achieving high performance in internal audit...a truly independent and objective internal audit...

Achieving High Performance inInternal Audit Australia 2009

©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page1

Executive Summary 4

About this Study 7

Authority, Independence and Mandate 8

Challenges and Trends 13

Quality 17

Internal Audit Resources and Competencies 20

Enablers and Technology 24

Outcomes 27

Contents

Graphs

About this Study

Graph 1 Organisations by type 7

Graph 2 Organisations by size 7

Graph 3 Organisations by industry 7

Graph 4 Organisations by State 7

Authority, Independence and Mandate

Graph 5 Who appoints and removes the CAE? 9

Graph 6 Appointment and removal of CAE

by sector 9

Graph 7 Setting the remuneration and bonus

by sector 10

Graph 8 Evaluating performance of the CAE 10

Graph 9 Approving internal scope and budget 11

Graph 10 Composition of the audit committee 11

Graph 11 CAE meeting privately without

management 12

Challenges and Trends

Graph 12 Change in structure and direction

of internal audit in last 3 years 14

Graph 13 Change in scope of internal audit

in last 3 years 14

Graph 14 Change in scope of internal audit

in next 3 years 15

Graph 15 Emerging priorities in next 3 years 16

Graph 16 Impact of the global financial crisis

on internal audit activity 16

Quality

Graph 17 Ensuring quality in internal audit 18

Graph 18 Level of compliance with the Standards 18

Graph 19 Level of compliance with the Standards

by sector 18

Graph 20 Last external quality assessment review 19

Graph 21 Last external quality assessment by

number of staff in internal audit 19

Internal Audit Resources and Competencies

Graph 22 Number of FTE personnel in internal

audit 21

Graph 23 Unfilled demands for technical skills 21

Graph 24 IA capabilities and needs 22

Enablers and Technology

Graph 25 Relationship between the internal iudit

and risk management functions 25

Graph 26 Relationship between the internal audit

and risk management functions 25

Graph 27 Functionality provided by the primary

tool and its usefulness 26

Outcomes

Graph 28 Extent of reliance by external auditor 28

Graph 29 KPIs used to measure internal audit performance

29

Graph 30 Providing assurance opinions 30


Christopher McRostieChief Executive Officer

The Institute of Internal AuditorsAustralia

Welcome to the 2009benchmarking study.

The IIA’s vision for theprofession is for it to be universally recognised, trustedand respected as the leading provider of assurance andadvice on risk management, internal control andgovernance, and this study provides some usefulsignposts for all of us in achieving that goal.

In reading the results, I am struck by two things.

Firstly, the significant majority of internal auditfunctions have moved from under the wing of thefinance function and into the spotlight of the CEO andaudit committee. This is a great achievement, but is alsoa double edged sword and not to be taken lightly.Pressures on CEOs and non-executive directors continueto evolve, and we must keep pace with them if we are to meet expectations. As a profession, internal auditmust be an intellectual exercise and strong engagementwith leading CEOs and audit committees will help usachieve this.

Unfortunately, too many internal audit functions are stillreporting to the CFO or a level of management whichcan compromise internal audit independence. In this dayand age, it is simply not appropriate and rightly, questionsneed to be asked of these organisations as to why theythink that this is acceptable.

Secondly, while the survey shows that there is almostuniversal acceptance that factors like adherence to theIIA Standards, independent quality assessments, activemembership of relevant professional bodies andappropriate qualifications are important, we still have

a long way to go with putting them into practice.Anyone holding themselves out to be an internal auditorneeds to assess themselves against these factors, if weare to be taken seriously as a profession.

I would like to thank Protiviti for all of their work inputting the study together – this project would not havebeen possible without them. Importantly, I would alsolike to thank those who participated, and wish you allwell as we strive to be universally recognised as trulyworld-class in all that we do.

Christopher McRostieCEO, The Institute of Internal Auditors

Key Messages


Gary AndersonManaging Director

Protiviti

Protiviti is pleased to supportthis important study thatprovides useful insights into thestate and direction of the

internal audit profession in Australia.

The study encouragingly shows that the role of internalaudit is expanding, with the vast majority of organisationshaving increased the scope of their internal auditactivity in recent years. Challenging economic timesdemand more vigilant governance and it is appropriatethat organisations are using internal audit to reviewtheir operations more extensively.

It is also clear that the financial crisis has promptedmany organisations and their internal auditors to sharpentheir focus on risk management and mitigation. In thisenvironment, internal auditors need to be proactive anduse their expertise to assist boards and management tosteer their organisations through difficult times.

The growing importance that organisations are placingon internal audit has been attributable in part to therising professionalism of internal auditors. A significantmajority of internal auditors now recognise that the bestway to ensure quality in their internal audit activity isby complying with the International Standards for theProfessional Practice of Internal Audit (‘the Standards’).Moreover, a large number of internal auditors areconsistently updating their skills through continuingeducation programs available through their membershipwith the Institute of Internal Auditors (IIA).

Still, with less than half of organisations currently fullyadhering to the Standards, there is some way to gobefore the profession achieves its goal of full, across theboard compliance. This is clearly an area the professionmust work on if it hopes to further enhance its standingwith senior decision-makers and other stakeholders.

Key Messages

Another major issue emerging from the study is thatsenior executives such as the Chief Financial Officer areexerting too great an influence over the internal auditfunction to the point where the objectivity andindependence of the internal audit risks are beingcompromised.

Best practice dictates that decisions relating to the hiringand firing, remuneration and performance of the Head ofInternal Audit must ultimately rest with the AuditCommittee Chair. Substantive reporting lines for theHead of Internal Audit must also lead to the AuditCommittee Chair.

Directors should recognise that for internal audit to be asource of reliable information to help the board meet itsgovernance duties, it must not be captured by management.Internal auditors and Audit Committee Chairs shouldstrive to ensure that internal audit charters reflect thesefundamentals. Internal audit professionalism is againrelevant, as the greater the value and expertise boardsperceive in their internal audit function, the moredisposed they will be to champion their independence.

Gary AndersonManaging Director, Protiviti


Executive Summary


Authority, Independence and MandateInternal audit encompasses much more than traditionalfinancial auditing. It is rapidly becoming an arm of theboard that provides independent assurance over themanagement of business risks. To be effective, thisfunction needs to be free from undue managementinfluence. Yet, according to our research, internal audit’sfunctional reporting line to the board, or equivalentgoverning body, is compromised by excessive influencefrom executive management.

For example, the Chief Financial Officer is the finaldecision-maker in listed companies for:• appointing or removing the Chief Audit Executive (CAE) –

15%

• evaluating the CAE’s performance – 27%

• approving the scope of the organisation’s internalaudit – 21%

This is clearly out of line with contemporary and betterpractice.

However, there are a number of encouraging practices inthis area including:• 64% of listed companies stated that their audit

committee chair is the final decision-maker for theappointment or removal of the CAE

• 58% of government organisations reported that theirchief executive or equivalent is the final decision-maker for CAE appointments and removals

• 64% of listed companies stated that their auditcommittee chair is the final decision-maker for theapproval of the internal audit function’s scope andbudget.

An ongoing relationship between the audit committeechair and the CAE is essential to good governance. Yet,one third of CAEs do not hold private meetings with theaudit committee chair and/or the audit committee.

While best practice is now increasingly the norm, thereis still room for improvement particularly for listedcompanies. In the public sector, good practice isdemonstrated by the fact that the internal audit functionin a significant proportion of organisations reports tothe chief executive equivalent or the audit committee.The challenge for the public sector is to ensure that

Internal Audit: Accelerating StrongGovernanceRecent research conducted by Protiviti and the Instituteof Internal Auditors – Australia (IIA) with chief auditexecutives from over 150 organisations in the public andprivate sectors highlights that organisations mustaddress a number of issues to enable their internal auditfunction to more effectively advance good corporategovernance.

Specifically the research found:• a significant number of internal audit functions

lacked the appropriate framework to operateindependently and objectively

• an excessive level of influence is exercised byexecutive management over audit committeeactivities and the oversight and management of theinternal audit function

• the majority of internal audit functions are unable to demonstrate compliance with the InternationalStandards for the Professional Practice of InternalAuditing (Standards).

As you review this report, you should ask yourself:

• Are the governance structures for your internal auditfunction sufficient to allow your organisation to havea truly independent and objective internal auditfunction?

• How is your organisation placed to respond to theemerging trends facing internal auditors?

• How are you driving quality in your internal auditfunction and is it aligned to the Standards?

• How are you addressing key competency gaps withinyour internal audit function?

• Is Internal Audit really meeting the needs of yourstakeholders?

Executive Summary


It is also noteworthy that government (49%) and not-for-profit organisations (44%) out-performed theirprivate sector counterparts with respect to compliancewith the Standards.

An effective way of ascertaining the level of compliancewith the Standards is through subjecting the internalaudit function to an External Quality Assessment asrequired in Standard 1310. Yet less than half (43%) ofthe respondents had under taken this exercise in the lastthree years. This raises questions about the quality ofwork performed by some internal audit functions andmay reflect the fact that some organisations are willingto undergo an external quality assessment where theyare aware they do not fully comply with the Standards.

Internal Audit Resources andCompetenciesOrganisations identified a need for greater internal auditresources in three key areas:• IT – 45%

• Risk Management – 33%

• Operations – 26%

In addition, respondents noted that their internal auditteam would be more effective with enhancedcompetencies in:• Continuous Auditing

• Data Analysis

• Marketing of the Internal Audit Function

These findings are consistent with those from a 2009international internal audit study focussed predominantlyon the United States, United Kingdom and Europe, wheresimilar skillset requirements were identified:• Continuous Auditing and Computer Assisted Audit

Techniques (CAATs)

• Data Analysis Tools

• Fraud Monitoring.

audit committees work effectively and provide sound andindependent stewardship when an independent board isnot present.

Challenges and TrendsThe following five areas were noted by surveyrespondents as emerging priorities for internal auditfunctions over the next three years:• Risk Management Attestation

• IT

• Major Projects Implementation

• Fraud and

• Core Financial Controls

These priorities are largely consistent across all sectorsand organisation sizes. As internal audit is increasinglyexpected to sign off on risk processes, risk managementattestation has accordingly become a top priority. Theeconomic downturn has also led to increased fraud riskas business cost-cutting curtails fraud preventionactivities while the motivation to commit fraud has risen in step with personal financial pressures.

QualityWhen asked whether their organisations’ internal auditactivity met quality benchmarks, 87% of respondentsindicated they ensure quality through compliance withthe Standards. However, on average only 42% revealedthey were fully compliant and 50% were only partiallycompliant. Partial compliance may suggest thatorganisations are choosing to comply with the lessdemanding elements of the Standards rather than themore significant and challenging ones.

Executive Summary


Organisations by type - Graph 1

• Data was collected from over 150 organisations.

• Participants in the survey included listed companies(37%), unlisted private companies (14%), federal,state and local government agencies (42%) and not-for-profit organisations (6%).

Organisations by size - Graph 2

• Small and medium organisations represented just overhalf of the respondents (54%).

• Almost one-third of respondents (32%) indicatedrevenues and/or budget exceeding AUD $1 billion.

Organisations by industry - Graph 3

• The public sector represented the largest single sectortaking part in the survey (38%).

• This was followed by the financial services (20%) andresources/utilities industries (14%).

Organisations by state - Graph 4

• Information was collected across each of the six statesand the Australian Capital Territory.

• The highest proportion of respondents came from NewSouth Wales (31%), followed by Victoria (21%) andQueensland (17%).

• A small proportion of respondents were residentoutside Australia (3%).

About this StudyThe study includes a diverse range of sectors and organisations. Participants invited to take part in the survey earlier this year were Chief Audit Executives (CAE) who are current members of the Institute of Internal Auditors-Australia (IIA).

14%

6%

1%

37%

42%

14%

32% 23%

31%

38%

7%

20%

14%

10%

5%6%

17%

12%

12%31%

21%

3%3% 1%

Graphs 1-4: Organisational graphs

� Listed Company� Unlisted Private

Sector or Company� Government� Not For Profit� Service Provider

� Small $0 to $100m� Medium $100m to $500m� Large $500m to $1b� Very large > $1b

� Financial Services� Resources and Utilities� Consumer Products and

Retail� Construction and

Manufacturing� Government� Not For Profit� Other

� NSW� VIC� QLD� ACT� WA� SA� Outside Australia� TAS

1

2

3

4


Authority, Independence andMandate


Appointment and removal of the Chief Audit Executive(CAE) – Graph 5 & 6

• In the majority of listed companies, the AuditCommittee Chair is responsible for the appointmentand removal of the CAE (64%).

• Of concern is the fact that in many listed companies,the Chief Financial Officer (CFO) is responsible forCAE appointments and removals (15%).

• In Government organisations, the Chief Executiveequivalent bears this responsibility (58%).

Authority, Independence and MandateInternal audit’s role in the governance process is optimised when the internal audit is independent frommanagement and reports to individuals with no perceived motivation to limit the scope of internal audit activities. A direct reporting line to the audit committee is best practice. Yet, the study indicates that internal audit’sfunctional independence is compromised by excessive influence from executive management on key matters such asappointments, performance evaluation, work scope and budgeting.

36%35%

14%4%

4%2% 3%2%

Graph 5: Who appoints and removes the CAE?

(all sectors)

Perc

enta

ge %

0

10

20

30

40

50

60

70

80

08

110

Other0 0

80

Division Head5 0 0 0

Chief RiskOfficer

4 0 2 0

CompanySecretary /

General Counsel(or equivalent)

15

0 0 0

Chief FinancialOfficer (orequivalent)

18

45

58

33

Chief ExecutiveOfficer

64

32

23

33

Audit CommitteeChair

11

2317

33

Board

Not For ProfitGovernmentUnlistedListed

Graph 6: Appointment and removal of CAE by sector *

� Board� Audit Committee Chair� Chief Executive (or equivalent)� Chief Financial Officer (or equivalent)� Company Secretary/General Counsel (or equivalent)� Chief Risk Officer� Division Head� Other

* Percentages may exceed 100% as respondents provided more than one final decision-maker.



Setting the remuneration and bonus of the CAE – Graph 7

• The Chief Executive (or equivalent) is primarilyresponsible for setting the remuneration and bonus ofthe CAE across all sectors.

• In listed companies, one-quarter (25%) of CFOsperform this function, despite this being contrary torecommended practice.

Evaluating the performance of the CAE – Graph 8

• The Chief Executive (or equivalent) and the AuditCommittee are responsible for evaluating theperformance of the CAE across all sectors.

• In listed companies, the CFO (27%) and the ChiefRisk Officer (11%) are the final decision-makersregarding CAE performance, again contrary torecommended practice.

Perc

enta

ge %

0

10

20

30

40

50

60

70

80

5

1521

17

Other

40 5 0

Division Head

7 0 0 0

Chief RiskOfficer

110 3 0

CompanySecretary /


25

5 30


38

55

6256


2118

11

33


914 12

0

Board


Graph 7: Setting the remuneration and bonus by sector *

Perc

enta

ge %

0

10

20

30

40

50

60

70

80

2 8 7 0

Other

40

10

22

Division Head

110 0 0

Chief RiskOfficer

7 0 3 0

CompanySecretary /


27

90 0


23

5551

44


36

2329

33


5 09 11

Board


Graph 8: Evaluating performance of the CAE *



Approving the scope and budget of internal audit – Graph 9

• In almost two-thirds (64%) of listed companies, theAudit Committee approves the scope and budget ofthe internal audit function.

• 21% of CFOs in listed companies have thisresponsibility, again contrary to recommendedpractice.

Composition of the audit committee – Graph 10

• Almost all of the organisations that responded to thestudy have an audit committee or equivalent bodyacting in that capacity, which is encouraging.

• However, almost one half (43%) reported that theiraudit committee does not have an independentchairperson. In addition, 22% stated that their auditcommittee consists largely of executive management.

• 20% of listed company audit committees do not havean independent chairperson, which is contrary torecommended practice.

Authority, Independence and MandatePe

rcen

tage

%

0

10

20

30

40

50

60

70

80

5 0 3 0

Other2 0 5

11

Division Head0 0 0 0

Chief RiskOfficer

0 0 0 0

CompanySecretary /


21

08

0


16

5046 44


64

50

3833


2 5

1722

Board


Graph 9: Approving internal scope and budget *

Perc

enta

ge %

0

10

20

30

40

50

60

70

80

1No audit

committeein place

22

Auditcommitteemade upprimarily

of executives(management)

1No audit

committee,function is

servedby the full

Board

2No audit

committee,function isserved by asimilar sub-committeeor the Board

71

Majority/allindependent

members

57

IndependentChairperson

Graph 10: Composition of the audit committee




Private meetings without management – Graph 11

• The holding of private meetings between the CAE andAudit Committee without management present, is acritical element of an independent internal auditfunction.

• Almost one-third of CAEs (31%) do not hold privatemeetings with the audit committee. This is consistentthroughout all sectors and across medium to largeorganisations.

• In almost half (45%) of smaller organisations withturnover less than $100m, the CAE does not meetprivately with the audit committee in the absence ofmanagement.

Perc

enta

ge %

0

10

20

30

40

50

60

70

80

45

33

2420

No

1215 14

9

Yes, private session withthe full Audit Committee

27 28

38 39

Yes, private session withAudit Committee Chair

15

24 24

33

Yes, separate privatesessions with Audit

Committee Chair and thefull Audit Committee

>1b500m-1b100m-500m0-100m

Graph 11: CAE meeting privately without management


Change in structure and direction of internal audit in last 3years – Graph 12

• The level of change in the structure and direction ofthe internal audit function was significant for almosthalf (43%) of Australian organisations.

Change in scope of internal audit in last 3 years – Graph 13

• Assurance on risk mitigation and operational auditswere areas that saw an increase – 69% and 67%respectively.

• Financial process audits did not change in 40% oforganisations.

Challenges and TrendsInternal audit is a long-standing but rapidly evolving profession, with increasing demands on the extent and scopeof work performed. This poses challenges for the profession in meeting new expectations while not losing sight oftraditional core areas.

Perc

enta

ge %

0

10

20

30

40

50

60

70

80

2Do not know

43

Significant change -significant changein structure, role

&/or reporting lines

31

Moderately stable - some changein these areas

24

Highly stable -no major changesto structure, role,reporting lines

Graph 12: Change in structure and direction of internalaudit in last 3 years

0 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Percentage %

Assurance onRisk Mitigation

Consulting/Advisory

Compliance audits(laws, regulations,

and policy)

Operationalaudits lists

Financial Process audits(including external

audit support)

Overall size ofplan (days)

12 28 47 22

2 5 35 40 19

1 13 35 41 9

1 6 26 47 20

4 16 40 28 11

2 6 24 41 28

Significantly increased

Somewhat increased

No change

Somewhat decreased

Significantly decreased

Graph 13: Change in scope of internal audit in last 3 years



Change in scope of internal audit in next 3 years – Graph14

• Almost three-quarters of organisations (73%) expectthat assurance on risk mitigation will increase overthe next 3 years.

• Financial audits are likely to stay at the same levelsfor just over half or the organisations (54%).

0 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Percentage %

Assurance onRisk Mitigation

Consulting/Advisory

Compliance audits(laws, regulations,

and policy)

Operationalaudits lists

Financial Process audits(including external

audit support)

Overall size ofplan (days)

1 3 24 55 18

1 4 30 49 16

8 45 38 9

1 6 39 39 15

2 10 54 26 8

1 5 39 40 15

Significantly increased

Somewhat increased

No change

Somewhat decreased

Significantly decreased

Graph 14: Change in scope of internal audit in next 3 years


Emerging priorities for internal audit in the next 3 years –Graph 15

• The top five areas nominated as emerging prioritiesover the next 3 years are risk managementattestation, IT, major project implementations, fraudand core financial controls.

• These priorities are consistent across all sectors andorganisation size.

Impact of the Global Financial Crisis (GFC) on internalaudit activity – Graph 16

• Almost half of organisations (42%) indicated that theGFC would have no material impact on their internalaudit activity at the time of the survey.

• Over one-third (36%) stated that the internal auditbudget would face cost pressures as a result of theGFC.

• More than half indicated significant additionaldemands, with 33% indicating their scope includednew areas or areas brought forward and 21%indicating a change in control environment.

Challenges and TrendsPe

rcen

tage

%

0

10

20

30

40

50

60

70

80

5Other

11

The new ASXPrinciple 7(updated

during 2007)

14

Market/commodity

riskexposure

16

Treasury

21

Credit riskexposure

32

Emissionsreporting

andCarbon Pollution

Reduction Scheme

53

Core financialcontrols

61

Fraud

62

Major projectimplementation

66

IT

72

RiskManagementAttestation

Graph 15: Emerging priorities in next 3 years

Perc

enta

ge %

0

10

20

30

40

50

60

70

80

21

Change incontrol

environmentas a result

of restructuring

3

Other(please specify)

33

New areas/areas broughtforward on

the audit plan

36

Cost pressureson the internalaudit budget

42

No materialimpact

Graph 16: Impact of the global financial crisis oninternal audit activity


Quality


Ensuring quality in internal audit – Graph 17

• Respondents in the majority of organisations revealed(87%) that the best way to ensure quality in theirinternal audit activity was to comply with theInternational Standards for the professional practiceof Internal Audit (Standards).

• Internal audit team members were encouraged to bemembers of the IIA by almost 8 out of 10organisations (79%).

Level of compliance with the Standards – Graphs 18 & 19

• Despite acknowledgement of the importance ofadherence to the Standards, less than half (42%) ofrespondents indicated they fully complied with theStandards, with 50% indicating partial compliance,2% not complying and 6% unsure.

• The level of compliance with the Standards wasrelatively consistent across all sectors andorganisation size.

• The government and not for profit organisationsindicated a higher level of full compliance (49% and44%) than listed and unlisted companies (33% and38%).

QualityThis section asked participants to indicate how they ensured quality and professionalism in their teams andfunctions. Surprisingly, despite seeing the importance of membership, certification, quality programs and compliancewith the Standards, these requirements are still not universally applied.

Perc

enta

ge %

0

10

20

30

40

50

60

70

80

100 3

12

Do not know2 5 2 0

Not inCompliance

55 57

46 44

PartialCompliance

3338

4944

FullCompliance


Graph 19: Level of compliance with the Standards by sector

Perc

enta

ge %

0

10

20

30

40

50

60

70

80

90

43

IA StaffCertification

(CIA)

10

Other

31

ReportsSigned Off

by CIA

55

QualityProgram(ISPPIA

Standard 1310)

79

IA StaffMembership

(IIA)

87

Compliancewith

IIA theStandards

Graph 17: Ensuring quality in internal audit

6%

42%

50%

2%

Graph 18: Level of compliance with the Standards

� Full Compliance� Partial Compliance� Not in Compliance� Do Not Know


Last external quality assessment review – Graphs 20 & 21

• The Standards require quality assessment of theinternal audit function at least every five years withinternal quality processes to be performed on anongoing basis.

• Less than half (43%) of respondents had undertakenan external quality assessment within the last 3years.

• One-fifth had completed an assessment within thelast 12 months.

• Organisations with less than five internal audit staffwere less likely to have undertaken an externalassessment.

• 43% of respondents had never completed an externalquality assessment.

QualityPe

rcen

tage

%

0

10

20

30

40

50

60

70

80

6Do notknow

43

Nevercompleted

1More than5 years

ago

64-5 years

ago

23

1-3 yearsago

20

Withinthe last

12 months

Graph 20: Last external quality assessment review

Perc

enta

ge %

0

10

20

30

40

50

60

70

80

3 95 0

Do not know

58

3934

14

Never completed1 0 0 0More than 5years ago

7 08 7

4-5 years ago

20

35

2629

1-3 years ago

1117

26

50

Within the last12 months

>20 staff11-20 staff6-10 staff1-5 staff

Graph 21: Last external quality assessment by number of staff in internal audit

Internal Audit Resources andCompetencies



Number of full time equivalent (FTE) personnel in internalaudit – Graph 22

• Almost 60% of organisations employed between oneand five FTE staff in their internal audit department.

• The average number of full time internal audit employeesin an in-house capacity was five and the averagenumber of FTE personnel either in-house or externalwas seven.

Unfilled demand for key technical skills – Graph 23

• The top three technical skills in greatest demandwere IT (45%), risk management (33%) andoperations (26%).

• While financial and accounting skills are still indemand, this is now exceeded by demand for projectmanagement skills.

Internal Audit Resources and CompetenciesAs internal audit’s scope and remit continues to broaden, skills, resources and competencies need to evolve to keep apace. This section outlines key findings in this area.

Perc

enta

ge %

0

10

20

30

40

50

60

70

80

11

>20

316 - 20

911 - 15

19

6 - 10

58

1 - 5

Graph 22: Number of FTE personnel in internal audit

0 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Percentage %

Treasury andFinance

Operations

RiskManagement

Environment andSustainability

ProjectManagement

IT Skills

Financial andAccounting

14 28 30 10 3 14

13 17 36 19 7 9

10 15 33 25 8 8

17 29 26 8 2 17

12 15 44 16 6 8

10 9 29 33 12 7

15 27 31 12 105

Very High Demand

Not Applicable

High Demand

In Demand

Low Demand

Very Low Demand

Graph 23: Unfilled demands for technical skills



Internal audit team competencies and areas forimprovement – Graph 24

• Respondents were asked to assess, on a scale of oneto five, their team’s competency in 25 areas oftechnical knowledge important to internal audit, withone being the lowest competency and five being thehighest. They were then asked to indicate whetherthey believed their team possessed adequatecompetencies or if there was room for improvement,taking into account the circumstances of theirorganisation and industry.

• Respondents indicated that their teams would bemore effective with enhanced competencies in 1)continuous auditing, 2) data analysis and 3) marketingof the internal audit function (top right quadrant).

• These findings are consistent with those from a 2009international internal audit study focussedpredominately on the United States, United Kingdomand Europe, where similar skill deficiencies wereidentified, namely continuous auditing, data analysistools and fraud monitoring.

Low

erH

ighe

r

Lower Higher

Com

pete

ncy

Need to Improve

Graph 24: IA capabilities and needs

A Financial ReviewB Compliance with RegulationsC Compliance with ASX Principle 7D Operational ReviewE External Audit AssistanceF Risk Management AssuranceG Operational EfficiencyH Revenue EnhancementI FraudJ Anti-Money LaunderingK Culture AssessmentL Mergers and AcquisitionsM Governance StructuringN Continuous AuditO Data AnalysisP Self Assessment TechniquesQ Developing RecommendationsR Internal Quality Assessment (ongoing)S Internal Quality Assessment (periodic)T External Quality AssessmentU Marketing Internal AuditV Planning Audit StrategyW Presenting to Audit CommitteeX Report WritingY Resource Management


Chief Audit Executive competencies and areas forimprovement

• Respondents were asked to assess on a scale of oneto five – with one being the lowest competency andfive being the highest – their competency in 16 typesof Personal Skills and Capabilities.

• They were then asked to indicate whether theybelieved their competency level was adequate or inneed of improvement, taking into account thecircumstances of their organisation and the nature oftheir industry. Listed on this page are the 16 PersonalSkills and Capabilities.

• Developing outside contacts and networking wasidentified as the top area for improvement followedin second place by the need to improve leadershipwithin the internal audit profession.

• The need to develop other Board Committeerelationships was the third most important skill toimprove. This is broadly comparable with the findingsof the aforementioned 2009 international internalaudit survey where developing relationships withother Board members has been the top priority forseveral years.

• Even though respondents reported relatively highcompetency levels in most of the top-ranked skillsand capabilities, the findings nevertheless suggestthat further improvement is essential as these areasremain key priorities.

Internal audit certification

Respondents were asked whether they were accredited asa Certified Internal Auditor (CIA). Almost half (48%)were not while 35% of respondents were CIA-certified.The remainder (17%) had intentions to become CIAqualified in the future.


Needs to Personal Skill CompetencyImprove Rank & Capabilities (5 pt scale)

1 Developing outside 3.8contacts/networking

2 Leadership (within 3.4the IA profession)

3 Developing other 3.7Board Committeerelationships

4 Time management 3.9

5 Strategic thinking 4.2

1 = Change Management2 = Coaching/Mentoring3 = Creating a learning IA function4 = Developing Audit Committee relationships5 = Developing other Board Committee relationships6 = Developing rapport with senior executives7 = Developing outside contacts/networking8 = Leadership (within your organisation)9 = Leadership (within the IA profession)10 = Negotation11 = Personnel performance evaluation12 = Presenting (small groups)13 = Persuasion14 = Strategic thinking15 = Time management16 = Written communication


Relationship between the Internal Audit and RiskManagement functions – Graphs 25 and 26

• Almost one fifth (19%) of respondents indicatedthere was either no risk management function at allwithin their organisation or that internal audit wasfacilitating aspects of the risk management work.

• The larger the organisation, the greater the likelihoodthat risk management and internal audit wouldoperate as separate functions with different reportinglines. Over half (53%) of companies with revenuesover $1 billlion had completely separate internalaudit and risk management functions with differentreporting lines. By contrast, only 21% oforganisations with revenues of less than $100 millionseparated their risk management and internal auditfunctions.

Enablers and TechnologyThe efficiency of the internal audit function can be enhanced with the support of appropriate frameworks andtechnology solutions. This section outlines findings in this area.

Perc

enta

ge %

0

10

20

30

40

50

60

70

80

1Other

4

No riskmanagementfunction -InternalAudit not

charged withresponsibility forrisk management

15

No riskmanagementfunction -Internal

Audit facilitatesaspects of this

23

Integratedfunction

18

Separateunits withcommonleadership

reporting lines

39

Completelyseparate

with differentreporting lines

Graph 25: Relationship between the internal audit andrisk management functions

Perc

enta

ge %

0

10

20

30

40

50

60

70

80

30 0 0

Other4 5 0 5

No riskmanagementfunction -

Internal Auditnot charged withresponsibility forrisk management

17

26

115

No riskmanagementfunction -

Internal Auditfacilitates

aspects of this

38

2126

16

Integratedfunction

21

13

21 21

Separate units with common

leadershipreporting lines

21

32

42

53

Completelyseparate

with differentreporting lines

>1B 500M - 1B100M - 500M0 - 100M

Graph 26: Relationship between the internal audit and risk management functions


Functionality provided by technology solutions – Graph 27

• Automated work papers, on-line review and sign-offwere considered to be the most useful (39%)functionalities provided by the primary internal auditsoftware tool. This was followed by action tracking(37%) and data analytics (30%).

• Resource scheduling and time recording wereconsidered to be the most problematic functions(6%).


0 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Percentage %

Resource Schedulingand Time Recording

Automated Work Papers,Online Review and

Sign Off

RiskRegister

Web Support/Information Modules

Control SelfAssessment

Action Tracking andEmail Follow-ups

Team Collaboration

Integrated withother Systems

Extensive ManagementReporting

Continuous ControlMonitoring

Data Analytics30 27 6 4 2310

14 23 10 4 3316

16 26 14 3 2616

11 21 4 3 3624

37 13 6 4 2317

20 17 4 4 3420

13 17 6 4 3921

24 29 11 4 247

39 16 6 3 2710

14 20 4 6 3323

17 26 3 3619

Very Problematic

Not Applicable

Somewhat Problematic

No Impact

Somewhat Useful

Very Useful

Graph 27: Functionality provided by the primary tool and its usefulness

Internal Audit methodology

• 42% of respondents used an in-house internal auditmanual, while 31% used the IIA’s methodology.

• 95% of respondents indicated that the internal auditplan was based on a formal risk identification andassessment undertaken within their organisation, asrequired by the Standards.

Computer assisted Audit Techniques (CAATs) and softwaretools

• Almost two-thirds (62%) used CAATs on an ad-hocbasis with limited use on specific projects.

• Over half (57%) indicated they used audit softwaretools and of those, the majority (75%) used ‘off theshelf’ tools.

Outcomes



Reliance by external auditor – Graph 28

• A coordinated approach between internal andexternal auditors prevents duplication of effort andpresents a holistic assurance plan to the auditcommittee. It also enables greater reliance to beplaced on internal audit work.

• Coordinated approaches were more common in thegovernment sector (55%) where Federal and StateAuditor Generals provided the external audit servicethemselves, or oversaw the outsourcing of theexternal audit to an appropriate audit provider.

• In one in ten listed companies and 15% of unlistedcompanies, the external auditor placed no reliance onthe work of the internal audit team.

OutcomesFor the value of the internal audit function to be understood by the organisation, appropriate accountabilityframeworks must be in place for internal audit so that results are achieved and communicated in a transparent way.This section outlines key findings in this area.

Perc

enta

ge %

0

10

20

30

40

50

60

70

80

1015

6 0

No reliance

49

40 40

63

Limited reliance in a smallnumber of specific areas

4145

55

30

Coordinated approach withhigh degree of reliance

placed on IA work

Not for ProfitGovernmentUnlistedListed

Graph 28: Extent of reliance by external auditor


Outcomes

Key Performance Indicators (KPI) for internal audit – Graph29

• A broad range of KPIs were used to measure theperformance of Internal Audit.

• The percentage of audits completed was the mostcommon KPI to measure internal audit performance(59%).

• Another key measure was recommendations acceptedand implemented (56%).

0 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

2%Auditing related cost to support cost ratio4%Staff transferred to/from the business4%Other

7%None – we do not track KPIs9%$ cost savings and/or $revenue generated9%Budgeted IA headcount Vs actual10%Number of material events/breaches/high risk findings identified

12%Staff turnover

15%Number of qualified staff eg. CA, CPA, CISA, CIA etc16%Training hours (total or Vs budget)

22%Reliance by external audit on the internal audit activity25%Completion of overdue audit issues26%Post-implementation results on implemented recommendations27%Number of management requests for internal audit projects28%Audit committee ratings/scores28%Staff satisfaction scores eg. through staff survey

40%Cycle time from entrance meeting to draft report42%Percentage of planned audits completed on time

45%Auditee service service scores eg. via post audit survey of auditee46%Budgeted IA costs Vs actual

56%Recommendations accepted/implemented59%Percentage of planned audits completed

Graph 29: KPIs used to measure internal audit performance


Reporting

• Accountability was mixed for monitoring correctiveaction – see table on left.

• Almost three-quarters (73%) of respondents indicatedthat internal audit has the primary responsibility forreporting the status of audit issues/recommendations.

• Over half (53%) used software such as spreadsheetsor a database to track audit issues. One-fifth had adedicated tracking system, while the same proportionused manual processes.

• Half of respondents indicated that Internal Auditused both issue rankings and report gradings tohighlight significant findings from their review.

• Almost one quarter (23%) indicated that reportformats and approaches had undergone major orsubstantial changes with the majority (60%)indicating moderate changes.

Providing assurance opinions – Graph 30

• Internal audit is increasingly being asked to provideaudit opinions. Respondents reported that themajority of opinions provided were positive andcapable of confirming reasonable assurance.

• Almost one-third of listed companies (29%) did notprovide assurance opinions.

Outcomes

Monitoring Primarycorrective action responsibilitytaken and resolution reporting the of audit issues/ status of recommendations audit issues/

recommendations

Management 26% 11%

Internal Audit 32% 73%

Both 41% 16%

Other 1% 0%

Perc

enta

ge %

0

10

20

30

40

50

60

70

80

0 54

13

Don’t know

29

21 21

0

No opinions

12

0

15 13

Negative opinions(Limited assurance

– nothing to indicate conditions met)

59

74

60

75

Positive opinions(Reasonable assurance

– conditions met)

Not for ProfitGovernmentUnlistedListed

Graph 30: Providing assurance opinions

36%Audit Committee Chair

35%Chief Executive(or equivalent)

14%Board

4% Chief Financial Officer(or equivalent)

4% Other

2% Company Secretary/General Counsel(or equivalent)

3% Division Head

2% Chief Risk Officer

Who Appoints and Removes the CAE? (all sectors)

36%Audit Committee Chair

35%Chief Executive(or equivalent)

14%Board

4% Chief Financial Officer(or equivalent)

4% Other

2% Company Secretary/General Counsel(or equivalent)

3% Division Head

2% Chief Risk Officer

Who Appoints and Removes the CAE? (all sectors)

Protiviti (www.protiviti.com.au) is a global business consulting and internal audit

firm composed of experts specialising in risk, advisory and transaction services.

The firm helps solve problems in finance and transactions, operations, technology,

litigation, governance, risk, and compliance. Protiviti’s highly trained, results-

oriented professionals provide a unique perspective on a wide range of critical

business issues for clients in the Americas, Asia-Pacific, Europe and the

Middle East.

MELBOURNELevel 17,140 William StreetMelbourne, VIC 3000 AUSTRALIA Ph: (03) 9948 1200Fax: (03) 9602 [email protected]

SYDNEYLevel 45, MLC Centre19 Martin Place Sydney, NSW 2000 AUSTRALIA Ph: (02) 8220 9500 Fax: (02) 9247 7241 [email protected]

PERTHLevel 29,221 St Georges TerracePerth, WA 6000AUSTRALIAPh: (08) 9214 3865 Fax: (08) 9288 [email protected]

CANBERRALevel 5,71 Northbourne Avenue Canberra, ACT 2600 AUSTRALIA Ph: (02) 6113 3900 Fax: (02) 6262 7567 [email protected]

BRISBANELevel 15, 333 Ann StreetBrisbane, QLD 4000 AUSTRALIAPh: (07) 3039 4000Fax: (07) 3039 4098 [email protected]

IIA provides internal auditing practitioners, executive management, boards

of directors and audit committees with standards, guidance and information

on internal auditing best practices. Established in Australia in 1952, the IIA has

chapters across the country. Globally, the IIA serves more than 160,000 members

in internal auditing, governance and internal control, IT audit, education and

security from more than 165 countries.

SYDNEYThe Institute of Internal AuditorsPO Box A2311Sydney South NSW 1235AUSTRALIAPh: + 61 2 9267 9155Fax: + 61 2 9264 [email protected] 7/133 Castlereagh StreetSydney NSW 2000 Australia

All marks used are the property of their respective owners.

©2009 Protiviti Pty Limited / An Equal Opportunity Employer / BMSR02/09-09

achieving high performance in internal audit...a truly independent and objective internal audit...

Documents