8
Other:
Belgium
o Staff evaluations mid-year and year-end: rotation/career opportunities
inside the company or audit staff
o Evaluation of the overall internal audit activity
U.S.
o Staff evaluation at certain minimum hours if audit is long term?
o Other internal audit quality metrics and measurements
o Core competency development
o Goal achievement (results)
o Performance evaluation (annual or more frequent).
Asia
o Preference for annual survey of branch performance
South Africa
o Ethics
Emerging trends in internal auditing: Yes No
Laws requiring companies to have an internal audit activity 56 7
Internal auditors in advisory role for strategy development 50 11
Implemented an internal control framework (COSO, COSO-ERM, 57 4
Cadbury, or CoCo)
Utilize self-directed, integrated work teams. 48 14
Involved in corporate directives to introduce ERP - Enterprise Resource 45 16
Planning software such as SAP, Oracle, Peoplesoft, BAAN, and J D
Edwards
Implement computer library (Web or CD-ROM) for audit reports, 55 7
workpapers, and reference materials
Implement knowledge management systems 49 13
Work with management to develop ERM system 52 11
Provide training to audit committee 47 14
Share audit programs with Other companies internal audit departments 53 8
Introduce improvements in cycle time 44 19
Utilize groupware such as Lotus Notes 36 26
Review electronic commerce applications 43 19
Utilize CAATs 56 6
Develop intranet site to educate company personnel about internal 55 7
controls, risk management, Sarbanes-Oxley requirements, etc.
Other:
Belgium
o Provide control awareness trainings to managers (new recruited
managers: as part of company introduction program; newly
promoted managers - individually; newly acquired company
management team; etc.)
o Implementing total quality related frameworks (e.g., EFQM)
U.K. Ireland
o Refocused internal audit on role of providing objective assurance in
context of organization's overall assurance framework
o Introducing full risk-based internal auditing
U.S.
o Analytical (audit) reviews
o Is there a need to address independence if internal audit is used to
introduce erp, implement knowledge systems and develop erm-
how to audit?
o Regulatory
o Attorney client privilege work
Emerging trends in internal auditing: (Cont.) Yes No
Asia
o Audit time recording system of allocation of audit hours
Italy
o Supporting internal control system definition in BPR projects
o Web-based training for personnel according to D.Lgs 231/01
requirements
Certification: Yes No
Need for certification exams for audit managers and CAEs above 45 17
CIA certificate. Already part of the adherence to Standards?
Other:
Belgium
o Need for a CIA more oriented toward non-profit organizations
U.K. Ireland
o Need for specific qualification or certification for internal auditors
o Need for certification for practicing internal auditors
U.S.
o Certifications for seniors (level below mgrs)
o Skills needed - CISA, CFE, etc.
Asia
o Specialized internal auditing certifications CGAP for public sector,
CFSA for financial services auditor
Italy
o CPA, ACFE, CSA
Salaries: Yes No
Entry-level salary at each audit position 42 18
How internal audit salaries compare with managers at similar levels 45 16
in the organization
Other:
U.K. Ireland
o How internal audit salaries for those with internal audit qualifications
compare
U.S.
o Does IA have possibility to rotate to another position within the
company? How often does it happen? What is the average time IA
stays within the IA function?
o Staff levels to include bonus and option programs
Salaries: (Cont.) Yes No
o Mobility within the organization - how many transfers to the
departments, functions?
o Changes too often and varies globally
o Incentive compensation - bonuses, stock options
Asia
o Essential criteria for CAEs and staff, i.e., degree
Italy
o Other benefits
Audit Methods, Tools, and Techniques: Yes No
ACL, Idea, SAS 59 3
Control self-assessment 57 6
Continuous auditing 52 11
Electronic workpapers 58 3
Sampling 59 4
Data mining 54 8
Whistle-blowing hot line 49 13
Comparisons of performance measures to targets in entitys objectives 52 9
Flowchart software 46 15
Other:
Belgium
o Generic office IT tools/groupware
U.S.
o Outsourcing of highly technical/specialized reviews
o Lotus Notes
o Issue tracking repositories
o Intranet portals
o Knowledge management
Asia
o PowerPoint presentations for audit
Italy
o Process Modeling Software
o Risk assessment (No: control risk self-assessment)
South Africa
o Include ERM, benchmarking, QAR, the IA process - procedures,
e.g., compliance, substantive and analytical - Refer PA 2320
Auditee Skill Set (at each level): Yes No
Organization 56 7
Interpersonal 57 6
Writing 57 5
Critical thinking 56 7
Ability to do root cause analysis 53 9
Negotiation 56 7
Conflict resolution 57 6
Interview 57 5
Other:
Belgium
o IT skills (knowledge of company ERP capabilities and control
features +use of system to prepare projects and substantiate findings)
o Synthesis: know how to extract just that information that is necessary
to put context around a finding and recommendation
U.K. Ireland
o Influencing
o Presentation of complex results
U.S.
o Computer skills
o Foreign languages
o Strategic agility
o Facilitation
o Consensus building
o Teamwork
Asia
o Communication
o Time management
o Judgment
o Business acumen
Italy
o Corporate crime, fraud
France
o Courage
Other: Please list Other topics that you would like to include in the survey: Yes No
Belgium
o Interaction between internal and external audit
o Co-sourcing/outsourcing
o Auditors career: recruitment into internal audit and/or internal move
in/career path with internal audit and/or internal move out/external
move out
U.K. Ireland
o Knowledge areas are too narrow: should include governance, ethics,
ethnographic methods
o Involvement in corporate social responsibility
o Benchmarking regarding I.A. size (i.e., no. of employees, mixture of
qualified and non-qualified staff, types of qualification of I.A. staff, etc.)
U.S.
o How is the internal audit plan developed, on the basis of what information
(scoping using risk assessment, particular needs of BU, fraud
investigation, what is the % of each component)?
o What is the duration of the audit plan (1 year, 3 years, etc.)? How often
is it revised?
o Whom does the IA report to (audit committee, CEO, CFO, etcare
they independent?
o How is the IA founded: special budget, re-invoiced to BU, etc?
What is the budget?
o What are the yearly training expenses?
o Does IA use any indicator to measure its performance? If yes, what are
they?
o The views expressed are solely my own and do not necessarily reflect
to the position of Fidelity Investments or its associates
o Trend toward outsourcing/partnering
o Resource management and planning
o Internal audit department structure and geographic locations
o Global focus
o Reporting relationship of CAE to board/audit committee, CEO, CFO,
Other
o Frequency of private meeting of CAE and board/audit committee
chair/committee - never, once per year, etc.
o Asset size of company/annual sales
o Number of internal auditors
Other: Please list Other topics that you would like to include in Yes No
the survey: (Cont.)
o Annual audit department salaries & benefits
o Public/private/other org.
o Core competency framework
o Soft skill development
o Training and development
o Career pathing
o Knowledge management
Asia
o Will 1312 review be completed by J an 1, 2007
o Probity auditing
o Project management
o Standardization of audit reports
o Freedom of information/privacy concerns
o Performance indicators for internal audit
o Standardization of ranking audit
o Balanced scorecards for internal audit
o Disclosure and confidentiality principles for internal audit
o International auditing standards (Global)
o Globalization of auditing profession
o Academic qualifications for internal audit in tertiary institutions
o Career planning for internal audit
o Marketing of the internal audit activity
o Recognized Professional Association
o Benchmarking of internal audit
o Introduce CAE within organization for signoff on internal controls
o Ratio of internal audit cost vs. external audit cost
o Boardroom skills
o Personnel management skills
o Managerial skills
o Split information required for financial audit between financial control
work and supporting/interacting on external audit work
o Emerging new technology and trends in business that impact audit
o New business organizational formations that affect audit capability
Other: Please list Other topics that you would like to include in Yes No
the survey: (Cont.)
Italy
o Information about staff and outsourcing
o Role of the Collegio sindacale
The relationship between the collegio sindacale and the internal audit
unit (collegio sindacale is a specific body of the Italian corporate
governance system). The features involves in this relationship could
concern:
The support of the collegio sindacale to the internal audit
independence.
The review of the audit plan.
The communication of audit results to the collegio sindacale.
Other.
o Planning and priority setting
o Role of the collegio sindacale in the Italian corporate governance
system and the relationship with the internal audit department.
France
o How do IA, MA, compliance, quality control, and Other control
functions fit together?
o What are the job positions in internal auditing?
o How can we go from one position to another?
o How to be prepared to get out of the audit department to disseminate
the control culture.
South Africa
o Environmental auditing
o QAR
o ISO standards relating to internal auditing, e.g., ISO 14000, etc.
APPENDIX 10-B
Topical Areas That Are Addressed in
Past and Current IIA CBOK Studies
Gabeil Barrett et al. Albrecht et al. Birkett et al. CBOK
(1972) (1985) (1991) (1999) (2006)
Accounting Accounting* Accounting** Accounting Accounting***
Auditing Auditing Auditing Auditing Auditing
@
Audit Committee/
Oversight Committee
Audit Plan
Behavioral Behavioral Skills/
Sciences Technical
Skills/Competencies
Communications Communications Communications Communications Communications
Competency Benchmarks/Quality
Assessment, Assessment
Benchmark,
Competency
Standards
Government Compliance/ Compliance/
Government Regulations
Corporate Corporate
Governance Governance
Computers Basis Computer Software
Used in the Audit
Computers & Computer & Computers & Computers & Information
Systems Information Information Information Technology
Systems Systems Systems
Consulting/Advisory
Services
Data Gathering Data Data Mining
& Delivery Warehousing
*Specifies as financial, management, and government accounting
**Specifies as financial and managerial accounting
***Financial and managerial accounting as well as specialized accounting appropriate for the type of organization
Past and Current IIA CBOK Studies (Cont.)
(1972) (1985) (1991) (1999) (2006)
Economics Economics Economics
Ethics Ethics Ethics/Ethics Audits
Expertise Expertise (Experience,
(Experience, Knowledge, Skills)
Knowledge, Skills)
External
Relations
Finance & Finance Finance Finance Finance
Control
Forensic Forensic
Accounting/ Accounting/
Auditing Auditing
Fraud Fraud
Future of the Emerging Issues
Profession and
Influencing Factors
IA Staff Position IAA Position in the
in Organizations Organization
Internal Auditors Internal Auditors
Work Environment, Work Environment,
Context, Population, Context, Population,
and Scope of Work and Scope of Work
International International/culture International/
Globalization/Culture
Legal Aspects Legal Aspects Legal Aspects Legal Regulations
of Business of Business (Commercial and
Regulatory Law)
Secretarial
& Legal
Management Management Management Management
and the
Management
Functions
Past and Current IIA CBOK Studies (Cont.)
(1972) (1985) (1991) (1999) (2006)
Marketing Marketing & Marketing Marketing Marketing
Distribution
Organizations Organizations/
Industries
Organizational Organizational Organizational
Behavior Behavior Behavior
Outsourcing/
Co-sourcing the
Audit/Audit
Function
Personnel
Administration
Professional Professional
Qualification, Qualifications,
Education, Education,
Development, Development,
Training Training
Production
Need for a Global Professional
Validated Practices
Framework Framework
(Common
Language, Global
Profession of
Internal Auditing)
Quantitative Statistics Quantitative Quantitative Statistics
Methods Methods Methods
& Statistics & Statistics
Research & R&D Audit
Development
Reasoning Reasoning Reasoning Reasoning
Risk Control/ Risk Management
Internal Control and Control/Internal
Control
Role of the CAE
Taxes Taxes Taxes
APPENDIX 10-C
CBOK 2006 CAE AND PRACTITIONER
QUESTIONNAIRE
Note: This is the final English questionnaire. On the next two pages is a summary of
which questions were on just the CAE questionnaire, just the Practitioner questionnaire,
or on both. The IIA combined the two questionnaires as some of the questions appeared
on both questionnaires.
COMMON BODY OF KNOWLEDGE (CBOK) 2006
Chief Audit Executive (CAE) or Service Provider Equivalent,
Head of Internal Audit Activity,
Engagement Leader, or Service Provider Principal
Welcome to the Common Body of Knowledge (CBOK) 2006! You are about to participate in one
of the most important projects ever undertaken by The IIA Research Foundation. CBOK will help
Understand, Guide, and Shape the future of Internal Auditing! Your participation will ensure this
project is a success.
We anticipate that this survey will take approximately 40 minutes of your valuable time. All of your
answers will be strictly confidential and will not be associated with your personal information or
organization information. Please answer the questions honestly.
Please complete the survey in one session. If you have any technical problems or questions, please
send an e-mail to jeffrey.swerdlow@theiia.org.
At the end of the survey you will be given the opportunity to enter an optional drawing for twenty-
five US$200 VISA Gift Cards.
Questions for CAE and Practitioner (Per Word file version)
Question Question Description Both CAE Practitioner
Number
Part I Personal/Background Information
1a How long member *
1b Affiliate/Chapter *
2 Age *
3 Level of Education *
4 Academic Major *
5 Organization Position *
6 Professional Qualification *
7 Total Professional Experience *
8 Total Years as CAE, GA, TAP, VP *
9 Reporting Status *
10 Training hours over last 36 months *
11 Training hours over last 12 months *
12 Type of organization you work in *
13 Classification of the industry you offer *
internal audit services
14 Organization Size - (total employees, assets, *
revenue)
15 Area Served *
16 How long has your organization existed? *
17a Does organization have an Internal Audit Activity *
(IAA)?
17b How long has the IAA existed? *
18 Organization Documents *
19 Who is involved in appointing the CAE? *
20 Who evaluates CAEs performance *
21 Is there an Audit Committee? *
22a Number of Audit Committee meetings *
22b Number of Audit Committee meeting invitations *
22c Number of Audit Committee meetings attended *
22d Meet Audit Committee in addition to regular *
meetings?
23 Have appropriate access to Audit Committee? *
24 How is value added by IAA measured? *
Number
25a How many times is the audit plan updated? *
25b How do you establish audit plan *
26a Provide IA services to external organizations? *
26b External Organizations that receive IA services *
26c Do you agree with the statements below? *
27 Number of Staff in IAA *
28 Incentives to hire IA professionals *
29 Methods to fill staff vacancies *
30 Methods to compensate for missing skills *
31 Percentage of activities out or co-sourced *
32 Will budget for out/co-sourced activities change? *
33 Number of Members who have Certifications *
34 Need additional certification beyond CIA? *
35 Method of staff evaluation *
36 Frequency of training *
37 Use IIAs Intl Standards in whole or part? *
38 Guidance from International standard Adequate? *
39 Standard of Professional Practices Framework *
adequate?
40 Reasons for not using The IIAs Intl Standards *
41 IAs have quality assessment and improvement *
program?
42 When was last formal internal quality *
assessment?
43 When was last formal internal quality *
assessment?
44 Activities performed as part of IAA quality *
assessment
45 Who performs following activities/audits? *
46 Percentage time spent on the following activities *
47 Resolution of major differences *
48 Who reports auditing findings to management *
49 Who monitors corrective actions? *
50 How much is IA going to use the following *
audit tools?
Number
51 Behavioral skills for staff *
52 Technical skills for staff *
53 Competencies for staff *
51a Important behavioral skills *
52a Important technical skills *
53a Important competencies *
53b Importance of certain knowledge *
54 Will changes in the IAA scope occur? *
55 Roles of IAA *
56 Indicate whether statements apply to *
organization
I. Personal/Background Information
Note: Background information will be used anonymously for aggregate data analysis. No individual
information will be revealed in research reports.
1a. How long have you been a member of The IIA?
1-5 years
6-10 years
11 years or more
I am not a member of The IIA (Skip to question 2.)
1b. Please select your IIA Affiliate or if you are located in North America or the Caribbean, please
select your Chapter. Affiliate: _______________ Chapter: ________________
2. Your age: _________
3. Your highest level of formal education (not certification) completed:
Secondary/High School Education
Bachelors/Diploma in Business
Bachelors/Diploma in fields other than Business
Masters/Graduate Degree/Diploma in Business
Masters/Graduate Diploma in fields other than Business
Doctoral Degree
Other
4. Your academic major(s): (Please mark all that apply.)
Accounting
Arts or Humanities
Auditing
Computer Science
Economics
Engineering
Finance
General Business/Management
Information Systems
Internal Auditing
Law
Mathematics/Statistics
Science or Technical Field
Other
No degree
5. Your position in the organization:
Chief Audit Executive/General Auditor/Top Audit Position/Vice President - Audit/
Service Provider Equivalent
Internal Audit Management/Service Provider Management
Internal Audit Senior or Supervisor/Service Provider Senior or Supervisor
Internal Audit Staff/Service Provider Staff
Support Staff (administration, secretarial, and clerical)
Other
6. Your professional qualification(s): (Please mark all that apply.)
Internal Auditing (such as CIA/MIIA/PIIA)
Information Systems Auditing (such as CISA/QiCA/CISM)
Government Auditing/Finance (such as CIPFA/CGAP/CGFM)
Control Self-Assessment (such as CCSA)
Public Accounting/Chartered Accountancy (such as CA/CPA /ACCA/ACA)
Management/General Accounting (such as CMA/CIMA/CGA)
Accounting - technician level (such as CAT/AAT)
Fraud Examination (such as CFE)
Financial Services Auditing (such as CFSA/CIDA/CBA)
Fellowship (such as FCA/FCCA/FCMA)
Certified Financial Analyst (such as CFA)
Other
7. Specify your total years of professional experience using the following categories: (Use whole
numbers.)
Service Years in Years in Years in Years in
Provider Private Publicly/ Govern- Not-for-
Company Listed mental Profit
Company
a. Accounting _____ _____ _____ _____ ______
b. Engineering
c. External (Independent)
Auditing _____ _____ _____ _____ ______
d. Finance
e. Information Technology _____ _____ _____ _____ ______
f. Internal Auditing _____ _____ _____ _____ ______
g. Management _____ _____ _____ _____ ______
h. Other Professional
Experience _____ _____ _____ _____ ______
Total Professional Experience _____ _____ _____ _____ ______
8. How many total years have you been the Chief Audit Executive/General Auditor/Top Audit
Position/Vice President - Audit/Service Provider equivalent at your current organization and
previous organizations you have worked for? Years: __________
9. Your reporting status in your organization is:
Staff position reporting to a manager
Managerial position reporting to executive management/high-level government official
Officer position reporting to the executive management/high-level government official
Independent position reporting to the audit committee of the board/oversight board
Other
10. On average, how many hours of formal training have you received over the last 36 month
period or while you have been in the Internal Audit Activity if less than three years? Training
includes, but is not limited to seminars, conferences, workshops, and in-house information
sessions provided by either your organization or another organization.
Hours: ____________
11. How many hours of training over a 12-month period are required by law/statute where you
work?
Hours: ____________
II. Your Organization
Note: Organization information will be used anonymously for aggregate data analysis. No individual
organization information will be revealed.
12. The type of organization for which you currently work:
Service Provider/Consultant
Publicly Traded (Listed) Company
Privately Held (Non-listed) Company
Public Sector/Government
Not-for-Profit Organization
Other
13. The broad industry classification(s) of the organization for which you work or provide internal
audit services: (Please mark all that apply.)
Agricultural/Forestry
Banking/Financial Services/Credit Union
Building and Construction
Communication/Telecommunication
Consumer Goods
Education
Financial, Accounting, and/or Business Services
Healthcare
Hospitality/Leisure/Tourism
Insurance
Manufacturing
Mining and Oil
Non-Professional Services
Pharmaceutical/Chemical
Professional Services
Real Estate
Retail/Wholesale
Technology
Trade Services
Transport and Logistics
Utilities
Other
14. Size of the entire organization for which you work as of December 31, 2005 or the end of the
last fiscal year: (Please use whole numbers and no abbreviations: use 1,000,000 not 1M.)
Total Employees (Full-time Equivalent):
Employees: ___________________
Total Assets (U.S. Dollar Equivalent):
Assets:_______________________
Total Revenue or Budget if Government or Not-for-Profit (U.S. Dollar Equivalent)
Revenue: _____________________
15. Is your organization:
Local
State/Provincial
Regional
National
International/Multinational
16. How long has your organization been in existence?
Years: _________________
III. Internal Audit Activity
17a. Does your organization have an Internal Audit Activity or provide Internal Audit services?
Yes
No (Skip to question 18.)
17b. If yes, for how long? (Please use whole numbers only.)
Years:
18. Which of the following documents exist in your organization? (Please mark all that apply.)
Corporate Governance Code
Long-term Strategic Plan for the Organization
Audit Oversight/Committee Charter
Internal Audit Charter
Mission Statement for the Internal Audit Activity
Internal Audit Operating Manual/Policy Statement
Corporate Ethics Policy/Code of Ethics/Code of Conduct
Annual Internal Audit Plan/Rolling Audit Plan/Quarterly Audit Plan
Long-term Audit Plan (longer than 1 year)
Internal Audit Risk Assessment (to determine what areas to audit)
19. Who is involved in appointing the Chief Audit Executive/General Auditor/Top Audit Position/
Vice President - Audit/Service Provider equivalent? (Please mark all that apply.)
Chairperson of the Board
Chief Executive Officer
Audit Committee/Oversight Committee/Committee Chairperson
Chief Financial Officer
Another person reporting to CFO
Other
20. Who evaluates your performance? (Please mark all that apply.)
Board of Directors
Chairperson of the Board
Chief Executive Officer
Audit Committee/Oversight Committee/Committee Chairperson
Senior Management
Auditee/Client at the end of audit
Supervisor periodically
Peers/Subordinates periodically
Not evaluated
21. Is there an Audit Committee/Oversight Committee or equivalent in your organization?
Yes
22a. Number of Audit Committee/Oversight Committee meetings held in the last fiscal year:
Number: _______________
22b. Number of Audit Committee/Oversight Committee meetings you were invited to attend (entirely
or in part) during the last fiscal year:
Number: ______________
22c. Number of Audit Committee/Oversight Committee meetings you attended (entirely or in part)
during the last fiscal year:
Number: ______________
22d. Do you meet with the Audit Committee/Oversight Committee/Chairperson in addition to the
regularly scheduled meetings?
Yes No
23. Do you believe that you have appropriate access to the Audit Committee/Oversight Committee?
Yes No
24. How does your organization measure the value added by the Internal Audit Activity? (Please
mark all that apply.)
Customer/Auditee surveys from audited departments
Recommendations accepted/implemented
Cost savings and improvements from recommendations implemented
Number of management requests for internal audit assurance or consulting projects
Reliance by external auditors on the Internal Audit Activity
Budget to actual audit hours
Cycle time from entrance conference to draft report
Number of major audit findings
Other
No formal measurement of value added
25a. How frequently do you update the audit plan?
Multiple times per year
Every year
Every two years
More than every two years
No audit plan (Skip to question 26.)
25b. How do you establish your audit plan? (Please mark all that apply.)
Use of a risk-based methodology
Consult previous years audit plan
Consultation with divisional or business heads
Requests from management
Audit Committee/Oversight Committee requests
Compliance/regulatory requirements
Requests from or consultation with external auditors
Other
26a. Are you currently a service provider of internal audit services to external organizations?
Yes
26b. What is the number of external organizations to which you provide internal audit services?
Number: ________________
Note: If you have identified yourself as a provider of internal audit services to external
organizations, whenever you see the phrase Internal Audit Activity please answer
the question based on your experiences as a service provider, not as an internal
auditor for your organization.
26c. Please indicate your agreement with the following statements as they relate to your current
organization or organizations that you audit.
1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree
____ a. Your Internal Audit Activity is an independent objective assurance and consulting
activity.
____ b. Your Internal Audit Activity adds value.
____ c. Internal Audit brings a systematic approach to evaluate the effectiveness of risk
management.
____ d. Your Internal Audit Activity brings a systematic approach to evaluate the
effectiveness of internal controls.
____ e. Your Internal Audit Activity brings a systematic approach to evaluate the
effectiveness of governance processes.
____ f. Your Internal Audit Activity proactively examines important financial matters,
risks, and internal controls.
____ g. Your Internal Audit Activity is an integral part of the governance process by
providing reliable information to management.
____ h. The way our Internal Audit Activity adds value to the governance process is
through direct access to the Audit Committee.
____ i. Your Internal Audit Activity has sufficient status in the organization to be effective.
____ j. Independence is a key factor for your Internal Audit Activity to add value.
____ k. Objectivity is a key factor for your Internal Audit Activity to add value.
____ l. Your Internal Audit Activity is credible within your organization.
____ m. Compliance with The IIAs International Standards for the Professional
Practice of Internal Auditing is a key factor for your Internal Audit Activity to
add value to the governance process.
____ n. Compliance with The IIAs Code of Ethics is a key factor for your Internal Audit
Activity to add value to the governance process.
IV. Staffing
27. How many staff are in your Internal Audit Activity? Temporary or co-sourced staff should be
included to the nearest full-time equivalent.
Full-time Part-time
CAE/General Auditor/Top Audit Position/Service Provider
Equivalent/Vice President - Audit ______ ____
Internal Audit Managers ______ ____
Internal Audit Supervisors ______ ____
Internal Audit Staff ______ ____
External Auditors (co-sourced) ______ ____
Contract Audit Staff (co-sourced) ______ ____
Support Staff (Administrative, Secretarial, and Clerical) ______ ____
Other ______ ____
28. Is your organization currently offering any special incentives to hire internal audit professionals?
(Please mark all that apply.)
Relocation expenses
Signing bonus
Stock options
Accelerated raises
Vehicle provided by the organization
Transportation allowance
Other
29. What methods do you use to make up for staff vacancies? (Please mark all that apply.)
Facilitate Control Self-assessments in place of audits
Reduce areas of coverage
Increased use of audit software
Borrowing staff from other departments
Co-sourcing from internal audit service providers
No vacancies
Other
30. What methods is your organization employing to compensate for missing skill sets (e.g., IT
audit, statistical analysis)? (Please mark all that apply.)
Reduce areas of coverage
More reliance on audit software
Borrowing staff from other departments
Co-sourcing/outsourcing
No missing skill sets
Other
31. What percentage of your Internal Audit Activity activities are currently outsourced / co-
sourced?
No outsourcing/co-sourcing
0-10 %
11-20%
21-30%
31-40%
41-50%
51-60%
61-70%
71-80%
81-90%
91-100%
32. Do you anticipate that your budget for outsourced/co-sourced activities will change in the next
three years?
Increase
Decrease
Remain the same
33. How many members of the Internal Audit Activity hold the following certifications? If a staff
member has more than one certification, include them in all applicable categories.
Number
Internal Auditing (such as CIA/MIIA/PIIA)
Information Systems Auditing (such as CISA/QiCA/CISM)
Government Auditing/Finance (such as CIPFA/CGAP/CGFM)
Control Self-Assessment (such as CCSA)
Public Accounting/Chartered Accountancy (such as CA/CPA/ACCA/ACA)
Management/General Accounting (such as CMA/CIMA/CGA)
Accounting - technician level (such as CAT/AAT)
Fraud Examination (such as CFE)
Financial Services Auditing (such as CFSA/CIDA/CBA)
Fellowship (such as FCA/FCCA/FCMA)
Certified Financial Analyst (such as CFA)
Other
34. Do you see a need for additional certification beyond the CIA for audit managers and CAEs?
a. Need for additional certification exams for audit managers Yes
b. Need for additional certification exams for CAEs No
35. What method of staff evaluation do you use? (Please mark all that apply.)
By supervisor periodically Customer/auditee feedback
Peers/subordinates periodically Other
36. How frequently do you and your staff receive the following types of training?
More frequently than annually
Annually
Less frequently than annually
As needed
Never
a. Standards and professional practices ___________________________________
b. Basic/advanced technology ___________________________________
c. Anti-fraud techniques ___________________________________
d. Ethics training ___________________________________
e. Communication skills ___________________________________
f. Team-building skills ___________________________________
V. Internal Auditing Standards
37. Does your organization use The IIAs International Standards for the Professional Practice
of Internal Auditing in whole or in part? If you are a service provider do you use The IIA's
International Standards for the Professional Practice of Internal Auditing in whole or in
part for your audits of your clients?
Yes
38. If your Internal Audit Activity follows any of The IIAs International Standards for the
Professional Practice of Internal Auditing, please indicate if the guidance provided by
these standards is adequate for your Internal Audit Activity and if you believe your organization
complies with the Standards.
[provide links to all below] Guidance is Your Organization
Adequate is in Compliance
Yes Yes, full
No compliance
Do not use Yes, partial
I do not compliance
know No, not in
compliance
I do not know
AS 1000 - Purpose, Authority, and Responsibility
AS 1100 - Independence and Objectivity
AS 1200 - Proficiency and Due Professional Care
AS 1300 - Quality Assurance and Improvement
PS 2000 - Managing the Internal Audit Activity
PS 2100 - Nature of Work
PS 2200 - Engagement Planning
PS 2300 - Performing the Engagement
PS 2400 - Communicating Results
PS 2500 - Monitoring Progress
PS 2600 - Resolution of Managements Acceptance of Risks
39. If your Internal Audit Activity uses any of the Practice Advisories provided by The IIA in the
International Professional Practices Framework, indicate if they are adequate for your Internal
Audit Activity. If your organization does not use any of the Practice Advisories, skip to question
40.
[provide links to all below] Guidance is
Adequate
Yes
No
Do Not Use
AS 1000 - Purpose, Authority, and Responsibility
AS 1100 - Independence and Objectivity
AS 1200 - Proficiency and Due Professional Care
AS 1300 - Quality Assurance and Improvement
PS 2000 - Managing the Internal Audit Activity
PS 2100 - Nature of Work
PS 2200 - Engagement Planning
PS 2300 - Performing the Engagement
PS 2400 - Communicating Results
PS 2500 - Monitoring Progress
PS 2600 - Resolution of Managements Acceptance of Risks
40. What are the reasons for not using The IIAs International Standards for the Professional
Practice of Internal Auditing, in whole or in part? (Please mark all that apply.) Skip to
question 41 if your organization is in full compliance with The IIAs International Standards
for the Professional Practice of Internal Auditing.
Standards or Practice Advisories are too complex
Not appropriate for small organizations
Too costly to comply
Too time consuming
Superseded by local/government regulations or standards
Not appropriate for my industry
Compliance not supported by management/board
Not perceived as adding value by management/board
Inadequate Internal Audit Activity staff
Compliance not expected in my country
Other
Please explain: _______________________________________________________
41. Does your Internal Audit Activity have a quality assessment and improvement program in
place in accordance with The IIAs International Standards for the Professional Practice
of Internal Auditing Standard 1300?
Yes, currently in place
To be put in place within the next twelve months
No plans to put in place in the next twelve months
Your quality assurance program is not in accordance with Standard 1300
I do not know
42. When was your Internal Audit Activity last subject to a formal internal quality assessment,
periodic or ongoing, in accordance with The IIAs International Standards for the Professional
Practice of Internal Auditing Standard 1311 on internal assessments?
Scheduled to be completed prior to J anuary 1, 2007, but not yet completed
Within the last 12 months
1-3 years ago
4-5 years ago
More than 5 years ago
Never
The internal review was not done in accordance with Standard 1311
I do not know
43. When was your Internal Audit Activity last subject to a formal external quality assessment in
accordance with The IIA International Standards for the Professional Practice of Internal
Auditing Standard 1312 on external assessments?
Scheduled to be completed prior to J anuary 1, 2007, but not yet completed
Within the last 12 months
1-3 years ago
4-5 years ago
More than 5 years ago
Never
The external review was not done in accordance with Standard 1312
I do not know
44. For your Internal Audit Activity, which of the following activities are performed as part of your
internal audit quality assessment and improvement program? (Please mark all that apply.)
Verification that the Internal Audit Activity is in compliance with The IIAs International
Standards for the Professional Practice of Internal Auditing
Compliance with non-IIA standards or codes
Internal audit professionals are in compliance with The IIAs Code of Ethics
Checklists/manuals to provide assurance that proper audit processes are followed
Engagement supervision
Feedback from audit customers at the end of an audit
Reviews by other members of the Internal Audit Activity
Review by external party
I do not know
Not applicable
VI. Audit Activities
45. Please indicate who performs the following activities and/or audits: (Please mark all that apply.)
Internal Audit
Activity
Other
department
in the
organization
Co-sourced
Outsourced
Not Performed
a. Administrative (audit plan, assign tasks)
b. Business viability assessments
c. Compliance with company privacy policies
d. Compliance with corporate governance and regulatory
code requirements
e. Control framework monitoring and development
f. Corporate takeovers/mergers
g. Enterprise risk management
h. Ethics audits
i. External audit assistance
j. Health, safety, and environment
k. Financial auditing
l. Information risk assessment
m. Information technology department assessment
n. Internal auditing
o. Internal control testing/systems evaluation
p. Investigations of fraud and irregularities
q. Linkage of strategy and company performance
r. Management effectiveness review/audit
s. Operational audits
t. Project management
u. Quality assessment of internal audit activity
v. Quality/ISO audits
w. Resource management and controls
x. Security issues
y. Social and sustainability audits
z. Special projects
aa. Technical competency training for auditors
46. Please estimate the percentage of time spent by the Internal Audit Activity on each of the
following activities for the most recent fiscal year:
3 Years Currently 3 Years
Ago From Now
a. Compliance audits (laws, regulations,
and policy ______ ______ ______
b. Consulting/Advisory ______ ______ ______
c. Financial process audits (including
assistance to the external auditor) ______ ______ ______
d. Fraud investigations (forensic
accounting/auditing) ______ ______ ______
e. Governance (ethics, control framework,
regulatory, linkage of strategy and
company performance) ______ ______ ______
f. Information technology audits ______ ______ ______
g. Operational ______ ______ ______
h. Management audits ______ ______ ______
i. Other ______ ______ ______
Total should add to 100% in each column ______ ______ ______
47. If major differences arise around audit issues (audit results versus policy or between auditor
and auditee/client), when are they resolved?
Never
Rarely
Sometimes
Usually
Always
During planning
During audit fieldwork
During audit reporting
After audit report is issued
Never
48. After the release of an audit report in the organization, who has the primary responsibility for
reporting findings to senior management?
Auditee/client
Chief Audit Executive/General Auditor/Top Audit Position/Vice President - Audit/Service
Provider equivalent
Internal auditor manager
Both internal audit manager and auditee/client
Both Chief Audit Executive and auditee/client
Other
No formal reporting of results
49. After the release of an audit report with findings that need corrective action, who has the
primary responsibility to monitor that corrective action has been taken?
Auditee/client
Internal auditor
Both internal audit and auditee/client
No formal follow-up
Other
VII. Tools, Skills, and Competencies
50. Indicate the extent the Internal Audit Activity uses or plans to use the following audit tools /
techniques on an audit engagement:
1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used, 5 = Extensively Used
Currently Plan to use
Used in the next
3 years
1 1
2 2
3 3
4 4
5 5
a. Analytical review
b. Balanced scorecard or similar framework
c. Benchmarking
d. Computer Assisted Audit Techniques
e. Continuous/real-time auditing
f. Control Self-assessment
g. Data mining
h. Electronic workpapers
i. Flowchart software
j. Other electronic communication (e.g., Internet, e-mail)
k. Process mapping application
l. Process modeling software
m. Risk-based audit planning
n. Statistical sampling
o. The IIAs Quality Assessment Review tools
p. Total quality management techniques
51. Please mark the five most important of the following behavioral skills for each professional
staff level to perform their work. (Behavioral skills are actions towards others measured by
commonly accepted standards and management of ones own actions).
Staff Supervisor Management Head of
Audit
Activity
a. Confidentiality
b. Facilitating
c. Governance and ethics sensitivity
d. Interpersonal skills
e. Leadership
f. Objectivity
g. Relationship building
h. Staff management
i. Team building
j. Team player
k. Working independently
l. Work well with all levels
of management
52. Please mark the five most important of the following technical skills for each level of professional
staff to perform their work. (Technical skills are using terminology or subject matter in a
particular field)
Audit
Activity
a. Data collection and analysis
b. Financial analysis
c. Forensic skills/Fraud awareness
d. Identifying types of controls
e. Interviewing
f. ISO/quality knowledge
g. Negotiating
h. Research skills
i. Risk analysis
j. Statistical sampling
k. Total Quality Management
l. Understanding business
m. Use of information technology
53. Please mark the five most important of the following competencies for each level of professional
rank to perform their work. (Competencies are skills essential to perform certain tasks).
Audit
Activity
a. Ability to promote the Internal
Audit Activity within the
organization
b. Analytical (ability to work
through an issue)
c. Change management
d. Communication
e. Conflict resolution
f. Critical thinking
g. Conceptual thinking
h. Foreign language skills
i. Keeping up to date with
professional changes in
opinions, standards and
regulations
j. Organization skills
k. Presentation skills
l. Problem identification
and solution
Audit
Activity
m. Project planning and
management
n. Report development
o. Time management
p. Training and developing staff
q. Understanding complex
information systems
r. Writing skills
51a. Please indicate the importance of the following behavioral skills for you to perform your work
at your position in the organization. (Behavioral skills are actions towards others measured by
commonly accepted standards and management of one's own actions).
Rank from 1 (minimally important) to 5 (very important)
___ a. Confidentiality
___ b. Facilitating
___ c. Governance and ethics sensitivity
___ d. Interpersonal skills
___ e. Leadership
___ f. Objectivity
___ g. Relationship building
___ h. Staff management
___ i. Team building
___ j. Team player
___ k. Working independently
___ l. Work well with all levels of management
52a. Please indicate the importance of the following technical skills for you to perform your work
at your position in the organization (Technical skills means using terminology or subject matter
in a particular field).
___ a. Data collection and analysis
___ b. Financial analysis
___ c. Forensic skills/Fraud awareness
___ d. Identifying types of controls (e.g., preventative, detective)
___ e. Interviewing
___ f. ISO/quality knowledge
___ g. Negotiating
___ h. Research skills
___ i. Risk analysis
___ j. Statistical sampling
___ k. Total Quality Management
___ l. Understanding business
___ m. Use of information technology
53a. Please indicate the importance of the following competencies for you to perform your work at
your position in the organization (Competencies are skills essential to perform certain tasks).
___ a. Ability to promote the Internal Audit Activity within the organization
___ b. Analytical (ability to work through an issue)
___ c. Change management
___ d. Communication
___ e. Conflict resolution
___ f. Critical thinking
___ g. Conceptual thinking
___ h. Foreign language skills
___ i. Keeping up to date with professional changes in opinions, standards, and regulations
___ j. Organization skills
___ k. Presentation skills
___ l. Problem identification and solution
___ m. Project planning and management
___ n. Report development
___ o. Time management
___ p. Training and developing staff
___ q. Understanding complex information systems
___ r. Writing skills
53b. How important are the following areas of knowledge for satisfactory performance of your job
at your position in the organization?
___ a. Accounting
___ b. Auditing
___ c. Business law and government regulation
___ d. Business management
___ e. Changes to professional standards
___ f. Enterprise risk management
___ g. Ethics
___ h. Finance
___ i. Fraud awareness
___ j. Governance
___ k. Human resource management
___ l. Internal auditing standards
___ m. Information technology
___ n. Managerial accounting
___ o. Marketing
___ p. Organization culture
___ q. Organizational systems
___ r. Strategy and business policy
___ s. Technical knowledge for your industry
VIII. Emerging Issues
54. Do you perceive likely changes in the role of the Internal Audit Activity in the organization over
the next 3 years?
Increase
Decrease
Stay the same
a. Review of financial processes
b. Risk management
c. Governance
d. Regulatory compliance
e. Operational auditing
55. Please identify the roles that the Internal Audit Activity currently has in your organization or
will have in the next 3 years. Role means that it is within the scope of your work.
Currently have a role
Likely to have a role within
the next 3 years
Unlikely to have a role
Not applicable
a. Alignment of strategy and performance
measures (e.g., Balanced Scorecard)
b. Benchmarking
c. Corporate governance
d. Corporate social responsibility
e. Develop training and education of
organization personnel (e.g., internal
controls, risk management, regulatory
requirements)
f. Disaster recovery
g. Evidential issues
h. Emerging markets
i. Environmental sustainability
j. Executive compensation
k. Fraud prevention/detection
l. Globalization
m. Intellectual property and knowledge
assessment
n. IT management assessment
o. Knowledge management systems
development review
p. Mergers and acquisitions
q. Project management
r. Provide training to the audit committee
s. Regulatory compliance assessment monitoring
t. Risk management
u. Strategic frameworks
56. Please indicate if the following statements apply to your organization now, in the next 3 years
or will not apply in the foreseeable future.
Currently Apply
Likely to Apply Within
the Next 3 Years
Will Not Apply in the
Foreseeable Future
Not Applicable
a. Internal auditing is required by law or regulation
where the organization is based.
b. Internal auditors in the organization have an
advisory role in strategy development.
c. The organization complies with a corporate
governance code.
d. The organization has implemented an internal
control framework.
e. The organization has implemented a knowledge
management system.
f. The Internal Audit Activity has provided training
to audit committee members.
g. The Internal Audit Activity assumes an important
role in the integrity of financial reporting.
h. The Internal Audit Activity educates organization
personnel about internal controls, corporate
governance, and compliance issues.
i. The Internal Audit Activity places more emphasis
on assurance than consulting services.
_______________________ The William G. Bishop III, CIA, Memorial Fund Contributors 455
THE WILLIAM G. BISHOP III, CIA,
MEMORIAL FUND
CONTRIBUTORS
DIAMOND LEVEL
Association of Certified Fraud Examiners
The Institute of Internal Auditors (IIA)
IIA Baltimore
IIA Dallas
IIA New York
IIA Washington, DC
EMERALD LEVEL
The Bishop Family
J ane Lee and William L. Taylor
Thomas J . Warga, CIA
J CPenney Company Inc.
J efferson Wells International Inc.
Protiviti Inc
IIA Central Illinois
IIA Central Penn
IIA Houston
RUBY LEVEL
Robert Antoine, CIA
Dennis K. Beran, CIA, CCSA
J ohn J . Fernandes, CIA, CCSA
J ohn J . Flaherty, CIA
J ean-Pierre Garitte, CIA, CCSA
Eric Hespenheide
Al Holzinger
Bruce Meikle
Patricia K. Miller, CIA
Sandra L. Pundmann
Sridhar Ramamoorti, Ph.D., CIA, CPA,
CFE, CFSA, CGAP
Anthony J . Ridley, CIA
C. Wayne Rose, CIA
Richard M. Serafini, CIA, CFSA
American Institute of Certified Public
Accountants (AICPA)
Asian Confederation of Institute of Internal
Auditors (ACIIA)
Association of Healthcare Internal Auditors
Fannie Mae
Microsoft Corporation
IIA Ak-Sar-Ben
IIA Albany
IIA Austin
IIA Australia
IIA Birmingham (AL)
IIA Green Mountain (VT)
IIA Los Angeles
IIA Milwaukee
IIA Montreal
IIA Nashville
IIA New Zealand
IIA North J ersey
IIA Norway
IIA Orange County (CA)
IIA Phoenix
IIA Southern New England
IIA United Kingdom and Ireland
IIA Vancouver
IIA Wichita
FRIEND LEVEL
Urton L. Anderson, Ph.D., CIA, CCSA
Audley L. Bell, CIA
Andrew J . Dahle, CIA
Stephen D. Goepfert, CIA
Timothy R. Holmes
Howard J . J ohnson, CIA
Carman Lapointe-Young, CIA, CCSA
J ohn M. Polarinakis, CIA
Ralph E. Purpur
Larry E. Rittenberg, Ph.D., CIA
Roderick M. Winters, CIA
Association of Credit Union
Internal Auditors (ACUIA)
MIS Training Institute
Salt River Project
IIA Baltimore
IIA Central Florida
IIA Central Iowa
IIA Central Kentucky
IIA Detroit
IIA Greater Boston
IIA Indianapolis
IIA Kansas City
IIA Long Island
IIA Madison
IIA Malaysia
IIA Miami
IIA Ocean State (RI)
IIA Salem (OR)
IIA Saskatchewan
IIA St. Louis
IIA Sweden
IIA Tallahassee
IIA Tidewater
IIA Tulsa
IIA Twin Cities
IIA Westchester Fairfield
IIA Winnipeg
DONOR LEVEL
Ronald W. Acker, CIA
Bruce Alan Adamec, CIA
Augusto Baeta
Thomas J . Beirne
J oanna Berens
Lucia B. Bishop
Sten Bjelke, CIA
LeRoy E. Bookal, CIA
Katy Brown
Robert Bullen
J udith K. Burke, CCSA
Richard F. Chambers, CIA, CCSA, CGAP
Nicolette Creatore
Prof. Mortimer Dittenhofer, CIA
William J . Duane, CIA, CFSA
Edward M. Dudley, CIA
Charles B. Eldridge
Ivy N. Estes
Robert A. Ferst, CIA
Robert B. Foster
Hal A. Garyn, CIA
Kimberly Parker Gavaletz, CIA
Gaston L. Gianni, J r., CGAP
Audrey A. Gramling, CIA
Trish Harris
Rudy Hernandez, J r., CIA
Glenn P. Hoffman, CIA, CFSA
J ohn Gregory Hutsell
Cynthia Huysman
Steven Earl J ameson, CIA, CCSA, CFSA
Thomas A. J ohnson, CIA
Wendy W. Kerins, CIA
Donald E. Kirkendall, CIA
J oel F. Kramer
Kevin Kuntz
Daniel B. Langer, CIA, CCSA
Susan B. Lione, CIA, CCSA, CFSA, CGAP
Philip B. Livingston
_______________________ The William G. Bishop III, CIA, Memorial Fund Contributors 457
Melani P. Lovik, CIA
Marjorie A. Maguire-Krupp, CFSA
Stacy M. Mantzaris, CIA, CCSA, CGAP
Carlo L. Mastropaolo
Dorick V. Mauro
J ill E. Mayhew, CIA
Sam Michael McCall, CIA
Robert N. McDonald, CIA
Betty L. McPhilimy, CIA
Guenther Meggeneder
T. Fred Miller
J ames A. Molzahn
Perry Glen Moore, CIA
Wayne G. Moore, CIA
Kevin M. Morrissey
D. Richard Moyer, CIA
J ane F. Mutchler
Donald J . Nelson, CIA
Frank M. OBrien, CIA
Amy B. Owen
Paula W. Parker, CIA
Dolores C. Pasto-Ziobro, CIA
Basil H. Pflumm, CIA
J arred and Shannon Pittman
David Polansky
Robert B. Powell
Charity A. Prentice, CIA, CCSA, CGAP
Walter D. Pugh
Michael S. Raphael, CIA
Richard K. Robinson
Anastasia Rodriguez Ford, CIA
H. David Rosenstein
J ames P. Roth, Ph.D., CIA, CCSA
Charles T. Saunders, J r., CIA, CCSA
Mitchell J ames Smith
Paul J . Sobel, CIA
Donald E. Sparks
Peteris Strazdins, CIA
Margaret G. Summers
J ohanna S. Swauger, CIA, CCSA, CFSA
Deborah L. Sword
Deborah Wheless Tanju, CIA
David A. Tenney, CIA
Archie R. Thomas, CIA
Bena G. Tinsley, CIA
Bonnie L. Ulmer
Dallal Helen Van Hoeck, CIA
Curtis C. Verschoor, CIA
Dominique Vincenti, CIA
H.C. Warner, CIA
J ohn K. Watsen, CIA
Billy G. Weathers
Scott D. White, CIA, CFSA
Douglas E. Ziegenfuss, Ph.D., CIA, CCSA
Michael A. Zowine
American International Group
Association of College and University Auditors
(ACUA)
Board of Environmental, Health & Safety
Auditor Certifications (BEAC)
J PA International Inc.
J unior Achievement of Central Florida
Kraus-Manning Inc.
Majestic Star Casino
Memphis Blues Rugby Club
Office Depot Inc.
Omni Hotels Corporation
Paisley Consultants/CARDdecisions Inc.
PBD Worldwide Fulfillment Services Inc.
Shenandoah Group
Simon Operation Services Inc.
IIA Atlanta
IIA Calgary
IIA Central Virginia
IIA Chattanooga Area
IIA Chicago
IIA Chinese Taiwn
IIA Coastal Georgia
IIA Downeast Maine
IIA Edmonton
IIA El Paso
IIA Granite State (NH)
IIA Lansing (MI)
IIA Las Vegas
IIA Monroe
IIA Ozarks
IIA Rochester
IIA Santa Fe
IIA Sioux Falls
IIA Spokane
IIA Tucson
IIA U.S. Pacific
THE IIA RESEARCH FOUNDATION
CHAIRMANS CIRCLE
Cargill Inc.
Chevron
Deloitte & Touche LLP
Ernst & Young LLP
ExxonMobil Corporation
J CPenney Company
Lockheed Martin Corporation
PricewaterhouseCoopers LLP
Protiviti Inc.
Raytheon Company
David A. Richards, CIA
Paul J . Sobel, CIA
Rod and Donna Winters
_________________________________ The IIA Research Foundation Board of Trustees 459
The IIA Research Foundation
Board of Trustees
President
Roderick M. Winters, CIA, CPA
Vice President - Strategy
Eric J . Hespenheide, CPA
Deloitte & Touche LLP
Vice President - Research
Robert B. Foster, CFE
Fidelity Investments
Vice President - Development
Dennis K. Beran, CIA, CCSA, CPA, CFE
JCPenney Company, Inc.
Treasurer
Stephen W. Minder, CIA
Archer Daniels Midland Company
Secretary
Oliver Ray Whittington, Ph.D., CIA
DePaul University
Members
Mark Hamill
Protiviti Inc.
Michael A. Herzog
Ernst & Young LLP
Robert B. Hirth, CPA, CA
Protiviti Inc.
Howard J . J ohnson, CIA, CPA.
Michael Lickteig, CIA, CCSA
Susan J. Komen Breast Cancer Foundation
Marjorie A. Maguire-Krupp
American International Group
Wayne G. Moore, CIA, CPA
J ohannes (Hans) Nieuwlands
NUON
Sridhar Ramamoorti, Ph.D., CIA, CPA, CFE,
CFSA, CGAP
Grant Thornton Chicago
Gregory C. Redmond
Chevron Corporation
Paul J. Sobel, CIA, CPA
Mirant Corporation
Jay R. Taylor, CIA
General Motors Corporation
WilliamL. Taylor, CPA, CGFM
Donald E. Tidrick, Ph.D., CIA
Northern Illinois University
Susan D. Ulrey
KPMG LLP
Anton B. van Wyk, CIA, CFA
PricewaterhouseCoopers LLP
Shi Xian
Nanjing Audit University
Douglas Ziegenfuss, Ph.D., CIA, CCSA
Old Dominion University
The IIA Research Foundation
Board of Research and Education Advisors
Chairman
Robert B. Foster, CFE, Fidelity Investments
Vice Chairman
Susan D. Ulrey, KPMG LLP
Members
George R. Aldhizer III, Ph.D., CIA, Wake Forest
University
Lalbahadur Balkaran, CIA, FCMA, KPMG LLP
Kevin W. Barthold, CPA, CISA, San Antonio Credit
Union
Edmund Beemer, Hudson
Thomas J . Beirne, CFSA, CPA, CBA, Protiviti Inc.
Audley L. Bell, CIA, CPA, CFE, CISA, Habitat for
Humanity International
Iva Cerna, CIA, Zentiva a.s.
Thomas J. Clooney, CCSA, CPA, CBA, CSP, KPMG
LLP
Kathryn Constantopoulos, Deloitte & Touche LLP
J ean Coroller, Ernst & Young LLP
Mary Christine Dobrovich, Jeffersonwells
International
Helen Dozois, CIA, Burger King Corporation
Susan Page Driver, CIA, CPA, CISA, Comptroller
of Public Accounts
Donald A. Espersen, CIA, CBA, despersen &
associates
Gareth Evans, MIIA, United Kingdom
Philip E. Flora, CIA, CCSA, CFE, CISA, Texas
Guaranteed Student Loan
J ohn M. Furka, CPA, Brown Brothers Harriman &
Co.
J ohn C. Gazlay, CPA, CCP, Freddie Mac
Dan B. Gould, CIA, JCPenney Company, Inc.
Peter M. Hughes, Ph.D., CIA, CPA, CFE, Orange
County
Ronald W. Lackland, University of Central England
Richard B. Lanza, CPA, Cash Recovery Partners
LLC
David J. MacCabe, CIA, CGAP, Teacher Retirement
System of Texas
Gary J. Mann, Ph.D., CPA, University of Texas at El
Paso
Trevor B. Martin, National Oilwell Varco
Gary R. McGuire, CIA, CPA, Lennox International
Inc.
J ohn D. McLaughlin, Smart and Associates LLP
Steven S. Mezzio, CIA, CCSA, CFSA, CPA, CISSP,
CBA, Resource Connection
Anna Rebecca Nicodemus, CIA, CPA, CFE, Belo
Corporation
Claire Beth Nilsen, CFSA, CRCM, CFE, CRP,
Yardville National Bank
J acob Nuss, Israel Aircraft Industries Ltd.
Daniel Pantera, The Methodist Hospital
Mark R. Radde, CIA, CPA, Buffets Inc.
M. Rajeshwaran, EID Parry India Ltd.
Alan Reinstein, Ph.D., CPA, PBA, Wayne State
University
David G. Royal, Texas Department of Insurance
Mark L. Salamasick, CIA, CISA, CDP, CSP,
University of Texas at Dallas
J esus Antonio Serrano Nava, CIA, Banco Azteca
Katherine E. Sidway, Ernst & Young LLP
J ames G. Swearingen, CPA, Weber State University

CBOK Combined

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CBOK Combined

Uploaded by

Copyright:

Available Formats

_________________________________________________________ Table of Contents 1

You might also like