Today A MESSAGE FROM THE INSTITUTE OF INTERNAL AUDITORS
Understanding Internal Auditing Around the World
6 10 12 Vo l u m e 2
/
Issue 2
/
March 2011
IIA Releases Results From Its Most Comprehensive Global Study Ever April - May Training Opportunities from The IIA Why Audit Your Organization’s Social Media Efforts?
Your Trusted Partner for Audit Analytics
Take your audit to the next level.
analytics
acl.com/steps
The new ACL Audit Analytic Capability Model provides clear guidance for organizations looking to improve their use of analytics. It’s how to talk to the business about the value of audit. Theodore K. Walter CPA Manager, Financial Audits, Scripps Health
Welcome message
Today PUBLICATION DIRECTOR
Carrie Summerlin EDITOR
Melissa Calhoun STAFF EDITORS
Lisa Krist Paula Michaels CONTRIBUTING EDITORS
Margo Baeta Christina Brune ART DIRECTOR
Jon Peters PRODUCTION MANAGER
Lori Shewack IIA PRESIDENT AND CEO
Dear IIA Member: As vice president of The IIA Research Foundation (IIARF), the independent research arm of The Institute of Internal Auditors, I’m pleased to share with you the initial findings of our 2010 Global Internal Audit Survey, a component of The IIARF’s ongoing Common Body of Knowledge (CBOK) study. It’s the most comprehensive global survey ever conducted on the practice of internal auditing, and it includes responses from audit practitioners in more than 107 countries. This issue’s feature story, Understanding Internal Auditing Around the World, on page 6, explores the fascinating practices uncovered by the research and highlights critical areas for improvement worldwide. The researchers worked tirelessly to analyze the results of this survey, and we think you’ll be interested to learn about some of the common issues facing auditors around the globe. For instance, did you know that nearly half of internal audit organizations lack a mission statement and strategy for internal auditing? How does your audit function compare?
Richard F. Chambers, CIA, CCSA, CGAP IIA CHAIRMAN OF THE BOARD
Günther Meggeneder, CIA
IIA Today is a bimonthly publication produced exclusively for members of The IIA. To learn more about this publication, please visit www.theiia.org/IIAToday . We welcome all comments, questions, and feedback. Please send your message to IIAToday@theiia.org and include your name and contact information.
The Institute of Internal Auditors
The study also explores trends such as the growing reliance on internal audit service providers, increased use of computer-assisted audit techniques, and heightened focus on risk management activities. Is your audit activity prepared to address these emerging issues? With the CBOK database’s vast information about internal audit practices worldwide, the possibilities for further research analysis are endless. Perhaps you have your own area of interest or questions that can be answered by digging deeper into the data collected by the Global Internal Audit Survey. The IIARF encourages budding researchers to participate in the research process by submitting a proposal. For more information on how to become an author or researcher for The IIARF, visit www.theiia.org/research . Bonnie Ulmer Vice President IIA Research Foundation
247 Maitland Ave. Altamonte Springs, FL 32701-4201 USA +1-407-937-1100 www.theiia.org All contents copyright © The Institute of Internal Auditors (IIA) 2010.
w w w. t h e i i a . o r g
/
March 2011
/
3
News
The Sky’s the Limit for IIA On-site Training
How Do Stakeholders Perceive Internal Auditing? Nearly one-third of internal audit stakeholders in the United States believe the internal audit group is insufficiently funded to fulfill its responsibilities, according to a recent survey conducted by The IIA Research Foundation (IIARF). “The lack of support may become evident when audit plans are insufficient to cover the needs of the organization; when talent becomes difficult to attract; and when internal auditing is forced to limit itself to a traditional role of controls verification at the expense of providing counsel on efficiency, governance, risk, and strategy,” says Dan Bolger, author of the study’s research report, A Call to Action: Stakeholders’ Perspective on Internal Auditing. The Stakeholders’ Expectations and Perceptions Study, a component of The IIARF’s Common Body of Knowledge, sought feedback from nearly 200 audit committee members, board chairs, CEOs, and chief financial officers. Its resulting research report offers themes and trends within the profession as well as helpful insights and actionable intelligence to chief audit executives (CAEs) and other internal audit professionals. According to the report, recommendations for optimizing internal auditing include: ■■ Ensuring that the CAE is well connected to the executive branch to keep abreast of the activities of the organization. ■■ Building relationships based on trust so that the internal audit team is seen as a collaborator rather than a watchdog. ■■ Engaging management throughout the audit process to enhance understanding of operations, strategy, and strategic initiatives. The report also offers insight for improving talent development, communications with internal audit stakeholders, and strategic risk and corporate governance. IIA members can download A Call to Action: Stakeholders’ Perspective on Internal Auditing free from The IIARF Bookstore, www.theiia.org/NewProducts . 4
/
I I A To d a y
/
w w w. t h e i i a . o r g
The IIA’s On-site Training has a solid reputation for delivering professionally developed, practitioner-led, and affordable internal audit training. In 2011, On-site Training has upped the ante with the addition of 100% course customization and a combination of live and virtual seminar delivery. According to IIA On-site Training Director Alan Dean, “I’ve added a ‘master builder’ to my team who is dedicated to designing and customizing training that meets client needs.” That means you can choose from 60+ existing courses or have one built from the ground up to your specifications at no additional cost. “We are also one of the first on-site training providers to combine live and virtual delivery,” explains Dean, “which enables us to engage your entire team regardless of their physical location.” Learn more about On-site Training’s new “the sky’s the limit” features by visiting www.theiia.org/Onsite or calling +1-407-937-1388.
News
Enhanced to Provide Greater Value Vision University, a division of The IIA’s executive training program created specifically for chief audit executive (CAE) development, has adjusted its offerings to provide a more value-added experience for new CAEs. The fourday course offers a limited class size to provide maximum interaction and networking opportunities. For years, Vision University has offered two programs — Vision University: The New Chief Audit Executive (known as VU 1) and Vision University: The Experienced Chief Audit Executive (known as VU 2). “The programs have been second to none,” says Agnes Amos, director of Conferences & Executive Training for The IIA. “But, today’s experienced CAEs are looking for a more personalized networking forum, rather than a classroom experience.” For that reason, Vision University has begun a focused effort to retool the courses. The revised class for new CAEs and senior-level executives preparing to become CAEs incorporates elements from the VU 2 program such as the leadership component and strategic framework. The updated program also covers such topics as professional practices, client relationships, risk and control models, control self-assessment, human resources, and others. “For now, the VU 2 class for experienced auditors is being discontinued, although we’re looking into ways to take material from that program and roll it into The IIA’s new Audit Executive Center,” notes Amos. The Audit Executive Center, launched in October 2010, provides an array of services developed specifically to meet the needs of today’s CAEs. To learn more about the Audit Executive Center, visit www.theiia.org/CAE . In 2011, the updated VU 1 program for new CAEs will be available in Chicago from May 23 to May 26, and in San Diego from November 7 to November 10. For more information about Vision University or to enroll in the program, visit www.theiia.org/VisionU .
Free Webinar on Health Care Fraud The cost of health care is staggering. It’s estimated that annual expenditures for health care in the United States exceed US $2 trillion — that’s more than the annual revenues of any Fortune 500 company. Fraud in the health care industry is estimated to be as high as 10 percent, or US $200 billion. Learn more about the scope and elements of health care fraud by attending The IIA’s free Members-Only Webinar, “Taming the Beast: Reining in Health Care Fraud,” on April 26 from 1:00 to 2:00 p.m. EST. If your company provides health care benefits, combating health care fraud is critical to controlling the cost of that valuable employee benefit. Webinar presenter Dennis McGuffie, vice president of Audit Services for Tenet Healthcare, will explain how health care fraud can impact your business and employees, regardless of your industry. Discover practical strategies for mitigating the risk of health care fraud within your own organization. Don’t miss out on this valuable member benefit, which allows you to earn continuing professional education credits without leaving your desk or writing a check. To register for the webinar, visit www.theiia.org/mow . Members can also access an archived recording of February’s Members-Only Webinar on identity theft, which had more than 5,400 registrants, by visiting www.theiia.org/membership and clicking on the Members-Only Webinar Series button.
w w w. t h e i i a . o r g
/
March 2011
/
5
Feature story
6
/
I I A To d a y
/
w w w. t h e i i a . o r g
Feature story
Understanding Internal Auditing Around the World IIA Releases Results From its Most Comprehensive Global Study Ever To meet the ever-demanding needs of their stakeholders, today’s internal auditors must move beyond traditional internal control and assurance activities and sharpen their focus on risk management, governance processes, and enhanced use of audit technology and automated tools. These are just a few of the findings uncovered by The IIA Research Foundation’s (IIARF’s) groundbreaking 2010 Global Internal Audit Survey. The study, a component of The IIARF’s ongoing Common Body of Knowledge (CBOK) project, represents a two-year effort to collect and analyze responses from 13,582 practitioners in 22 languages and more than 107 countries. It’s the most comprehensive global study ever conducted on the practice of internal auditing, and its completion — marked by the release of five survey analysis reports — signifies the early stages of an unprecedented effort to understand and improve the practice of internal auditing globally.
“The purpose of the CBOK project, which began in 2006, is to create a living, comprehensive global database,” says IIARF Vice President Bonnie Ulmer, who points out that due to forward-looking questions on the 2010 survey, the CBOK database already includes information stretching from 2006 to 2015. “It’s an ongoing effort that allows the internal audit profession to stay relevant, vibrant, and visionary. We want researchers to take this information, ask more questions, dive deeper into specific areas, compare results, and do trending,” she says.
w w w. t h e i i a . o r g
/
March 2011
/
7
Feature story
In the meantime, the Global Internal Audit Survey’s initial five-report analysis provides a snapshot of the profession worldwide and offers a wealth of tangible information to help chief audit executives (CAEs) and their teams make decisions and plan future initiatives regarding internal audit staffing, compliance with The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards), and the role of the internal audit activity. The first four reports examine: ■■ Characteristics of an internal audit activity, including demographics, staffing levels, and reporting relationships. ■■ The most important competencies for today’s internal auditors as well as compliance with The IIA’s Standards. ■■ Measurement of the value of internal auditing to the organization. ■■ Perceived changes in the roles of the internal audit activity over the next five years.
The fifth report, Imperatives for Change: The IIA’s Global Internal Audit Survey in Action, builds on the findings of the first four reports. It contains overall conclusions and observations from the Global Internal Audit Survey as well as a related 2010 CBOK study, Stakeholders’ Perspective on Internal Auditing, which sought feedback from nearly 200 internal audit stakeholders in the United States. The Imperatives for Change report comprises 10 imperatives and detailed action items to help CAEs plan a strategy for emphasizing risk management and governance, addressing key stakeholder priorities, optimizing internal audit resources, and leveraging technology effectively.
Emphasizing Risk Management and Governance “Internal auditors need to sharpen their focus on risk management and governance processes, which are projected to become the cornerstones of the internal audit profession,” researchers say. According to the survey, 80 percent of respondents foresee an increase in their risk man-
agement activities, and 23 percent project more corporate governance reviews in the next five years. A number of factors are contributing to the heightened focus, including: (1) the increasing frequency and complexity of major risk events, (2) the fact that internal audit activities have stepped up their coverage of many risks in response to serious control breakdowns in the financial services sector, (3) the rethinking of risk oversight by audit committees and boards, and (4) The IIA’s Standards requirement that internal auditors evaluate governance and risk management capabilities. Survey results also highlight the need for CAEs to conduct a more responsive and flexible risk-based audit plan. “The idea that an internal audit activity can update its audit plan only once a year and still remain timely, responsive, and effective needs to be challenged strongly,” researchers say, pointing to the survey results, which revealed that more than 60 percent of respondents update their audit plans only once a year; approximately one-third update their plans more frequently.
Addressing Key Stakeholder Priorities
Access the Five Reports IIA members can download the research reports for free from The IIARF Bookstore, www.theiia.org/ NewProducts , or purchase printed copies of the six reports as a bundle for US $50 (US $75 for nonmembers). Individual printed reports are available for US $25 to members and US $45 each for nonmembers.
8
/
I I A To d a y
/
w w w. t h e i i a . o r g
Only 57 percent of survey respondents have developed a mission statement for internal auditing, and just 51 percent have an internal audit strategy in place. This isn’t sufficient, say researchers, who encourage CAEs to strengthen their relationships and communications with the audit committee, determine the specific expectations of committee members and other chief stakeholders, and develop strategies and tactics to address these expectations.
Feature story
Conducting stakeholder surveys is one of the best ways to assess the value of internal auditing, say researchers; however, less than 11 percent of study participants use surveys or feedback from the board, audit committee, or senior management to assess internal auditing’s value. Instead, according to the survey, the most common method used to measure the value of internal auditing is by looking at the percentage of the audit plan that was completed. Another key area where internal auditing needs to step up its efforts to respond to stakeholder priorities is compliance with The IIA’s Standards. Although 90 percent of internal audit stakeholders expressed strong support for compliance with the Standards, less than half of internal audit organizations are in full compliance with the Standards. The reasons for this disconnect should be explored via further discussions among the CAE, senior management, and the board, researchers say.
Optimizing Internal Audit Resources Approximately half of organizations responding to the global study expect to recruit more staff during the next five years, and the two skills in greatest demand are: (1) understanding the business, and (2) knowledge of risk analysis and control assessment techniques. Researchers also note the growing need for specialized training in data collection and analysis, operational research, and new audit tools and technologies due to the changing nature of internal audit procedures and their increasing automation. The report advises
CAEs to conduct an inventory of the skills needed to execute the organization’s strategy or vision, assess the skills and competencies of current staff members, and develop a plan to acquire required technical skills. The growing trend of relying on internal audit service providers as an alternate source of support to address specific internal audit needs is evidenced by the more than 44 percent of respondents who reported being involved in a third-party outsourcing or co-sourcing arrangement to augment their skills and capabilities. “With such a large group of qualified internal audit professionals now practicing their profession as serviceprovider employees, CAEs have a large, knowledgeable source of talent to consider when assessing their resource needs,” researchers say.
Leveraging Technology Effectively Rather than conducting separate “operational” and “IT” audits, auditors today are more likely to look for ways to conduct integrated and automated testing across entire populations, researchers say. In fact, nearly half of survey respondents report using computer-assisted audit techniques (CAATs), and approximately onethird use continuous auditing. Still, 21 percent of survey participants aren’t using any technology-based tools for their internal audit work. During the next five years, survey respondents predict an increase in the use of CAATs, electronic workpapers, continuous/real-time auditing, data mining, and risk-based audit planning. To leverage the advan-
tages of technology-enabled auditing and keep pace with technological advancements, researchers advise CAEs to take a number of actions, including: ■■ Establishing close ties with the in-house IT function to ensure the pursuit of complementary strategies and take advantage of available technological resources. ■■ Developing a long-term technology strategy that addresses budget requirements to achieve technology-related goals. ■■ Creating a comprehensive training program to support both current and long-term technology use.
Support The Next Global Study The William G. Bishop III, CIA, Memorial Fund is the sole financial contributor to the CBOK project and was established to honor Bill Bishop, who served as president of The IIA from September 1992 until his untimely death in March 2004. Bishop’s dedication to and pride in the internal audit profession were unwavering. Visit www.theiia.org/Research to learn how to support this project.
w w w. t h e i i a . o r g
/
March 2011
/
9
Calendar
2011 IIA Members: Register early for IIA training and save.
April 2011 April 4 – 6 / Gaming Conference Planet Hollywood, Las Vegas, NV
Gain new perspectives from recognized practitioners while networking with colleagues and earning 18 CPE. Post-conference workshops earn you an additional 3 CPE.
4, 6, 8, 11, 13, 15, 18, 20, 22, 25, 27, 29 / Virtual Seminar CIA Review Part III / 6:00 – 8:15 p.m.
Prepare to pass with a comprehensive study of the entire Part 3 syllabus.
4, 6, 8, 11, 13, 15 / Virtual Seminar
Enterprise Risk Management (ERM): An Introduction / 3:00 – 5:15 p.m. ET Improve your understanding of ERM and the COSO ERM framework.
4, 6, 8, 11, 13, 15 / Virtual Seminar
Risk-based Auditing: A Value Add Proposition / 6:00 – 8:15 p.m. ET Learn how to align your organization’s strategies, visions, and values with the internal audit process.
4 – 7 / IIA/Deloitte Seminar Auditing JD Edwards / Costa Mesa, CA
Through hands-on computer experience, participants will learn about One World audit risks, navigation, and organizational structure.
25, 27, 29, May 2, 4, 6 / Virtual Seminar Operational Auditing: An Introduction / 3:00 – 5:15 p.m. ET
Get started reviewing those areas of your organization where business actually gets done — operations.
10
/
I I A To d a y
/
w w w. t h e i i a . o r g
All offerings are subject to change without notice.
Calendar
2 – 5 / IIA/Deloitte Seminar Auditing Oracle Applications / Costa Mesa, CA
Learn ways to provide an effective and efficient audit in an Oracle applications environment and how to audit Oracle applications security.
3 – 6 / Seminars Chicago, IL
The IIA is bringing 13 of its most popular courses to the windy city.
9, 11, 13, 16, 18, 20 / Virtual Seminar Operational Auditing: Advanced / 6:00 – 8:15 p.m. ET
The operational auditing tools in the course are real-world techniques that can improve the controls in your organization
10 – 13 / Seminars San Francisco, CA
2011
May 2011
Join your colleagues in the “city by the bay” for one of 15 tried-and-true courses.
16 – 19 / IIA/Deloitte Seminar
Ask about group discounts on IIA training.
Introduction to Auditing SAP ERP / Chicago, IL
This course provides an essential knowledge base as well as hands-on training in an SAP ERP system.
17, 19, 24, 26 / Virtual Seminar Audit Report Writing / 2:00 – 5:20 p.m. ET
UPDATED IN 2011! This is a hands-on, dynamic seminar. It includes lectures, discussions, exercises, and writing practice.
23 – 26 / Seminars Orlando, FL
Select from 9 two- or four-day career-enhancing courses in Orlando.
For details, additional offerings, and to register, visit www.theiia.org/Training
All offerings are subject to change without notice.
w w w. t h e i i a . o r g
/
March 2011
/
11
Bookstore
Why Audit Your Organization's Social Media Efforts? 12
/
I I A To d a y
/
w w w. t h e i i a . o r g
Bookstore
Someone, somewhere, is currently saying things about your organization. That part of the human experience has not changed for thousands of years. As long as communication has existed, people have used it to express their opinions. However, there is an aspect of communication that has changed significantly in the last few years. While in the past such conversations may have been limited to gossiping over the neighbor’s fence or sharing a story over a cup of coffee, social media has taken that conversation and allowed it to be heard by millions of people worldwide at the speed of light. Despite the magnitude of this change, most organizations do not understand the risks involved with this broadened conversation, nor have they taken steps to mitigate those risks. Many organizations ignore social media, shrugging it off as a passing fad. On the other hand, some organizations have jumped in wholeheartedly, without realizing their leap of faith is propelling them into a maelstrom of words, images, and audio that may already be out of their control. Well-informed auditors can help their organization by understanding these risks and evaluating how well the organization is analyzing and responding to them. Auditing Social Media: A Governance and Risk Guide arms auditors with the information they need to understand, evaluate, and audit the organization’s approach to social media. The book discusses what social media is, how it is being used as a tool within corporations, and how it should be monitored. In addition, it addresses the various risks involved with the use of social media (e.g., reputation/brand risk; compliance risks; proprietary information risks; employee privacy risks; and vendor risks). It also covers compliance with U.S. Federal Trade Commission guidelines such as education and disclosure requirements as well as audit and record-keeping requirements. Visit The IIA’s Bookstore at www.theiia.org/NewProducts to purchase this useful guide.
International Professional Practices Framework (IPPF) 2011 The IIA's authoritative guidance on the internal audit profession was recently updated and went into effect January 1, 2011. The IPPF presents current, relevant, internationally consistent information for internal audit professionals worldwide, and it includes both mandatory and strongly recommended guidance. The new IPPF 2011 features improved clarity, increased transparency, measurable accountability, a defined cycle of review for all guidance, and availability in hard copy and as a fully interactive CD-ROM. www.theiia.org/Bookstore .
w w w. t h e i i a . o r g
/
March 2011
/
13
Special feature
Genesis of a Great Profession As The IIA celebrates its 70th anniversary, it’s fitting to reflect back — beyond just the formative years of The Institute, but to the birth of the profession itself. Where did internal auditing originate? What did the job entail in those early years? How has the profession evolved? The term auditor appeared in the early Greek and Roman writings of Aristophanes, Caesar, and Cicero. Similarly, ancient documents from approximately 2,500 years ago reveal that internal audits were performed to manage the estates of Greek ruler Ptolemy Philadelphus II. These early audits examined the accuracy of accounting records and evaluated the propriety of activities reflected in the accounts. In the United States, the need for internal auditing was initially recognized in government. The first Congress in 1789 approved the appointment of a secretary of the treasury, comptroller, and auditor. At 14
/
I I A To d a y
/
w w w. t h e i i a . o r g
the time, the auditor's job was essentially a clerical function and involved receiving and examining all public accounts and certifying the balances. Still, it wasn’t until the latter part of the 19th century that the first legitimate internal auditors appeared on the scene. Hired by railroad businesses, these “traveling auditors” visited ticket agents to verify that money was properly accounted for. The popularity of internal auditing soared in the early part of the 20th century with the development of large corporations that employed thousands of people and conducted operations in numerous locations. In those early days, the major objective of internal auditing was to discover fraud quicker than it could be uncovered by the public accountant during the annual audit. Over the years, with the increased use of computers and automatic checking procedures, internal auditors became free to expand their traditional role
of transaction verifier and focus not only on fraud, but also on waste and inefficiency. In 1941, two dozen audit practitioners gathered in New York City to share their experiences, common challenges, and desires for the future growth of their beloved profession. Out of that initial meeting was born The IIA, a now global professional association for internal auditors. Through its 70 years, The IIA has led internal auditors in the practice of their dynamic, continually evolving profession. It has guided auditors through the advent of personal computers, the first electronic spreadsheet, and the enactment of the U.S. Sarbanes-Oxley Act of 2002. Today, as always, The Institute remains committed to advancing this great profession.
Help us celebrate our 70th! Visit www.theiia.org/Anniversary .
Our Principal Partners Make a Difference The IIA acknowledges the ongoing support from our Principal Partners, who help enhance the internal audit profession by sharing their resources and knowledge with our most valuable asset – our members. These partners actively serve as members and volunteers within The IIA, participate in the introduction of new guidance, develop world-class training, and show their commitment in many other ways in an effort to advance the internal audit profession.
The IIA encourages you to tap into the expertise of our Principal Partners in 2011!
IIA Conference Schedule 247 Maitland Avenue Altamonte Springs, FL 32701-4201 USA
April 4 – 6, 2011
Gaming Conference
Planet Hollywood / Las Vegas, NV
Please recycle this brochure by passing it along to a colleague.
July 10 – 13, 2011
70th International Conference
Kuala Lumpur Convention Centre / Kuala Lumpur, Malaysia
August 29 – 31, 2011
Governance, Risk, and Compliance Conference Omni Orlando Resort at ChampionsGate / Orlando, FL
October 17 – 19, 2011
All Star Conference The Bellagio / Las Vegas, NV
Issue 2
/
Register early for IIA Conferences and save! www.theiia.org/Conferences
/
Gaylord Palms Resort & Convention Center / Kissimmee (Orlando), FL
Vo l u m e 2
General Audit Management Conference
01/11036/MC/jp
March 19 – 21, 2012
NONPROFIT ORGANIZATION U.S. POSTAGE PAID THE INSTITUTE OF INTERNAL AUDITORS
March 2011
Understanding Internal Auditing Around the World
Today A M E M B E R S - O N LY P U B L I C AT I O N