internal audit's value addition approach - a study in the dallas-fort worth area - dallas
DESCRIPTION
Internal Audit's Value AdditionTRANSCRIPT
-
2011
Internal Audit's Value Addition Approach - A Study in the Dallas-Fort Worth Area The Research Committee of the Dallas Chapter of the IIA
2011 - The IIA Research Foundation
-
The Dallas Chapter of the Institute of Internal Auditors
Internal Audits Value Addition Approach
Worth Area
Contents
Introduction ................................Value Addition ApproachesSurvey Design ................................Project Plan ................................Participants Profile ................................Represented Organizations ProfileRepresented Internal Audit Departments ProfileArea Specific Observations
Project Management ................................Enterprise Risk ManagementCorporate Governance ................................Social and Sustainability Audits and ConsultationStrategy Audits and Consultation
Data Analysis ................................Conclusions and ImplicationsLimitations and Future OpportunitiesAcknowledgements ................................Appendix I: Statistical TablesAppendix II: Interpreting Correlation Coefficients and CovarianceAppendix III: Pre-Interview QuestionnaireAppendix IV: Interview QuestionnaireReferences ................................
The Dallas Chapter of the Institute of Internal Auditors
Internal Audits Value Addition Approach- a Study in the Dallas
................................................................................................
Value Addition Approaches .........................................................................................................................................................................................
................................................................................................
................................................................................................
Represented Organizations Profile ................................................................Represented Internal Audit Departments Profile .......................................................Area Specific Observations .......................................................................................
..............................................................................................
ise Risk Management ...........................................................................................................................................................
Social and Sustainability Audits and Consultation................................Strategy Audits and Consultation ................................................................
................................................................................................
Conclusions and Implications ....................................................................................Limitations and Future Opportunities ................................................................
................................................................................................
Appendix I: Statistical Tables .....................................................................................Appendix II: Interpreting Correlation Coefficients and Covariance ............................
Interview Questionnaire ................................................................Appendix IV: Interview Questionnaire ................................................................
................................................................................................
2
a Study in the Dallas-Fort
.................................................. 3 ......................... 6
............................................. 9 ............................................... 10
.................................... 10 ........................................... 13
....................... 15
....................... 17 .............................. 18
................................................. 21 ........................... 26
.................................................. 30 ........................................... 33
............................................. 35 .................... 35
......................................... 36 .................................... 37
..................... 38 ............................ 39
................................. 40 ........................................ 42
................................................ 47
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Introduction
As Richard Chambers observed, from the back room to the board roominternal auditors to provide additional value to the organizationthan everii. The objective of thisthe efforts of internal audit organizations in this endeavor. committee (committee) leveragedAUDIT SURVEY- Characteristics of an emerging focus areas in which internal auditors could add valueinnovative approaches. From this foundation, whether the internal audit departments these emerging focus areas.
The hypothesis for this studywill experience a push to increasingly focus below) and to generate additionalor financial audit areas. The committees for focused research and conducting area to evaluate the level of experience local internal auditemerging audit areas. Keeping in perspective that the study is a chapter research project, the committee focusedperceived by the committee as and that can be performed by size. Based on these criteria, Table-1 for study from the 2010 IIA Global Internal Audit Survey: Characteristics of an Internal Audit Activity- Report I
The Dallas Chapter of the Institute of Internal Auditors
As Richard Chambers observed, the internal auditing profession and its rom the back room to the board roomi is being closely watched. The demand for
internal auditors to provide additional value to the organizations they servethis study is to identify the factors that contribute to or inhibit
the efforts of internal audit organizations in this endeavor. To that end, the leveraged the results of the 2010 IIA GLOBAL INTERNAL
Characteristics of an internal audit Activityiii as a basis to identify in which internal auditors could add value using nontraditional or
From this foundation, the committee sought to determine the internal audit departments in the Dallas/Fort Worth Metroplex are
for this study is that internal audit departments (respondentswill experience a push to increasingly focus on certain emerging types of audits (noted
additional value outside the traditional operational, compliance The committees approach involved identifying the audit areas
conducting targeted interviews with Audit Executives in the to evaluate the level of experience local internal audit departments have with these
. Keeping in perspective that the study is a chapter research ed on a selection of internal audit activities that
ommittee as unique and innovative, that were emerging in popularityerformed by a wide variety of audit functions, regardless of industry or
Based on these criteria, the committee selected the five focus areas2010 IIA Global Internal Audit Survey: Characteristics of an
Report I.
3
profession and its journey is being closely watched. The demand for
s they serve is higher is to identify the factors that contribute to or inhibit
he research the results of the 2010 IIA GLOBAL INTERNAL
as a basis to identify using nontraditional or
sought to determine in the Dallas/Fort Worth Metroplex are active in
respondents) ging types of audits (noted
operational, compliance identifying the audit areas
with Audit Executives in the have with these
. Keeping in perspective that the study is a chapter research udit activities that were
emerging in popularity, regardless of industry or
areas noted in 2010 IIA Global Internal Audit Survey: Characteristics of an
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Table 1 Focus Areas Activity Levels and Ranking
Focus Area
1 Audits of enterprise risk management
processes
2 Project management assurance/
audits of major projects
3 Corporate governance reviews
4 Reviews addressing linkage of
strategy and company performance
5 Social and sustainability audits
The above areas were considered to meet the Committees selection criteria based our review of the Global Internal Audit Survey. According to the Survey:
The areas were not traditionaldepartments, with activity amount
There was a fairly even distribution of operational, governance and strategic areas.
The selection included emerging issues such as environmental sustainability and strategy audits.
The aspects considered by the committee through this study
How many respondents had begun to integrate these areas into their audit plans, and what percentages of resources were
Have these engagements added value the progress being measured?
For organizations not performing these engagements, what are the main roadblocks and concerns?
If these activities are not performed currently, what is the timeframe for adoption? What challenges are facing internal auditors in their attempts to add value in their
organizations in these areas?
The Dallas Chapter of the Institute of Internal Auditors
Focus Areas Activity Levels and Ranking
Activity Rank
Audits of enterprise risk management 56.6% 8
Project management assurance/
audits of major projects
55.4% 9
Corporate governance reviews 44.5% 13
Reviews addressing linkage of
strategy and company performance
25.3% 19
and sustainability audits 19.6% 22
considered to meet the Committees selection criteria based our review of the Global Internal Audit Survey. According to the Survey:
traditional focus areas by the majority of internal audit vity amounting to less than 60%.
There was a fairly even distribution of operational, governance and strategic
The selection included emerging issues such as environmental sustainability and
by the committee through this study included the following:
How many respondents had begun to integrate these areas into their audit plans, percentages of resources were being allocated?
these engagements added value to their organizations, and if sothe progress being measured? For organizations not performing these engagements, what are the main roadblocks and concerns? If these activities are not performed currently, what is the timeframe for adoption?
enges are facing internal auditors in their attempts to add value in their organizations in these areas?
4
Rank
considered to meet the Committees selection criteria based on
internal audit
There was a fairly even distribution of operational, governance and strategic
The selection included emerging issues such as environmental sustainability and
the following:
How many respondents had begun to integrate these areas into their audit plans,
eir organizations, and if so, how is
For organizations not performing these engagements, what are the main
If these activities are not performed currently, what is the timeframe for adoption? enges are facing internal auditors in their attempts to add value in their
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Methodology For the purposes of the study, the committee use
as the framework to evaluate the level of maturity of thedepartment as well as its maturity and experience level related to each specific area. The Capability Maturity Model is a continuum used to evaluate the maturity of a process, department or organization, with the stages
Initial: No sustainable repeatable capabilities (little or no internal audit department or process exists)Infrastructure: Sustainable and repeatable procedures (compliance audits)Integrated: IA management and professional practices uniformly applied (advisory services) Managed: Integrates information from across the organization to improve governance and risk management (overall assurance on Governance, Risk Management and control)Optimized: IA learning from inside and outside the organization for continuous improvement (internal a
First, the committee asked each respondent to maturity level of their overall internal overall evaluation was to provide a evaluation for each specific audit area.activity areas, the respondentslevel with respect to that particularthe assessment of maturity levels of the organization versus the maturity level of focus areas.
The Dallas Chapter of the Institute of Internal Auditors
of the study, the committee used the Capability Maturity as the framework to evaluate the level of maturity of the respondents internal audit department as well as its maturity and experience level related to each specific area. The Capability Maturity Model is a continuum used to evaluate the maturity of a process, department or organization, with the stages of maturity defined as follows:
No sustainable repeatable capabilities (little or no internal audit department or process exists)
Sustainable and repeatable internal audit (IA) practices and procedures (compliance audits)
IA management and professional practices uniformly applied
Integrates information from across the organization to improve governance and risk management (overall assurance on Governance, Risk Management and control)
IA learning from inside and outside the organization for continuous audit recognized as key agent of change)
ommittee asked each respondent to in their opinion nternal audit department. The purpose of obtaining this
provide a basis against which to compare the maturity evaluation for each specific audit area. Then, for each of the above identified audit
ondents were asked to assess their internal audit teams to that particular area. The committee then studied the maturity levels of the organization versus the maturity level of focus
5
Maturity Model respondents internal audit
department as well as its maturity and experience level related to each specific focus area. The Capability Maturity Model is a continuum used to evaluate the maturity of a
of maturity defined as follows:
No sustainable repeatable capabilities (little or no internal audit
practices and
IA management and professional practices uniformly applied
Integrates information from across the organization to improve governance and risk management (overall assurance on Governance, Risk
IA learning from inside and outside the organization for continuous
evaluate the . The purpose of obtaining this
against which to compare the maturity or each of the above identified audit
their internal audit teams maturity the differences in
maturity levels of the organization versus the maturity level of focus
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Value Addition Approaches As mentioned previously, five value addition approaches were selected. A brief
description of each value addition approach follows. These descriptions were to each respondent:
1) Project Management refers to the activities performed by the or consulting support for the organizations project management initiatives. Some organizations/companies may not have a dedicated Project Ma(PMO) or Project Management (PM) framework. Internal audits engagement may include the following types of activities:
Post Implementation R Consultative services Implementation verification
2) Enterprise Risk Management (ERM)and processes used by organizationopportunities by embedding risk awareness into the strategyERM is different from audit risk assessment, seeking to accomplish the broader initiatives of linking risks to strategic objectives, responses, and managing risk to within risk appetite on an enterpriseInternal audit departments however, the Institute of the acceptable roles internal auditobjective of our study was to determine the extent to which to support ERM implementation while Figure 1iv.
The Dallas Chapter of the Institute of Internal Auditors
e Addition Approaches As mentioned previously, five value addition approaches were selected. A brief
description of each value addition approach follows. These descriptions were
Project Management Audit and Consultation activities refers to the activities performed by the internal audit department to provide audit or consulting support for the organizations project management initiatives. Some organizations/companies may not have a dedicated Project Management Office (PMO) or Project Management (PM) framework. Internal audits engagement may include the following types of activities:
Post Implementation Reviews Consultative services during the design and implementation phaseImplementation verification and validation
Enterprise Risk Management (ERM) ERM generally refers to the methods and processes used by organizations to strategically manage risks and leverage
by embedding risk awareness into the strategy-setting process. rent from audit risk assessment, seeking to accomplish the broader
of linking risks to strategic objectives, developing appropriate risk responses, and managing risk to within risk appetite on an enterpriseInternal audit departments could be involved in a number of ways in this processhowever, the Institute of internal auditors has established guidelines surrounding
internal auditors can take on with respect to ERMobjective of our study was to determine the extent to which internal
support ERM implementation while staying within the boundaries as defined
6
As mentioned previously, five value addition approaches were selected. A brief description of each value addition approach follows. These descriptions were provided
t and Consultation activities epartment to provide audit
or consulting support for the organizations project management initiatives. Some nagement Office
(PMO) or Project Management (PM) framework. Internal audits engagement
during the design and implementation phase
enerally refers to the methods manage risks and leverage
setting process. rent from audit risk assessment, seeking to accomplish the broader
developing appropriate risk responses, and managing risk to within risk appetite on an enterprise-wide level.
ould be involved in a number of ways in this process; delines surrounding
ors can take on with respect to ERM. An nternal audit is able
within the boundaries as defined in
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
3) Corporate Governance:customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or contra significant role in assisting the board with corporate governance. According to the IIA Position Paper Organizational Governance: Guidance for Internal Auditors, Often, internal auditors can assist organizationboard of directors and executive management on needed improvements and changes in structure and design, not just whether established processes are operating. The type of activities performed by related to the maturity of the Governance Model in the organization, as the IIAs Internal Audit Governance Maturity Model of our study was to identify the level of maturity exhibited by respondents in providing the advisory support recommended by the IIA.
The Dallas Chapter of the Institute of Internal Auditors
Figure 1 Internal Audit Roles
Corporate Governance: Corporate governance is the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or controlled. Internal audit departments play a significant role in assisting the board with corporate governance. According to the IIA Position Paper Organizational Governance: Guidance for Internal Auditors, Often, internal auditors can assist organizations better by advising the board of directors and executive management on needed improvements and changes in structure and design, not just whether established processes are operating. The type of activities performed by internal audit can typically be
ated to the maturity of the Governance Model in the organization, as the IIAs Internal Audit Governance Maturity Model shows in the Figure 2v
of our study was to identify the level of maturity exhibited by respondents in e advisory support recommended by the IIA.
7
Corporate governance is the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or
Internal audit departments play a significant role in assisting the board with corporate governance. According to the IIA Position Paper Organizational Governance: Guidance for Internal
s better by advising the board of directors and executive management on needed improvements and changes in structure and design, not just whether established processes are
udit can typically be ated to the maturity of the Governance Model in the organization, as the IIAs
v. An objective
of our study was to identify the level of maturity exhibited by respondents in
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Figure 2
4) Social and sustainability (Corporate social responsibility, environmental) audits: Social and sustainability initiatives include the pwhereby an organization integrates its social responsibilities and sustainable business practices. Social responsibilities might include activities to promote public interest, charitable, and/or philanthropic activities. Sustainabiinclude practices to promote environmentally friendly activities, prevent environmental disasters, or prevent misterm profits rather than for customer welfare.)initiatives are gaining significant prominence in business and government in recent years. The latest sustainability reporting trends indicate that 142 regulatory instruments addressing sustainability reporting exist in 30 countries and 65% of the standards from government, a series of challenges were noted in a survey by Deloittepart of our study objectives we sought to understand the rate of voluntary adoption of sustainability initiatives in the
The Dallas Chapter of the Institute of Internal Auditors
2 Internal Audit Governance Maturity Model
Social and sustainability (Corporate social responsibility, environmental) Social and sustainability initiatives include the processes and practices,
whereby an organization integrates its social responsibilities and sustainable business practices. Social responsibilities might include activities to promote
interest, charitable, and/or philanthropic activities. Sustainabiinclude practices to promote environmentally friendly activities, prevent environmental disasters, or prevent mis-selling (e.g. selling of products for shortterm profits rather than for customer welfare.) Social and sustainability goals and
itiatives are gaining significant prominence in business and government in recent years. The latest sustainability reporting trends indicate that 142 regulatory instruments addressing sustainability reporting exist in 30 countries and 65% of the standards are considered mandatoryvi. Even with significant push from government, a series of challenges were noted in a survey by Deloittepart of our study objectives we sought to understand the rate of voluntary adoption of sustainability initiatives in the DFW Metroplex, the extent of
8
Social and sustainability (Corporate social responsibility, environmental) and practices,
whereby an organization integrates its social responsibilities and sustainable business practices. Social responsibilities might include activities to promote
interest, charitable, and/or philanthropic activities. Sustainability might include practices to promote environmentally friendly activities, prevent
selling (e.g. selling of products for short-Social and sustainability goals and
itiatives are gaining significant prominence in business and government in recent years. The latest sustainability reporting trends indicate that 142 regulatory instruments addressing sustainability reporting exist in 30 countries
. Even with significant push from government, a series of challenges were noted in a survey by Deloittevii. As part of our study objectives we sought to understand the rate of voluntary
the extent of
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
respondents activities to support these initiatives, noted.
5) Strategy Audits: The definition of business strategy is a long term plan of action designed to achieve a particular goal or set of goalmay be comprised of two types: 1) Assessing the adequacy of the strategy making process and subsequent monitoringof a business and comparing that to the planned direction as outlined istrategic plan. Strategy respondents to the Global Internal Audit Survey reporting that they are a significant part of their organizations audit plans. However, they important way for internalmeasurement and feedback on performance in association with achievement of strategic objectives. As the consultative partner, advising controls that impact achievement of strategic objectives and value creation, we sought to determine whether these audits are being performed in pursuit of this direction.
Survey Design The committee contacted
having at least 25 participants)audit executive uniquely represented one formally functioning internal audit department. During this process the committeeand organization sizes.
The data was collected in two phases. In the first phase, the requested to complete a preliminary III). In the second phase, the reminutes to obtain additional informationquestionnaire (see Appendix- 25 respondents for this study.
The Dallas Chapter of the Institute of Internal Auditors
respondents activities to support these initiatives, and the particular challenges
: The definition of business strategy is a long term plan of action designed to achieve a particular goal or set of goals or objectives. Strategy audits may be comprised of two types: 1) Assessing the adequacy of the strategy making process and subsequent monitoring, or 2) Assessing the actual direction of a business and comparing that to the planned direction as outlined istrategic plan. Strategy audits are not common, with less than 25% of respondents to the Global Internal Audit Survey reporting that they are a significant part of their organizations audit plans. However, they can be an important way for internal auditors to add value through providing independent measurement and feedback on performance in association with achievement of
As the internal audit profession seeks to emerge as a consultative partner, advising management and the board on the risks and controls that impact achievement of strategic objectives and value creation, we sought to determine whether these audits are being performed in pursuit of this
The committee contacted approximately 40 audit executives (with a goal of having at least 25 participants) in the DFW area for participation in this study
uniquely represented one formally functioning internal audit department. During this process the committee attempted to cover a wide array of industry sectors
The data was collected in two phases. In the first phase, the respondents were preliminary written data-gathering questionnaire
In the second phase, the respondents were interviewed for approximatelyminutes to obtain additional information based on the responses provided in the initial
IV). The committee was able to meet the goal of having for this study.
9
and the particular challenges
: The definition of business strategy is a long term plan of action s or objectives. Strategy audits
may be comprised of two types: 1) Assessing the adequacy of the strategy or 2) Assessing the actual direction
of a business and comparing that to the planned direction as outlined in the are not common, with less than 25% of
respondents to the Global Internal Audit Survey reporting that they are a can be an
auditors to add value through providing independent measurement and feedback on performance in association with achievement of
udit profession seeks to emerge as a oard on the risks and
controls that impact achievement of strategic objectives and value creation, we sought to determine whether these audits are being performed in pursuit of this
(with a goal of in the DFW area for participation in this study. Each
uniquely represented one formally functioning internal audit department. wide array of industry sectors
respondents were questionnaire (see Appendix
approximately 30 based on the responses provided in the initial
The committee was able to meet the goal of having
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Project Plan
The research project was completed in three phases starting from Octhrough March 2011 as shown below:
Figure 3 Project Plan
Participants Profile The research committee solicited
organizations that are based in DFW area. The parameters defined by the committee for the participants were as follows:
Chief Audit Executive (CAE), the topequivalent department with the responsibility of providing
Audit Executive (AE), an existinggroup who has a direct reporting relationship to a CAE
The Dallas Chapter of the Institute of Internal Auditors
The research project was completed in three phases starting from October 2010 through March 2011 as shown below:
The research committee solicited audit executives in the DFW areabased in the DFW area or that have significant operations in the
he parameters defined by the committee for the participants were as
Chief Audit Executive (CAE), the top-most person in the internal auditequivalent department with the responsibility of providing internal auditAudit Executive (AE), an existing member of the internal audit management
who has a direct reporting relationship to a CAE.
10
tober 2010
area who serve icant operations in the
he parameters defined by the committee for the participants were as
internal audit or internal audit services.
internal audit management
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Ex-CAEs or Ex-AEs, who have served in audit management year, but are not currently em
Other Director or higher level personnel in the audit organizationsufficient knowledge of internal audit activities of the organization.
Professional Service Practitioners (PSP), Partnerservices firms who hafunctions. These categormajor clients as the representative organization for the purpose of the survey.
Each participant represented a uniDFW area.
The quality of the data is greatly dependent on the experience level of the participants and their tenure with the organization. The data cooverall experience levels of respondents respondents being the internal audithaving at least 10 years experiencethe experience levels of the respondents
24%
4%8%
The Dallas Chapter of the Institute of Internal Auditors
AEs, who have served in audit management rolesnot currently employees.
higher level personnel in the audit organizationsufficient knowledge of internal audit activities of the organization. Professional Service Practitioners (PSP), Partner-level personnel in professional
o have adequate knowledge of their clients. These categories of participants were requested to select one of their
major clients as the representative organization for the purpose of the survey.Each participant represented a unique functional internal audit department in the
Figure 4 Respondents' Profile
The quality of the data is greatly dependent on the experience level of the participants and their tenure with the organization. The data collected indicated that the
levels of respondents were high, with approximately twointernal audit leaders (CAEs) and 84% of the respondents experience. Figure-5 provides an overview of th
the experience levels of the respondents.
64%
Respondents' Profile
Chief Audit Executive
(CAE)
Audit Executive
Ex-CAE
Professional Services
Partner
11
roles within the past
higher level personnel in the audit organizations who have
level personnel in professional adequate knowledge of their clients internal audit of participants were requested to select one of their
major clients as the representative organization for the purpose of the survey. que functional internal audit department in the
The quality of the data is greatly dependent on the experience level of the llected indicated that the
two-thirds of the % of the respondents
provides an overview of the distribution of
Chief Audit Executive
Professional Services
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Respondents' experience Figure-6. The data collected from the respondents (84%) of the respondents had at least organization and two audit calendar cycles of experience with the practices of the organization.
Figure
28%
Overall Experience Levels
28%
16%
Respondents' Experience with the
The Dallas Chapter of the Institute of Internal Auditors
Figure 5 Overall Experience Levels
Respondents' experience with their respective organizations The data collected from the respondents indicated that a high proportion
%) of the respondents had at least two or more years of tenure within their current audit calendar cycles of experience with the practices of the
Figure 6 Experience with the Organization
4%12%
56%
Overall Experience Levels
Less than 5 years
5 to 10 years
10 to 25 years
More than 25 years
16%
40%
Respondents' Experience with the
Organization
Less than 2 years
2 to 5 years
5 to 10 years
More than 10 years
12
is depicted in indicated that a high proportion
f tenure within their current audit calendar cycles of experience with the practices of the
Less than 5 years
More than 25 years
Less than 2 years
More than 10 years
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Represented Organizations ProfileTo ensure the data was representative, t
obtain data covering a wide variety of industries.NAICS as a reference to identify the were noted to operate in more than one industry sector. For example, operated in both the construction and manufacturing operated in both the transportation and information sectors. The committee noted thatoverall; the responding organizations represented all the NAICS industry sectorfully or partially.
The data collected represented a wide variety of organizationemployees and revenue. Howeverorganizations (76%) achieved
Figure
In terms of employee countorganizations had at least 10,000 employeedistribution by number of employees.
32%
Revenue of Respondents'
The Dallas Chapter of the Institute of Internal Auditors
Represented Organizations Profile data was representative, the research committee attempted to
obtain data covering a wide variety of industries. The research committee used the tify the major industry sectors. A number of organizations
were noted to operate in more than one industry sector. For example, oneconstruction and manufacturing sectors while another respondent
rtation and information sectors. The committee noted thatthe responding organizations represented all the NAICS industry sector
The data collected represented a wide variety of organizational sizes in terms of owever, the majority of respondents reported that their
achieved at least 1 billion or more in yearly revenue.
Figure 7 Revenue of Respondents Organization
count, it was noted that about half (48%) of the least 10,000 employees or more. Please see Figure
by number of employees.
8%
12%
4%
44%
Revenue of Respondents'
Organization
Less than $200 million
$200 million to $500
million
$500 million to $1 billion
$1 billion to $5 billion
More than $5 billion
13
he research committee attempted to The research committee used the
industry sectors. A number of organizations one respondent
another respondent rtation and information sectors. The committee noted that,
the responding organizations represented all the NAICS industry sectors either
sizes in terms of respondents reported that their
least 1 billion or more in yearly revenue.
of the Please see Figure-8 for
Less than $200 million
$200 million to $500
$500 million to $1 billion
$1 billion to $5 billion
More than $5 billion
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Figure 8 Size of Respondents
In terms of geography, operate internationally. Please see
Figure
20%
20%
8%
Size of Respondents' Organization (By
48%
4%
Respondents' Organization Type
The Dallas Chapter of the Institute of Internal Auditors
Size of Respondents Organization (by Employees)
In terms of geography, about half (48%) of the respondents organizations Please see Figure-9 for distribution by organization type
Figure 9 Respondents Organization Type
12%
40%
8%
Size of Respondents' Organization (By
Employees)
Less than 1000
1,000 to 10,000
10,000 to 50,000
50,000 to 100,000
100,000 +
16%
32%
4%
Respondents' Organization Type
Regional
National
International/ Trans
national
Others and Not-
Applicable
14
organizations by organization type.
Less than 1000
1,000 to 10,000
10,000 to 50,000
50,000 to 100,000
International/ Trans-
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Represented Internal Audit Departments ProfileThe respondents audit
respondents had departments half (56%) of the respondents reporting that their internal audit department consisted of at least 11 members.
Figure
In terms of maturity by respondents internal audit departments the majority of them (over 60%)Figure-11 for the distribution by the duration of operations of internal audit departments.
36%
12%
8%
Respondents' IA Department Size
The Dallas Chapter of the Institute of Internal Auditors
Represented Internal Audit Departments Profile audit departments were of various sizes. The majority
had departments in the 11 to 25 members category and slightly more than half (56%) of the respondents reporting that their internal audit department consisted of
Figure 10 Respondents IA Department Size
In terms of maturity by the length of operation, the data indicated that 8departments have been operating for at least 5 years and
(over 60%) have been in operation for over 10 years.by the duration of operations of internal audit departments.
24%
20%
Respondents' IA Department Size
Less than 5 members
6 to 10 members
11 to 25 members
26 to 50 members
More than 50 members
15
ajority of the and slightly more than
half (56%) of the respondents reporting that their internal audit department consisted of
ion, the data indicated that 80% of the have been operating for at least 5 years and
have been in operation for over 10 years. Please see by the duration of operations of internal audit departments.
Less than 5 members
More than 50 members
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Figure 11 Respondents IA Department's Duration of Operations
In terms of the maturity of was noted that most (88%) of the organizations rated themselves aslevel of Integrated or Managed.level of the internal audit department.
Figure 12 Overall Maturity Level as Assessed by Respondents
60%
Respondents' IA Departments'
Duration of Operations
48%
Overall Maturity Level
The Dallas Chapter of the Institute of Internal Auditors
Respondents IA Department's Duration of Operations
In terms of the maturity of internal audits process as rated by the respondents, it of the organizations rated themselves as having a maturity
level of Integrated or Managed. Please see Figure-12 for distribution by overall internal audit department.
Overall Maturity Level as Assessed by Respondents
4%
16%
20%
Respondents' IA Departments'
Duration of Operations
One year or less
1 to 5 years
5 to 10 years
10 or more years
4% 4%
40%
4%
Overall Maturity Level
Initial
Infrastructure
Integrated
Managed
Optimized
16
udits process as rated by the respondents, it having a maturity
overall maturity
One year or less
5 to 10 years
10 or more years
Infrastructure
Integrated
Managed
Optimized
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
In terms of the activities performed by the internal audit departments, the distribution pattern in Table 2 departments had higher involvement in audit and assurance activities and compliance activities.
Table 2 Respondents Internal Audit Departments
Level/ Activity A&A Activities
No Time (0%) _ 0% to 10% _ 10% to 25% 2 26% to 50% 8 51% to 75% 14
More than 75% 1
Area Specific ObservationsAs touched on previously, the process of collecti
was executed in two phases. In the first phase, respondents were asked to complete pre-interview questionnaires to provide a baseline understanding of thematurity and resource allocation rationale for each fowere then targeted to the responses provided in the preon the rationale that the information available from respondents would vary depending on the experience with that area. For example, a Cdepartments maturity in performing Strategy Audits as Initial would likely have limited input on the benefits of conducting such activities, but may be able to answer questions related to future plans in this area. Conversely,maturity as Optimized could offer additional information about the benefits and roadblocks in conducting such activities, and how value and continuous improvement programs are monitored and measured. For the complete list to Appendices III and IV.
The Dallas Chapter of the Institute of Internal Auditors
In terms of the activities performed by the internal audit departments, the was noted and the data indicated that most of the audit
had higher involvement in audit and assurance activities and compliance
Internal Audit Departments Time Allocation for Various Activities.
Consulting Compliance Administration
1 1 -
9 8 13
12 7 11
3 8 1
- 1 -
- - -
Area Specific Observations As touched on previously, the process of collecting the data for each focus area
was executed in two phases. In the first phase, respondents were asked to complete interview questionnaires to provide a baseline understanding of their
maturity and resource allocation rationale for each focus area. Follow-up interviews were then targeted to the responses provided in the pre-interview questionnaires based on the rationale that the information available from respondents would vary depending on the experience with that area. For example, a CAE or AE who assessed his departments maturity in performing Strategy Audits as Initial would likely have limited input on the benefits of conducting such activities, but may be able to answer questions related to future plans in this area. Conversely, a respondent who assessed the maturity as Optimized could offer additional information about the benefits and roadblocks in conducting such activities, and how value and continuous improvement programs are monitored and measured. For the complete list of survey questions, refer
17
In terms of the activities performed by the internal audit departments, the was noted and the data indicated that most of the audit
had higher involvement in audit and assurance activities and compliance
inistration Others
12
11
2
-
-
-
ng the data for each focus area was executed in two phases. In the first phase, respondents were asked to complete
experience, up interviews
interview questionnaires based on the rationale that the information available from respondents would vary depending
AE or AE who assessed his departments maturity in performing Strategy Audits as Initial would likely have limited input on the benefits of conducting such activities, but may be able to answer questions
a respondent who assessed the maturity as Optimized could offer additional information about the benefits and roadblocks in conducting such activities, and how value and continuous improvement
of survey questions, refer
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
A summary of the data and observationseach focus area is provided in the subsections below.
Project Management
The data collected in this area indicated that maturity level with about oneorganizations at this maturity level and 7see figure 13 for the distribution of the assessed maturity levels.
Figure 13 Maturity Level (Project Management) as Assessed by Respondents
About half of the respondentsdepartments internal audit time in respondents indicated that their internal audit department spends at least 5% or more of their departments time in this area.
36%
20%
Maturity Level as Assessed by
The Dallas Chapter of the Institute of Internal Auditors
A summary of the data and observations (for the sample size of 25)each focus area is provided in the subsections below.
The data collected in this area indicated that Integrated was the medianabout one-third (36%) of the respondents identifying their
organizations at this maturity level and 76% at the Integrated level or below.for the distribution of the assessed maturity levels.
Maturity Level (Project Management) as Assessed by Respondents
respondents organizations (54%) spent less thaninternal audit time in the project management area. About 46%dicated that their internal audit department spends at least 5% or more of
their departments time in this area.
20%
20%
4%
Maturity Level as Assessed by
Respondents
Initial
Infrastructure
Integrated
Managed
Optimized
18
(for the sample size of 25) relative to
as the median of the respondents identifying their
level or below. Please
Maturity Level (Project Management) as Assessed by Respondents
than 6% of their About 46% of the
dicated that their internal audit department spends at least 5% or more of
Infrastructure
Integrated
Managed
Optimized
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Figure 14
Approximately half of the respondents noted that internal audit time on audit and assurance activities.
Figure 15 Allocation of Time Between Consulting and Assurance Activities
12%
17%
17%
Time Spent for Project Management
20%
12%
4% 4%
Allocation of Time Between Consulting
The Dallas Chapter of the Institute of Internal Auditors
Time Spent for Project Management Activities
Approximately half of the respondents noted that their departments spend 75% of n audit and assurance activities.
Allocation of Time Between Consulting and Assurance Activities
8%
46%
0%
Time Spent for Project Management
Activities
No Time Spent
0% to 5%
6% to 10%
11% to 15%
16% to 25%
More than 25%
8%
52%
4%
Allocation of Time Between Consulting
and Assurance No consulting time (all audit/assurance)
Some consulting (Less than 25%
of time)
Half consulting (Other 50% of
time for audit/assurance)
Mostly consulting (75% or more
time)
All consulting (no
auidt/assurance)
Not applicable
19
spend 75% of their
Allocation of Time Between Consulting and Assurance Activities
No Time Spent
11% to 15%
16% to 25%
More than 25%
Some consulting (Less than 25%
Half consulting (Other 50% of
Mostly consulting (75% or more
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
The vast majority of the respondentslevels were appropriate for the project management area
Figure 16
Some of the themes noted during the interviews are as follows: A number of respondent
Information Technology (IT) initiatives (asmanagement activities such as construction projectetc.)
A large number of organizations had department (mainly IT) framework.
About 60% of the respondentsin project management type internal audit activitiesto be involved in this area in the near future.
A large portion of the respondents indicated that there is not an organizationwide project management framework, indicating opportunity for management to streamline their project management activities across th
We feel allocation is appropriate
Area is not applicable for our business
Area not a high risk to our business
Budgetary constraints
Business goals have not been defined
Project Management Resource Allocation
The Dallas Chapter of the Institute of Internal Auditors
vast majority of the respondents (75%) felt that the allocations at the current for the project management area as noted below:
16 Project Management Resource Allocation
Some of the themes noted during the interviews are as follows: A number of respondents associated the term project management Information Technology (IT) initiatives (as opposed to business process management activities such as construction projects, process re
number of organizations had a specially assigned project department (mainly IT) and a few organizations had a wider project management
About 60% of the respondents organizations were noted to be currently involved in project management type internal audit activities, while 25% do
be involved in this area in the near future. A large portion of the respondents indicated that there is not an organizationwide project management framework, indicating opportunity for management to streamline their project management activities across the organization.
0 5 10 15
We feel allocation is appropriate
Area is not applicable for our business
Area not a high risk to our business
Budgetary constraints
Business goals have not been defined
Others
Project Management Resource Allocation
20
allocations at the current as noted below:
project management with opposed to business process
, process re-engineering,
a specially assigned project management project management
noted to be currently involved 25% dont have plans
A large portion of the respondents indicated that there is not an organization-wide project management framework, indicating opportunity for management to
e organization.
20
Project Management Resource Allocation
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Some key observations from
When asked how activities in this area added value to their organizations, and how the value was measured, many respondents stated that their consultative activities in this area provided substantioften not be quantified. For example, many respondents stated that they were regularly consulted to advise on project risks and make control recommendations in the planning stage of major projects. By identifying critical risks that threaten the success of the project and recommending mitigating controls before project implementation, these respondents believed internal auditproject initiatives. Additionally, some respondents stated that they were consulted to review process design within major projects and recommend improvements to streamline the process and gain efficiencies. These process improvement recommendations often resulted in reduced cost organization. Various roadblocks and challenges were noted by respondents related to their activities in this area. A small number of respondents stated that they lacked human resources and training for lowersupport. One respondent stated that occasionally independence can become an issue when process owners and project managers do not understand boundaries and the need to maintain independence. The retwo key methods of overcoming this issue are communication with the project team at the inception of the project planning phase to clearly define limiting internal audits involvement to advisory in the involvement in the implementation phase.
Enterprise Risk Management
The data collected in this area indicated that Integrated or lower level of maturity in this area with the
The Dallas Chapter of the Institute of Internal Auditors
Some key observations from interviews:
When asked how activities in this area added value to their organizations, and how the value was measured, many respondents stated that their consultative activities in this area provided substantial value to the organization, although this value could often not be quantified. For example, many respondents stated that they were regularly consulted to advise on project risks and make control recommendations in the planning
By identifying critical risks that threaten the success of the project and recommending mitigating controls before project implementation, these
internal audit played a significant role in ensuring success of tionally, some respondents stated that they were consulted to
review process design within major projects and recommend improvements to streamline the process and gain efficiencies. These process improvement recommendations often resulted in reduced cost of the overall project to the
Various roadblocks and challenges were noted by respondents related to their activities in this area. A small number of respondents stated that they lacked human resources and training for lower-level staff to provide adequate Project Management support. One respondent stated that occasionally independence can become an issue when process owners and project managers do not understand boundaries and the need to maintain independence. The respondent also stated that two key methods of overcoming this issue are communication with the project team at the inception of the project planning phase to clearly define internal a
udits involvement to advisory in the design phase, with less involvement in the implementation phase.
Enterprise Risk Management
The data collected in this area indicated that 75% of the organizations had an level of maturity in this area with the median in the
21
When asked how activities in this area added value to their organizations, and how the value was measured, many respondents stated that their consultative activities
al value to the organization, although this value could often not be quantified. For example, many respondents stated that they were regularly consulted to advise on project risks and make control recommendations in the planning
By identifying critical risks that threaten the success of the project and recommending mitigating controls before project implementation, these
played a significant role in ensuring success of tionally, some respondents stated that they were consulted to
review process design within major projects and recommend improvements to streamline the process and gain efficiencies. These process improvement
of the overall project to the
Various roadblocks and challenges were noted by respondents related to their activities in this area. A small number of respondents stated that they lacked human
o provide adequate Project Management support. One respondent stated that occasionally independence can become an issue when process owners and project managers do not understand internal audits
spondent also stated that two key methods of overcoming this issue are communication with the project team at
audits role, and design phase, with less
5% of the organizations had an in the Infrastructure
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
stages of adopting ERM processesby ERM process maturity.
Figure 17 Maturity Level (ERM) as Assessed by Respondents
The data collected indicated that all respondents spend atarea, with about one-third of internal audit dinvolvement (more than 10% of time)over assurance activities as compared to consulting activitiesFigure-19.
Figure
20%
24%
Maturity Level As Assessed by
16%
8%
8%
Time Spent for ERM Activities
The Dallas Chapter of the Institute of Internal Auditors
stages of adopting ERM processes. Please see figure-17 for the distribution of samples
Maturity Level (ERM) as Assessed by Respondents
The data collected indicated that all respondents spend at least some time in this internal audit departments having higher level of
(more than 10% of time). The extent of involvement appears to be more over assurance activities as compared to consulting activities as noted in Figure
Figure 18 Time Spent for ERM Activities
24%
28%
4%
Maturity Level As Assessed by
Respondents
Initial
Infrastructure
Integrated
Managed
Optimized
36%
32%
8% 0%
Time Spent for ERM Activities
No Time Spent
0% to 5%
6% to 10%
11% to 15%
16% to 25%
More than 25%
22
bution of samples
least some time in this epartments having higher level of
. The extent of involvement appears to be more in Figure-18 and
Infrastructure
Integrated
Managed
Optimized
No Time Spent
11% to 15%
16% to 25%
More than 25%
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Figure 19 Allocation of Time to Consulting and Assurance Activities
The data collected regarding the rationale for resource allocation and focus indicated that a vast majority of the respondents (75%) felt that the alcurrent levels were appropriate as noted below:
28%
4% 4% 0%
Allocation of Time to Consulting and Assurance
We feel allocation is appropriate
Area is not applicable for our business
Area not a high risk to our business
Budgetary constraints
Business goals have not been defined
ERM Resource Allocation
The Dallas Chapter of the Institute of Internal Auditors
Allocation of Time to Consulting and Assurance Activities
The data collected regarding the rationale for resource allocation and focus indicated that a vast majority of the respondents (75%) felt that the allocation
appropriate as noted below:
Figure 20 ERM Resource Allocation
20%
44%
0%
Allocation of Time to Consulting and Assurance
ActivitiesNo consulting time (all
audit/assurance)
Some consulting (Less than 25% of
time)
Half consulting (Other 50% of time for
audit/assurance)
Mostly consulting (75% or more time)
All consulting (no auidt/assurance)
Not applicable
0 5 10 15
We feel allocation is appropriate
Area is not applicable for our business
Area not a high risk to our business
Budgetary constraints
Business goals have not been defined
Others
ERM Resource Allocation
23
The data collected regarding the rationale for resource allocation and focus locations at the
Allocation of Time to Consulting and Assurance
Some consulting (Less than 25% of
Half consulting (Other 50% of time for
Mostly consulting (75% or more time)
All consulting (no auidt/assurance)
20
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
The themes noted during the interviews are as follows: A number of respondents indicated that internal audit is involved in co
of the ERM initiatives at their organizations. In some instances, been asked to be the owner of the process as no other departments accepted the responsibility.
A vast number of organizations indicated that they have a formal prplace (70%).
About 25% of the respondents (among the organizations in early stages) indicated that they do not
Independence was not identified as a concern in this area.
Some key observations from
According to the IIA, internal risk awareness within the organization. However, several respondents stated in interviews that a major barrier to getting ERM off the ground in their organizations is convincing executives of its beneficial impact.
One respondent who has experience getting successful ERM implementations off the ground stated that implementing ERM is more an art than a science. Getting buy-in from top-level management can be a challengrespondent has developed several innovative approaches to address the issue while demonstrating the value of the initiative:
- Proactively discuss risks with top level management in formal and informal discussions. Gain an understanding of what keeps management up at night and identify events that would negatively impact the achievement of objectives. In this effort, establish what the problems are, whether they are systemic or isolated, and begin to identify what the key controls are. Do the controls currently exist, or must they be designed? Where the key controls shouldprocess owners begin having to be accountable through the quarterly certification
The Dallas Chapter of the Institute of Internal Auditors
he themes noted during the interviews are as follows: A number of respondents indicated that internal audit is involved in coof the ERM initiatives at their organizations. In some instances, internal auditbeen asked to be the owner of the process as no other departments accepted
A vast number of organizations indicated that they have a formal pr
About 25% of the respondents (among the organizations in early stages) do not plan to increase their level of involvement.
Independence was not identified as a concern in this area.
Some key observations from interviews:
nternal audit can and should be a champion of ERM and risk awareness within the organization. However, several respondents stated in interviews that a major barrier to getting ERM off the ground in their organizations is
nvincing executives of its beneficial impact. One respondent who has experience getting successful ERM implementations
off the ground stated that implementing ERM is more an art than a science. Getting level management can be a challenge due to various factors, and the
respondent has developed several innovative approaches to address the issue while demonstrating the value of the initiative:
Proactively discuss risks with top level management in formal and informal n an understanding of what keeps management up at night and
identify events that would negatively impact the achievement of objectives. In this effort, establish what the problems are, whether they are systemic or isolated, and begin
e key controls are. Do the controls currently exist, or must they be the key controls should be located to ensure optimization? As
process owners begin having to be accountable through the quarterly certification
24
A number of respondents indicated that internal audit is involved in co-ordination internal audit has
been asked to be the owner of the process as no other departments accepted
A vast number of organizations indicated that they have a formal process in
About 25% of the respondents (among the organizations in early stages) plan to increase their level of involvement.
udit can and should be a champion of ERM and risk awareness within the organization. However, several respondents stated in interviews that a major barrier to getting ERM off the ground in their organizations is
One respondent who has experience getting successful ERM implementations off the ground stated that implementing ERM is more an art than a science. Getting
e due to various factors, and the respondent has developed several innovative approaches to address the issue while
Proactively discuss risks with top level management in formal and informal n an understanding of what keeps management up at night and
identify events that would negatively impact the achievement of objectives. In this effort, establish what the problems are, whether they are systemic or isolated, and begin
e key controls are. Do the controls currently exist, or must they be be located to ensure optimization? As
process owners begin having to be accountable through the quarterly certification
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
process for exceptions, less and less exceptions should occur over time. These results can then be presented to management as evidence of the success of the initiative, as it demonstrates effective results in reducing the risks that keep management up at night. This can solidify and increase support for a formal ERM effort built on continuous improvement. This approach allows adoption of ERM as an incremental effort, rather than an overnight implementation.
- Develop a pilot of ERM for a single department, such as AccountRoll ERM out in that one department by identifying the departments objectives, linking them to risks, and developing risk responses and control activities. Self Assessment testing should be performed periodically to evaluate the success the successes and opportunities for improved implementation. Build on the knowledge learned to refine the process in that department. Present the results to senior management as a proposal for a phased implementation that is morbe more easily integrated into the business processes. If management understands that ERM doesnt have to be all at once, and doesnt have to be overcomplicated, buyis easier to achieve.
Another respondent acknowledged that ERM wastage within his organization, but stated that this was intentional and that the company was where it wanted to be with respect to ERM with limited additional investment. With his approach, all the elements of tto link risks to strategy, increase risk awareness in the company, and increase process owner accountability for developing risk responses. benefit to his approach to ERM is that it has allowed and build risk awareness into the culture of the organization over time, without overwhelming process owners with the ERM terminology. In annual risk assessments, internal audit gains an understanding of the highest risks facing the organization. Then, when the audit plan is developed it is linked to the companys strategy risks are linked to strategic objectives and the audit plan is linked to strategy. These are key objectives within ERM and the respondent believes he is accomplishing them
The Dallas Chapter of the Institute of Internal Auditors
less and less exceptions should occur over time. These results can then be presented to management as evidence of the success of the initiative, as it demonstrates effective results in reducing the risks that keep management up at night.
dify and increase support for a formal ERM effort built on continuous improvement. This approach allows adoption of ERM as an incremental effort, rather than an overnight implementation.
Develop a pilot of ERM for a single department, such as AccountRoll ERM out in that one department by identifying the departments objectives, linking them to risks, and developing risk responses and control activities. Self Assessment testing should be performed periodically to evaluate the success of the initiative, noting the successes and opportunities for improved implementation. Build on the knowledge learned to refine the process in that department. Present the results to senior management as a proposal for a phased implementation that is more practical and can be more easily integrated into the business processes. If management understands that ERM doesnt have to be all at once, and doesnt have to be overcomplicated, buy
Another respondent acknowledged that ERM was probably in the Initial or Infrastructure stage within his organization, but stated that this was intentional and that the company was where it wanted to be with respect to ERM with limited additional investment. With his approach, all the elements of the internal audit / compliance functions work together to link risks to strategy, increase risk awareness in the company, and increase process owner accountability for developing risk responses. This respondent believes that a key
to ERM is that it has allowed internal audit to link risk to strategy and build risk awareness into the culture of the organization over time, without overwhelming process owners with the ERM terminology. In annual risk assessments,
an understanding of the highest risks facing the organization. Then, when the audit plan is developed it is linked to the companys strategy risks are linked to strategic objectives and the audit plan is linked to strategy. These are
y objectives within ERM and the respondent believes he is accomplishing them
25
less and less exceptions should occur over time. These results can then be presented to management as evidence of the success of the initiative, as it demonstrates effective results in reducing the risks that keep management up at night.
dify and increase support for a formal ERM effort built on continuous improvement. This approach allows adoption of ERM as an incremental effort, rather
Develop a pilot of ERM for a single department, such as Accounting or Finance. Roll ERM out in that one department by identifying the departments objectives, linking them to risks, and developing risk responses and control activities. Self Assessment
of the initiative, noting the successes and opportunities for improved implementation. Build on the knowledge learned to refine the process in that department. Present the results to senior
e practical and can be more easily integrated into the business processes. If management understands that ERM doesnt have to be all at once, and doesnt have to be overcomplicated, buy-in
s probably in the Initial or Infrastructure stage within his organization, but stated that this was intentional and that the company was where it wanted to be with respect to ERM with limited additional investment. With
he internal audit / compliance functions work together to link risks to strategy, increase risk awareness in the company, and increase process
This respondent believes that a key udit to link risk to strategy
and build risk awareness into the culture of the organization over time, without overwhelming process owners with the ERM terminology. In annual risk assessments,
an understanding of the highest risks facing the organization. Then, in this manner,
risks are linked to strategic objectives and the audit plan is linked to strategy. These are y objectives within ERM and the respondent believes he is accomplishing them
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
without creating a separate ERM effort. This helps gain the buyhe presents the audit plan, because management sees a risklinked to the company's core objectives, and it makes sense to them.
A major benefit noted by various respondents was that the ERM implementation process resulted in positive changes to the risk culture of the organization. Often, the process of conducting risk assessments and discussing risks with management resulted in increased risk awareness and more accountability on the part of process owners and managers.
Corporate Governance
The data collected in this area maturity level with 32% of the respondents identifying their organizations at this maturity level and about two-thirds (64
Figure 21 Maturity Level (Corporate Governance) as Assessed by
More than half of the respondents (departments time was spent at least 1
32%
Maturity Level as Assessed by
The Dallas Chapter of the Institute of Internal Auditors
without creating a separate ERM effort. This helps gain the buy-in of management when he presents the audit plan, because management sees a risk-based audit plan that is
the company's core objectives, and it makes sense to them. A major benefit noted by various respondents was that the ERM implementation
process resulted in positive changes to the risk culture of the organization. Often, the sessments and discussing risks with management resulted
in increased risk awareness and more accountability on the part of process owners and
The data collected in this area indicated that Integrated was the median% of the respondents identifying their organizations at this maturity
thirds (64%) below the Integrated maturity level or below.
Maturity Level (Corporate Governance) as Assessed by Respondents
More than half of the respondents (60%) indicated that their internal audit at least 10% or more in this area.
12%
20%
32%
4%
Maturity Level as Assessed by
Respondents
Initial
Infrastructure
Integrated
Managed
Optimized
26
in of management when based audit plan that is
A major benefit noted by various respondents was that the ERM implementation process resulted in positive changes to the risk culture of the organization. Often, the
sessments and discussing risks with management resulted in increased risk awareness and more accountability on the part of process owners and
as the median % of the respondents identifying their organizations at this maturity
level or below.
Respondents
60%) indicated that their internal audit
Infrastructure
Integrated
Managed
Optimized
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Figure 22 Time Spent for Corporate Governance Activities
Of the time spent in this areatheir internal audit departmentsthe Figure below.
Figure 23 Allocation of Time between Consulting and Assuran
24%
28%
Time Spent for Corporate
Governance Activities
4%4%
4% 4%
Allocation of Time Between Consulting and
The Dallas Chapter of the Institute of Internal Auditors
Time Spent for Corporate Governance Activities
in this area, a majority (68%) of the respondents noted that their internal audit departments time spent is in assurance type activities as shown in
Allocation of Time between Consulting and Assurance Activities
4%
20%
16%
8%
Time Spent for Corporate
Governance Activities
No Time Spent
0% to 5%
6% to 10%
11% to 15%
16% to 25%
More than 25%
16%
68%
Allocation of Time Between Consulting and
Assurance ActivitiesNo consulting time (all
audit/assurance)
Some consulting (Less than 25% of
time)
Half consulting (Other 50% of time
for audit/assurance)
Mostly consulting (75% or more
time)
All consulting (no auidt/assurance)
Not applicable
27
the respondents noted that time spent is in assurance type activities as shown in
ce Activities
No Time Spent
11% to 15%
16% to 25%
More than 25%
Some consulting (Less than 25% of
Half consulting (Other 50% of time
Mostly consulting (75% or more
All consulting (no auidt/assurance)
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
The data collected regarding the rationale for resource allocation and focus indicated that a vast majority of the respondentscurrent levels was appropriate as noted
Figure 24
Some of the themes noted during the interviews are as follows: A number of respondents indicated that
key activity in this area. A large number of organizations in
organizations are requested by management or activities in this area.
Some key observations from
A key roadblock noted by several respondents was that there is a laguidance on how to audit corporate governance. One respondent stated that this can result in difficulties developing the scope and objectives for corporate governance audits.
We feel allocation is appropriate
Area is not applicable for our business
Area not a high risk to our business
Budgetary constraints
Business goals have not been defined
Corporate Governance
The Dallas Chapter of the Institute of Internal Auditors
The data collected regarding the rationale for resource allocation and focus indicated that a vast majority of the respondents (85%) felt that the allocation at the current levels was appropriate as noted in Figure-24.
24 Corporate Governance Resource Allocations
Some of the themes noted during the interviews are as follows: A number of respondents indicated that the Entity-level controls review key activity in this area.
number of organizations indicated that there are set procedures or their organizations are requested by management or the audit committee to perform
Some key observations from interviews:
A key roadblock noted by several respondents was that there is a laguidance on how to audit corporate governance. One respondent stated that this can result in difficulties developing the scope and objectives for corporate governance
0 5 10 15 20
We feel allocation is appropriate
Area is not applicable for our business
Area not a high risk to our business
Budgetary constraints
Business goals have not been defined
Others
Corporate Governance - Resource
Allocation
28
The data collected regarding the rationale for resource allocation and focus 5%) felt that the allocation at the
level controls review was the
dicated that there are set procedures or their audit committee to perform
A key roadblock noted by several respondents was that there is a lack of guidance on how to audit corporate governance. One respondent stated that this can result in difficulties developing the scope and objectives for corporate governance
25
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Several respondents noted that a major benefit of performing these typeengagements is that they can help strengthen the corporate culture and ethical climate. This benefit can be achieved through identifying exceptions and following up to verify remediation, and also through making recommendations when deficiencies in tdesign of organizational governance processes are noted.
A large healthcare services organization'sadopted a number of organization wreinforcement initiatives that appear to have been received well by the auditeesarea. Some of the key initiatives are as follows: * "Audit Trophy", an award given to the units that meet or exceed certain scor
in the yearly rotational audits. * "Audit update newsletter", an email blast that is sent on a monthly basis to
communicate the audit and governance initiatives. * "Quarterly audit webcasts", an online webinar inviting organization wide
participants for education and discussions on hot topics. * "Data Analysis Dashboards",
management to monitor business trends.
The Dallas Chapter of the Institute of Internal Auditors
Several respondents noted that a major benefit of performing these typeengagements is that they can help strengthen the corporate culture and ethical climate. This benefit can be achieved through identifying exceptions and following up to verify remediation, and also through making recommendations when deficiencies in tdesign of organizational governance processes are noted.
A large healthcare services organization's CAE notes that internal audit has adopted a number of organization wide internal audit communication and other positive reinforcement initiatives that appear to have been received well by the auditees
. Some of the key initiatives are as follows: * "Audit Trophy", an award given to the units that meet or exceed certain scor
in the yearly rotational audits. * "Audit update newsletter", an email blast that is sent on a monthly basis to
communicate the audit and governance initiatives. * "Quarterly audit webcasts", an online webinar inviting organization wide
ts for education and discussions on hot topics. * "Data Analysis Dashboards", data summary reports for internal audit and
management to monitor business trends.
29
Several respondents noted that a major benefit of performing these types of engagements is that they can help strengthen the corporate culture and ethical climate. This benefit can be achieved through identifying exceptions and following up to verify remediation, and also through making recommendations when deficiencies in the
internal audit has ide internal audit communication and other positive
reinforcement initiatives that appear to have been received well by the auditees in this
* "Audit Trophy", an award given to the units that meet or exceed certain score
* "Audit update newsletter", an email blast that is sent on a monthly basis to
* "Quarterly audit webcasts", an online webinar inviting organization wide
data summary reports for internal audit and
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Social and Sustainability Audits and Consultation
The data collected in this area indicated that a majority of the respondents (7have not been involved in this area and were at the Initial
Figure 25 Maturity Level (Social & Sustainability Audit) as assessed by Respondents
The trend of involvement of with the amount of time spent involvement as noted in Figure 26 and Figure 27
Figure 26 Time Spent for Social and Sustainability Related Activities
12%
8% 0%4%
Maturity Level As Assessed by
36%
8%
Time Spent for Social and
Sustainability Audit Activities
The Dallas Chapter of the Institute of Internal Auditors
Social and Sustainability Audits and Consultation
The data collected in this area indicated that a majority of the respondents (7have not been involved in this area and were at the Initial
Maturity Level (Social & Sustainability Audit) as assessed by Respondents
trend of involvement of internal audit departments in this area also coincided nt about half of the respondents did not have any
in Figure 26 and Figure 27.
Time Spent for Social and Sustainability Related Activities
76%
4%
Maturity Level As Assessed by
Respondents
Initial
Infrastructure
Integrated
Managed
Optimized
56%
8% 0%0%0%
Time Spent for Social and
Sustainability Audit Activities
No Time Spent
0% to 5%
6% to 10%
11% to 15%
16% to 25%
More than 25%
30
The data collected in this area indicated that a majority of the respondents (76%) have not been involved in this area and were at the Initial maturity level.
Maturity Level (Social & Sustainability Audit) as assessed by Respondents
udit departments in this area also coincided the respondents did not have any
Infrastructure
No Time Spent
11% to 15%
16% to 25%
More than 25%
2011 - The IIA Research Foundation
KRevelsText Box
-
The Dallas Chapter of the Institute of Internal Auditors
Of the internal audit departments that spent time in this area, a large propo(87%) spent most of their time in assurance type activities as noted in the Figure 27.
Figure 27 Spread of Time between Audit and Consulting Activities
The data collected regarding the rationale for resource allocation andindicated that a vast majority of the respondentscurrent levels was appropriate below:
Figure 28 Allocation of Resources to Soc
8%0%0%
40%
Allocation of Time Between
Consulting and Audit Activities
We feel allocation is appropriate
Area is not applicable for our business
Area not a high risk to our business
Budgetary constraints
Business goals have not been defined
Social and Sustainability Audits: Resource
The Dallas Chapter of the Institute of Internal Auditors
Of the internal audit departments that spent time in this area, a large propo(87%) spent most of their time in assurance type activities as noted in the Figure 27.
Spread of Time between Audit and Consulting Activities
T