
The Current State of Internal Auditing

A personal perspective and assessment

I. Introduction
Norman Marks and Jay R. Taylor have been practitioners and thought leaders in the
internal auditing profession for many years. In this article, they bring their combined
experience and perspectives, as well as the results of their very broad networking with
other leaders around the globe, to assess the current state of internal auditing and share
their views on where the practice should be heading. While both have senior positions
within their organizations, and are very active within the IIA and ISACA, the views
expressed are theirs and theirs alone.
In this article, Jay and Norman review high-level issues such as standard-setting and
leadership of the profession, and where internal auditing should report. They then
consider each major aspect of internal auditing (such as audit planning and risk
assessment; performance of individual audits; staffing and resources; the use of
technology; fraud and investigations; the quality of audit reporting and other
communications; and value-add consulting and other services). The authors discuss how
internal auditing has improved and where opportunities for enhanced performance can be
found in each area.

II. The State of the Profession


Are we one profession, two, or even more?
While there are others (such as the Board of Environmental, Health & Safety
Compliance, which offers a valuable certification for EH&S auditors), there are two
dominant organizations for internal auditors: the Institute of Internal Auditors (IIA) and
ISACA (formerly known as the Information Systems Audit and Control Association).
We are, in truth, a single profession – but unfortunately we have two organizations that
profess to represent us and provide professional standards. While there have been
attempts in the past to reconcile and agree on common standards, the fact is there are two
sets.
We agree in principle with the ISACA statement that, “The specialised nature of
information systems (IS) auditing and the skills necessary to perform such audits require
standards that apply specifically to IS auditing.” But many of us are both Certified
Internal Auditors (CIA) and Certified Information System Auditors (CISA), and are
confused as to how we determine where one set of professional standards starts and ends
versus the other set. How can we, for example, realistically separate a business function
into the automated portion versus the non-automated portion when trying to seamlessly
evaluate controls within a single process from end-to-end? The truth is we cannot and
should not abdicate the evaluation of all technology-related areas to IT auditors. There
should only ever be one internal auditing department at any organization and IT auditors
are members of that department. Just as it makes no sense to us to have two people
making a single evaluation of controls, it also makes no sense to have two potentially
competing and conflicting standard-setting bodies for a single profession. We hope that
time and common sense will enable leaders within ISACA and IIA to move towards a
combined, authoritative set of standards. Initial areas of focus should include a single set
of standards around such things as the role and purpose of internal auditing within the
organization, audit planning, risk assessment, documenting the work, reporting, and other
areas where professionals see commonality. We certainly have no problem with the
existence of two professional organizations, with ISACA taking the lead on technical IT
guidance, certifications, and training. However, until there is a recognition that we are in
fact one profession, the wasteful and duplicative efforts of the two organizations will
likely continue. New thinking is needed to rationalize the domains of the two
organizations.
An interesting question is whether we are considered a profession by those that matter:
regulators, boards, and those responsible for governance and risk management
frameworks. The good news is that major progress has been made around the world in the
last decade. Although internal auditing still has a long way to go if it is to be considered
in the same league as external auditing, the IIA has been taking the lead in reaching out to
international governance, regulatory, and governmental organizations with their advocacy
programs to obtain the professional recognition needed.

What is internal auditing?

The IIA says that:

“Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control,
and governance processes.”
This definition was crafted in 1999, in an atmosphere of controversy over several of its
terms (such as the removal of the prior statement that internal audit was ‘within the
organization’, in recognition of the possibility of outsourcing). We are now ten
years on and it has aged well. While there are still a number of voluble individuals who
disagree that auditors should perform consulting activities, they are in the minority.
Fundamentally, internal auditing exists to provide “assurance” to senior management and
the audit committee that certain things are working effectively as intended: the
organization’s governance, risk management, and related internal control systems and
processes.
Deloitte & Touche (principle #9 in A Risk Intelligent Enterprise published in 2009) states
“…certain functions (e.g., internal audit, risk management, compliance, etc.) provide
objective assurance as well as monitor and report on the effectiveness of an
organization’s risk program to governing bodies and executive management”. A key
responsibility is to provide “comfort”, which is essentially providing reasonable
assurance that the organization’s risk management and internal control processes operate
effectively - thereby helping the executive team and board members sleep at night.
Building on this expectation, Tim Leech, a respected internal auditor and blogger for the
IIA, wrote in April 2009 that internal auditors have one primary reason for being:
ensuring that “senior management and the company’s directors are fully apprised of the
organization’s current residual risk status”. In other words, audits should not focus solely
on assessing the quality of the controls, but instead address the quality of risk
management and the health of the internal controls relied upon to manage risk. It is the
job of senior management and the board to be aware of, and continually monitor the
acceptability of, local or operating management’s residual risk acceptance decisions. Too
often internal auditors determine what is “acceptable”; this is not their role. It is the
responsibility of the board to set organizational risk tolerance, management to operate
within that level, and internal audit to provide assurance that the key risks are being
managed (through the operation of internal controls) within the tolerances established by
the board.
The IIA definition was advanced thinking for its time and internal auditors are still
wrestling with how they can provide assurance over not only the system of internal
controls for the organization, but also its risk management and governance processes. The
IIA has been producing guidance and related training on the topics of auditing
governance and risk management, but even ten years after the definition was approved
few are performing audits of those areas and providing overall assurance to the board and
executive management. We support the continued development of practice advisories,
practice guides, training and other information to help the profession ‘catch up’ with the
ten-year old requirement to audit governance and risk management. Perhaps additional
motivation to address risk management and governance objectives will be driven by
external quality assurance reviewers who understand and apply the definition of internal
auditing.
In fact, too many internal audit functions remain focused on performing individual audits
rather than providing any level of overall assurance – even on internal control. Based on
studies over the last few years and our personal experiences, only about 50% of internal
audit departments routinely include an overall assessment of the quality of risk
management and internal controls in their audit reports. While this is disappointing, it is
even more so that very few chief audit executives (CAEs) provide their board and
executive management with an overall assessment of the organization’s risk
management and internal control processes. We believe this will change, if only to
comply with the increased tendency for international governance frameworks (many of
which are mandatory, such as in the U.K. and South Africa) to require a formal
assessment by internal audit of risk management and internal controls. We understand
that the new King Code III in South Africa will even require that the internal audit
assessment be included in the annual report to the shareholders.
One interesting issue related to the definition of internal auditing and related (IIA)
standards is the split (approximately 50:50) between internal audit functions in the U.S.
that test internal controls over financial reporting (for Sarbanes-Oxley section 404
compliance, “SOX”) on behalf of management and those that limit their involvement to
general oversight and reviewing the testing that is performed by management (or a
separate financial compliance group, or similar). The argument is between those who
believe that SOX testing is a value-add service to management and addresses the more
significant risks to the organization, and those who believe that SOX testing is a
management responsibility. The latter argue that management should periodically verify
that their controls are functioning adequately to provide a basis for their assertion in
connection with financial reporting, while the internal auditors should focus on
operational auditing. But shouldn’t internal auditors provide assurance on all the major
risks to the organization? Does it really make sense to perform no work on financial
reporting risks?
Those of us with longer memories can recall the pre-SOX days. A review of the 2003 IIA
GAIN survey discloses that rather than focusing on operational auditing, the average
internal audit function (across the more than 800 internal audit functions responding to
the survey) spent a large portion of their work auditing financial controls! While
operational auditing represented only 32% of audit time, assessing the adequacy of
internal accounting controls was a regular activity for 82% of the organizations in the
survey. Perhaps SOX did not put internal auditing as much out of balance as people think.
For us, the argument over whether internal audit departments should perform the SOX
testing or not is one for each individual company to make - its board, management, and
internal auditor. We take no position in this paper, only to say that reason should prevail
and the best interests of the organization should decide.
As to whether internal audit departments should only perform operational audits, or only
financial audits, or only compliance audits, our position is that all of these positions are
wrong. Internal audit departments should perform the activities necessary to provide
assurance on the governance, risk management, and internal control processes at their
organizations – consistent with the definition of internal auditing. They should select
specific areas to address based on a risk assessment, identifying the areas of greatest risk
to the effectiveness of those processes while leveraging any and all assessment work of
others when appropriate.
A question that many are asking is whether internal audit failures may have contributed to
the corporate risk management and governance failures that led to the current global
economic crisis1. Our view is that the answer depends on a number of factors. We
assume, first that the internal audit charter is consistent with the IIA’s definition of
internal auditing, where internal audit provides assurance on and contributes to the
improvement of the organization’s governance, risk management, and control processes –
in other words, the charter directs the CAE to assess the adequacy of governance and risk
management processes and practices. If the internal audit charter does not include this
requirement, there is another problem: the internal audit activity is not complying with
the IIA’s standards. We consider that a major problem.
If there were risk management or governance failures, and internal audit had such a
charter but either did not audit these areas or was unable to persuade the board and
management to make necessary improvements after an audit, then they failed. However,
if they performed an audit, found that the governance and risk management processes
were reasonably effective, and the failures were due to mistakes in judgment by
management, then we would not call that an internal audit failure. Internal audit can only
assess management’s processes, and there is always a risk that effective processes will
fail due to human error.

1 A survey by the Open Compliance and Ethics Group was inconclusive on this point, with about half
assigning some measure to internal audit and the rest holding them essentially harmless.

Where should internal auditing report?


This is another question that continues to be a “hot topic.” In this regard, IIA Standards
state:
“The chief audit executive must report to a level within the organization that
allows the internal audit activity to fulfill its responsibilities. The chief audit
executive must confirm to the board, at least annually, the organizational
independence of the internal audit activity.”
The IIA’s public position, although not enshrined in the Standards, is that the CAE should
report directly to the board (or audit committee) for functional purposes, and
administratively to the CEO. Although a large number of CAEs (probably a majority)
now report functionally to the chair of the audit committee of the board, the most
common administrative relationship continues to be to the CFO.
There is a growing body of opinion that the CAE should report directly to the
independent chairman of the board (or lead independent director if the CEO is the
chairman), both functionally and administratively. The reasons include:
o The audit committee of the board is generally focused on financial matters,
including financial risks, whereas internal audit needs to provide assurance on the
management of strategic, operational, and compliance risks in addition to
financial concerns. The downside of reporting to the audit committee is that
internal audit may be asked to limit the level and extent of non-financial
assurance provided to the organization. This is especially a concern in organizations
with limited or declining internal audit budgets.
o Internal audit should provide objective assurance to the board on governance, risk
management, and internal control. This requires a level of independence from
management that is not achieved when management is able, through its ability to
control budgets and assess the performance (and set the compensation) of the
internal auditor (even when subject to approval by the board), to exert significant
influence over the audit work performed.
We agree the question should be studied further. Boards will have to be persuaded that
the role of internal audit is to provide them (primarily) and executive management
(secondarily) assurance on governance, risk management, and control. We look to the IIA
to continue their advocacy efforts to change this from an aspiration to a reality.

Do we have a Seat at the Table?


Do we get, within the company, the respect we deserve? Are we part of the senior
leadership team or a mere observer? Have we earned and do we have the ability to
effectively influence our organization to change?
Whether, as some assert, it is due to SOX and the critical contribution made by internal
audit to management’s assessment of internal control over financial reporting or whether
it is due to the continued efforts of practitioners and the IIA, the standing of internal
auditors within the business world has significantly improved over the last ten years:
o While ten years ago it was common for internal audit to be controlled by financial
management, it is now unusual for the CAE not to have strong support outlined in
an internal audit charter, or not report functionally to the board (or audit
committee) and have direct access to its members.
o In most cases, the audit committee must concur with the hiring or termination of
the CAE.
o At many organizations, the CAE has been a major force for change. Examples
include the establishment of disclosure committees and risk management
programs – often run in their initial stages by the CAE. In fact, so many CAEs
were being asked to set up and run enterprise risk management programs that the
IIA had to provide guidance on which risk management functions internal
auditors could and could not perform!
We believe that best-in-class CAEs are valued, have the ear not only of the board but of
the C-suite executives (CEO, CFO, CIO, and others) and have a major influence for
change within the organization. There is a clear trend in this direction, especially as those
who are given the opportunity seize it and consistently deliver.

III. Audit Planning and Risk Assessment


What should the audit plan cover?
To be effective, the internal audit plan should cover, over time, all of the significant risks
to the organization – including key strategic, operational, financial reporting, and
legal/regulatory risks – while leveraging the coverage provided by the organization’s
enterprise risk management process2. There has to be sufficient coverage of these risks to
allow the CAE to provide the required level of assurance over governance, risk
management, and related internal control processes.
In the attempt to “get it right”, many internal auditors spend significant time capturing all
auditable entities, activities, processes and even systems into something they call an
“audit universe” before performing an excruciatingly-detailed risk assessment. Later
they find their audit plan doesn’t make sense and has to be tempered with significant
business judgment before it becomes usable. Why does this occur? Fundamentally, the
auditors did not start their analysis by focusing on business risks to the organization. So
what approach should be taken?

2 According to Paisley in their 2009 Best Practices in GRC Convergence: Building a Business Case for
GRC Convergence (page 2), “the assurance functions of internal audit, risk management and compliance in
most cases do not share business processes, terminology, or a common assurance methodology”. Their
recommendation is to develop a discipline of “risk convergence” where governance, risk and compliance
are aligned and supported by a standardized technology solution across the enterprise.

We feel the key to starting the assessment properly is to begin at the top with a focus on
the identification of business risks. This can be difficult to do as it requires a good
understanding of the organization’s strategies, business environment (including external
activities and conditions affecting the business), applicable laws and regulations,
operations, plus intended and actual operating and financial results.
Often, internal audit is accused by management of not understanding the business. This
may be explained by the fact that, according to the results of the recent
PricewaterhouseCoopers’ 2009 State of the Internal Audit Profession Study, about 58% of
auditors have five or fewer years of experience – even though the complexity of global
business activities, systems and processes has increased significantly in their
organizations3. So are internal auditors really equipped to identify the risks that could
potentially impact organizational value? Forming good partnerships is one of the keys to
gaining this understanding.
Like never before, internal audit’s focus must be aligned with priorities in the business to
remain relevant4. Static risk models focusing on auditable entities will not produce the
appropriate emphasis on enterprise issues or emerging and other risks requiring greater
attention. According to the PwC study (page 9), “…successful internal audit departments
will be those that maintain alignment with the changing risk profile of their company and
the evolving needs and expectations of their key stakeholders”5. Nearly 60% of Fortune
500 respondents to the PwC survey believed the ability to identify emerging risks in the
coming year is a medium or high concern.
Accordingly, best practice is to form partnerships with senior leadership and members of
the audit committee and have continuing discussions to identify emerging and other
important risks. Once these are understood, and the related processes are identified, a
universe of significant business risks can be defined to begin a meaningful assessment
process. These discussions will go a long way toward defining the universe that should
be covered. Focusing on trying to cycle audit coverage through a universe of all possible
auditable activities, processes and systems should be avoided in most organizations
where resources are limited, and is highly likely in any organization to result in auditing
areas that are not the most significant risk areas.
Leading practitioners6 assess the effectiveness of management’s risk management process
and determine whether it can be relied upon by management – and by internal audit. To
be useful, management’s assessment has to be updated timely and regularly, be
sufficiently comprehensive and complete, and any risks that are not being mitigated or
transferred to others must be clearly articulated for management’s acceptance.

3 As we note in section V, below, the level of experience is improving – but improvements can still be
made.
4 IIA Standard 2010 on Planning states, “The chief audit executive must establish risk-based plans to
determine the priorities of the internal audit activity, consistent with the organization’s goals.”
5 PwC also suggested that many audit organizations still require a shift in their focus from financial
reporting controls to a focus on the sources of risk that impact or destroy shareholder value. We concur
with this observation.
6 One of the benefits of assessing and providing assurance over management’s risk management program is
that it can be brought up to the level where internal audit can rely on it to identify the significant risks to
include in the audit plan.

According to PricewaterhouseCoopers’ 2009 State of the Internal Audit Profession Study
(page 29), internal auditors wanting to provide the greatest value should consider
providing assurance over the organization’s ERM function. The value comes out of
anticipating and monitoring the risks that are truly relevant to the success of the business.
PwC indicates that the strategic and business risks that have recently led to breathtakingly
rapid drops in shareholder values have caught even the most sophisticated risk
management functions by surprise. So providing assurance over the ERM function helps
to align internal audit’s efforts to the changing risk profiles and helps management protect
shareholder value. Where resources are lean, a strategy of reliance can be developed to
integrate the work of other assurance providers into the internal audit assessment.
However, care must be taken to ensure that the work of others is reliable and is performed
objectively by competent personnel.
Where deficiencies in management’s process are observed, internal auditing is well-
positioned to perform a consulting engagement with the purpose of recommending
enhancements that, once implemented, will allow senior management and the board to
rely on the process in the future. However, where a risk management process does not
exist or is immature, internal audit can work with senior management and the board to
build an integrated risk management framework for the enterprise with the goal of
providing a reliable and complete picture of the organization’s risks that everyone can
eventually leverage.

How do I keep the audit plan current?


These days, an annual or static internal audit plan is no longer adequate to meet the needs
of organizations facing a slew of new and increasing business risks. And who isn’t facing
a slew of new or increasing strategic, financial, regulatory or operational risks? Today
every CAE has to be concerned about the possibility that their plan is quickly becoming
stale like the chewing gum under the table. To cope with this kind of environment,
professionals are finding ways to periodically reassess their audit plan to ensure it is kept
fresh and responsive to organizational needs.
An increasing number (although less than half according to PwC’s 2008 State of the
Internal Auditing Profession study) of internal audit functions have moved away from
annual risk assessments and audit plans to more frequent updates. Unfortunately, most of
those have only moved to semi-annual updates and very few have implemented a process
described in PwC’s 2009 State of the Internal Audit Profession study as “continuously
confirm[ing] or refresh[ing] internal audit risk assessment results ... to steer audit focus
on a real-time basis.”
A few CAEs have taken an approach we believe is excellent: a rolling three- or six-month
plan, rather than an annual plan that is updated periodically. This enables the CAE to do
the right audits at the right time. However, this novel approach may require careful
communication and persuasion as it will be new to the board and executive committee.
We believe strongly in one change that needs to be made across the profession. One
traditional metric for measuring the effectiveness of internal auditing has to be
condemned to history books: percentage completion of the annual audit plan. This is an
incentive to perform audits of yesterday’s risks, an incentive to waste precious audit
resources. Instead, the measurement should be based on whether assurance is being
provided over the more significant organizational risks.
While techniques for performing periodic reassessments of the audit plan vary among
organizations, the leading practice discussed earlier centers on the performance of an
assessment of management’s risk assessment process. Having a robust and effective
enterprise risk management process that can be integrated with internal audit is the best
way to ensure that new and increasing business risks are being considered and addressed.
Other techniques for staying on top of the organization’s changing risk profile are also
found in practice. For example, many CAEs have assigned managers to areas of the
business so they can stay aware of changing risks and bring back almost real-time
information that can be assessed and compared against other data points. This is perhaps
a best practice. Other CAEs continually scan the internal and external environment for
issues potentially impacting their organization. They periodically assemble their internal
audit leadership team to discuss the implications of this new information on the audit plan
or the strategy for conducting particular audit projects to address these issues. Still other
CAEs prefer “MBWA” - management by walking around - attending senior management
meetings, visiting major locations and just listening. (Personally, we call this “auditing
by walking around”.) Sometimes staff who report to the CAE are delegated the
responsibility for developing and nurturing certain networking relationships with others
such as the general counsel, the CIO, and other key sources of information. All of these
methods can help keep the audit plan fresh. There is no right or wrong answer but the
point is to perform some on-going and defined level of work to capture information in an
organized manner and assess its importance to the control environment and the audit
plan.
Some CAEs have taken the approach of setting aside a large portion of their available
audit resources (in some cases, as much as 30%) for special projects. These are typically
projects that are requested by management or the board in response to an emerging risk or
opportunity, but can also be added by the internal audit management team when a risk
area is identified that was not in the audit plan. Unfortunately, while these organizations
have developed a process for adding audits, they are not always effective in removing
audits of yesterday’s risks, or changing the planned scope and approach in response to
changes in the nature or extent of the business risk. We believe in audit planning that
ensures that all of the significant risks relating to current or future operations are
addressed, and only those risks.
In best-practice organizations, we also see more comprehensive, on-going monitoring of
key or strategic business risk areas and related controls versus the ad-hoc, “point in time”
assessment approach. The goal is almost continuous assurance on certain controls.
These audit departments have identified, with senior management assistance, the risks to
achieving important business objectives, then identified the combination of manual and
automated controls that should be monitored to achieve the targeted level of assurance.
While technology is used where feasible, regular checking on manual or administrative
controls is also required but is minimized by applying the effort in a focused or targeted
manner versus conducting full audit reviews. In this way, a portion of the audit plan can
be devoted to continually reviewing those controls most important to management that
provide the greatest level of risk management around achieving the organization’s
objectives. Further guidance on continuous auditing may be found on The IIA’s website
within its GTAG series while insight regarding continuous risk and controls assurance
(CRCA) may be found in SAP’s solutions for GRC7.
It goes without saying that on-going monitoring of risk will add no value unless there is
sufficient flexibility in the internal audit plan to respond to the risks it identifies. Gauging internal audit
value with a metric that measures the percentage of the annual audit plan completed will
only drive CAEs to auditing the risks of yesterday. As indicated earlier, an internal audit
plan that is not aligned with management’s risk management process will not be effective
- we need to find ways to address the risks of today and tomorrow.
During execution of the audit plan, internal auditors should be alert to changing
conditions and be responsive where possible to management and board-level requests for
assistance including special investigations and control consultations involving strategic
initiatives. However, there continues to be debate around whether internal auditors have
the skills required to assess strategic initiatives and related risks.
According to the January 2009 IIA Global Audit Information Network Knowledge Alert:
2009 Hot Topics for the Internal Audit Profession, nearly half of the survey participants
said they had no plans to increase the level of assurance provided on business efforts in
response to changes in their organizations’ strategic initiatives. However, IIA Chief
Advocacy Officer Dominique Vincenti recommends internal auditors provide assurance
by performing risk assessments once the organization decides to enter a new strategic
venture. To help internal auditors make the change, Vincenti provides a three-step
approach to guide an assessment or evaluation of strategic business initiatives. This
approach effectively enables auditors to better support management by “providing new
assurance on new risks”. These special projects and requests must be balanced against
the need to deliver on the audit plan as approved. Management requests should generally
not be taken on by internal audit where they may result in the postponement of assurance
reviews in high-risk areas.

How should technology risk be covered as part of the overall audit plan?
First, we feel that the term “technology risk” should be stricken from the vocabulary.
There is no such thing as “IT risk”, since risk exists only in the context of the impact
technology could have on the organization or business operations. It is not some separate
evaluation that must be completed. Instead, the risk assessment internal auditors perform
around IT should be a sub-set of, and be integrated into, the overall internal audit risk
assessment process. The result is a comprehensive audit plan in which application-related
risks (including application general controls) are covered seamlessly during end-to-end
audits of the related business areas. An alternative is to conduct separate audits of
different sets of the controls over the end-to-end process, but in a way that ensures that all
the controls to address the business risk are addressed in an integrated fashion. For
example, separate but coordinated audits might be performed over manual controls in a
shared service center in Ireland, automated controls managed by IT application support in
India, and data center controls in Canada. Many refer to this approach as “integrated
auditing”. Where it makes sense to do so, separate reviews of other aspects of the IT
environment including IT processes, infrastructure, and other areas may be performed but
must be directly connected to the business risk assessment to be relevant. For example,
conducting an audit of a data center makes most sense when the applications running
there are critical to the business processes and operations currently included in the overall
internal audit plan and are assessed as having a higher risk of impact on the business.
Unfortunately, this model is not predominant in the profession yet.

[7] The need for and benefits of a CRCA initiative to internal auditors can be found in a document entitled “A
Look into the Future: The Next Evolution of Internal Audit” at
http://download.sap.com/solutions/sapbusinessobjects/large/governance-risk-compliance/brochures/index.epx

According to the March 2009 IIA GAIN 2009 IT Audit Benchmarking Study, only 52.9%
of internal audit respondents use an integrated planning approach in which potential IT
audit areas are determined as part of the risk assessment process or annual audit planning
process performed to determine all audit universe components. In the April 2009 issue of
Internal Auditor magazine, authors Anita Helpert and John Lazarine discussed the
importance of, and provided practical steps for, “Making Integrated Audits Reality”. In the
integrated model, the audits focus simultaneously on an organization’s financial,
operational, and IT controls and processes. According to the authors, “integrated audits
not only save time and money, they also address true business risks in thoroughly
integrated findings” and are more “likely to identify points of exposure” while helping to
solve the underlying problems. While our experience is that this approach is the most
efficient and effective way to cover technology-related risk, many internal auditors lack
the knowledge required to perform appropriate scoping.

According to Protiviti’s 2009 Internal Audit Capabilities and Needs Survey (page 2), the
area ranked by internal auditors as the one in which they most needed to improve was
found within the category of General Technical Knowledge. Specifically, auditors felt
they needed a much better understanding of The IIA’s Guide to the Assessment of IT Risk
(GAIT) series of publications. The GAIT series describes the relationships among
business risks (including risks to the financial statements, the efficiency and effectiveness
of operations, and compliance with applicable laws and regulations), key controls at the
entity-level and within business processes, automated controls and other critical IT
functionality, and key controls within IT general controls. Understanding GAIT
principles allows the auditor to appropriately scope either IT audits or business process
audits with an IT component. We recommend every audit department review a copy of
GAIT for Business and IT Risk for use in both the scoping of individual audits and in their
2010 and continuing annual audit planning exercises.

Other surveys of the current needs of internal auditors also demonstrate the desire for IT
knowledge. For example, the PricewaterhouseCoopers 2009 State of the Internal Audit
Profession Study (page 18), revealed a knowledge gap in technology and indicated the IT
audit work is not well-shared in most organizations surveyed. Technology-related risks
tended to be addressed solely by IT auditors who were often in short supply. The study
recommended that special attention be directed toward developing integrated departments
whereby technology skills are embedded within the department rather than just being the
domain of the IT audit subgroup. We strongly concur with that recommendation.

Further, the need to better integrate IT-related risk and controls knowledge within the
skills set of every internal auditor has been supported by The Institute of Internal
Auditors for years in various publications from their International Advanced Technology
Committee and in the 2008 Competency Framework for Internal Auditors. While we feel
that a greater level of integration between the work of IT auditors and business auditors is
required to be successful, this integration may not be occurring in many organizations.
Continuing focus in this area is needed.

Closing thoughts on the audit plan


One area where we believe CAEs can do better is to take a step back and consider
whether the audit plan indeed addresses all aspects of business risk. For example, are all
entity-level risks being considered, including organizational structure, authority and
responsibility, governance, ethics, human resource policies and practices,
communications and transparency, fraud risk and other such areas? Each of these areas
is guided by policies and implemented by processes on which internal audit should provide
assurance to the relevant stakeholders. We are pleased that the IIA is in
the process of developing practice guides in the areas of auditing governance and the
(COSO) control environment.
Also, every CAE must find the proper balance in their audit plan between assurance
engagements and value-add consulting projects. As discussed in greater detail in Section
IX (Value Add Consulting and Other Services), we caution that the desire to assist
management with consultative services should not be done at the expense of critical
assurance work – the internal auditor’s primary responsibility.
Finally, the audit plan must include a mix of projects with elements of complexity and
difficulty to provide staff with opportunities to grow and develop. The existence and
availability of challenging work assignments is often cited in employee satisfaction
surveys as a key reason for joining or staying with one organization versus another.

IV. Use of Technology


Frankly, most internal audit departments struggle with the application of technology in
their audits. From speaking with other professionals, we observe that the two most
important uses of technology currently are to facilitate the management of the audit
process (e.g., work paper management) and to conduct certain audit tasks such as
documentation and testing [8]. Additional areas where software can and is being used in
internal audit include:
• Risk assessment
• Audit planning
• Data analytics
• Process and control documentation
• Automated testing
• Access control and segregation of duties monitoring
• Technical IT auditing
• Self assessment
• Audit findings and “open issue” management
• Visualization and reporting
• Shared “governance, risk and control (GRC)” repositories
Clearly the ability to do more high-quality work using fewer resources is supported by
having the right tools and using them effectively. By now, most organizations have
settled on the tools they need for automating and managing the audit process. Where
most of us are behind is in the application of technology to perform our work such as risk
assessment, analytical review, continuous monitoring, and sometimes even substantive
transaction testing.

[8] E&Y’s 2008 Global Internal Audit Survey reported that workpaper documentation, tracking findings, and
reporting were the primary areas where internal audit functions found technology very effective.

It was no surprise to us that Protiviti’s 2009 Internal Audit Capabilities and Needs Survey
(page 7) indicated the area ranked by internal auditors as the one in which they most
needed to improve within the category of “Assessing Audit Process Knowledge” was a
tie between “continuous auditing” and “computer-assisted audit techniques (CAATs)”.
While this has been talked about and written about for years, the profession still has not
fully embraced available technology in a way that is meaningful to their audit objectives.
Perhaps we still have not reached a point where all internal auditors are expected to have
a certain baseline of technology-related knowledge to be seen as fully-skilled in the
profession? The authors believe it is time for this to change. Who among us can name a
key process in their organization that is not at least partially automated? And if there is
so much automation, why shouldn’t we expect all internal auditors to demonstrate basic
proficiency in the knowledge of IT-related risk and controls?
According to the PricewaterhouseCoopers 2009 State of the Internal Audit Profession
Study (page 17), most internal auditors unfortunately aren’t prepared to audit in an
automated environment. The survey reveals that internal auditors are still grappling with
a skills gap in technology, particularly in major ERP systems. This is very troubling to
the authors, who have for decades utilized computers in conducting their audits. The
PwC study indicates (page 16) that internal auditors should apply technology to conduct
real-time reviews, escalate issues, and ensure compliance with standards. This includes
the need to improve effectiveness by searching for errors or unusual transactions by
testing the entire data populations automatically. Training every auditor in appropriate
use of the tools and holding them accountable for their application are the foundation
critical to their effective use.
Even experienced IT auditors may not be familiar with advances in the technology
available to audit departments. Examples include:

o Business intelligence (BI) solutions [9] literally put ‘information at your fingertips’.
Used traditionally by financial and operations analysts, these products can be used
by internal auditors to run queries and get reports without programming. Some
companies, like Cisco, use BI for continuous risk monitoring and for data
analytics before starting an audit. Rather than meeting the auditee and asking
about their business, Cisco auditors start the meeting by asking about operating
trends and data anomalies they have identified using BI
o Automated testing products, also called continuous control monitoring [10], enable
continuous data monitoring and control testing. Traditional CAATs rely on
periodic extracts from enterprise data and query and reporting programs. The
newer products are executed automatically on a schedule set by the auditor,
scanning and monitoring data as frequently as every minute [11], and only reporting
exceptions or samples for investigation. The auditor identifies the controls to be
tested and the procedures to be followed. The products include the workflow for
responding to the items reported and maintain the required audit documentation on
the results, so the auditor can assess the health of the tested controls. The
solutions typically include dashboards or similar reports so the auditor can see and
share the current results of testing
o Specialized tools for the IT environment are being developed or enhanced all the
time. One product that has exciting possibilities for internal auditors is able to
access system logs and monitor transactions for specific events or transactions.
Another scans outgoing network traffic to detect leakage of confidential or private
data (including intellectual property)
Just as monitoring yesterday’s risks adds no value, employing yesterday’s audit and risk
monitoring techniques and technologies will not create an efficient internal audit function
that provides the level of assurance needed by senior management and the board to
effectively manage business risk. The fact that internal auditors are finding technology
most effective in performing administrative tasks (such as work paper management and
tracking findings) is because, in our opinion, the value of today’s technology is
understood by few – a great opportunity for CAEs desiring to make dramatic
improvements in their internal audit operations.
Our obligation as professionals requires us to become knowledgeable in all of the
technologies that will help us become more efficient and effective. Because the work of
IT auditors and business auditors must become more integrated to be successful, we must
embed technology skills and the use of technology (such as on-demand data analytics
using BI) throughout the audit department rather than leaving this within the domain of
the IT audit team.

[9] The primary BI vendors include SAP Business Objects, Oracle Hyperion, and IBM Cognos
[10] Vendors include ACL, SAP BusinessObjects, Oracle, Oversight, and IDEA
[11] Some products do not require data extracts. They monitor the data from within the organization’s ERP,
enabling rapid identification and investigation of exceptions

V. Staffing and Resources


An internal audit department is only as good as its people – an old adage but highly
applicable to the practice of internal auditing. The board and management rely on their
business-practical insight; balanced and fair assessments of governance, risk
management, and control processes; practical recommendations for improvement; ability
to effect change and obtain corrective action; and ability to communicate and influence
both management (at all levels) and the board.
Over the last few years, progress has been made on a number of fronts when it comes to
the quality of individuals in the internal audit function:
o Due in part to the improved position of internal auditing within most
organizations (our seat at the table, discussed in section II above), the majority of
CAEs are considered senior executives. As vice presidents (or better), they
command a higher salary and organizations are hiring and retaining more
experienced individuals. Companies are, for the most part, no longer looking to
promote senior internal auditors or hire managers out of public accounting to be
their audit director. Now, they are promoting managers or directors, or hiring
partners out of public accounting, to be their vice president of internal audit
o While there continues to be a natural progression for accomplished CAEs to be
moved into a senior finance or business position, there is more acceptance that the
CAE is not necessarily a transitory position. Individuals without audit experience
are less likely than in prior years to be brought into internal audit as CAE for a
couple of years, and accomplished CAEs are being retained longer and rewarded
for the business contribution internal audit is delivering
o The improvement at the CAE level has been accompanied by a corresponding
improvement in the compensation and experience levels of the balance of the
staff [12]. The greater business experience and practical insight has improved the
general level of value-add service provided to the board and management
o Training for internal auditors has expanded beyond the technical to include the
soft skills of listening and communication. Internal auditors are no longer seen as
watchdogs in search of issues; instead, there is an improved awareness that
internal audit must work collaboratively (but with objectivity and professional
skepticism) with management to improve operations and add value. Internal audit
functions evaluate the staff’s proficiency in the soft skill areas and provide
training as needed
o The number of auditors with specialized skills (such as in information technology
or financial reporting) has improved. While there is still, in our opinion, an
imbalance in many organizations between those with operational audit or public
accounting experience vs. those with information technology skills (of which
there are too few), improvements continue

o Almost every organization uses co-sourcing with a professional services provider
to complement their staffing, especially where specific technical or language
skills or experience is required
Prior to the economic crisis, internal audit budgets and staffing levels had generally
improved – in part, due to the need to address controls over financial reporting. But, a
March 2009 survey of CAEs attending an IIA roundtable reported that:
o 53% had experienced budget reductions over the last 12 months
o 80% eliminated or reduced co-sourcing support and training
o 40% had reduced staffing levels, and the rest were under a hiring freeze
The challenge for the next year and beyond will be to provide the necessary internal audit
services, which include additional attention to risk management processes and to
operational and strategic risks in particular, with a reduced budget. CAEs at the
roundtable indicated that one opportunity would be improved use of technology – as
discussed earlier.
Another challenge will be to extend the scope of internal audit departments’ work to
include assurance over governance and risk management processes. Although the IIA’s
definition of internal auditing and related standards require assurance over governance
and risk management processes in addition to controls, relatively few are meeting that
requirement. Doing so will require the acquisition of new skills and experiences,
especially where management’s risk management processes are complex or where they
are non-existent or immature.

[12] Internal audit departments that are performing SOX testing have often hired more junior staff to support
that work. However, they are typically not involved in monitoring risks and establishing the scope for audit
projects, and are supervised in report development by more experienced auditors.

VI. Performance of Individual Audits


The improved experience and skills in internal audit – as discussed earlier – together with
the use of technology, has resulted in a general level of improvement in the quality and
value of individual audits.
However, we are concerned by the continuing tendency of auditors at all levels to seek
checklists and standard audit programs when assigned a new area to audit. Rather than
using the preferred approach (in our opinion) of understanding the business risks and then
identifying the controls to include in scope, these auditors are using what somebody else
has designed – for a different situation. While locations like Jim Kaplan’s AuditNet are a
fantastic source of audit programs, they are what has been considered appropriate to
another business at another time. Even when auditors choose the audit program used in
the same audit last time, they are not considering that the business, related risks, types
and natures of transactions, and the systems and processes used may be different.
Auditors have the intellect, imagination, skills, and experience to approach every audit
with the attitude that the risks to address and the controls to assess may be different from
the prior year – or from what is covered in a program obtained off the Internet.
The same applies to the tools and techniques that auditors use. Rather than using the same
audit approach as last year or as another company, auditors should understand there are
very many ways to perform an audit. Just because manual sampling and testing of
transactions was effective last time does not mean that using automated techniques or a
process audit approach would not be more effective in addressing the key business risks
this year.
As discussed earlier, technological advances enable internal auditors to change the way
they perform audits. Auditors should understand these developments and take advantage
of the following when appropriate:
o Continuous data and control auditing
o Data analytics, including the use of business intelligence tools already used by
Finance and other departments
o Wikis and other collaboration tools (e.g., for risk assessment, control self-
assessment, etc.)
o Enterprise risk management or governance, risk and control (GRC) repositories
and tools
o Enterprise application functionality, including audit functionality and security
monitoring
o On-line survey tools for quickly collecting and analyzing information or opinions
for the audit from diverse groups of people
o Specialized tools, especially related to IT security and privacy, such as those that
can be used to monitor outgoing network traffic for confidential data leakage
(e.g., Cisco Data Privacy, Vontu, etc.), or those designed to identify IT
vulnerabilities (e.g., WebInspect, Qualys, etc.)
While advances are being made (for example, roughly half of internal audit departments
are making some use of continuous auditing technology), there remains significant room
for improvement – in prohibiting blind re-use of audit programs, and in taking advantage
of technology to provide an appropriate level of assurance.

VII. Fraud and Investigations


Advances in technology (e.g., in data analytics, security access monitoring, and
continuous data auditing) have also improved internal auditors’ abilities to assist
management in the investigation of suspected fraud, and to assess the controls and
processes in place to prevent, detect, or deter fraud.
One area of improvement has been in management (and internal audit’s) fraud risk
assessment processes. While management of few companies actually conduct regular
fraud risk assessments, internal audit departments are taking an active consulting role and
explaining the need for management to assess the risk of fraud – and not rely totally on
fraud risk assessments performed by internal audit. This is reflected in this section from
the summary of the IIA’s March 2009 CAE roundtable:
“As the financial crisis deepens, new suspicions of fraud have emerged. When
asked if their audit plan includes new activities to identify control or fraud
weaknesses, most CAEs reported that they have increased their focus on fraud,
particularly in areas with recession-related risks. While many have embedded
additional fraud testing in their audit plans, others are expanding their scope using
automated data mining tools. One CAE said that his organization uses a fraud
framework to help clarify its focus.
“A few Fortune 100 company CAEs indicated that they are advocating self-
assessment activities within the organization’s business units, pushing control and
fraud monitoring accountability to operational management. This process, which
serves as a continuous monitoring tool, can help shift audit resources from
compliance testing to reviewing trends and the effectiveness of the self-
assessment process.
“By reviewing the results of self-assessment questionnaires, surveys, and
checklists, internal auditors can gain valuable information on control weakness
trends that could lead to fraudulent activity.”
We believe there is still room for improvement. Organizations considered best-in-class
require management to perform a fraud risk assessment, which internal audit reviews.
Management also has processes and controls in place to prevent or detect fraudulent
activity that are subject to periodic audits based on risk. Internal audit may perform
additional fraud detection procedures in high-risk areas where necessary to provide
support to the external auditor (and thereby generate fee savings), or where requested by
executive management or the board.

VIII. Reporting and other Communications


As a profession, we continue to struggle with reporting the results of our audits:
o While a majority of departments assign some level of priority or significance to
individual audit findings, that is still not universal practice
o Too few audit reports include an overall opinion or assessment, the auditors
apparently being satisfied with assigning significance to the individual findings.
They don’t step back, look at the entire picture, and provide management and the
board with their assessment of the overall condition of the organization, process,
or risk management activity. This overall opinion is, in our opinion, highly
valuable and we are failing to complete the assignment and give full value for our
work without it
o Audit reports remain focused on whether the controls tested were operating
effectively, rather than addressing whether the business risks covered by the
controls are managed within organizational tolerances. It is essential that internal
auditors shift from a controls focus to a risk focus, consistent with board and
management thinking (as recommended by all the CPA firms, such as PWC in
their landmark publication Internal Audit 2012, where they said that, “Internal
audit leaders must adopt risk-centric mindsets if they want to remain key players
in assurance and risk management.”)
o Too many audit reports contain what auditors want to say, rather than what
management and the board want or need to know. While some leading thinkers
have made excellent progress towards clear, concise, and meaningful
communications, we continue to see reports with these common failings:
    o Background information that management already knows such as the size
    of the organization audited and its management structure
    o Details on the scope of the audit, sample size, and other data of no value
    or importance to the executive reader. Audit reports should not be written
    as if they are evidence, proof that the audit was to standards. They should
    be written as communication vehicles, with consideration of executive and
    board members’ limited time and desire for communications that get to the
    point
    o Discussion of issues and actions that are addressed by lower levels of
    management and do not merit the attention of executive management or
    the board
    o A reluctance on the part of the auditor to say that the risk management and
    control processes were, on the whole, effective with no significant issues –
    and leave it at that. Instead, there is an impression that they have to justify
    their existence and results by encumbering what should be a simple, short
    report with pages and pages of information providing no real insight to the
    executive reader. Instead of looking good, the auditor is actually
    demonstrating they don’t know how to communicate with top
    management
o Technology has enabled us to improve audit reporting in several ways. Again,
some leaders in the profession are taking advantage of these tools, but not enough:
    o The ability to use information gathered by analytical tools to add context
    to the report. For example, if there are issues with vendor selection
    processes, information about purchasing patterns and levels, the number of
    vendors used and whether there is concentration of purchases, helps the
    reader understand the significance of the audit findings
    o Visualization tools, such as Excelsius, enable the graphic representation of
    results with drill-down capabilities for management to understand related
    details. For example, if a report discusses a failure to effectively monitor
    discounts taken, a chart that shows for each geographic region the level of
    discounts (with detail available on discounts by month or product line)
    provides management and the board with excellent information to improve
    their understanding of the significance of the issue and the need for action
    o Visualization tools can also be used in support of continuous auditing to
    provide continuous reporting. Dashboards or similar communication
    techniques can be used to show management and/or the board, on demand,
    the current health of risks and related controls
    o Finally, visualization tools can significantly improve the quality of the
    CAE’s periodic reports to the board, and the presentation of the audit risk
    assessment and plan
o Another area where we believe there is room for improvement is the integration
of audit results and assessments into management’s risk management process.
Again, some companies have established a process where the risk office receives
all audit reports and considers the implications for changing the assessment of
related risks. The risk office also takes (or shares) ownership for monitoring
completion of remediation. However, this is far from common practice
Overall, there have been improvements but it is not a good sign when many audit
departments have average report lengths of 5 pages or more – some in double-digits. This
is a symptom that the department is using audit reports to document results rather than to
communicate to executive management and the board what they need to know.

IX. Value-Add Consulting and Other Services


At least for most departments impacted by the burden of SOX testing, value-add
consulting and other projects took a back seat over the last few years. Internal audit
functions dedicated a large part of their time to performing testing for management,
and/or working with management to ensure controls over financial reporting were
effectively designed and adequately tested. CAEs have been rebalancing their audit plan
over the last couple of years, with SOX work reduced significantly in most cases.
CAEs have turned their attention back to what they generally term ‘operational auditing’,
which is probably better described as audits that don’t focus solely on financial reporting
risks. They include compliance audits as well as audits of the effectiveness and efficiency
of operations. In many cases, ‘operational audits’ also include targeted audits of vendor
compliance, healthcare cost management, and other activities that are generally
considered as consulting rather than assurance.
The ability to perform value-add consulting services has been significantly improved by
advances in technology, notably in data analytics and continuous auditing tools.
Many CAEs are very proud of their value-add activities, which have been met with
acclaim and support from their management and board. After all, they are generating
millions of dollars of cost savings, risk reduction, or revenue opportunities.
We also commend these achievements – as long as they are not at the expense of
providing critical assurance services. We believe that a CAE’s first duty is to provide
assurance over all significant risks and related controls (including those related to
external and management financial reporting). Only then can CAEs afford to provide
value-add consulting activities.
We literally shudder at the thought that internal audit departments have been focusing
attention on generating millions of dollars in value-add services, yet ignoring, and through
their inattention allowing, ineffective governance and risk management practices to
develop or continue without challenge.

X. Closing Thoughts

Overall, the profession and the practice of internal auditing have seen marked
improvement over the last five or so years.
o The standing of internal audit has improved, with the CAE frequently having a
seat at or near the senior executive table
o An increasing number of departments are starting to use continuous auditing
techniques
o Leading CAEs are updating their audit plans quarterly, with a few moving to
rolling three or six-month plans
o Technology advancements enable significant improvements in the efficiency and
effectiveness of internal auditing, for example in the area of data analytics or data
mining
However, we believe further improvements can and should be made.
o CAEs should provide formal assurance on their organization’s governance, risk
management, and related internal control processes
o Far more advantage should be taken of the significant improvements in available
technology
o Continued improvement is needed in addressing IT as part of, and not separate from,
business risk
o CAEs need to raise the bar on the level of IT-related risk and control knowledge
expected of and held by the non-IT members of the team (business auditors),
particularly those aspiring to supervisory or leadership positions within internal
audit
o We need to become a single internal audit profession, with a single set of
standards
Jay and Norman welcome your comments at jay.r.taylor@gm.com and
norman.marks@sap.com.
