achieving high performance in internal audit...a truly independent and objective internal audit...
TRANSCRIPT
Achieving High Performance inInternal Audit Australia 2009
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page1
Executive Summary 4
About this Study 7
Authority, Independence and Mandate 8
Challenges and Trends 13
Quality 17
Internal Audit Resources and Competencies 20
Enablers and Technology 24
Outcomes 27
Contents
Graphs
About this Study
Graph 1 Organisations by type 7
Graph 2 Organisations by size 7
Graph 3 Organisations by industry 7
Graph 4 Organisations by State 7
Authority, Independence and Mandate
Graph 5 Who appoints and removes the CAE? 9
Graph 6 Appointment and removal of CAE
by sector 9
Graph 7 Setting the remuneration and bonus
by sector 10
Graph 8 Evaluating performance of the CAE 10
Graph 9 Approving internal scope and budget 11
Graph 10 Composition of the audit committee 11
Graph 11 CAE meeting privately without
management 12
Challenges and Trends
Graph 12 Change in structure and direction
of internal audit in last 3 years 14
Graph 13 Change in scope of internal audit
in last 3 years 14
Graph 14 Change in scope of internal audit
in next 3 years 15
Graph 15 Emerging priorities in next 3 years 16
Graph 16 Impact of the global financial crisis
on internal audit activity 16
Quality
Graph 17 Ensuring quality in internal audit 18
Graph 18 Level of compliance with the Standards 18
Graph 19 Level of compliance with the Standards
by sector 18
Graph 20 Last external quality assessment review 19
Graph 21 Last external quality assessment by
number of staff in internal audit 19
Internal Audit Resources and Competencies
Graph 22 Number of FTE personnel in internal
audit 21
Graph 23 Unfilled demands for technical skills 21
Graph 24 IA capabilities and needs 22
Enablers and Technology
Graph 25 Relationship between the internal iudit
and risk management functions 25
Graph 26 Relationship between the internal audit
and risk management functions 25
Graph 27 Functionality provided by the primary
tool and its usefulness 26
Outcomes
Graph 28 Extent of reliance by external auditor 28
Graph 29 KPIs used to measure internal audit performance
29
Graph 30 Providing assurance opinions 30
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page2
Christopher McRostieChief Executive Officer
The Institute of Internal AuditorsAustralia
Welcome to the 2009benchmarking study.
The IIA’s vision for theprofession is for it to be universally recognised, trustedand respected as the leading provider of assurance andadvice on risk management, internal control andgovernance, and this study provides some usefulsignposts for all of us in achieving that goal.
In reading the results, I am struck by two things.
Firstly, the significant majority of internal auditfunctions have moved from under the wing of thefinance function and into the spotlight of the CEO andaudit committee. This is a great achievement, but is alsoa double edged sword and not to be taken lightly.Pressures on CEOs and non-executive directors continueto evolve, and we must keep pace with them if we are to meet expectations. As a profession, internal auditmust be an intellectual exercise and strong engagementwith leading CEOs and audit committees will help usachieve this.
Unfortunately, too many internal audit functions are stillreporting to the CFO or a level of management whichcan compromise internal audit independence. In this dayand age, it is simply not appropriate and rightly, questionsneed to be asked of these organisations as to why theythink that this is acceptable.
Secondly, while the survey shows that there is almostuniversal acceptance that factors like adherence to theIIA Standards, independent quality assessments, activemembership of relevant professional bodies andappropriate qualifications are important, we still have
a long way to go with putting them into practice.Anyone holding themselves out to be an internal auditorneeds to assess themselves against these factors, if weare to be taken seriously as a profession.
I would like to thank Protiviti for all of their work inputting the study together – this project would not havebeen possible without them. Importantly, I would alsolike to thank those who participated, and wish you allwell as we strive to be universally recognised as trulyworld-class in all that we do.
Christopher McRostieCEO, The Institute of Internal Auditors
Key Messages
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page3
Gary AndersonManaging Director
Protiviti
Protiviti is pleased to supportthis important study thatprovides useful insights into thestate and direction of the
internal audit profession in Australia.
The study encouragingly shows that the role of internalaudit is expanding, with the vast majority of organisationshaving increased the scope of their internal auditactivity in recent years. Challenging economic timesdemand more vigilant governance and it is appropriatethat organisations are using internal audit to reviewtheir operations more extensively.
It is also clear that the financial crisis has promptedmany organisations and their internal auditors to sharpentheir focus on risk management and mitigation. In thisenvironment, internal auditors need to be proactive anduse their expertise to assist boards and management tosteer their organisations through difficult times.
The growing importance that organisations are placingon internal audit has been attributable in part to therising professionalism of internal auditors. A significantmajority of internal auditors now recognise that the bestway to ensure quality in their internal audit activity isby complying with the International Standards for theProfessional Practice of Internal Audit (‘the Standards’).Moreover, a large number of internal auditors areconsistently updating their skills through continuingeducation programs available through their membershipwith the Institute of Internal Auditors (IIA).
Still, with less than half of organisations currently fullyadhering to the Standards, there is some way to gobefore the profession achieves its goal of full, across theboard compliance. This is clearly an area the professionmust work on if it hopes to further enhance its standingwith senior decision-makers and other stakeholders.
Key Messages
Another major issue emerging from the study is thatsenior executives such as the Chief Financial Officer areexerting too great an influence over the internal auditfunction to the point where the objectivity andindependence of the internal audit risks are beingcompromised.
Best practice dictates that decisions relating to the hiringand firing, remuneration and performance of the Head ofInternal Audit must ultimately rest with the AuditCommittee Chair. Substantive reporting lines for theHead of Internal Audit must also lead to the AuditCommittee Chair.
Directors should recognise that for internal audit to be asource of reliable information to help the board meet itsgovernance duties, it must not be captured by management.Internal auditors and Audit Committee Chairs shouldstrive to ensure that internal audit charters reflect thesefundamentals. Internal audit professionalism is againrelevant, as the greater the value and expertise boardsperceive in their internal audit function, the moredisposed they will be to champion their independence.
Gary AndersonManaging Director, Protiviti
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page4
Executive Summary
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page5
Authority, Independence and MandateInternal audit encompasses much more than traditionalfinancial auditing. It is rapidly becoming an arm of theboard that provides independent assurance over themanagement of business risks. To be effective, thisfunction needs to be free from undue managementinfluence. Yet, according to our research, internal audit’sfunctional reporting line to the board, or equivalentgoverning body, is compromised by excessive influencefrom executive management.
For example, the Chief Financial Officer is the finaldecision-maker in listed companies for:• appointing or removing the Chief Audit Executive (CAE) –
15%
• evaluating the CAE’s performance – 27%
• approving the scope of the organisation’s internalaudit – 21%
This is clearly out of line with contemporary and betterpractice.
However, there are a number of encouraging practices inthis area including:• 64% of listed companies stated that their audit
committee chair is the final decision-maker for theappointment or removal of the CAE
• 58% of government organisations reported that theirchief executive or equivalent is the final decision-maker for CAE appointments and removals
• 64% of listed companies stated that their auditcommittee chair is the final decision-maker for theapproval of the internal audit function’s scope andbudget.
An ongoing relationship between the audit committeechair and the CAE is essential to good governance. Yet,one third of CAEs do not hold private meetings with theaudit committee chair and/or the audit committee.
While best practice is now increasingly the norm, thereis still room for improvement particularly for listedcompanies. In the public sector, good practice isdemonstrated by the fact that the internal audit functionin a significant proportion of organisations reports tothe chief executive equivalent or the audit committee.The challenge for the public sector is to ensure that
Internal Audit: Accelerating StrongGovernanceRecent research conducted by Protiviti and the Instituteof Internal Auditors – Australia (IIA) with chief auditexecutives from over 150 organisations in the public andprivate sectors highlights that organisations mustaddress a number of issues to enable their internal auditfunction to more effectively advance good corporategovernance.
Specifically the research found:• a significant number of internal audit functions
lacked the appropriate framework to operateindependently and objectively
• an excessive level of influence is exercised byexecutive management over audit committeeactivities and the oversight and management of theinternal audit function
• the majority of internal audit functions are unable to demonstrate compliance with the InternationalStandards for the Professional Practice of InternalAuditing (Standards).
As you review this report, you should ask yourself:
• Are the governance structures for your internal auditfunction sufficient to allow your organisation to havea truly independent and objective internal auditfunction?
• How is your organisation placed to respond to theemerging trends facing internal auditors?
• How are you driving quality in your internal auditfunction and is it aligned to the Standards?
• How are you addressing key competency gaps withinyour internal audit function?
• Is Internal Audit really meeting the needs of yourstakeholders?
Executive Summary
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page6
It is also noteworthy that government (49%) and not-for-profit organisations (44%) out-performed theirprivate sector counterparts with respect to compliancewith the Standards.
An effective way of ascertaining the level of compliancewith the Standards is through subjecting the internalaudit function to an External Quality Assessment asrequired in Standard 1310. Yet less than half (43%) ofthe respondents had under taken this exercise in the lastthree years. This raises questions about the quality ofwork performed by some internal audit functions andmay reflect the fact that some organisations are willingto undergo an external quality assessment where theyare aware they do not fully comply with the Standards.
Internal Audit Resources andCompetenciesOrganisations identified a need for greater internal auditresources in three key areas:• IT – 45%
• Risk Management – 33%
• Operations – 26%
In addition, respondents noted that their internal auditteam would be more effective with enhancedcompetencies in:• Continuous Auditing
• Data Analysis
• Marketing of the Internal Audit Function
These findings are consistent with those from a 2009international internal audit study focussed predominantlyon the United States, United Kingdom and Europe, wheresimilar skillset requirements were identified:• Continuous Auditing and Computer Assisted Audit
Techniques (CAATs)
• Data Analysis Tools
• Fraud Monitoring.
audit committees work effectively and provide sound andindependent stewardship when an independent board isnot present.
Challenges and TrendsThe following five areas were noted by surveyrespondents as emerging priorities for internal auditfunctions over the next three years:• Risk Management Attestation
• IT
• Major Projects Implementation
• Fraud and
• Core Financial Controls
These priorities are largely consistent across all sectorsand organisation sizes. As internal audit is increasinglyexpected to sign off on risk processes, risk managementattestation has accordingly become a top priority. Theeconomic downturn has also led to increased fraud riskas business cost-cutting curtails fraud preventionactivities while the motivation to commit fraud has risen in step with personal financial pressures.
QualityWhen asked whether their organisations’ internal auditactivity met quality benchmarks, 87% of respondentsindicated they ensure quality through compliance withthe Standards. However, on average only 42% revealedthey were fully compliant and 50% were only partiallycompliant. Partial compliance may suggest thatorganisations are choosing to comply with the lessdemanding elements of the Standards rather than themore significant and challenging ones.
Executive Summary
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page7
Organisations by type - Graph 1
• Data was collected from over 150 organisations.
• Participants in the survey included listed companies(37%), unlisted private companies (14%), federal,state and local government agencies (42%) and not-for-profit organisations (6%).
Organisations by size - Graph 2
• Small and medium organisations represented just overhalf of the respondents (54%).
• Almost one-third of respondents (32%) indicatedrevenues and/or budget exceeding AUD $1 billion.
Organisations by industry - Graph 3
• The public sector represented the largest single sectortaking part in the survey (38%).
• This was followed by the financial services (20%) andresources/utilities industries (14%).
Organisations by state - Graph 4
• Information was collected across each of the six statesand the Australian Capital Territory.
• The highest proportion of respondents came from NewSouth Wales (31%), followed by Victoria (21%) andQueensland (17%).
• A small proportion of respondents were residentoutside Australia (3%).
About this StudyThe study includes a diverse range of sectors and organisations. Participants invited to take part in the survey earlier this year were Chief Audit Executives (CAE) who are current members of the Institute of Internal Auditors-Australia (IIA).
14%
6%
1%
37%
42%
14%
32% 23%
31%
38%
7%
20%
14%
10%
5%6%
17%
12%
12%31%
21%
3%3% 1%
Graphs 1-4: Organisational graphs
� Listed Company� Unlisted Private
Sector or Company� Government� Not For Profit� Service Provider
� Small $0 to $100m� Medium $100m to $500m� Large $500m to $1b� Very large > $1b
� Financial Services� Resources and Utilities� Consumer Products and
Retail� Construction and
Manufacturing� Government� Not For Profit� Other
� NSW� VIC� QLD� ACT� WA� SA� Outside Australia� TAS
1
2
3
4
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page8
Authority, Independence andMandate
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page9
Appointment and removal of the Chief Audit Executive(CAE) – Graph 5 & 6
• In the majority of listed companies, the AuditCommittee Chair is responsible for the appointmentand removal of the CAE (64%).
• Of concern is the fact that in many listed companies,the Chief Financial Officer (CFO) is responsible forCAE appointments and removals (15%).
• In Government organisations, the Chief Executiveequivalent bears this responsibility (58%).
Authority, Independence and MandateInternal audit’s role in the governance process is optimised when the internal audit is independent frommanagement and reports to individuals with no perceived motivation to limit the scope of internal audit activities. A direct reporting line to the audit committee is best practice. Yet, the study indicates that internal audit’sfunctional independence is compromised by excessive influence from executive management on key matters such asappointments, performance evaluation, work scope and budgeting.
36%35%
14%4%
4%2% 3%2%
Graph 5: Who appoints and removes the CAE?
(all sectors)
Perc
enta
ge %
0
10
20
30
40
50
60
70
80
08
110
Other0 0
80
Division Head5 0 0 0
Chief RiskOfficer
4 0 2 0
CompanySecretary /
General Counsel(or equivalent)
15
0 0 0
Chief FinancialOfficer (orequivalent)
18
45
58
33
Chief ExecutiveOfficer
64
32
23
33
Audit CommitteeChair
11
2317
33
Board
Not For ProfitGovernmentUnlistedListed
Graph 6: Appointment and removal of CAE by sector *
� Board� Audit Committee Chair� Chief Executive (or equivalent)� Chief Financial Officer (or equivalent)� Company Secretary/General Counsel (or equivalent)� Chief Risk Officer� Division Head� Other
* Percentages may exceed 100% as respondents provided more than one final decision-maker.
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page10
Authority, Independence and Mandate
Setting the remuneration and bonus of the CAE – Graph 7
• The Chief Executive (or equivalent) is primarilyresponsible for setting the remuneration and bonus ofthe CAE across all sectors.
• In listed companies, one-quarter (25%) of CFOsperform this function, despite this being contrary torecommended practice.
Evaluating the performance of the CAE – Graph 8
• The Chief Executive (or equivalent) and the AuditCommittee are responsible for evaluating theperformance of the CAE across all sectors.
• In listed companies, the CFO (27%) and the ChiefRisk Officer (11%) are the final decision-makersregarding CAE performance, again contrary torecommended practice.
Perc
enta
ge %
0
10
20
30
40
50
60
70
80
5
1521
17
Other
40 5 0
Division Head
7 0 0 0
Chief RiskOfficer
110 3 0
CompanySecretary /
General Counsel(or equivalent)
25
5 30
Chief FinancialOfficer (orequivalent)
38
55
6256
Chief ExecutiveOfficer
2118
11
33
Audit CommitteeChair
914 12
0
Board
Not For ProfitGovernmentUnlistedListed
Graph 7: Setting the remuneration and bonus by sector *
Perc
enta
ge %
0
10
20
30
40
50
60
70
80
2 8 7 0
Other
40
10
22
Division Head
110 0 0
Chief RiskOfficer
7 0 3 0
CompanySecretary /
General Counsel(or equivalent)
27
90 0
Chief FinancialOfficer (orequivalent)
23
5551
44
Chief ExecutiveOfficer
36
2329
33
Audit CommitteeChair
5 09 11
Board
Not For ProfitGovernmentUnlistedListed
Graph 8: Evaluating performance of the CAE *
* Percentages may exceed 100% as respondents provided more than one final decision-maker.
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page11
Approving the scope and budget of internal audit – Graph 9
• In almost two-thirds (64%) of listed companies, theAudit Committee approves the scope and budget ofthe internal audit function.
• 21% of CFOs in listed companies have thisresponsibility, again contrary to recommendedpractice.
Composition of the audit committee – Graph 10
• Almost all of the organisations that responded to thestudy have an audit committee or equivalent bodyacting in that capacity, which is encouraging.
• However, almost one half (43%) reported that theiraudit committee does not have an independentchairperson. In addition, 22% stated that their auditcommittee consists largely of executive management.
• 20% of listed company audit committees do not havean independent chairperson, which is contrary torecommended practice.
Authority, Independence and MandatePe
rcen
tage
%
0
10
20
30
40
50
60
70
80
5 0 3 0
Other2 0 5
11
Division Head0 0 0 0
Chief RiskOfficer
0 0 0 0
CompanySecretary /
General Counsel(or equivalent)
21
08
0
Chief FinancialOfficer (orequivalent)
16
5046 44
Chief ExecutiveOfficer
64
50
3833
Audit CommitteeChair
2 5
1722
Board
Not For ProfitGovernmentUnlistedListed
Graph 9: Approving internal scope and budget *
Perc
enta
ge %
0
10
20
30
40
50
60
70
80
1No audit
committeein place
22
Auditcommitteemade upprimarily
of executives(management)
1No audit
committee,function is
servedby the full
Board
2No audit
committee,function isserved by asimilar sub-committeeor the Board
71
Majority/allindependent
members
57
IndependentChairperson
Graph 10: Composition of the audit committee
* Percentages may exceed 100% as respondents provided more than one final decision-maker.
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page12
Authority, Independence and Mandate
Private meetings without management – Graph 11
• The holding of private meetings between the CAE andAudit Committee without management present, is acritical element of an independent internal auditfunction.
• Almost one-third of CAEs (31%) do not hold privatemeetings with the audit committee. This is consistentthroughout all sectors and across medium to largeorganisations.
• In almost half (45%) of smaller organisations withturnover less than $100m, the CAE does not meetprivately with the audit committee in the absence ofmanagement.
Perc
enta
ge %
0
10
20
30
40
50
60
70
80
45
33
2420
No
1215 14
9
Yes, private session withthe full Audit Committee
27 28
38 39
Yes, private session withAudit Committee Chair
15
24 24
33
Yes, separate privatesessions with Audit
Committee Chair and thefull Audit Committee
>1b500m-1b100m-500m0-100m
Graph 11: CAE meeting privately without management
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page13
Challenges and Trends
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page14
Change in structure and direction of internal audit in last 3years – Graph 12
• The level of change in the structure and direction ofthe internal audit function was significant for almosthalf (43%) of Australian organisations.
Change in scope of internal audit in last 3 years – Graph 13
• Assurance on risk mitigation and operational auditswere areas that saw an increase – 69% and 67%respectively.
• Financial process audits did not change in 40% oforganisations.
Challenges and TrendsInternal audit is a long-standing but rapidly evolving profession, with increasing demands on the extent and scopeof work performed. This poses challenges for the profession in meeting new expectations while not losing sight oftraditional core areas.
Perc
enta
ge %
0
10
20
30
40
50
60
70
80
2Do not know
43
Significant change -significant changein structure, role
&/or reporting lines
31
Moderately stable - some changein these areas
24
Highly stable -no major changesto structure, role,reporting lines
Graph 12: Change in structure and direction of internalaudit in last 3 years
0 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Percentage %
Assurance onRisk Mitigation
Consulting/Advisory
Compliance audits(laws, regulations,
and policy)
Operationalaudits lists
Financial Process audits(including external
audit support)
Overall size ofplan (days)
12 28 47 22
2 5 35 40 19
1 13 35 41 9
1 6 26 47 20
4 16 40 28 11
2 6 24 41 28
Significantly increased
Somewhat increased
No change
Somewhat decreased
Significantly decreased
Graph 13: Change in scope of internal audit in last 3 years
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page15
Challenges and Trends
Change in scope of internal audit in next 3 years – Graph14
• Almost three-quarters of organisations (73%) expectthat assurance on risk mitigation will increase overthe next 3 years.
• Financial audits are likely to stay at the same levelsfor just over half or the organisations (54%).
0 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Percentage %
Assurance onRisk Mitigation
Consulting/Advisory
Compliance audits(laws, regulations,
and policy)
Operationalaudits lists
Financial Process audits(including external
audit support)
Overall size ofplan (days)
1 3 24 55 18
1 4 30 49 16
8 45 38 9
1 6 39 39 15
2 10 54 26 8
1 5 39 40 15
Significantly increased
Somewhat increased
No change
Somewhat decreased
Significantly decreased
Graph 14: Change in scope of internal audit in next 3 years
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page16
Emerging priorities for internal audit in the next 3 years –Graph 15
• The top five areas nominated as emerging prioritiesover the next 3 years are risk managementattestation, IT, major project implementations, fraudand core financial controls.
• These priorities are consistent across all sectors andorganisation size.
Impact of the Global Financial Crisis (GFC) on internalaudit activity – Graph 16
• Almost half of organisations (42%) indicated that theGFC would have no material impact on their internalaudit activity at the time of the survey.
• Over one-third (36%) stated that the internal auditbudget would face cost pressures as a result of theGFC.
• More than half indicated significant additionaldemands, with 33% indicating their scope includednew areas or areas brought forward and 21%indicating a change in control environment.
Challenges and TrendsPe
rcen
tage
%
0
10
20
30
40
50
60
70
80
5Other
11
The new ASXPrinciple 7(updated
during 2007)
14
Market/commodity
riskexposure
16
Treasury
21
Credit riskexposure
32
Emissionsreporting
andCarbon Pollution
Reduction Scheme
53
Core financialcontrols
61
Fraud
62
Major projectimplementation
66
IT
72
RiskManagementAttestation
Graph 15: Emerging priorities in next 3 years
Perc
enta
ge %
0
10
20
30
40
50
60
70
80
21
Change incontrol
environmentas a result
of restructuring
3
Other(please specify)
33
New areas/areas broughtforward on
the audit plan
36
Cost pressureson the internalaudit budget
42
No materialimpact
Graph 16: Impact of the global financial crisis oninternal audit activity
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page17
Quality
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page18
Ensuring quality in internal audit – Graph 17
• Respondents in the majority of organisations revealed(87%) that the best way to ensure quality in theirinternal audit activity was to comply with theInternational Standards for the professional practiceof Internal Audit (Standards).
• Internal audit team members were encouraged to bemembers of the IIA by almost 8 out of 10organisations (79%).
Level of compliance with the Standards – Graphs 18 & 19
• Despite acknowledgement of the importance ofadherence to the Standards, less than half (42%) ofrespondents indicated they fully complied with theStandards, with 50% indicating partial compliance,2% not complying and 6% unsure.
• The level of compliance with the Standards wasrelatively consistent across all sectors andorganisation size.
• The government and not for profit organisationsindicated a higher level of full compliance (49% and44%) than listed and unlisted companies (33% and38%).
QualityThis section asked participants to indicate how they ensured quality and professionalism in their teams andfunctions. Surprisingly, despite seeing the importance of membership, certification, quality programs and compliancewith the Standards, these requirements are still not universally applied.
Perc
enta
ge %
0
10
20
30
40
50
60
70
80
100 3
12
Do not know2 5 2 0
Not inCompliance
55 57
46 44
PartialCompliance
3338
4944
FullCompliance
Not For ProfitGovernmentUnlistedListed
Graph 19: Level of compliance with the Standards by sector
Perc
enta
ge %
0
10
20
30
40
50
60
70
80
90
43
IA StaffCertification
(CIA)
10
Other
31
ReportsSigned Off
by CIA
55
QualityProgram(ISPPIA
Standard 1310)
79
IA StaffMembership
(IIA)
87
Compliancewith
IIA theStandards
Graph 17: Ensuring quality in internal audit
6%
42%
50%
2%
Graph 18: Level of compliance with the Standards
� Full Compliance� Partial Compliance� Not in Compliance� Do Not Know
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page19
Last external quality assessment review – Graphs 20 & 21
• The Standards require quality assessment of theinternal audit function at least every five years withinternal quality processes to be performed on anongoing basis.
• Less than half (43%) of respondents had undertakenan external quality assessment within the last 3years.
• One-fifth had completed an assessment within thelast 12 months.
• Organisations with less than five internal audit staffwere less likely to have undertaken an externalassessment.
• 43% of respondents had never completed an externalquality assessment.
QualityPe
rcen
tage
%
0
10
20
30
40
50
60
70
80
6Do notknow
43
Nevercompleted
1More than5 years
ago
64-5 years
ago
23
1-3 yearsago
20
Withinthe last
12 months
Graph 20: Last external quality assessment review
Perc
enta
ge %
0
10
20
30
40
50
60
70
80
3 95 0
Do not know
58
3934
14
Never completed1 0 0 0More than 5years ago
7 08 7
4-5 years ago
20
35
2629
1-3 years ago
1117
26
50
Within the last12 months
>20 staff11-20 staff6-10 staff1-5 staff
Graph 21: Last external quality assessment by number of staff in internal audit
Internal Audit Resources andCompetencies
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page20
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page21
Number of full time equivalent (FTE) personnel in internalaudit – Graph 22
• Almost 60% of organisations employed between oneand five FTE staff in their internal audit department.
• The average number of full time internal audit employeesin an in-house capacity was five and the averagenumber of FTE personnel either in-house or externalwas seven.
Unfilled demand for key technical skills – Graph 23
• The top three technical skills in greatest demandwere IT (45%), risk management (33%) andoperations (26%).
• While financial and accounting skills are still indemand, this is now exceeded by demand for projectmanagement skills.
Internal Audit Resources and CompetenciesAs internal audit’s scope and remit continues to broaden, skills, resources and competencies need to evolve to keep apace. This section outlines key findings in this area.
Perc
enta
ge %
0
10
20
30
40
50
60
70
80
11
>20
316 - 20
911 - 15
19
6 - 10
58
1 - 5
Graph 22: Number of FTE personnel in internal audit
0 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Percentage %
Treasury andFinance
Operations
RiskManagement
Environment andSustainability
ProjectManagement
IT Skills
Financial andAccounting
14 28 30 10 3 14
13 17 36 19 7 9
10 15 33 25 8 8
17 29 26 8 2 17
12 15 44 16 6 8
10 9 29 33 12 7
15 27 31 12 105
Very High Demand
Not Applicable
High Demand
In Demand
Low Demand
Very Low Demand
Graph 23: Unfilled demands for technical skills
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page22
Internal Audit Resources and Competencies
Internal audit team competencies and areas forimprovement – Graph 24
• Respondents were asked to assess, on a scale of oneto five, their team’s competency in 25 areas oftechnical knowledge important to internal audit, withone being the lowest competency and five being thehighest. They were then asked to indicate whetherthey believed their team possessed adequatecompetencies or if there was room for improvement,taking into account the circumstances of theirorganisation and industry.
• Respondents indicated that their teams would bemore effective with enhanced competencies in 1)continuous auditing, 2) data analysis and 3) marketingof the internal audit function (top right quadrant).
• These findings are consistent with those from a 2009international internal audit study focussedpredominately on the United States, United Kingdomand Europe, where similar skill deficiencies wereidentified, namely continuous auditing, data analysistools and fraud monitoring.
Low
erH
ighe
r
Lower Higher
Com
pete
ncy
Need to Improve
Graph 24: IA capabilities and needs
A Financial ReviewB Compliance with RegulationsC Compliance with ASX Principle 7D Operational ReviewE External Audit AssistanceF Risk Management AssuranceG Operational EfficiencyH Revenue EnhancementI FraudJ Anti-Money LaunderingK Culture AssessmentL Mergers and AcquisitionsM Governance StructuringN Continuous AuditO Data AnalysisP Self Assessment TechniquesQ Developing RecommendationsR Internal Quality Assessment (ongoing)S Internal Quality Assessment (periodic)T External Quality AssessmentU Marketing Internal AuditV Planning Audit StrategyW Presenting to Audit CommitteeX Report WritingY Resource Management
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page23
Chief Audit Executive competencies and areas forimprovement
• Respondents were asked to assess on a scale of oneto five – with one being the lowest competency andfive being the highest – their competency in 16 typesof Personal Skills and Capabilities.
• They were then asked to indicate whether theybelieved their competency level was adequate or inneed of improvement, taking into account thecircumstances of their organisation and the nature oftheir industry. Listed on this page are the 16 PersonalSkills and Capabilities.
• Developing outside contacts and networking wasidentified as the top area for improvement followedin second place by the need to improve leadershipwithin the internal audit profession.
• The need to develop other Board Committeerelationships was the third most important skill toimprove. This is broadly comparable with the findingsof the aforementioned 2009 international internalaudit survey where developing relationships withother Board members has been the top priority forseveral years.
• Even though respondents reported relatively highcompetency levels in most of the top-ranked skillsand capabilities, the findings nevertheless suggestthat further improvement is essential as these areasremain key priorities.
Internal audit certification
Respondents were asked whether they were accredited asa Certified Internal Auditor (CIA). Almost half (48%)were not while 35% of respondents were CIA-certified.The remainder (17%) had intentions to become CIAqualified in the future.
Internal Audit Resources and Competencies
Needs to Personal Skill CompetencyImprove Rank & Capabilities (5 pt scale)
1 Developing outside 3.8contacts/networking
2 Leadership (within 3.4the IA profession)
3 Developing other 3.7Board Committeerelationships
4 Time management 3.9
5 Strategic thinking 4.2
1 = Change Management2 = Coaching/Mentoring3 = Creating a learning IA function4 = Developing Audit Committee relationships5 = Developing other Board Committee relationships6 = Developing rapport with senior executives7 = Developing outside contacts/networking8 = Leadership (within your organisation)9 = Leadership (within the IA profession)10 = Negotation11 = Personnel performance evaluation12 = Presenting (small groups)13 = Persuasion14 = Strategic thinking15 = Time management16 = Written communication
Enablers and Technology
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page24
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page25
Relationship between the Internal Audit and RiskManagement functions – Graphs 25 and 26
• Almost one fifth (19%) of respondents indicatedthere was either no risk management function at allwithin their organisation or that internal audit wasfacilitating aspects of the risk management work.
• The larger the organisation, the greater the likelihoodthat risk management and internal audit wouldoperate as separate functions with different reportinglines. Over half (53%) of companies with revenuesover $1 billlion had completely separate internalaudit and risk management functions with differentreporting lines. By contrast, only 21% oforganisations with revenues of less than $100 millionseparated their risk management and internal auditfunctions.
Enablers and TechnologyThe efficiency of the internal audit function can be enhanced with the support of appropriate frameworks andtechnology solutions. This section outlines findings in this area.
Perc
enta
ge %
0
10
20
30
40
50
60
70
80
1Other
4
No riskmanagementfunction -InternalAudit not
charged withresponsibility forrisk management
15
No riskmanagementfunction -Internal
Audit facilitatesaspects of this
23
Integratedfunction
18
Separateunits withcommonleadership
reporting lines
39
Completelyseparate
with differentreporting lines
Graph 25: Relationship between the internal audit andrisk management functions
Perc
enta
ge %
0
10
20
30
40
50
60
70
80
30 0 0
Other4 5 0 5
No riskmanagementfunction -
Internal Auditnot charged withresponsibility forrisk management
17
26
115
No riskmanagementfunction -
Internal Auditfacilitates
aspects of this
38
2126
16
Integratedfunction
21
13
21 21
Separate units with common
leadershipreporting lines
21
32
42
53
Completelyseparate
with differentreporting lines
>1B 500M - 1B100M - 500M0 - 100M
Graph 26: Relationship between the internal audit and risk management functions
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page26
Functionality provided by technology solutions – Graph 27
• Automated work papers, on-line review and sign-offwere considered to be the most useful (39%)functionalities provided by the primary internal auditsoftware tool. This was followed by action tracking(37%) and data analytics (30%).
• Resource scheduling and time recording wereconsidered to be the most problematic functions(6%).
Enablers and Technology
0 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Percentage %
Resource Schedulingand Time Recording
Automated Work Papers,Online Review and
Sign Off
RiskRegister
Web Support/Information Modules
Control SelfAssessment
Action Tracking andEmail Follow-ups
Team Collaboration
Integrated withother Systems
Extensive ManagementReporting
Continuous ControlMonitoring
Data Analytics30 27 6 4 2310
14 23 10 4 3316
16 26 14 3 2616
11 21 4 3 3624
37 13 6 4 2317
20 17 4 4 3420
13 17 6 4 3921
24 29 11 4 247
39 16 6 3 2710
14 20 4 6 3323
17 26 3 3619
Very Problematic
Not Applicable
Somewhat Problematic
No Impact
Somewhat Useful
Very Useful
Graph 27: Functionality provided by the primary tool and its usefulness
Internal Audit methodology
• 42% of respondents used an in-house internal auditmanual, while 31% used the IIA’s methodology.
• 95% of respondents indicated that the internal auditplan was based on a formal risk identification andassessment undertaken within their organisation, asrequired by the Standards.
Computer assisted Audit Techniques (CAATs) and softwaretools
• Almost two-thirds (62%) used CAATs on an ad-hocbasis with limited use on specific projects.
• Over half (57%) indicated they used audit softwaretools and of those, the majority (75%) used ‘off theshelf’ tools.
Outcomes
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page27
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page28
Reliance by external auditor – Graph 28
• A coordinated approach between internal andexternal auditors prevents duplication of effort andpresents a holistic assurance plan to the auditcommittee. It also enables greater reliance to beplaced on internal audit work.
• Coordinated approaches were more common in thegovernment sector (55%) where Federal and StateAuditor Generals provided the external audit servicethemselves, or oversaw the outsourcing of theexternal audit to an appropriate audit provider.
• In one in ten listed companies and 15% of unlistedcompanies, the external auditor placed no reliance onthe work of the internal audit team.
OutcomesFor the value of the internal audit function to be understood by the organisation, appropriate accountabilityframeworks must be in place for internal audit so that results are achieved and communicated in a transparent way.This section outlines key findings in this area.
Perc
enta
ge %
0
10
20
30
40
50
60
70
80
1015
6 0
No reliance
49
40 40
63
Limited reliance in a smallnumber of specific areas
4145
55
30
Coordinated approach withhigh degree of reliance
placed on IA work
Not for ProfitGovernmentUnlistedListed
Graph 28: Extent of reliance by external auditor
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page29
Outcomes
Key Performance Indicators (KPI) for internal audit – Graph29
• A broad range of KPIs were used to measure theperformance of Internal Audit.
• The percentage of audits completed was the mostcommon KPI to measure internal audit performance(59%).
• Another key measure was recommendations acceptedand implemented (56%).
0 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
2%Auditing related cost to support cost ratio4%Staff transferred to/from the business4%Other
7%None – we do not track KPIs9%$ cost savings and/or $revenue generated9%Budgeted IA headcount Vs actual10%Number of material events/breaches/high risk findings identified
12%Staff turnover
15%Number of qualified staff eg. CA, CPA, CISA, CIA etc16%Training hours (total or Vs budget)
22%Reliance by external audit on the internal audit activity25%Completion of overdue audit issues26%Post-implementation results on implemented recommendations27%Number of management requests for internal audit projects28%Audit committee ratings/scores28%Staff satisfaction scores eg. through staff survey
40%Cycle time from entrance meeting to draft report42%Percentage of planned audits completed on time
45%Auditee service service scores eg. via post audit survey of auditee46%Budgeted IA costs Vs actual
56%Recommendations accepted/implemented59%Percentage of planned audits completed
Graph 29: KPIs used to measure internal audit performance
©2009 Protiviti & Institute of Internal Auditors - Australia / Achieving High Performance in Internal Audit page30
Reporting
• Accountability was mixed for monitoring correctiveaction – see table on left.
• Almost three-quarters (73%) of respondents indicatedthat internal audit has the primary responsibility forreporting the status of audit issues/recommendations.
• Over half (53%) used software such as spreadsheetsor a database to track audit issues. One-fifth had adedicated tracking system, while the same proportionused manual processes.
• Half of respondents indicated that Internal Auditused both issue rankings and report gradings tohighlight significant findings from their review.
• Almost one quarter (23%) indicated that reportformats and approaches had undergone major orsubstantial changes with the majority (60%)indicating moderate changes.
Providing assurance opinions – Graph 30
• Internal audit is increasingly being asked to provideaudit opinions. Respondents reported that themajority of opinions provided were positive andcapable of confirming reasonable assurance.
• Almost one-third of listed companies (29%) did notprovide assurance opinions.
Outcomes
Monitoring Primarycorrective action responsibilitytaken and resolution reporting the of audit issues/ status of recommendations audit issues/
recommendations
Management 26% 11%
Internal Audit 32% 73%
Both 41% 16%
Other 1% 0%
Perc
enta
ge %
0
10
20
30
40
50
60
70
80
0 54
13
Don’t know
29
21 21
0
No opinions
12
0
15 13
Negative opinions(Limited assurance
– nothing to indicate conditions met)
59
74
60
75
Positive opinions(Reasonable assurance
– conditions met)
Not for ProfitGovernmentUnlistedListed
Graph 30: Providing assurance opinions
36%Audit Committee Chair
35%Chief Executive(or equivalent)
14%Board
4% Chief Financial Officer(or equivalent)
4% Other
2% Company Secretary/General Counsel(or equivalent)
3% Division Head
2% Chief Risk Officer
Who Appoints and Removes the CAE? (all sectors)
36%Audit Committee Chair
35%Chief Executive(or equivalent)
14%Board
4% Chief Financial Officer(or equivalent)
4% Other
2% Company Secretary/General Counsel(or equivalent)
3% Division Head
2% Chief Risk Officer
Who Appoints and Removes the CAE? (all sectors)
Protiviti (www.protiviti.com.au) is a global business consulting and internal audit
firm composed of experts specialising in risk, advisory and transaction services.
The firm helps solve problems in finance and transactions, operations, technology,
litigation, governance, risk, and compliance. Protiviti’s highly trained, results-
oriented professionals provide a unique perspective on a wide range of critical
business issues for clients in the Americas, Asia-Pacific, Europe and the
Middle East.
MELBOURNELevel 17,140 William StreetMelbourne, VIC 3000 AUSTRALIA Ph: (03) 9948 1200Fax: (03) 9602 [email protected]
SYDNEYLevel 45, MLC Centre19 Martin Place Sydney, NSW 2000 AUSTRALIA Ph: (02) 8220 9500 Fax: (02) 9247 7241 [email protected]
PERTHLevel 29,221 St Georges TerracePerth, WA 6000AUSTRALIAPh: (08) 9214 3865 Fax: (08) 9288 [email protected]
CANBERRALevel 5,71 Northbourne Avenue Canberra, ACT 2600 AUSTRALIA Ph: (02) 6113 3900 Fax: (02) 6262 7567 [email protected]
BRISBANELevel 15, 333 Ann StreetBrisbane, QLD 4000 AUSTRALIAPh: (07) 3039 4000Fax: (07) 3039 4098 [email protected]
IIA provides internal auditing practitioners, executive management, boards
of directors and audit committees with standards, guidance and information
on internal auditing best practices. Established in Australia in 1952, the IIA has
chapters across the country. Globally, the IIA serves more than 160,000 members
in internal auditing, governance and internal control, IT audit, education and
security from more than 165 countries.
SYDNEYThe Institute of Internal AuditorsPO Box A2311Sydney South NSW 1235AUSTRALIAPh: + 61 2 9267 9155Fax: + 61 2 9264 [email protected] 7/133 Castlereagh StreetSydney NSW 2000 Australia
All marks used are the property of their respective owners.
©2009 Protiviti Pty Limited / An Equal Opportunity Employer / BMSR02/09-09