internal audit's value addition approach - a study in the dallas-fort worth area - dallas

2011

Internal Audit's Value Addition Approach - A Study in the Dallas-Fort Worth Area The Research Committee of the Dallas Chapter of the IIA

2011 - The IIA Research Foundation

The Dallas Chapter of the Institute of Internal Auditors

Internal Audits Value Addition Approach

Worth Area

Contents

Introduction ................................Value Addition ApproachesSurvey Design ................................Project Plan ................................Participants Profile ................................Represented Organizations ProfileRepresented Internal Audit Departments ProfileArea Specific Observations

Project Management ................................Enterprise Risk ManagementCorporate Governance ................................Social and Sustainability Audits and ConsultationStrategy Audits and Consultation

Data Analysis ................................Conclusions and ImplicationsLimitations and Future OpportunitiesAcknowledgements ................................Appendix I: Statistical TablesAppendix II: Interpreting Correlation Coefficients and CovarianceAppendix III: Pre-Interview QuestionnaireAppendix IV: Interview QuestionnaireReferences ................................


Internal Audits Value Addition Approach- a Study in the Dallas

................................................................................................

Value Addition Approaches .........................................................................................................................................................................................

................................................................................................

................................................................................................

Represented Organizations Profile ................................................................Represented Internal Audit Departments Profile .......................................................Area Specific Observations .......................................................................................

..............................................................................................

ise Risk Management ...........................................................................................................................................................

Social and Sustainability Audits and Consultation................................Strategy Audits and Consultation ................................................................

................................................................................................

Conclusions and Implications ....................................................................................Limitations and Future Opportunities ................................................................

................................................................................................

Appendix I: Statistical Tables .....................................................................................Appendix II: Interpreting Correlation Coefficients and Covariance ............................

Interview Questionnaire ................................................................Appendix IV: Interview Questionnaire ................................................................

................................................................................................

2

a Study in the Dallas-Fort

.................................................. 3 ......................... 6

............................................. 9 ............................................... 10

.................................... 10 ........................................... 13

....................... 15

....................... 17 .............................. 18

................................................. 21 ........................... 26

.................................................. 30 ........................................... 33

............................................. 35 .................... 35

......................................... 36 .................................... 37

..................... 38 ............................ 39

................................. 40 ........................................ 42

................................................ 47


KRevelsText Box


Introduction

As Richard Chambers observed, from the back room to the board roominternal auditors to provide additional value to the organizationthan everii. The objective of thisthe efforts of internal audit organizations in this endeavor. committee (committee) leveragedAUDIT SURVEY- Characteristics of an emerging focus areas in which internal auditors could add valueinnovative approaches. From this foundation, whether the internal audit departments these emerging focus areas.

The hypothesis for this studywill experience a push to increasingly focus below) and to generate additionalor financial audit areas. The committees for focused research and conducting area to evaluate the level of experience local internal auditemerging audit areas. Keeping in perspective that the study is a chapter research project, the committee focusedperceived by the committee as and that can be performed by size. Based on these criteria, Table-1 for study from the 2010 IIA Global Internal Audit Survey: Characteristics of an Internal Audit Activity- Report I


As Richard Chambers observed, the internal auditing profession and its rom the back room to the board roomi is being closely watched. The demand for

internal auditors to provide additional value to the organizations they servethis study is to identify the factors that contribute to or inhibit

the efforts of internal audit organizations in this endeavor. To that end, the leveraged the results of the 2010 IIA GLOBAL INTERNAL

Characteristics of an internal audit Activityiii as a basis to identify in which internal auditors could add value using nontraditional or

From this foundation, the committee sought to determine the internal audit departments in the Dallas/Fort Worth Metroplex are

for this study is that internal audit departments (respondentswill experience a push to increasingly focus on certain emerging types of audits (noted

additional value outside the traditional operational, compliance The committees approach involved identifying the audit areas

conducting targeted interviews with Audit Executives in the to evaluate the level of experience local internal audit departments have with these

. Keeping in perspective that the study is a chapter research ed on a selection of internal audit activities that

ommittee as unique and innovative, that were emerging in popularityerformed by a wide variety of audit functions, regardless of industry or

Based on these criteria, the committee selected the five focus areas2010 IIA Global Internal Audit Survey: Characteristics of an

Report I.

3

profession and its journey is being closely watched. The demand for

s they serve is higher is to identify the factors that contribute to or inhibit

he research the results of the 2010 IIA GLOBAL INTERNAL

as a basis to identify using nontraditional or

sought to determine in the Dallas/Fort Worth Metroplex are active in

respondents) ging types of audits (noted

operational, compliance identifying the audit areas

with Audit Executives in the have with these

. Keeping in perspective that the study is a chapter research udit activities that were

emerging in popularity, regardless of industry or

areas noted in 2010 IIA Global Internal Audit Survey: Characteristics of an


KRevelsText Box


Table 1 Focus Areas Activity Levels and Ranking

Focus Area

1 Audits of enterprise risk management

processes

2 Project management assurance/

audits of major projects

3 Corporate governance reviews

4 Reviews addressing linkage of

strategy and company performance

5 Social and sustainability audits

The above areas were considered to meet the Committees selection criteria based our review of the Global Internal Audit Survey. According to the Survey:

The areas were not traditionaldepartments, with activity amount

There was a fairly even distribution of operational, governance and strategic areas.

The selection included emerging issues such as environmental sustainability and strategy audits.

The aspects considered by the committee through this study

How many respondents had begun to integrate these areas into their audit plans, and what percentages of resources were

Have these engagements added value the progress being measured?

For organizations not performing these engagements, what are the main roadblocks and concerns?

If these activities are not performed currently, what is the timeframe for adoption? What challenges are facing internal auditors in their attempts to add value in their

organizations in these areas?


Focus Areas Activity Levels and Ranking

Activity Rank

Audits of enterprise risk management 56.6% 8

Project management assurance/

audits of major projects

55.4% 9

Corporate governance reviews 44.5% 13

Reviews addressing linkage of

strategy and company performance

25.3% 19

and sustainability audits 19.6% 22

considered to meet the Committees selection criteria based our review of the Global Internal Audit Survey. According to the Survey:

traditional focus areas by the majority of internal audit vity amounting to less than 60%.

There was a fairly even distribution of operational, governance and strategic

The selection included emerging issues such as environmental sustainability and

by the committee through this study included the following:

How many respondents had begun to integrate these areas into their audit plans, percentages of resources were being allocated?

these engagements added value to their organizations, and if sothe progress being measured? For organizations not performing these engagements, what are the main roadblocks and concerns? If these activities are not performed currently, what is the timeframe for adoption?

enges are facing internal auditors in their attempts to add value in their organizations in these areas?

4

Rank

considered to meet the Committees selection criteria based on

internal audit

There was a fairly even distribution of operational, governance and strategic

The selection included emerging issues such as environmental sustainability and

the following:

How many respondents had begun to integrate these areas into their audit plans,

eir organizations, and if so, how is

For organizations not performing these engagements, what are the main

If these activities are not performed currently, what is the timeframe for adoption? enges are facing internal auditors in their attempts to add value in their


KRevelsText Box


Methodology For the purposes of the study, the committee use

as the framework to evaluate the level of maturity of thedepartment as well as its maturity and experience level related to each specific area. The Capability Maturity Model is a continuum used to evaluate the maturity of a process, department or organization, with the stages

Initial: No sustainable repeatable capabilities (little or no internal audit department or process exists)Infrastructure: Sustainable and repeatable procedures (compliance audits)Integrated: IA management and professional practices uniformly applied (advisory services) Managed: Integrates information from across the organization to improve governance and risk management (overall assurance on Governance, Risk Management and control)Optimized: IA learning from inside and outside the organization for continuous improvement (internal a

First, the committee asked each respondent to maturity level of their overall internal overall evaluation was to provide a evaluation for each specific audit area.activity areas, the respondentslevel with respect to that particularthe assessment of maturity levels of the organization versus the maturity level of focus areas.


of the study, the committee used the Capability Maturity as the framework to evaluate the level of maturity of the respondents internal audit department as well as its maturity and experience level related to each specific area. The Capability Maturity Model is a continuum used to evaluate the maturity of a process, department or organization, with the stages of maturity defined as follows:

No sustainable repeatable capabilities (little or no internal audit department or process exists)

Sustainable and repeatable internal audit (IA) practices and procedures (compliance audits)

IA management and professional practices uniformly applied

Integrates information from across the organization to improve governance and risk management (overall assurance on Governance, Risk Management and control)

IA learning from inside and outside the organization for continuous audit recognized as key agent of change)

ommittee asked each respondent to in their opinion nternal audit department. The purpose of obtaining this

provide a basis against which to compare the maturity evaluation for each specific audit area. Then, for each of the above identified audit

ondents were asked to assess their internal audit teams to that particular area. The committee then studied the maturity levels of the organization versus the maturity level of focus

5

Maturity Model respondents internal audit

department as well as its maturity and experience level related to each specific focus area. The Capability Maturity Model is a continuum used to evaluate the maturity of a

of maturity defined as follows:

No sustainable repeatable capabilities (little or no internal audit

practices and

IA management and professional practices uniformly applied

Integrates information from across the organization to improve governance and risk management (overall assurance on Governance, Risk

IA learning from inside and outside the organization for continuous

evaluate the . The purpose of obtaining this

against which to compare the maturity or each of the above identified audit

their internal audit teams maturity the differences in

maturity levels of the organization versus the maturity level of focus


KRevelsText Box


Value Addition Approaches As mentioned previously, five value addition approaches were selected. A brief

description of each value addition approach follows. These descriptions were to each respondent:

1) Project Management refers to the activities performed by the or consulting support for the organizations project management initiatives. Some organizations/companies may not have a dedicated Project Ma(PMO) or Project Management (PM) framework. Internal audits engagement may include the following types of activities:

Post Implementation R Consultative services Implementation verification

2) Enterprise Risk Management (ERM)and processes used by organizationopportunities by embedding risk awareness into the strategyERM is different from audit risk assessment, seeking to accomplish the broader initiatives of linking risks to strategic objectives, responses, and managing risk to within risk appetite on an enterpriseInternal audit departments however, the Institute of the acceptable roles internal auditobjective of our study was to determine the extent to which to support ERM implementation while Figure 1iv.


e Addition Approaches As mentioned previously, five value addition approaches were selected. A brief

description of each value addition approach follows. These descriptions were

Project Management Audit and Consultation activities refers to the activities performed by the internal audit department to provide audit or consulting support for the organizations project management initiatives. Some organizations/companies may not have a dedicated Project Management Office (PMO) or Project Management (PM) framework. Internal audits engagement may include the following types of activities:

Post Implementation Reviews Consultative services during the design and implementation phaseImplementation verification and validation

Enterprise Risk Management (ERM) ERM generally refers to the methods and processes used by organizations to strategically manage risks and leverage

by embedding risk awareness into the strategy-setting process. rent from audit risk assessment, seeking to accomplish the broader

of linking risks to strategic objectives, developing appropriate risk responses, and managing risk to within risk appetite on an enterpriseInternal audit departments could be involved in a number of ways in this processhowever, the Institute of internal auditors has established guidelines surrounding

internal auditors can take on with respect to ERMobjective of our study was to determine the extent to which internal

support ERM implementation while staying within the boundaries as defined

6

As mentioned previously, five value addition approaches were selected. A brief description of each value addition approach follows. These descriptions were provided

t and Consultation activities epartment to provide audit

or consulting support for the organizations project management initiatives. Some nagement Office

(PMO) or Project Management (PM) framework. Internal audits engagement

during the design and implementation phase

enerally refers to the methods manage risks and leverage

setting process. rent from audit risk assessment, seeking to accomplish the broader

developing appropriate risk responses, and managing risk to within risk appetite on an enterprise-wide level.

ould be involved in a number of ways in this process; delines surrounding

ors can take on with respect to ERM. An nternal audit is able

within the boundaries as defined in


KRevelsText Box


3) Corporate Governance:customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or contra significant role in assisting the board with corporate governance. According to the IIA Position Paper Organizational Governance: Guidance for Internal Auditors, Often, internal auditors can assist organizationboard of directors and executive management on needed improvements and changes in structure and design, not just whether established processes are operating. The type of activities performed by related to the maturity of the Governance Model in the organization, as the IIAs Internal Audit Governance Maturity Model of our study was to identify the level of maturity exhibited by respondents in providing the advisory support recommended by the IIA.


Figure 1 Internal Audit Roles

Corporate Governance: Corporate governance is the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or controlled. Internal audit departments play a significant role in assisting the board with corporate governance. According to the IIA Position Paper Organizational Governance: Guidance for Internal Auditors, Often, internal auditors can assist organizations better by advising the board of directors and executive management on needed improvements and changes in structure and design, not just whether established processes are operating. The type of activities performed by internal audit can typically be

ated to the maturity of the Governance Model in the organization, as the IIAs Internal Audit Governance Maturity Model shows in the Figure 2v

of our study was to identify the level of maturity exhibited by respondents in e advisory support recommended by the IIA.

7

Corporate governance is the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or

Internal audit departments play a significant role in assisting the board with corporate governance. According to the IIA Position Paper Organizational Governance: Guidance for Internal

s better by advising the board of directors and executive management on needed improvements and changes in structure and design, not just whether established processes are

udit can typically be ated to the maturity of the Governance Model in the organization, as the IIAs

v. An objective

of our study was to identify the level of maturity exhibited by respondents in


KRevelsText Box


Figure 2

4) Social and sustainability (Corporate social responsibility, environmental) audits: Social and sustainability initiatives include the pwhereby an organization integrates its social responsibilities and sustainable business practices. Social responsibilities might include activities to promote public interest, charitable, and/or philanthropic activities. Sustainabiinclude practices to promote environmentally friendly activities, prevent environmental disasters, or prevent misterm profits rather than for customer welfare.)initiatives are gaining significant prominence in business and government in recent years. The latest sustainability reporting trends indicate that 142 regulatory instruments addressing sustainability reporting exist in 30 countries and 65% of the standards from government, a series of challenges were noted in a survey by Deloittepart of our study objectives we sought to understand the rate of voluntary adoption of sustainability initiatives in the


2 Internal Audit Governance Maturity Model

Social and sustainability (Corporate social responsibility, environmental) Social and sustainability initiatives include the processes and practices,

whereby an organization integrates its social responsibilities and sustainable business practices. Social responsibilities might include activities to promote

interest, charitable, and/or philanthropic activities. Sustainabiinclude practices to promote environmentally friendly activities, prevent environmental disasters, or prevent mis-selling (e.g. selling of products for shortterm profits rather than for customer welfare.) Social and sustainability goals and

itiatives are gaining significant prominence in business and government in recent years. The latest sustainability reporting trends indicate that 142 regulatory instruments addressing sustainability reporting exist in 30 countries and 65% of the standards are considered mandatoryvi. Even with significant push from government, a series of challenges were noted in a survey by Deloittepart of our study objectives we sought to understand the rate of voluntary adoption of sustainability initiatives in the DFW Metroplex, the extent of

8

Social and sustainability (Corporate social responsibility, environmental) and practices,

whereby an organization integrates its social responsibilities and sustainable business practices. Social responsibilities might include activities to promote

interest, charitable, and/or philanthropic activities. Sustainability might include practices to promote environmentally friendly activities, prevent

selling (e.g. selling of products for short-Social and sustainability goals and

itiatives are gaining significant prominence in business and government in recent years. The latest sustainability reporting trends indicate that 142 regulatory instruments addressing sustainability reporting exist in 30 countries

. Even with significant push from government, a series of challenges were noted in a survey by Deloittevii. As part of our study objectives we sought to understand the rate of voluntary

the extent of


KRevelsText Box


respondents activities to support these initiatives, noted.

5) Strategy Audits: The definition of business strategy is a long term plan of action designed to achieve a particular goal or set of goalmay be comprised of two types: 1) Assessing the adequacy of the strategy making process and subsequent monitoringof a business and comparing that to the planned direction as outlined istrategic plan. Strategy respondents to the Global Internal Audit Survey reporting that they are a significant part of their organizations audit plans. However, they important way for internalmeasurement and feedback on performance in association with achievement of strategic objectives. As the consultative partner, advising controls that impact achievement of strategic objectives and value creation, we sought to determine whether these audits are being performed in pursuit of this direction.

Survey Design The committee contacted

having at least 25 participants)audit executive uniquely represented one formally functioning internal audit department. During this process the committeeand organization sizes.

The data was collected in two phases. In the first phase, the requested to complete a preliminary III). In the second phase, the reminutes to obtain additional informationquestionnaire (see Appendix- 25 respondents for this study.


respondents activities to support these initiatives, and the particular challenges

: The definition of business strategy is a long term plan of action designed to achieve a particular goal or set of goals or objectives. Strategy audits may be comprised of two types: 1) Assessing the adequacy of the strategy making process and subsequent monitoring, or 2) Assessing the actual direction of a business and comparing that to the planned direction as outlined istrategic plan. Strategy audits are not common, with less than 25% of respondents to the Global Internal Audit Survey reporting that they are a significant part of their organizations audit plans. However, they can be an important way for internal auditors to add value through providing independent measurement and feedback on performance in association with achievement of

As the internal audit profession seeks to emerge as a consultative partner, advising management and the board on the risks and controls that impact achievement of strategic objectives and value creation, we sought to determine whether these audits are being performed in pursuit of this

The committee contacted approximately 40 audit executives (with a goal of having at least 25 participants) in the DFW area for participation in this study

uniquely represented one formally functioning internal audit department. During this process the committee attempted to cover a wide array of industry sectors

The data was collected in two phases. In the first phase, the respondents were preliminary written data-gathering questionnaire

In the second phase, the respondents were interviewed for approximatelyminutes to obtain additional information based on the responses provided in the initial

IV). The committee was able to meet the goal of having for this study.

9

and the particular challenges

: The definition of business strategy is a long term plan of action s or objectives. Strategy audits

may be comprised of two types: 1) Assessing the adequacy of the strategy or 2) Assessing the actual direction

of a business and comparing that to the planned direction as outlined in the are not common, with less than 25% of

respondents to the Global Internal Audit Survey reporting that they are a can be an

auditors to add value through providing independent measurement and feedback on performance in association with achievement of

udit profession seeks to emerge as a oard on the risks and

controls that impact achievement of strategic objectives and value creation, we sought to determine whether these audits are being performed in pursuit of this

(with a goal of in the DFW area for participation in this study. Each

uniquely represented one formally functioning internal audit department. wide array of industry sectors

respondents were questionnaire (see Appendix

approximately 30 based on the responses provided in the initial

The committee was able to meet the goal of having


KRevelsText Box


Project Plan

The research project was completed in three phases starting from Octhrough March 2011 as shown below:

Figure 3 Project Plan

Participants Profile The research committee solicited

organizations that are based in DFW area. The parameters defined by the committee for the participants were as follows:

Chief Audit Executive (CAE), the topequivalent department with the responsibility of providing

Audit Executive (AE), an existinggroup who has a direct reporting relationship to a CAE


The research project was completed in three phases starting from October 2010 through March 2011 as shown below:

The research committee solicited audit executives in the DFW areabased in the DFW area or that have significant operations in the

he parameters defined by the committee for the participants were as

Chief Audit Executive (CAE), the top-most person in the internal auditequivalent department with the responsibility of providing internal auditAudit Executive (AE), an existing member of the internal audit management

who has a direct reporting relationship to a CAE.

10

tober 2010

area who serve icant operations in the

he parameters defined by the committee for the participants were as

internal audit or internal audit services.

internal audit management


KRevelsText Box


Ex-CAEs or Ex-AEs, who have served in audit management year, but are not currently em

Other Director or higher level personnel in the audit organizationsufficient knowledge of internal audit activities of the organization.

Professional Service Practitioners (PSP), Partnerservices firms who hafunctions. These categormajor clients as the representative organization for the purpose of the survey.

Each participant represented a uniDFW area.

The quality of the data is greatly dependent on the experience level of the participants and their tenure with the organization. The data cooverall experience levels of respondents respondents being the internal audithaving at least 10 years experiencethe experience levels of the respondents

24%

4%8%


AEs, who have served in audit management rolesnot currently employees.

higher level personnel in the audit organizationsufficient knowledge of internal audit activities of the organization. Professional Service Practitioners (PSP), Partner-level personnel in professional

o have adequate knowledge of their clients. These categories of participants were requested to select one of their

major clients as the representative organization for the purpose of the survey.Each participant represented a unique functional internal audit department in the

Figure 4 Respondents' Profile

The quality of the data is greatly dependent on the experience level of the participants and their tenure with the organization. The data collected indicated that the

levels of respondents were high, with approximately twointernal audit leaders (CAEs) and 84% of the respondents experience. Figure-5 provides an overview of th

the experience levels of the respondents.

64%

Respondents' Profile

Chief Audit Executive

(CAE)

Audit Executive

Ex-CAE

Professional Services

Partner

11

roles within the past

higher level personnel in the audit organizations who have

level personnel in professional adequate knowledge of their clients internal audit of participants were requested to select one of their

major clients as the representative organization for the purpose of the survey. que functional internal audit department in the

The quality of the data is greatly dependent on the experience level of the llected indicated that the

two-thirds of the % of the respondents

provides an overview of the distribution of

Chief Audit Executive

Professional Services


KRevelsText Box


Respondents' experience Figure-6. The data collected from the respondents (84%) of the respondents had at least organization and two audit calendar cycles of experience with the practices of the organization.

Figure

28%

Overall Experience Levels

28%

16%

Respondents' Experience with the


Figure 5 Overall Experience Levels

Respondents' experience with their respective organizations The data collected from the respondents indicated that a high proportion

%) of the respondents had at least two or more years of tenure within their current audit calendar cycles of experience with the practices of the

Figure 6 Experience with the Organization

4%12%

56%

Overall Experience Levels

Less than 5 years

5 to 10 years

10 to 25 years

More than 25 years

16%

40%

Respondents' Experience with the

Organization

Less than 2 years

2 to 5 years

5 to 10 years

More than 10 years

12

is depicted in indicated that a high proportion

f tenure within their current audit calendar cycles of experience with the practices of the

Less than 5 years

More than 25 years

Less than 2 years

More than 10 years


KRevelsText Box


Represented Organizations ProfileTo ensure the data was representative, t

obtain data covering a wide variety of industries.NAICS as a reference to identify the were noted to operate in more than one industry sector. For example, operated in both the construction and manufacturing operated in both the transportation and information sectors. The committee noted thatoverall; the responding organizations represented all the NAICS industry sectorfully or partially.

The data collected represented a wide variety of organizationemployees and revenue. Howeverorganizations (76%) achieved

Figure

In terms of employee countorganizations had at least 10,000 employeedistribution by number of employees.

32%

Revenue of Respondents'


Represented Organizations Profile data was representative, the research committee attempted to

obtain data covering a wide variety of industries. The research committee used the tify the major industry sectors. A number of organizations

were noted to operate in more than one industry sector. For example, oneconstruction and manufacturing sectors while another respondent

rtation and information sectors. The committee noted thatthe responding organizations represented all the NAICS industry sector

The data collected represented a wide variety of organizational sizes in terms of owever, the majority of respondents reported that their

achieved at least 1 billion or more in yearly revenue.

Figure 7 Revenue of Respondents Organization

count, it was noted that about half (48%) of the least 10,000 employees or more. Please see Figure

by number of employees.

8%

12%

4%

44%

Revenue of Respondents'

Organization

Less than $200 million

$200 million to $500

million

$500 million to $1 billion

$1 billion to $5 billion

More than $5 billion

13

he research committee attempted to The research committee used the

industry sectors. A number of organizations one respondent

another respondent rtation and information sectors. The committee noted that,

the responding organizations represented all the NAICS industry sectors either

sizes in terms of respondents reported that their

least 1 billion or more in yearly revenue.

of the Please see Figure-8 for

Less than $200 million

$200 million to $500

$500 million to $1 billion

$1 billion to $5 billion

More than $5 billion


KRevelsText Box


Figure 8 Size of Respondents

In terms of geography, operate internationally. Please see

Figure

20%

20%

8%

Size of Respondents' Organization (By

48%

4%

Respondents' Organization Type


Size of Respondents Organization (by Employees)

In terms of geography, about half (48%) of the respondents organizations Please see Figure-9 for distribution by organization type

Figure 9 Respondents Organization Type

12%

40%

8%

Size of Respondents' Organization (By

Employees)

Less than 1000

1,000 to 10,000

10,000 to 50,000

50,000 to 100,000

100,000 +

16%

32%

4%

Respondents' Organization Type

Regional

National

International/ Trans

national

Others and Not-

Applicable

14

organizations by organization type.

Less than 1000

1,000 to 10,000

10,000 to 50,000

50,000 to 100,000

International/ Trans-


KRevelsText Box


Represented Internal Audit Departments ProfileThe respondents audit

respondents had departments half (56%) of the respondents reporting that their internal audit department consisted of at least 11 members.

Figure

In terms of maturity by respondents internal audit departments the majority of them (over 60%)Figure-11 for the distribution by the duration of operations of internal audit departments.

36%

12%

8%

Respondents' IA Department Size


Represented Internal Audit Departments Profile audit departments were of various sizes. The majority

had departments in the 11 to 25 members category and slightly more than half (56%) of the respondents reporting that their internal audit department consisted of

Figure 10 Respondents IA Department Size

In terms of maturity by the length of operation, the data indicated that 8departments have been operating for at least 5 years and

(over 60%) have been in operation for over 10 years.by the duration of operations of internal audit departments.

24%

20%

Respondents' IA Department Size

Less than 5 members

6 to 10 members

11 to 25 members

26 to 50 members

More than 50 members

15

ajority of the and slightly more than

half (56%) of the respondents reporting that their internal audit department consisted of

ion, the data indicated that 80% of the have been operating for at least 5 years and

have been in operation for over 10 years. Please see by the duration of operations of internal audit departments.

Less than 5 members

More than 50 members


KRevelsText Box


Figure 11 Respondents IA Department's Duration of Operations

In terms of the maturity of was noted that most (88%) of the organizations rated themselves aslevel of Integrated or Managed.level of the internal audit department.

Figure 12 Overall Maturity Level as Assessed by Respondents

60%

Respondents' IA Departments'

Duration of Operations

48%

Overall Maturity Level


Respondents IA Department's Duration of Operations

In terms of the maturity of internal audits process as rated by the respondents, it of the organizations rated themselves as having a maturity

level of Integrated or Managed. Please see Figure-12 for distribution by overall internal audit department.

Overall Maturity Level as Assessed by Respondents

4%

16%

20%

Respondents' IA Departments'

Duration of Operations

One year or less

1 to 5 years

5 to 10 years

10 or more years

4% 4%

40%

4%

Overall Maturity Level

Initial

Infrastructure

Integrated

Managed

Optimized

16

udits process as rated by the respondents, it having a maturity

overall maturity

One year or less

5 to 10 years

10 or more years

Infrastructure

Integrated

Managed

Optimized


KRevelsText Box


In terms of the activities performed by the internal audit departments, the distribution pattern in Table 2 departments had higher involvement in audit and assurance activities and compliance activities.

Table 2 Respondents Internal Audit Departments

Level/ Activity A&A Activities

No Time (0%) _ 0% to 10% _ 10% to 25% 2 26% to 50% 8 51% to 75% 14

More than 75% 1

Area Specific ObservationsAs touched on previously, the process of collecti

was executed in two phases. In the first phase, respondents were asked to complete pre-interview questionnaires to provide a baseline understanding of thematurity and resource allocation rationale for each fowere then targeted to the responses provided in the preon the rationale that the information available from respondents would vary depending on the experience with that area. For example, a Cdepartments maturity in performing Strategy Audits as Initial would likely have limited input on the benefits of conducting such activities, but may be able to answer questions related to future plans in this area. Conversely,maturity as Optimized could offer additional information about the benefits and roadblocks in conducting such activities, and how value and continuous improvement programs are monitored and measured. For the complete list to Appendices III and IV.


In terms of the activities performed by the internal audit departments, the was noted and the data indicated that most of the audit

had higher involvement in audit and assurance activities and compliance

Internal Audit Departments Time Allocation for Various Activities.

Consulting Compliance Administration

1 1 -

9 8 13

12 7 11

3 8 1

- 1 -

- - -

Area Specific Observations As touched on previously, the process of collecting the data for each focus area

was executed in two phases. In the first phase, respondents were asked to complete interview questionnaires to provide a baseline understanding of their

maturity and resource allocation rationale for each focus area. Follow-up interviews were then targeted to the responses provided in the pre-interview questionnaires based on the rationale that the information available from respondents would vary depending on the experience with that area. For example, a CAE or AE who assessed his departments maturity in performing Strategy Audits as Initial would likely have limited input on the benefits of conducting such activities, but may be able to answer questions related to future plans in this area. Conversely, a respondent who assessed the maturity as Optimized could offer additional information about the benefits and roadblocks in conducting such activities, and how value and continuous improvement programs are monitored and measured. For the complete list of survey questions, refer

17

In terms of the activities performed by the internal audit departments, the was noted and the data indicated that most of the audit

had higher involvement in audit and assurance activities and compliance

inistration Others

12

11

2

-

-

-

ng the data for each focus area was executed in two phases. In the first phase, respondents were asked to complete

experience, up interviews

interview questionnaires based on the rationale that the information available from respondents would vary depending

AE or AE who assessed his departments maturity in performing Strategy Audits as Initial would likely have limited input on the benefits of conducting such activities, but may be able to answer questions

a respondent who assessed the maturity as Optimized could offer additional information about the benefits and roadblocks in conducting such activities, and how value and continuous improvement

of survey questions, refer


KRevelsText Box


A summary of the data and observationseach focus area is provided in the subsections below.

Project Management

The data collected in this area indicated that maturity level with about oneorganizations at this maturity level and 7see figure 13 for the distribution of the assessed maturity levels.

Figure 13 Maturity Level (Project Management) as Assessed by Respondents

About half of the respondentsdepartments internal audit time in respondents indicated that their internal audit department spends at least 5% or more of their departments time in this area.

36%

20%

Maturity Level as Assessed by


A summary of the data and observations (for the sample size of 25)each focus area is provided in the subsections below.

The data collected in this area indicated that Integrated was the medianabout one-third (36%) of the respondents identifying their

organizations at this maturity level and 76% at the Integrated level or below.for the distribution of the assessed maturity levels.

Maturity Level (Project Management) as Assessed by Respondents

respondents organizations (54%) spent less thaninternal audit time in the project management area. About 46%dicated that their internal audit department spends at least 5% or more of

their departments time in this area.

20%

20%

4%


Respondents

Initial

Infrastructure

Integrated

Managed

Optimized

18

(for the sample size of 25) relative to

as the median of the respondents identifying their

level or below. Please

Maturity Level (Project Management) as Assessed by Respondents

than 6% of their About 46% of the

dicated that their internal audit department spends at least 5% or more of

Infrastructure

Integrated

Managed

Optimized


KRevelsText Box


Figure 14

Approximately half of the respondents noted that internal audit time on audit and assurance activities.

Figure 15 Allocation of Time Between Consulting and Assurance Activities

12%

17%

17%

Time Spent for Project Management

20%

12%

4% 4%

Allocation of Time Between Consulting


Time Spent for Project Management Activities

Approximately half of the respondents noted that their departments spend 75% of n audit and assurance activities.

Allocation of Time Between Consulting and Assurance Activities

8%

46%

0%

Time Spent for Project Management

Activities

No Time Spent

0% to 5%

6% to 10%

11% to 15%

16% to 25%

More than 25%

8%

52%

4%

Allocation of Time Between Consulting

and Assurance No consulting time (all audit/assurance)

Some consulting (Less than 25%

of time)

Half consulting (Other 50% of

time for audit/assurance)

Mostly consulting (75% or more

time)

All consulting (no

auidt/assurance)

Not applicable

19

spend 75% of their

Allocation of Time Between Consulting and Assurance Activities

No Time Spent

11% to 15%

16% to 25%

More than 25%

Some consulting (Less than 25%

Half consulting (Other 50% of



KRevelsText Box


The vast majority of the respondentslevels were appropriate for the project management area

Figure 16

Some of the themes noted during the interviews are as follows: A number of respondent

Information Technology (IT) initiatives (asmanagement activities such as construction projectetc.)

A large number of organizations had department (mainly IT) framework.

About 60% of the respondentsin project management type internal audit activitiesto be involved in this area in the near future.

A large portion of the respondents indicated that there is not an organizationwide project management framework, indicating opportunity for management to streamline their project management activities across th

We feel allocation is appropriate

Area is not applicable for our business

Area not a high risk to our business

Budgetary constraints

Business goals have not been defined

Project Management Resource Allocation


vast majority of the respondents (75%) felt that the allocations at the current for the project management area as noted below:

16 Project Management Resource Allocation

Some of the themes noted during the interviews are as follows: A number of respondents associated the term project management Information Technology (IT) initiatives (as opposed to business process management activities such as construction projects, process re

number of organizations had a specially assigned project department (mainly IT) and a few organizations had a wider project management

About 60% of the respondents organizations were noted to be currently involved in project management type internal audit activities, while 25% do

be involved in this area in the near future. A large portion of the respondents indicated that there is not an organizationwide project management framework, indicating opportunity for management to streamline their project management activities across the organization.

0 5 10 15






Others


20

allocations at the current as noted below:

project management with opposed to business process

, process re-engineering,

a specially assigned project management project management

noted to be currently involved 25% dont have plans

A large portion of the respondents indicated that there is not an organization-wide project management framework, indicating opportunity for management to

e organization.

20



KRevelsText Box


Some key observations from

When asked how activities in this area added value to their organizations, and how the value was measured, many respondents stated that their consultative activities in this area provided substantioften not be quantified. For example, many respondents stated that they were regularly consulted to advise on project risks and make control recommendations in the planning stage of major projects. By identifying critical risks that threaten the success of the project and recommending mitigating controls before project implementation, these respondents believed internal auditproject initiatives. Additionally, some respondents stated that they were consulted to review process design within major projects and recommend improvements to streamline the process and gain efficiencies. These process improvement recommendations often resulted in reduced cost organization. Various roadblocks and challenges were noted by respondents related to their activities in this area. A small number of respondents stated that they lacked human resources and training for lowersupport. One respondent stated that occasionally independence can become an issue when process owners and project managers do not understand boundaries and the need to maintain independence. The retwo key methods of overcoming this issue are communication with the project team at the inception of the project planning phase to clearly define limiting internal audits involvement to advisory in the involvement in the implementation phase.

Enterprise Risk Management

The data collected in this area indicated that Integrated or lower level of maturity in this area with the


Some key observations from interviews:

When asked how activities in this area added value to their organizations, and how the value was measured, many respondents stated that their consultative activities in this area provided substantial value to the organization, although this value could often not be quantified. For example, many respondents stated that they were regularly consulted to advise on project risks and make control recommendations in the planning

By identifying critical risks that threaten the success of the project and recommending mitigating controls before project implementation, these

internal audit played a significant role in ensuring success of tionally, some respondents stated that they were consulted to

review process design within major projects and recommend improvements to streamline the process and gain efficiencies. These process improvement recommendations often resulted in reduced cost of the overall project to the

Various roadblocks and challenges were noted by respondents related to their activities in this area. A small number of respondents stated that they lacked human resources and training for lower-level staff to provide adequate Project Management support. One respondent stated that occasionally independence can become an issue when process owners and project managers do not understand boundaries and the need to maintain independence. The respondent also stated that two key methods of overcoming this issue are communication with the project team at the inception of the project planning phase to clearly define internal a

udits involvement to advisory in the design phase, with less involvement in the implementation phase.

Enterprise Risk Management

The data collected in this area indicated that 75% of the organizations had an level of maturity in this area with the median in the

21

When asked how activities in this area added value to their organizations, and how the value was measured, many respondents stated that their consultative activities

al value to the organization, although this value could often not be quantified. For example, many respondents stated that they were regularly consulted to advise on project risks and make control recommendations in the planning

By identifying critical risks that threaten the success of the project and recommending mitigating controls before project implementation, these

played a significant role in ensuring success of tionally, some respondents stated that they were consulted to

review process design within major projects and recommend improvements to streamline the process and gain efficiencies. These process improvement

of the overall project to the

Various roadblocks and challenges were noted by respondents related to their activities in this area. A small number of respondents stated that they lacked human

o provide adequate Project Management support. One respondent stated that occasionally independence can become an issue when process owners and project managers do not understand internal audits

spondent also stated that two key methods of overcoming this issue are communication with the project team at

audits role, and design phase, with less

5% of the organizations had an in the Infrastructure


KRevelsText Box


stages of adopting ERM processesby ERM process maturity.

Figure 17 Maturity Level (ERM) as Assessed by Respondents

The data collected indicated that all respondents spend atarea, with about one-third of internal audit dinvolvement (more than 10% of time)over assurance activities as compared to consulting activitiesFigure-19.

Figure

20%

24%

Maturity Level As Assessed by

16%

8%

8%

Time Spent for ERM Activities


stages of adopting ERM processes. Please see figure-17 for the distribution of samples

Maturity Level (ERM) as Assessed by Respondents

The data collected indicated that all respondents spend at least some time in this internal audit departments having higher level of

(more than 10% of time). The extent of involvement appears to be more over assurance activities as compared to consulting activities as noted in Figure

Figure 18 Time Spent for ERM Activities

24%

28%

4%


Respondents

Initial

Infrastructure

Integrated

Managed

Optimized

36%

32%

8% 0%

Time Spent for ERM Activities

No Time Spent

0% to 5%

6% to 10%

11% to 15%

16% to 25%

More than 25%

22

bution of samples

least some time in this epartments having higher level of

. The extent of involvement appears to be more in Figure-18 and

Infrastructure

Integrated

Managed

Optimized

No Time Spent

11% to 15%

16% to 25%

More than 25%


KRevelsText Box


Figure 19 Allocation of Time to Consulting and Assurance Activities

The data collected regarding the rationale for resource allocation and focus indicated that a vast majority of the respondents (75%) felt that the alcurrent levels were appropriate as noted below:

28%

4% 4% 0%

Allocation of Time to Consulting and Assurance






ERM Resource Allocation


Allocation of Time to Consulting and Assurance Activities

The data collected regarding the rationale for resource allocation and focus indicated that a vast majority of the respondents (75%) felt that the allocation

appropriate as noted below:

Figure 20 ERM Resource Allocation

20%

44%

0%


ActivitiesNo consulting time (all

audit/assurance)

Some consulting (Less than 25% of

time)

Half consulting (Other 50% of time for

audit/assurance)

Mostly consulting (75% or more time)

All consulting (no auidt/assurance)

Not applicable

0 5 10 15






Others

ERM Resource Allocation

23

The data collected regarding the rationale for resource allocation and focus locations at the



Half consulting (Other 50% of time for

Mostly consulting (75% or more time)


20


KRevelsText Box


The themes noted during the interviews are as follows: A number of respondents indicated that internal audit is involved in co

of the ERM initiatives at their organizations. In some instances, been asked to be the owner of the process as no other departments accepted the responsibility.

A vast number of organizations indicated that they have a formal prplace (70%).

About 25% of the respondents (among the organizations in early stages) indicated that they do not

Independence was not identified as a concern in this area.


According to the IIA, internal risk awareness within the organization. However, several respondents stated in interviews that a major barrier to getting ERM off the ground in their organizations is convincing executives of its beneficial impact.

One respondent who has experience getting successful ERM implementations off the ground stated that implementing ERM is more an art than a science. Getting buy-in from top-level management can be a challengrespondent has developed several innovative approaches to address the issue while demonstrating the value of the initiative:

- Proactively discuss risks with top level management in formal and informal discussions. Gain an understanding of what keeps management up at night and identify events that would negatively impact the achievement of objectives. In this effort, establish what the problems are, whether they are systemic or isolated, and begin to identify what the key controls are. Do the controls currently exist, or must they be designed? Where the key controls shouldprocess owners begin having to be accountable through the quarterly certification


he themes noted during the interviews are as follows: A number of respondents indicated that internal audit is involved in coof the ERM initiatives at their organizations. In some instances, internal auditbeen asked to be the owner of the process as no other departments accepted

A vast number of organizations indicated that they have a formal pr

About 25% of the respondents (among the organizations in early stages) do not plan to increase their level of involvement.

Independence was not identified as a concern in this area.


nternal audit can and should be a champion of ERM and risk awareness within the organization. However, several respondents stated in interviews that a major barrier to getting ERM off the ground in their organizations is

nvincing executives of its beneficial impact. One respondent who has experience getting successful ERM implementations

off the ground stated that implementing ERM is more an art than a science. Getting level management can be a challenge due to various factors, and the

respondent has developed several innovative approaches to address the issue while demonstrating the value of the initiative:

Proactively discuss risks with top level management in formal and informal n an understanding of what keeps management up at night and

identify events that would negatively impact the achievement of objectives. In this effort, establish what the problems are, whether they are systemic or isolated, and begin

e key controls are. Do the controls currently exist, or must they be the key controls should be located to ensure optimization? As

process owners begin having to be accountable through the quarterly certification

24

A number of respondents indicated that internal audit is involved in co-ordination internal audit has

been asked to be the owner of the process as no other departments accepted

A vast number of organizations indicated that they have a formal process in

About 25% of the respondents (among the organizations in early stages) plan to increase their level of involvement.

udit can and should be a champion of ERM and risk awareness within the organization. However, several respondents stated in interviews that a major barrier to getting ERM off the ground in their organizations is

One respondent who has experience getting successful ERM implementations off the ground stated that implementing ERM is more an art than a science. Getting

e due to various factors, and the respondent has developed several innovative approaches to address the issue while

Proactively discuss risks with top level management in formal and informal n an understanding of what keeps management up at night and

identify events that would negatively impact the achievement of objectives. In this effort, establish what the problems are, whether they are systemic or isolated, and begin

e key controls are. Do the controls currently exist, or must they be be located to ensure optimization? As

process owners begin having to be accountable through the quarterly certification


KRevelsText Box


process for exceptions, less and less exceptions should occur over time. These results can then be presented to management as evidence of the success of the initiative, as it demonstrates effective results in reducing the risks that keep management up at night. This can solidify and increase support for a formal ERM effort built on continuous improvement. This approach allows adoption of ERM as an incremental effort, rather than an overnight implementation.

- Develop a pilot of ERM for a single department, such as AccountRoll ERM out in that one department by identifying the departments objectives, linking them to risks, and developing risk responses and control activities. Self Assessment testing should be performed periodically to evaluate the success the successes and opportunities for improved implementation. Build on the knowledge learned to refine the process in that department. Present the results to senior management as a proposal for a phased implementation that is morbe more easily integrated into the business processes. If management understands that ERM doesnt have to be all at once, and doesnt have to be overcomplicated, buyis easier to achieve.

Another respondent acknowledged that ERM wastage within his organization, but stated that this was intentional and that the company was where it wanted to be with respect to ERM with limited additional investment. With his approach, all the elements of tto link risks to strategy, increase risk awareness in the company, and increase process owner accountability for developing risk responses. benefit to his approach to ERM is that it has allowed and build risk awareness into the culture of the organization over time, without overwhelming process owners with the ERM terminology. In annual risk assessments, internal audit gains an understanding of the highest risks facing the organization. Then, when the audit plan is developed it is linked to the companys strategy risks are linked to strategic objectives and the audit plan is linked to strategy. These are key objectives within ERM and the respondent believes he is accomplishing them


less and less exceptions should occur over time. These results can then be presented to management as evidence of the success of the initiative, as it demonstrates effective results in reducing the risks that keep management up at night.

dify and increase support for a formal ERM effort built on continuous improvement. This approach allows adoption of ERM as an incremental effort, rather than an overnight implementation.

Develop a pilot of ERM for a single department, such as AccountRoll ERM out in that one department by identifying the departments objectives, linking them to risks, and developing risk responses and control activities. Self Assessment testing should be performed periodically to evaluate the success of the initiative, noting the successes and opportunities for improved implementation. Build on the knowledge learned to refine the process in that department. Present the results to senior management as a proposal for a phased implementation that is more practical and can be more easily integrated into the business processes. If management understands that ERM doesnt have to be all at once, and doesnt have to be overcomplicated, buy

Another respondent acknowledged that ERM was probably in the Initial or Infrastructure stage within his organization, but stated that this was intentional and that the company was where it wanted to be with respect to ERM with limited additional investment. With his approach, all the elements of the internal audit / compliance functions work together to link risks to strategy, increase risk awareness in the company, and increase process owner accountability for developing risk responses. This respondent believes that a key

to ERM is that it has allowed internal audit to link risk to strategy and build risk awareness into the culture of the organization over time, without overwhelming process owners with the ERM terminology. In annual risk assessments,

an understanding of the highest risks facing the organization. Then, when the audit plan is developed it is linked to the companys strategy risks are linked to strategic objectives and the audit plan is linked to strategy. These are

y objectives within ERM and the respondent believes he is accomplishing them

25

less and less exceptions should occur over time. These results can then be presented to management as evidence of the success of the initiative, as it demonstrates effective results in reducing the risks that keep management up at night.

dify and increase support for a formal ERM effort built on continuous improvement. This approach allows adoption of ERM as an incremental effort, rather

Develop a pilot of ERM for a single department, such as Accounting or Finance. Roll ERM out in that one department by identifying the departments objectives, linking them to risks, and developing risk responses and control activities. Self Assessment

of the initiative, noting the successes and opportunities for improved implementation. Build on the knowledge learned to refine the process in that department. Present the results to senior

e practical and can be more easily integrated into the business processes. If management understands that ERM doesnt have to be all at once, and doesnt have to be overcomplicated, buy-in

s probably in the Initial or Infrastructure stage within his organization, but stated that this was intentional and that the company was where it wanted to be with respect to ERM with limited additional investment. With

he internal audit / compliance functions work together to link risks to strategy, increase risk awareness in the company, and increase process

This respondent believes that a key udit to link risk to strategy

and build risk awareness into the culture of the organization over time, without overwhelming process owners with the ERM terminology. In annual risk assessments,

an understanding of the highest risks facing the organization. Then, in this manner,

risks are linked to strategic objectives and the audit plan is linked to strategy. These are y objectives within ERM and the respondent believes he is accomplishing them


KRevelsText Box


without creating a separate ERM effort. This helps gain the buyhe presents the audit plan, because management sees a risklinked to the company's core objectives, and it makes sense to them.

A major benefit noted by various respondents was that the ERM implementation process resulted in positive changes to the risk culture of the organization. Often, the process of conducting risk assessments and discussing risks with management resulted in increased risk awareness and more accountability on the part of process owners and managers.

Corporate Governance

The data collected in this area maturity level with 32% of the respondents identifying their organizations at this maturity level and about two-thirds (64

Figure 21 Maturity Level (Corporate Governance) as Assessed by

More than half of the respondents (departments time was spent at least 1

32%



without creating a separate ERM effort. This helps gain the buy-in of management when he presents the audit plan, because management sees a risk-based audit plan that is

the company's core objectives, and it makes sense to them. A major benefit noted by various respondents was that the ERM implementation

process resulted in positive changes to the risk culture of the organization. Often, the sessments and discussing risks with management resulted

in increased risk awareness and more accountability on the part of process owners and

The data collected in this area indicated that Integrated was the median% of the respondents identifying their organizations at this maturity

thirds (64%) below the Integrated maturity level or below.

Maturity Level (Corporate Governance) as Assessed by Respondents

More than half of the respondents (60%) indicated that their internal audit at least 10% or more in this area.

12%

20%

32%

4%


Respondents

Initial

Infrastructure

Integrated

Managed

Optimized

26

in of management when based audit plan that is

A major benefit noted by various respondents was that the ERM implementation process resulted in positive changes to the risk culture of the organization. Often, the

sessments and discussing risks with management resulted in increased risk awareness and more accountability on the part of process owners and

as the median % of the respondents identifying their organizations at this maturity

level or below.

Respondents

60%) indicated that their internal audit

Infrastructure

Integrated

Managed

Optimized


KRevelsText Box


Figure 22 Time Spent for Corporate Governance Activities

Of the time spent in this areatheir internal audit departmentsthe Figure below.

Figure 23 Allocation of Time between Consulting and Assuran

24%

28%

Time Spent for Corporate

Governance Activities

4%4%

4% 4%

Allocation of Time Between Consulting and


Time Spent for Corporate Governance Activities

in this area, a majority (68%) of the respondents noted that their internal audit departments time spent is in assurance type activities as shown in

Allocation of Time between Consulting and Assurance Activities

4%

20%

16%

8%

Time Spent for Corporate

Governance Activities

No Time Spent

0% to 5%

6% to 10%

11% to 15%

16% to 25%

More than 25%

16%

68%

Allocation of Time Between Consulting and

Assurance ActivitiesNo consulting time (all

audit/assurance)


time)

Half consulting (Other 50% of time

for audit/assurance)


time)


Not applicable

27

the respondents noted that time spent is in assurance type activities as shown in

ce Activities

No Time Spent

11% to 15%

16% to 25%

More than 25%


Half consulting (Other 50% of time




KRevelsText Box


The data collected regarding the rationale for resource allocation and focus indicated that a vast majority of the respondentscurrent levels was appropriate as noted

Figure 24

Some of the themes noted during the interviews are as follows: A number of respondents indicated that

key activity in this area. A large number of organizations in

organizations are requested by management or activities in this area.


A key roadblock noted by several respondents was that there is a laguidance on how to audit corporate governance. One respondent stated that this can result in difficulties developing the scope and objectives for corporate governance audits.






Corporate Governance


The data collected regarding the rationale for resource allocation and focus indicated that a vast majority of the respondents (85%) felt that the allocation at the current levels was appropriate as noted in Figure-24.

24 Corporate Governance Resource Allocations

Some of the themes noted during the interviews are as follows: A number of respondents indicated that the Entity-level controls review key activity in this area.

number of organizations indicated that there are set procedures or their organizations are requested by management or the audit committee to perform


A key roadblock noted by several respondents was that there is a laguidance on how to audit corporate governance. One respondent stated that this can result in difficulties developing the scope and objectives for corporate governance

0 5 10 15 20






Others

Corporate Governance - Resource

Allocation

28

The data collected regarding the rationale for resource allocation and focus 5%) felt that the allocation at the

level controls review was the

dicated that there are set procedures or their audit committee to perform

A key roadblock noted by several respondents was that there is a lack of guidance on how to audit corporate governance. One respondent stated that this can result in difficulties developing the scope and objectives for corporate governance

25


KRevelsText Box


Several respondents noted that a major benefit of performing these typeengagements is that they can help strengthen the corporate culture and ethical climate. This benefit can be achieved through identifying exceptions and following up to verify remediation, and also through making recommendations when deficiencies in tdesign of organizational governance processes are noted.

A large healthcare services organization'sadopted a number of organization wreinforcement initiatives that appear to have been received well by the auditeesarea. Some of the key initiatives are as follows: * "Audit Trophy", an award given to the units that meet or exceed certain scor

in the yearly rotational audits. * "Audit update newsletter", an email blast that is sent on a monthly basis to

communicate the audit and governance initiatives. * "Quarterly audit webcasts", an online webinar inviting organization wide

participants for education and discussions on hot topics. * "Data Analysis Dashboards",

management to monitor business trends.


Several respondents noted that a major benefit of performing these typeengagements is that they can help strengthen the corporate culture and ethical climate. This benefit can be achieved through identifying exceptions and following up to verify remediation, and also through making recommendations when deficiencies in tdesign of organizational governance processes are noted.

A large healthcare services organization's CAE notes that internal audit has adopted a number of organization wide internal audit communication and other positive reinforcement initiatives that appear to have been received well by the auditees

. Some of the key initiatives are as follows: * "Audit Trophy", an award given to the units that meet or exceed certain scor

in the yearly rotational audits. * "Audit update newsletter", an email blast that is sent on a monthly basis to

communicate the audit and governance initiatives. * "Quarterly audit webcasts", an online webinar inviting organization wide

ts for education and discussions on hot topics. * "Data Analysis Dashboards", data summary reports for internal audit and

management to monitor business trends.

29

Several respondents noted that a major benefit of performing these types of engagements is that they can help strengthen the corporate culture and ethical climate. This benefit can be achieved through identifying exceptions and following up to verify remediation, and also through making recommendations when deficiencies in the

internal audit has ide internal audit communication and other positive

reinforcement initiatives that appear to have been received well by the auditees in this

* "Audit Trophy", an award given to the units that meet or exceed certain score

* "Audit update newsletter", an email blast that is sent on a monthly basis to

* "Quarterly audit webcasts", an online webinar inviting organization wide

data summary reports for internal audit and


KRevelsText Box


Social and Sustainability Audits and Consultation

The data collected in this area indicated that a majority of the respondents (7have not been involved in this area and were at the Initial

Figure 25 Maturity Level (Social & Sustainability Audit) as assessed by Respondents

The trend of involvement of with the amount of time spent involvement as noted in Figure 26 and Figure 27

Figure 26 Time Spent for Social and Sustainability Related Activities

12%

8% 0%4%


36%

8%

Time Spent for Social and

Sustainability Audit Activities


Social and Sustainability Audits and Consultation

The data collected in this area indicated that a majority of the respondents (7have not been involved in this area and were at the Initial

Maturity Level (Social & Sustainability Audit) as assessed by Respondents

trend of involvement of internal audit departments in this area also coincided nt about half of the respondents did not have any

in Figure 26 and Figure 27.

Time Spent for Social and Sustainability Related Activities

76%

4%


Respondents

Initial

Infrastructure

Integrated

Managed

Optimized

56%

8% 0%0%0%

Time Spent for Social and

Sustainability Audit Activities

No Time Spent

0% to 5%

6% to 10%

11% to 15%

16% to 25%

More than 25%

30

The data collected in this area indicated that a majority of the respondents (76%) have not been involved in this area and were at the Initial maturity level.

Maturity Level (Social & Sustainability Audit) as assessed by Respondents

udit departments in this area also coincided the respondents did not have any

Infrastructure

No Time Spent

11% to 15%

16% to 25%

More than 25%


KRevelsText Box


Of the internal audit departments that spent time in this area, a large propo(87%) spent most of their time in assurance type activities as noted in the Figure 27.

Figure 27 Spread of Time between Audit and Consulting Activities

The data collected regarding the rationale for resource allocation andindicated that a vast majority of the respondentscurrent levels was appropriate below:

Figure 28 Allocation of Resources to Soc

8%0%0%

40%

Allocation of Time Between

Consulting and Audit Activities






Social and Sustainability Audits: Resource


Of the internal audit departments that spent time in this area, a large propo(87%) spent most of their time in assurance type activities as noted in the Figure 27.

Spread of Time between Audit and Consulting Activities

T

internal audit's value addition approach - a study in the dallas-fort worth area - dallas

Documents

sustainability audits

consultationstrategy

dallas chapter

dallasfort worth area

participants profile

iia research foundation

research committee

statistical tablesappendix