3. The first annual survey of more than 300 chief audit executives (CAEs) from U.S.
institutions reveals the evolving nature of internal audit activities at home and abroad.
The survey indicates that the focus of internal audit is broadening beyond financial
compliance to drive greater value throughout the organization. Internal audit admirably
handled the most onerous demands of the Sarbanes-Oxley Act (SOX) and is ready
to take on different challenges around automation, technology risk and operational
improvements. While many of these challenges may have been considered in the
recent past, actively addressing these items seems to be the order of the day.
4. Chief Audit Executive Survey 2011
Executive summary
During the second half of 2010, Grant Thornton LLP’s Advisory Services professionals surveyed more than 300 CAEs from a geographically dispersed mix of public and private U.S. institutions, with a focus on dynamic organizations in the middle market. The purpose of this survey is to provide insights into current trends and identify how internal audit professionals are responding to the changing demands of their profession.

Internal audit is evolving along the value creation dimension. Because of the changes in the profession, no single definition can capture the essence of what internal audit is. Internal audit is a little different for each organization and should be customized accordingly.

“As attention once again moves beyond compliance, CAEs believe that the audit committee, board of directors and executive management want to rely more on internal audit to be their eyes and ears on the ground,” says Paul Kanneman, Grant Thornton’s Business Advisory Services national managing principal. “In response, CAEs are moving from a largely reactive role to an increasingly proactive one.”

After the introduction of SOX, the pendulum had swung far to the end of the audit spectrum and was focused on compliance. This was true for public companies, and private companies, too, began to go down the path of increased effort in financial controls compliance, focusing specifically on financial statement internal controls. Many operational audit areas were left unaddressed as organizations responded to an all-hands-on-deck need to address SOX compliance needs.

Now CAEs and the boards are taking action to rebalance their activities and restore a more even allocation of resources between compliance-related audits and operational audits. CAEs are addressing these concerns, which are known by the internal audit community and highlighted by operations management and audit committees. This survey confirms that internal audit is not only performing traditional activities involving compliance and controls issues, but also has a new focus on responsibilities such as evaluating emerging risks, ensuring appropriate corporate governance, and incorporating technology into internal audit processes. Following are highlights of what CAEs responding to the survey had to say.
5. A springboard for executive advancement
Nearly seven in 10 CAEs see internal audit as a springboard for advancement into other executive management positions at their own companies or into a CAE role with greater authority at a larger company. And 13% of CAEs serve on boards at outside organizations.

The high value of internal audit
Organizations place high value on internal audit work as demonstrated by in-house staffing trends: Twenty-three percent of CAEs expect their departments to grow. Most respondents predicting growth come from organizations with internal audit departments that have 10 or fewer professionals. The use of outsourcing and co-sourcing of internal audit services is largely expected to remain unchanged in the next 12 months.

Commitment to operational auditing confirmed; outlook for continuous auditing less certain
More than nine in 10 CAEs perform operational auditing, with nearly one-quarter of all respondents saying that hours dedicated to operational auditing will increase. Only one-third perform continuous auditing, but almost one-half see their time commitment to continuous auditing increasing in the next 12 months.

Internal audit adds value to board
Virtually all CAEs (95%) believe they provide value to the audit committee, in particular through risk-monitoring activities and efforts that strengthen corporate governance oversight. Most respondents (89%) are comfortable with taking issues to the audit committee that are inconsistent with management’s views or positions.

Governance, risk and compliance technology underused
More than four in 10 respondents state that their organization is not using governance, risk and compliance (GRC)-specific technology effectively. However, data analytics has been adopted by two-thirds of CAEs to help achieve more efficient internal audit processes and increased coverage.

Regulatory environment the greatest threat
Almost one-half of CAEs see continuing changes to the regulatory environment as the greatest threat to their organization’s governance performance. The next-highest threats in descending order of importance are global expansion into new regions or culturally different locations, new initiatives, and the launch of new products or services.
6. Anti-fraud efforts enhanced
Nearly three in four organizations have formal anti-fraud measures in place. More than eight in 10 CAEs (86%) are directly involved in fraud investigations, with in-house auditors taking the lead 46% of the time and chief counsel supervising just under one-third of anti-fraud investigations. Regulatory changes have the majority of organizations placing greater emphasis on maintaining an effective whistleblower program and monitoring intermediaries in foreign locations via enhanced Foreign Corrupt Practices Act (FCPA)-related policies and procedures.

Technology risk
Nearly one-quarter of respondents have discussed information technology (IT) trends and governance implications with the chief information officer (CIO) as many as five times in the past year. While 69% of CAEs say their organizations use cloud computing, 64% of them don’t include it in their internal audit plan.

For more information, contact a member of the Governance, Risk and Compliance Solution Group:

Warren Stippich
National and Midwest Region Solution Leader
T 312.602.8499
E Warren.Stippich@us.gt.com

Bailey Jordan
Southeast Region Solution Leader
T 919.881.2790
E Bailey.Jordan@us.gt.com

Bill Mellon
Northeast Region Solution Leader
T 215.376.6087
E Bill.Mellon@us.gt.com

Edward Hill
Central Region Solution Leader
T 832.476.3710
E Edward.Hill@us.gt.com

Justin Hendrickson
West Region Solution Leader
T 206.398.2436
E Justin.Hendrickson@us.gt.com
7. Internal audit career paths
Internal audit is coming of age. Audit professionals increasingly view internal audit positions as a springboard to executive careers within today’s organizations: Nearly seven in 10 CAEs (68%) see the internal audit department as a stepping-stone for advancement to future leadership positions beyond their current role.

I believe the internal audit function is a grooming place for future leadership roles elsewhere in my organization.
Agree: 68%
Neutral: 19%
Disagree: 13%

Asked what their next career step might be, many CAEs say they expect either to move into another executive management position within their own organization (30%) or to make the move to a CAE role with more authority at a larger company (23%). SOX legislation, which heightened financial reporting mandates, has elevated the status of internal audit. The post of CAE now offers exposure to all aspects of business as an executive as well as to the board of directors, thus giving practitioners insight into the intricacies of how the organization works. This experience is increasingly valued by leadership, who may rely on internal audit to help them understand the implications of business decisions in today’s challenging economic climate.

CAE perceptions today reinforce the August 2010 findings of The Institute of Internal Auditors’ License to Lead survey of CAEs and audit committee members. Conducted in conjunction with Korn/Ferry International, the IIA survey found that audit committees, CEOs and CFOs are demanding more from the internal audit function than ever before. That survey indicates that today’s CAEs need broader experience, more business acumen, and other key leadership skills than ever before to be effective in today’s dynamic economic environment.[1] Internal audit is increasingly perceived as a business function that can help save money, eliminate inefficient business practices and minimize risk.

Gaining this level of experience and exposure may still be a work in progress. Only 13% of respondents belong to a board of directors at another organization, usually a not-for-profit. Of those CAEs currently on outside boards, 36% serve on audit committees, 22% on finance committees and 13% on governance committees. Up-and-coming professionals that embrace these trends may soon be pushing for experience on outside boards of directors — and audit committees in particular — to obtain the broad view these types of oversight roles provide, even if that board presence is within a charitable organization.

“Sitting in an audit committee role at another organization gives the CAE a unique perspective of seeing the role of board member and governance oversight monitoring firsthand through a different lens,” explains National Governance, Risk and Compliance (GRC) Solution Leader and Partner Warren Stippich. “It can only make the CAE a better governance executive and a better all-around business adviser to his or her company.” Through advanced education and thought leadership development, CAEs will be better able to meet the demands of audit committees and management who are looking for internal audit to more proactively provide strong business insight than ever before.

[1] See www.kornferryinstitute.com/about_us/thought_leadership_library/publication/2316/license_to_lead
8. Organizational structure of internal audit departments
Many CAEs responding to our survey come from organizations whose audit shops are relatively small; 75% of CAEs rely on 10 or fewer employees. The size of internal audit departments is expected to remain largely unchanged over the next 12 months; 73% of CAEs foresee no change in the size of their departments. Another 23% expect their departments to grow. Of CAEs that expect growth, 71% are from departments that have fewer than 10 employees.

How many in-house employees work in your internal audit organization?
0: 2%
1-10: 75%
11-25: 15%
More than 25: 8%

How do you expect these numbers to change in the next 12 months?
Increase: 23%
Stay the same: 73%
Decrease: 4%

With U.S. unemployment figures still hovering at their highest levels in 10 years, the expectation that departments will continue to be staffed at 2010 levels indicates that the volatile economic turmoil of the past three years may be subsiding.

Executive search consultant Buzz Patterson of Chicago-based Donahue/Patterson Associates notes that while the overall size of internal audit departments will likely not change, the makeup of the individuals within those departments may. Many highly talented individuals are in the market for traditional internal audit roles in corporate settings for the first time in a long while. “This is an opportunity for companies to ‘change out’ the individuals on the internal audit team, especially at the leadership level,” observes Patterson.

Who actually performs internal audit activities will vary across organizations. Almost two-thirds of respondents (63%) indicate that all internal audit activities are performed in-house. Another one-third (35%) rely on a co-sourcing mix, meaning that internal audit responsibilities are shared between in-house auditors and third-party service providers. Just over 2% of respondents fully outsource their internal audit functions.

As internal audit activities expand into ever more complex governance, business improvement and IT areas, more CAEs will have to decide whether to invest in upgrading in-house skill sets or increase reliance on third-party service providers for subject-matter expertise.
9. Indeed, CAEs are already facing difficult sourcing decisions and coming to different conclusions about how to meet auditing needs. Plans for outsourcing some audit activities in the next 12 months are varied: About two-thirds of CAEs (64%) plan to continue outsourcing or co-sourcing at current levels, while 20% expect to increase external sourcing. One CAE at a manufacturing company notes, “Finding the right talent on a timely basis has proven challenging, even in this down economy. That is driving me to look outside for external service providers to help meet my scheduling needs.”

Another 16% of CAEs plan to decrease their reliance on outside resources. The survey results indicate that in general, CAEs expect to make only marginal changes in their dependence on outsourcing and co-sourcing to meet auditing needs.

Nevertheless, as the trend to increase the scope of internal audit activities continues, reliance on outsourcing and co-sourcing is likely to persist given the sheer volume of work that needs to be done. CAEs indicate they will continue using outsourcing and co-sourcing arrangements, particularly for subject matter expertise. Third-party providers are also relied upon for operational areas where in-house knowledge is shallow. One of those areas is IT work. “Internal auditors are turning to providers with special knowledge to perform highly technical IT audits,” says Stippich. “This is insight into an area that the organization’s internal auditors may know little about.” In fact, 55% of CAEs list IT audits — both security and nonsecurity — as the most outsourced or co-sourced functions.

[Bar chart: What roles are you outsourcing/co-sourcing? Categories: Subject matter expertise, Staff, Management. Respondents could select more than one answer.]

Despite organizational demands pulling them in new directions, CAEs say that their audit time is split almost evenly among four main areas of risk: strategic, operational, financial and compliance. While financial risk understandably consumes the most time, some CAEs say that operational risk (36%) slightly edges out time spent on threats to compliance (33%). Given that SOX measures have largely been implemented by now, our findings may indicate that internal audit may be able to focus its attention more broadly on emerging risk areas and operational risk.

Almost one-half of all CAEs, meanwhile, rank strategic risks as the least important element in their audit focus. It is unclear whether this means that strategic risks are being evaluated elsewhere in the organization — for instance, within specific operating units or an enterprise risk management (ERM) program — or not at all. Or, as Stippich observes, the response might reflect a prioritization of limited resources that puts financial, operational and SOX-related risk mitigation efforts ahead of strategic risk evaluations. Stippich notes, “As CAEs and internal auditors take on additional value-added activities, the opportunity exists for the internal audit function to work through strategic risk assessments and discussions.”
10. Internal auditing approach
Virtually all CAEs are engaged in operational auditing, with more than nine in 10 respondents (91%) now performing some form of operational audit. Operational audits generally focus on the systematic review and evaluation of an aspect or area of a business or business unit to determine whether it is functioning effectively and efficiently, meeting objectives and goals, and using resources appropriately.[2] “In some respects this is surprising, based on what I’ve seen in the marketplace recently,” comments National GRC Solution Executive Co-Sponsor Steve Siemborski. “I think the CAEs’ definition of operational auditing is quite broad. The real proof will be if management and the audit committee agree that operational auditing is taking place and adding value,” Siemborski continues.

The percentage of internal audit time dedicated to operational auditing varies among organizations. One-fourth of CAEs (25%) currently spend more than 50% of their time focused on operational auditing, and nearly one-quarter (23%) believe that amount of time will increase in the next 12 months as businesses are pushed harder to achieve optimal performance during the economic recovery. For organizations that had to reduce transaction processing and operating headcount, this area could be fraught with audit risk. A director of internal audit at a retailer notes, “Trying to balance compliance audit needs with operational audit opportunities continues to tax the group time-wise and skill-wise.”

One audit tool CAEs plan to rely on more to achieve higher levels of operational auditing is continuous auditing. The concept of continuous auditing has been around for some time but is not widely applied, as shown by the small number of internal audit professionals currently engaged in the practice. Continuous auditing is any method used by auditors to perform audit-related activities on a more continuous or continual basis.[3] Specifically, continuous auditing is the application of automated tools to provide assurance on financial and nonfinancial data within an organization on an ongoing basis throughout the year. “We live in an era in which technology is the key to just about everything. For internal auditors, technology is critical to enabling continuous auditing as a method to automatically perform control and risk monitoring on a more frequent basis and has to be embraced fully,” states National GRC Solution Executive Co-Sponsor Mike Rose. Continuous auditing changes the audit paradigm from periodic reviews of a sample of transactions to ongoing audit testing of all transactions.

One-third of CAEs say they rely on continuous auditing, yet more than one-half of those CAEs (56%) spend less than 10% of internal audit hours on these efforts. “The change management involved in implementing effective continuous auditing has been a steep mountain to climb for many CAEs and internal audit departments, because it is a significant break from the old way of doing things,” says Stippich.

When automated processes are used effectively, practitioners can provide a higher level of assurance over more significant risks. CAEs recognize that value; almost half of respondents (44%) expect their hours dedicated to continuous auditing to increase over the next 12 months.

[2] For more information about operational auditing, see Grant Thornton’s CorporateGovernor white paper The blank sheet of paper: An old tool is new again, www.GrantThornton.com/corporategovernorseries.

[3] The Institute of Internal Auditors, Global Technology Audit Guide 3, Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment. The guide is available for purchase at www.theiia.org/guidance/technology/gtag3/?search=GTAG%20continuous%20auditing.
11. Do you perform operational auditing?
Yes: 91%
No: 9%

Do you perform continuous auditing?
Yes: 33%
No: 67%

What percentage of hours is dedicated to operational auditing?
Less than 10%: 9%
11-25%: 35%
26-50%: 32%
More than 50%: 25%

What percentage of hours is dedicated to continuous auditing?
Less than 10%: 56%
11-20%: 27%
21-25%: 10%
More than 25%: 7%

Responses do not total 100% due to rounding.

Operational auditing: How will your number of hours change in the next 12 months?
Increase: 23%
Stay the same: 69%
Decrease: 7%

Continuous auditing: How will your number of hours change in the next 12 months?
Increase: 44%
Stay the same: 55%
Decrease: 1%

Responses do not total 100% due to rounding.
12. International resources
Internal audit operations are moving abroad as many organizations pursue global agendas. About four in 10 CAEs (39%) say that some of their organizations’ internal audit activities take place on foreign soil. Of these CAEs, about 85% have domestic internal audit staff travel to foreign locations. These results indicate that U.S.-based internal auditors can reasonably expect to travel abroad, the cost for which will be borne by U.S. audit departments. But there is also a benefit: As their international experience increases, U.S.-based internal auditors can build valuable cross-cultural relationships. One CAE at a global financial services firm notes, “The real balancing act is controlling travel and entertainment costs for the global travel of U.S.-based internal auditors with the benefits of bringing the American culture to the local country subsidiary.”

What percentage of non-U.S. work is conducted by domestic internal audit staff traveling to those foreign locations?
0%: 13%
1-25%: 34%
26-50%: 11%
51-75%: 9%
More than 75%: 31%
Do not know: 2%

What perce… providers w… (second chart, cut off in the source)
0%: 50%
1-25%: 26%
26-50%: 12…
51-75%: 7%
More than …
Do not kno…
Responses do…

Of CAEs reporting that their organizations perform internal audit activities in other countries, more than two-thirds (69%) note that foreign internal audit personnel do not report directly to CAEs in the U.S. They may be reporting to a local internal audit director assigned to that region of the world or even to local business unit management.

Almost one-half of all CAEs (48%) whose organizations perform foreign internal audit activities say that up to 25% of that work is performed in BRIC countries (Brazil, Russia, India and China). Their high economic growth and sustainable rate of economic activity signal a dynamic market shift that may consume more internal audit resources in the coming years. Internal audit departments must position themselves to handle growth in risk monitoring in these parts of the world.

What percentage of current internal audit effort is in BRIC (Brazil, Russia, India, China) countries?
0%: 43%
1-25%: 48%
26-50%: 6%
51-75%: 2%
More than 75%: 1%
Do not know: 2%
Responses do not total 100% due to rounding.
13. Board relationships
Virtually all CAEs (95%) believe that internal audit is valuable to the audit committee, with most respondents placing emphasis on risk-monitoring activities and efforts that strengthen corporate governance oversight. Respondents think that business planning, increased efficiency and general business advice are of less value to the board right now. These results may indicate that CAEs are not doing enough of these activities to add consistent and recognizable value. Based on audit committee feedback given to Grant Thornton GRC partners, we believe that audit committees are always looking for additional value-added discussions from the internal audit function. Providing the board with strategic insight, business improvement recommendations and general business advice should be an area of value growth for internal audit.

Three in four CAEs (75%) meet individually with audit committee chairs often, whether in person or by phone. Six in 10 of those respondents (60%) meet up to five times a year with the chair of the audit committee outside regular committee and board meetings. On the other hand, one-quarter of CAEs do not meet with the audit committee chair outside committee meetings at all. These results are surprising and may indicate a need to improve communication, since it is customary to spend time with the audit committee chair outside a regular meeting, usually at his or her request, in order to establish a strong tone of governance.

How many times a year do you meet one-on-one (in person or by phone) with the AC chair outside of regular committee and board meetings?
1-2: 29%
3-5: 31%
6-10: 9%
More than 10: 5%
Never: 25%
Responses do not total 100% due to rounding.

The requisite independent and objective mindset of internal auditors is illustrated by the large number of professionals who do not shy away from conflict. Roughly one-half of CAEs (52%) say they have to take matters to the audit committee that counter management’s view, and most CAEs — about nine in 10 (89%) — feel comfortable discussing issues with the audit committee that are inconsistent with management’s position.

As organizations expand their reach and activities in today’s higher-risk environment, this open line of communication between objective auditors and overseers at the board level can help provide a check-and-balance mechanism to prevent problems from growing.

Stippich observes: “This data shows that CAEs are independent thinkers and are doing what’s right to uphold the profession and to be the eyes and ears for the audit committee, which is their primary job. Having a CAE report directly to the audit committee helps ensure that the CAE feels safe about raising concerns that may run counter to management’s thinking.”
14. Internal audit technology
As the regulatory environment evolves, globalization increases and the business environment changes rapidly, audit committees and executive management are in need of timely, ongoing assurance that controls are working properly and risk is being mitigated effectively. These demands have increased the pressure on internal audit staff — pressure that can be alleviated, at least in part, through a greater reliance on technology.

But when it comes to using technology, CAEs see plenty of room for improvement in the internal audit department: More than four in 10 of them (44%) say that their organizations are not effectively leveraging GRC-specific technology. GRC technology generally enables an organization to perform and manage GRC-related strategy and implementation, such as cataloging risks and compliance requirements and the controls associated with them.

I believe that my organization effectively leverages governance, risk and compliance (GRC)-specific technology.
Agree: 26%
Neutral: 30%
Disagree: 44%

Automated technology solutions that facilitate the GRC process are at work in just over one-half of internal audit shops (54%). Among these organizations, the top three uses for GRC technology are internal audit documentation (37%), internal audit function management and administration (31%), and SOX testing (28%). Use of GRC technology may increase as fundamental concerns about governance, risk management, and compliance costs consume more time at the board and management levels.

Despite respondents’ generally limited use of GRC technology, two-thirds (66%) are using data analytics — or business and audit intelligence — to enhance the internal audit function. Data analytics has the potential to transform both the internal audit department itself and the department’s value to the organization by helping organizations identify and manage risks more effectively, efficiently and promptly.[4] The IIA already recognizes the growing importance of data analytics to the future of internal audit.

CAEs who are using data analytics have achieved more efficient internal audit processes (76%); quicker pattern, trend and relationship identification (71%); and increased internal audit coverage (61%). CAEs whose organizations have not yet adopted data analytics cite cost and training as their primary reasons.

[4] See Grant Thornton’s white paper Information overload: How to make data analytics work for the internal audit function, www.GrantThornton.com/informationoverload
15. Risk management
Internal audit helps organizations identify, assess and prioritize risk. Nearly one-half of CAEs (48%) find the shifting regulatory landscape to pose the greatest threat to their companies. Since the passage of SOX, organizations have had to dedicate significant resources to comply with a host of new laws and regulations, including the Red Flags Rule, as mandated by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act); Payment Card Industry (PCI) security standards; the HIPAA Privacy Rule; and, most recently, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).

Additional risks beyond potential noncompliance with these new laws, rules and regulations can be found in a variety of areas. Among the risks CAEs cited most often were global expansion into new regions or culturally different locations (22%), new initiatives as the economic recovery takes hold (13%), and the launch of new products or services (12%).

What do you believe is the single biggest risk to your company?
Changes in the regulatory environment: 48%
Expansion into new territories/locations with culturally different values and perspectives on governance: 22%
Number of change initiatives we are about to undertake when the recovery happens: 13%
Expansion into new products or services: 12%
Other: 5%

Despite the additional burden that SOX places on organizations from a resource and cost standpoint, nearly nine in 10 CAEs (88%) do not believe that SOX should be repealed for all companies. Whether this outlook reflects resistance to additional regulatory change in the form of repeal or, alternatively, recognition that SOX provides value to some organizations is unclear. Based on discussions with various CAEs during the survey process, many believe that SOX brings a continued focus by management on financial and governance-related controls. Overwhelmingly, CAEs believe that entity-level controls, monitoring controls and the tone at the top have all improved over the nine years since SOX became effective. For the respondents who believe that SOX should be repealed, the cost of compliance was their main reason.

When it comes to risk management and governance, internal audit takes part in a variety of activities within organizations. More than three-quarters of the CAEs (77%) conduct fraud investigations and 59% are engaged in educating the board and management about governance topics. Other activities include having a role on the ERM team and auditing the ERM process.

[Bar chart: Which of the following activities does your internal audit organization perform? Categories: Conducting fraud investigations; Educating board and management on governance topics; Having a role on the ERM team; Auditing the ERM process. Respondents could select more than one answer.]
16. Nearly three in four organizations (72%) have formal anti-fraud policies and procedures in place. When internal fraud investigations are conducted, almost one-half of them are led by CAEs (46%), with just under one-third of investigations being supervised by the chief counsel (32%). These results might seem surprising since leading fraud investigation is an area usually outside of internal audit’s role. However, it indicates that many organizations recognize that internal audit is well-equipped, in skills and training, to undertake evidence collection, conduct interrogations and perform other forensic accounting activities necessary to investigate suspicious activities as they occur.

In response to new rules and regulations, most organizations have enhanced anti-fraud efforts in specific areas. For relevant companies, CAEs say that Dodd-Frank Act requirements and enhanced whistleblower provisions have motivated them to place greater emphasis on maintaining an effective whistleblower program. Under the new law, a whistleblower that provides information regarding securities violations, including FCPA violations, can receive up to 30% of the proceeds of any monetary penalty resulting from the violation. This provides greater incentive for individuals to step forward when fraud is suspected, likely placing a higher investigative burden on internal audit and the general counsel.

With the passage of the Dodd-Frank Act and the enhanced whistleblower provisions, I believe that my organization places great importance on having an effective whistleblower program.
Agree 62%
Neutral 28%
Disagree 10%

In order to comply with the FCPA, a majority of internal auditors are looking to better oversee the activities of foreign agents. More than half of respondents are monitoring intermediaries in foreign locations in some way, including conducting due diligence on foreign agents engaged for the first time (23%), performing annual certification or background checks (15%), or conducting visits to the intermediary (10%). But 23% are not doing anything to comply with FCPA requirements. The punitive sanctions associated with noncompliance for companies and individuals should have all CAEs engaged in compliance activities if their organizations conduct operations overseas.

Relating to the Foreign Corrupt Practices Act (FCPA), what is your organization doing to monitor your intermediaries in foreign locations?
We are not doing anything to monitor intermediaries 23%
Conducting due diligence when engaging for the first time 23%
Performing an annual certification/background-checking process 15%
Visiting the intermediary home base 10%
Hiring a third party to visit the intermediary home base 3%
Other 5%
Not applicable 21%

“It is still very surprising that many executives do not seem to understand the ramifications of FCPA violations for the organizations involved for simply not being proactive in trying to detect and deter such activity,” states William Olsen, a principal in Grant Thornton’s Forensics, Litigation and Investigation Services practice. Olsen warns: “Organizations should be cautious when performing FCPA investigations. The investigation team should have the proper skills and expertise for examining these matters. Otherwise, violations may go undetected.”
17. Technology risk
IT issues are an important part of internal audit’s risk assessment process. IT’s impact on the organization’s overall risks has prompted dialogue between internal auditors and IT, management, and business process owners. More than two-fifths of respondents (43%) discuss IT trends and governance implications with the CIO once or twice a year; nearly one-quarter (23%) have broached the topic up to five times in the past year alone.

In the past year, how often have you and the chief information officer/VP of IT engaged in conversations regarding IT trends and their governance implications?
1-2 times 43%
3-5 times 23%
More than 5 times 16%
Never 18%

Survey respondents are relatively aware of cloud computing and the possibilities inherent in pushing data from internal corporate IT infrastructure to a global mesh of shared servers. More than three in four CAEs (77%) are at least somewhat familiar with cloud computing. Many respondents (69%) say that their organizations already use the cloud to reduce costs, improve operations and gain strategic advantages. Despite these statistics, 64% of CAEs say that cloud computing is not part of the internal audit plan. These results indicate room for improvement in planning, auditing and risk mitigation efforts as cloud computing evolves.

How much of your company’s IT environment currently operates in the cloud?
None 31%
Minimal 43%
Moderate 20%
Substantial 5%
Extensive 1%

Survey responses suggest a lack of clarity around a definition for cloud computing, an understanding of its risks, and its implications for the business environment. Despite their unanswered questions, close to one-half of respondents (45%) expect their organization’s use of the cloud for hosting applications to increase in the next 12 months.

Similar results appear in the 2011 CIO Agenda survey conducted by Gartner Executive Programs. CIOs responding to the Gartner survey identify cloud computing as a top technology priority for 2011. While only 3% of CIOs in that survey run the majority of their IT in the cloud or on software as a service (SaaS) technology today, that number is expected to jump to 43% over the next four years.5

“Cloud computing is making real inroads at companies that choose to support growth and operational efficiencies through technology,” observes Grant Thornton’s National Business Consulting Solutions Leader Susan Pentecost. “Embracing the cloud can lead to real competitive advantages.”

Surprisingly, the security and controls implications of cloud computing are not foremost in the minds of the CAEs we surveyed: More than two in five of them (43%) have yet to give these issues any thought. “As more IT activities take place in a cloud environment, CAEs will need to be prepared to address the inherent risks and plan their internal audit approach accordingly,” cautions Stippich.

Which best describes your view as to the security, governance, risk and controls implications in moving to a cloud environment?
I haven’t really given it much thought. 43%
There will be significant change, but we are already working on it and understand the implications. 26%
It will not change the risk or controls profile of our company. 16%
There will be significant change, and neither internal audit nor IT fully understands the implications. 15%

5 See Gartner Inc.’s 2011 press release Gartner Executive Programs Worldwide Survey of More Than 2,000 CIOs Identifies Cloud Computing as Top Technology Priority for CIOs in 2011, www.gartner.com/it/page.jsp?id=1526414. For more information about the survey, see www.gartner.com/cioagenda.
18. Conclusion
The results of our survey confirm that CAEs are seeking to create a new balance in the internal audit function. With their movement toward conducting fewer compliance-based activities and providing more value to the organization, internal audit professionals are responding to the changing demands of the profession. The survey findings also showcase the fact that risk management, particularly as it relates to fraud, technology and regulatory change, is still a high priority and a main concern.

Commenting on the survey results, Stippich is optimistic: “It’s outstanding to see where the profession is going. CAEs are extremely focused on rebalancing how they audit and are performing more operational audits. They are moving the meter on the use of technology and considering technology risk. I am also glad to see that global-mindedness is present in CAEs’ thinking. The profession has a very exciting future, and I’m thrilled to be part of it.”
19. About the Survey
Survey purpose
Budget constraints, emerging business risks, and the increasingly global reach of today’s diverse and complex organizations have created a demand for new ways of doing business. Internal audit roles and responsibilities are expanding in response to these changes. The 2011 survey of U.S. CAEs aimed to uncover how internal audit is adjusting to the changing demands of its role. We hope that by identifying trends taking place in the profession, we can provide CAEs with valuable insights for staffing, career progression, training, use of technology and audit planning.

Methodology
The survey was administered online and in person during November and December 2010. More than 300 internal audit professionals responded to the survey, which constituted 30-plus questions. Respondents were not required to answer every question.

Responses came from public and private companies in geographically dispersed U.S. locations. While there was a wide range of organizational revenues, the majority of respondents came from dynamic organizations in the middle market (defined as having $100 million to $5 billion in annual revenues). Respondents worked in a variety of industries such as professional services, consumer products, technology, health care, not-for-profit and manufacturing. Respondents performed internal audit functions under varying titles, including director (40%), chief audit executive (24%) and vice president (14%), among others. Throughout this survey, we refer to all respondents as CAEs.

Anonymity
This report reflects the words of respondents to the maximum extent possible. To preserve anonymity, the survey does not attribute responses to specific individuals.

Your company is:
Public 58%
Private 42%

Your company’s revenues are:
Less than $100M 12%
$100M-$500M 24%
$500M-$1B 21%
$1B-$5B 30%
Greater than $5B 12%
Responses do not total 100% due to rounding.

Industry
Professional services 16%
Consumer products 12%
Technology 11%
Retail 10%
Health care 9%
Not-for-profit 8%
Manufacturing 8%
Financial services 7%
Higher education 5%
Other 14%

Titles
Director 40%
Chief audit executive 24%
Vice president 14%
Internal auditor 13%
Chief financial officer 4%
Manager 4%
Other 2%
Responses do not total 100% due to rounding.