pulse of internal audit supplemental report: internal ... · 2 internal audit management insights...


Upload: ngokhuong

Post on 06-Jul-2019


Page 1: Pulse of Internal Audit Supplemental Report: Internal ... · 2 Internal Audit Management Insights Executive Summary CAEs require high-level expertise in risk management, internal

www.theiia.org/Pulse

*The financial services category was created by extracting financial services respondents from the other four categories: publicly traded, public sector, privately held, and nonprofit.

About the Pulse of Internal Audit

The IIA’s Audit Executive Center® (AEC®) has gathered insight from leaders in the profession through the annual Pulse of Internal Audit survey since 2009. Each survey collects information about both established and emerging issues that are important to the profession as well as information about internal audit management (such as areas of focus, staff, and budget levels).

The 2017 North American Pulse of Internal Audit survey (Pulse) was conducted online from Oct. 20, 2016, to Nov. 11, 2016, with survey invitations distributed through the AEC, The IIA, and social media. The IIA collected data from 538 respondents, including 460 chief audit executives (CAEs) and 78 director/senior managers. In Pulse reports, CAEs and director/senior managers are collectively referred to as CAEs. See the Appendix for additional information on respondent demographics.

The survey results are analyzed and presented in multiple reports of which this is one. Complimentary high-level reports are made available to the public through The IIA’s Pulse of Internal Audit resource page (visit www.theiia.org/Pulse). More in-depth reports for internal audit management are available exclusively to members of the AEC. For more information about joining the AEC, visit www.theiia.org/AEC.

RESPONDENT DEMOGRAPHICS

Internal Audit Position     Number of Responses   Percentage
CAEs                        460                   86%
Director/senior managers    78                    14%
Total                       538

Country
United States  84%
Canada  12%
Other  4%

Organization Type*
Publicly traded  32%
Public sector  20%
Privately held  10%
Nonprofit  10%
Financial services  28%

Internal Audit Function Size (FTEs)
1 to 3  27%
4 to 9  33%
10 to 24  24%
25 to 49  10%
50 or more  6%


Contents

Executive Summary
  Summary of Findings
Section 1: Staffing and Budgets
  Staff Sizes in 2016
  Staffing: 2016 Actual and 2017 Projections
  Budget: 2016 Actual and 2017 Projections
  Perspective on Projections
Section 2: Internal Audit Reporting Lines
  Functional Reporting Lines
  Administrative Reporting Lines
Section 3: Audit Effort and Risk
  Allocation of Audit Effort
  Assessment of Risk
  Comparison of Assessed Risk and Audit Effort
  Comparison of Assessed Risk and Audit Effort per Risk Area
  Allocation of Audit Effort to Strategic Goals
Section 4: Internal Audit Skills and Training
  Skill Importance Variances and Methods of Training
Section 5: Action Items for CAEs
Appendix: Methodology

ABOUT THE AUDIT EXECUTIVE CENTER

The IIA’s Audit Executive Center® (AEC®) is the essential resource to empower CAEs to be more successful. The Center’s suite of information, products, and services enables CAEs to respond to the unique challenges and emerging risks of the profession. For more information on the Center, visit www.theiia.org/AEC.

ABOUT THIS DOCUMENT

The information included in this report is general in nature and is not intended to address any particular individual, internal audit function, or organization. The objective of this document is to share information and other internal audit practices, trends, and issues. However, no individual, internal audit function, or organization should act on the information provided in this document without appropriate consultation or examination. To download a digital version of this report, visit www.theiia.org/Pulse.

COPYRIGHT

Copyright © 2017 by The Institute of Internal Auditors (IIA) located at 1035 Greenwood Blvd., Suite 401, Lake Mary, FL 32746, U.S.A. All rights reserved. This report, including the written content, information, images, charts, as well as the pages themselves, is subject to protection under copyright laws. As copyright owners, only The IIA has the right to 1) copy any portion; 2) allow copies to be made; 3) distribute; or 4) authorize how the report is displayed, performed, or used in public. You may use this report for non‐commercial, review purposes. You may not make further reuse of this report. Specifically, do not incorporate the written content, information, images, charts, or other portions of the report into other mediums or you may violate The IIA’s rights as copyright owner. If you want to do any of these things, you must get permission from The IIA.

This report is reserved for your exclusive use as a member of the Audit Executive Center. To distribute this report or any contents, you must get permission from The IIA.


 

  2 Internal Audit Management Insights

Executive Summary

CAEs require high-level expertise in risk management, internal control, and governance processes to address established and emerging issues that are important to the profession. In addition, CAEs also require skills in administrative management — the efficient use of resources to achieve the internal audit function’s objectives.

This is The IIA’s first stand-alone report focusing on management of the internal audit function. There are four main topics addressed in this report, based on a broad survey of CAEs in North America. This report is intended to help CAEs benchmark against their peers, understand differences, and ensure that reasons for these differences are understood and explainable to management and the board.

SUMMARY OF FINDINGS 

STAFFING AND BUDGETING 

Almost a third of respondents expect staff size to increase in 2017, nearly the same that experienced an increase in 2016. Few expect staff size to decrease.

The internal audit profession has been much better at predicting when staff will increase than when staff will decrease.

REPORTING LINES 

Overwhelmingly, CAEs functionally report to the board level. Public sector CAEs are the exception, most likely due to differences in governance structure.

CAE administrative reporting lines vary considerably based on organization type. The majority of CAEs in publicly traded organizations report administratively to the chief financial officer (CFO), while administrative reporting lines in other sectors are more diverse.

AUDIT FOCUS 

Overall, CAEs devote one-third of audit effort to risks aligned to the organization’s strategy.

The top five risks identified are cyber, compliance, IT, third-party, and operational risks.

CAEs devote the highest level of internal audit effort to addressing operational risks. However, CAEs in publicly traded organizations devote their highest level of effort to financial reporting.

Risk is a key driver for audit effort allocation.

Other factors such as internal auditor competencies and past practices also appear to strongly impact the allocation of audit effort.

SKILLS AND TRAINING 

Analytical/critical thinking and communication skills are the most important skills for internal auditors.

Data analytics and cybersecurity are the two areas where internal auditors most need training.

Most differences in responses are attributed to the respondent’s organization type. Rarely were there notable differences based on the size of the internal audit function or the size of the organization.


Section 1: Staffing and Budgets

Staff and budget are typically the most substantial resources used by internal audit to accomplish its mission.

STAFF SIZES IN 2016 

Internal audit functions range widely in size. Across all types of organizations, the majority (59 percent) of internal audit functions are staffed with fewer than 10 full-time equivalents (FTEs). Public-sector and privately held organizations have the biggest share of smaller internal audit functions (1–3 FTEs). Larger audit functions are most commonly seen among financial services and publicly traded organizations, where one in five audit functions have 25 or more FTEs.

Smaller internal audit functions face a number of unique challenges. For example, it is more difficult to dedicate resources to specific tasks, or to ensure sufficient breadth and depth of skills to cover the organization’s full scope of risks. Throughout this report, it is noted where responses from CAEs managing smaller functions differ considerably from responses of those managing larger functions. However, in most cases, responses were consistent across staff size.

 

AUDIT FOCUS

IIA Standard 2030: Resource Management

The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

Exhibit 1: Number of Full‐time Equivalent Staff by Organization Type

Organization type    1 to 3   4 to 9   10 to 24   25 or more
Public sector        37%      34%      22%        7%
Privately held       36%      38%      14%        12%
Nonprofit            31%      30%      35%        4%
Financial services   27%      29%      23%        21%
Publicly traded      15%      36%      28%        21%
All respondents      26%      33%      25%        16%

Note: Q35: Approximately how many full‐time equivalent employees make up your internal audit department? n = 520.


STAFFING: 2016 ACTUAL AND 2017 PROJECTIONS 

2016 ACTUAL CHANGE IN STAFF SIZE 

Survey respondents were asked how much staffing increased or decreased in 2016. Exhibit 2 shows the percentage of CAEs that reported an increase or decrease in the number of internal audit staff in 2016. For most organization types, more internal audit functions increased staff in 2016 than decreased staff.

Organization types that are more highly regulated (such as financial services and publicly traded organizations) were more likely to increase staff size and less likely to decrease staff size in 2016. Among nonprofit organizations, the number of internal audit functions that increased staff size exceeded the number of audit functions that decreased staff size by 31 percentage points — the biggest difference among all organization types. The reported nonprofit staff size increase was driven by healthcare respondents.

The impact of internal audit function size was explored and size had no apparent impact on whether an internal audit function had an increase or decrease in staff size in 2016. Also, considering each organization type on its own, little difference was noted between internal audit functions of different sizes with one exception — only 8 percent of smaller audit function CAEs (1–3 FTEs) in financial services reported a 2016 staff increase, compared to 32 percent among all financial services CAEs.

For all organization types and internal audit function sizes, the average percentage by which staff increased (for those who reported an increase) was greater than the average percentage by which staff decreased (for those who reported a decrease).

Exhibit 2: Percentage of Internal Audit Functions with Staff Increases or Decreases in 2016

Organization type    Increased staff in 2016   Decreased staff in 2016
Financial services   32%                       9%
Nonprofit            39%                       8%
Publicly traded      30%                       17%
Public sector        23%                       15%
Privately held       20%                       20%
All respondents      29%                       14%

Note: Q36: Looking back over the past 12 months, the number of full‐time equivalent staff within your internal audit department has increased, decreased, remained the same, don't know, not applicable? (Choose one). n = 519.


2017 EXPECTED CHANGE IN STAFF SIZE 

Looking at 2017, Exhibit 3 indicates that 30 percent of all CAEs expect their staff size to increase while only 5 percent expect a decrease. This is similar to the actual experience in 2016 when more internal audit functions increased than decreased staff size. However, considerably fewer internal audit functions expect a decrease in staff in 2017 (5 percent), than experienced a decrease in 2016 (14 percent).

As with the actual experience in 2016, expectations for 2017 differ noticeably by organization type. CAEs in privately held organizations have the highest expectations, with 42 percent expecting an increase. If realized, this will be a dramatic change from 2016 when staff size for this sector was stagnant (Exhibit 2). Insights into how these additional resources will be directed are provided in Section 3: Risk and Audit Focus.

Exhibit 3: Percentage of Internal Audit Functions Expecting Staff Increases or Decreases in 2017

Organization type    Expect to increase staff   Expect to decrease staff
Financial services   33%                        5%
Nonprofit            35%                        0%
Publicly traded      24%                        7%
Public sector        26%                        4%
Privately held       42%                        6%
All respondents      30%                        5%

Note: Q37: Looking ahead at the next 12 months, do you expect the number of full‐time equivalent staff within your internal audit function to increase, remain the same, decrease, don't know, not applicable? (Choose one.) n = 512.


BUDGET: 2016 ACTUAL AND 2017 PROJECTIONS 

2016 ACTUAL CHANGE IN BUDGET 

Internal audit budgets are typically driven by staff compensation, travel, and co-source costs, with staff compensation costs likely to account for the largest share. Expectations for changes in budget largely mirrored expectations for changes in staff size, with some notable differences. Forty percent of CAEs experienced a budget increase in 2016 (Exhibit 4) compared to 30 percent who experienced a staff size increase in the same year (Exhibit 3). This suggests that budget increases were due at least in part to expenses other than staff compensation costs.

The largest variances in staff size and budget increases/decreases in 2016 were reported in financial services and nonprofit organizations.

2017 EXPECTED CHANGE IN BUDGET 

As with 2016 actual variances, the largest variances in expected staff size and budget increases/decreases in 2017 were reported by financial services and nonprofit organizations (Exhibit 5).

Exhibit 4: Percentage of Internal Audit Functions with Budget Increases or Decreases in 2016

Organization type    Increased budget in 2016   Decreased budget in 2016
Financial services   48%                        12%
Nonprofit            47%                        8%
Publicly traded      38%                        20%
Public sector        35%                        13%
Private              25%                        14%
All respondents      40%                        14%

Note: Q38: Looking back over the past 12 months, the budget of your internal audit function increased, remained the same, decreased, don’t know, not applicable (choose one). n = 512.

Exhibit 5: Percentage of Internal Audit Functions Expecting Budget Increases or Decreases in 2017

Organization type    Expect to increase budget   Expect to decrease budget
Financial services   51%                         9%
Nonprofit            41%                         0%
Publicly traded      33%                         11%
Public sector        39%                         7%
Privately held       47%                         10%
All respondents      41%                         8%

Note: Q39: Looking ahead at the next 12 months, do you expect the budget of your internal audit function to increase, remain the same, decrease, don’t know, not applicable (choose one). n = 509.


PERSPECTIVE ON PROJECTIONS 

Pulse 2015 and 2016 survey results indicate the internal audit profession as a whole is much better at predicting increases in staff size than decreases.

Exhibit 6 compares 2015 predictions for 2016 with what actually happened in 2016. In 2015, 26 percent of CAEs representing the broad internal audit profession expected staff size to increase in 2016, which aligns closely to the 29 percent of CAEs who reported an actual staff increase in 2016.

However, the internal audit profession may not be as good in predicting a decrease in staff size. As shown in Exhibit 7, only 4 percent of CAEs in 2015 said they expected staff size to decrease in 2016 while 14 percent reported an actual decrease. While there are many possible reasons, a comparison of 2015 and 2016 survey results indicates internal auditors may be better at predicting good news (staff increases) than predicting bad news (staff decreases). The message for CAEs is to carefully consider the possibility of unexpected decreases in staff in the future.

Exhibit 6: Staff Size Increases in 2016 Compared to Projections in 2015

Organization type    Projected in 2015 to increase staff in 2016   Actually increased staff in 2016
Financial services   28%                                           32%
Publicly traded      26%                                           30%
Public sector        25%                                           23%
Privately held       28%                                           20%
Nonprofit            20%                                           39%
All respondents      26%                                           29%

Exhibit 7: Staff Size Decreases in 2016 Compared to Projections in 2015

Organization type    Projected in 2015 to decrease staff in 2016   Actually reduced staff in 2016
Financial services   5%                                            9%
Publicly traded      5%                                            17%
Public sector        6%                                            15%
Privately held       3%                                            20%
Nonprofit            1%                                            8%
All respondents      4%                                            14%

Note for Exhibits 6 and 7: CBOK 2015/Pulse 2016 survey, Q26: In the next calendar year, how do you anticipate that your permanent staff levels will change? n = 603. Compared to Pulse 2017 survey, Q36: Looking back over the past 12 months, the number of full‐time equivalent staff within your internal audit department has increased, decreased, remained the same, don't know, not applicable? (Choose one). n = 519.


Section 2: Internal Audit Reporting Lines

Internal audit’s effectiveness and efficiency can be significantly impacted by reporting lines. Most CAEs have separate functional and administrative reporting lines. IIA Standard 1110: Organizational Independence requires that CAEs report to a level within the organization that allows the internal audit activity to fulfill its responsibilities, which is interpreted as a functional reporting line to the board.

   

AUDIT FOCUS 

IIA Standard 1110: Organizational Independence

The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

Interpretation

Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board:

Approving the internal audit charter.

Approving the risk-based internal audit plan.

Approving the internal audit budget and resource plan.

Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters.

Approving decisions regarding the appointment and removal of the chief audit executive.

Approving the remuneration of the chief audit executive.

Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.


FUNCTIONAL REPORTING LINES 

Functional reporting refers to oversight of the responsibilities of the internal audit activity, including approval of the internal audit charter, the audit plan, evaluation of the CAE, and compensation of the CAE. Functional reporting is important to prevent the specific interests of one function within the organization inappropriately impacting the work of internal audit.

For most CAEs, functional reporting is to a board-level oversight group (Exhibit 8). Among CAEs in more heavily regulated organizations such as financial services organizations and health care organizations (included in the nonprofit category), nearly all report to an audit committee, board, or equivalent. This falls to 9 out of 10 CAEs in publicly traded organizations, 8 out of 10 in privately held organizations, and 7 out of 10 in public sector organizations.

The lower percentage of CAEs reporting to an audit committee, board, or equivalent in the public sector is likely due to the public sector’s unique governance structure, where an audit committee or board may not exist. Survey findings from The IIA’s American Center for Government Auditing indicate that when a government organization does have a board structure similar to other organizations, the CAE nearly always reports to that board or one of its committees.

No differences in reporting lines were noted based on internal audit function size. Across all organization types, internal audit functions of all sizes had the same likelihood of functionally reporting to a board-level oversight group.

Exhibit 8: Functional Reporting Lines for CAEs

Organization type    Board, audit committee   CEO, president, agency head   CFO, vice president of finance   Other chief officers
Public sector        66%                      22%                           4%                               8%
Financial services   98%                      1%                            1%                               -
Nonprofit            98%                      2%                            -                                -
Privately held       84%                      2%                            8%                               6%
Publicly traded      92%                      1%                            5%                               2%
All respondents      89%                      5%                            3%                               3%

Note: What is the primary functional reporting line for the chief audit executive (CAE) or head of internal audit in your organization? n = 520.


ADMINISTRATIVE REPORTING LINES 

Administrative reporting refers to oversight of day-to-day matters including such items as expense approval, human resource administration, normal internal communications, and internal policies and procedures. CAEs most often report administratively to the CFO, followed closely by reporting to the CEO. These results are similar to results from prior years.

However, there are substantive differences based on organization type (Exhibit 9). The majority of CAEs in public-sector and financial services organizations report administratively to the CEO or a board-level oversight group, while only 15 percent of CAEs in publicly traded organizations report administratively to these highest levels of the organization. More than two-thirds of CAEs in publicly traded organizations report administratively to the CFO.

Administrative reporting lines were analyzed for CAEs of different sized internal audit functions. Within each organization type, there were no meaningful differences in administrative reporting lines based on internal audit function size.

As shown in Exhibit 8, a notable percentage of public sector CAEs report functionally to a member of executive management. These CAEs nearly always report administratively to the same position.

Exhibit 9: Administrative Reporting Lines for CAEs

Organization type    CEO, president, agency head   CFO, vice president of finance   Other chief officers   Board, audit committee   Other
Public sector        51%                           10%                              15%                    17%                      7%
Financial services   49%                           21%                              23%                    3%                       4%
Nonprofit            31%                           31%                              28%                    4%                       6%
Privately held       18%                           58%                              16%                    4%                       4%
Publicly traded      11%                           69%                              14%                    4%                       2%
All respondents      33%                           39%                              18%                    6%                       4%

Note: Q33: What is the primary administrative reporting line for the chief audit executive (CAE) or head of internal audit in your organization? n = 520.


Section 3: Audit Effort and Risk

ALLOCATION OF AUDIT EFFORT

Internal audit is committed to bringing value to its organization. As such, the focus of internal audit functions is usually on areas that present the highest risk to the organization. Internal audit focuses on what is most important. Internal audit effort (i.e., resources) is allocated to various areas of the organization based on an assessment of risk, the ease or difficulty in performing audit work in different areas, and consideration of assurance provided by other parties.

Overall, internal audit resources are primarily allocated to operational, financial reporting, and compliance risks (Exhibit 10).

Different organization types allocate effort differently. The following section discusses the allocation of audit effort for the five different organization types. For each organization type, the top five risk areas are highlighted in light blue (Exhibits 11–15).

Exhibit 10: Percentage of Audit Plan Allocated per Risk Area 

Operational (not included elsewhere)  19% 

Financial reporting (including Sarbanes‐Oxley testing)  14% 

Compliance/regulatory (not related to financial reporting)  13% 

IT (not covered in other choices)  9% 

Financial areas other than financial reporting  9% 

Cyber (prevention and/or recovery)  6% 

Fraud identification and investigation (not covered in other audits)  6% 

Support for external audit  6% 

Enterprise risk management programs and related processes  5% 

Cost/expense reduction or containment  4% 

Governance and culture  4% 

Management of third‐party relationships  3% 

Sustainability or other nonfinancial reporting  1% 

Other  1% 

Total  100% 

AUDIT FOCUS 

IIA Standard 2010: Planning

The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

Note: Q43: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. n = 535.


ALLOCATION OF AUDIT EFFORT WITHIN PUBLICLY TRADED ORGANIZATIONS 

CAEs in publicly traded organizations generally allocate more effort to financial reporting risks (including compliance with Section 404 requirements of the U.S. Sarbanes-Oxley Act of 2002) than any other area in the organization — nearly 30 percent of all audit effort.

An analysis of effort devoted to financial reporting considered whether there was a relationship with administrative reporting line. The extent of focus on financial reporting was analyzed by industry type and then by administrative reporting line. While a focus on financial reporting is common in situations where the CAE reports administratively to the CFO, the data indicates that being a publicly traded organization is the key attribute. Within publicly traded organizations as a group, administrative reporting line had no relationship to the extent of focus on financial reporting. That is, for publicly traded organizations, whether the CAE reported to the CEO or the CFO had no association with the percent of effort devoted to financial reporting. It could be inferred that the reason so many CAEs in publicly traded organizations report to the CFO is the organization’s strong focus on financial reporting — not the reverse.

Exhibit 11: Percentage of Audit Plan Allocated per Risk Area (Publicly Traded Organizations)

Operational (not included elsewhere)  13%
Financial reporting (including Sarbanes‐Oxley testing)  29%
Compliance/regulatory (not related to financial reporting)  10%
IT (not covered in other choices)  9%
Financial areas other than financial reporting  8%
Cyber (prevention and/or recovery)  6%
Fraud identification and investigation (not covered in other audits)  6%
Support for external audit  6%
Enterprise risk management programs and related processes  4%
Cost/expense reduction or containment  4%
Governance and culture  2%
Management of third‐party relationships  2%
Sustainability or other nonfinancial reporting  0%
Other  1%

Note: Q43: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. (Publicly traded organizations only. The top five risk areas chosen are highlighted.) n = 166.


ALLOCATION OF AUDIT EFFORT WITHIN FINANCIAL SERVICES AND PRIVATELY HELD ORGANIZATIONS

CAEs in financial services and privately held organizations allocate more effort to operational risks than any other area in these organizations. Organizations of both types devote more effort to financial reporting risks and other finance area risks than public sector or nonprofit organizations (Exhibits 12–15).

Exhibit 12: Percentage of Audit Plan Allocated per Risk Area (Financial Services Organizations)

Risk Area  Percentage of Audit Plan

Operational (not included elsewhere)  22%

Financial reporting (including Sarbanes-Oxley testing)  11%

Compliance/regulatory (not related to financial reporting)  14%

IT (not covered in other choices)  11%

Financial areas other than financial reporting  7%

Cyber (prevention and/or recovery)  7%

Fraud identification and investigation (not covered in other audits)  4%

Support for external audit  6%

Enterprise risk management programs and related processes  5%

Cost/expense reduction or containment  3%

Governance and culture  4%

Management of third-party relationships  4%

Sustainability or other nonfinancial reporting  1%

Other  1%

Note: Q43: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. (Financial services organizations only. The top five risk areas chosen are highlighted.) n = 148.


Exhibit 13: Percentage of Audit Plan Allocated per Risk Area (Privately Held Organizations)

Risk Area  Percentage of Audit Plan

Operational (not included elsewhere)  19%

Financial reporting (including Sarbanes-Oxley testing)  13%

Compliance/regulatory (not related to financial reporting)  11%

IT (not covered in other choices)  9%

Financial areas other than financial reporting  12%

Cyber (prevention and/or recovery)  6%

Fraud identification and investigation (not covered in other audits)  5%

Support for external audit  7%

Enterprise risk management programs and related processes  3%

Cost/expense reduction or containment  7%

Governance and culture  3%

Management of third-party relationships  3%

Sustainability or other nonfinancial reporting  1%

Other  1%

Note: Q43: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. (Privately held organizations only. The top five risk areas chosen are highlighted.) n = 50.


ALLOCATION OF AUDIT EFFORT WITHIN PUBLIC‐SECTOR AND NONPROFIT ORGANIZATIONS 

Public-sector and nonprofit internal audit functions are similar in that operational risks are allocated the greatest resources. CAEs in public-sector and nonprofit organizations also allocate noticeably less effort to financial reporting compared to publicly held, financial services, or privately held organizations. Nonprofit respondents work primarily in healthcare and educational services organizations, and may have similar interests to CAEs working in public-sector organizations (e.g., serving the public interest). This likely is a key reason for similar allocations of audit effort.

Public-sector CAEs also pay a somewhat higher level of attention to fraud, consistent with the common focus on fraud among government auditors (Exhibits 14–15).

 

Exhibit 14: Percentage of Audit Plan Allocated per Risk Area (Public-Sector Organizations)

Risk Area  Percentage of Audit Plan

Operational (not included elsewhere)  24%

Financial reporting (including Sarbanes-Oxley testing)  2%

Compliance/regulatory (not related to financial reporting)  16%

IT (not covered in other choices)  8%

Financial areas other than financial reporting  10%

Cyber (prevention and/or recovery)  5%

Fraud identification and investigation (not covered in other audits)  9%

Support for external audit  4%

Enterprise risk management programs and related processes  5%

Cost/expense reduction or containment  5%

Governance and culture  6%

Management of third-party relationships  3%

Sustainability or other nonfinancial reporting  1%

Other  2%

Note: Q43: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. (Public-sector organizations only. The top five risk areas chosen are highlighted.) n = 103.


Exhibit 15: Percentage of Audit Plan Allocated per Risk Area (Nonprofit Organizations)

Risk Area  Percentage of Audit Plan

Operational (not included elsewhere)  17%

Financial reporting (including Sarbanes-Oxley testing)  5%

Compliance/regulatory (not related to financial reporting)  16%

IT (not covered in other choices)  9%

Financial areas other than financial reporting  13%

Cyber (prevention and/or recovery)  9%

Fraud identification and investigation (not covered in other audits)  7%

Support for external audit  3%

Enterprise risk management programs and related processes  7%

Cost/expense reduction or containment  4%

Governance and culture  4%

Management of third-party relationships  4%

Sustainability or other nonfinancial reporting  1%

Other  1%

Note: Q43: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. (Nonprofit organizations only. The top five risk areas chosen are highlighted.) n = 51.


ASSESSMENT OF RISK  

Identifying, analyzing, and assessing risk requires substantial effort and professional judgment, but this helps to ensure that CAEs focus internal audit’s effort on areas of greatest importance to the organization. Topping the list of CAEs’ assessment of higher organizational risks are, in order: cyber, compliance/regulatory, IT, third-party, and operational risks.

 

 

 

 

 

Exhibit 16: Risk Assessment per Risk Area

Risk Area  High or Very High  Medium  Low or Very Low  Not Applicable

Cyber (prevention and/or recovery)  59%  30%  10%  1%

Compliance/regulatory (not related to financial reporting)  40%  40%  18%  2%

IT (not covered in other choices)  38%  45%  14%  3%

Management of third-party relationships  34%  39%  24%  3%

Operational (not included elsewhere)  31%  52%  15%  2%

Fraud identification and investigation (not covered in other audits)  18%  46%  34%  2%

Enterprise risk management programs and related processes  18%  44%  33%  5%

Governance and culture  15%  41%  41%  3%

Financial reporting (including Sarbanes-Oxley testing)  13%  30%  44%  13%

Cost/expense reduction or containment  12%  39%  45%  4%

Financial areas other than financial reporting  12%  43%  42%  3%

Support for external audit  3%  10%  80%  7%

Sustainability or other nonfinancial reporting  2%  16%  62%  20%

AUDIT FOCUS 

IIA Standard 2010: Planning

The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals. 2010.A1: The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

Note: Q45: How would you describe the level of risk in your organization in the following areas? n = 535. 


COMPARISON OF ASSESSED RISK AND AUDIT EFFORT 

A number of factors influence the amount of audit effort allocated to specific areas of an organization. The internal auditor’s assessment of risk determines, in part, priorities of the risk-based audit plan, but it is not the only factor that can influence the allocation of audit effort. In addition, externally imposed compliance requirements, preferences of key stakeholders (e.g., board members), scope of internal audit work as defined in its charter, and even internal audit capabilities can affect how much effort is devoted to specific areas.

Three metrics help illustrate the relationship between assessed risk levels, existing percentage of audit plan allocated to addressing the risk area, and anticipated percentage of the audit plan allocated to addressing the risk area (Exhibits 17 and 10). Comparing these three different, but related, metrics can help explain how CAEs are planning to allocate audit effort in 2017.

In general, there is a strong positive relationship between areas considered high or very high risk and plans to allocate more of the audit plan to that risk area. However, this is not always the case. For example, CAEs who already devote adequate attention to a high or very high risk area may not need to allocate more of the audit plan to that risk. There is not a strong positive relationship between areas considered high or very high risk and the percentage of the audit plan that is allocated to that risk. This is evidence that a multitude of factors, in addition to risk, impact the overall allocation of audit effort.

Exhibit 17: Comparison of Assessed Risk, Audit Plan Allocation, and Plans to Increase Audit Effort Allocation per Risk Area 

Risk Areas  Percentage Who Assess Risk Area as High or Very High (Q45)  Percentage of Audit Plan Allocated per Risk Area (Q43)  Net Percentage Who Expect to Increase Audit Effort per Risk Area in 2017a (Q44)

Cyber (prevention and/or recovery)  59%  6%  44% 

Compliance/regulatory (not related to financial reporting)  40%  13%  26% 

IT (not covered in other choices)  38%  9%  27% 

Management of third‐party relationships  34%  3%  24% 

Operational (not included elsewhere)  31%  19%  20% 

Fraud identification and investigation (not covered in other audits)  18%  6%  20% 

Enterprise risk management programs and related processes  18%  5%  25% 

Governance and culture  16%  4%  22% 

Financial reporting (including Sarbanes‐Oxley testing)   13%  14%  10% 

Financial areas other than financial reporting  12%  9%  16% 

Cost/expense reduction or containment  12%  4%  19% 

Support for external audit  3%  6%  13% 

Sustainability or other nonfinancial reporting  2%  1%  4% 

Other  ‐‐‐  1%  ‐‐‐ 

Note: Q45: How would you describe the level of risk in your organization in the following areas? Very high, high, medium, low, very low. n = 538. Q43: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. n = 535. Q44: Projected change [in audit plan] from the last 12 months to the next 12 months. Increase, decrease, no change, not applicable. n = 535. a Percentage who expect to allocate more of the 2017 audit plan to addressing the risk area minus the percentage who expect to allocate less of the 2017 audit plan to addressing the risk area. 


COMPARISON OF ASSESSED RISK AND AUDIT EFFORT PER RISK AREA

Audit effort for specific risk areas is explored in more detail in Exhibits 18–26. Throughout these exhibits, it is apparent that CAEs who describe an area as higher risk in their organization planned to devote more audit effort to that area in 2017, and were more likely to be increasing that effort compared to the previous year. Analysis indicates this pattern was consistent across all organization types, for all risk areas presented in these exhibits.

CYBER 

Cyber is the area considered higher risk by more CAEs than any other area. While it is the area where most CAEs are likely to be increasing audit effort compared to other areas, cyber is expected to receive only a small allocation of audit effort in 2017.

There are a number of possible reasons for the low level of audit effort planned to be devoted to cyber. CAEs may be deciding to limit audit effort if the maturity of the organization’s response to cyber risk is low and multiple other parties are working on improvements (e.g., IT security, external consultants). It may be premature to devote high levels of audit effort if the conclusion is obvious. Alternatively, internal audit’s lack of specialty skills might preclude it from performing more extensive audit work. Whether one of these reasons, or some other reason, applies to a specific internal audit function, cyber is the area where more internal auditors are increasing effort in 2017 than any other.

COMPLIANCE/REGULATORY 

The compliance/regulatory area was assessed as higher risk by many organizations, but there were notable differences based on organization type. Approximately half of CAEs in financial services and nonprofit organizations assessed this risk as higher, while only one-third of those in the other organization types did the same. Similarly, the decision

AUDIT FOCUS 

IIA Standard 1210: Proficiency

Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

Exhibit 18: Cyber Risk Assessment Compared to Audit Effort

59% assess risk as high or very high (Q45)

Measure  Assessed risk as high or very high  Assessed risk as medium, low, or very low

Percentage of audit plan allocated to risk area (Q43)  7%  5%

Net percentage who expect to increase audit effort in 2017 (Q44)  41%  29%

Exhibit 19: Compliance/Regulatory Risk Assessment Compared to Audit Effort

40% assess risk as high or very high (Q45)

Measure  Assessed risk as high or very high  Assessed risk as medium, low, or very low

Percentage of audit plan allocated to risk area (Q43)  17%  11%

Net percentage who expect to increase audit effort in 2017 (Q44)  20%  14%


whether to increase audit effort in 2017 was closely related to the risk assessment — approximately 30 percent of CAEs in financial services and nonprofit organizations plan to increase audit effort, compared to only 10 percent to 20 percent of CAEs in public sector, privately held, or publicly traded organizations.

As health care related organizations make up a substantial portion of the nonprofit sector, it is not unexpected that nonprofit CAEs would need to devote resources to compliance risks. Both financial services and health care organizations are faced with a wide variety of compliance requirements. Even if compliance/regulatory is not considered a higher risk, external requirements may leave these organizations with little choice but to have internal audit devote substantial effort to compliance.

INFORMATION TECHNOLOGY  

Information technology was considered a higher risk by the third highest percentage of CAEs, and a strong percentage of CAEs plan to increase audit effort in this area. However, CAEs break a common pattern seen in other areas. When analyzed by industry group, there is little relationship between assessment of higher risk and plans to increase audit effort or the amount of effort currently allocated to the area. Those increasing audit effort are likely responding to organization-specific factors, not a general low level of attention in past years or a low assessment of risk. As noted earlier, risk is not the only factor that drives decisions regarding allocation of audit effort.

MANAGEMENT OF THIRD PARTIES 

CAEs allocate one of their lowest levels of audit effort to third-party risks, but a higher-than-average percentage of CAEs considered it an area of higher risk. Use of third parties by organizations has risen notably over the years, but the extent of this use can vary substantially between organizations. The large difference in how many organizations are expecting to increase audit effort in 2017 (ranging from 42 percent of CAEs who consider this a higher risk area to 9 percent of CAEs who do not consider this a higher risk area) illustrates the nature of risk assessment and resource allocation — the response of CAEs to risk varies substantially due to many factors.

The data also indicates certain generalizations based on organization type. Nonprofit organizations have both the greatest percentage of CAEs describing this area as higher risk and the greatest percentage of CAEs planning to increase audit effort. CAEs in public-sector and publicly traded organizations are least concerned with third-party risks.

Exhibit 20: Information Technology Risk (Risk Assessment Compared to Audit Effort)

38% assess risk as high or very high (Q45)

Measure  Assessed risk as high or very high  Assessed risk as medium, low, or very low

Percentage of audit plan allocated to risk area (Q43)  12%  8%

Net percentage who expect to increase audit effort in 2017 (Q44)  32%  16%

Exhibit 21: Management of Third-party Relationships Risk (Risk Assessment Compared to Audit Effort)

34% assess risk as high or very high (Q45)

Measure  Assessed risk as high or very high  Assessed risk as medium, low, or very low

Percentage of audit plan allocated to risk area (Q43)  5%  3%

Net percentage who expect to increase audit effort in 2017 (Q44)  42%  9%


OPERATIONAL 

CAEs allocate the greatest level of planned audit effort to operational audits in 2017. Since CAEs rank operational audits fifth in the list of areas considered higher risk, there are clearly factors involved other than risk assessment that drive a higher level of audit effort.

Public-sector CAEs plan to devote the most effort to this area in 2017, followed closely by financial services CAEs. CAEs in publicly traded organizations plan to devote the least amount of effort to this area. CAEs in publicly traded organizations are also the least likely to rate operational risks as a higher risk, but findings did not show any other apparent relationship between assessment of risk as higher and the allocation of audit effort for other organization types. For example, CAEs in privately held and publicly traded organizations are the most likely to increase audit effort in the operational risk area. However, CAEs in privately held organizations are the most likely to consider this a higher risk area, while, in contrast, CAEs in publicly traded organizations are the least likely to consider this a higher risk area.

Operational audits are commonly considered part of the “bread and butter” of internal audit. Internal audit has been devoting significant resources to operational audits for decades and some of what is seen in this data may be a reflection of prior patterns being continued, even though other newer areas have higher risks. In addition, most internal audit functions have strong competencies in operations and can effectively perform operational audits without needing new skills or tools.

FRAUD IDENTIFICATION/INVESTIGATION 

Fraud can take a number of different forms in an organization, ranging from theft to false reporting to bribery and more. Those who consider fraud a higher risk area in their organizations are planning to increase attention to it in 2017. The public sector has the highest percentage of CAEs who consider fraud a higher risk area and these CAEs correspondingly give this area more attention than CAEs in any other type of organization.

Exhibit 22: Operational Risk (Risk Assessment Compared to Audit Effort)

31% assess risk as high or very high (Q45)

Measure  Assessed risk as high or very high  Assessed risk as medium, low, or very low

Percentage of audit plan allocated to risk area (Q43)  22%  17%

Net percentage who expect to increase audit effort in 2017 (Q44)  19%  4%

Exhibit 23: Fraud Risk (Risk Assessment Compared to Audit Effort)

18% assess risk as high or very high (Q45)

Measure  Assessed risk as high or very high  Assessed risk as medium, low, or very low

Percentage of audit plan allocated to risk area (Q43)  10%  5%

Net percentage who expect to increase audit effort in 2017 (Q44)  32%  13%


ENTERPRISE RISK MANAGEMENT (ERM) 

The increase in attention given to ERM over recent years is expected to continue, with an updated COSO ERM Framework (Enterprise Risk Management — Aligning Risk with Strategy and Performance) and ISO 31000: Risk Management — Principles and Guidelines both expected in 2017. Whether due to these anticipated updates or other reasons, enterprise risk management is among the top 5 risk areas for which CAEs plan to increase audit effort in 2017, even though it is not assessed as an area of particularly high risk.

GOVERNANCE AND CULTURE 

Governance and culture has been getting increasing attention with a number of issues that surfaced in the last year (e.g., VW, Toshiba, Wells Fargo). However, little audit effort has been devoted to this area and it is considered a higher risk by only a modest percentage of CAEs. Interestingly, CAEs in publicly traded organizations, where governance and culture risk exposure may be greatest, are least likely to consider governance and culture a higher risk or plan to increase audit effort in 2017.

While 1 in 8 CAEs indicate increasing attention to governance and culture in 2017, more may move in this direction as they become more cognizant of the risks and more adept in learning how to audit them.

   

Exhibit 24: Enterprise Risk Management Risk (Risk Assessment Compared to Audit Effort)

18% assess risk as high or very high (Q45)

Measure  Assessed risk as high or very high  Assessed risk as medium, low, or very low

Percentage of audit plan allocated to risk area (Q43)  7%  5%

Net percentage who expect to increase audit effort in 2017 (Q44)  45%  18%

Exhibit 25: Governance and Culture Risk (Risk Assessment Compared to Audit Effort)

16% assess risk as high or very high (Q45)

Measure  Assessed risk as high or very high  Assessed risk as medium, low, or very low

Percentage of audit plan allocated to risk area (Q43)  5%  3%

Net percentage who expect to increase audit effort in 2017 (Q44)  34%  16%


FINANCIAL REPORTING (INCLUDING SARBANES-OXLEY TESTING)

Financial reporting has been a traditional internal audit focus area and became a primary focal point for publicly traded companies with the passage of Sarbanes-Oxley, especially considering the requirements of Section 404, Management Assessment of Internal Controls. Since 2002, however, audit effort devoted to financial reporting has declined and Pulse results suggest that will continue. Financial reporting is the only area surveyed where, on average, more CAEs plan to decrease audit effort than increase.

CAEs in publicly traded organizations devote more attention to financial reporting than CAEs in all other types of organizations (averaging approximately 29 percent of total audit effort in 2017). However, CAEs in publicly traded organizations also are most likely to decrease audit effort in the area in 2017. Thirty-three percent of these CAEs plan to reduce effort compared to only 23 percent who plan to increase it (creating a 10 percent difference).

Exhibit 26: Financial Reporting Risk (Including Sarbanes-Oxley Testing) (Risk Assessment Compared to Audit Effort)

13% assess risk as high or very high (Q45)

Measure  Assessed risk as high or very high  Assessed risk as medium, low, or very low

Percentage of audit plan allocated to risk area (Q43)  29%  14%

Net percentage who expect to increase audit effort in 2017 (Q44)  13%  -6%


ALLOCATION OF AUDIT EFFORT TO STRATEGIC GOALS 

Stakeholders have expressed a desire for internal audit to devote more attention to strategic risks, as discussed in Voice of the Customer: Stakeholders’ Messages for Internal Audit (published by the Internal Audit Foundation). CAEs allocate equal amounts of effort on the organizations’ strategic goals and routine operations (Exhibit 27). While there are minor differences based on organizational type, no substantive differences are noted based on the size of the internal audit function. However, findings do suggest rotational CAEs spend more time on strategic-aligned activities and less time on compliance activities (Exhibit 28). A rotational CAE’s heightened focus on strategic activities could be due to several factors, such as a rotational CAE having a higher level of business acumen or greater alignment with management.

Exhibit 27: Allocation of Audit Effort to Strategic Goals

Organization Type  Strategic goals  Routine operations  Regulatory compliance  Lower importance  Other

Publicly traded  36%  36%  19%  8%  1%

Financial services  30%  37%  21%  9%  3%

Public sector  38%  38%  11%  10%  3%

Privately held  35%  35%  15%  13%  2%

Nonprofit  45%  33%  12%  9%  1%

All respondents  36%  36%  17%  9%  2%

Note: Q47: What percentage of your total audit effort addresses your organization's activities grouped into the following categories? n = 518.

Exhibit 28: Audit Effort Among Rotational CAEs Compared to Non-Rotational CAEs

CAE Type  Strategic goals  Routine operations  Regulatory compliance  Lower importance  Other

Rotational CAE  45%  35%  10%  9%  2%

Non-rotational CAE  35%  36%  18%  9%  2%

Note: Q47: What percentage of your total audit effort addresses your organization's activities grouped into the following categories? n = 42 for rotational CAEs. n = 482 for non-rotational CAEs.


Section 4: Internal Audit Skills and Training

Internal audit needs qualified staff to accomplish its mission and objectives. These personnel must possess a wide variety of skills, which may vary in importance by organization. Survey respondents were asked to rate the importance of various skills that enable the audit function to perform its responsibilities. Exhibit 29 shows the percentage of CAEs that rated a skill as extremely or very important compared with the percentage who stated internal audit staff need more training in the area.

CAEs indicate the most essential internal auditing skills are analytical/critical thinking, communication skills, persuasion and collaboration, and understanding professional ethics. This is consistent with the previous year’s ratings, and no discernible differences were noted in responses based on audit function size or organization type.

Survey results show little association between the importance of a skill and the need for training. Training needs can be very dissimilar across internal audit functions based on existing skill levels. Similarly, there are no apparent differences in training needs based on organization type. However, respondents from different organization types rated the importance of skills differently.

Exhibit 29: Skill Importance Compared to Need for Training 

Skill  Agree That Skill Is Extremely or Very Essential  Need More Training

Analytical/critical thinking  96%  49% 

Communication skills  95%  45% 

Understanding of professional ethics  79%  4% 

Persuasion and collaboration  79%  33% 

Understanding the audit process  76%  9% 

Business acumen  76%  34% 

Understanding of governance, risk, and control  62%  23% 

Understanding of the International Professional Practices Framework (IPPF)  51%  14% 

Industry‐specific knowledge  46%  36% 

Process improvement and innovation  48%  33% 

Risk management assurance  46%  18% 

Accounting and finance  45%  11% 

Basic IT knowledge  43%  24% 

Data mining and analytics  35%  67% 

Cybersecurity and privacy  33%  52% 

Fraud auditing  20%  23% 

Note: Q49: For each of the skills listed, please indicate to what degree it is essential to your audit function's ability to perform its responsibilities. Q50: In which of the following areas do you feel your staff members need more training? (Select all that apply.) n = 537. 

   


SKILL IMPORTANCE VARIANCES AND METHODS OF TRAINING 

There are key differences in the assessment of skill importance between organization types, including:

Business acumen was considered more important by CAEs in publicly traded organizations and less important by public-sector CAEs.

Industry-specific knowledge was considered more important by financial services CAEs and less important by CAEs in publicly traded organizations.

Understanding of governance, risk, and control was considered more important by financial services CAEs than by CAEs in any other type of organization.

Accounting and finance was considered more important by CAEs in publicly traded organizations and less important by public-sector CAEs. This is consistent with the high level of effort put into financial reporting by publicly traded organizations and the low level of effort by public-sector organizations.

Knowledge of fraud was considered more important by public-sector CAEs than CAEs in any other type of organization.

Exhibit 30 shows the methods of training used for the three basic levels of internal audit staff. Methods of training did not vary substantially by organization type. Similarly, the size of the internal audit function had little impact on training methods, except that the largest organizations are more likely to rely on in-house training programs.

AUDIT FOCUS

IIA Standard 1230: Continuing Professional Development

Internal auditors must enhance their knowledge, skills, and other competencies through continuous professional development.

Exhibit 30: Methods of External Training by Staff Level

Training Method  Staff  Manager  Director

Webinars  93%  93%  90%

Conferences  64%  84%  91%

Seminars  69%  71%  71%

In-house training  65%  61%  52%

On-demand courses  53%  51%  47%

Other  7%  6%  5%

Note: Q42: What methods of external training do you plan to use for each level of internal audit staff? (Select all that apply.) n = 432.


Section 5: Action Items for CAEs

This report provides a wealth of information that CAEs can use to compare their functions with those of their peers. The data indicates the primary differences are either due to the type of organization or factors specific to an organization. Except for a select few instances, the size of the internal audit function did not have an apparent impact on most of the responses included in this survey.

In analyzing this information, an approach CAEs should consider is:

Understand the similarities and differences between their functions and the findings included in this report.

Consider whether these differences are explained by unique organizational factors or different evaluations and decisions made by other CAEs.

Where peers have made different decisions, consider whether changes might improve internal audit’s effectiveness. Don’t assume past practice is most appropriate when evidence exists that peer organizations are notably different.

Explore potential changes, perform additional benchmarking and inquiry, and critically evaluate what is in the best interest of the organization.

Decide on specific action steps to implement needed changes.

Of special note should be the discussion regarding assessment of risk and decisions to allocate audit effort. Internal auditors are partially, but not wholly, driven by risk in making decisions allocating audit effort. While survey responses indicate the presence of factors other than risk impacting decisions to allocate audit effort, each CAE should be very careful that old habits, limitations of current skills, inattention, or other factors don’t preclude allocating sufficient audit effort to any higher risk area.

The information and data presented in this report is necessarily at a high level. Much more in-depth analysis of these topics, as well as many other additional topics, is possible through The IIA by using the benchmarking capabilities of The IIA Audit Intelligence Suite.


Appendix: Methodology

Internal audit management metrics are provided for five organization types: publicly traded, privately held, public sector, nonprofit, and financial services. The financial services organization type was created by extracting financial services respondents from the other four organization types. The top industries represented within each organization type are shown below.

PUBLICLY TRADED 

Manufacturing (33%)

Utilities (10%)

Mining, quarrying, and oil and gas extraction (10%)

Retail trade (9%)

Other services (7%)

PUBLIC SECTOR 

Public administration (48%)

Educational services (30%)

Health care and social assistance (7%)

FINANCIAL SERVICES 

Finance and insurance (includes financial institutions, insurance asset management, and broker dealer) (100%)

PRIVATELY HELD 

Manufacturing (28%)

Retail trade (14%)

Other services (8%)

Health care and social assistance (8%)

Arts, entertainment, and recreation (8%)

NONPROFIT 

Health care and social assistance (51%)

Educational services (25%)

Other services (12%)


With more than 700 members, the Audit Executive Center is a comprehensive program for chief audit executives (CAEs) from organizations of any size, and in any industry. Three levels of membership are offered and benefits can include:

Center members receive exclusive Pulse of Internal Audit reports throughout the year, including Internal Audit Management Metrics, and the Pulse Solutions Series.

Learn more about how the Center can support your needs. Please visit www.theiia.org/aec.

The CAE's Strategic Advantage

A robust, content-focused website containing timely, relevant thought leadership, blogs, white papers, CAE bulletins, and stakeholder resources.

The Small Audit Function and Audit Committee Resource Exchanges — tailored to the needs of these stakeholders and groups.

Exclusive networking and knowledge sharing opportunities with fellow CAEs via forums, roundtables, and the Peer Request Program.

The Audit Intelligence Suite providing organization-specific benchmarking reports, to gauge your audit function performance, skills assessments to evaluate team members' proficiency, and stakeholder surveys.
