internal audit's value addition approach - the institute ... documents/internal audit's value... ·...

2011

Internal Audit's Value Addition Approach - A Study in the Dallas-Fort Worth Area The Research Committee of the Dallas Chapter of the IIA

2011 - The IIA Research Foundation

The Dallas Chapter of the Institute of Internal Auditors

Internal Audits Value Addition Approach

Worth Area

Contents

Introduction ................................

Value Addition Approaches

Survey Design ................................

Project Plan ................................

Participants Profile ................................

Represented Organizations Profile

Represented Internal Audit Departments Profile

Area Specific Observations

Project Management ................................

Enterprise Risk Management

Corporate Governance ................................

Social and Sustainability Audits and Consultation

Strategy Audits and Consultation

Data Analysis ................................

Conclusions and Implications

Limitations and Future Opportunities

Acknowledgements ................................

Appendix I: Statistical Tables

Appendix II: Interpreting Correlation Coefficients and Covariance

Appendix III: Pre-Interview Questionnaire

Appendix IV: Interview Questionnaire

References ................................


Internal Audits Value Addition Approach- a Study in the Dallas

................................................................................................

Value Addition Approaches .........................................................................................

................................................................................................

................................................................................................

................................................................................................

Represented Organizations Profile ................................................................

Represented Internal Audit Departments Profile .......................................................

Area Specific Observations .......................................................................................

..............................................................................................

ise Risk Management ................................................................

...........................................................................................

Social and Sustainability Audits and Consultation................................

Strategy Audits and Consultation ................................................................

................................................................................................

Conclusions and Implications ....................................................................................

Limitations and Future Opportunities ................................................................

................................................................................................

Appendix I: Statistical Tables .....................................................................................

Appendix II: Interpreting Correlation Coefficients and Covariance ............................

Interview Questionnaire ................................................................

Appendix IV: Interview Questionnaire ................................................................

................................................................................................

2

a Study in the Dallas-Fort

.................................................. 3

......................... 6

............................................. 9

............................................... 10

.................................... 10

........................................... 13

....................... 15

....................... 17

.............................. 18

................................................. 21

........................... 26

.................................................. 30

........................................... 33

............................................. 35

.................... 35

......................................... 36

.................................... 37

..................... 38

............................ 39

................................. 40

........................................ 42

................................................ 47


KRevelsText Box


Introduction

As Richard Chambers observed,

from the back room to the board room

internal auditors to provide additional value to the organization

than everii. The objective of this

the efforts of internal audit organizations in this endeavor.

committee (committee) leveraged

AUDIT SURVEY- Characteristics of an

emerging focus areas in which internal auditors could add value

innovative approaches. From this foundation,

whether the internal audit departments

these emerging focus areas.

The hypothesis for this study

will experience a push to increasingly focus

below) and to generate additional

or financial audit areas. The committees

for focused research and conducting

area to evaluate the level of experience local internal audit

emerging audit areas. Keeping in perspective that the study is a chapter research

project, the committee focused

perceived by the committee as

and that can be performed by

size. Based on these criteria,

Table-1 for study from the 2010 IIA Global Internal Audit Survey: Characteristics of an

Internal Audit Activity- Report I


As Richard Chambers observed, the internal auditing profession and its

rom the back room to the board roomi is being closely watched. The demand for

internal auditors to provide additional value to the organizations they serve

this study is to identify the factors that contribute to or inhibit

the efforts of internal audit organizations in this endeavor. To that end, the

leveraged the results of the 2010 IIA GLOBAL INTERNAL

Characteristics of an internal audit Activityiii as a basis to identify

in which internal auditors could add value using nontraditional or

From this foundation, the committee sought to determine

the internal audit departments in the Dallas/Fort Worth Metroplex are

for this study is that internal audit departments (respondents

will experience a push to increasingly focus on certain emerging types of audits (noted

additional value outside the traditional operational, compliance

The committees approach involved identifying the audit areas

conducting targeted interviews with Audit Executives in the

to evaluate the level of experience local internal audit departments have with these

. Keeping in perspective that the study is a chapter research

ed on a selection of internal audit activities that

ommittee as unique and innovative, that were emerging in popularity

erformed by a wide variety of audit functions, regardless of industry or

Based on these criteria, the committee selected the five focus areas

2010 IIA Global Internal Audit Survey: Characteristics of an

Report I.

3

profession and its journey

is being closely watched. The demand for

s they serve is higher

is to identify the factors that contribute to or inhibit

he research

the results of the 2010 IIA GLOBAL INTERNAL

as a basis to identify

using nontraditional or

sought to determine

in the Dallas/Fort Worth Metroplex are active in

respondents)

ging types of audits (noted

operational, compliance

identifying the audit areas

with Audit Executives in the

have with these

. Keeping in perspective that the study is a chapter research

udit activities that were

emerging in popularity,

regardless of industry or

areas noted in

2010 IIA Global Internal Audit Survey: Characteristics of an


KRevelsText Box


Table 1 Focus Areas Activity Levels and Ranking

Focus Area

1 Audits of enterprise risk management

processes

2 Project management assurance/

audits of major projects

3 Corporate governance reviews

4 Reviews addressing linkage of

strategy and company performance

5 Social and sustainability audits

The above areas were considered to meet the Committees selection criteria based

our review of the Global Internal Audit Survey. According to the Survey:

The areas were not traditional

departments, with activity amount

There was a fairly even distribution of operational, governance and strategic

areas.

The selection included emerging issues such as environmental sustainability and

strategy audits.

The aspects considered by the committee through this study

How many respondents had begun to integrate these areas into their audit plans,

and what percentages of resources were

Have these engagements added value

the progress being measured?

For organizations not performing these engagements, what are the main

roadblocks and concerns?

If these activities are not performed currently, what is the timeframe for adoption?

What challenges are facing internal auditors in their attempts to add value in their

organizations in these areas?


Focus Areas Activity Levels and Ranking

Activity Rank

Audits of enterprise risk management 56.6% 8

Project management assurance/

audits of major projects

55.4% 9

Corporate governance reviews 44.5% 13

Reviews addressing linkage of

strategy and company performance

25.3% 19

and sustainability audits 19.6% 22

considered to meet the Committees selection criteria based

our review of the Global Internal Audit Survey. According to the Survey:

traditional focus areas by the majority of internal audit

vity amounting to less than 60%.



by the committee through this study included the following:


percentages of resources were being allocated?

these engagements added value to their organizations, and if so

the progress being measured?


roadblocks and concerns?


enges are facing internal auditors in their attempts to add value in their

organizations in these areas?

4

Rank

considered to meet the Committees selection criteria based on

internal audit



the following:


eir organizations, and if so, how is



enges are facing internal auditors in their attempts to add value in their


KRevelsText Box


Methodology

For the purposes of the study, the committee use

as the framework to evaluate the level of maturity of the

department as well as its maturity and experience level related to each specific

area. The Capability Maturity Model is a continuum used to evaluate the maturity of a

process, department or organization, with the stages

Initial: No sustainable repeatable capabilities (little or no internal audit

department or process exists)

Infrastructure: Sustainable and repeatable

procedures (compliance audits)

Integrated: IA management and professional practices uniformly applied

(advisory services)

Managed: Integrates information from across the organization to improve

governance and risk management (overall assurance on Governance, Risk

Management and control)

Optimized: IA learning from inside and outside the organization for continuous

improvement (internal a

First, the committee asked each respondent to

maturity level of their overall internal

overall evaluation was to provide a

evaluation for each specific audit area.

activity areas, the respondents

level with respect to that particular

the assessment of maturity levels of the organization versus the maturity level of focus

areas.


of the study, the committee used the Capability Maturity

as the framework to evaluate the level of maturity of the respondents internal audit

department as well as its maturity and experience level related to each specific


process, department or organization, with the stages of maturity defined as follows:

No sustainable repeatable capabilities (little or no internal audit

department or process exists)

Sustainable and repeatable internal audit (IA) practices and

procedures (compliance audits)

IA management and professional practices uniformly applied

Integrates information from across the organization to improve


Management and control)

IA learning from inside and outside the organization for continuous

audit recognized as key agent of change)

ommittee asked each respondent to in their opinion

nternal audit department. The purpose of obtaining this

provide a basis against which to compare the maturity

evaluation for each specific audit area. Then, for each of the above identified audit

ondents were asked to assess their internal audit teams

to that particular area. The committee then studied the

maturity levels of the organization versus the maturity level of focus

5

Maturity Model

respondents internal audit

department as well as its maturity and experience level related to each specific focus


of maturity defined as follows:

No sustainable repeatable capabilities (little or no internal audit

practices and

IA management and professional practices uniformly applied

Integrates information from across the organization to improve


IA learning from inside and outside the organization for continuous

evaluate the

. The purpose of obtaining this

against which to compare the maturity

or each of the above identified audit

their internal audit teams maturity

the differences in

maturity levels of the organization versus the maturity level of focus


KRevelsText Box


Value Addition Approaches

As mentioned previously, five value addition approaches were selected. A brief

description of each value addition approach follows. These descriptions were

to each respondent:

1) Project Management

refers to the activities performed by the

or consulting support for the organizations project management initiatives. Some

organizations/companies may not have a dedicated Project Ma

(PMO) or Project Management (PM) framework. Internal audits engagement

may include the following types of activities:

Post Implementation R

Consultative services

Implementation verification

2) Enterprise Risk Management (ERM)

and processes used by organization

opportunities by embedding risk awareness into the strategy

ERM is different from audit risk assessment, seeking to accomplish the broader

initiatives of linking risks to strategic objectives,

responses, and managing risk to within risk appetite on an enterprise

Internal audit departments

however, the Institute of

the acceptable roles internal audit

objective of our study was to determine the extent to which

to support ERM implementation while

Figure 1iv.


e Addition Approaches


description of each value addition approach follows. These descriptions were

Project Management Audit and Consultation activities

refers to the activities performed by the internal audit department to provide audit


organizations/companies may not have a dedicated Project Management Office


may include the following types of activities:

Post Implementation Reviews

Consultative services during the design and implementation phase

Implementation verification and validation

Enterprise Risk Management (ERM) ERM generally refers to the methods

and processes used by organizations to strategically manage risks and leverage

by embedding risk awareness into the strategy-setting process.

rent from audit risk assessment, seeking to accomplish the broader

of linking risks to strategic objectives, developing appropriate risk

responses, and managing risk to within risk appetite on an enterprise

Internal audit departments could be involved in a number of ways in this process

however, the Institute of internal auditors has established guidelines surrounding

internal auditors can take on with respect to ERM

objective of our study was to determine the extent to which internal

support ERM implementation while staying within the boundaries as defined

6


description of each value addition approach follows. These descriptions were provided

t and Consultation activities

epartment to provide audit


nagement Office


during the design and implementation phase

enerally refers to the methods

manage risks and leverage

setting process.

rent from audit risk assessment, seeking to accomplish the broader

developing appropriate risk

responses, and managing risk to within risk appetite on an enterprise-wide level.

ould be involved in a number of ways in this process;

delines surrounding

ors can take on with respect to ERM. An

nternal audit is able

within the boundaries as defined in


KRevelsText Box


3) Corporate Governance:

customs, policies, laws, and institutions affecting the way a corporation (or

company) is directed, administered or contr

a significant role in assisting the board with corporate governance. According to

the IIA Position Paper Organizational Governance: Guidance for Internal

Auditors, Often, internal auditors can assist organization

board of directors and executive management on needed improvements and

changes in structure and design, not just whether established processes are

operating. The type of activities performed by

related to the maturity of the Governance Model in the organization, as the IIAs

Internal Audit Governance Maturity Model

of our study was to identify the level of maturity exhibited by respondents in

providing the advisory support recommended by the IIA.


Figure 1 Internal Audit Roles

Corporate Governance: Corporate governance is the set of processes,


company) is directed, administered or controlled. Internal audit departments play



Auditors, Often, internal auditors can assist organizations better by advising the



operating. The type of activities performed by internal audit can typically be

ated to the maturity of the Governance Model in the organization, as the IIAs

Internal Audit Governance Maturity Model shows in the Figure 2v


e advisory support recommended by the IIA.

7

Corporate governance is the set of processes,


Internal audit departments play



s better by advising the



udit can typically be

ated to the maturity of the Governance Model in the organization, as the IIAs

v. An objective



KRevelsText Box


Figure 2

4) Social and sustainability (Corporate social responsibility, environmental)

audits: Social and sustainability initiatives include the p

whereby an organization integrates its social responsibilities and sustainable

business practices. Social responsibilities might include activities to promote

public interest, charitable, and/or philanthropic activities. Sustainabi

include practices to promote environmentally friendly activities, prevent

environmental disasters, or prevent mis

term profits rather than for customer welfare.)

initiatives are gaining significant prominence in business and government in

recent years. The latest sustainability reporting trends indicate that 142

regulatory instruments addressing sustainability reporting exist in 30 countries

and 65% of the standards

from government, a series of challenges were noted in a survey by Deloitte

part of our study objectives we sought to understand the rate of voluntary

adoption of sustainability initiatives in the


2 Internal Audit Governance Maturity Model

Social and sustainability (Corporate social responsibility, environmental)

Social and sustainability initiatives include the processes and practices,



interest, charitable, and/or philanthropic activities. Sustainabi


environmental disasters, or prevent mis-selling (e.g. selling of products for short

term profits rather than for customer welfare.) Social and sustainability goals and

itiatives are gaining significant prominence in business and government in



and 65% of the standards are considered mandatoryvi. Even with significant push

from government, a series of challenges were noted in a survey by Deloitte


adoption of sustainability initiatives in the DFW Metroplex, the extent of

8

Social and sustainability (Corporate social responsibility, environmental)

and practices,



interest, charitable, and/or philanthropic activities. Sustainability might


selling (e.g. selling of products for short-

Social and sustainability goals and

itiatives are gaining significant prominence in business and government in



. Even with significant push

from government, a series of challenges were noted in a survey by Deloittevii. As


the extent of


KRevelsText Box


respondents activities to support these initiatives,

noted.

5) Strategy Audits: The definition of business strategy is a long term plan of action

designed to achieve a particular goal or set of goal

may be comprised of two types: 1) Assessing the adequacy of the strategy

making process and subsequent monitoring

of a business and comparing that to the planned direction as outlined i

strategic plan. Strategy

respondents to the Global Internal Audit Survey reporting that they are a

significant part of their organizations audit plans. However, they

important way for internal

measurement and feedback on performance in association with achievement of

strategic objectives. As the

consultative partner, advising

controls that impact achievement of strategic objectives and value creation, we

sought to determine whether these audits are being performed in pursuit of this

direction.

Survey Design

The committee contacted

having at least 25 participants)

audit executive uniquely represented one formally functioning internal audit department.

During this process the committee

and organization sizes.

The data was collected in two phases. In the first phase, the

requested to complete a preliminary

III). In the second phase, the re

minutes to obtain additional information

questionnaire (see Appendix-

25 respondents for this study.


respondents activities to support these initiatives, and the particular challenges

: The definition of business strategy is a long term plan of action

designed to achieve a particular goal or set of goals or objectives. Strategy audits


making process and subsequent monitoring, or 2) Assessing the actual direction

of a business and comparing that to the planned direction as outlined i

strategic plan. Strategy audits are not common, with less than 25% of


significant part of their organizations audit plans. However, they can be an

important way for internal auditors to add value through providing independent


As the internal audit profession seeks to emerge as a

consultative partner, advising management and the board on the risks and



The committee contacted approximately 40 audit executives (with a goal of

having at least 25 participants) in the DFW area for participation in this study

uniquely represented one formally functioning internal audit department.

During this process the committee attempted to cover a wide array of industry sectors

The data was collected in two phases. In the first phase, the respondents were

preliminary written data-gathering questionnaire

In the second phase, the respondents were interviewed for approximately

minutes to obtain additional information based on the responses provided in the initial

IV). The committee was able to meet the goal of having

for this study.

9

and the particular challenges

: The definition of business strategy is a long term plan of action

s or objectives. Strategy audits


or 2) Assessing the actual direction

of a business and comparing that to the planned direction as outlined in the

are not common, with less than 25% of


can be an

auditors to add value through providing independent


udit profession seeks to emerge as a

oard on the risks and



(with a goal of

in the DFW area for participation in this study. Each

uniquely represented one formally functioning internal audit department.

wide array of industry sectors

respondents were

questionnaire (see Appendix

approximately 30

based on the responses provided in the initial

The committee was able to meet the goal of having


KRevelsText Box


Project Plan

The research project was completed in three phases starting from Oc

through March 2011 as shown below:

Figure 3 Project Plan

Participants Profile

The research committee solicited

organizations that are based in

DFW area. The parameters defined by the committee for the participants were as

follows:

Chief Audit Executive (CAE), the top

equivalent department with the responsibility of providing

Audit Executive (AE), an existing

group who has a direct reporting relationship to a CAE


The research project was completed in three phases starting from October 2010

through March 2011 as shown below:

The research committee solicited audit executives in the DFW area

based in the DFW area or that have significant operations in the

he parameters defined by the committee for the participants were as

Chief Audit Executive (CAE), the top-most person in the internal audit

equivalent department with the responsibility of providing internal audit

Audit Executive (AE), an existing member of the internal audit management

who has a direct reporting relationship to a CAE.

10

tober 2010

area who serve

icant operations in the

he parameters defined by the committee for the participants were as

internal audit or

internal audit services.

internal audit management


KRevelsText Box


Ex-CAEs or Ex-AEs, who have served in audit management

year, but are not currently em

Other Director or higher level personnel in the audit organization

sufficient knowledge of internal audit activities of the organization.

Professional Service Practitioners (PSP), Partner

services firms who ha

functions. These categor

major clients as the representative organization for the purpose of the survey.

Each participant represented a uni

DFW area.

The quality of the data is greatly dependent on the experience level of the

participants and their tenure with the organization. The data co

overall experience levels of respondents

respondents being the internal audit

having at least 10 years experience

the experience levels of the respondents

24%

4%8%


AEs, who have served in audit management roles

not currently employees.

higher level personnel in the audit organization

sufficient knowledge of internal audit activities of the organization.

Professional Service Practitioners (PSP), Partner-level personnel in professional

o have adequate knowledge of their clients

. These categories of participants were requested to select one of their


Each participant represented a unique functional internal audit department in the

Figure 4 Respondents' Profile


participants and their tenure with the organization. The data collected indicated that the

levels of respondents were high, with approximately two

internal audit leaders (CAEs) and 84% of the respondents

experience. Figure-5 provides an overview of th

the experience levels of the respondents.

64%

Respondents' Profile

Chief Audit Executive

(CAE)

Audit Executive

Ex-CAE

Professional Services

Partner

11

roles within the past

higher level personnel in the audit organizations who have

level personnel in professional

adequate knowledge of their clients internal audit

of participants were requested to select one of their


que functional internal audit department in the


llected indicated that the

two-thirds of the

% of the respondents

provides an overview of the distribution of

Chief Audit Executive

Professional Services


KRevelsText Box


Respondents' experience

Figure-6. The data collected from the respondents

(84%) of the respondents had at least

organization and two audit calendar cycles of experience with the practices of the

organization.

Figure

28%

Overall Experience Levels

28%

16%

Respondents' Experience with the


Figure 5 Overall Experience Levels

Respondents' experience with their respective organizations

The data collected from the respondents indicated that a high proportion

%) of the respondents had at least two or more years of tenure within their current

audit calendar cycles of experience with the practices of the

Figure 6 Experience with the Organization

4%12%

56%

Overall Experience Levels

Less than 5 years

5 to 10 years

10 to 25 years

More than 25 years

16%

40%

Respondents' Experience with the

Organization

Less than 2 years

2 to 5 years

5 to 10 years

More than 10 years

12

is depicted in

indicated that a high proportion

f tenure within their current

audit calendar cycles of experience with the practices of the

Less than 5 years

More than 25 years

Less than 2 years

More than 10 years


KRevelsText Box



To ensure the data was representative, t

obtain data covering a wide variety of industries.

NAICS as a reference to identify the

were noted to operate in more than one industry sector. For example,

operated in both the construction and manufacturing

operated in both the transportation and information sectors. The committee noted that

overall; the responding organizations represented all the NAICS industry sector

fully or partially.

The data collected represented a wide variety of organization

employees and revenue. However

organizations (76%) achieved

Figure

In terms of employee count

organizations had at least 10,000 employee

distribution by number of employees.

32%

Revenue of Respondents'



data was representative, the research committee attempted to

obtain data covering a wide variety of industries. The research committee used the

tify the major industry sectors. A number of organizations

were noted to operate in more than one industry sector. For example, one

construction and manufacturing sectors while another respondent

rtation and information sectors. The committee noted that

the responding organizations represented all the NAICS industry sector

The data collected represented a wide variety of organizational sizes in terms of

owever, the majority of respondents reported that their

achieved at least 1 billion or more in yearly revenue.

Figure 7 Revenue of Respondents Organization

count, it was noted that about half (48%) of the

least 10,000 employees or more. Please see Figure

by number of employees.

8%

12%

4%

44%

Revenue of Respondents'

Organization

Less than $200 million

$200 million to $500

million

$500 million to $1 billion

$1 billion to $5 billion

More than $5 billion

13

he research committee attempted to

The research committee used the

industry sectors. A number of organizations

one respondent

another respondent

rtation and information sectors. The committee noted that,

the responding organizations represented all the NAICS industry sectors either

sizes in terms of

respondents reported that their

least 1 billion or more in yearly revenue.

of the

Please see Figure-8 for

Less than $200 million

$200 million to $500

$500 million to $1 billion

$1 billion to $5 billion

More than $5 billion


KRevelsText Box


Figure 8 Size of Respondents

In terms of geography,

operate internationally. Please see

Figure

20%

20%

8%

Size of Respondents' Organization (By

48%

4%

Respondents' Organization Type


Size of Respondents Organization (by Employees)

In terms of geography, about half (48%) of the respondents organizations

Please see Figure-9 for distribution by organization type

Figure 9 Respondents Organization Type

12%

40%

8%

Size of Respondents' Organization (By

Employees)

Less than 1000

1,000 to 10,000

10,000 to 50,000

50,000 to 100,000

100,000 +

16%

32%

4%

Respondents' Organization Type

Regional

National

International/ Trans

national

Others and Not-

Applicable

14

organizations

by organization type.

Less than 1000

1,000 to 10,000

10,000 to 50,000

50,000 to 100,000

International/ Trans-


KRevelsText Box



The respondents audit

respondents had departments

half (56%) of the respondents reporting that their internal audit department consisted of

at least 11 members.

Figure

In terms of maturity by

respondents internal audit departments

the majority of them (over 60%)

Figure-11 for the distribution by the duration of operations of internal audit departments.

36%

12%

8%

Respondents' IA Department Size



audit departments were of various sizes. The majority

had departments in the 11 to 25 members category and slightly more than


Figure 10 Respondents IA Department Size

In terms of maturity by the length of operation, the data indicated that 8

departments have been operating for at least 5 years and

(over 60%) have been in operation for over 10 years.

by the duration of operations of internal audit departments.

24%

20%

Respondents' IA Department Size

Less than 5 members

6 to 10 members

11 to 25 members

26 to 50 members

More than 50 members

15

ajority of the

and slightly more than


ion, the data indicated that 80% of the

have been operating for at least 5 years and

have been in operation for over 10 years. Please see

by the duration of operations of internal audit departments.

Less than 5 members

More than 50 members


KRevelsText Box


Figure 11 Respondents IA Department's Duration of Operations

In terms of the maturity of

was noted that most (88%) of the organizations rated themselves as

level of Integrated or Managed.

level of the internal audit department.

Figure 12 Overall Maturity Level as Assessed by Respondents

60%

Respondents' IA Departments'

Duration of Operations

48%

Overall Maturity Level


Respondents IA Department's Duration of Operations

In terms of the maturity of internal audits process as rated by the respondents, it

of the organizations rated themselves as having a maturity

level of Integrated or Managed. Please see Figure-12 for distribution by overall

internal audit department.

Overall Maturity Level as Assessed by Respondents

4%

16%

20%

Respondents' IA Departments'

Duration of Operations

One year or less

1 to 5 years

5 to 10 years

10 or more years

4% 4%

40%

4%

Overall Maturity Level

Initial

Infrastructure

Integrated

Managed

Optimized

16

udits process as rated by the respondents, it

having a maturity

overall maturity

One year or less

5 to 10 years

10 or more years

Infrastructure

Integrated

Managed

Optimized


KRevelsText Box


In terms of the activities performed by the internal audit departments, the

distribution pattern in Table 2

departments had higher involvement in audit and assurance activities and compliance

activities.

Table 2 Respondents Internal Audit Departments

Level/ Activity A&A

Activities

No Time (0%) _

0% to 10% _

10% to 25% 2

26% to 50% 8

51% to 75% 14

More than 75% 1


As touched on previously, the process of collecti

was executed in two phases. In the first phase, respondents were asked to complete

pre-interview questionnaires to provide a baseline understanding of the

maturity and resource allocation rationale for each fo

were then targeted to the responses provided in the pre

on the rationale that the information available from respondents would vary depending

on the experience with that area. For example, a C

departments maturity in performing Strategy Audits as Initial would likely have limited

input on the benefits of conducting such activities, but may be able to answer questions

related to future plans in this area. Conversely,

maturity as Optimized could offer additional information about the benefits and

roadblocks in conducting such activities, and how value and continuous improvement

programs are monitored and measured. For the complete list

to Appendices III and IV.



was noted and the data indicated that most of the audit

had higher involvement in audit and assurance activities and compliance

Internal Audit Departments Time Allocation for Various Activities.

Consulting Compliance Administration

1 1 -

9 8 13

12 7 11

3 8 1

- 1 -

- - -


As touched on previously, the process of collecting the data for each focus area


interview questionnaires to provide a baseline understanding of their

maturity and resource allocation rationale for each focus area. Follow-up interviews

were then targeted to the responses provided in the pre-interview questionnaires based


on the experience with that area. For example, a CAE or AE who assessed his



related to future plans in this area. Conversely, a respondent who assessed the



programs are monitored and measured. For the complete list of survey questions, refer

17


was noted and the data indicated that most of the audit

had higher involvement in audit and assurance activities and compliance

inistration Others

12

11

2

-

-

-

ng the data for each focus area


experience,

up interviews

interview questionnaires based


AE or AE who assessed his



a respondent who assessed the



of survey questions, refer


KRevelsText Box


A summary of the data and observations

each focus area is provided in the subsections below.

Project Management

The data collected in this area indicated that

maturity level with about one

organizations at this maturity level and 7

see figure 13 for the distribution of the assessed maturity levels.

Figure 13 Maturity Level (Project Management) as Assessed by Respondents

About half of the respondents

departments internal audit time in

respondents indicated that their internal audit department spends at least 5% or more of

their departments time in this area.

36%

20%

Maturity Level as Assessed by


A summary of the data and observations (for the sample size of 25)

each focus area is provided in the subsections below.

The data collected in this area indicated that Integrated was the median

about one-third (36%) of the respondents identifying their

organizations at this maturity level and 76% at the Integrated level or below.

for the distribution of the assessed maturity levels.

Maturity Level (Project Management) as Assessed by Respondents

respondents organizations (54%) spent less than

internal audit time in the project management area. About 46%

dicated that their internal audit department spends at least 5% or more of

their departments time in this area.

20%

20%

4%


Respondents

Initial

Infrastructure

Integrated

Managed

Optimized

18

(for the sample size of 25) relative to

as the median

of the respondents identifying their

level or below. Please

Maturity Level (Project Management) as Assessed by Respondents

than 6% of their

About 46% of the

dicated that their internal audit department spends at least 5% or more of

Infrastructure

Integrated

Managed

Optimized


KRevelsText Box


Figure 14

Approximately half of the respondents noted that

internal audit time on audit and assurance activities.

Figure 15 Allocation of Time Between Consulting and Assurance Activities

12%

17%

17%

Time Spent for Project Management

20%

12%

4% 4%

Allocation of Time Between Consulting


Time Spent for Project Management Activities

Approximately half of the respondents noted that their departments spend 75% of

n audit and assurance activities.

Allocation of Time Between Consulting and Assurance Activities

8%

46%

0%

Time Spent for Project Management

Activities

No Time Spent

0% to 5%

6% to 10%

11% to 15%

16% to 25%

More than 25%

8%

52%

4%

Allocation of Time Between Consulting

and Assurance No consulting time (all audit/assurance)

Some consulting (Less than 25%

of time)

Half consulting (Other 50% of

time for audit/assurance)

Mostly consulting (75% or more

time)

All consulting (no

auidt/assurance)

Not applicable

19

spend 75% of their

Allocation of Time Between Consulting and Assurance Activities

No Time Spent

11% to 15%

16% to 25%

More than 25%

Some consulting (Less than 25%

Half consulting (Other 50% of



KRevelsText Box


The vast majority of the respondents

levels were appropriate for the project management area

Figure 16

Some of the themes noted during the interviews are as follows:

A number of respondent

Information Technology (IT) initiatives (as

management activities such as construction project

etc.)

A large number of organizations had

department (mainly IT)

framework.

About 60% of the respondents

in project management type internal audit activities

to be involved in this area in the near future.

A large portion of the respondents indicated that there is not an organization

wide project management framework, indicating opportunity for management to

streamline their project management activities across th

We feel allocation is appropriate

Area is not applicable for our business

Area not a high risk to our business

Budgetary constraints

Business goals have not been defined

Project Management Resource Allocation


vast majority of the respondents (75%) felt that the allocations at the current

for the project management area as noted below:

16 Project Management Resource Allocation


A number of respondents associated the term project management

Information Technology (IT) initiatives (as opposed to business process

management activities such as construction projects, process re

number of organizations had a specially assigned project

department (mainly IT) and a few organizations had a wider project management

About 60% of the respondents organizations were noted to be currently involved

in project management type internal audit activities, while 25% do

be involved in this area in the near future.

A large portion of the respondents indicated that there is not an organization


streamline their project management activities across the organization.

0 5 10 15






Others


20

allocations at the current

as noted below:

project management with

opposed to business process

, process re-engineering,

a specially assigned project management

project management

noted to be currently involved

25% dont have plans

A large portion of the respondents indicated that there is not an organization-


e organization.

20



KRevelsText Box


Some key observations from

When asked how activities in this area added value to their organizations, and

how the value was measured, many respondents stated that their consultative activities

in this area provided substanti

often not be quantified. For example, many respondents stated that they were regularly

consulted to advise on project risks and make control recommendations in the planning

stage of major projects. By identifying critical risks that threaten the success of the

project and recommending mitigating controls before project implementation, these

respondents believed internal audit

project initiatives. Additionally, some respondents stated that they were consulted to

review process design within major projects and recommend improvements to

streamline the process and gain efficiencies. These process improvement

recommendations often resulted in reduced cost

organization.

Various roadblocks and challenges were noted by respondents related to their

activities in this area. A small number of respondents stated that they lacked human

resources and training for lower

support. One respondent stated that occasionally independence can become an issue

when process owners and project managers do not understand

boundaries and the need to maintain independence. The re

two key methods of overcoming this issue are communication with the project team at

the inception of the project planning phase to clearly define

limiting internal audits involvement to advisory in the

involvement in the implementation phase.


The data collected in this area indicated that

Integrated or lower level of maturity in this area with the


Some key observations from interviews:



in this area provided substantial value to the organization, although this value could



By identifying critical risks that threaten the success of the


internal audit played a significant role in ensuring success of

tionally, some respondents stated that they were consulted to



recommendations often resulted in reduced cost of the overall project to the



resources and training for lower-level staff to provide adequate Project Management


when process owners and project managers do not understand

boundaries and the need to maintain independence. The respondent also stated that


the inception of the project planning phase to clearly define internal a

udits involvement to advisory in the design phase, with less

involvement in the implementation phase.


The data collected in this area indicated that 75% of the organizations had an

level of maturity in this area with the median in the

21



al value to the organization, although this value could



By identifying critical risks that threaten the success of the


played a significant role in ensuring success of

tionally, some respondents stated that they were consulted to



of the overall project to the



o provide adequate Project Management


when process owners and project managers do not understand internal audits

spondent also stated that


audits role, and

design phase, with less

5% of the organizations had an

in the Infrastructure


KRevelsText Box


stages of adopting ERM processes

by ERM process maturity.

Figure 17 Maturity Level (ERM) as Assessed by Respondents

The data collected indicated that all respondents spend at

area, with about one-third of internal audit d

involvement (more than 10% of time)

over assurance activities as compared to consulting activities

Figure-19.

Figure

20%

24%

Maturity Level As Assessed by

16%

8%

8%

Time Spent for ERM Activities


stages of adopting ERM processes. Please see figure-17 for the distribution of samples

Maturity Level (ERM) as Assessed by Respondents

The data collected indicated that all respondents spend at least some time in this

internal audit departments having higher level of

(more than 10% of time). The extent of involvement appears to be more

over assurance activities as compared to consulting activities as noted in Figure

Figure 18 Time Spent for ERM Activities

24%

28%

4%

Maturity Level As Assessed by

Respondents

Initial

Infrastructure

Integrated

Managed

Optimized

36%

32%

8% 0%

Time Spent for ERM Activities

No Time Spent

0% to 5%

6% to 10%

11% to 15%

16% to 25%

More than 25%

22

bution of samples

least some time in this

epartments having higher level of

. The extent of involvement appears to be more

in Figure-18 and

Infrastructure

Integrated

Managed

Optimized

No Time Spent

11% to 15%

16% to 25%

More than 25%


KRevelsText Box


Figure 19 Allocation of Time to Consulting and Assurance Activities

The data collected regarding the rationale for resource allocation and focus

indicated that a vast majority of the respondents (75%) felt that the al

current levels were appropriate as noted below:

28%

4% 4% 0%

Allocation of Time to Consulting and Assurance






ERM Resource Allocation


Allocation of Time to Consulting and Assurance Activities


indicated that a vast majority of the respondents (75%) felt that the allocation

appropriate as noted below:

Figure 20 ERM Resource Allocation

20%

44%

0%


ActivitiesNo consulting time (all

audit/assurance)

Some consulting (Less than 25% of

time)

Half consulting (Other 50% of time for

audit/assurance)

Mostly consulting (75% or more time)

All consulting (no auidt/assurance)

Not applicable

0 5 10 15






Others

ERM Resource Allocation

23


locations at the



Half consulting (Other 50% of time for

Mostly consulting (75% or more time)


20


KRevelsText Box


The themes noted during the interviews are as follows:

A number of respondents indicated that internal audit is involved in co

of the ERM initiatives at their organizations. In some instances,

been asked to be the owner of the process as no other departments accepted

the responsibility.

A vast number of organizations indicated that they have a formal pr

place (70%).

About 25% of the respondents (among the organizations in early stages)

indicated that they do not

Independence was not identified as a concern in this area.


According to the IIA, internal

risk awareness within the organization. However, several respondents stated in

interviews that a major barrier to getting ERM off the ground in their organizations is

convincing executives of its beneficial impact.

One respondent who has experience getting successful ERM implementations

off the ground stated that implementing ERM is more an art than a science. Getting

buy-in from top-level management can be a challeng

respondent has developed several innovative approaches to address the issue while

demonstrating the value of the initiative:

- Proactively discuss risks with top level management in formal and informal

discussions. Gain an understanding of what keeps management up at night and

identify events that would negatively impact the achievement of objectives. In this

effort, establish what the problems are, whether they are systemic or isolated, and begin

to identify what the key controls are. Do the controls currently exist, or must they be

designed? Where the key controls should

process owners begin having to be accountable through the quarterly certification


he themes noted during the interviews are as follows:

A number of respondents indicated that internal audit is involved in co

of the ERM initiatives at their organizations. In some instances, internal audit


A vast number of organizations indicated that they have a formal pr


do not plan to increase their level of involvement.

Independence was not identified as a concern in this area.


nternal audit can and should be a champion of ERM and



nvincing executives of its beneficial impact.



level management can be a challenge due to various factors, and the


demonstrating the value of the initiative:

Proactively discuss risks with top level management in formal and informal

n an understanding of what keeps management up at night and



e key controls are. Do the controls currently exist, or must they be

the key controls should be located to ensure optimization? As


24

A number of respondents indicated that internal audit is involved in co-ordination

internal audit has


A vast number of organizations indicated that they have a formal process in


plan to increase their level of involvement.

udit can and should be a champion of ERM and





e due to various factors, and the


Proactively discuss risks with top level management in formal and informal

n an understanding of what keeps management up at night and



e key controls are. Do the controls currently exist, or must they be

be located to ensure optimization? As



KRevelsText Box


process for exceptions, less and less exceptions should occur over time. These results

can then be presented to management as evidence of the success of the initiative, as it

demonstrates effective results in reducing the risks that keep management up at night.

This can solidify and increase support for a formal ERM effort built on continuous

improvement. This approach allows adoption of ERM as an incremental effort, rather

than an overnight implementation.

- Develop a pilot of ERM for a single department, such as Account

Roll ERM out in that one department by identifying the departments objectives, linking

them to risks, and developing risk responses and control activities. Self Assessment

testing should be performed periodically to evaluate the success

the successes and opportunities for improved implementation. Build on the knowledge

learned to refine the process in that department. Present the results to senior

management as a proposal for a phased implementation that is mor

be more easily integrated into the business processes. If management understands

that ERM doesnt have to be all at once, and doesnt have to be overcomplicated, buy

is easier to achieve.

Another respondent acknowledged that ERM wa

stage within his organization, but stated that this was intentional and that the company

was where it wanted to be with respect to ERM with limited additional investment. With

his approach, all the elements of t

to link risks to strategy, increase risk awareness in the company, and increase process

owner accountability for developing risk responses.

benefit to his approach to ERM is that it has allowed

and build risk awareness into the culture of the organization over time, without

overwhelming process owners with the ERM terminology. In annual risk assessments,

internal audit gains an understanding of the highest risks facing the organization. Then,

when the audit plan is developed it is linked to the companys strategy

risks are linked to strategic objectives and the audit plan is linked to strategy. These are

key objectives within ERM and the respondent believes he is accomplishing them


less and less exceptions should occur over time. These results



dify and increase support for a formal ERM effort built on continuous


than an overnight implementation.

Develop a pilot of ERM for a single department, such as Account



testing should be performed periodically to evaluate the success of the initiative, noting



management as a proposal for a phased implementation that is more practical and can


that ERM doesnt have to be all at once, and doesnt have to be overcomplicated, buy

Another respondent acknowledged that ERM was probably in the Initial or Infrastructure



his approach, all the elements of the internal audit / compliance functions work together


owner accountability for developing risk responses. This respondent believes that a key

to ERM is that it has allowed internal audit to link risk to strategy



an understanding of the highest risks facing the organization. Then,

when the audit plan is developed it is linked to the companys strategy


y objectives within ERM and the respondent believes he is accomplishing them

25

less and less exceptions should occur over time. These results



dify and increase support for a formal ERM effort built on continuous


Develop a pilot of ERM for a single department, such as Accounting or Finance.



of the initiative, noting



e practical and can


that ERM doesnt have to be all at once, and doesnt have to be overcomplicated, buy-in

s probably in the Initial or Infrastructure



he internal audit / compliance functions work together


This respondent believes that a key

udit to link risk to strategy



an understanding of the highest risks facing the organization. Then,

in this manner,


y objectives within ERM and the respondent believes he is accomplishing them


KRevelsText Box


without creating a separate ERM effort. This helps gain the buy

he presents the audit plan, because management sees a risk

linked to the company's core objectives, and it makes sense to them.

A major benefit noted by various respondents was that the ERM implementation

process resulted in positive changes to the risk culture of the organization. Often, the

process of conducting risk assessments and discussing risks with management resulted

in increased risk awareness and more accountability on the part of process owners and

managers.

Corporate Governance

The data collected in this area

maturity level with 32% of the respondents identifying their organizations at this maturity

level and about two-thirds (64

Figure 21 Maturity Level (Corporate Governance) as Assessed by

More than half of the respondents (

departments time was spent at least 1

32%



without creating a separate ERM effort. This helps gain the buy-in of management when

he presents the audit plan, because management sees a risk-based audit plan that is

the company's core objectives, and it makes sense to them.



sessments and discussing risks with management resulted


The data collected in this area indicated that Integrated was the median

% of the respondents identifying their organizations at this maturity

thirds (64%) below the Integrated maturity level or below.

Maturity Level (Corporate Governance) as Assessed by Respondents

More than half of the respondents (60%) indicated that their internal audit

at least 10% or more in this area.

12%

20%

32%

4%


Respondents

Initial

Infrastructure

Integrated

Managed

Optimized

26

in of management when

based audit plan that is



sessments and discussing risks with management resulted


as the median

% of the respondents identifying their organizations at this maturity

level or below.

Respondents

60%) indicated that their internal audit

Infrastructure

Integrated

Managed

Optimized


KRevelsText Box


Figure 22 Time Spent for Corporate Governance Activities

Of the time spent in this area

their internal audit departments

the Figure below.

Figure 23 Allocation of Time between Consulting and Assuran

24%

28%

Time Spent for Corporate

Governance Activities

4%4%

4% 4%

Allocation of Time Between Consulting and


Time Spent for Corporate Governance Activities

in this area, a majority (68%) of the respondents noted that

their internal audit departments time spent is in assurance type activities as shown in

Allocation of Time between Consulting and Assurance Activities

4%

20%

16%

8%

Time Spent for Corporate

Governance Activities

No Time Spent

0% to 5%

6% to 10%

11% to 15%

16% to 25%

More than 25%

16%

68%

Allocation of Time Between Consulting and

Assurance ActivitiesNo consulting time (all

audit/assurance)


time)

Half consulting (Other 50% of time

for audit/assurance)


time)


Not applicable

27

the respondents noted that

time spent is in assurance type activities as shown in

ce Activities

No Time Spent

11% to 15%

16% to 25%

More than 25%


Half consulting (Other 50% of time




KRevelsText Box



indicated that a vast majority of the respondents

current levels was appropriate as noted

Figure 24


A number of respondents indicated that

key activity in this area.

A large number of organizations in

organizations are requested by management or

activities in this area.


A key roadblock noted by several respondents was that there is a la

guidance on how to audit corporate governance. One respondent stated that this can

result in difficulties developing the scope and objectives for corporate governance

audits.






Corporate Governance



indicated that a vast majority of the respondents (85%) felt that the allocation at the

current levels was appropriate as noted in Figure-24.

24 Corporate Governance Resource Allocations


A number of respondents indicated that the Entity-level controls review

key activity in this area.

number of organizations indicated that there are set procedures or their

organizations are requested by management or the audit committee to perform


A key roadblock noted by several respondents was that there is a la



0 5 10 15 20






Others

Corporate Governance - Resource

Allocation

28


5%) felt that the allocation at the

level controls review was the

dicated that there are set procedures or their

audit committee to perform

A key roadblock noted by several respondents was that there is a lack of



25


KRevelsText Box


Several respondents noted that a major benefit of performing these type

engagements is that they can help strengthen the corporate culture and ethical climate.

This benefit can be achieved through identifying exceptions and following up to verify

remediation, and also through making recommendations when deficiencies in t

design of organizational governance processes are noted.

A large healthcare services organization's

adopted a number of organization w

reinforcement initiatives that appear to have been received well by the auditees

area. Some of the key initiatives are as follows:

* "Audit Trophy", an award given to the units that meet or exceed certain scor

in the yearly rotational audits.

* "Audit update newsletter", an email blast that is sent on a monthly basis to

communicate the audit and governance initiatives.

* "Quarterly audit webcasts", an online webinar inviting organization wide

participants for education and discussions on hot topics.

* "Data Analysis Dashboards",

management to monitor business trends.


Several respondents noted that a major benefit of performing these type

engagements is that they can help strengthen the corporate culture and ethical climate.

This benefit can be achieved through identifying exceptions and following up to verify

remediation, and also through making recommendations when deficiencies in t

design of organizational governance processes are noted.

A large healthcare services organization's CAE notes that internal audit has

adopted a number of organization wide internal audit communication and other positive

reinforcement initiatives that appear to have been received well by the auditees

. Some of the key init

internal audit's value addition approach - the institute ... documents/internal audit's value... ·...

Documents