_________________________________________________________
Table of Contents 1
A GLOBAL SUMMARY
OF THE
COMMON BODY
OF KNOWLEDGE 2006
Principal Researchers
Priscilla A. Burnaby, PhD, CPA
Mohammad J. Abdolmohammadi, DBA, CPA
Susan Hass, CPA
Rob Melville, PhD, MIIA, FIIA
Marco Allegrini, PhD, CPA
Giuseppe D’Onza, PhD
Leen Paape, PhD, RA, RO, CIA
Gerrit Sarens, PhD
Marinda M. Marais, M Com Auditing, CIA
Elmarie Sadler, DCompt CA
Houdini Fourie, M Tech: Internal Auditing
Barry J. Cooper, PhD
Philomena Leung, PhD
William L. Taylor, CPA, CGFM
Chairman, CBOK Steering Committee
2 CGAP Examination Study Guide
___________________________________________
Disclosure
Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland
Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States
of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted
in any form by any means — electronic, mechanical, photocopying, recording, or otherwise —
without prior written permission of the publisher.
The IIARF publishes this document for informational and educational purposes. This document is
intended to provide information, but is not a substitute for legal or accounting advice. The IIARF
does not provide such advice and makes no warranty as to any legal or accounting results through
its publication of this document. When legal or accounting issues arise, professional assistance
should be sought and retained.
The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises
the full range of existing and developing practice guidance for the profession. The IPPF provides
guidance to internal auditors globally and paves the way to world-class internal auditing.
The mission of The IIA Research Foundation (IIARF) is to expand knowledge and understanding
of internal auditing by providing relevant research and educational products to advance the profession
globally.
ISBN 978-0-89413-618-4
08063 01/08
First Printing
_________________________________________________________
Table of Contents 7
DEDICATION
This research is dedicated to the memory of
William G. Bishop III, CIA
William G. Bishop III, CIA, served as president of The Institute of Internal Auditors (IIA) from
September 1992 until his untimely death in March 2004. With a motto of “I’m proud to be an
internal auditor,” he strived to make internal auditing a truly global profession. He was the driving
force behind the rapid growth of The IIA to over 120,000 members in approximately 100 countries.
Bill Bishop advocated quality research for the enhancement of the stature and practice of internal
auditing. To help enhance the future of this profession, it is vital for the profession to document the
evolution of the similarities and differences in the Common Body of Knowledge (CBOK) of internal
auditing worldwide.
The Institute of Internal Auditors Research Foundation
________________________________________________________________
Contents iii
CONTENTS
Acknowledgments ........................................................................................................................ ix
Chapter 1: Introduction ............................................................................................................. 1
CBOK 2006 ............................................................................................................................ 1
Overview ................................................................................................................................. 1
CBOK 2006 - Benefits to the Profession ............................................................................... 3
Prior IIA CBOK Studies ......................................................................................................... 4
Project Teams ......................................................................................................................... 5
CBOK 2006 Questionnaires .................................................................................................... 6
Clustering for Groups ............................................................................................................ 10
Appendix 1-A: Glossary of Terms Sent with CBOK 2006 Questionnaires .......................... 12
Appendix 1-B: Clustering of Groups and Number of Responses .......................................... 19
Chapter 2: A Worldwide Picture of the Internal Audit Activity ......................................... 25
Introduction ........................................................................................................................... 25
Survey Demographics Summary ........................................................................................... 26
Compliance with Internal Auditing Standards ...................................................................... 29
Staffing and Professional Development ................................................................................ 43
Internal Auditor Skills ............................................................................................................ 44
Internal Auditor Competencies and Knowledge Areas ......................................................... 48
Emerging Roles of the Internal Audit Activity ....................................................................... 53
Summary ............................................................................................................................... 58
Chapter 3: Survey Demographics .......................................................................................... 61
Introduction ........................................................................................................................... 61
Staff Levels of Respondents ................................................................................................. 63
IIA Membership .................................................................................................................... 64
Age of the Respondents ........................................................................................................ 67
Highest Level of Formal Education ....................................................................................... 70
Professional Qualifications .................................................................................................... 76
Areas of Professional Experience ......................................................................................... 80
Years of Existence of IAA and Years of CAE Experience .................................................. 81
Types of Organizations .......................................................................................................... 86
Service Providers of Internal Audit Services ........................................................................ 89
Age of Organizations ............................................................................................................ 90
The Institute of Internal Auditors Research Foundation
iv A Global Summary of the Common Body of Knowledge 2006
______________________
Industry Classification(s) ....................................................................................................... 91
Geographical Area Served by Organization .......................................................................... 96
Appendix 3 ............................................................................................................................ 99
Chapter 4: The Professional Practices Framework .......................................................... 105
Introduction ......................................................................................................................... 105
CBOK 2006 Survey Questions Related to the Standards .................................................. 107
Use of the Standards in Whole or in Part .......................................................................... 108
Compliance with the Standards ........................................................................................... 110
Adequacy of the Guidance Provided by the Standards ....................................................... 115
Use of and Adequacy of the Guidance Provided by the Practice Advisories ...................... 118
Reasons for Not Complying with the Standards ................................................................ 121
Quality Assurance and Improvement Program ................................................................... 128
Compliance with The IIA’s Code of Ethics ......................................................................... 146
Appendix 4-A: The IIA’s Standards, Practice Advisories, and
Glossary to the Standards as of September 2006 ........................................................ 147
Appendix 4-B ...................................................................................................................... 165
Chapter 5: Current Status of the Internal Audit Activity ................................................. 183
Introduction ......................................................................................................................... 183
The IAA’s Relationship within the Organization ................................................................. 184
Relationship with the Audit Committee ............................................................................... 191
External Relationships - Legislation Affecting Internal Auditing ......................................... 192
Organizations’ and CAEs’ Perceptions About the IAA ...................................................... 194
Methods Used to Measure the Value Added by the IAA ................................................... 197
Internal Audit Activity ......................................................................................................... 200
Managing the Internal Audit Activity .................................................................................. 202
Creating the Audit Plan ....................................................................................................... 204
Allocation of IAAs’ Time .................................................................................................... 207
Performing the Engagement - The Use of Tools ................................................................ 214
Current Usage of Audit Tools and Techniques ................................................................... 216
Predictive Changes in the Use of Audit Tools and Techniques
Over the Next Three Years .......................................................................................... 227
Resolution of Major Differences ......................................................................................... 233
Reporting of Findings .......................................................................................................... 235
Monitoring Corrective Action .............................................................................................. 237
Summary ............................................................................................................................. 239
Appendix 5 .......................................................................................................................... 240
The Institute of Internal Auditors Research Foundation
________________________________________________________________
Contents v
Chapter 6: Staffing and Professional Development ........................................................... 251
Introduction ......................................................................................................................... 251
Staffing ................................................................................................................................ 252
Service Providers ................................................................................................................ 259
Continuing Professional Development ................................................................................. 266
Summary ............................................................................................................................. 271
Appendix 6 .......................................................................................................................... 272
Chapter 7: Internal Audit Skills ........................................................................................... 279
Introduction ......................................................................................................................... 279
Technical Skills .................................................................................................................... 281
Behavioral Skills .................................................................................................................. 289
Summary ............................................................................................................................. 299
Appendix 7 .......................................................................................................................... 300
Chapter 8: Internal Auditor Competencies ........................................................................ 305
Introduction ......................................................................................................................... 305
Competencies ...................................................................................................................... 307
Areas of Knowledge ........................................................................................................... 323
Summary ............................................................................................................................. 331
Appendix 8 .......................................................................................................................... 332
Chapter 9: Emerging Roles of Internal Audit Activities .................................................. 339
Introduction ......................................................................................................................... 339
Years That the IAA and Organizations Have Existed ........................................................ 340
Changing Emphasis on Types of Audits .............................................................................. 344
Emerging Roles in Organizations’ Activities ........................................................................ 346
Organizational Environment and Key Activities of the IAA ............................................... 352
Summary ............................................................................................................................. 357
Chapter 10: Research Method and Literature Review ................................................... 359
Research Method ................................................................................................................ 359
Project Teams ............................................................................................................... 359
Pilot Test and Literature Review .................................................................................. 361
CBOK 2006 Questionnaires ......................................................................................... 363
Clustering for Groups .................................................................................................... 364
The Institute of Internal Auditors Research Foundation
vi A Global Summary of the Common Body of Knowledge 2006
______________________
Literature Review ............................................................................................................... 367
Introduction ................................................................................................................... 367
Prior IIA CBOK Studies .............................................................................................. 367
North American Literature Review on Internal Auditing ............................................. 372
Summary ....................................................................................................................... 379
Asia Pacific Literature Review on Internal Auditing .................................................... 380
European Literature Review on Internal Auditing ........................................................ 390
South African Literature Review on Internal Auditing ................................................. 398
Appendix 10-A: Pre-scope Questionnaire for CBOK ........................................................ 406
Appendix 10-B: Topical Areas That Are Addressed in Past and Current
IIA CBOK Studies ....................................................................................................... 418
Appendix 10-C: CBOK 2006 CAE and Practitioner Questionnaire ................................... 421
The William G. Bishop III, CIA, Memorial Fund Contributors .................................................. 455
The IIA Research Foundation Chairman’s Circle ..................................................................... 458
The IIA Research Foundation Board of Trustees ..................................................................... 459
The IIA Research Foundation Board of Research and Education Advisors ............................ 460
The Institute of Internal Auditors Research Foundation
_________________________________________________________ Acknowledgments ix
ACKNOWLEDGMENTS
With a project of this magnitude and importance, there are literally thousands of people who have
contributed to the successful completion of the Common Body of Knowledge (CBOK) 2006 research
report. I would like to start by thanking William Taylor, chair of the CBOK Steering Committee,
who was the heart of the project. His goal was to make sure that this report honored the memory
of William G. Bishop III, CIA, past president of The Institute of Internal Auditors (IIA) who was
the driving force behind the rapid growth of The IIA to over 120,000 members in approximately
100 countries. At The IIA, the entire staff provided guidance and input. Special thanks to Jeffrey
Swerdlow, PMP, chair of the CBOK Oversight Committee and the director of project management
for The IIA Research Foundation. He worked tirelessly to keep the project on time and performed
numerous duties such as monitoring the translations of the questionnaires into 16 additional languages,
keeping all of us on track, and coordinating the many needs and demands of those involved at The
IIA and on the research teams. It is a true tribute to his skills that this expansive project was
completed on time with such a quality product. Two other key people on The IIA staff that I would
like to recognize are Donna Batten, director of Global Audit Information Network (GAIN), and
Sylvia Boyd, director of affiliate relations. Both were instrumental in the success of the project. I
would also like to thank all the IIA members who participated by completing the pilot study, the
questionnaires, and editing the text.
Team Americas was truly blessed with four wonderful graduate research assistants. On the first
phase of the project, Lisa Hsi was instrumental with the literature review, development of the
questionnaires, and creation of a database for the affiliates. After Lisa graduated, we were fortunate
to hire Diana Tien. She helped with data cleansing, completing the report for the affiliates, and
transferring the data into tables. Yi Zhou worked on the tables and the editing process to make sure
that all the references and numbers were correct in the text. On the final phase of writing the
report, Shubin Liang converted tables into figures. From Bentley’s Academic Technology Center,
Maria Skaletsky and Gaurav Shah helped with the many software packages needed to complete
this product.
The cooperation and sharing among the three research teams made this project a truly collaborative
effort. On the two occasions when we had summits, we all agreed it was extremely exciting and
exhilarating to have so many professors who selected internal auditing as their primary field of
teaching and research together in one room. As team coordinators, Barry Cooper and Rob Melville
did a great job getting participants for the pilot study and working with local affiliates. All the
members of both teams made significant contributions to the research project.
The Institute of Internal Auditors Research Foundation
x A Global Summary of the Common Body of Knowledge 2006
______________________
I saved the members of my team to thank last. Both Mohammad (Ali) Abdolmohammadi and
Susan Hass made significant contributions to the planning and construction of the CBOK 2006. Ali
did a hero’s job on the data cleansing and analysis. He worked tirelessly to provide data for the
tables. Susan Hass and I did most of the work on the development of the questionnaires, data
presentation for the tables, writing many of the chapters, and editing the other teams’ contributions
to the final text. Each did an extraordinary job under a great deal of pressure. Audrey Gramling and
Richard Cleary contributed in a consulting capacity.
This report owes its contents to thousands of IIA members all over the world, each of whom
contributed to The IIA’s Common Body of Knowledge 2006. Thank you all!
Priscilla A. Burnaby, PhD, CPA
Professor of Accountancy
Bentley College
Waltham, MA, USA
Coordinator of CBOK 2006
The Institute of Internal Auditors Research Foundation
_________________________________________________________ Acknowledgments xi
It has been my pleasure to be the chair of the CBOK Steering Committee and The William G.
Bishop III, CIA, Memorial Fund from which this project was funded. As a former IIA chair of the
board, I recognize the importance of this project as we seek to further understand our profession,
how it is practiced throughout the world, and how we will continue to add value to our organizations
in the future.
Completing this project has been a monumental accomplishment. We were fortunate to have a
tremendously talented group of IIA committees, volunteers, and IIA staff working with us. I would
like to personally thank several people and groups without whom this project would not have been
possible.
The IIA Research Foundation Board of Trustees provided sound guidance and advice throughout
the project. Their input, feedback, and suggestions ensured that the project lived up to its expectations.
A special thank you goes to Roderick Winters, CIA, president of The Research Foundation and
vice chair of The IIA Board. Rod provided a great deal of support to this project and truly established
the vision for what we accomplished.
The CBOK Steering Committee was an active participant throughout the project. This committee
provided valuable guidance and overall direction to the project. I am proud that the Steering Committee
is comprised of individuals from throughout the world. Members of the Steering Committee are
Jackie Cain, Phil Tarling, Warren Hersch, Sri Ramamoorti, Urton Anderson, Louis Vaurs, Chris
McRostie, Thijs Smit, Charity Prentice, and Jeffrey Swerdlow.
The Research Foundation’s Board of Research and Education Advisors (BREA) played a critical
role throughout the project. This extremely dedicated committee is responsible for reviewing all
proposals received and reviewing all research and educational products produced by The Research
Foundation. Throughout the course of the project, BREA provided valuable opinions and helped to
shape the format of the complete research report. Bob Foster has been the chair of BREA during
this project and has contributed immensely to our success.
Considering the importance of this project, we wanted to ensure that we received a wide variety of
input and feedback. To this end, we recruited almost 100 volunteers from all of The IIA’s international
committees to review and provide feedback on the early first drafts of the complete research
report. The reviewers provided us with candid and valuable feedback which helped shape the
report. To manage a review effort of this magnitude, six members of BREA graciously volunteered
their time to act as review team leaders. Thomas Clooney, Susan Driver, Don Espersen, Dan
Gould, Raj Muthu Venkatachalam, and Mark Radde deserve special recognition for performing
this vital role.
The Institute of Internal Auditors Research Foundation
xii A Global Summary of the Common Body of Knowledge 2006 ______________________
Dominique Vincenti, CIA, chief advocacy officer of The IIA and executive director of The Research
Foundation, dedicated a great deal of her time to the project. Dominique was able to bring her
background as a CAE to the project. She provided feedback and leadership at all stages of the
project and her contribution was critical to its success.
Jeffrey Swerdlow, PMP, director of project management for The Research Foundation, was the
primary reason the project was completed on time and within budget. He proved that managing
such an expansive project required participation from not only all worldwide affiliates and members
but also the knowledge leaders of The IIA and staff. His overall plans and programs required
participation from many interested groups and he performed in an exemplary manner, truly indicating
that a project of this magnitude requires not only audit leaders, but a dedicated and professional
project manager.
I would be remiss if I did not thank each and every person and organization that donated to The
William G. Bishop III, CIA, Memorial Fund. This fund underwrote the cost of CBOK 2006. Thanks
to the generous donations we received, CBOK was funded to ensure a top quality result.
William L. Taylor, CPA, CGFM
Former IIA Chair of the Board
McLean, Virginia, U.S.A.
CBOK Steering Committee Chair
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS
Chapter 1
Chapter 1: Introduction.............................................................................................................. 1
CBOK 2006 ............................................................................................................................ 1
Overview................................................................................................................................. 1
CBOK 2006 - Benefits to the Profession ................................................................................ 3
Prior IIA CBOK Studies ......................................................................................................... 4
Project Teams ......................................................................................................................... 5
CBOK 2006 Questionnaires ................................................................................................... 6
Clustering for Groups ........................................................................................................... 10
Appendix 1-A: Glossary of Terms Sent with CBOK 2006 Questionnaires.......................... 12
Appendix 1-B: Clustering of Groups and Number of Responses ......................................... 19
Disclosure
Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland
Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of
America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior
written permission of the publisher.
The IIARF publishes this document for informational and educational purposes. This document is intended
to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide
such advice and makes no warranty as to any legal or accounting results through its publication of this
document. When legal or accounting issues arise, professional assistance should be sought and retained.
The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full
range of existing and developing practice guidance for the profession. The IPPF provides guidance to
internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA
Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting
research and knowledge resources to enhance the development and effectiveness of the internal auditing
profession.
The Institute of Internal Auditors Research Foundation
_____________________________________________________
Chapter 1: Introduction 1
CHAPTER 1
INTRODUCTION
CBOK 2006
The Common Body of Knowledge (CBOK) 2006 study is part of an ongoing global research
program funded by The Institute of Internal Auditors Research Foundation (IIARF) to broaden the
understanding of how internal auditing is practiced throughout the world. The overall purpose of
the CBOK 2006 project is to develop the most comprehensive database ever to capture a current
view of the global state of the internal audit profession. The database contains information about
compliance with The Institute of Internal Auditors’ (IIA) International Standards for the
Professional Practice of Internal Auditing (Standards), the state of the internal audit activity
(IAA), staffing, skills, competencies, and the emerging roles of the IAA. Some information was
collected about the influences of cultural and legal factors about the development and practice of
internal auditing around the world. The objective is to establish a baseline for comparison when the
CBOK study is repeated in the future. The database will be updated to understand the evolution of
global internal audit practices. Future studies will build upon this baseline, allowing for comparison,
analysis, and trending.
Overview1
The objectives of this chapter are to introduce CBOK 2006, provide a brief overview of past
CBOK studies, review actions taken to perform the study, and to explain how the groupings of
chapters and affiliates were determined. Within the United States and Canada, local groups of The
IIA’s members are called chapters. Affiliates are independent organizations outside North America
that provide services to members in their geographic locations. IIA affiliates are now referred to
as “chapters and institutes.” This change officially took place after the CBOK 2006 survey was
conducted. It was approved by The IIA’s Board of Directors on July 14, 2007, for implementation
on January 1, 2008. For this reason, the use of “affiliates” is maintained throughout the CBOK
2006 report.
1
The CBOK review and the Team America’s literature review were published in a special CBOK 2006 issue of
Managerial Auditing Journal (MAJ), Volume 21, Issue 8, in October 2006. With permission from the publisher of
MAJ, this section uses portions of the following article: Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “A
review of prior common body of knowledge (CBOK) studies in internal auditing and an overview of the global CBOK
2006,” Managerial Auditing Journal 21 (8), 2006, pp. 811-821. Hass, S., M.J. Abdolmohammadi, and P.A. Burnaby,
“The Americas literature review on internal auditing,” Managerial Auditing Journal 21 (8), 2006, pp. 835-844.
The Institute of Internal Auditors Research Foundation
2 A Global Summary of the Common Body of Knowledge 2006
______________________
At the core of the CBOK 2006 study were three surveys sent to internal auditors worldwide to
gather information concerning how they comply with the Standards, how their IAAs function, and
emerging roles of the IAA. One survey was sent to chief audit executives (CAEs), another to all
other levels of internal auditing Practitioners, and a third to the leadership of The IIA’s affiliates.
Since the Standards were first promulgated, internal auditors have had the opportunity to apply
them to create a high level of standardization resulting in best practices for internal auditors
worldwide. While the Standards provide a unifying mechanism for enhancing value and consistency
across diverse legal and economic environments, research suggests that cultural, legal, and economic
differences influence the practice of internal auditing in each country. The CBOK 2006 study has
produced a body of data for the continuing study of the evolution of the global practice of internal
auditing.
As discussed in The IIARF’s Competency Framework for Internal Auditing: An Overview,
core competencies change over time (McIntosh, 1999). Some of the major factors influencing
these changes are the needs of organizations, technology, and the complexity of business transactions
and systems. CBOK 2006 adds to this body of literature and expands the scope by extending the
population surveyed to the entire international membership of The IIA. To include current practices
and explore emerging roles for the profession, CBOK 2006 added several topical areas that were
not included in prior CBOK studies. In Chapter 10, Appendix 10-B lists the topics studied in the
current and past CBOK studies. As described below in The IIA’s 1999 definition of internal auditing,
CBOK 2006 uses the expanded scope of the IAA as the basis for its focus.
The IIA’s 1999 vision for the future task force recommended that the new Professional Practices
Framework should be “a more comprehensive and elastic framework.” Based on this
recommendation, the task force provided the following definition of internal auditing which was
adopted by The IIA’s Board of Directors in June 1999:
Internal auditing is an independent, objective assurance and consulting activity designed to
add value and improve an organization’s operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.
The expanded definition of internal auditing includes consulting activities and value-added services
for evaluation and improvement of the effectiveness of the risk management and governance
processes. Since the CBOK 2006 questionnaires were sent out in September 2006, all references
to The IIA’s Standards are as of that date.
The Institute of Internal Auditors Research Foundation
_____________________________________________________
Chapter 1: Introduction 3
The expansion of the internal audit scope has necessitated that internal auditors continuously develop
new skills and learn new audit tools and technologies. There is very little information about the
current state of skills, tools, and technologies used on engagements in existing internal auditing
literature. The CBOK 2006 database includes the skills, tools, and techniques respondents indicate
are necessary for internal auditors currently, and in the future, to perform their jobs and enhance
audit efficiency and effectiveness. It also identifies emerging roles that The IIA will need to address
in support of its members and the profession. The resulting CBOK 2006 database and research
report can be used to improve the understanding of the current state of internal audit practices,
anticipate the use of new skills, tools, and technologies, and promote the enhancement of
standardization and performance of internal auditing worldwide.
Chapter 2 provides a brief summary of selected CBOK 2006 data. Chapters 3 through 9 provide
details of all the data collected in total from all respondents and by staff level and/or by groups as
applicable. Chapter 10 contains the process used to collect the data and a detailed literature review
of previously published articles about internal auditing around the world.
CBOK 2006 - Benefits to the Profession
The Standards have three purposes: educating internal auditors about the role and responsibilities
of internal auditing, providing a basis for measuring performance, and improving the practice of
internal auditing. Internal auditing is performed in diverse economic and cultural environments
within organizations that vary in purpose, size, and structure. These differences affect compliance
with the Standards. CBOK 2006 identifies some of these diverse environments and groups culturally
similar chapters and affiliates together. The groups’ usage of the Standards and the scope of the
IAA are then compared.
The information gathered in CBOK 2006 can be useful in many different ways. For example, the
results of the study can be used as a resource, reference, or comparison mechanism by internal
auditors and other stakeholders of the internal audit profession. Where there is a need for knowledge
and skills to be enhanced, the CBOK 2006 results can be used as a guide for The IIA to develop
continuing education materials so their members can acquire and then implement the appropriate
knowledge and skills in their work.
CBOK results can also provide useful information when periodically updating the competency
framework. The IIA has expressed interest in conducting CBOK studies at regular intervals in the
future to provide a mechanism for comparison and improvement. The CBOK 2006 results will
contribute to future internal audit Standards and practices as well as identify important new
knowledge and skills to be included in the CIA exam. The results can also be utilized during an
IAA’s self-assessment program and/or the completion of external quality assessments.
The Institute of Internal Auditors Research Foundation
4 A Global Summary of the Common Body of Knowledge 2006
______________________
Prior IIA CBOK Studies
The IIA has sponsored four prior CBOK studies. Table 1-1 compares the number of participating
countries and usable questionnaire responses used in each CBOK study. While all prior CBOK
studies were only conducted in English, CBOK 2006 translated the questionnaires into 16 additional
languages.
Table 1-1
Comparison of CBOK’s Number of Countries
and Number of Respondents
CBOK
Number
I
II
III
IV
V
Year
1972
1985
1991
1999
2006
Number of
Countries
Number of Usable
Respondents
1
2
2
21
91
75
340
1,163
136
9,366
CBOK 2006 is the first study that invited The IIA’s entire worldwide membership to participate.
The participation of members from 91 countries and 9,366 usable respondents makes CBOK 2006
the most comprehensive study in The IIA’s history.
The Institute of Internal Auditors Research Foundation
_____________________________________________________
Chapter 1: Introduction 5
Project Teams
The research team was comprised of three international teams that were selected from the responses
to the CBOK Request for Proposals. Based on the location of the selected research teams, the
international affiliates and North American chapters were broken down into three broad geographical
areas. Table 1-2 lists the members of the three CBOK 2006 teams.
Table 1-2
Research Teams
Teams
Lead Team
• Priscilla A. Burnaby (Bentley College, United States) Project Coordinator and Team Coordinator
• Mohammad J. Abdolmohammadi (Bentley College,
United States)
• Susan Hass (Simmons College, United States)
• Rob Melville (Cass Business School, United Kingdom) Team Coordinator
• Marco Allegrini and Giuseppe D’Onza
(University of Pisa, Italy)
• Leen Paape (Erasmus University, Netherlands)
• Gerrit Sarens (University of Ghent, Belgium)
• Marinda M. Marais (University of South Africa)
• Elmarie Sadler (University of South Africa)
• Houdini Fourie (Tshwane University of
Technology, South Africa)
• Barry J. Cooper (Deakin University, Australia) Team Coordinator
• Philomena Leung (Deakin University, Australia)
General Areas
of Responsibilities
North, Central, and
South America and
the Caribbean
Europe and Africa
Asia and Pacific
The Institute of Internal Auditors Research Foundation
6 A Global Summary of the Common Body of Knowledge 2006
______________________
CBOK 2006 Questionnaires
To gain an understanding of what had been published about internal auditing and to develop an
inventory of questions to use as a basis for developing the global CBOK 2006 questionnaires, an
extensive literature review was conducted. Each team prepared a literature review for their general
areas of responsibility. Based on this work, the teams then prepared a pilot study to poll members
about the types of questions that should be included in the final survey. The three literature reviews
and the results of the pilot study can be found in the CBOK 2006 issue of Managerial Auditing
Journal (MAJ), Volume 21, Issue 8, published in October 2006. A summary is included in Chapter
10 of this research report. Based on the results of the pilot study, the survey questions were refined
and finalized. The CBOK Steering Committee decided that the surveys should take a respondent
approximately 40 minutes to complete. As a result, it was decided to create three CBOK 2006
questionnaires:
1. Affiliates: The IIA is fortunate to have numerous affiliates around the world that provide
services to their geographic area in cooperation with The IIA headquarters. This questionnaire
asked affiliate leaders questions about regulatory and cultural differences affecting the application
of ethics and The IIA Standards in their area. One questionnaire was sent to each participating
affiliate.
2. Chief Audit Executives (CAEs): The Standards define the CAE as the highest position
within the organization responsible for the internal audit activity (IAA). Data on the status of
the IAA within the organization, application of the Standards, skills needed at each staff level,
and emerging audit roles were collected from CAEs worldwide.
3. Practitioners: For purposes of this study, Practitioners are all other internal auditors who are
not CAEs. Data about the application of the Standards, how an audit is performed, skill sets
needed, and the emerging role of internal auditing were collected from internal auditors
worldwide.
The three detailed questionnaires developed by the CBOK 2006 teams were subjected to careful
scrutiny by The IIA CBOK 2006 Steering Committee. Once the final questions were selected, the
questionnaires were reviewed by a group of over 100 internal auditors worldwide to ensure
completeness and validity. Based on their comments, the final questionnaires were developed in
English. The IIA translated them into 16 additional languages for the convenience of The IIA
membership (Arabic, Bulgarian, Czech, Simplified Chinese, Unsimplified Chinese, French, German,
Indonesian, Italian, Japanese, Polish, Portuguese, Russian, Spanish, Swedish, and Turkish). The
combined CAE and Practitioner questionnaires are in Appendix 10-C in Chapter 10.
The Institute of Internal Auditors Research Foundation
_____________________________________________________
Chapter 1: Introduction 7
In September 2006, using the survey software Perseus, the CAE and Practitioner questionnaires
were distributed electronically to members outside North America by participating international
affiliates and by IIA headquarters to members within North America. The questionnaire to affiliate
leadership was distributed by The IIA in December 2006. The Glossary in Appendix 1-A was
provided with the questionnaires so respondents could reference definitions of key terms and
words. This glossary is a combination of the glossary from The IIA’s Professional Practices
Framework dated January 2005 and other key words used in the questionnaires.
Number of Respondents
The total number of responses to the CAE and Practitioner questionnaires was 15,028. After
consultation with an independent statistical expert, responses were determined to be not useable
for reasons such as a blank reply or the respondent did not answer enough questions on important
sections such as the use and application of the Standards. Upon completion of this process, 9,366
useable responses remained. This results in an overall 7.3% response from the 127,735 IIA members
as of September 30, 2006. Due to some affiliates not participating and some members who have
opted not to receive e-mail from The IIA, the invitation to participate in the survey was sent to
approximately 99,000 members resulting in an estimated 9.5% response rate.
Table 1-3 indicates the chapters (United States, Canada, and Caribbean) and affiliates (organizations
around the world that serve their geographical area) listed on The IIA’s Web site as of September
2006 and notes the number that participated in this study for each one. A total of 133 United States
chapters, all of the Canadian chapters, and 7 of the Caribbean chapters had at least one member
who participated in CBOK 2006. Eighty-three affiliates had at least one usable CAE or Practitioner
response. Forty-six affiliate leaders returned the CBOK Affiliate questionnaire by the January 15,
2007, cutoff date for data collection.
The Institute of Internal Auditors Research Foundation
8 A Global Summary of the Common Body of Knowledge 2006
______________________
Table 1-3
Number of Participating Chapters and Affiliates
Area
U.S.A.
Canada
Caribbean
Number of
Chapters/Affiliates*
1 or More Usable
Responses from
Chapters/Affiliates
Number of
Affiliates that
Returned CBOK
Affiliate
Questionnaire
143
11
9
133
11
7
Not Applicable
Not Applicable
Not Applicable
94
83
46
IIA Affiliates
*Tallied from The IIA’s Web site
The number of respondents answering a specific question will often differ from the 9,366 total
respondents in this study. This is due to the following reasons:
•
•
Not all of those that participated in the survey answered all the questions asked. Results
are shown and discussed only for those respondents who answered a particular survey
question.
Not all questions were asked of all respondents.
o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).
o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).
o Some questions were asked of both CAEs and Practitioners.
The Institute of Internal Auditors Research Foundation
_____________________________________________________
Chapter 1: Introduction 9
Below is a list of all the affiliates, the United States, Canada, and Caribbean chapters, from which
one or more usable responses were received. Please note that the individual chapters within the
United States and Canada from which responses were received are not listed here.
Algeria
Argentina
Aruba
Australia
Austria
Azerbaijan
Bahamas
Bangladesh
Barbados
Belgium
Bermuda
Bolivia
Botswana
Brazil
Bulgaria
Cameroon
Canada
Chile
China
Chinese Taiwan
Colombia
Congo-Kinshasa
Costa Rica
Cyprus
Czech Republic
Denmark
Dominican Republic
Ecuador
Egypt
Estonia
Ethiopia
Finland
France
Germany
Ghana
Greece
Guatemala
Hong Kong, China
Iceland
India
Indonesia
Israel
Italy
Jamaica
Japan
Kenya
Korea
Latvia
Lebanon
Lithuania
Luxembourg
Malawi
Malaysia
Mexico
Netherlands
New Zealand
Nicaragua
Nigeria
Norway
Oman
Pakistan-Islamabad
Pakistan-Karachi
Pakistan-Lahore
Panama
Paraguay
Peru
Philippines
Poland
Portugal
Puerto Rico
Qatar
Romania
Russia-Moscow
Singapore
Slovenia
South Africa
Spain
Sri Lanka
Sweden
Switzerland
Thailand
Trinidad and Tobago
Tunisia
Turkey
Uganda
Ukraine
United Arab Emirates
United Kingdom and
Ireland
United States of America
Venezuela
Zambia
Zimbabwe
The Institute of Internal Auditors Research Foundation
10 A Global Summary of the Common Body of Knowledge 2006 ______________________
Clustering for Groups
As data was collected from numerous affiliates and chapters, a methodology was sought to combine
them into groups for the comparison of responses. Clustering literature was reviewed for plausible
ways to combine affiliates and chapters by cultural classification. Hofstede (1980; 1983) introduced
this concept and proposed a number of dimensions to classify 50 countries into cultural clusters.
Expanding on Hofstede’s work, House et al. (2004) classified 62 societies into various cultural
clusters.
Since The IIA has affiliates in over 100 countries, the House et al. (2004) classification of 62
societies was insufficient for complete classification of the CBOK 2006 participants. By using
additional information from the Central Intelligence Agency World Fact Book (2006), language(s)
spoken in the affiliate’s geographical area, geographical location, and discussions with The IIA
staff and leadership, the affiliates and chapters were classified into 12 groups. Respondents who
did not indicate membership in a specific affiliate or chapter were clustered into a 13th group that
was included in statistical summaries for the aggregate results but not in discussions of affiliate or
chapter cultural cluster group results. Appendix 1-B lists the 13 groups used for the discussion of
responses for CBOK 2006. WHENEVER GROUPS ARE MENTIONED IN THE TEXT, TO
DETERMINE WHICH CHAPTERS OR AFFILIATES ARE IN EACH GROUP, PLEASE
REFER TO APPENDIX 1-B IN CHAPTER 1 OF THIS REPORT.
The Institute of Internal Auditors Research Foundation
_____________________________________________________ Chapter 1: Introduction 11
References
1. Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “A review of prior common body of
knowledge (CBOK) studies in internal auditing and an overview of the global CBOK 2006,”
Managerial Auditing Journal 21 8, 2006, pp. 811-821.
2. CIA World Fact Book, https://www.cia.gov/cia/publications/factbook/fields/2145.html, 2006.
3. Hofstede, G, Culture’s consequences: International differences in work-related values
(London, UK: Sage), 1980.
4. Hofstede, G., “Dimensions of National Culture in Fifty Countries and Three Regions,” in J.B.
Deregowski, S. Dziurawiec and R.C. Annis (Eds.), Explications in Cross-Cultural
Psychology, Swets and Zeitling, 1983.
5. House, R.J., P.J. Hanges, M. Javidan, P.W. Dorfman, and V. Gupta (Eds), Culture, Leadership,
and Organizations: The GLOBE Study of 62 Societies (Thousand Oaks, CA: Sage
Publications), 2004.
6. McIntosh, E.R, Competency Framework for Internal Auditing: An Overview (Altamonte
Springs, FL: The Institute of Internal Auditors Research Foundation), 1999.
7. The Institute of Internal Auditors, A Vision for the Future: Professional Practices Framework
for Internal Auditing (Altamonte Springs, FL: The Institute of Internal Auditors Research
Foundation), 1999.
8. The Institute of Internal Auditors, Professional Practices Framework (Altamonte Springs, FL:
The Institute of Internal Auditors Research Foundation), 2005.
The Institute of Internal Auditors Research Foundation
12 A Global Summary of the Common Body of Knowledge 2006 ______________________
APPENDIX 1-A
GLOSSARY OF TERMS SENT WITH
CBOK 2006 QUESTIONNAIRES
Add Value
Value is provided by improving opportunities to achieve organizational objectives, identify operational
improvement, and/or reducing risk exposure through both assurance and consulting services.
Adequate Control
Present if management has planned and organized (designed) in a manner that provides reasonable
assurance that the organization’s risks have been managed effectively and that the organization’s
goals and objectives will be achieved efficiently and economically.
Advisory Role
A position having or exercising the power to advise and function purely as a consultative role.
Assurance Services
An objective examination of evidence for the purpose of providing an independent assessment on
risk management, control, or governance processes for the organization. Examples may include
financial, performance, compliance, system security, and due diligence engagements.
Audit Committee
An audit committee assists the board of directors in discharging its responsibilities with respect to
the accounting policies, internal controls, and financial reporting of the entity.
Balanced Scorecard
A concept for measuring a company’s activities in terms of its vision, strategies, and performance
measures. It gives managers a comprehensive view of the performance of a business. It balances
a financial perspective with customer, internal process, and learning and growth perspectives.
Board
A board is an organization’s governing body, such as a board of directors, supervisory board, head
of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any
other designated body of the organization, including the audit committee, to whom the chief audit
executive may functionally report.
The Institute of Internal Auditors Research Foundation
_____________________________________________________ Chapter 1: Introduction 13
Charter
The charter of the internal audit activity is a formal written document that defines the activity’s
purpose, authority, and responsibility. The charter should (a) establish the internal audit activity’s
position within the organization; (b) authorize access to records, personnel, and physical properties
relevant to the performance of engagements; and (c) define the scope of internal audit activities.
Chief Audit Executive (CAE)
Top position within the organization responsible for internal audit activities. Normally, this would be
the internal audit director. In the case where internal audit activities are obtained from outside
service providers, the chief audit executive is the person responsible for overseeing the service
contract and the overall quality assurance of these activities, reporting to senior management and
the board regarding internal audit activities, and follow-up of engagement results. The term also
includes such titles as general auditor, chief internal auditor, and inspector general.
Code of Ethics
The Code of Ethics of The Institute of Internal Auditors (IIA) are principles relevant to the profession
and practice of internal auditing, and rules of conduct that describe behavior expected of internal
auditors. The Code of Ethics applies to both parties and entities that provide internal audit services.
The purpose of the Code of Ethics is to promote an ethical culture in the global profession of
internal auditing.
Compliance
Conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other
requirements.
Conflict of Interest
Any relationship that is or appears to be not in the best interest of the organization. A conflict of
interest would prejudice an individual’s ability to perform his or her duties and responsibilities
objectively.
Consulting Services
Advisory and related client service activities, the nature and scope of which are agreed with the
client and which are intended to add value and improve an organization’s governance, risk
management, and control processes without the internal auditor assuming management responsibility.
Examples include counsel, advice, facilitation, and training.
The Institute of Internal Auditors Research Foundation
14 A Global Summary of the Common Body of Knowledge 2006 ______________________
Continuous Monitoring
Continuous monitoring is an ongoing systematic process for acquiring, analyzing, and reporting on
business information to identify and respond to operational business risks.
Contract Audit Staff
Audit staff that has been hired to perform specific internal audit projects. Members of the contract
audit staff are not employed as permanent audit staff at the organization.
Control
Any action taken by management, the board, and other parties to manage risk and increase the
likelihood that established objectives and goals will be achieved. Management plans, organizes, and
directs the performance of sufficient actions to provide reasonable assurance that objectives and
goals will be achieved.
Control Environment
The attitude and actions of the board and management regarding the significance of control within
the organization. The control environment provides the discipline and structure for the achievement
of the primary objectives of the system of internal control. The control environment includes the
following elements:
• Integrity and ethical values
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resource policies and practices
• Competence of personnel
Control Processes
The policies, procedures, and activities that are part of a control framework, designed to ensure
that risks are contained within the risk tolerance established by the risk management process.
Control Self-assessment
CSA is a process through which internal control effectiveness is examined and assessed. The
objective is to provide reasonable assurance that all business objectives will be met.
Co-sourcing
Working with external professionals to meet requirements for the organization’s audit plan and
obtaining value-added solutions from the cooperative effort.
The Institute of Internal Auditors Research Foundation
_____________________________________________________ Chapter 1: Introduction 15
Corporate Governance
The set of processes, customs, policies, laws, and institutions affecting the way a corporation is
directed, administered, or controlled.
Emerging Market
Is a term used to refer to markets in newly industrialized or developing countries with capital
markets at early stages of institutional development.
Engagement
A specific internal audit assignment, task, or review activity, such as an internal audit, control selfassessment review, fraud examination, or consultancy. An engagement may include multiple tasks
or activities designed to accomplish a specific set of related objectives.
Engagement Objectives
Board statements developed by internal auditors that define intended engagement accomplishments.
Engagement Work Program
A document that lists the procedures to be followed during an engagement, designed to achieve the
engagement plan.
Enterprise Risk Management (ERM)
A continuous process that establishes risk management objectives and develops tolerances and
limits for all the enterprise’s significant risks.
Environmental Sustainability
In compliance with International Standard for Environmental Management System (ISO 14001
certified).
External Quality Assurance Review
External assessment should be conducted at least once every five years by a qualified, independent
reviewer or review team from outside the organization.
External Service Provider
A person or firm, outside of the organization, who has special knowledge, skill, and experience in a
particular discipline.
The Institute of Internal Auditors Research Foundation
16 A Global Summary of the Common Body of Knowledge 2006 ______________________
Fraud
Any illegal acts characterized by deceit, concealment, or violation of trust. These acts are not
dependent upon the application of threat of violence or of physical force. Frauds are perpetrated
by parties and organizations to obtain money, property, or services; to avoid payment or loss of
services; or to secure personal or business advantage.
Global Audit Information Network (GAIN)
The information network enables organizations to compare their audit department’s size, experience,
expertise, and other metrics against the aggregated averages of similar-sized organizations in their
industry.
Governance
The combination of processes and structures implemented by the board in order to inform, direct,
manage, and monitor the activities of the organization toward the achievement of its objectives.
Impairments
Impairments to individual objectivity and organizational independence may include personal conflict
of interest, scope limitations, restrictions on access to records, personnel, and properties, and
resource limitations (funding).
Independence
The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats
to objectivity must be managed at the individual auditor, engagement, functional, and organizational
levels.
Information Risk Assessment
Assessment of information threats and opportunities to ensure proper controls are in place to
minimize the risks to the organization’s information assets.
Internal Audit Activity or Internal Audit Function
A department, division, team of consultants, or other practitioner(s) that provides independent,
objective assurance and consulting services designed to add value and improve an organization’s
operations. The internal audit activity helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.
The Institute of Internal Auditors Research Foundation
_____________________________________________________ Chapter 1: Introduction 17
Internal Quality Assurance Review
Internal assessments include: ongoing reviews of the performance of the internal audit activity and
periodic reviews performed through self-assessment or by other persons within the organization
with knowledge of internal auditing practices and the Standards.
Knowledge Management System
A distributed system in organizations supporting creation, capture, storage, and dissemination of
expertise and information.
Management Effectiveness
The metrics used to evaluate management effectiveness include: leadership, delegation, motivation,
return on investment, return on assets, and return on equity.
Manager
A manager is normally an advanced senior rank position.
Managerial Accounting
The branch of accounting that uses both historical and estimated data in providing information that
management uses in conducting daily operations in planning future operations, and in developing
overall business strategies.
Objectivity
An unbiased mental attitude that allows internal auditors to perform engagements in such a manner
that they have an honest belief in their work product and that no significant quality compromises
are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters
to that of others.
Partner
This is the highest professional rank in an accounting firm. By achieving this rank, a partner is
admitted as a co-owner of the firm.
Residual Risk
The risk remaining after management takes action to reduce the impact and likelihood of an adverse
event, including control activities in responding to a risk.
The Institute of Internal Auditors Research Foundation
18 A Global Summary of the Common Body of Knowledge 2006 ______________________
Risk
The possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.
Risk Management
A process to identify, assess, manage, and control potential events or situations to provide reasonable
assurance regarding the achievement of the organization’s objectives.
Semi-government
The semi-government sector comprises the corporations, statuary boards, authorities, and state
banks under the central government.
Should
The use of the word “should” in the Standards represents a mandatory obligation.
Staff
The position of a staff accountant (also called assistant) is the entry-level position.
Standard
A professional pronouncement promulgated by the Internal Auditing Standards Board that delineates
the requirements for performing a broad range of internal audit activities, and for evaluating internal
audit performance.
Total Quality Management (TQM)
Total Quality Management is a management approach that emphasizes superior quality in all aspects
of the company’s operations. It is an ongoing process that utilizes synergistic relationships to exercise
continuous improvement and self evaluation.
The Institute of Internal Auditors Research Foundation
_____________________________________________________ Chapter 1: Introduction 19
APPENDIX 1-B
CLUSTERING OF GROUPS AND
NUMBER OF RESPONSES
Affiliate or
Chapter
Group
Group 1
**Aruba
**Bahamas
**Barbados
**Bermuda
**Canada
**Jamaica
**Trinidad and
Tobago
**Puerto Rico
*United States
of America
Total
Group 2
*+Australia
*+New Zealand
Total
Group 3
**+South Africa
*+UK and Ireland
Total
Group 4
*China
*+Chinese Taiwan
*+Hong Kong,
China
*+Japan
*Korea
Total
Primary
Language(s)
Spoken
IIA
Members
9/30/06
English
English
English
English
French/English
English
English
8
59
70
73
5,255
327
169
4
3
17
5
430
17
13
50.0
5.1
24.3
6.9
8.2
5.2
7.7
386
54,686
17
3,139
4.4
5.7
61,033
3,645
6.0
English
English
2,602
486
3,088
177
38
215
6.8
7.8
7.0
English
English
4874
7185
12,059
464
271
735
9.5
3.8
6.1
Chinese
Chinese
English
2,248
3,144
375
62
239
6
2.8
7.6
1.6
Japanese
Korean
2,053
557
8,377
66
1
374
3.2
0.2
4.5
Spanish
English
Usable
Responses
12-15-06
Percentage
of Members
*House, R.J., P.J. Hanges, M. Javidan, P.W. Dorfman, and V. Gupta (Eds), Culture, Leadership, and Organizations: The
GLOBE Study of 62 Societies (Thousand Oaks, CA: Sage Publications), 2004.
**Classification by Team Americas in consultation with The IIA, world map, and CIA World Factbook, https://www.cia.gov/
cia/publications/factbook/fields/2145.html
+Responded to the Affiliate CBOK questionnaire.
The Institute of Internal Auditors Research Foundation
20 A Global Summary of the Common Body of Knowledge 2006 ______________________
APPENDIX 1-B (Cont.)
CLUSTERING OF GROUPS AND
NUMBER OF RESPONSES
Affiliate or
Chapter
Group
Group 5
**+Azerbaijan
**+Bulgaria
**+Cyprus
**Czech Republic
**Estonia
*+Greece
**Latvia
**+Lithuania
*Poland
**Romania
*+Russia-Moscow
*+Slovenia
*Ukraine
Total
Group 6
*+Austria
**+Belgium
*+Germany
*+Luxembourg
*+Netherlands
*Switzerland
Total
Primary
Language(s)
Spoken
IIA
Members
9/30/06
Usable
Responses
12-15-06
Percentage
of Members
Azari/Russian
Bulgarian
Greek/Turkish
Czech/English
Estonian
Greek
Latvian
Lithuanian
Polish
Romanian
Russian
Slovenian
Ukrainian
133
357
276
886
135
456
123
130
520
214
492
15
25
3,762
1
71
30
166
16
80
1
3
69
42
129
1
2
611
0.8
19.9
10.9
18.7
11.9
17.5
0.8
2.3
13.3
19.6
26.2
6.7
8
16.2
German
English/French/Dutch
German
French/English
Dutch
German/French
277
1,154
1,728
325
1,741
305
5,530
84
102
131
1
112
33
463
30.3
8.8
7.6
0.3
6.4
10.8
8.4
The Institute of Internal Auditors Research Foundation
_____________________________________________________ Chapter 1: Introduction 21
APPENDIX 1-B (Cont.)
CLUSTERING OF GROUPS AND
NUMBER OF RESPONSES
Affiliate or
Chapter
Group
Group 7
*+Argentina
*+Bolivia
*+Brazil
**Chile
*+Colombia
*Costa Rica
**+Dominican Republic
*Ecuador
*Guatemala
*+Mexico
**+Nicaragua
**Panama
**Paraguay
**+Peru
*+Venezuela
Total
Group 8
*+France
*+Israel
*+Italy
*Portugal
*+Spain
Total
Group 9
**Algeria
*Egypt
**+Lebanon
**Oman
**+Qatar
**Tunisia
*+Turkey
**United Arab Emirates
Total
Primary
Language(s)
Spoken
IIA
Members
9/30/06
Usable
Responses
12-15-06
Percentage
of Members
Spanish
Spanish
Portuguese
Spanish
Spanish
Spanish
Spanish
Spanish
Spanish
Spanish
Spanish
Spanish
Spanish
Spanish
Spanish
562
215
1,358
33
432
186
213
531
75
842
136
69
114
328
376
5,470
57
8
97
4
94
40
3
7
4
91
6
6
3
72
36
528
10.1
3.7
7.1
12.1
21.8
21.5
1.4
1.3
5.3
10.8
4.4
8.7
2.6
22.0
9.6
9.7
French
Hebrew
Italian
Portuguese
Spanish
2,937
1,028
2,531
375
1,556
8,427
235
4
456
84
249
1,028
8.0
0.4
18.0
22.4
16.0
12.2
French
Arabic/English
Arabic/English
Arabic/English
Arabic/English
Arabic/French
Turkish
English
45
61
105
176
233
306
554
349
1,829
4
4
13
5
8
2
80
16
132
8.9
6.6
12.4
2.8
3.4
0.7
14.4
4.6
7.2
The Institute of Internal Auditors Research Foundation
22 A Global Summary of the Common Body of Knowledge 2006 ______________________
APPENDIX 1-B (Cont.)
CLUSTERING OF GROUPS AND
NUMBER OF RESPONSES
Affiliate or
Chapter
Group
Group 10
*+Denmark
*+Finland
**Iceland
**+Norway
*+Sweden
Total
Group 11
**Bangladesh
*India
*Indonesia
*+Malaysia
**Pakistan - Karachi
**Pakistan –Islamabad
**Pakistan - Lahore
*+Philippines
**+Singapore
**+Sri Lanka
*+Thailand
Total
Group 12
**Botswana
**Cameroon
**+Congo-Kinshasa
**Ethiopia
**Ghana
**Kenya
**+Malawi
*Nigeria
**+Uganda
*Zambia
*Zimbabwe
Total
Primary
Language(s)
Spoken
Danish
Finnish
Icelandic
Norwegian
Swedish
English
English
Indonesian/English
English
English
English
English
English
English
Sinhala/English
Thai
English
French
French
English
English
English
English
English
English
English
English
IIA
Members
9/30/06
Usable
Responses
12-15-06
Percentage
of Members
390
584
100
662
542
2,278
3
43
3
45
52
146
0.8
7.4
3.0
6.8
9.6
6.4
116
2,795
654
2,150
172
186
339
1,280
1,343
50
1,446
10,531
1
57
11
60
3
3
1
5
74
6
29
250
0.9
2.0
1.7
2.8
1.7
1.61
0.3
0.4
5.5
12.0
2.0
2.4
134
161
37
288
57
589
169
48
117
63
557
2,220
1
1
1
16
2
4
1
4
13
2
3
48
0.8
0.6
2.7
5.7
3.5
0.7
0.6
8.3
11.1
3.2
0.5
2.2
The Institute of Internal Auditors Research Foundation
_____________________________________________________ Chapter 1: Introduction 23
APPENDIX 1-B (Cont.)
CLUSTERING OF GROUPS AND
NUMBER OF RESPONSES
Affiliate or
Chapter
Group
Group 13
Not Classified –
respondent did not
specify affiliate or
chapter
Primary
Language(s)
Spoken
IIA
Members
9/30/06
Usable
Responses
12-15-06
Percentage
of Members
1,191
Affiliates that did
not participate
Total Membership
Less members that were
not sent an invitation
to participate:
Membership of affiliates
that did not participate
Eleven affiliates with
only one response
(2,109 members –
11 respondents)
39% of U.S. members
who have opted not to
receive e-mail from
The IIA (54,686 x .39 =
21,328)
39% of Canadian
members who have opted
not to receive e-mail
from The IIA
(5,255 x .39 = 2,049)
Total estimated
membership that was
sent an invitation to
participate and estimated
response rate
3,131
127,735
9,366
7.3
9,366
9.5
(3,131)
(2,098)
(21,328)
(2.049)
99,129
The Institute of Internal Auditors Research Foundation
24 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS
Chapter 2
Chapter 2: A Worldwide Picture of the Internal Audit Activity .......................................... 25
Introduction........................................................................................................................... 25
Survey Demographics Summary .......................................................................................... 26
Compliance with Internal Auditing Standards ..................................................................... 29
Staffing and Professional Development................................................................................ 43
Internal Auditor Skills........................................................................................................... 44
Internal Auditor Competencies and Knowledge Areas......................................................... 48
Emerging Roles of the Internal Audit Activity..................................................................... 53
Summary ............................................................................................................................... 58
Disclosure
Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland
Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of
America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior
written permission of the publisher.
The IIARF publishes this document for informational and educational purposes. This document is intended
to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide
such advice and makes no warranty as to any legal or accounting results through its publication of this
document. When legal or accounting issues arise, professional assistance should be sought and retained.
The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full
range of existing and developing practice guidance for the profession. The IPPF provides guidance to
internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA
Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting
research and knowledge resources to enhance the development and effectiveness of the internal auditing
profession.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 25
CHAPTER 2
A WORLDWIDE PICTURE OF THE
INTERNAL AUDIT ACTIVITY
Introduction
Who would have thought that internal auditors would be described by the media as rock stars?
The current demand for qualified internal auditors is greater than the supply. Business scandals
around the world have not only reminded organization fiduciaries and management of their
responsibilities in the areas of governance, control, and risk management, but have also resulted in
increased legislation and regulation. The internal audit activity (IAA) has become a necessary or
mandatory activity in organizations around the world. Some organizations are over 100 years old
with large, well established IAAs, while many younger companies are just starting to develop and
utilize their IAAs. Regardless of the size, type, or age of an organization, the role of internal
auditing is evolving into a value-added activity that helps an organization manage its risks and take
advantage of opportunities to improve. With the increase in scope of audit responsibility since
1999, the IAA must act to monitor the adequacy and effectiveness of management’s internal
control framework and contribute to the integrity of corporate governance, risk assessment, and
the financial, operating, and IT systems.
Since 1941, The IIA has grown tremendously. Between June 2003 and September 2006, The IIA’s
membership grew from 82,645 members to 127,735 members, a 54.6% increase in just over three
years. The November 2006 IIA Insight stated that there are members in 165 countries and territories.
Also, as of September 2006 there are 6,000 new Certified Internal Auditors (CIAs) for a total of
60,000 CIAs worldwide. There are 90 countries with CIA exam sites.
What do internal auditors really need to know to perform their jobs with due care and to add value
to their organizations? This CBOK 2006 research report summarizes the information gathered
from respondents around the world regarding the current state of the internal auditing profession.
It identifies the attributes of an effective IAA; internal auditor skills, competencies, and knowledge;
internal audit tools and techniques; and emerging roles of the IAA. This informs the profession and
those who benefit from its activities and services as well as serving as a basis for educating and
testing the competence of those who enter and want to succeed in the profession.
The Institute of Internal Auditors Research Foundation
26 A Global Summary of the Common Body of Knowledge 2006 ______________________
Since the CAE and Practitioner CBOK 2006 questionnaires were released in September 2006,
adherence to The IIA’s International Standards for the Professional Practice of Internal
Auditing (Standards) as of September 2006 provides the basis for this study. The overall purpose
of the CBOK 2006 project is to develop the most comprehensive database ever to capture a
current view of the global state of the internal audit profession. The database will be updated to
recognize the evolution of global internal audit practices. Future studies will build upon this baseline,
allowing for comparison, analysis, and trending.
The major topics covered in this chapter are a summary of the demographics of respondents and
their organizations, compliance with the Standards, current status of the IAA, staffing and
professional development, internal auditor skills, internal auditor competencies and knowledge,
internal audit tools and techniques, and the emerging roles of the IAA.
The number of respondents answering a specific question will often differ from the 9,366 total
respondents in this study. This is due to the following reasons:
•
•
Not all of those who participated in the survey answered all of the questions asked. Results
are shown and discussed only for those respondents who answered a particular survey
question.
Not all questions were asked of all respondents.
o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).
o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).
o Some questions were asked of all respondents: both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA.
These more detailed summaries of results may be provided for the five categories of respondents:
CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in the
Other category consist primarily of other professional staff whose positions are not captured by
the traditional job titles included in the survey. They may be members of the IAA, employed by
service providers, or in organizations where their titles are less traditional but with duties within
internal auditing.
Survey Demographics Summary
The following is a brief summary of the demographics of the respondents and their organizations.
Detailed tables and a discussion of the demographics are presented in Chapter 3. Respondents’
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 27
represent the following staff levels: CAEs (26.5%), Audit Managers (22.8%), Audit Seniors/
Supervisors (25.2%), Audit Staff (18.2%), and Others (7.3%).
Duration of Respondents’ IIA and/or Affiliate Membership and Respondents’ Age
Survey results indicate that 58.6% of respondents have been members of The IIA for five years or
less, 19.5% have been members for 6 to 10 years, and 15% have been members for 11 or more
years. Although distribution of the original survey instrument was only to IIA members, 6.9% of
the respondents indicated they are not members of The IIA.
When asked about their age, respondents indicated 3.5% are 25 years old or under, 27.8% are
between 26 and 34 years old, 34.8% are between the ages of 35 and 44, and 24.2% are between
45 and 54 years old. Only 9.3% are 55-64 years old and .4% are older than 65. The largest
percentage of Audit Managers (41.5%) is between 35 and 44 years old.
Highest Level of Formal Education and Academic Major
Thirty-eight point one percent of the respondents have obtained their bachelor’s (undergraduate)
degree in business, and 28.9% have obtained a master’s (graduate) degree in business. Fourteen
point three percent have a bachelor’s degree in a non-business subject and 9.4% have a master’s
degree in a non-business field. There appears to be no pronounced relationship between the
respondent’s highest level of education and their current position in the IAA. It also appears that
for most respondents, a bachelor’s degree or comparable level of education is necessary to enter
the profession.
The top six academic majors of respondents are accounting (55.8%), general business/management
(27%), finance (23.8%), economics (19.9%), auditing (17.8%), and internal auditing (12.7%) (NOTE:
since respondents could mark all that apply, percentages exceed 100%). A higher percentage of
CAEs (60.0%) and Audit Managers (59.9%) have an accounting major than members of the Audit
Staff (45.0%).
Professional Qualification(s) and Area(s) of Professional Experience
There are many professional organizations that have qualifying tests and certifications for those
employed in accounting and auditing. Survey respondents were asked about their own qualifications.
More than one-third (39.4%) of the respondents have a specific certification in internal auditing
and about one-fourth (26.7%) of the respondents have a certification in public accounting/chartered
accountancy. A much smaller number of respondents have certifications in information systems
auditing (10.2%), management/general accounting (5.4%), and fraud examination (5.3%). Internal
The Institute of Internal Auditors Research Foundation
28 A Global Summary of the Common Body of Knowledge 2006 ______________________
auditing is the most common certification for respondents followed by public accounting/chartered
accountancy. The possession of additional qualifications appears more common as individuals
move up in the IAA.
The five areas in which respondents have the most business experience are internal auditing (6.1
years), management (5.4 years), accounting (5.3 years), other professional experience (4.9 years),
and finance (4.4 years). This pattern is consistent for those currently employed by service providers,
privately held (non-listed) companies, publicly traded (listed) companies, and public sector. Service
providers, for the purpose of this study, are defined as those who work on a contractual basis to aid
organizations with assurance and consulting engagements. The not-for-profit sector respondents
indicated less overall work experience.
Years of Existence of IAA and Years of CAE Experience
The largest numbers of respondents work for IAAs that have been in existence for 0-5 years
(28.4%) and another 21% of the respondents work for IAAs that have been in existence for 6-10
years. A total of 13.8% of respondents’ organizations have IAAs that have been in existence for
31 or more years. This is a very positive development for internal auditing as it shows that growth
has accelerated in the past 10 years. Given the corporate governance issues and regulatory
developments in recent years, this could be a reflection of the recognition by organizations and
their boards of the need for internal auditing.
When CAEs were asked about their years of experience as a CAE, more than half (56%) indicated
they had been a CAE for 5 years or less and one-fourth of CAE respondents have between 6 and
10 years of CAE experience. Nineteen percent of CAE respondents have more than 10 years of
experience in this position.
Organization Type, Service Providers, and Industry Classifications
When asked about their current employers, 38% of all respondents indicate that they work for a
publicly traded (listed) company, while 19.5% work for a privately held (non-listed) company.
Twenty-three percent of all respondents currently work in the public sector. Ten point five percent
of the respondents work for a service provider or as a consultant. Internal auditing is performed by
members of the IAA as well as by external service providers.
The survey population covered a broad range of industries. Since the respondents were asked to
select all industries that applied to their organization, the total of industries selected is greater than
100%. The top 10 industries indicated by respondents are: banking/financial services/credit union
(24.5%), other (13.9%), manufacturing (13.4%), financial, accounting, and/or business services
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 29
(11.1%), insurance (9.3%), utilities (7.9%), education (7.0%), communication/telecommunication
(7.0%), healthcare (6.4%), and retail/wholesale (6.2%).
Geographical Areas and Legislation Affecting Internal Auditing
Recognizing that organizations operate differently, in part based on the locations they service, data
was collected on geographical areas served by the respondents’ organizations. Of the respondents,
39.2% indicate that their employer operates on an international/multinational scale, while 29.1% of
employers operate on a national scale. The remaining 31.7% operate on a local, state/provincial, or
regional basis.
In the CBOK Affiliate questionnaire, affiliate leaders were asked about local and federal regulations
and legislation affecting the profession of internal auditing. Of the 46 affiliates that responded, 36
(78%) indicate that their countries have legislation or regulations that affect the internal auditing
profession in the public sector. In most of these affiliates, financial entities, banks, and insurance
companies are subject to legislation that prescribes the establishment of, or the role of, internal
auditing in an organization. The United States and Canada also have legislation affecting internal
auditing.
In 22 (61%) of the 36 affiliates where legislation or regulation affecting internal auditing exists,
The IIA affiliate had an influence on the final form of the legislation or regulation. Those IIA
affiliates that assisted in the development of the legislation or regulations took part in the discussions
or provided input through participation in committees, work groups, and conferences. IIA affiliates
also regularly issue their own opinions on drafts of local and national laws and regulations. The
publication of position papers and articles reflecting their members’ ideas and opinions is a common
method of participation in the evolution of local and national laws and regulations.
Compliance with Internal Auditing Standards
Most of the participants in this study indicate that their IAAs are using the Standards and Practice
Advisories. They also believe that the guidance provided to them by the Standards and Practice
Advisories is adequate. Standards 1300, Quality Assurance and Improvement Program, and 2600,
Resolution of Management’s Acceptance of Risk, received lower adequacy responses indicating
that more or clearer guidance may be appropriate in the fields of quality assurance and improvement
and resolution of management’s acceptance of risk. The respondents are using these two standards
to a lesser extent when compared to the other standards. Overall, the guidance provided by the
Attribute Standards is perceived by respondents to be better than that provided in the Performance
Standards.
The Institute of Internal Auditors Research Foundation
30 A Global Summary of the Common Body of Knowledge 2006 ______________________
Respondents at all staff levels indicate that 81.9% of their IAAs use the Standards in whole or in
part. In Figure 2-1, CAEs report the highest level of usage (85.1%) of the Standards by their IAA,
while all other respondents report usage between 72.2% and 84.3.
Figure 2-1
Organizations’ Use of the Standards in Whole or in Part by Staff Level
All Respondents (8,647) in Percentages
Percentage of Respondents
The most common reasons given by those respondents whose IAA does not adhere to the Standards
are:
•
•
•
Inadequate IAA staff (12.6%).
Management of organization does not think it adds value (12.2%).
Too time-consuming to comply with the Standards (12.2%).
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 31
•
•
Compliance not supported by management of organization (11.9%).
Superseded by local/government regulations/standards (10.7%).
Quality Assurance and Improvement Programs
To supplement the research on compliance with the Standards, respondents were asked specific
questions about their compliance with Standards 1300, 1311, and 1312 which require quality assurance
and improvement programs, internal quality assessments, and external quality assessments. Standard
1300 requires the CAE to “develop and maintain a quality assurance and improvement program
that covers all aspects of the internal audit activity and continuously monitors its effectiveness.”
The level of compliance is lowest for Standard 1300, Quality Assurance and Improvement Program.
Approximately one-third of the respondents currently have a quality assurance and improvement
program in accordance with Standard 1300. Approximately one-third of the respondents have had
an internal assessment. One-third has never had an internal assessment. Almost one quarter of the
respondents do not plan to have a quality assurance and improvement program in place within the
next 12 months in accordance with Standard 1300, although approximately one-third of the
respondents have such a program currently in place. Forty percent indicate that no external
assessment has been performed.
Less than 50% of the respondents indicate that their quality assessment and improvement programs
include certain activities to monitor the effectiveness of these programs as suggested by PA13001, Quality Assurance and Improvement Program. Monitoring activities most often include
engagement supervision and checklists to provide assurance that proper audit processes are followed.
Approximately 30% of the respondents indicate that compliance with The IIA’s Standards or
Code of Ethics are explicitly monitored as part of these activities.
According to Standard 1311, Internal Assessments, the IAA should adopt a process to monitor and
assess the overall effectiveness of the quality program. The process should include both internal
and external assessments. There is no formal requirement mentioned in the standard regarding the
frequency of the self-assessment, only that it be ongoing. The respondents were requested to
indicate when their IAAs were last subject to a formal internal assessment. Of those responding,
23.6% have had an internal review within the last 12 months and an additional 8.7% had an internal
review within the last five years. The CAE respondents indicated that 47.4% of their IAAs have
never had an internal assessment.
According to Standard 1312, External Assessments, the IAA should have an external assessment
at least once every five years by a qualified, independent reviewer or review team external to the
The Institute of Internal Auditors Research Foundation
32 A Global Summary of the Common Body of Knowledge 2006 ______________________
organization. All IAAs that existed on January 1, 2002, when this standard became effective
should have had an external assessment performed by January 1, 2007. Of all respondents, 39.7%
have never had an external assessment. When analyzing this response by staff level, 53.7% of
CAE respondents indicate that their organizations have not been subject to a formal external
quality assessment and are not in compliance with Standard 1312. Note in Figure 2-2 that 28.4% of
the respondents’ IAAs are five years old or less. This could be the reason why some of the IAAs
have not had an external assessment.
Compliance with The IIA’s Code of Ethics
As The IIA’s Code of Ethics must be followed by all those that provide internal auditing services,
affiliate leaders were asked whether they required their members to follow The IIA’s Code of
Ethics. Forty-six affiliate leaders responded to this question and all answered in the affirmative
except for one which adopted a local version. When the affiliate leaders were asked how they
handled ethical complaints against their members, the wide variety of responses ranged from the
use of an ethics or disciplinary committee to action being left to the affiliate’s full board of directors.
Current Status of the Internal Audit Activity
The IAA adds value in multiple ways. It helps the organization achieve its goals by providing
suggestions for improvements to vital systems, processes, and procedures. The IAA helps ensure
that controls are in place to provide safety and security for transactions and activities. Consulting
services assist management in planning for the future and addressing difficult strategic and operational
issues. The IAA is vital to the success and health of any organization operating today.
Some parts of the world are just starting to recognize the importance of internal auditing and
beginning to develop the internal auditing activity. Many IAAs are small or have been in existence
for less than five years. Newer IAAs and/or those with smaller audit staffs may not have sufficient
staff or personnel with all of the necessary skills and competencies to meet the needs of their
organizations. Depending upon priorities and availability of resources, some audits or audit skills
may need to be outsourced.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 33
Years That the IAA and the Organization Have Existed
To gain a perspective on the length of time respondents’ organizations have had IAAs, Figure 2-2
lists the number of years the respondents’ IAAs have been in existence. The largest number of
respondents work for IAAs that have been in existence for 0-5 years (28.4%). Another 21% of
the respondents work for IAAs that have been in existence for 6-10 years. Respondents indicate
that 13.8% work in IAAs that have been in existence for 31 or more years. Given the corporate
governance issues and regulatory developments in recent years, the large number of newer IAAs
could be a reflection of the recognition by organizations of the need for the IAA and the need to
conduct audits in these areas. A new IAA could also be the result of a corporate merger or
acquisition. Although a newer IAA may not be as developed or have the same level of experience
or expertise as a more mature one, a younger department does not necessarily equate to a weak or
unskilled department.
Figure 2-2
Number of Years the IAA Has Existed in the Organization
All Respondents (7,747) in Percentages
41+ Years
8.1%
0-5 Years
28.4%
31-40 Years
5.7%
21-30 Years
14.1%
6-10 Years
21.0%
11-20 Years
22.7%
The Institute of Internal Auditors Research Foundation
34 A Global Summary of the Common Body of Knowledge 2006 ______________________
Figure 2-3 reports how long respondents’ organizations have been in existence. A separate correlation
test performed by the researchers confirms that there is a relationship between how long an
organization has been in existence and how long the organization has had an IAA. Older companies
tend to have established IAAs longer than younger companies.
Figure 2-3
Number of Years Organizations Have Existed
All Respondents (8,165) in Percentages
0-5 Years
7.2%
6-10 Years
10.5%
41+ Years
51.0%
11-20 Years
14.0%
21-30 Years
9.3%
31-40 Years
8.0%
IAA’s Relationships within the Organization
Relationship with the Audit/Oversight Committee
To maintain independence, the IAA should have a charter approved by the audit committee of its
governing board. An internal audit charter is required by The IIA’s Attribute Standard 1000, Purpose,
Authority, and Responsibility, and Practice Advisory (PA) 1000-1, Internal Audit Charter. The
charter provides the power from which the IAA can insist that they have the authority to conduct
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 35
the audits deemed necessary. The survey confirms that this practice is generally the case in the
majority of IAAs with 72.3% of the respondents indicating their organization has an internal audit
charter. IAAs without a charter may be less empowered from the audit customers’ perspective.
The reporting relationships of the respondent CAEs are generally in accordance with the Standards
and Practice Advisories. There is also a high level of input by the audit committee in the appointment
and performance evaluation of CAEs. In the majority of cases, CAEs are reporting to the audit
committee of the board and/or to a member of senior management. The survey did not allow the
CAE to indicate a dual reporting relationship as recommended by The IIA. Dual reporting allows
the IAA to build organizational independence while also serving senior management.
Practice Advisory 2060-2, Relationship with the Audit Committee, defines the IAA’s and the audit
committee’s relationship. As noted in Table 2-1, CAEs confirm that an audit/oversight committee
exists in 72.6% of their organizations. The CAE’s relationship with the audit committee chairperson
is very important. Of the respondent CAEs with audit committees, 63.2% meet regularly with the
audit committee chair in addition to regular audit committee meetings. It is notable that of those
that have audit committees, 91.3% of CAEs believe they have appropriate access to the audit
committee. Public sector IAAs often do not have an audit committee structure in their organizations.
Table 2-1
CAE’s Relationship with Audit/Oversight Committee
CAE Respondents Percentage of Yes Responses
Question
Is there an audit/oversight
committee in your organization?
Does the CAE meet with the
audit/oversight committee
chairperson in addition to the
regularly scheduled meetings?
Does the CAE believe that
he/she has appropriate access
to the audit committee?
Total Respondents
Yes
Percent of
Total Responses
2,315
72.6
1,669
63.2
1,671
91.3
The Institute of Internal Auditors Research Foundation
36 A Global Summary of the Common Body of Knowledge 2006 ______________________
Organizations’ and CAEs’ Perceptions of the IAA
A set of general questions asked all respondents to rank their perceptions about how their IAA is
perceived by their organization. All respondents were asked to rank their level of agreement with
the statements in Table 2-2 on a scale of 1 to 5 from Strongly Disagree (1) to Strongly Agree (5).
The mean response for each question was calculated for the four levels of audit staff responding
to the survey.
Table 2-2
Relationship of IAA to the Organization
All Respondents in Means*
Statement
Your internal audit activity is an
independent objective assurance
and consulting activity.
Your internal audit activity adds
value.
Internal audit brings a systematic
approach to evaluate the
effectiveness of risk management.
Your internal audit activity brings
a systematic approach to evaluate
the effectiveness of internal controls.
Your internal audit activity brings a
systematic approach to evaluate the
effectiveness of governance
processes.
Your internal audit activity
proactively examines important
financial matters, risks, and
internal controls.
Your internal audit activity is an
integral part of the governance
process by providing reliable
information to management.
CAE
Audit Manager
(Mean of (Mean of 2,033
2,374
Responses)
Responses)
Audit Senior/
Audit Staff
Supervisor
(Mean of 1,626
(Mean of 2,251 Responses)
Responses)
4.45
4.34
4.25
4.10
4.41
4.32
4.26
4.20
4.03
3.99
3.98
3.95
4.35
4.27
4.21
4.11
3.80
3.73
3.71
3.74
4.10
4.05
3.96
3.88
4.10
4.04
3.97
3.91
*The mean is the average response to: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 37
Table 2-2 (Cont.)
Relationship of IAA to the Organization
All Respondents in Means*
Statement
The way our internal audit activity
adds value to the governance
process is through direct access
to the audit committee.
Your internal audit activity has
sufficient status in the organization
to be effective.
Independence is a key factor for
your internal audit activity to add
value.
Objectivity is a key factor for
your internal audit activity to add
value.
Your internal audit activity is
credible within your organization.
Compliance with The IIA’s
International Standards for the
Professional Practice of Internal
Auditing is a key factor for your
internal audit activity to add value
to the governance process.
Compliance with The IIA’s Code
of Ethics is a key factor for your
internal audit activity to add value
to the governance process.
CAE
Audit Manager
(Mean of (Mean of 2,033
2,374
Responses)
Responses)
Audit Senior/
Audit Staff
Supervisor
(Mean of 1,626
(Mean of 2,251 Responses)
Responses)
3.52
3.81
3.66
3.51
4.07
3.97
3.86
3.75
4.46
4.40
4.32
4.29
4.58
4.47
4.42
4.36
4.30
4.17
4.08
3.99
3.86
3.90
3.89
3.90
4.03
4.04
3.98
3.99
*The mean is the average response to: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree.
With the majority of means above 4.0, respondents, who are all members of the IAA giving their
opinion about how others see the IAA, indicate that they believe their organizations perceive that
IAAs are independent, objective, add value, and effectively evaluate internal controls. There is
less certainty among respondents concerning their perceptions about the effectiveness of the IAA’s
approach to risk management and evaluation of the effectiveness of governance processes. These
The Institute of Internal Auditors Research Foundation
38 A Global Summary of the Common Body of Knowledge 2006 ______________________
two areas are specifically addressed in the 1999 definition of internal auditing. Respondents’
perceptions indicate strong support for the IAA’s independence, objectivity, and credibility. While
the IAA appears to be highly credible within the organization, there is less agreement about
compliance with The IIA’s Standards and Code of Ethics.
Statements with means around 4.0 indicate respondents’ agreement that the IAA has an effective
approach to risk management; is proactive in looking at important financial matters, risks, and
internal controls; has sufficient status in the organization; and compliance with The IIA’s Code of
Ethics is a key factor for the IAA to add value to its organization.
The statements ranked under 4.0 but above 3.5 indicate respondents have less support for the
statements about effectiveness in the evaluation of corporate governance and compliance with the
Standards. Overall, the perceptions by the respondents provide a very positive view of the IAA
within their organizations.
Methods Used to Measure the Value Added by the IAA
The responses to the questions about the methods used to measure the value added to the organization
by the IAA show a variety of methods being used. These include self-assessment and assessment
by others in the organization. The measures used include acceptance of recommendations (51.4%),
auditee (customer) surveys (34.6%), and the number of management requests (26.8%). Reliance
by the external auditors on the IAA is also used as a value indicator (33.5%). No formal measurement
of value added exists in 32.6% of respondents’ IAAs.
Internal Audit Activity
Managing the IAA
Standard 2000 requires that the CAE, “should effectively manage the internal audit activity to
ensure it adds value to the organization.” These activities include administrative activities such as
developing an audit plan and assigning audit tasks. Performance Standard 2200 states, “Internal
auditors should develop and record a plan for each engagement, including the scope, objectives,
timing, and resource allocations.” Over 91.5% of all respondents believe that their IAA performs
these administrative tasks.
Creating the Audit Plan
Eighty-one point three percent of respondents follow Practice Advisories PA 2010-2, Linking the
Audit Plan to Risk and Exposures, and PA 2040-1, Policies and Procedures, indicating that most
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 39
IAAs use a proper planning process. Of the organizations served by the IAA, 73.3% have a
corporate ethics policy/code of conduct. Internal audit risk assessments are performed by 69.5%
of the respondents. In the IAA, 63.0% have an internal audit operating manual/policy statement.
These are all positive indicators of effective internal audit processes.
To comply with IIA Standard 2010, Planning, the IAA should create an audit plan using a riskbased technique. Respondents indicate that 95.6% of their IAAs create a plan for their audit
activities at least annually, while 36.4% plan or revise their intentions multiple times a year. The use
of risk-based methodology to determine the audit plan is required by IIA Performance Standard
2010 and elaborated in Practice Advisory PA 2010-1, Planning. Of CAE respondents, 86.7% use
risk-based techniques in audit planning. When preparing their audit plans, requests from management
are an additional consideration used by 73.1% of CAEs.
Scope of Work and Who Performs the Audits
The definition of internal auditing and Standard 2100 includes three broad areas of responsibility
for IAAs “to evaluate and contribute to the improvement of risk management, control, and governance
processes.” The respondents were asked what percentage of the audits their IAAs performed and
what percent are outsourced or done by other departments in the organization. The IAA performs
85.6% of the internal audits, 79.1% of the operational auditing, 56.3% of the investigations of fraud
and irregularities, and 56% of the financial audits. IAAs also perform 47.1% of the ethics audits
and 48.5% of the management effectiveness audits.
Other types of work performed include control framework monitoring and development (58.9%)
and compliance with corporate governance and regulatory code requirements (51.4%). Information
risk assessment (47.5%), internal control testing and evaluation engagements (70.8%), and enterprise
risk management (37.6%) are also performed by the IAA to determine what areas may need to be
made more effective and efficient.
The three largest audit areas that are outsourced/co-sourced outside the IAA are financial auditing
(27.2%), information technology department assessment (18.8%), and quality/ISO audits (14.1%).
The three areas where fewer audits are performed by the IAA are social and sustainability audits
(40%), quality/ISO audits (32.5%), and ethics audits (27.4).
Risk management work performed within organizations includes business viability assessments,
enterprise risk management support and information risk assessment. The majority of business
viability assessments are performed by other departments within the organization (51.6%). IAAs
perform 24.6% of these audits while 16.8% of the respondents report that these audits are not
performed at all. For enterprise risk management assessment activities, IAAs perform 37.6% of
The Institute of Internal Auditors Research Foundation
40 A Global Summary of the Common Body of Knowledge 2006 ______________________
these activities, other departments within the organization perform 43.6%, and 6.5% of these
activities are co-sourced or outsourced. In the area of information risk assessment, the IAA performs
47.5% of the activities and other departments perform 30.9%.
Practice Advisory 2120.A1-1, Assessing and Reporting on Control Processes, states that testing
“compliance with laws, regulations, and contracts” is part of the IAA’s study and evaluation of
internal controls. Two areas where the IAA performs compliance activities are compliance with
company privacy policies (43.1%) and health, safety, and environment (22.1%).
The definition of internal auditing includes consulting in its scope of acceptable audit activities.
Areas of consulting included in the study indicate that 11.3% of the activities for corporate takeovers/
mergers are performed by IAAs while 50.4% are handled by other departments in the organization.
The IAA provides 46.2% of the support for external auditors, while other departments provide
28.1% and co-sourced or outsourced work accounts for 14% of the activities required. Project
management activities are performed mainly by other departments (58.3%) with 27.7% of these
activities provided by the IAA. Both the IAA and other departments in the organization provide
39.6% of the activities for special projects with 15.4% being co-sourced or outsourced.
Performing the Engagement
The demands on the IAA and its staff are increasing as the significance and usefulness of the
work of the IAA become better known and valued. This can strain the resources of most IAAs as
they enhance their presence in the organization. The use of tools and techniques helps the auditor
successfully plan, monitor progress, document, analyze data, complete the audit, and determine the
magnitude of audit findings. The objective for this area of the study was to determine which tools
the IAA finds necessary for internal auditors to successfully perform their engagements.
The tools and techniques included in this survey were identified by reviewing the Standards and
Practice Advisories, internal auditing literature, past CBOK studies, and the current CBOK’s pilot
study. Based on this review, 16 tools and techniques were identified as being important for the IAA
and its staff when performing the audit. Some tools/techniques are in the area of audit administration
(planning or managing) while others relate to helping internal auditors perform their engagements
(analyzing data or statistical sampling). Respondents could not add to or amend the list that was
included in the CBOK 2006 survey. The respondents were asked to indicate which listed tools and
techniques their IAAs currently use or plan to use in the next three years by rating all the tools/
techniques listed on a five point scale: 1, Not Used, through 5, Extensively Used. Results are
shown in Table 2-3, indicating the ranking of response means by position in the IAA.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 41
The results in Table 2-3 show that that all respondents, regardless of their position, almost uniformly
rank the same three tools as most used by the IAA. Other electronic communications was the
highest ranked tool. Risk-based audit planning uniformly ranked second with a mean approximately
one-half a percentage point less than that of electronic communications. Other than electronic
communications (e.g., Internet, e-mail) and risk-based audit planning, only analytical review has a
mean above 3.00 for all respondents. These three tools match the core tasks of the IAA: planning,
documenting fieldwork, and communication. Documentation and communication can be very
labor intensive when completed without technological support. As such, it is appropriate that the
IAA would have first invested and developed tools in these areas.
Table 2-3
Extent the IAA Currently Uses Audit Tools and Techniques
All Respondents by Rank*
Tools/Techniques
Other electronic communication
(e.g., Internet, e-mail)
Risk-based audit planning
Analytical review
Electronic workpapers
Statistical sampling
Computer-assisted audit
techniques
Flowchart software
Benchmarking
Process mapping application
Control self-assessment
Data mining
Continuous/real-time auditing
The IIA’s quality assessment
review tools
Balanced scorecard or similar
framework
Total quality management
techniques
Process modeling software
Overall
CAE
Audit Audit Senior/
Manager Supervisor
Audit
Staff
Other
1
1
1
1
1
1
2
3
4
5
6
2
3
4
5
6
2
4
3
6
5
2
3/4
3/4
5
6
2
4
3
5
6
2
3
4
5
6
7
8
9
10
11
12
13
8
7
9
11
10
12
13
7
8
9
10
11
13
12
7
9/10
8
9/10
12
11
14
8/9
11
8/9
10
12
7
14
7/8
7/8
10
9
12
11
14
14
14
14
13
15
15
15
15
15
15
13
13
16
16
16
16
16
16
*In some cases the rankings were tied. For example, rankings of Benchmarking and Control self-assessment at the Audit
Senior/Supervisor level were tied.
The Institute of Internal Auditors Research Foundation
42 A Global Summary of the Common Body of Knowledge 2006 ______________________
Process modeling software is a tool that is generally not used (ranked 16 of 16) by the respondents.
Based on ranks and means, other tools and techniques not currently used by many respondents are
total quality management techniques, the balanced scorecard, the IIA’s quality assessment review
tools, continuous/real-time auditing, data mining, and control self-assessment.
Respondents were also asked to indicate their planned use of the listed tools and techniques in the
next three years. Results show that in the next three years a higher number of CAEs and Practitioners
will extensively use the listed tools and techniques, more than they presently do. Significant increases
in usage were indicated for risk-based audit planning and computer-assisted audit techniques.
Increased usage was also noted for The IIA’s quality assessment review tools, process modeling
software, the balanced scorecard or similar frameworks, continuous real-time auditing, data mining,
and control self-assessment.
These findings are very important since these are the tools and techniques suggested by the
Standards, practice advisories, and best practices.
Resolution of Major Differences
Practice Advisory 2410-1, Communication Criteria, suggests, “As part of the internal auditor’s
discussions with the engagement client, the internal auditor should try to obtain agreement on the
results of the engagement and on a plan of action to improve operations, as needed.” CAE
respondents were asked to indicate at what points in the audit process major differences are
resolved. Several categories could be selected by each respondent indicating major issue resolution
in multiple phases of the audit process. Of those responding, 44.5% usually resolve major differences
during audit fieldwork and 45.2% usually resolve them during the audit reporting phase. Thirty-two
point four percent sometimes resolve audit issues during planning, while 28.5% indicated that
resolution rarely happens during the planning stage.
Reporting of Findings
Standard 2440, Disseminating Results, states, “The chief audit executive should communicate
results to the appropriate parties.” The majority of the respondents agree that the responsibility of
reporting audit findings rests with the CAE. CAEs believe they should report the findings alone
(75.1%) or jointly with the client (10.3%), while Audit Managers indicate they should report the
findings alone (28.2%) or with the client (9.4%).
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 43
Monitoring Corrective Action
In Standard 2500, Monitoring Progress, “The chief audit executive should establish and maintain a
system to monitor the disposition of results communicated to management.” Standard 2500.A1
goes on to require “a follow-up process to monitor and ensure that management actions have been
effectively implemented or that senior management has accepted the risk of not taking action.” Of
the respondents in varying positions in the IAA, 37.5% to 54.5% believe that both the internal
auditor and client together have the primary responsibility to monitor adoption of needed corrective
action. From 25.8% to 35.7% of the respondents indicated that the internal auditor has the primary
responsibility. The majority of respondents indicated that their organizations have some formal
monitoring system. With the exception of the Other respondents (8.5%), only 2.0% to 3.4% indicated
they had no formal follow-up procedures. Although these results indicate that this responsibility is
often shared with management, the Standards state that the CAE is responsible for monitoring
corrective action.
Staffing and Professional Development
Staffing
In most organizations, in-house internal auditors cover over 90% of the work. Publicly listed
companies average the highest in-house audits with 95.4% coverage. Despite the opportunity for
outsourcing and co-sourcing, most organizations are conducting their internal audits with in-house
staff. Consultants are the largest group of service providers for IAAs. Thirty-three percent of
CAEs indicated that their budget for co-sourcing and outsourcing will increase in the next three
years.
The survey responses indicate that most respondents’ IAAs are relatively small operations in
terms of staffing but that staff is skewed to more experienced internal auditors. In 44% of the
organizations, there are only two to five general Audit Staff members. The two main methods
CAEs use to cover staff vacancies are reduction in areas of coverage (30.7%) and co-sourcing
with internal audit service providers (28.7%).
The Institute of Internal Auditors Research Foundation
44 A Global Summary of the Common Body of Knowledge 2006 ______________________
Continuing Professional Development and Certification in Internal Auditing
The IIA requires 80 hours of continuing professional development (CPD) every two years. The
IIA Attribute Standard 1230, Continuing Professional Development, requires internal auditors to
“enhance their knowledge, skills, and other competencies through continuing professional
development.” Respondents were asked how many hours of formal training they received over the
last 36 months or while they have been working in their IAA if less than 3 years. Training includes,
but is not limited to, seminars, conferences, workshops, and in-house information sessions provided
by either the respondent’s organization or other organizations.
The range in hours of formal training reported is from none to more than 240 hours. There is an
expectation that all respondents would have taken at least 120 hours of CPD over the prior threeyear period. Of the CAEs, 48.2% achieved or exceeded 120 hours of CPD. Another 16.4% of the
CAEs attained the 80-119 hour level of CPD. The percentages of respondents at the other staff
levels that achieved 120 or more hours of formal training are: 49.1% for Audit Managers, 42.4%
for Audit Seniors/Supervisors, 35.5% for Audit Staff, and 34.1% for Others.
Compliance with the Standards mandates 40 hours of CPD annually. In some parts of the world,
due to the small size of the internal auditor population, it may be difficult to find the continuing
professional development needed to upgrade skills. There are many ways that IAAs can obtain
CPD for their staff even if funding or scarcity of local CPD courses are a concern. With the use
of the Internet, members can attend online conferencing events provided by The IIA, download
IIA position statements, and research online how to perform such activities as control self-assessment.
The IIA has monographs and other materials on multiple topics to aid in training internal auditors.
Of the respondents, 39.4% have a certification in internal auditing (e.g., CIA, MIIA), and about
one-fourth of the respondents have a certification in public accounting/chartered accountancy.
Possession of additional certification appears more common as individuals progress professionally
in the IAA.
Internal Auditor Skills
Since the scope of audit responsibilities outlined in the definition of internal auditing expanded in
1999, the types of audits and consulting activities performed by IAAs have increased. Skills used
by internal auditors have evolved and changed to meet the challenges of performing these new
types of audits.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 45
Standard 1220, Due Professional Care, requires internal auditors to “apply the care and skill expected
of a reasonably prudent and competent internal auditor.” The objective for this question is to
determine the behavioral and technical skills necessary for internal auditors to successfully perform
their jobs at their position in the IAA. Recognizing the evolutionary nature of the profession, the
following two sections summarize the skills internal auditors are currently expected to possess as
they perform their roles.
All respondents were provided a list of technical and behavioral skills developed from the Standards
and Practice Advisories, internal auditing literature, past CBOK studies, and the current CBOK
2006 pilot survey . Respondents were unable to amend or change the list of skills provided. CAEs
were asked to identify the five most important technical and behavioral skills they and their staff
need to possess in order to be successful at their position in the IAA. Practitioners were asked to
indicate the importance of the listed skills to perform their work at their current staff position by
ranking the skills on a scale of 1 (minimally important) to 5 (very important). As a guide when
answering the survey questions, respondents were given the following definition of technical skills:
“using terminology or subject matter in a particular field.” Behavioral skills were defined in the
survey as “actions towards others measured by commonly accepted standards and management
of one’s own actions.”
Technical Skills
CAEs believe that understanding the business and risk analysis are skills that are most important
for themselves. There is no individual technical skill that is highly rated by CAE respondents for all
staff levels in the IAA. Technical skills that are considered more important for the Audit Staff but
less critical for CAEs are identifying types of controls, use of information technology, statistical
sampling, and data collection and analysis. Other skills, such as forensic skill/fraud awareness, risk
analysis, and negotiating, are considered more important for CAEs and not as vital for the Audit
Staff or Audit Seniors/Supervisors.
As shown in Table 2-4, when reviewing the mean ranking of technical skills by Practitioners, the
consistency in rankings among the three traditional staff levels (Audit Manager, Audit Senior/
Supervisor, and Audit Staff) is very noticeable. The decreasing importance of certain skills as one
achieves higher levels in the IAA is indicated for some technical skills, but the direction of the
change is more significant than the magnitude of the decrease. Statistical sampling and data collection
and analysis have the largest changes between professional ranks.
The Institute of Internal Auditors Research Foundation
46 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 2-4
Importance to Respondent of Technical Skills to Perform Work
Practitioner Respondents by Means*
Technical Skills
Data collection and analysis
Financial analysis
Forensic skills/fraud awareness
Identifying types of controls
(e.g., preventative, detective)
Interviewing
ISO/quality knowledge
Negotiating
Research skills
Risk analysis
Statistical sampling
Total quality management
Understanding the business
Use of information technology
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
4.1
3.8
3.6
4.3
4.3
3.9
3.6
4.2
4.4
3.7
3.6
4.1
4.3
2.9
3.7
3.9
4.4
3.2
2.9
4.5
4.1
4.3
2.9
3.6
4.0
4.3
3.3
2.9
4.4
4.1
4.3
3.0
3.5
4.0
4.2
3.5
3.0
4.3
4.1
*The mean is the average response to: 1 = minimally important to 5 = very important.
Note: Not all respondents answered for all the skills. Total number of respondents was between 4,686 and 4,756.
Behavioral Skills
The results show that CAEs and Practitioners almost uniformly consider confidentiality and objectivity
among the five most important behavioral skills. The CAEs’ responses for other behavioral skills
indicate a difference among the skills needed based on the professional levels analyzed (CAE,
Audit Manager, Audit Senior/Supervisor, and Audit Staff). While leadership is considered the most
important skill that CAEs should possess, CAEs indicate that for the Audit Staff, interpersonal
skills and being a team player are most important. From the CAE’s perspective, when viewing the
importance of behavioral skills across the array of hierarchical positions in the IAA, leadership,
governance and ethics sensitivity, and staff management show a trend of increasing importance.
As one progresses to higher levels of professional responsibility and status, being considered a
team player and being able to work independently decline in importance.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 47
Practitioners were asked to indicate the importance of the same 12 behavioral skills for performing
their work at their current position in the organization. Respondents indicated importance on a
scale of 1 (minimally important) to 5 (very important). Analysis broken up into three professional
levels (Audit Manager, Audit Senior/Supervisor, and Audit Staff) is shown in Table 2-5. As indicated
by a mean of 4.0 and above, practitioners consider almost all the behavioral skills listed to be
important to perform their work at their current position in the IAA.
Table 2-5
Importance of Behavioral Skills to Perform Work
Practitioner Respondents by Mean*
Behavioral Skills
Confidentiality
Facilitating
Governance and ethics sensitivity
Interpersonal skills
Leadership
Objectivity
Relationship building
Staff management
Team building
Team player
Work well with all levels of management
Working independently
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
4.8
4.1
4.4
4.6
4.3
4.8
4.4
4.1
4.2
4.3
4.6
4.2
4.8
4.0
4.3
4.5
4.1
4.8
4.4
3.8
4.0
4.2
4.6
4.2
4.7
3.9
4.3
4.5
3.9
4.7
4.3
3.5
3.9
4.2
4.5
4.2
*The mean is the average response to: 1 = minimally important to 5 = very important.
Note: Not all respondents answered for all the skills. Total number of respondents is between 4,742 and 4,790.
No one person can possess all the behavioral and technical skills needed by the IAA to perform the
different types of audits and consulting engagements necessary to fulfill all the needs of the
organization. Although many of the staff can be generalists, IAAs may need to hire specialists and/
or outsource audits as needed.
The Institute of Internal Auditors Research Foundation
48 A Global Summary of the Common Body of Knowledge 2006 ______________________
Internal Auditor Competencies and Knowledge Areas
Competency and knowledge areas are essential for the success of an individual internal auditor,
the completion of an audit, and the overall success of the IAA. Standard 1210, Proficiency, requires
the “internal audit activity collectively should possess or obtain the knowledge…and other
competencies needed to perform its responsibilities.” Standard 1230, Continuing Professional
Development, indicates that these competencies and knowledge areas must be continually updated
and current. Internal auditors at all levels need to obtain and develop a range of competencies and
knowledge areas that enable them to perform their work effectively and enable the IAA to function
properly.
Competencies
Competencies range from generally applicable individual skills such as time management and
presentation skills to qualities that are specific to internal auditors such as the ability to promote the
IAA within the organization. Internal auditors also must have different competencies for satisfactory
performance at various hierarchical positions in the IAA. As a guide for respondents, competencies
were defined in the survey as “skills essential to perform certain tasks.” The importance of
competencies is highlighted since it is one of four principles in The IIA’s Code of Ethics. The Code
of Ethics states that competency is when “internal auditors apply the knowledge, skills, and
experience needed in the performance of internal auditing services.” Respondents were unable to
amend or add to the list of competencies that was given.
CAEs were asked to identify the five most important competencies they need to possess in order
to be successful as the leader of their IAA. They were also asked to identify the five most important
competencies that Audit Managers, Audit Seniors/Supervisors, and Audit Staff each need to perform
their jobs.
As shown in Table 2-6, CAEs commonly indicated as their most important competency the ability
to promote the IAA within the organization. This is consistent with the Standards. Standard 2000,
Managing the Internal Audit Activity, states that the CAE “should effectively manage the internal
audit activity to ensure it adds value to the organization.” CAEs view the ability to be analytical and
communicate as the most important competencies for Audit Seniors/Supervisors and the Audit
Staff. Based on the CAEs’ responses, writing and analytical skills decline in importance as one
advances in positional responsibility and status.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 49
Table 2-6
Most Important Competencies by Staff Level
CAE Respondents (2,092 ) in Percentages
Competencies
Ability to promote the internal audit activity within
the organization
Analytical (ability to work through an issue)
Change management
Communication
Conceptual thinking
Conflict resolution
Critical thinking
Foreign language skills
Keeping up to date with professional changes in
opinions, standards, and regulations
Organization skills
Presentation skills
Problem identification and solution
Project planning and management
Report development
Time management
Training and developing staff
Understanding complex information systems
Writing skills
CAE
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
78.1
28.3
10.9
9.3
24.9
34.7
60.3
38.0
41.2
31.3
13.4
41.3
31.5
20.4
46.7
20.7
35.3
26.3
10.8
31.0
47.7
7.6
43.2
16.1
20.2
31.0
8.1
22.9
63.9
4.1
51.9
17.8
7.2
43.9
12.4
22.5
30.3
37.4
21.6
24.7
13.0
15.8
30.1
12.4
23.6
27.9
25.5
23.8
35.7
23.0
18.7
38.2
14.9
24.2
22.0
15.5
34.5
24.3
27.3
28.2
20.9
16.1
32.0
20.9
13.0
47.0
7.1
22.1
40.2
2.6
16.3
51.0
Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
50 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 2-7
Importance of Competencies to Perform Work
Practitioner Respondents in Means*
Competencies
Ability to promote the internal audit activity
within the organization
Analytical (ability to work through an issue)
Change management
Communication
Conceptual thinking
Conflict resolution
Critical thinking
Foreign language skills
Keeping up to date with professional changes
in opinions, standards, and regulations
Organization skills
Presentation skills
Problem identification and solution
Project planning and management
Report development
Time management
Training and developing staff
Understanding complex information systems
Writing skills
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
4.32
4.15
4.11
4.52
4.03
4.61
4.33
4.27
4.48
2.59
4.05
4.53
3.89
4.59
4.29
4.24
4.43
2.54
4.01
4.45
3.72
4.54
4.25
4.13
4.36
2.66
4.02
4.15
4.13
4.50
4.13
4.31
4.26
4.06
3.79
4.49
4.13
4.03
4.48
4.02
4.27
4.25
3.74
3.73
4.47
4.13
4.02
4.44
3.84
4.19
4.21
3.56
3.65
4.39
*The mean is the average response to: 1 = minimally important to 5 = very important.
Note: Not all respondents answered for all the competencies. Total number of respondents was between 4,693 and
4,735.
Practitioners, when asked to indicate the importance of the eighteen competencies to their own job
performance at their current position in the organization, considered almost all of the competencies
equally important across the positional levels in the IAA. This is indicated by only marginal differences
across staff levels in the means on Table 2-7. CAEs appear to be viewing competencies appropriate
for a positional level from a department manager’s perspective, while Practitioners appear to view
a variety of competencies necessary for their success.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 51
Knowledge Areas
This section looks at 19 areas of knowledge to determine which are important to internal auditors
for the satisfactory performance of their job in the IAA. As indicated in Table 2-8, Practitioners
were asked to indicate the importance of these 19 areas of knowledge to perform their work at
their current position in their organization on a scale of 1 (minimally important) to 5 (very important).
They were unable to amend or add to the list. Knowledge of auditing is overwhelmingly ranked
first for Practitioner respondents at all levels, and Ethics is ranked second by all levels except for
Audit Seniors/Supervisors where it is ranked third. Other knowledge areas consistently ranked in
the top five for all Practitioner respondents are internal auditing standards, technical knowledge for
your industry, and fraud awareness. There is an overall consistency of means for knowledge areas
at all staff levels.
The Institute of Internal Auditors Research Foundation
52 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 2-8
Importance of Areas of Knowledge to Perform Work
Practitioner Respondents in Means*
Areas of Knowledge
Accounting
Auditing
Business law and government regulation
Business management
Changes to professional standards
Enterprise risk management
Ethics
Finance
Fraud awareness
Governance
Human resource management
Internal auditing standards
Information technology
Managerial accounting
Marketing
Organization culture
Organizational systems
Strategy and business policy
Technical knowledge for your industry
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
3.83
4.68
3.68
3.75
3.71
3.85
4.21
3.70
4.00
3.95
3.44
4.19
3.85
3.35
2.70
3.91
3.75
3.73
3.97
3.77
4.66
3.70
3.60
3.64
3.74
4.18
3.68
3.93
3.80
3.23
4.19
3.84
3.30
2.60
3.79
3.76
3.61
3.92
3.71
4.61
3.68
3.53
3.68
3.71
4.26
3.64
3.91
3.77
3.15
4.24
3.79
3.27
2.64
3.82
3.78
3.60
3.96
*The mean is the average response to: 1 = minimally important to 5 = very important.
Note: Not all respondents answered for all the knowledge areas. Total number of respondents was between 4,711 and
4,751.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 53
Emerging Roles of the Internal Audit Activity
Changing Emphasis on Types of Audits
This section focuses on the anticipated changes in the demand for general types of audits that will
be performed by the IAA in the next three years. The definition of internal auditing in The IIA’s
1999 report, A Vision for the Future: Professional Practices Framework for Internal Auditing,
acknowledges the importance of assurance services and consulting engagements in the areas of
risk management, governance, and controls. With this expansion of scope, audits are expected to
be performed by IAAs in these three areas. In order to assess the amount of staff, their required
competencies, and the skills needed in the near future, the profession needs to anticipate changes
in the demand for the IAA’s services. The IAA also must consider changes in their organizations’
risk maturity profiles and stakeholder requirements. Table 2-9 shows the opinions of all respondents
to the question about whether they perceive the general types of audits performed by the IAA will
increase, decrease, or stay the same over the next three years.
Table 2-9
Anticipated Changes in Types of Audits to Be Performed
Within the Next Three Years
All Respondents in Percentages
Activity
Risk management
Governance
Regulatory compliance
Operational auditing
Review of financial processes
Total
Increase
Responses
6,728
6,704
6,698
6,715
6,724
79.5
63.2
46.9
46.2
43.5
Decrease
Stay the
Same
Total
Percent
2.3
4.0
11.7
14.7
14.6
18.2
32.8
41.4
39.1
41.9
100.0
100.0
100.0
100.0
100.0
The Institute of Internal Auditors Research Foundation
54 A Global Summary of the Common Body of Knowledge 2006 ______________________
Of respondents, 79.5% predict that the greatest increase in the type of audits performed in the next
three years will be for risk management and 63.2% predict an increase in governance audits. The
increase in these types of audits will need to be reflected in the IAA’s internal audit plan, resources
allocated, and in the audit staff’s competencies. For many of the respondents, reviews of financial
processes (43.5%), regulatory compliance (46.9%), and operational auditing (46.2%) show increases.
Some respondents anticipate that less time will be spent on operational audits (14.7%), review of
financial processes (14.6%), and regulatory compliance audits (11.7%).
IAAs’ Emerging Roles in Organizations’ Activities
To gain an understanding of what roles IAAs have and will have in various types of activities
performed within the organization, respondents were provided with a list of important tasks
performed by organizations. They were asked to indicate if their IAA currently has a role in the
area, if the IAA will likely have a role in the next three years, or if it is unlikely that the IAA will
have a role. Role was defined as being within the IAA’s scope of work. The list was created by
reviewing internal auditing literature and from the CBOK 2006 pilot survey. An overview of all
responses is shown in Table 2-10.
The respondents’ IAAs do some type of work in many of the areas listed. The four highest-rated
areas where respondents indicate that their IAAs currently perform audits are fraud prevention
(69% of respondents), risk management (66.6%), regulatory compliance assessment monitoring
(64%), and corporate governance (52.2%). Areas where respondents’ IAAs currently have less
developed roles are globalization (15.3%), environmental sustainability (14%), and emerging markets
(11.5%). For areas where there is no current IAA involvement, respondents indicate that 17.7% to
38.1% of their IAAs plan some engagements in the next three years. Areas where the IAA’s
current involvement is low and is expected to remain low are executive compensation (45.4%),
environmental sustainability (39.9%), emerging markets (39.5%), globalization (35.2%), intellectual
property and knowledge assessment (35.1%), and mergers and acquisitions (30.8%).
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 55
Table 2-10
Emerging Roles of the IAA
Total Responses in Percentages
Roles
Total
Currently Likely to Have Unlikely to
Not
Total
Respon- Have a Role a Role Within Have a Role Applicable
dents
the Next 3
Years
Alignment of strategy
and performance
measures (e.g., Balanced
Scorecard)
Benchmarking
Corporate governance
Corporate social
responsibility
Develop training and
education of organization
personnel (e.g., internal
controls, risk management,
regulatory requirements)
Disaster recovery
Evidential issues
Emerging markets
Environmental sustainability
Executive compensation
Fraud prevention/detection
Globalization
Intellectual property and
knowledge assessment
IT management assessment
Knowledge management
systems development review
Mergers and acquisitions
Project management
Provide training to the
audit committee
Regulatory compliance
assessment monitoring
Risk management
Strategic frameworks
6,500
23.1
35.2
30.1
11.6
100.0
6,476
6,511
6,415
28.6
52.2
23.6
35.7
31.2
31.6
26.0
11.4
33.8
9.7
5.2
11.0
100.0
100.0
100.0
6,522
46.6
34.4
15.3
3.7
100.0
6,490
6,385
6,426
6,436
6,429
6,530
6,431
6,391
34.0
39.8
11.5
14.0
16.0
69.0
15.3
19.2
26.1
23.9
22.5
24.7
17.7
22.9
21.1
28.4
29.0
23.5
39.5
39.9
45.4
5.7
35.2
35.1
10.9
12.8
26.5
21.4
20.9
2.4
28.4
17.3
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
6,453
6,387
46.1
26.1
32.2
38.1
16.8
26.9
4.9
8.9
100.0
100.0
6,437
6,410
6,436
18.4
39.8
31.2
23.7
27.6
34.4
30.8
25.1
21.7
27.1
7.5
12.7
100.0
100.0
100.0
6,442
64.0
23.0
9.2
3.8
100.0
6,509
6,407
66.6
27.0
25.5
36.8
5.6
27.7
2.3
8.5
100.0
100.0
The Institute of Internal Auditors Research Foundation
56 A Global Summary of the Common Body of Knowledge 2006 ______________________
Changing Legal Environment, Organization Systems, and Role of the IAA
Table 2-11 captures CAE and Audit Manager respondents’ agreement with statements about their
organizations and their IAA. The question asked if a statement currently applies, is likely to apply
within the next three years, or will not apply in the foreseeable future. The respondents indicate
that 61.2% of the IAAs currently reside in countries that have mandatory laws or regulations that
require organizations to have an IAA and 13.1% anticipate their countries will have such requirements
in the next three years. Corporate governance codes are complied with in 67.7% of the organizations
with 22.7% of the respondents’ organizations anticipating compliance with corporate governance
codes in the next three years. In 70.5% of the respondents’ organizations, there is an internal
control framework and 24.3% indicate that their organizations will have a framework in the next
three years. Assurance audits receive more emphasis than consulting services in 71.5% of the
organizations.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 57
Table 2-11
How Statements Apply to Your Organization
CAEs’ and Audit Managers’ Agreement with Statements in Percentages
Statement
Number of Currently Likely to
Will Not
Not
Total
Respondents Applies
Apply
Apply in the Applicable
Within the Foreseeable
Next 3
Future
Years
Internal auditing is required
by law or regulation where
the organization is based.
Internal auditors in the
organization have an
advisory role in strategy
development
The organization complies
with a corporate governance
code.
The organization has
implemented an internal
control framework.
The organization has
implemented a knowledge
management system
The internal audit activity
has provided training to
audit committee members.
The internal audit activity
assumes an important role
in the integrity of financial
reporting.
The internal audit activity
educates organization
personnel about internal
controls, corporate
governance, and compliance
issues.
The internal audit activity
places more emphasis on
assurance than consulting
services.
3,464
61.2
13.1
12.9
12.8
100
3,445
28.9
32.7
30.3
8.1
100
3,447
67.7
22.7
4.3
5.3
100
3,443
70.5
24.3
3.5
1.7
100
3,423
25.6
43.9
20.6
9.9
100
3,424
34.0
32.3
18.5
15.2
100
3,437
55.7
25.6
13.8
4.9
100
3,437
64.3
25.3
7.3
3.1
100
3,448
71.5
15.2
8.4
4.9
100
The Institute of Internal Auditors Research Foundation
58 A Global Summary of the Common Body of Knowledge 2006 ______________________
The IAAs (64.3% currently, 25.3% more in three years) educate the organizations’ personnel
about internal control, corporate governance, and compliance issues. Many IAAs (55.7% currently,
25.6% more in three years) have an important role in the integrity of their organizations’ financial
reporting. Internal auditors have growing advisory roles in strategy development (28.9% currently,
32.7% more in three years) and training of audit committee members (34% currently, 32.3% more
in three years). The top three statements that some respondents selected as will not apply in the
foreseeable future are that internal auditors have a role in strategy development (30.3%), in the
training of audit committee members (18.5%) and in the integrity of financial reporting (13.8%).
Summary
Compliance with The IIA’s International Standards for the Professional Practice of Internal
Auditing is essential if the responsibilities of internal auditors to their organizations are to be met.
Respondents strongly believed that their organizations comply overall with the Standards. Reasons
for not using the Standards related to organizational attributes, such as management’s perceptions
that the Standards do not add value, lack of adequate IAA staff, and that it is too time-consuming
to comply with them. IAAs should strive to fully comply with the Standards. It appears that
Standard 1300, Quality Assurance and Improvement Program, is a barrier to full compliance for
many organizations worldwide. Additional guidance with suggestions for less costly ways to comply
with this standard could result in more members fully complying with the Standards.
The CBOK 2006 database provides information about the evolving role of internal auditing as a
value-added activity that helps an organization manage its risks and take advantage of opportunities.
The profession of internal auditing is a rich resource for organizations as the IAA monitors the
adequacy and effectiveness of management’s internal control framework and contributes to the
integrity of corporate governance; risk assessment; and financial, operating, and IT systems. The
CBOK 2006 database identifies the attributes of an effective IAA; internal auditor skills,
competencies, and knowledge; internal audit tools and techniques; and the emerging roles of the
IAA. This database can be used to inform the business community about what resources and
services the internal auditor can provide and what skills and knowledge are needed by internal
auditing professionals. The database will be updated to document the evolution of global internal
audit practices. Future studies will build upon this baseline, allowing for comparison, analysis, and
trending.
The Institute of Internal Auditors Research Foundation
_______________________ Chapter 2: A Worldwide Picture of the Internal Audit Activity 59
References
1. Morton, Peter, The New York Stars, camagazine.com,
www.camagazine.com/index.cfm?ci_id=33982&la_id=1&print=true
2. Sams, Rachel, “New Accounting Laws Make Internal Auditors ‘Rock Stars,’” Baltimore
Business Journal, June 5, 2006,
baltimore.bizjournals.com/baltimore/stories/2006/06/05/story3.html
3. The Institute of Internal Auditors, “By the Numbers,” IIA Insight, Vol. 1/November 2006, pp.
8-9.
4. The Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs,
FL: The Institute of Internal Auditors Research Foundation), 2005.
The Institute of Internal Auditors Research Foundation
60 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS
Chapter 3
Chapter 3: Survey Demographics............................................................................................ 61
Introduction........................................................................................................................... 61
Staff Levels of Respondents ................................................................................................. 63
IIA Membership.................................................................................................................... 64
Age of the Respondents ........................................................................................................ 67
Highest Level of Formal Education ...................................................................................... 70
Professional Qualifications ................................................................................................... 76
Areas of Professional Experience ......................................................................................... 80
Years of Existence of IAA and Years of CAE Experience................................................... 81
Types of Organizations ......................................................................................................... 86
Service Providers of Internal Audit Services........................................................................ 89
Age of Organizations ............................................................................................................ 90
Industry Classification(s) ...................................................................................................... 91
Geographical Area Served by Organization ......................................................................... 96
Appendix 3............................................................................................................................ 99
Disclosure
Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland
Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of
America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior
written permission of the publisher.
The IIARF publishes this document for informational and educational purposes. This document is intended
to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide
such advice and makes no warranty as to any legal or accounting results through its publication of this
document. When legal or accounting issues arise, professional assistance should be sought and retained.
The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full
range of existing and developing practice guidance for the profession. The IPPF provides guidance to
internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA
Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting
research and knowledge resources to enhance the development and effectiveness of the internal auditing
profession.
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 61
CHAPTER 3
SURVEY DEMOGRAPHICS
Introduction
The following is a summary of the demographics of the CBOK 2006 respondents and their
organizations. The total number of responses to the CAE and Practitioner questionnaires was
15,028. After consultation with an independent statistical expert, responses were determined to be
not useable if the reply was blank or the respondent did not answer enough questions on important
sections such as the use and application of the Standards. Upon completion of this process, 9,366
useable responses remained. This results in an overall 7.3% response from the 127,735 IIA members
on September 30, 2006. Due to some affiliates not participating and some members who have
opted not to receive e-mails from The IIA, the survey was sent to approximately 99,000 members
resulting in an estimated 9.5% response rate.
The overall purpose of the CBOK 2006 project is to develop the most comprehensive database
ever to capture a current view of the global state of the internal audit profession. The database will
be updated to recognize the evolution of global internal audit practices. Future studies will build
upon this baseline, allowing for comparison, analysis, and trending.
The number of respondents answering a specific question will often differ from the 9,366 total
respondents in this study. This is due to the following reasons:
•
•
Not all of those who participated in the survey answered all the questions asked. Results
are shown and discussed only for those respondents who answered a particular survey
question.
Not all questions were asked of all respondents.
o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).
o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).
o Some questions were asked of both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the internal
audit activity (IAA). These more detailed summaries of results may be provided for the five
The Institute of Internal Auditors Research Foundation
62 A Global Summary of the Common Body of Knowledge 2006 ______________________
categories of respondents: CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and
Other. The respondents in the Other category consist primarily of other professional staff whose
positions are not captured by the traditional job titles included in the survey. A review of their
credentials indicates they may be members of the IAA, employed by service providers, or in
organizations where their titles are less traditional but with duties within internal auditing.
When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.
For a list of groups, please refer to Appendix 1-B of the report. Some tables have additional details.
For example, Table 3-2 is the total of all respondents for that question with a related Table 3-2-1
showing the responses by group. A table can have more than one related table, where the second
related table would be Table 3-2-2. Additional related tables may be located in Appendix 3 at the
end of this chapter. A table that is in the Appendix can be clearly identified by an “A” at the end of
its number. For example, Table 3-6-1-A is located in Appendix 3.
Included in this chapter is information about the respondents, their IAA, and their organizations in
the areas of:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Duration of respondent’s IIA membership.
Age.
Highest level of formal education.
Academic major(s).
Professional qualification(s).
Area(s) of professional experience.
Hierarchical position of the IAA.
Years of experience as CAE.
Years organizations have had an IAA.
Organization type.
Service providers.
Industry classifications.
Geographical area(s) served by respondent organizations.
Legislation affecting internal auditing.
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 63
Staff Levels of Respondents
Respondents were asked about their position in their organization. As indicated in Figure 3-1,
26.5% of the respondents are CAEs, 22.8% are Audit Managers, and 25.2% are Audit Seniors/
Supervisors. These three highest positional levels combined represent 74.5% of respondents.
Members of the Audit Staff comprise 18.2% of the respondents and Others 7.3%. As indicated in
Table 3-5, the Other respondents have as many credentials or more credentials as those respondents
who identify themselves as Audit Seniors/Supervisors or Audit Staff.
Figure 3-1
Staff Level
All Respondents (8,935) in Percentages
Audit Staff
18.2%
Other
7.3%
Chief Audit
Executive
26.5%
Audit Senior/
Supervisor
25.2%
Audit Manager
22.8%
The Institute of Internal Auditors Research Foundation
64 A Global Summary of the Common Body of Knowledge 2006 ______________________
IIA Membership
Figure 3-2 shows that 58.6% of the respondents became members of The IIA within the last 5
years, 19.5% have been members for 6 to 10 years, and 15% have been members for 11 or more
years. This relatively high number of new members can be linked to the surge in importance of the
profession. In June 2003, IIA membership was 82,645. It grew to 127,735 in September 2006, a
54% increase in three years. D.L. Clemmons noted in The IIA’s November 2006 edition of IIA
Insight that, “Since 2005 The IIA’s strategic objectives have been to raise the profile of internal
auditing and The IIA itself through strong advocacy efforts, globalization, and service to
members...membership has risen 20 percent.” Although distribution of the original survey instrument
was only to IIA members, 6.9% of the respondents indicated they are not members of The IIA.
Figure 3-2
Number of Years as a Member of The IIA
All Respondents (8,874) in Percentages
Percentage of Respondents
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 65
Table 3-1 indicates that more than three-fourths (76.5%) of the Audit Staff respondents have been
members of The IIA for 5 years or less. Forty-six point six percent of CAEs have been members
for 5 years or less. Approximately one-fourth of the CAEs (24.3%) and Audit Managers (23.9%)
and only 16.7% of the Other respondents have been IIA members for 6 to 10 years. One-fourth of
CAEs (25.7%), 17.1 % of Audit Managers and 21.7% of the Other respondents have been members
for 11 or more years.
Table 3-1
Number of Years as a Member of The IIA
All Respondents in Percentages
Number
of
Years
CAE
Percent of
2,357
Respondents
Audit
Audit
Audit Staff
Other
Average
Managers Senior/Supervisor Percent of
Percent of Percent of
Percent of Percent of 2,240
1,617
642
8,874
2,018
Respondents
Respondents Respondents
Total
Respondents
Responses
5 or less
6 to 10
11 or
more
Not a
Member
Total
46.6
24.3
25.7
53.2
23.9
17.1
65.2
19.8
8.4
76.5
7.6
3.3
51.8
16.7
21.7
58.6
19.5
15.0
3.4
5.8
6.6
12.6
9.8
6.9
100.0
100.0
100.0
100.0
100.0
100.0
The Institute of Internal Auditors Research Foundation
66 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 3-1-1 provides an overview of the duration of IIA membership in each of the 13 groups. The
number of relatively new IIA members (5 years or less) is higher than the overall average in
groups 9 (83.5%), 7 (80.6%), 5 (74.8%), 12 (74.5%), 4 (72.5%), and 8 (72.4%). These groups may
represent a large number of countries where the internal audit profession is relatively new. The
number of respondents with a longer membership history in The IIA (6 years or more) are in
groups 10 (51.4%), 2 (48.6%), 6 (43.9%), 1 (43.4%), and 3 (43.0%). These groups appear to
represent countries where the internal audit profession is more established.
Table 3-1-1
Number of Years as a Member of The IIA by Groups*
All Respondents in Percentages
Years
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
5 or less
6 to 10
11 or
more
Not a
Member
Total
56.6
20.4
23.0
51.4
19.2
29.4
57.0
25.6
17.4
72.5
23.4
4.1
74.8
23.4
1.8
56.1
25.0
18.9
80.6
14.8
4.6
72.4
19.6
8.0
83.5
10.2
6.3
48.6
31.3
20.1
68.2
20.2
11.3
74.5
14.9
10.6
18.5
5.1
3.4
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.4
0.0
73.0
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate Affiliate or Chapter membership.
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 67
Age of the Respondents
Figure 3-3 provides an overview of the age of the survey respondents. The figure indicates that
34.8% of the survey respondents are between the ages of 35 and 44, 27.8% are between 26 and
34 years old, and 24.2% are between 45 and 54 years old. Only 9.3% are 55-64 years old, 3.5%
are 25 years old or under, and as seen in Figure 3-3, 0.4% are older than 64.
Figure 3-3
Age of Respondents
All Respondents (7,356) in Percentages
Percentage of Respondents
The Institute of Internal Auditors Research Foundation
68 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 3-2 breaks down the respondents’ age information into the 5 categories of survey respondents.
Based on this information, a positive relationship between the respondent’s age and position in the
IAA can be ascertained. More than half of the audit staff (52.4%) is younger than 35 years old,
while slightly more than half of the CAEs (50.4%) are older than 44 years old. The largest percentage
of Audit Managers (41.5%) are between 35 and 44 years old.
Table 3-2
Age of Respondents
All Respondents in Percentages
Number
of
Years
CAE
Percent of
1,944
Respondents
Audit
Manager
Percent of
1,653
Respondents
Audit Senior/ Audit Staff
Supervisor
Percent of
Percent of
1,376
1,848
Respondents
Respondents
25 or less
26 to 34
35 to 44
45 to 54
55 to 64
65 or
more
Total
0.4
11.0
38.2
34.5
15.1
0.8
0.5
25.8
41.5
23.6
8.5
0.1
3.3
39.2
32.1
18.9
6.2
0.3
100.0
100.0
100.0
Other
Percent of
535
Respondents
Average
Percent of
7,356
Total
Responses
11.2
41.2
26.4
16.3
4.8
0.1
4.7
20.2
33.8
27.3
12.5
1.5
3.5
27.8
34.8
24.2
9.3
0.4
100.0
100.0
100.0
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 69
Table 3-2-1 specifies the average age of the respondents in each of the 13 groups. Group 9
consists of relatively young respondents (35.2 years on average). Group 10 consists of relatively
older respondents (46.1 years on average). This compares with the overall average age for all
survey respondents of 40.5 years.
Table 3-2-1
Average Age of Respondents by Group*
All Respondents in Percentages
Group*
Average Age of the
Respondents
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
Total
41.6
42.9
37.4
39.9
38.2
42.6
39.9
40.8
35.2
46.1
38.8
37.3
39.8
40.5
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate Affiliate or Chapter membership.
The Institute of Internal Auditors Research Foundation
70 A Global Summary of the Common Body of Knowledge 2006 ______________________
Highest Level of Formal Education
The survey asked about the educational background of the respondents. Figure 3-4 shows the
highest level of formal education indicated by the respondents. Of the respondents, 38.1% have
obtained their bachelor’s degree in business, and 28.9% have obtained a master’s degree in business.
Fourteen point three percent have a bachelor’s degree in a non-business subject and 9.4% have a
master’s degree in a non-business field.
Figure 3-4
Respondents’ Highest Level of Education
All Respondents (8,920) in Percentages
Diploma in Business
Doctoral Degree
Percentage of Respondents
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 71
2.4
9.0
32.8
12.1
36.1
5.1
2.1
100.0
1.5
9.7
30.9
14.0
37.7
4.1
2.8
100.0
0.6
9.5
27.4
15.4
40.3
4.0
4.2
100.0
0.9
9.4
21.4
16.8
40.3
7.0
1.5
100.0
3.4
9.7
33.4
13.1
33.3
5.6
2.7
100.0
1.6
9.4
28.9
14.3
38.1
5.0
Audit
Audit Senior/ Audit Staff
Other
Average
Managers
Supervisor
Percent of
Percent of Percent of
Percent of
Percent of
1,623
649
8,920
2,029
2,249
Respondents Respondents
Total
Respondents Respondents
Responses
2.5
100.0
CAE
Percent of
2,370
Respondents
Table 3-3
Respondents’ Highest Level of Education
All Respondents in Percentages
Table 3-3 presents an overview of the highest level of education for each of the 5 categories of
respondents surveyed. There appears to be no pronounced relationship between the respondents’
highest level of education and their current position in the IAA. It also appears that for most
respondents, a bachelor’s degree or comparable level of education is necessary to enter the
profession.
Level of
Education
Secondary/
High School
Bachelor’s/
Business
Bachelor’s/
Not Business
Major
Master’s/
Graduate/
Diploma in
Business
Master’s/
Graduate/
Diploma in
Other Fields
Doctoral
Degree
Other
Total
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
Table 3-3-1
Highest Level of Formal Education by Group*
All Respondents in Percentages
Level of
Education
1
Secondary/High
1.8
School
Bachelor’s/
49.3
Business
Bachelor’s/Not
13.0
Business Major
Master’s/Graduate/ 28.8
Diploma in Business
Master’s/Graduate/
5.3
Diploma in Other
Fields
Doctoral Degree
0.9
Other
0.9
Total
100.0
2
3
4
5
6
7
8
9
10
11
12
N/C**
4.7
11.2
1.9
13.9
7.2
0.4
10.3
1.5
6.9
1.2
0.0
5.5
41.5
33.8
56.3
11.5
15.5
33.6
31.6
26.7
22.8
23.2
41.7
35.3
13.6
16.6
14.1
4.6
3.7
26.3
16.5
31.3
8.3
20.3
12.5
17.4
28.5
24.7
19.3
40.9
48.3
21.8
27.7
23.7
44.7
34.2
41.6
20.1
8.4
7.0
5.4
20.6
14.2
14.2
10.8
15.3
12.4
12.6
2.1
13.8
0.5
2.8
100.0
0.8
5.9
100.0
0.8
2.2
100.0
3.6
4.9
100.0
7.0
4.1
100.0
0.8
1.9
2.9
1.2
100.0 100.0
1.5
0.0
100.0
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate Affiliate or Chapter membership.
1.4
1.6
0.0
1.4
3.5
6.9
2.1
6.5
100.0 100.0 100.0 100.0
72 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 3-3-1 provides the educational profile of the respondents in each of the 13 groups. Several differences among
the groups can be highlighted. Bachelor’s degrees in business seem to be dominant in group 4 (56.3%), while
master’s degrees in business are more prevalent in groups 6 (48.3%), 10 (44.7%), and 5 (40.9%). Group 12, with
83.3% of respondents and group 1 with 78.1% of those responding have either a bachelor’s or master’s degree in
business. Group 9 is the only group to have less than 50.5% of respondents with a degree (bachelor’s or master’s) in
business.
_____________________________________________ Chapter 3: Survey Demographics 73
Academic Major(s)
Figure 3-5 lists the top six academic concentrations/majors indicated by survey respondents.
Accounting is the most popular academic major (55.8%) followed by general business/management
(27 %), finance (23.8%), economics (19.9%), auditing (17.8%), and internal auditing (12.7%).
Figure 3-5
Top Six Academic Majors
All Respondents in Percentages
Percentage of Respondents
Note: Since respondents were able to select all the majors that apply, percentages may not add up to 100%.
Table 3-4 on the following page provides additional information about respondents’ academic majors
by staff level. A higher percentage of the CAEs (60.0%) and Audit Managers (59.9%) have
accounting as a major than members of the Audit Staff (45.0%). Auditing as a major is more
common for Audit Managers (22.1%) and CAEs (19.8%) than for the Audit Staff (12.5%).
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
59.9
3.5
22.1
4.8
19.3
2.7
24.3
26.0
10.1
14.9
6.2
5.6
2.9
2.2
60.0
3.5
19.8
4.1
24.3
3.6
25.6
29.4
7.1
12.7
6.8
5.4
3.4
2.6
2.4
3.0
6.0
5.5
13.2
9.8
17.9
4.3
24.2
26.6
17.9
4.7
55.1
3.2
3.5
3.5
6.6
4.7
11.3
7.7
16.5
3.7
19.5
25.7
12.5
4.2
45.0
4.6
1.2
2.8
6.9
5.4
11.4
9.8
20.9
3.5
24.9
26.6
16.9
4.1
57.5
4.8
CAE
Audit
Audit
Audit Staff*
Other*
Percent of 2,374
Managers*
Senior/
Percent of 1,626 Percent of 651
Respondents Percent of 2,033
Supervisor*
Respondents
Respondents
Respondents
Percent of 2,251
Respondents
* Note: Since respondents could mark all that apply, percentages may not add up to 100%.
Accounting
Arts or
Humanities
Auditing
Computer
Science
Economics
Engineering
Finance
General
Business/
Management
Information
Systems
Internal
Auditing
Law
Mathematics/
Statistics
Science or
Technical
Field
No Degree
Major
Table 3-4
Academic Major(s)
All Respondents in Percentages*
2.5
3.1
6.5
5.3
12.7
8.9
19.9
3.6
23.8
27.0
17.8
4.4
55.8
3.9
Average
Percent of
8,935 Total*
Responses
74 A Global Summary of the Common Body of Knowledge 2006 ______________________
_____________________________________________ Chapter 3: Survey Demographics 75
Table 3-4-1 shows the rankings of the top five academic majors for the groups. Accounting is the
most prevalent major in most groups, except for group 9 (2nd place), group 5 (3rd place), and
group 8 (3rd place). In six of the groups, a general business/management major is second. The
importance of a finance major varies among the groups. Three majors, accounting, general business/
management, and finance, appear in the top 5 of all groups. Auditing appears in the rankings of 11
of the groups. Despite the importance of technology, data management systems, and the accepted
use of computer auditing, a major in information systems only appears in the top 5 of group 1 (5th
place).
Table 3-4-1
Rankings of theTop Five Academic Major(s) by Group*
All Respondents
Major
Accounting
Auditing
Economics
Finance
General Business/
Management
Information Systems
Internal Auditing
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
1
1
4
3
5
2
1
2
1
5
4
3
2
3
1
4
3
5
2
1
2
3
5
1
4
2
2
5
1
3
4
1
5
3
4
2
1
3
1
4
5
2
3
1
2
5
3
4
4
3
2
4
5
1
2
4
5
4
2
4
5
3
5
3
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate Affiliate or Chapter membership.
The Institute of Internal Auditors Research Foundation
5
76 A Global Summary of the Common Body of Knowledge 2006 ______________________
Professional Qualifications
There are many professional organizations that have qualifying tests and certifications for individuals
employed in accounting and auditing. Survey respondents were asked about their own qualifications
and CAEs were asked about certification held by employees in their departments. The top five
areas of respondents’ professional certification are shown in Figure 3-6. More than one-third
(39.4%) of the respondents have a specific certification in internal auditing and about one-fourth
(26.7%) of the respondents have a certification in public accounting/chartered accountancy. Internal
auditing and public accounting are the most common areas for professional certification. A much
smaller number of respondents have certifications in information systems auditing (10.2%),
management/general accounting (5.4%), and fraud examination (5.3%).
Figure 3-6
Top Five Areas of Professional Certification(s)
All Respondents in Percentages*
Fraud Examination
Percentage of Respondents
*Since respondents were able to select all the certifications that apply, percentages may not add up to 100%.
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
46.4
12.6
3.1
5.0
32.7
6.0
2.9
5.6
11.0
5.1
4.8
38.3
6.2
2.1
7.6
4.8
2.5
3.6
23.0
3.6
4.3
10.5
38.9
2.2
2.9
3.6
11.0
2.0
2.7
4.6
26.8
6.1
3.4
7.8
28.7
5.2
3.5
12.4
44.2
5.3
2.8
5.4
26.7
4.1
3.7
10.2
39.4
Audit
Audit Senior/ Audit Staff*
Other*
Average
Managers* Supervisor*
Percent of
Percent of Percent of
Percent of
Percent of
1,625
651
8,934
2,033
2,251
Respondents Respondents
Total*
Respondents Respondents
Responses
40.6
CAE
Percent of
2,374
Respondents
* Note: Since respondents could mark all that apply, percentages may not add up to 100%.
Internal Auditing (such as CIA/
MIIA/PIIA)
Information Systems Auditing
(such as CISA/QiCA/CISM)
Government Auditing/Finance
(such as CIPFA/CGAP/CGFM)
Control Self-assessment (such
as CCSA)
Public Accounting/Chartered
Accountancy (such as CA/CPA
/ACCA/ACA)
Management/General
Accounting (such as CMA/
CIMA/CGA)
Accounting - Technician
Level (such as CAT/AAT)
Fraud Examination (such
as CFE)
Type of Professional
Qualification
Table 3-5
Professional Qualification(s)
All Respondents in Percentages*
Table 3-5 provides specifics about the professional qualifications of the 5 categories of respondents. Internal auditing
is the most common certification for respondents in all 5 categories followed by public accounting/chartered accountancy
certification. The possession of additional qualifications appears more common as individuals progress professionally
in the IAA. For example, more CAEs (40.6%) and Audit Managers (46.4%) have an internal auditing certification
than members of the Audit Staff (26.8%).
_____________________________________________ Chapter 3: Survey Demographics 77
3.7
2.0
0.4
4.2
0.8
0.3
1.2
3.1
0.4
0.5
1.3
1.7
1.1
0.4
0.7
1.8
2.7
Audit
Audit Senior/ Audit Staff*
Other*
Average
Managers* Supervisor*
Percent of
Percent of Percent of
Percent of
Percent of
1,625
651
8,934
2,033
2,251
Respondents Respondents
Total*
Respondents Respondents
Responses
5.0
CAE
Percent of
2,374
Respondents
* Note: Since respondents could mark all that apply, percentages may not add up to 100%.
Financial Services Auditing
(such as CFSA/CIDA/CBA)
Fellowship (such as FCA/
FCCA/FCMA)
Certified Financial Analyst
(such as CFA)
Type of Professional
Qualification
Table 3-5
Professional Qualification(s)
All Respondents in Percentages*
78 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 79
Table 3-5-1 presents the rankings of the top five areas of professional qualifications for the groups.
In only 2 of the groups (groups 7 and 11) is certification in public accounting/chartered accountancy
more prevalent than internal auditing certification. The importance of certification in the areas of
internal auditing (1st place), public accounting (2nd place), and information systems auditing (3rd
place) is consistent for 75% of the groups.
Table 3-5-1
Rankings of the Top Five Professional Qualifications by Group*
All Respondents
Qualifications
Internal Auditing (such
as CIA/MIIA/PIIA)
Information Systems
Auditing (such as
CISA/QiCA/CISM)
Government Auditing/
Finance (such as
CIPFA/CGAP/CGFM)
Control Self-assessment
(such as CCSA
Public Accounting/
Chartered Accountancy
(such as CA/CPA/
ACCA/ACA)
Management/General
Accounting (such as
CMA/CIMA/CGA)
Accounting Technician Level (such
as CAT/AAT)
Fraud Examination
(such as CFE)
Financial Services
Auditing (such as
CFSA/CIDA/CBA)
Fellowship (such as
FCA/FCCA/FCMA)
1
2
3
4
5
6
7
8
9
10
11
1
1
1
1
1
1
2
1
1
1
2
1
1
3
3
3
3
5
3
4
5
3
2
3
3
5
3
2
2
4
4
2
2
4
5
5
4
3
2
2
1
4
5
5
4
4
5
2
2
3
1
4
5
4
5
3
5
12 N/C**
2
2
4
3
4
5
5
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate Affiliate or Chapter membership.
The Institute of Internal Auditors Research Foundation
4
80 A Global Summary of the Common Body of Knowledge 2006 ______________________
Areas of Professional Experience
Table 3-6 lists the respondents’ average years of experience by business area. This data was
cross-tabulated with the respondents’ current business sector.
Table 3-6
Total Years of Professional Experience by Sector
All Respondents Average Responses
Type of
Experience
Accounting
Engineering
External
(Independent)
Auditing
Finance
Information
Technology
Internal Auditing
Management
Other Professional
Experience
Service
Provider
Private
Company
Publicly
Listed
Company
Governmental
Not-forProfit
5.6
2.3
5.4
6.0
3.7
4.5
5.5
2.8
3.1
5.9
3.6
5.6
3.6
0.3
1.1
5.3
2.5
3.9
4.7
4.4
5.1
5.3
5.1
5.5
4.7
4.4
2.2
1.7
4.4
4.3
5.4
5.2
4.2
6.4
6.1
5.3
6.7
6.0
4.8
7.2
6.4
6.2
4.9
3.4
3.8
6.1
5.4
4.9
The five areas in which respondents have the most business experience are:
•
•
•
•
•
Overall
Average
Response
Internal auditing (6.1 years).
Management (5.4 years).
Accounting (5.3 years).
Other professional experience (4.9 years).
Finance (4.4 years).
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 81
This pattern is consistent for those currently employed by service providers, private companies,
publicly listed companies, and governments. Service providers work on a contractual basis to assist
organizations with assurance and consulting engagements. The not-for-profit sector respondents
indicate less overall work experience.
In Appendix 3, Tables 3-6-1-A to 3-6-5-A provide an overview of the types of work experience for
each of the 5 categories of respondents tabulated by their current employer’s business sector.
While Table 3-6-1-A shows the same top five types of professional experience for CAEs as the
overall average for all respondents in Table 3-6, CAEs have relatively more experience in each of
the business areas.
For members of the Audit Staff, Table 3-6-4-A shows a different ranking for the top five types of
experience than the overall average for all respondents in Table 3-6. Audit Staff members appear
to have the most experience in professional areas other than those specified on the survey list. For
the Audit Staff, accounting is the second most common area of experience and internal auditing
and management are tied for third.
The respondents classified as Other in Table 3-6-5-A have significant years of experience in
accounting, internal auditing, and management. Other professional experience is also common for
these individuals. Such high levels of experience provides support that those respondents classified
as “Other” are qualified individuals working in less traditional environments.
Years of Existence of IAA and Years of CAE Experience
Figure 3-7 on the following page lists the number of years the respondents’ IAAs have been in
existence. The largest numbers of respondents work for IAAs that have been in existence for 05 years (28.4%) and another 21% of the respondents work for IAAs that have been in existence
for 6-10 years. A total of 13.8% of respondent’s organizations have IAAs that have been in
existence for 31 or more years. This is a positive development for internal auditing as it shows that
growth has accelerated in the past 10 years. Given the corporate governance issues and regulatory
developments in recent years, this could be a reflection of the recognition by organizations and
their boards of the need for internal audit.
The Institute of Internal Auditors Research Foundation
82 A Global Summary of the Common Body of Knowledge 2006 ______________________
Figure 3-7
Number of Years the IAA Has Existed in the Organization
All Respondents (7,747) in Percentages
41+ Years
8.1%
0-5 Years
28.4%
31-40 Years
5.7%
21-30 Years
14.1%
6-10 Years
21.0%
11-20 Years
22.7%
A young department does not necessarily equate to an unskilled or weak department. Newer
IAAs may employ more experienced CAEs who start an audit activity based on their prior
experiences and knowledge.
Table 3-7 provides the number of years respondent organizations have had IAAs by groups. In
group 5, respondents indicate that 60.5% of their IAAs are 0-5 years old and another 22.5% are 610 years old. Respondents in the other groups indicate between 20% - 33.9% of the IAAs are
between 0-5 years old and an additional 16.1% - 33.1% indicate their IAAs are between 6-10
years old. A review of the countries in each group and historical events explain some of these
differences since in some areas of the world, economies are more developed than others. In
Appendix 3, Table 3-7-1-A shows the number of years respondent organizations have had IAAs
by industry.
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 83
Table 3-7
Number of Years the IAA Has Existed by Groups*
All Respondents in Percentages
Group
Respondents
More
than
0-5
6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50
50
Years Years Years Years Years Years Years Years Years Years Years Total
1
3,025
23.8
16.1
10.9
12.6
9.2
8.9
3.1
4.8
.7
4.5
5.4
100.0
2
188
26.1
20.7
17.0
13.3
5.9
6.9
2.7
2.7
1.1
1.1
2.5
100.0
3
636
25.8
26.6
11.9
10.2
5.8
7.1
2.7
1.9
.5
4.2
3.3
100.0
4
347
25.6
33.1
15.9
13.3
3.2
3.5
1.2
2.0
.6
.8
.8
100.0
5
550
60.5
22.5
8.0
2.7
1.5
1.3
.0
1.1
.2
1.3
.9
100.0
6
423
23.6
18.0
10.4
7.6
8.0
11.6
3.1
2.6
.9
5.2
9.0
100.0
7
467
23.1
20.3
13.1
9.9
8.4
11.8
2.8
3.2
.6
2.6
4.2
100.0
8
910
32.7
25.3
14.3
11.1
5.5
3.7
1.9
1.3
.2
1.3
2.7
100.0
100.0
9
118
33.9
29.7
15.3
7.6
5.1
.8
.0
.0
.8
3.4
3.4
10
125
22.4
25.6
11.2
8.0
6.4
4.8
3.2
6.4
.0
3.2
8.8
100.0
11
226
28.8
24.3
11.9
10.2
5.8
8.4
1.3
4.0
.9
2.2
2.2
100.0
12
40
20.0
27.5
10.0
10.0
5.0
12.5
2.5
.0
7.5
2.5
2.5
100.0
N/C**
692
27.6
23.3
11.6
13.0
4.8
7.4
1.4
3.6
.6
3.3
3.4
100.0
Overall
7,747
Respondents
in Category
Overall
Percent in
Category
2,194
1,628
914
847
529
566
181
255
48
257
328
28.4
21.0
11.8
10.9
6.8
7.3
2.4
3.3
.6
3.3
4.2
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
100.0
84 A Global Summary of the Common Body of Knowledge 2006 ______________________
Figure 3-8 summarizes the respondents’ years of experience as CAEs. More than half (56%)
indicated they have been a CAE for 5 years or less, 25% of CAE respondents have between 6 and
10 years of CAE experience, and 19% of CAE respondents have more than 10 years of experience
in this position.
Figure 3-8
Years of Experience as a CAE
CAE Respondents in Percentages
16 to 20 Years
6%
21 or More
Years
3%
11 to 15 Years
10%
5 Years or Less
56%
6 to 10 Years
25%
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 85
Figure 3-9 lists the average years of work experience for CAEs by groups. The overall average
number of years of experience as a CAE is 6.6 years. The CAEs in groups 5 (4.5 years) and 12
(4.7 years) have less experience as a CAE than their peers. The CAEs in groups 6 (8.2 years), 10
(8.1 years), and 11 (8.1 years) have relatively more experience as a CAE than the overall average.
Figure 3-9
Average Years of Experience as a CAE by Groups*
CAE Respondents
Average Years of Experience
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate Affiliate or Chapter membership.
The Institute of Internal Auditors Research Foundation
86 A Global Summary of the Common Body of Knowledge 2006 ______________________
Types of Organizations
As indicated in Figure 3-10, when asked about their current employers, 38% of all respondents
indicate that they work for a publicly traded (listed) company, while 19.5% work for a privately
held (non-listed) company. Twenty-three percent of all respondents currently work in the public
sector and 10.5% work for a service provider or as a consultant. Internal auditing is performed by
members of the IAA as well as by external service providers and consultants.
Figure 3-10
Types of Organizations
All Participants (8,848) in Percentages
Service Provider / Consultant
10.5%
Publicly Traded (Listed) Company
38.0%
Privately Held (Non-listed) Company
19.5%
23.0%
Public Sector / Government
Not-for-Profit Organization
Other
6.2%
2.8%
0% 5% 10% 15% 20% 25% 30% 35% 40%
Percentage of Respondents
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 87
While Table 3-8 shows that sector representation is relatively consistent for all 5 categories of
respondents, only 44.5% of the Other respondents work in traditional public or private companies.
Publicly traded and private (non-listed) employers tend to represent approximately 53% to 60% of
the other four categories. The Other four respondent categories have the highest percentage
(17.3%) of respondents working for service providers. This is approximately double that of CAEs,
Senior/Supervisors, and Audit Staff members.
Table 3-8
Types of Organizations
All Respondents in Percentages
Type of
Organization
CAE
Percent of
2,356
Respondents
Audit
Managers
Percent of
2,016
Respondents
Audit
Audit Staff
Other
Overall
Senior/
Percent of
Percent of
Average
Supervisor
1,608
637 of
Percent of
Percent of Respondents Respondents
8,848
2,231
Total
Respondents
Responses
Service
Provider/
Consultant
Publicly
Traded
(Listed)
Company
Privately
Held
(Non-listed)
Company
Public Sector/
Government
Not-for-Profit
Organization
Other
Total
8.8
13.5
9.2
8.3
17.3
10.5
34.9
42.2
40.7
37.1
29.7
38.0
24.9
18.3
18.4
16.2
14.8
19.5
21.9
18.5
23.7
30.3
20.6
23.0
7.1
5.4
6.3
5.2
7.1
6.2
2.4
100.0
2.1
100.0
1.7
100.0
2.9
100.0
10.5
100.0
2.8
100.0
The Institute of Internal Auditors Research Foundation
88 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 3-8-1 summarizes information about the types of organizations represented within the groups.
Compared to the overall average of respondents working for service providers/consultants (shown
in Table 3-8 as 10.5%), group 4 (4.1%) is well below the overall average and group 11 (18.3%) is
significantly above the overall average. Publicly traded company representation is considerably
below the overall average of 38% in group 2 (24.9%), while much above the overall average in
groups 4 (68.8%) and 11 (49.3%). Privately held company representation is greatly above the
overall average of 19.5% in groups 9 (38.1%) and 8 (30.8%). Compared to the public sector
overall average of 23%, groups 4 (4.4%), 9 (10.3%), and 11 (12.9%) are much lower, and groups
2 (42.7%), 10 (35.4%), and 3 (35.3%) are well above the overall average. Not-for-profit organizations
are represented significantly below the overall average of 6.2% in groups 5 (1.9%) and 10 (2.1%),
but much above the overall average in group 12 (17.0%).
Table 3-8-1
Types of Organizations by Group*
All Respondents in Percentages
Type of
Organization
1
2
3
4
5
6
8
9
Service Provider/
Consultant
Publicly Traded
(Listed) Company
Privately Held
(Non-listed)
Company
Public Sector/
Government
Not-for-Profit
Organization
Other
Total
10.0
12.2
13.8
4.1
11.8
12.0 11.9
9.5
7.1
8.3 18.3 10.6
9.4
41.6
24.9
31.3
68.8
27.4
35.5 28.6 37.5 31.8
36.1 49.3 27.7
31.8
14.8
11.3
12.0
16.9
23.5
25.6 28.7 30.8 38.1
14.6 13.7 19.2
23.9
22.7
42.7
35.3
4.4
31.3
19.9 20.4 17.6 10.3
35.4 12.9 23.4
23.2
8.9
7.0
4.4
3.3
1.9
5.7
7
5.6
3.4
3.2
10
2.1
11
12
3.3 17.0
N/C**
5.3
2.0
1.9
3.2
2.5
4.1
1.3 4.8 1.2 9.5
3.5 2.5 2.1
6.4
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate Affiliate or Chapter membership.
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 89
Service Providers of Internal Audit Services
Internal auditing is performed by members of the IAA as well as by external service providers. As
shown in Figure 3-11, 14% of the survey respondents provide internal audit services to client
organizations. As some respondents did not answer all the questions, this percentage is close to but
not totally consistent with Figure 3-10, which indicates that 10.5% of respondents work for a
service provider or consulting company.
Figure 3-11
Service Provider of Internal Audit Services
All Respondents (8,774) in Percentages
Service
Provider
14.0%
In-house
Internal
Audit Activity
86.0%
The Institute of Internal Auditors Research Foundation
90 A Global Summary of the Common Body of Knowledge 2006 ______________________
Age of Organizations
Table 3-9 reports on how long respondents’ organizations have been in existence. A separate
correlation test performed by the researchers confirmed that there is a relationship between how
long an organization has been in existence and how long the organization has had an IAA.
Table 3-9
Number of Years Organizations Have Existed
All Respondents in Percentages
Number of Years
0-5
6-10
11-15
16-20
21-25
26-30
31-35
36-40
41-45
46-50
More than 50 years
Total
Total Responses
Percentage of Total
Respondents
590
856
648
496
321
442
299
355
165
461
3,532
8,165
7.2
10.5
7.9
6.1
3.9
5.4
3.7
4.3
2.0
5.6
43.4
100.0
In Appendix 3, Table 3-9-1-A lists the number of years the respondents’ organizations have existed
by group. Groups 1, 2, 6, and 10 have a large number of respondents (43.5% - 59.3%) working in
organizations that are more than 50 years old. Groups 4, 5, and 11 have respondents whose
organizations have greater than 24% of their organizations (24.1% - 29.4%) that are less than 11
years old. Respondents for group 12 indicate that none of their employer organizations are over 70
years old.
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 91
Industry Classification(s)
The survey population covers a broad range of industries. Since the respondents were asked to
select all industries that applied to their organization, the total of the industries selected is greater
than 100%. Figure 3-12 on the following page classifies survey respondents by the industry in
which they work. The top 10 industries indicated by respondents are:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Banking/Financial Services/Credit Union (24.5%).
Other (13.9%).
Manufacturing (13.4%).
Financial, Accounting, and/or Business Services (11.1%).
Insurance (9.3%).
Utilities (7.9%).
Education (7.0%).
Communication/Telecommunication (7.0%).
Healthcare (6.4).
Retail/Wholesale (6.2%).
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
Percentage of Respondents
*Respondents were able to select all the classifications that apply, resulting in a total greater than 100%.
92 A Global Summary of the Common Body of Knowledge 2006 ______________________
Figure 3-12
Industry Classification
All Respondents (8,934) in Percentages*
_____________________________________________ Chapter 3: Survey Demographics 93
Table 3-10 indicates that this pattern is basically consistent for all 5 categories of respondents.
Table 3-10
Industry Classification
All Respondents in Percentages
Industry
Classification
Agricultural/
Forestry
Banking/
Financial
Services/
Credit Union
Building and
Construction
Communication/
Telecommunication
Consumer
Goods
Education
Financial,
Accounting,
and/or Business
Services
Healthcare
Hospitality/
Leisure/Tourism
Insurance
Manufacturing
Mining and Oil
Nonprofessional
Services
CAE*
Percent of
2,374
Respondents
Audit
Audit Senior/ Audit Staff*
Other*
Average
Manager* Supervisor* Percent of Percent of Percent of
Percent of
Percent of
1,625
651
8,934
2,033
2,251
Respondents Respondents
Total
Respondents Respondents
Responses*
2.9
3.0
2.7
2.7
3.8
3.0
25.3
25.3
24.8
26.5
20.6
24.5
5.4
5.3
3.8
3.1
3.4
4.2
6.8
9.0
6.6
6.5
6.0
7.0
5.6
6.5
4.1
3.1
4.6
4.8
8.1
7.8
5.3
10.1
5.0
10.2
5.0
10.3
11.7
17.2
7.0
11.1
6.4
4.3
7.7
4.6
6.3
2.6
5.4
2.5
6.0
2.9
6.4
3.4
9.2
14.3
4.5
1.0
10.3
14.4
5.0
1.7
11.2
13.1
5.4
0.8
10.3
11.5
3.0
0.7
5.4
13.8
4.5
1.7
9.3
13.4
4.5
1.2
*Note: Since respondents could mark all that apply, percentages may not add up to 100%.
The Institute of Internal Auditors Research Foundation
94 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 3-10 (Cont.)
Industry Classification
All Respondents in Percentages
Industry
Classification
Pharmaceutical/
Chemical
Professional
Services
Real Estate
Retail/Wholesale
Technology
Trade Services
Transport and
Logistics
Utilities
Other
CAE*
Percent of
2,374
Respondents
Audit
Audit Senior/ Audit Staff*
Other*
Average
Manager* Supervisor* Percent of Percent of Percent of
Percent of
Percent of
1,625
651
8,934
2,033
2,251
Respondents Respondents
Total*
Respondents Respondents
Responses
3.4
3.7
2.5
1.9
3.1
2.9
4.7
4.9
3.6
3.2
5.8
4.4
4.0
6.7
5.5
2.6
7.0
4.1
8.8
6.1
2.7
5.9
2.8
6.4
4.3
1.6
5.3
2.4
4.3
3.9
1.3
5.5
2.5
4.6
5.2
1.7
4.8
3.2
6.2
5.0
2.0
5.7
7.5
14.2
8.4
12.1
8.3
12.5
7.6
14.8
7.8
16.1
7.9
13.9
*Note: Since respondents could mark all that apply, percentages may not add up to 100%.
Table 3-10-1 provides an overview of the industry representation in each of the groups. The largest
group of respondents overwhelmingly work in the manufacturing sector in groups 4 (46.8%) and
11 (31.3%). These are significantly larger percentages than the total respondents’ average for
manufacturing of 13.4% shown in Figure 3-12. The banking/financial services/credit union sector
is considerably above the total respondents’ average of 24.5% in groups 7 (37.9%) and 6 (36.7%)
but considerably below the average in group 4 (9.1%). The education sector is well represented in
group 2 (15.8%) which is well above the total respondents’ average of 7%. In groups 4 (3.8%) and
7 (5.3%), the financial, accounting, and/or business services industry is less prevalent than elsewhere
when compared with the total respondents’ average of 11.1%. The insurance industry has much
less representation in groups 11 (4.0%), 5 (4.9%), and 4 (5.9%) than the total respondents’ average
of 9.3%. In groups 4 (2.2%) and 9 (3%), organizations with employees in the utilities sector is
much lower than the average of 7.9% for all respondents.
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 95
Table 3-10-1
Industry Classification by Group*
All Respondents in Percentages
Industry
Classification
1
2
3
4
5
6
7
8
9
10
11
12 N/C**
Agricultural/
Forestry
Banking/Financial
Services/Credit
Union
Building and
Construction
Communication/
Telecommunication
Consumer Goods
Education
Financial,
Accounting,
and/or Business
Services
Healthcare
Hospitality/
Leisure/Tourism
Insurance
Manufacturing
Mining and Oil
Non-professional
Services
Pharmaceutical/
Chemical
Professional
Services
Real Estate
Retail/Wholesale
Technology
Trade Services
Transport and
Logistics
Utilities
Other
2.6
5.1
4.9
0.8
3.3
2.2
5.9
1.6
1.5
4.1
2.4
8.3
1.6
22.2
20.5
22.3
9.1 25.0
36.7
25.3 21.3 22.9
21.1
3.3
8.4
5.3
3.0
5.6
2.4
4.6
6.1
7.4
5.4
9.1
5.8
3.8
8.1
10.8
6.1
15.8
11.2
3.4
9.4
15.0
3.2
2.2
3.8
4.3
3.3
9.1
3.9
3.7
8.9
8.7
3.4
13.0
5.6
7.8
4.9
1.3
2.2
3.6
2.8
6.7
1.5
11.3
11.8
3.4
0.6
10.7
9.3
5.6
5.1
8.6
8.4
6.8
1.5
5.9 4.9
46.8 11.7
2.7 8.1
1.3 0.5
10.4
10.6
1.9
0.7
2.0
1.9
2.2
1.9
3.1
5.0
4.4
4.2
4.6
1.4
5.6
0.0
3.0
4.4
9.3
4.5
4.8
2.8
2.8
6.1
2.4
2.3
4.1
5.2
4.2
3.7
3.0
7.0
5.2
0.9
4.0
3.7
8.4
6.1
2.8
9.8
3.3
7.2
4.9
2.3
7.5
1.9
4.8
4.0
2.7
3.2
2.6
6.9
2.8
3.3
6.4
2.6
4.3
3.7
0.9
7.1
4.0
7.6
4.2
4.4
4.9
3.4 4.6
4.1 12.9
5.3 3.8
3.0 5.3
9.6 4.6
8.9 4.0 4.2
4.8 9.2 2.1
4.8 14.1 2.1
1.4 7.2 0.0
7.5 9.6 16.7
2.9
4.2
3.0
1.4
4.2
7.7
13.3
10.2
23.3
5.4
20.3
2.2 12.2
6.2 14.5
5.8
13.0
9.7 12.1 3.0
11.0 10.7 15.2
5.5 6.4 4.2
15.8 12.9 12.5
4.8
9.0
37.9 27.3 30.3
6.6
4.5
8.3
6.2 10.4
2.1
2.9
10.0 13.1
5.3
8.9 10.4 10.4
5.2
8.9
5.5
5.3
5.6 14.4
1.7 2.3
8.2 9.1
4.8 13.7 2.1
8.2 8.0 12.5
10.3 14.1 16.7
3.4
3.2
6.7
5.1
2.3
3.2
3.9
4.6
7.6
7.0 13.3 10.6
12.1 9.1 13.6
9.1 4.6 6.1
1.5 1.5 0.0
5.5
3.4
4.2
2.1
2.5
1.7
15.1 4.0 6.3
13.7 31.3 6.3
4.8 7.2 10.4
1.4 1.6 2.1
5.7
10.6
1.9
1.2
Note: Since respondents could mark all that apply, percentages may not add up to 100%.
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate Affiliate or Chapter membership.
The Institute of Internal Auditors Research Foundation
5.2
9.2
96 A Global Summary of the Common Body of Knowledge 2006 ______________________
Geographical Area Served by Organization
Recognizing that companies compete differently, in part based on the locations they serve, data
was collected on the geographical areas served by the respondents’ organizations. Their responses
are shown in Figure 3-13. Of the respondents, 39.2% of the respondents indicate that their employer
operates on an international/multinational scale, while 29.1% of employers operate on a national
scale. The remaining 31.7% operate on a local, state/provincial, or regional basis.
Figure 3-13
Geographical Area Served by the Organization
All Respondents (8,750) in Percentages
Percentage of Respondents
Table 3-11 indicates that the geographical regions served by the organizations employing the
respondents are fairly consistent. Table 3-11-1 provides more detail on the geographical area
served by the organizations for each of the 13 groups. Comparing these two tables, international/
multinational companies represent more than half of the respondents in groups 6 (58.6%) and 8
(53.4%) compared to the average percentage of 39.2% for all respondents. National companies
seem to be more prevalent than the total average percentage of 29.1% in groups 10 (42.6%) and
12 (41.2%), while group 6 (19.7%) is well under the average percentage. Companies serving
state/provincial regions are significantly above the average percentage response (10.9%) in group
2 (23.1%).
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
100.0
30.2
100.0
14.6
17.3
11.0
22.4
34.7
100.0
Local
State/Provincial
Regional
National
International/
Multinational
Total
39.8
100.0
13.5
8.2
5.1
33.4
3
42.2
100.0
19.4
3.2
9.1
26.1
4
35.7
100.0
6.8
14.4
8.5
34.6
5
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate Affiliate or Chapter membership.
9.4
23.1
4.3
33.0
1*
Area
2
100.0
100.0
9.4
10.3
9.3
27.3
43.7
Audit Senior/
Supervisor
Percent of
2,212
Respondents
100.0
11.1
11.9
8.2
32.9
35.9
58.6
100.0
4.8
7.9
9.0
19.7
6
46.2
100.0
7.2
1.9
7.8
36.9
7
53.4
100.0
2.3
0.8
6.0
37.5
8
7.4
2.5
12.3
37.7
9
45.3
100.0
5.0
4.3
2.8
42.6
10
100.0
16.6
11.6
8.7
28.4
34.7
13.0
2.2
4.6
41.2
12
36.0
100.0
13.2
6.6
9.3
34.9
N/C**
100.0
12.1
10.9
8.7
29.1
39.2
Average
Percent of
8,750 Total
Respondents
40.2 39.0
100.0 100.0
21.3
1.7
8.8
28.0
11
Other
Percent of
620
Respondents
40.1
100.0
Audit Staff
Percent of
1,588
Respondents
Table 3-11-1
Geographical Area Served by Group*
All Respondents in Percentages
8.9
8.9
6.8
29.7
45.7
14.6
11.8
10.7
27.0
35.9
Local
State/Provincial
Regional
National
International/
Multinational
Total
Audit Managers
Percent of
2,004
Respondents
CAE
Percent of
2,326
Respondents
Area
Table 3-11
Geographical Area Served by the Organization
All Respondents in Percentages
_____________________________________________ Chapter 3: Survey Demographics 97
98 A Global Summary of the Common Body of Knowledge 2006 ______________________
References
1. Clemmons, D.L., “2006 A year of growth and change,” IIA Insight, Vol. 1/November 2006, p. 5.
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 99
APPENDIX 3
Table 3-6-1-A
Total Years of Professional Experience by Sector
CAEs’ Average Responses
Type of
Experience
Service
Provider
Private
Company
Publicly
Listed
Company
Governmental
Not-forProfit
Average
Response
Accounting
Engineering
External
(Independent)
Auditing
Finance
Information
Technology
Internal Auditing
Management
Other Professional
Experience
7.3
5.0
7.1
6.9
4.9
6.2
6.8
3.8
4.4
6.9
4.6
7.5
4.5
1.0
1.8
6.5
3.9
5.4
6.1
5.8
6.8
6.1
6.8
4.9
6.1
4.2
2.7
3.5
5.7
4.9
6.9
6.9
5.2
8.1
7.5
6.7
8.3
7.2
5.4
8.9
8.2
6.7
7.1
5.2
4.4
7.9
7.0
5.7
Table 3-6-2-A
Total Years of Professional Experience by Sector
Audit Managers’ Average Response
Type of
Experience
Accounting
Engineering
External
(Independent)
Auditing
Finance
Information
Technology
Internal
Auditing
Management
Other
Professional
Experience
Service
Provider
Private
Company
Publicly Listed
Company
Governmental
Not-forProfit
Average
Response
6.0
1.9
4.9
6.2
3.3
4.8
5.7
3.5
3.0
5.7
4.7
5.4
4.0
0.5
1.0
5.5
2.8
3.8
4.7
4.4
5.0
5.8
4.7
7.1
4.6
5.8
1.7
1.8
4.1
5.0
5.9
7.4
7.8
8.0
4.8
6.8
5.0
3.4
6.1
4.7
6.5
4.7
6.2
6.9
3.9
3.6
5.5
4.7
The Institute of Internal Auditors Research Foundation
100 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 3-6-3-A
Total Years of Professional Experience by Sector
Audit Supervisors’/Seniors’ Average Response
Type of
Experience
Accounting
Engineering
External
(Independent)
Auditing
Finance
Information
Technology
Internal
Auditing
Management
Other
Professional
Experience
Service
Provider
Private
Company
Publicly Listed
Company
Governmental
Not-forProfit
Average
Response
4.7
1.8
4.1
5.0
4.6
3.5
4.6
3.7
3.2
5.6
3.7
4.7
2.7
0.3
1.3
4.5
2.8
3.4
4.2
4.6
3.7
5.0
4.2
5.7
4.0
4.1
1.8
1.7
3.6
4.2
3.3
5.4
5.5
6.9
4.2
5.1
4.5
3.2
5.1
4.7
4.7
4.8
6.0
4.3
2.1
3.3
4.5
4.1
Table 3-6-4-A
Total Years of Professional Experience by Sector
Audit Staffs’ Average Response
Type of
Experience
Accounting
Engineering
External
(Independent)
Auditing
Finance
Information
Technology
Internal
Auditing
Management
Other
Professional
Experience
Service
Provider
Private
Company
Publicly Listed
Company
Governmental
Not-forProfit
Average
Response
3.2
1.2
2.7
5.1
2.3
2.4
4.1
0.9
1.4
4.9
2.4
2.7
2.2
0.0
0.3
3.9
1.4
1.9
3.1
2.8
3.6
4.6
3.5
4.4
3.9
3.7
1.3
0.6
3.1
3.2
3.3
3.4
3.5
4.7
2.3
3.4
3.1
4.9
4.1
5.0
3.3
4.5
5.1
6.8
1.5
2.1
3.4
4.7
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 101
Table 3-6-5-A
Total Years of Professional Experience by Sector
Others’ Average Response
Type of
Experience
Accounting
Engineering
External
(Independent)
Auditing
Finance
Information
Technology
Internal
Auditing
Management
Other
Professional
Experience
Service
Provider
Private
Company
Publicly Listed
Company
Governmental
Not-forProfit
Average
Response
7.3
3.5
6.4
6.8
3.3
3.1
5.5
2.7
3.1
6.9
2.5
7.1
6.2
0
1.1
6.5
2.4
4.2
6.1
4.4
6.5
4.7
5.6
5.1
4.6
4.6
4.4
1.5
5.4
4.1
5.4
7.0
7.0
6.3
4.8
6.1
5.7
4.6
6.9
4.7
6.4
4.8
5.4
6.5
4.8
7.8
5.8
5.7
The Institute of Internal Auditors Research Foundation
Number of Respondents
Agricultural/Forestry
Banking/Financial Services/Credit Union
Building and Construction
Communication and Telecommunications
Consumer Goods
Education
Financial, Accounting, or Business
Services
Healthcare
Hospitality/Leisure/Tourism
Insurance
Manufacturing
Mining and Oil
Non-professional Services
Pharmaceutical/Chemical
Professional Services
Real Estate
Retail/Wholesale
Technology
Trade Services
Transport and Logistics
Utilities
Other
5.4
4.9
12.4
14.0
4.2
1.4
2,7
4.3
3.5
6.3
4.5
1.9
6.5
7.8
13.9
7.9
3.6
7.4
16.1
5.5
1.1
3.6
4.6
4.3
7.2
5.9
2.4
6.8
8.7
15.0
7.0
5.0
8.5
16.0
3.9
.7
2.9
5.4
2.8
7.2
5.9
2.9
7.0
5.8
13.1
914
3.1
26.7
4.5
7.4
4.8
6.3
9.8
2,191 1,628
2.6
3.1
17.4 21..9
5.8
4.8
8.8
9.4
5.8
5.8
5.1
5.8
10.2
10.4
6.7
3.2
12.3
13.1
5.8
1.4
3.3
3.4
3.8
5.9
5.0
1.8
5.0
7.4
12.6
847
2.2
27.3
5.1
5.4
5.3
7.7
7.8
4.7
1.7
11.7
8.5
3.2
.8
1.7
2.3
2.3
4.5
2.5
.9
4.3
7.0
11.2
529
1.9
27.8
1.7
6.2
2.5
6.4
7.9
5.7
1.9
10.4
8.3
5.7
.5
1.9
3.4
1.9
5.3
4.1
1.2
6.0
9.9
12.2
566
3.5
32.7
3.4
4.6
2.3
7.4
9.2
5.0
.6
7.7
9.4
1.1
1.7
3.9
2.2
2.2
3.3
3.3
2.2
6.6
8.8
14.9
181
2.8
26.5
2.2
6.6
3.3
9.9
9.4
5.5
3.5
12.2
12.9
3.9
1.2
4.3
3.1
4.3
11.0
4.7
2.7
7.1
10.6
10.6
255
3.5
34.9
5.5
6.7
5.5
9.0
9.8
2.1
2.1
6.3
8.3
6.3
4.2
2.1
0.0
4.2
12.5
0.0
0.0
2.1
8.3
10.4
48
4.2
41.7
6.3
0.0
2.1
8.3
6.3
4.3
1.6
8.9
12.8
4.3
.4
2.3
2.7
1.6
5.8
3.5
.8
4.7
13.2
8.9
257
3.5
37.7
3.1
3.5
3.5
5.4
8.9
5.2
1.8
10.7
11.6
2.4
1.2
2.7
3.0
3.0
8.5
5.8
2.1
3.4
9.5
11.9
328
2.4
44.5
3.4
4.9
4.3
4.0
9.8
0-5
6-10 11-15 16-20 21 -25 26-30 31-35 36-40 41-45 46-50 More
Years Years Years Years Years Years Years Years Years Years than 50
Years
Table 3-7-1-A
Number of Years the IAA Has Existed by Industry
All Respondents in Percentages
102 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
_____________________________________________ Chapter 3: Survey Demographics 103
Table 3-9-1-A
Number of Years Organizations Have Existed by Groups*
All Respondents in Percentages
Group
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
Total/
Overall
Respondents
in Category
Overall
Percent in
Category
Respondents
3,241
189
648
354
552
434
504
954
125
135
228
39
762
8,165
0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 More Total
Years Years Years Years Years Years Years Years Years Years t h a n
50
Years
4.4
8.5
8.3
11.6
12.0
4.8
6.0
11.3
8.0
6.7
11.4
5.1
8.7
590
6.8 4.7
11.1 3.7
13.1 9.3
17.8 9.9
17.4 24.8
8.5 6.0
14.1 10.3
10.6 7.0
9.6 7.2
6.7 3.7
12.7 10.1
10.3 7.7
14.3 9.4
856 648
7.2 10.5
7.9
4.8 3.9
6.3 3.7
5.9 5.4
12.7 3.4
6.7 2.2
2.5 1.8
5.0 4.0
6.2 3.6
13.6 11.2
4.4 3.0
11.0 8.3
10.3 5.1
7.9 3.5
496
321
6.1
3.9
5.0
6.9
5.1
9.0
3.1
4.4
6.7
5.8
3.2
3.7
6.1
15.4
6.2
442
3.7
4.2
3.1
5.9
2.2
2.5
5.0
2.5
7.2
5.2
5.7
10.3
3.1
299
4.8
2.6
5.2
5.1
3.1
3.7
3.4
4.8
1.6
1.5
6.1
10.3
3.3
355
1.7
2.1
1.4
4.0
1.1
.9
3.6
1.5
5.6
3.7
4.8
7.7
1.8
165
5.7
7.4
5.7
3.7
4.3
8.5
6.5
5.6
8.0
2.2
4.8
0.0
5.4
461
5.4
3.7
4.3
2.0
5.6
*For a list of affiliate groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
54.5
43.5
37.5
16.9
23.1
56.4
35.4
41.1
24.8
59.2
18.8
17.8
36.4
3532
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
43.4 100.0
104 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS
Chapter 4
Chapter 4: The Professional Practices Framework ............................................................. 105
Introduction......................................................................................................................... 105
CBOK 2006 Survey Questions Related to the Standards................................................... 107
Use of the Standards in Whole or in Part ........................................................................... 108
Compliance with the Standards .......................................................................................... 110
Adequacy of the Guidance Provided by the Standards ...................................................... 115
Use of and Adequacy of the Guidance Provided by the Practice Advisories ..................... 118
Reasons for Not Complying with the Standards ................................................................ 121
Quality Assurance and Improvement Program................................................................... 128
Compliance with The IIA’s Code of Ethics........................................................................ 146
Appendix 4-A: The IIA’s Standards and Practice Advisories
as of September 2006 ................................................................................................... 147
Appendix 4-B...................................................................................................................... 165
Disclosure
Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland
Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of
America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior
written permission of the publisher.
The IIARF publishes this document for informational and educational purposes. This document is intended
to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide
such advice and makes no warranty as to any legal or accounting results through its publication of this
document. When legal or accounting issues arise, professional assistance should be sought and retained.
The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full
range of existing and developing practice guidance for the profession. The IPPF provides guidance to
internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA
Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting
research and knowledge resources to enhance the development and effectiveness of the internal auditing
profession.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 105
CHAPTER 4
THE PROFESSIONAL PRACTICES
FRAMEWORK
Introduction
The Institute of Internal Auditors’ (IIA) (2005) Professional Practices Framework (PPF) consists
of the Definition of Internal Auditing, The IIA’s Code of Ethics, International Standards for the
Professional Practice of Internal Auditing (Standards), and Practice Advisories.” The IIA’s
Code of Ethics and the Standards are considered mandatory by The IIA for all those who provide
internal auditing services. Guidance regarding how the Standards might be applied is included in
Practice Advisories that are issued by The IIA’s Professional Issues Committee. The Practice
Advisories are endorsed by The IIA and are strongly recommended.
This chapter first summarizes the extent to which respondents use and are in compliance with The
IIA’s Standards and the related Practice Advisories as of September 2006, when the CBOK
questionnaires were distributed. Next, respondents’ opinions regarding the adequacy of the guidance
provided in the Standards and Practice Advisories is presented. Then there is a discussion of the
reasons why some respondents do not comply with the Standards. Another section reviews
respondents’ compliance with Standard 1300, Quality Assurance and Improvement Program. The
chapter concludes with a brief discussion about affiliate responses concerning their areas’
compliance with The IIA’s Code of Ethics. For reference, The IIA’s Standards, Practice Advisories,
and Glossary to the Standards as of September 2006 are included in Appendix 4-A located at the
end of this chapter. The Standards employ terms that have been given specific meanings that are
defined in the Glossary.
Diverse legal and cultural variations together with the purpose, size, and structure of organizations
may affect the practice of internal auditing. The IIA regards full compliance with the Standards as
essential for internal audit activities (IAAs) to meet their responsibilities to their organizations. If
internal auditors are prohibited by law or regulation from complying with certain parts of the
Standards, The IIA believes they should comply with all other parts of the Standards and make
appropriate disclosures.
The Institute of Internal Auditors Research Foundation
106 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Standards were developed to serve the following purposes:
•
•
•
•
Delineate basic principles that represent the practice of internal auditing as it should be.
Provide a framework for performing and promoting a broad range of value-added internal
audit activities.
Establish the basis for the evaluation of internal audit performance.
Foster improved organizational processes and operations.
The Standards are continuously reviewed to determine when a revision is necessary. The last
major revision occurred when the Board of Directors of The IIA voted to approve a new definition
of internal auditing in 1999 and to update the PPF. The IIA considered the new Standards mandatory
for all those that provide internal auditing services as of January 1, 2004. In December 2005, The
IIA’s Executive Committee approved a plan to revise The IIA’s current guidance structure.
The Standards consist of Attribute Standards, Performance Standards, and Implementation
Standards. The Attribute Standards address the characteristics of organizations and parties
performing internal audit services. The Performance Standards describe the nature of internal
audit services and provide quality criteria against which the performance of these services may be
evaluated. Implementation Standards expand on the Attribute and Performance Standards by
providing guidance on specific types of engagements for assurance and consulting. The Attribute
and Performance Standards apply to all internal audit activities and are divided into the following
categories:
Attribute Standards
1000 – Purpose, Authority, and Responsibility
1100 – Independence and Objectivity
1200 – Proficiency and Due Professional Care
1300 – Quality Assurance and Improvement Program
Performance Standards
2000 – Managing the Internal Audit Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the Engagement
2400 – Communicating Results
2500 – Monitoring Progress
2600 – Resolution of Management’s Acceptance of Risks
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 107
CBOK 2006 Survey Questions Related to the Standards
The main objective of the CBOK 2006 study is to develop a summary of the global practice of
internal auditing around the world. The questions included in the CBOK survey pertaining to the
Standards were developed to determine the following:
•
•
•
•
•
The extent to which internal auditors and their internal audit activities (IAAs) comply with
the Attribute Standards, Performance Standards, and Practice Advisories.
The level of compliance by internal auditors and their IAAs with individual Standards and
Practice Advisories.
Whether or not the guidance in the Standards is perceived by users to be adequate.
The reasons for noncompliance with the Standards.
Whether internal auditors and IAAs comply with the standards relating to quality assurance
and improvement program.
The number of respondents answering a specific question will often differ from the 9,366 total
respondents in this study. This is due to the following reasons:
•
•
Not all of those that participated in the survey answered all the questions asked. Results
are shown and discussed only for those respondents who answered a particular survey
question.
Not all questions were asked of all respondents:
o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).
o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).
o Some questions were asked of both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA.
These more detailed summaries of results may be provided for the five categories of respondents:
CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in the
Other category consist primarily of other professional staff whose position is not captured by the
traditional job titles included in the survey. A review of their credentials indicates they may be
members of the IAA, employed by service providers, or in organizations where their titles are less
traditional but with duties within internal auditing.
The Institute of Internal Auditors Research Foundation
108 A Global Summary of the Common Body of Knowledge 2006 ______________________
When relevant, results are given for each of the groups. The groups are explained in Chapter 1.
For a list of groups, please refer to Appendix 1-B of the report. Some tables have additional details.
For example, Table 4-14 is the total of all respondents for that question with a related Table 4-141 showing the responses by group. A table can have more than one related table, where the second
related table would be Table 4-14-2. Additional related tables may be located in Appendix 4-B at
the end of this chapter. A table that is in the Appendix can be clearly identified by an “A” at the end
of its number. For example, Table 4-3-1-A is located in Appendix 4-B.
Use of the Standards in Whole or in Part
All respondents were asked if their organizations use the Standards in whole or in part. Of the
9,366 potential respondents, 8,647 responded to this question. A total of 7,085 (81.9%) of those
responding noted that they use the Standards in whole or in part and 1,562 (18.1%) noted that they
do not comply with the Standards. Those respondents that do not use the Standards were told to
skip the questions on compliance and go directly to the questions asking why they do not use the
Standards.
Figure 4-1 shows the replies to this question by the respondents’ position in the IAA. While very
similar results are reported by the respondents in other positions in the department, the highest
incidence of use in whole or in part is reported by CAEs (85.1%) who should be in the best position
in the IAA to judge whether the Standards are being applied.
Figure 4-1
Organizations’ Use of the Standards in Whole or in Part by Staff Level
All Respondents (8,647) in Percentages
Percentage of Respondents
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 109
Use of the Standards by Industry in Whole or in Part
Table 4-1 provides a list of the respondents’ use of the Standards in whole or in part by industry
and by position in the IAA. The four industries where respondents indicate the most usage of the
Standards in whole or in part are:
•
•
•
•
Trade Services (88%).
Professional Services (87.1%).
Building and Construction (86.8%).
Utilities (86.7%).
The five industries where the respondents indicate the least usage of the Standards in whole or in
part are:
•
•
•
•
•
Pharmaceutical/Chemical (80.2%).
Real Estate (80.4%).
Non-professional Services (81.3%).
Manufacturing (82.2%).
Healthcare (82.2%).
Overall, there is a high level of usage of the Standards in whole or in part by all industries.
The Institute of Internal Auditors Research Foundation
110 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-1
Use of the Standards in Whole or in Part by Industry and Position in the IAA
All Respondents in Percentages
Industry
Number of CAE
Audit
Respondents
Manager
Agricultural/Forestry
Banking/Financial Services/
Credit Union
Building and Construction
Communication/
Telecommunication
Consumer Goods
Education
Financial, Accounting,
and/or Business Services
Healthcare
Hospitality/Leisure/Tourism
Insurance
Manufacturing
Mining and Oil
Non-professional Services
Pharmaceutical/Chemical
Professional Services
Real Estate
Retail/Wholesale
Technology
Trade Services
Transport and Logistics
Utilities
Other
Audit
Audit Other Average
Senior/
Staff
Supervisor
254
2,178
88.1
84.8
91.7
86.4
78.3
83.2
88.4
84.1
75.0
81.5
85.4
84.4
387
626
89.8
88.7
89.7
87.8
77.9
76.9
91.8
88.5
77.8
88.9
86.8
85.6
427
554
870
86.4
89.4
92.3
84.8
81.0
87.6
76.1
85.8
85.0
78.7
86.3
81.5
83.3
64.2
79.6
82.7
83.6
85.9
566
306
861
1,166
396
96
257
372
291
568
439
183
511
694
1,181
87.2
87.3
88.9
86.5
92.4
95.8
83.8
90.1
84.0
87.2
88.5
93.4
88.3
88.0
83.3
83.0
86.8
88.5
86.8
88.2
85.3
82.7
94.8
84.1
85.3
91.1
96.3
84.9
88.0
83.4
84.4
74.1
83.0
77.7
77.3
76.5
72.7
80.2
79.0
78.3
75.0
77.8
73.7
88.0
78.5
77.9
80.0
83.8
77.1
84.4
70.0
82.8
83.7
73.7
74.2
73.3
81.0
81.8
85.2
78.7
59.5
86.7
86.2
75.0
84.0
54.5
72.2
77.1
60.0
80.8
80.0
63.6
85.7
76.1
61.5
82.2
83.7
86.1
82.2
85.4
81.3
80.2
87.1
80.4
82.6
83.6
88.0
83.0
86.7
79.5
Compliance with the Standards
For those 7,085 respondents that indicate they use the Standards in whole or in part, the next
survey question asked if their organizations were in full compliance, partial compliance, not in
compliance, or they did not know their organizations’ level of compliance for each of the individual
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 111
standards. According to The IIA’s Tool 19, Standards Compliance Evaluation Summary, of the
Quality Assessment Manual, 5th Edition, the extent of compliance with the Standards is expressed
as either “generally conforms,” “partially conforms,” or “does not conform.” General conformance
(full compliance in the questionnaire) implies that the “relevant structures, policies, and procedures
of the activity, as well as the processes by which they are applied, comply with the requirements of
the individual Standard…in all material aspects.” Partial conformance (partial compliance in the
questionnaire) means the “activity is making good-faith efforts to comply with the requirements of
the individual Standard.” Does not conform (not in compliance in the questionnaire) means “the
activity is not aware of, is not making good-faith efforts to comply with, or is failing to achieve
many/all of the objectives of the individual Standard.”
For those that indicate their organizations use the Standards in whole or in part, Table 4-2 summarizes
all respondents’ input and compares the responses of the CAEs and Practitioners concerning
whether their IAAs fully comply, partially comply, or do not comply with an individual standard.
Eighty-five point five percent (85.5%) of the 7,085 respondents’ IAAs that noted standards usage
either fully comply (57.2%) or partially comply (28.3%) with the Standards. Of the respondents,
10.6% do not know whether their IAAs comply with any of the Standards.
Table 4-2*
Organizations Compliance Levels with the Standards
CAE, Practitioner, and All Respondents in Percentages
CAE
Full compliance
Partial compliance
Not in compliance
Do not know
Total
59.9
31.6
4.2
4.3
100.0
Practitioner
56.1
26.8
3.8
13.3
100.0
All Respondents
57.2
28.3
3.9
10.6
100.0
*Table 4-2 was compiled from Tables 4-3-1-A, 4-3-2-A and 4-3-3-A in Appendix 4-B.
The percentage of CAEs who do not know whether their IAAs comply with the Standards is
much lower (4.3%) than that of Practitioners (13.3%). This may be due to the CAEs’ position as
leader of the IAA providing them with more insight into the use of the Standards. It would appear
that CAEs have more direct access to judge the use of the Standards than other members of the
IAA.
The Institute of Internal Auditors Research Foundation
112 A Global Summary of the Common Body of Knowledge 2006 ______________________
As shown in Table 4-2, when asked about compliance to individual standards, 59.9% of CAE
respondents and 56.1% of Practitioner respondents say that they are in full compliance with the
Standards when in fact they are not. Table 4-3 shows that only 33.2% of CAE respondents and
43% of Practitioner respondents indicate they comply with Standard 1300. The IIA’s position is
that full compliance means full compliance with all the Standards.
Table 4-3 reveals that for CAE respondents, the four standards with the highest percentage of full
compliance are Standards 1100 (73.6%), 2400 (68.6%), 1000 (68.1%), and 1200 (67%). This
makes sense as three of the standards, 1100, Independence and Objectivity, 2400, Communicating
Results, 1000, Purpose, Authority, and Responsibility, are all direct responsibilities of CAEs. All
work, regardless of who performs it, should be done in accordance with Standard 1200, Proficiency
and Due Professional Care.
Table 4-3
Full or Partial Compliance with the Standards
CAE, Practitioner, and All Respondents in Percentages
Standard
1000 – Purpose, Authority, and
Responsibility
1100 – Independence and
Objectivity
1200 – Proficiency and Due
Professional Care
1300 – Quality Assurance and
Improvement Program
2000 – Managing the Internal
Audit Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the Engagement
2400 – Communicating Results
2500 – Monitoring Progress
2600 – Resolution of Management’s
Acceptance of Risks
Overall Average
CAE
Practitioner
Full
Partial
All Respondents
Full
Partial
26.7
60.8
24.2
63.0
25.0
73.6
22.0
64.1
22.2
66.9
22.2
67.0
28.3
61.1
25.1
62.9
26.1
33.2
45.0
43.0
31.7
40.0
35.7
61.8
32.0
55.8
27.5
57.6
28.9
59.3
60.4
62.1
68.6
56.1
49.0
32.8
32.5
31.8
26.2
35.5
35.0
56.8
56.7
58.7
62.3
51.3
46.1
26.9
27.5
26.7
23.8
30.6
28.8
57.5
57.7
59.7
64.1
52.6
46.9
28.7
29.0
28.2
24.6
32.1
30.7
59.9
31.6
56.1
26.8
57.2
28.3
Full
Partial
68.1
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 113
The two standards with less than 50% full compliance according to CAE respondents are 2600,
Resolution of Management’s Acceptance of Risks (49.0%), and 1300, Quality Assurance and
Improvement Program (33.2%). Reasons for noncompliance with Standard 1300 are discussed in
more detail in a later section of this chapter. Standard 2600 requires CAEs and senior management
to discuss with the board any areas where the CAE feels that management has accepted residual
risk that is unacceptable to the organization. It involves skills requiring CAEs to analyze many
types of risks and reporting to the board disagreements with management over acceptable levels
of risk for the organization.
In Table 4-3, the order of the four highest standards (1100, 2400, 1000, 1200) for full compliance
are the same for the categories All Respondents and CAEs. For Practitioners, the four standards
with the highest percentages are the same, but the order differs, 1100 (64.1%), 2400 (62.3%), 1200
(61.1%), and 1000 (60.8%).
Standard 1000 (63% full compliance and 25% partial compliance for all respondents) requires that
the purpose, authority, and responsibility of the IAA be formally defined in an audit charter. Having
the internal audit charter accepted by the board and management should be one of the first actions
taken by a CAE when an IAA is established. The charter establishes the authority for IAAs to
perform the scope of work as outlined in the Standards. Standard 1100 (66.9% full compliance
and 22.2% partial compliance for all respondents), which deals with the independence and objectivity
of the IAA, shows the highest incidence of full compliance by the respondents.
Standard 2400 (64.1% full compliance and 24.6% partial compliance for all respondents) addresses
the required communication of the results of the work performed by the IAAs at the end of each
engagement. In Appendix 4-B, Tables 4-3-1-A (all respondents), 4-3-2-A (CAE), and 4-3-3-A
(Practitioner) contain additional details of respondents’ compliance with each individual standard.
These tables contain the respondents’ indication of full compliance, partial compliance, not in
compliance, and do not know for each category of the Standards.
Table 4-3-4-A to Table 4-3-6-A in Appendix 4-B lists by groups full compliance by IAAs for the
respondents, partial compliance for all respondents, and the percentages for not in compliance with
the Standards for all respondents. Refer to Appendix 1-B of this report for the list of groups.
Groups 1, 2, 3, 7, 8, and 11 indicate consistently high compliance with the Standards. Although
group 4 has consistently lower compliance with the Standards, it also has the highest partial
compliance of any group. Group 9 has the highest overall percentages for noncompliance with the
Standards. Standard 1300, Quality Assurance and Improvement Program, had the highest
percentages of noncompliance ranging from groups 1 and 2 with 9.1% to a high of 24.2% in group
12.
The Institute of Internal Auditors Research Foundation
114 A Global Summary of the Common Body of Knowledge 2006 ______________________
Compliance by Types of Organization
Table 4-4 shows the percentage of respondents by type of organization that indicate their organizations
are in full compliance with specific standards. Service provider/consultant respondents have the
highest level of full compliance with Standard 1300, Quality Assurance and Improvement Program
(49.6%), and with Standard 2600, Resolution of Management’s Acceptance of Risks (53.1%).
Publicly traded (listed) companies place a close second in full compliance for Standard 2600 (50.6%).
Table 4-4
Full Compliance to Standards by Type of Organization
Percentage of All Participants
Standard
Service
Provider/
Consultant
1000 – Purpose, Authority,
and Responsibility
1100 – Independence
and Objectivity
1200 – Proficiency and
Due Professional Care
1300 – Quality Assurance
and Improvement Program
2000 – Managing the
Internal Audit Activity
2100 – Nature of Work
2200 – Engagement
Planning
2300 – Performing the
Engagement
2400 – Communicating
Results
2500 – Monitoring Progress
2600 – Resolution of
Management’s
Acceptance of Risks
Publicly
Traded
(Listed)
Company
Privately
Held
(Nonlisted)
Company
Public
Not-forOther
Sector/
Profit
Government Organization
62.7
66.8
56.6
62.5
64.4
49.3
69.6
69.7
63.5
64.1
71.8
48.6
66.2
64.9
57.3
62.6
67.3
50.7
49.6
42.8
30.2
40.1
37.9
32.8
62.1
59.6
53.4
56.6
58.8
43.3
61.6
61.1
58.9
60.0
51.2
50.2
59.8
58.4
61.1
60.2
45.2
41.7
63.5
60.1
54.3
62.2
62.8
45.6
68.0
64.5
59.3
66.0
67.5
52.2
57.0
53.1
55.0
50.6
47.9
38.8
51.1
44.9
55.8
49.6
37.0
31.5
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 115
Adequacy of the Guidance Provided by the Standards
The development and issuance of the Standards is an ongoing process. The IIA’s Internal Auditing
Standards Board engages in extensive consultation and discussions prior to the issuance or revision
of the Standards. This includes worldwide solicitation of public comment through the exposure
draft process. Although this process should provide assurance that the guidance provided by the
Standards is supported by the profession, it is important to determine the views of current users
regarding the adequacy of the guidance provided. Respondents who indicated that they use the
Standards were asked to give their opinion about whether the guidance provided by individual
standards is adequate for their IAA to apply that standard or if more guidance is needed.
As presented in Table 4-5, an overall average of 83.2% of the respondents consider the guidance
provided by the Standards to be adequate. The four standards that received the highest percentage
for adequacy are 1100 (88.1%), Independence and Objectivity, 1200 (87%), Proficiency and Due
Professional Care, 1000 (86.2%) Purpose, Authority, and Responsibility, and 2400 (85.2%)
Communicating Results. These are the same four standards that have the highest compliance
indicated by respondents in Table 4-3. In Table 4-5 all but two standards are rated above 80% for
adequacy.
Table 4-5
Standards Guidance is Adequate
All Respondents in Percentages
Standard
1000 – Purpose, Authority, and Responsibility
1100 – Independence and Objectivity
1200 – Proficiency and Due Professional Care
1300 – Quality Assurance and Improvement Program
2000 – Managing the Internal Audit Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the Engagement
2400 – Communicating Results
2500 – Monitoring Progress
2600 – Resolution of Management’s Acceptance
of Risks
Overall Average
Total
Number of
Respondents
Yes
No
Do Not
Use
Do Not
Know
5,857
6,015
5,994
5,968
5,970
5,916
5,950
5,931
5,941
5,903
5,908
86.2
88.1
87.0
77.3
83.7
82.2
83.6
83.8
85.2
81.8
76.0
1.2
1.7
1.7
5.1
3.1
3.2
3.3
3.6
3.1
4.1
5.6
2.7
1.7
2.3
6.3
3.3
3.5
3.2
3.0
2.6
4.0
5.3
9.9
8.5
9.0
11.3
9.9
11.1
9.9
9.6
9.1
10.1
13.1
83.2
3.2
5.7
9.3
The Institute of Internal Auditors Research Foundation
116 A Global Summary of the Common Body of Knowledge 2006 ______________________
Such a high percentage of positive responses indicates that the guidance provided meets the
expectations of the users of the Standards. The slightly lower response for Standards 1300 (77.3%),
Quality Assurance and Improvement Program, and 2600 (76%), Resolution of Management’s
Acceptance of Risk, in Figure 4-2 may indicate that more or clearer guidance may be appropriate
in the areas of quality assurance and improvement and resolution of management’s acceptance of
risk.
Figure 4-2
Standards Guidance is Adequate
All Respondents in Percentages
Percentage of Respondents
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 117
Table 4-6 shows that a higher percentage of CAEs (overall average 89%) than Practitioners
(overall average 80.7%) regard the guidance provided by the Standards to be adequate. This may
be due to CAEs having more experience with the Standards.
Table 4-6
Adequacy of Guidance Provided by Each of the Standards
CAE, Practitioner, and All Respondents in Percentages
Standard
1000 – Purpose, Authority, and Responsibility
1100 – Independence and Objectivity
1200 – Proficiency and Due Professional Care
1300 – Quality Assurance and Improvement Program
2000 – Managing the Internal Audit Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the Engagement
2400 – Communicating Results
2500 – Monitoring Progress
2600 – Resolution of Management’s Acceptance of Risks
Overall Average
CAE
Practitioner
All
Respondents
93.3
94.1
92.9
81.5
90.0
88.0
89.4
89.3
91.3
88.4
81.3
89.0
83.2
85.6
84.5
75.6
81.0
79.8
81.2
81.5
82.6
79.1
73.8
80.7
86.2
88.1
87.0
77.3
83.7
82.2
83.6
83.8
85.2
81.8
76.0
83.2
In Appendix 4-B, Tables 4-6-1-A (CAEs) and 4-6-2-A (Practitioners) list respondents’ responses
by standard indicating whether the guidance provided is adequate, not adequate, do not use, or do
not know. When asked about the adequacy of the guidance provided, a higher percentage of the
Practitioner respondents replied “Do Not Know” than CAEs. For all of the Standards, Practitioner
responses for “Do Not Know” range from 11.1% to 16.3%. In contrast, the CAE responses range
is from a low of 2.3% to a high of 5.3%. This data indicates that CAEs in this study appear to find
the guidance more adequate than do Practitioners.
In Appendix 4-B, Tables 4-6-3-A (all respondents by groups), 4-6-4-A (CAEs by groups), and 4-65-A (Practitioners by groups) show respondents’ answers by groups to the question about the
adequacy of guidance provided by the Standards. In the groups, CAEs consistently find the
Standards guidance to be more adequate than Practitioners. Table 4-6-3-A indicates that a significant
percentage of all respondents in all groups perceive the guidance provided by each of the Standards
The Institute of Internal Auditors Research Foundation
118 A Global Summary of the Common Body of Knowledge 2006 ______________________
to be adequate. On average, groups 7, 8, and 12 have the highest percentage of satisfaction with
the guidance provided, while groups 1, 2, and 9 have the lowest average percentage of satisfaction.
Table 4-6-6-A in Appendix 4-B provides a summary of all respondents by group who indicate that
the guidance provided by the Standards is not adequate. Indicating a range of 11.6% to 14.5% for
guidance is not adequate, group 9 has the highest level of dissatisfaction with Standards 2200 to
2500. With this group’s exception, the overall low percentages in this table support a high level of
satisfaction with the adequacy of the guidance provided.
Use of and Adequacy of the Guidance Provided by the Practice Advisories
Practice Advisories are continuously developed and issued. The purpose of the Practice Advisories
is to provide guidance on the application of the Standards. Compliance with Practice Advisories
is endorsed by The IIA and strongly recommended but not considered mandatory. The 7,085
respondents who use the Standards in whole or in part were asked whether their IAA uses the
Practice Advisories in the PPF and to indicate whether they regard the guidance to be adequate.
Figure 4-3 shows the percentages of all respondents to this question that use each of the Practice
Advisories.
Figure 4-3
Respondents That Use the Practice Advisories
All Respondents in Percentages
Percentage of Respondents
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 119
Table 4-7 indicates that on average 85.8% of the respondents that use the Standards also use the
Practice Advisories. The Audit Staff (88.7%) report the highest overall use of the Practice Advisories.
Ninety percent or more of the Audit Staff indicate that they use the Practice Advisories for Standards
1000, 1100, 1200, and 2300.
Table 4-7
Respondents That Use the Practice Advisories
By Staff Level in Percentages
Practice Advisory
CAE
Audit
Manager
Audit
Audit
Senior/
Staff
Supervisor
Other
Average
1000 – Purpose, Authority, and
Responsibility
1100 – Independence and Objectivity
1200 – Proficiency and Due Professional
Care
1300 – Quality Assurance and
Improvement Program
2000 – Managing the Internal Audit
Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the Engagement
2400 – Communicating Results
2500 – Monitoring Progress
2600 – Resolution of Management’s
Acceptance of Risks
Average
88.8
88.2
84.8
90.1
84.7
87.3
89.3
88.6
88.5
88.4
86.3
85.1
90.7
90.2
86.9
86.1
88.3
87.7
82.7
82.8
80.5
86.5
79.2
82.3
87.7
87.2
83.7
89.7
84.1
86.5
86.4
87.4
87.8
88.6
87.5
81.4
85.9
87.1
86.9
87.2
85.3
82.2
83.8
84.5
85.2
84.6
82.3
78.4
89.7
89.4
90.0
87.5
88.4
83.6
83.8
84.1
84.9
83.4
83.0
79.0
85.9
86.5
87.0
86.3
85.3
80.9
86.9
86.3
83.6
88.7
83.6
85.8
In Appendix 4-B, Table 4-7-1-A shows the percentage of respondents who do not use the Practice
Advisories for all respondents. Groups 6, 1, 2, and 9 use the Practice Advisories the least.
The Institute of Internal Auditors Research Foundation
120 A Global Summary of the Common Body of Knowledge 2006 ______________________
The respondents were asked if they considered the guidance provided by the Practice Advisories
to be adequate. Table 4-8 shows that for all respondents the overall average satisfaction with
Practice Advisories is 82.5%. Standards 1300 (77.2%) and 2600 (75.4%) are the two standards
that received the lowest percent of satisfaction. This corresponds to the lower level of compliance
with these two Standards by all respondents in Table 4-3.
Table 4-8
Practice Advisory Guidance is Adequate
CAE, Practitioner, and All Respondents in Percentages
Practice Advisory
1000 – Purpose, Authority, and Responsibility
1100 – Independence and Objectivity
1200 – Proficiency and Due Professional Care
1300 – Quality Assurance and Improvement Program
2000 – Managing the Internal Audit Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the Engagement
2400 – Communicating Results
2500 – Monitoring Progress
2600 – Resolution of Management’s Acceptance of Risks
Overall Average
CAE
Practitioner
All
Respondents
86.7
86.7
86.2
76.2
83.5
81.8
83.5
83.9
84.4
82.6
75.2
82.7
85.7
86.2
85.1
77.7
83.4
82.5
83.1
83.3
83.8
80.5
75.4
82.4
86.0
86.3
85.4
77.2
83.4
82.3
83.2
83.5
84.0
81.1
75.4
82.5
In Appendix 4-B, Tables 4-8-1-A (all respondents), 4-8-2-A (CAE), and 4-8-3-A (Practitioner)
show the respondents’ perception of the adequacy of the guidance provided by the Practice Advisories
and the percentages that do not use each individual Practice Advisory.
Table 4-8-4-A in Appendix 4-B shows all respondents’ perception of the adequacy of the guidance
provided by the Practice Advisories by groups. This group table also indicates less satisfaction
with the guidance provided to support for Standards 1300 and 2600. Respondents in groups 12, 7,
and 8 indicate the highest levels of satisfaction with the adequacy of the Practice Advisories.
While still indicating a high level of satisfaction with the guidance, groups 6 and 2 show the lowest
relative levels of satisfaction with the guidance provided by the Practice Advisories.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 121
Reasons for Not Complying with the Standards
All respondents were asked their reasons for not using the Standards in whole or in part. The
question listed possible reasons for noncompliance and allowed for individual comments.
Respondents could select more than one reason for noncompliance. Figure 4-4 shows the average
percentage for all respondents for the reasons provided in the question regarding why they do not
comply in whole or in part with the Standards.
Figure 4-4
Reasons for Not Complying in Whole or in Part with the Standards
All Respondents (8,159) in Percentages*
Percentage of Respondents
*Respondents who do not comply with the Standards could select more than one reason for noncompliance so the
totals could add to more than 100%.
The Institute of Internal Auditors Research Foundation
122 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-9 shows the reasons respondents selected for not using the Standards in whole or in part
by staff position.
Table 4-9
Reasons for Not Using the Standards in Whole or in Part
All Respondents by Staff Position in Percentages*
Reason
Standards or
Practice
Advisories are
too complex
Not
appropriate
for small
organizations
Too costly to
comply
Too timeconsuming
Superseded by
local/
government
regulations
or standards
Not
appropriate
for my
industry
Compliance
not supported
by management/board
Not perceived
as adding
value by
management/
board
Inadequate
IAA staff
Compliance
not expected
in my country
Other
Number
CAE
Audit
Audit Senior/ Audit Staff
Other
Average
Who
% of 2,263
Managers
Supervisor
% of 1,442
% of 569
% of 8,159
S e l e c t e d Respondents % of 1,845
% of 2,040 Respondents Respondents Respondents
Category
Respondents Respondents
473
7.1
5.5
5.4
4.4
6.2
5.8
846
16.4
8.5
7.4
7.1
11.4
10.4
765
13.3
8.9
7.9
6.2
8.6
9.4
992
16.1
12.1
11.4
8.6
8.1
12.2
875
10.3
10.0
12.6
9.6
11.1
10.7
342
4.4
3.3
4.1
4.7
5.3
4.2
970
11.9
12.0
12.6
11.0
11.1
11.9
996
13.6
11.4
13.5
9.9
10.5
12.2
1,026
14.4
11.9
11.7
11.6
13.2
12.6
467
5.9
5.3
6.6
4.9
5.3
5.7
983
11.4
12.7
12.8
8.7
17.9
12.0
*Respondents who do not comply with the Standards could select more than one reason for noncompliance so the
totals could add to more than 100%.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 123
There appears to be three primary causes for noncompliance. The first relates to practitioners’
experiences in application and implementation of guidance or constraints within the IAA. Specific
reasons related to this include the following:
•
•
•
•
•
Inadequate staff (12.6%)
Too time-consuming (12.2%)
Not appropriate for small organizations (10.4%)
Too costly to comply (9.4%)
Standards or Practice Advisories are too complex (5.8%)
The second primary cause concerns lack of support by the organization’s management and includes
the following specific reasons:
•
•
Not perceived as adding value by management/board (12.2%)
Compliance not supported by management/board (11.9%)
The third primary cause involves the regulations or standards in the respondents’ countries or
company, and includes the following reasons:
•
•
•
Superseded by local/government regulations or standards (10.7%)
Compliance not expected in my country (5.7%)
Not appropriate for my industry (4.2%)
This knowledge should aid The IIA in formulating future guidance and in marketing the profession.
The Institute of Internal Auditors Research Foundation
124 A Global Summary of the Common Body of Knowledge 2006 ______________________
Open-ended Question for Noncompliance
Respondents were provided with space to list other reasons why they did not comply with the
Standards in whole or in part. Of the 417 respondents who provided a written response to the
open-ended part of this question, most did not add any new reasons beyond those listed in Table 49, but expanded upon why they selected a particular reason. Table 4-10 categorizes these responses
and lists the percentages of the 417 respondents that gave a particular response. Because seven
respondents gave two reasons why they are not in full compliance with the Standards, there are a
total of 424 responses.
Table 4-10
Reasons for Not Complying with the Standards in Whole or in Part
From Open-ended Question for All Participants
Reasons for Noncompliance
Other standards are used (GAGAS/Yellow Book;
Own standards based on IIA’s; CICA; ISACA;
CIPFA; GAAS; INTOSAI)
Informal/partial use of the Standards
Do not have the knowledge to implement
Standards are not:
adequate/relevant/practical/accepted/value added
Working toward full implementation
Newly established IAA or newly appointed in position
Do not know
Management does not support
Not applicable as function is outsourced or
respondents not in internal audit department
Understaffed
Full compliance to the Standards
No IAA
Other
Number of
Respondents*
Percentage of
417
Respondents
94
22.5
57
54
41
13.7
12.9
9.8
40
36
23
21
13
9.6
8.6
5.5
5.0
3.1
10
5
4
26
2.4
1.2
1.0
6.2
*Since 7 of the 417 respondents provided two reasons for noncompliance with the Standards, there are 424 total
responses.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 125
One respondent suggests that the local affiliate should perform an awareness campaign in his
country for non-listed and small companies to show the need for IAAs to comply with the Standards.
Factors Affecting Compliance
To better understand why some respondents are not in full compliance with the Standards, three
factors were reviewed. First, since The IIA’s membership grew 54.6% from June 2003 to
September 2006, Table 4-11 compares the number of years respondents have been members of
The IIA to respondents’ compliance with the Standards in whole or in part. For those respondents
who are members of The IIA, the longer they have been members the more likely they are to
comply with the Standards in whole or in part.
Table 4-11
Compliance with the Standards in Whole or in Part
Compared to the
Number of Years as a Member of The IIA
All Respondents in Percentages
Number of Years as
Member of IIA
Number of
Respondents
Percentage of
Respondents in
Compliance in Whole
or in Part
5 or less
6 to 10
11 or more
Not a Member
Total/Overall Average
5,044
1,694
1,307
568
8,613
80.7
86.2
88.4
64.8
81.9
The Institute of Internal Auditors Research Foundation
126 A Global Summary of the Common Body of Knowledge 2006 ______________________
The second factor considered is the number of years an organization has had an IAA. Table 4-12
suggests a trend indicating that the longer an organization has had an internal audit department the
greater the IAA’s compliance with the Standards in whole or in part.
Table 4-12
Compliance with the Standards in Whole or in Part
Compared to the
Number of Years Organization has had an IAA
All Respondents in Percentages
Years Having an
IAA
0-5
6-10
11-15
16-20
21-25
26-30
31-35
36-40
41-45
46-50
More than 50
Number of
Respondents
2,147
1,586
902
835
523
561
180
250
48
254
323
Percentage of Respondent
in Compliance in Whole
or in Part
81.0
80.9
83.9
81.8
84.9
84.3
83.3
87.2
85.4
88.2
85.1
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 127
The final factor reviewed is the impact of the number of full-time staff in the IAA on compliance
with the Standards in whole of in part. Table 4-13 notes that with the exception of the 22-24 staff
level category, the trend is that the larger the IAA’s audit staff, the higher level of compliance to
the Standards in whole or in part.
Table 4 -13
Compliance with the Standards in Whole or in Part
Compared to the
Number of Full-Time Staff at Each Staff
CAE Respondents in Percentages
Number of Staff
1-3
4-6
7-9
10-12
13-15
16-18
19-21
22-24
25 or more
Total
Number of
Respondents
1,601
1,253
742
448
332
251
179
133
1,707
6,646
Percentage of
Respondents in
Compliance in Whole
or in Part
75.7
82.0
83.2
83.3
84.3
84.5
85.2
84.7
88.0
82.3
In summary, all three factors, the longer a respondent has been a member of The IIA, or an
organization has had an IAA, or the larger the number of staff in the IAA, positively affect the
level of compliance by the IAA with the Standards.
The Institute of Internal Auditors Research Foundation
128 A Global Summary of the Common Body of Knowledge 2006 ______________________
Quality Assurance and Improvement Program
Since Standard 1300, Quality Assurance and Improvement Program (QA&IP), relates to the
monitoring of IAA compliance with the Standards, the survey included specific questions relating
to internal and external assessments. One of the main objectives of the QA&IP Standard is to
encourage the assessment of, application, and conformance with the Standards. According to
Standard 1300, the CAE should develop and maintain a QA&IP that covers all aspects of the IAA
and continuously monitors its effectiveness. This program includes periodic internal assessments,
external quality assessments, and ongoing internal monitoring. Standard 1300 and the Practice
Advisories further recommend that this program:
•
•
•
•
Provide assurance that the IAA is in conformity with The IIA’s Standards.
Provide assurance that the IAA is in conformity with the IIA Code of Ethics.
Add value and improve the organization’s operations.
Include periodic internal and external quality assessments and ongoing internal monitoring.
Each part of the program should be designed to help the IAA provide this assurance and add value.
Standard 1300
Survey participants were asked whether or not their IAAs have QA&IPs in place in accordance
with Standard 1300. Standard 1330, Use of “Conducted in Accordance with the Standards,” states
that internal auditors are encouraged to report that their activities are conducted in accordance
with the Standards. It further stipulates that internal auditors may use this statement only if
assessment of their QA&IP demonstrates that the IAA is in compliance with the Standards. The
value of this statement is that it implies the credibility of the work performed by the IAA and that
the conclusions reached can be relied upon.
The average response to the question of whether the respondent’s IAA has a QA&IP in place in
accordance with Standard 1300 is reported in Figure 4-5. Of the total respondents, 32.8% say that
they have a QA&IP in place and thus can use the phrase “Conducted in Accordance with the
Standards” in reference to their audit engagements. A further 21.9% indicate that a QA&IP
would be put in place within the next 12 months. Some respondents (7.3%) have a quality assurance
program in place, but the program is not in accordance with Standard 1300. Of the respondents,
22.9% report that they do not have plans to put in place a QA&IP in the next 12 months.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 129
Figure 4-5
IAA Has a Quality Assurance and Improvement Program in
Accordance with Standard 1300
All Respondents (7,269) in Percentages
Percentage of Respondents
If an IAA is not in compliance with Standard 1300, then the IAA is not in full compliance with the
Standards. Of those responding, 38.8% of CAEs and 30.2% of all respondents indicate that they
either do not have plans to put a QA&IP in place or they have quality programs that are not in
accordance with Standard 1300. These organizations will not be able to report that they are in full
compliance with the Standards.
Table 4-14 presents the respondents’ answers to the question asking whether their IAAs have
QA&IPs in place in accordance with Standard 1300 by staff level. Of CAE respondents, 5.4%
say that they do not know whether their IAA has a QA&IP in accordance with Standard 1300.
The “do not know” option to this question was selected by 10.6% of Audit Managers, 18.0% of
The Institute of Internal Auditors Research Foundation
130 A Global Summary of the Common Body of Knowledge 2006 ______________________
Audit Seniors/supervisors, and 26.7% of the Audit Staff respondents. As the quality assurance
program is the responsibility of the CAE, practitioners at less senior levels may not know how the
quality assurance requirements have been implemented. Yet, according to the Standards, quality
assurance should form a part of every activity at all levels of the IAA. All internal audit staff
should therefore be trained in the requirements of quality assurance and should be integrally involved
in the quality assessment and improvement programs of their IAAs.
Table 4-14
IAA Has a Quality Assurance and Improvement Program
in Accordance with Standard 1300
All Respondents by Staff Level in Percentages
QA&IP
Status
CAE
% of 2082
Respondents
Audit
Manager
% of 1687
Respondents
Audit
Audit Staff
Other
Average
Senior/
% of 1239
% of 441
% of 7269
Supervisor Respondents Respondents Respondents
% of 1820
Respondents
Currently in place
To be put in place
within the next
12 months
No plans to put in
place in the next
12 months
Quality assurance
program is not in
accordance with
Standard 1300
Do not know
Total
26.6
29.2
36.5
23.2
36.0
19.0
36.1
15.8
24.5
10.9
32.8
21.9
29.2
22.6
19.6
17.6
23.8
22.9
9.6
7.1
7.4
3.8
7.0
7.3
5.4
100.0
10.6
100.0
18.0
100.0
26.7
100.0
33.8
100.0
15.1
100.0
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 131
Table 4-14-1 shows compliance with Standard 1300 by groups. A noticeably higher than average
percentage (54.7%) of respondents in groups 3 (70.5%), 2 (61.6%), and 1 (61%) indicate that they
have a QA&IP in place or will put one in place within the next 12 months. The groups that have the
highest percentages of respondents indicating that they have no plans to put a QA&IP in place are
groups 12 (34.8%), 4 (34%), 8 (33.5%), and 11 (30.7%). Group 4 (20.7%) has the highest percentage
of respondents who do not know whether they have such a program in place.
Table 4-14-1
IAA Has a Quality Assessment and Improvement Program
in Accordance with Standard 1300 by Groups*
All Respondents in Percentages
Group
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
Overall
Average/
Total
Number of
Yes,
Respondents Currently
in Place
2,974
190
600
300
502
374
439
835
97
110
199
43
624
7,287
40.1
35.8
45.3
19.3
24.4
30.2
25.1
24.0
15.5
30.0
30.2
23.3
20.8
32.8
To Be Put in
Place Within
the Next 12
Months
No Plans
to Put in
Place in
the Next 12
Months
20.9
25.8
25.2
14.3
27.5
21.1
26.9
20.5
28.9
26.4
23.1
27.9
17.5
21.9
17.6
16.9
12.7
34.0
27.7
24.1
27.6
33.5
29.8
26.4
30.7
34.8
27.6
22.9
Program
Do Not
is Not in
Know
Accordance
with
Standard
1300
5.1
8.9
5.5
11.7
9.8
16.0
10.8
6.9
13.4
7.2
5.5
7.0
7.7
7.3
*For a list of groups, please see Appendix 1-B.
**N/C = Respondent did not indicate Affiliate or Chapter membership.
The Institute of Internal Auditors Research Foundation
16.3
12.6
11.3
20.7
10.6
8.6
9.6
15.1
12.4
10.0
10.5
7.0
26.4
15.1
Total
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
132 A Global Summary of the Common Body of Knowledge 2006 ______________________
Internal Assessments
According to Standard 1311, Internal Assessments should include a process to monitor and assess
the overall effectiveness of the quality program. Internal assessments should include both:
•
•
Ongoing review of the performance of the IAA.
Periodic reviews performed through self-assessment or by other persons within the
organization with knowledge of internal auditing practices and the Standards.
The respondents were asked when their IAAs last had a formal internal quality assessment, periodic
or ongoing, in accordance with Standard 1311. Table 4-15 indicates, by staff level, when the IAA
was last subject to an internal quality assessment. On average, 23.6% of the respondents’ IAAs
have had an internal review within the last 12 months and a further 8.7% had a review within the
last 5 years. By the end of 2006, an average of 8.1% additional respondents anticipate their IAAs
will have had an internal quality assessment (note that the questionnaires were sent out in September
2006). On average, 35.3% of the respondents indicate that they have never had an internal
assessment. From predominantly lower staff levels and Other, on average 15.9% of the respondents
do not know if their IAA had a formal internal quality assessment.
Only 5.2% of the CAE’s indicated they did not know when their IAA was last subject to a formal
internal assessment, while 26.7% of the Audit Staff indicated they did not know. This may be
ascribed to a lack of knowledge at their level of responsibility. A higher percentage (47.4%) of
CAEs indicates that an internal quality assessment has never been done, which may be more
accurate as the CAE is normally the person responsible for organizing such reviews.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 133
Table 4-15
When IAA Was Last Subject to a Formal Internal Quality Assessment
in Accordance with Standard 1311
All Respondents by Staff Level in Percentages
Timing
Scheduled to
be completed
prior to
January 1,
2007, but not
yet completed
Within the
last 12 months
1-3 years ago
4-5 years ago
More than 5
years ago
Never
The internal
review was
not done in
accordance
with Standard
1311
Do not know
CAE
% of 2,083
Respondents
Audit
Manager
% of 1,678
Respondents
Audit
Audit Staff
Other
Average
Senior/
% of 1,240
% of 430
% of 7,249
Supervisor Respondents Respondents Respondents
% of 1,818
Respondents
8.7
8.3
8.4
7.5
4.7
8.1
21.0
27.9
24.0
24.4
15.3
23.6
6.5
1.2
1.5
8.1
1.4
1.3
8.9
1.2
1.1
6.0
1.6
1.0
7.7
0.7
1.2
7.4
1.3
1.2
47.4
8.5
32.5
7.4
30.3
6.6
26.1
6.7
35.3
3.7
35.3
7.2
5.2
13.1
19.5
26.7
31.4
15.9
The Institute of Internal Auditors Research Foundation
134 A Global Summary of the Common Body of Knowledge 2006 ______________________
The following compares the results in Table 4-14 (the IAA has a QA&IP in place) to the percentages
in Table 4-15 (the internal assessment is scheduled to be completed prior to January 1, 2007, or
completed a quality assessment within the last 12 months). The percentages are fairly close for
both tables. For example, Table 4-14 lists CAE respondents indicating that 26.6% have a QA&IP
in place, and Table 4-15 has a total of 29.7% CAE respondents having had a formal quality assessment
in accordance with Standard 1311 complete in the last 12 months or scheduled before January 1,
2007. For all respondents in this comparison, Table 4-14 had 32.8% of respondents having a QA&IP
in place, and Table 4-15 has a total of 31.7% completed within the last 12 months or scheduled to
be completed by January 1, 2007.
In Appendix 4-B, Table 4-15-1-A contains the status of the internal assessment by groups. For six
of the groups, more than 40% of respondents have never had an internal assessment. For groups
6, 8, and 12, more than 11% of the respondents have completed a quality assessment that was not
in accordance with Standard 1311. Only group 3 respondents indicate that 43.4% of their IAAs
have had an assessment in accordance with Standard 1311 in the last 5 years. Eleven point four
percent to 14.9% of the respondents in groups 3, 10, and 12 anticipate completing an assessment
prior to January 1, 2007.
Two factors should be considered when reviewing which respondents’ organizations have had an
internal quality assessment. The first is whether the length of time the IAA has been in existence
within the organization has any effect on compliance to Standard 1311. Table 4-16 compares the
length of time that respondents’ organizations have had an IAA with when or if they have had an
internal assessment. IAAs that have been in existence for 0 to 5 years have the highest percentage
(54.2%) of never having had an internal assessment. That percentage drops to 38% for those
organizations whose IAAs have been in existence for 6 to 10 years. It appears that, generally, the
longer the organization has had an IAA the more likely they are to have an internal assessment
program in place.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 135
Table 4-16
Years the IAA has Existed in an Organization Compared to
When the IAA had an Internal Assessment
All Respondents in Percentages
Years
IAA
Existed
0-5
6-10
11-15
16-20
21-25
26-30
31-35
36-40
41-45
46-50
More
than
50 years
Number of Scheduled Within 1-3
4-5 More Never
The
I Do
Total
Respondents
to Be
the Last Years Years Than
Internal Not Know
Completed
12
Ago Ago
5
Review Was
Prior to
Months
Years
Not Done in
January 1,
Ago
Accordance
2007, But
with
Not Yet
Standard
Completed
1311
1,857
1,364
774
727
727
465
145
208
38
198
266
7.7
7.7
8.4
10.0
9.0
8.8
8.3
7.7
13.2
6.1
9.4
14.8
21.8
25.2
23.4
30.4
31.0
31.7
35.1
39.5
31.8
36.1
4.0
6.2
7.4
10.6
10.1
9.7
11.7
13.0
5.3
12.1
10.2
0.5
1.1
1.8
2.6
2.9
1.1
1.4
0.5
5.3
3.0
1.1
0.2
1.2
1.4
2.3
1.3
1.5
0.7
1.4
.0
3.0
1.5
54.2
38.0
35.1
25.9
25.8
24.3
26.2
25.0
15.8
18.7
13.5
7.3
8.1
7.2
6.2
7.7
8.2
8.3
4.8
7.9
6.1
8.6
The Institute of Internal Auditors Research Foundation
11.3
15.9
13.5
19.0
12.8
15.4
11.7
12.5
13.2
19.2
19.6
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
136 A Global Summary of the Common Body of Knowledge 2006 ______________________
The second factor to consider is the number of audit staff in the IAA. Table 4-17 shows that for
staff levels of 1-3, respondents indicate that 58.2% of their IAAs have never had an internal
review. As the size of the IAA staff increases, fewer respondents’ IAAs have never had an
internal review with one exception (organizations with a staff size of 10-12). With a staff of 25 or
more only 14.2% indicated that their IAA had never had an internal review.
It appears that the number of years the IAA has existed and the number of staff in the IAA affect
whether an IAA has had an internal assessment program.
Table 4-17
Number of Audit Staff in the IAA Compared to
When the IAA had an Internal Assessment
All Respondents in Percentages
Number
of
Staff
1-3
4-6
7-9
10-12
13-15
16-18
19-21
22-24
25 or
more
Number of Scheduled Within 1-3
4-5 More Never
The
I Do
Total
Respondents
to Be
the Last Years Years Than
Internal Not Know
Completed
12
Ago Ago
5
Review Was
Prior to
Months
Years
Not Done in
January 1,
Ago
Accordance
2007, But
with
Not Yet
Standard
Completed
1311
1,859
1,319
775
451
351
265
186
137
1,561
5.9
8.6
7.7
8.2
12.3
12.5
8.6
12.4
9.5
11.5
18.0
26.1
23.5
25.4
27.2
30.6
34.3
39.4
4.1
6.7
8.1
9.1
9.7
7.5
9.1
10.9
10.4
1.0
1.1
1.8
1.3
1.1
.8
2.7
1.5
1.8
1.0
1.2
1.4
2.0
.9
1.5
.5
2.2
1.3
58.2
42.7
30.6
31.9
26.2
24.9
19.4
18.2
14.2
7.0
8.3
7.7
7.3
7.7
9.1
7.5
8.8
5.4
The Institute of Internal Auditors Research Foundation
11.3
13.4
16.6
16.7
16.7
16.5
21.6
11.7
18.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
_______________________________ Chapter 4: The Professional Practices Framework 137
External Assessments
According to Standard 1312, External Assessments, the IAA should have an external assessment
at least once every 5 years by a qualified, independent reviewer or review team from outside the
organization. All IAAs that existed on January 1, 2002, when this standard became effective
should have had an external assessment performed by January 1, 2007. For external reviews,
Practice Advisory 1312-1, External Assessments, recommends that an opinion on the IAA’s
compliance to the Standards based on a structured rating process be communicated to the CAE.
Figure 4-6 indicates when all respondents’ IAAs were last subject to an external quality assessment.
The average response for all respondents indicates that 39.7% of respondents’ IAAs have never
had an external assessment.
Figure 4-6
When the IAA was Last Subject to a Formal External Quality Assessment
in Accordance with Standard 1312
All Respondents (7,230) in Percentages
Percentage of Respondents
The Institute of Internal Auditors Research Foundation
138 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-18 indicates by staff level when respondents’ IAAs were last subject to an external quality
assessment. Comparing the average response (39.7%) indicating the IAA has not had an external
review to the different levels of staff, 53.7% of the CAE respondents indicate their IAA has not
had an external review. This is probably more reflective of the actual status as the CAE is responsible
for arranging the external review. It appears that for 44.4% of those responding to this question,
their organizations have not been subject to a formal external quality assessment and are not in
compliance with Standard 1312 and are therefore not in full compliance with the Standards.
Table 4-18
When the IAA was Last Subject to a Formal External Quality Assessment
in Accordance with Standard 1312
All Respondents in Percentages
Timing
CAE
% of 2,073
Respondents
Audit
Manager
% of 1,674
Respondents
Audit
Audit Staff
Other
Average
Senior/
% of 1,241
% of 429 % of 7,230
Supervisor Respondents Respondents Respondents
% of 1,813
Respondents
Scheduled to
be completed
prior to
January 1, 2007,
but not yet
completed
Within the last
12 months
1-3 years ago
4-5 years ago
More than 5
years ago
Never
The external
review was not
done in
accordance
with Standard
1312
Do not know
7.7
8.7
7.4
7.2
4.4
7.6
13.8
16.9
17.9
19.1
14.5
16.5
6.9
2.2
1.7
11.2
1.8
2.1
12.0
2.4
1.7
8.8
1.9
1.2
7.5
1.6
1.2
9.5
2.1
1.7
53.7
7.7
38.6
4.9
33.4
4.2
28.7
2.4
35.0
2.3
39.7
5.0
6.3
15.8
21.0
30.7
33.5
17.9
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 139
Table 4-18-1 shows the results for external quality assessments for the groups. More than 40% of
the respondents in groups 3 (48.9%), 2 (42.2%), 10 (43.9%), and 1 (41.5%) indicate that their IAA
has had a formal external assessment in the last 5 years or will have one completed by January 1,
2007, in accordance with Standard 1312. More than 50% of respondents in groups 9 (59.6%), 12
(59.5%), 5 (54.5%), 4 (51.9%), and 8 (51.5%) noted that they have never had an external assessment.
Table 4-18-1
When the IAA was Last Subject to a Formal External Quality Assessment
in Accordance with Standard 1312 by Groups*
All Respondents in Percentages
Timing
Scheduled
to be
completed
prior to
January 1,
2007
Within the
last 12
months
1-3 years ago
4-5 years ago
More than 5
years ago
Never
Not done in
accordance with
Standard 1312
Do not know
Total percentage
Total number of
respondents
1
2
8.3
7.5
19.7
3
4
5
6
7
8
9
11.9
3.7
8.3
6.2
6.1
5.6
5.1 18.4
12.8
19.0
15.5
11.4
13.2
17.9
11.9
14.1 13.2
11.0
2.5
2.0
18.2
3.7
3.7
15.1
2.9
2.3
4.7
2.7
5.7
9.8
0.6
0.6
8.9
3.5
1.1
5.4
1.4
0.9
6.5
0.8
0.4
31.1
2.3
32.6
4.3
28.7
3.2
51.9
3.4
54.5
6.8
43.5
12.1
48.0
8.8
51.5
8.2
9.1
1.0
0.0
10
8.8
3.5
0.9
59.6 40.4
1.0 4.4
11
9.6
12
7.1
N/C**
4.0
16.2 14.3 12.6
5.1
1.5
0.5
4.8
0.0
2.4
6.3
1.3
1.1
39.6 59.5 48.0
7.7 4.8 7.2
23.1 17.2 16.9 12.4
8.0 11.5 11.5 15.1 10.1 10.4 19.8 7.1 19.5
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
2,956
187 596
297
499
372 442 827
99 114 197
42 621
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
140 A Global Summary of the Common Body of Knowledge 2006 ______________________
To determine if the length of time the IAA has been in existence within an organization has any
effect on compliance to Standard 1312, Table 4-19 compares the length of time that respondents’
organizations have had an IAA to when and if they have had an external assessment. IAAs that
have been in existence for 0 to 5 years have the highest percentage (61.2%) of never having had
an external assessment. The percentage for never having an external assessment drops to 40.4%
for those organizations whose IAAs have been in existence for 6 to 10 years. It appears that,
generally, the longer the organization has had an IAA the more likely they have had an external
assessment.
Table 4-19
Years the IAA has Existed in an Organization Compared to
When the IAA had an External Assessment
All Participants in Percentages
Years
Number
Scheduled
IAA
of
to Be
Been in Respondents Completed
Existence
Prior to
January 1,
2007,
But Not
Yet
Completed
0-5
6-10
11-15
16-20
21-25
26-30
31-35
36-40
41-45
46-50
More
than
50 years
1,853
1,365
770
723
449
462
142
210
39
196
266
5.8
8.6
7.8
7.9
8.7
8.4
7.7
11.0
23.1
6.1
9.8
Within 1-3
4-5
More Never
The
I Do Total
the Last Years Years Than
Internal
Not
12
Ago Ago
5
Review was Know
Months
Years
Not Done in
Ago
Accordance
with
Standard
1312
8.9
14.7
16.2
17.2
26.5
22.5
16.2
27.1
20.5
26.0
24.4
5.0
8.2
10.3
11.3
11.6
11.7
21.8
13.8
12.8
14.3
19.5
0.8
2.1
2.7
3.6
1.8
3.7
3.5
1.9
5.1
3.1
2.3
0.2
1.8
2.1
3.5
2.0
2.4
0.7
1.9
.0
3.1
2.6
61.2
40.4
40.6
29.6
30.3
27.3
28.9
27.1
15.4
23.0
16.9
The Institute of Internal Auditors Research Foundation
4.6
5.7
5.7
4.7
5.8
7.6
6.3
1.4
7.7
2.0
5.6
13.5
18.5
14.6
22.2
13.3
16.4
14.9
15.8
15.4
22.4
18.9
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
_______________________________ Chapter 4: The Professional Practices Framework 141
As shown in Table 4-20, the number of audit staff in the IAA was compared to whether the IAA
has had an external assessment. This factor appears to have a marked influence on the IAA
having an external assessment. IAAs that have an audit staff of 1-3 indicate that 60.4% never
have had an external assessment. This drops to 49% for a staff size of 4-6 and to 17.8% for IAAs
with an audit staff of 25 or more.
Table 4-20
Number of Audit Staff in the IAA Compared to
When the IAA had an External Assessment
All Participants in Percentages
Number
of
Staff
1-3
4-6
7-9
10-12
13-15
16-18
19-21
22-24
25 or
more
Number
Scheduled
of
to Be
Respondents Completed
Prior to
January 1,
2007,
But Not
Yet
Completed
1,854
1,311
770
448
352
265
187
137
1,559
5.1
7.8
8.4
6.0
9.9
9.4
6.4
13.1
10.1
Within 1-3
4-5 More Never
The
I Do Total
the Last Years Years Than
Internal
Not
12
Ago Ago
5
Review was Know
Months
Years
Not Done in
Ago
Accordance
with
Standard
1312
7.9
12.5
18.7
18.1
18.5
16.6
25.7
19.7
26.5
4.9
6.6
9.9
8.7
13.9
10.9
10.2
18.2
16.5
1.7
1.8
1.9
2.7
2.3
3.8
3.7
4.4
2.4
1.3
1.6
3.0
1.8
1.7
1.9
2.1
1.5
1.6
60.4
49.0
37.0
39.1
31.3
32.1
25.7
19.7
17.8
5.7
5.9
4.8
4.5
4.3
6.4
5.3
6.6
3.7
13.0
14.8
16.3
19.1
18.1
18.9
20.9
16.8
21.4
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
As with internal assessments, the length of time an IAA has been in existence and the number of
audit staff in the IAA affect whether IAAs have had an external assessment.
The Institute of Internal Auditors Research Foundation
142 A Global Summary of the Common Body of Knowledge 2006 ______________________
Quality Assurance and Improvement Program Activities
Respondents were asked what types of activities their IAAs used when performing internal and
external quality assessments. Practice Advisory 1300-1, Quality Assurance and Improvement
Program, states that the quality assurance and improvement program should include activities that
are designed to provide reasonable assurance of compliance with the Standards such as appropriate
supervision of the audit team.
The respondents were requested to indicate which of the listed activities they performed as part of
their internal audit quality assessment and improvement program. Figure 4-7 shows the responses
given by staff level. As respondents could mark more than one activity the total percentage may be
greater than 100%.
On average, the activities that are included most often are engagement supervision (42.7%),
checklists/manuals to provide assurance that proper audit processes are followed (40.6%), and
feedback from audit customers at the end of an audit (38.5%). The least used activities are
verification that the IAA is in compliance with the Standards (28.4%), review by external party
(20.4%), and compliance with non-IIA standards or codes (19.0%).
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 143
Figure 4-7
Activities Performed by IAAs as Part of a QA&IP
All Respondents (8,159) in Percentages
42.7%
Engagement supervision
Checklists/manuals to provide assurance
that proper audit processes
are followed
Feedback from audit customers at the
end of an audit
Internal audit professionals are in
compliance with The IIA's
Code of Ethics
40.6%
38.5%
31.1%
30.1%
Reviews by other members of IAA
Verification that the IAA is in
compliance with The Standards
28.4%
Review by external party
20.4%
Compliance with non-IIA standards or
codes
19.0%
Not applicable
13.4%
12.2%
Do not know
0%
10%
20%
30%
40%
50%
Percentage of Respondents
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
144 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-21 shows the responses for the types of activities performed as part of a QA&IP given by
staff level.
Table 4-21
Activities Performed by IAAs as Part of a QA&IP
All Respondents by Staff Level in Percentages
Activity
Engagement
supervision
Checklists/
manuals to
provide
assurance that
proper audit
processes are
followed
Feedback from
audit customers
at the end of an
audit
Internal audit
professionals are
in compliance
with The IIA’s
Code of Ethics
Reviews by
other members
of the IAA
Verification that
the IAA is in
compliance with
the Standards
CAE
% of 2,263
Respondents
Audit
Managers
% of 1,845
Respondents
Audit
Audit Staff
Other
Average
Senior/
% of 1,442
% of 569
% of
Supervisor Respondents Respondents 8,159
% of 2,040
ResponRespondents
dents
48.8
54.2
47.4
38.1
24.8
42.7
44.8
49.9
43.9
38.0
26.7
40.6
41.4
47.4
41.7
38.5
23.4
38.5
37.6
38.9
31.3
28.7
19.3
31.1
27.2
39.1
35.6
30.9
17.9
30.1
35.6
36.7
27.6
26.0
16.5
28.4
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 145
Table 4-21 (Cont.)
Activities Performed by IAAs as Part of a QA&IP
All Respondents by Staff Level in Percentages
Activity
Review by
external party
Compliance with
non-IIA
standards or
codes
Not applicable
Do not know
CAE
% of 2,263
Respondents
Audit
Managers
% of 1,845
Respondents
Audit
Audit Staff
Other
Average
Senior/
% of 1,442
% of 569
% of
Supervisor Respondents Respondents 8,159
% of 2,040
ResponRespondents
dents
21.3
25.4
22.2
18.0
15.1
20.4
19.4
23.1
21.9
17.5
13.5
19.0
16.4
3.4
11.8
8.2
10.9
11.9
10.1
17.5
17.8
20.0
13.4
12.2
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
Table 4-21-1-A in Appendix 4-B analyzes the responses by groups for the types of activities
performed as part of a QA&IP. Consistently throughout the groups, engagement supervision (63.9%
to 32.1%), checklists/manuals (57.4% to 33.3%), and feedback from audit customers (55.3% to
31.1%) are the most used activities. Least utilized items by groups include review by external party
(34.0% to 12.6%) and reviews of compliance with non-IIA standards or codes (28.0% to 14.7%).
These results are consistent with the summary results in Table 4-21.
Education of key personnel (audit committees and management) to make them aware of the
importance of compliance and the value that may be derived from the quality assessment process
may help to increase compliance with Standard 1300.
The Institute of Internal Auditors Research Foundation
146 A Global Summary of the Common Body of Knowledge 2006 ______________________
Compliance with The IIA’s Code of Ethics
As part of the CBOK Affiliate survey, affiliates were asked whether they require their members to
follow The IIA’s Code of Ethics. Of the 46 affiliates responding to this question, all but one answered
in the affirmative. One affiliate has adopted a local version of a code of ethics. The affiliates were
then asked how they handled ethical complaints against their members. A wide variety of responses
were received. In a number of instances no complaints had ever been received so no process had
been put in place. In most cases, complaints were handled by an ethics or disciplinary committee,
while some actions were left to the affiliate’s board of directors. In two cases, investigations were
conducted in consultation with The IIA.
Summary
A large majority of the participants in this study indicate that their IAAs are using the Standards in
whole or in part. Compliance with the Standards is affected by the length of time an individual has
been a member of The IIA, the number of years an organization has had an IAA, and the number
of staff in the IAA. Compliance with Standard 1300 is influenced by the period of time an organization
has had an IAA and the size of the audit staff. A large majority of the respondents also believe that
the guidance provided by the Standards and most Practice Advisories is adequate. Standards
1300, Quality Assurance and Improvement Program, and 2600, Resolution of Management’s
Acceptance of Risks, have lower levels of usage and satisfaction with the adequacy of guidance
provided by the Standards. More or clearer guidance may be appropriate in these areas.
References
1. The Institute of Internal Auditors, A Vision for the Future: The Professional Practices
Framework for Internal Auditing (Altamonte Springs, FL: The Institute of Internal Auditors),
1999.
2. The Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs,
FL: The Institute of Internal Auditors), 2005.
3. The Institute of Internal Auditors, Quality Assessment Manual (Altamonte Springs, FL: The
Institute of Internal Auditors), February 2006.
4. The Institute of Internal Auditors, The Institute of Internal Auditors Executive Summary
(Altamonte Springs, FL: The Institute of Internal Auditors), September 13, 2006.
5. The Institute of Internal Auditors, IIA International Professional Practices Framework –
Exposure Document (Altamonte Springs, FL: The Institute of Internal Auditors), 2007.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 147
APPENDIX 4-A
THE IIA’S STANDARDS, PRACTICE ADVISORIES,
AND GLOSSARY TO THE STANDARDS
AS OF SEPTEMBER 20061
ATTRIBUTE STANDARDS
1000 – Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity should be formally defined in
a charter, consistent with the Standards, and approved by the board.
1000.A1 – The nature of assurance services provided to the organization should be defined
in the audit charter. If assurances are to be provided to parties outside the organization,
the nature of these assurances should also be defined in the charter.
1000.C1 – The nature of consulting services should be defined in the audit charter.
1100 – Independence and Objectivity
The internal audit activity should be independent, and internal auditors should be objective in
performing their work.
1110 – Organizational Independence
The chief audit executive should report to a level within the organization that allows the internal
audit activity to fulfill its responsibilities.
1110.A1 – The internal audit activity should be free from interference in determining the
scope of internal auditing, performing work, and communicating results.
1120 – Individual Objectivity
Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.
1130 – Impairments to Independence or Objectivity
If independence or objectivity is impaired in fact or appearance, the details of the impairment
should be disclosed to appropriate parties. The nature of the disclosure will depend upon the
impairment.
1
Standards are always being updated as the profession evolves.
The Institute of Internal Auditors Research Foundation
148 A Global Summary of the Common Body of Knowledge 2006 ______________________
1130.A1 – Internal auditors should refrain from assessing specific operations for which
they were previously responsible. Objectivity is presumed to be impaired if an internal
auditor provides assurance services for an activity for which the internal auditor had
responsibility within the previous year.
1130.A2 – Assurance engagements for functions over which the chief audit executive
has responsibility should be overseen by a party outside the internal audit activity.
1130.C1 – Internal auditors may provide consulting services relating to operations for
which they had previous responsibilities.
1130.C2 – If internal auditors have potential impairments to independence or objectivity
relating to proposed consulting services, disclosure should be made to the engagement
client prior to accepting the engagement.
1200 – Proficiency and Due Professional Care
Engagements should be performed with proficiency and due professional care.
1210 – Proficiency
Internal auditors should possess the knowledge, skills, and other competencies needed to perform
their individual responsibilities. The internal audit activity collectively should possess or obtain
the knowledge, skills, and other competencies needed to perform its responsibilities.
1210.A1 – The chief audit executive should obtain competent advice and assistance if the
internal audit staff lacks the knowledge, skills, or other competencies needed to perform
all or part of the engagement.
1210.A2 – The internal auditor should have sufficient knowledge to identify the indicators
of fraud but is not expected to have the expertise of a person whose primary responsibility
is detecting and investigating fraud.
1210.A3 – Internal auditors should have knowledge of key information technology risks
and controls and available technology-based audit techniques to perform their assigned
work. However, not all internal auditors are expected to have the expertise of an internal
auditor whose primary responsibility is information technology auditing.
1210.C1 – The chief audit executive should decline the consulting engagement or obtain
competent advice and assistance if the internal audit staff lacks the knowledge, skills, or
other competencies needed to perform all or part of the engagement.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 149
1220 – Due Professional Care
Internal auditors should apply the care and skill expected of a reasonably prudent and competent
internal auditor. Due professional care does not imply infallibility.
1220.A1 – The internal auditor should exercise due professional care by considering the:
• Extent of work needed to achieve the engagement’s objectives.
• Relative complexity, materiality, or significance of matters to which assurance
procedures are applied.
• Adequacy and effectiveness of risk management, control, and governance processes.
• Probability of significant errors, irregularities, or noncompliance.
• Cost of assurance in relation to potential benefits.
1220.A2 – In exercising due professional care the internal auditor should consider the use
of computer-assisted audit tools and other data analysis techniques.
1220.A3 – The internal auditor should be alert to the significant risks that might affect
objectives, operations, or resources. However, assurance procedures alone, even when
performed with due professional care, do not guarantee that all significant risks will be
identified.
1220.C1 – The internal auditor should exercise due professional care during a consulting
engagement by considering the:
• Needs and expectations of clients, including the nature, timing, and communication of
engagement results.
• Relative complexity and extent of work needed to achieve the engagement’s objectives.
• Cost of the consulting engagement in relation to potential benefits.
1230 – Continuing Professional Development
Internal auditors should enhance their knowledge, skills, and other competencies through
continuing professional development.
1300 – Quality Assurance and Improvement Program
The chief audit executive should develop and maintain a quality assurance and improvement program
that covers all aspects of the internal audit activity and continuously monitors its effectiveness.
This program includes periodic internal and external quality assessments and ongoing internal
monitoring. Each part of the program should be designed to help the internal auditing activity add
value and improve the organization’s operations and to provide assurance that the internal audit
activity is in conformity with the Standards and the Code of Ethics.
The Institute of Internal Auditors Research Foundation
150 A Global Summary of the Common Body of Knowledge 2006 ______________________
1310 – Quality Program Assessments
The internal audit activity should adopt a process to monitor and assess the overall effectiveness
of the quality program. The process should include both internal and external assessments.
1311 – Internal Assessments
Internal assessments should include:
• Ongoing reviews of the performance of the internal audit activity; and
• Periodic reviews performed through self-assessment or by other persons within the
organization, with knowledge of internal audit practices and the Standards.
1312 – External Assessments
External assessments, such as quality assurance reviews, should be conducted at least
once every five years by a qualified, independent reviewer or review team from outside
the organization.
1320 – Reporting on the Quality Program
The chief audit executive should communicate the results of external assessments to the
board.
1330 – Use of “Conducted in Accordance with the Standards”
Internal auditors are encouraged to report that their activities are “conducted in accordance
with the International Standards for the Professional Practice of Internal Auditing.” However,
internal auditors may use the statement only if assessments of the quality improvement program
demonstrate that the internal audit activity is in compliance with the Standards.
1340 – Disclosure of Noncompliance
Although the internal audit activity should achieve full compliance with the Standards and
internal auditors with the Code of Ethics, there may be instances in which full compliance is
not achieved. When noncompliance impacts the overall scope or operation of the internal
audit activity, disclosure should be made to senior management and the board.
PERFORMANCE STANDARDS
2000 – Managing the Internal Audit Activity
The chief audit executive should effectively manage the internal audit activity to ensure it adds
value to the organization.
2010 – Planning
The chief audit executive should establish risk-based plans to determine the priorities of the
internal audit activity, consistent with the organization’s goals.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 151
2010.A1 – The internal audit activity’s plan of engagements should be based on a risk
assessment, undertaken at least annually. The input of senior management and the board
should be considered in this process.
2010.C1 – The chief audit executive should consider accepting proposed consulting
engagements based on the engagement’s potential to improve management of risks, add
value, and improve the organization’s operations. Those engagements that have been
accepted should be included in the plan.
2020 – Communication and Approval
The chief audit executive should communicate the internal audit activity’s plans and resource
requirements, including significant interim changes, to senior management and to the board for
review and approval. The chief audit executive should also communicate the impact of resource
limitations.
2030 – Resource Management
The chief audit executive should ensure that internal audit resources are appropriate, sufficient,
and effectively deployed to achieve the approved plan.
2040 – Policies and Procedures
The chief audit executive should establish policies and procedures to guide the internal audit
activity.
2050 – Coordination
The chief audit executive should share information and coordinate activities with other internal
and external providers of relevant assurance and consulting services to ensure proper coverage
and minimize duplication of efforts.
2060 – Reporting to the Board and Senior Management
The chief audit executive should report periodically to the board and senior management on
the internal audit activity’s purpose, authority, responsibility, and performance relative to its
plan. Reporting should also include significant risk exposures and control issues, corporate
governance issues, and other matters needed or requested by the board and senior management.
2100 – Nature of Work
The internal audit activity should evaluate and contribute to the improvement of risk management,
control, and governance processes using a systematic and disciplined approach.
The Institute of Internal Auditors Research Foundation
152 A Global Summary of the Common Body of Knowledge 2006 ______________________
2110 – Risk Management
The internal audit activity should assist the organization by identifying and evaluating significant
exposures to risk and contributing to the improvement of risk management and control systems.
2110.A1 – The internal audit activity should monitor and evaluate the effectiveness of the
organization’s risk management system.
2110.A2 – The internal audit activity should evaluate risk exposures relating to the
organization’s governance, operations, and information systems regarding the:
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.
2110.C1 – During consulting engagements, internal auditors should address risk consistent
with the engagement’s objectives and be alert to the existence of other significant risks.
2110.C2 – Internal auditors should incorporate knowledge of risks gained from consulting
engagements into the process of identifying and evaluating significant risk exposures of
the organization.
2120 – Control
The internal audit activity should assist the organization in maintaining effective controls by
evaluating their effectiveness and efficiency and by promoting continuous improvement.
2120.A1 – Based on the results of the risk assessment, the internal audit activity should
evaluate the adequacy and effectiveness of controls encompassing the organization’s
governance, operations, and information systems. This should include:
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations.
• Safeguarding of assets.
• Compliance with laws, regulations, and contracts.
2120.A2 – Internal auditors should ascertain the extent to which operating and program
goals and objectives have been established and conform to those of the organization.
2120.A3 – Internal auditors should review operations and programs to ascertain the extent
to which results are consistent with established goals and objectives to determine whether
operations and programs are being implemented or performed as intended.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 153
2120.A4 – Adequate criteria are needed to evaluate controls. Internal auditors should
ascertain the extent to which management has established adequate criteria to determine
whether objectives and goals have been accomplished. If adequate, internal auditors
should use such criteria in their evaluation. If inadequate, internal auditors should work
with management to develop appropriate evaluation criteria.
2120.C1 – During consulting engagements, internal auditors should address controls
consistent with the engagement’s objectives and be alert to the existence of any significant
control weaknesses.
2120.C2 – Internal auditors should incorporate knowledge of controls gained from
consulting engagements into the process of identifying and evaluating significant risk
exposures of the organization.
2130 – Governance
The internal audit activity should assess and make appropriate recommendations for improving
the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Effectively communicating risk and control information to appropriate areas of the
organization.
• Effectively coordinating the activities of and communicating information among the board,
external and internal auditors, and management.
2130.A1 – The internal audit activity should evaluate the design, implementation, and
effectiveness of the organization’s ethics-related objectives, programs, and activities.
2130.C1 – Consulting engagement objectives should be consistent with the overall values
and goals of the organization.
2200 – Engagement Planning
Internal auditors should develop and record a plan for each engagement, including the scope,
objectives, timing, and resource allocations.
2201 – Planning Considerations
In planning the engagement, internal auditors should consider:
• The objectives of the activity being reviewed and the means by which the activity controls
its performance.
The Institute of Internal Auditors Research Foundation
154 A Global Summary of the Common Body of Knowledge 2006 ______________________
•
•
•
The significant risks to the activity, its objectives, resources, and operations and the means
by which the potential impact of risk is kept to an acceptable level.
The adequacy and effectiveness of the activity’s risk management and control systems
compared to a relevant control framework or model.
The opportunities for making significant improvements to the activity’s risk management
and control systems.
2201.A1 – When planning an engagement for parties outside the organization, internal
auditors should establish a written understanding with them about objectives, scope,
respective responsibilities, and other expectations, including restrictions on distribution of
the results of the engagement and access to engagement records.
2201.C1 – Internal auditors should establish an understanding with consulting engagement
clients about objectives, scope, respective responsibilities, and other client expectations.
For significant engagements, this understanding should be documented.
2210 – Engagement Objectives
Objectives should be established for each engagement.
2210.A1 – Internal auditors should conduct a preliminary assessment of the risks relevant
to the activity under review. Engagement objectives should reflect the results of this
assessment.
2210.A2 – The internal auditor should consider the probability of significant errors,
irregularities, noncompliance, and other exposures when developing the engagement
objectives.
2210.C1 – Consulting engagement objectives should address risks, controls, and
governance processes to the extent agreed upon with the client.
2220 – Engagement Scope
The established scope should be sufficient to satisfy the objectives of the engagement.
2220.A1 – The scope of the engagement should include consideration of relevant systems,
records, personnel, and physical properties, including those under the control of third parties.
2220.A2 – If significant consulting opportunities arise during an assurance engagement, a
specific written understanding as to the objectives, scope, respective responsibilities, and
other expectations should be reached and the results of the consulting engagement
communicated in accordance with consulting standards.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 155
2220.C1 – In performing consulting engagements, internal auditors should ensure that the
scope of the engagement is sufficient to address the agreed-upon objectives. If internal
auditors develop reservations about the scope during the engagement, these reservations
should be discussed with the client to determine whether to continue with the engagement.
2230 – Engagement Resource Allocation
Internal auditors should determine appropriate resources to achieve engagement objectives.
Staffing should be based on an evaluation of the nature and complexity of each engagement,
time constraints, and available resources.
2240 – Engagement Work Program
Internal auditors should develop work programs that achieve the engagement objectives. These
work programs should be recorded.
2240.A1 – Work programs should establish the procedures for identifying, analyzing,
evaluating, and recording information during the engagement. The work program should
be approved prior to its implementation, and any adjustments approved promptly.
2240.C1 – Work programs for consulting engagements may vary in form and content
depending upon the nature of the engagement.
2300 – Performing the Engagement
Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the
engagement’s objectives.
2310 – Identifying Information
Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve
the engagement’s objectives.
2320 – Analysis and Evaluation
Internal auditors should base conclusions and engagement results on appropriate analyses
and evaluations.
2330 – Recording Information
Internal auditors should record relevant information to support the conclusions and engagement
results.
2330.A1 – The chief audit executive should control access to engagement records. The
chief audit executive should obtain the approval of senior management and/or legal counsel
prior to releasing such records to external parties, as appropriate.
The Institute of Internal Auditors Research Foundation
156 A Global Summary of the Common Body of Knowledge 2006 ______________________
2330.A2 – The chief audit executive should develop retention requirements for engagement
records. These retention requirements should be consistent with the organization’s guidelines
and any pertinent regulatory or other requirements.
2330.C1 – The chief audit executive should develop policies governing the custody and
retention of engagement records, as well as their release to internal and external parties.
These policies should be consistent with the organization’s guidelines and any pertinent
regulatory or other requirements.
2340 – Engagement Supervision
Engagements should be properly supervised to ensure objectives are achieved, quality is assured,
and staff is developed.
2400 – Communicating Results
Internal auditors should communicate the engagement results.
2410 – Criteria for Communicating
Communications should include the engagement’s objectives and scope as well as applicable
conclusions, recommendations, and action plans.
2410.A1 – Final communication of engagement results should, where appropriate, contain
the internal auditor’s overall opinion and or conclusions.
2410.A2 – Internal auditors are encouraged to acknowledge satisfactory performance in
engagement communications.
2410.A3 – When releasing engagement results to parties outside the organization, the
communication should include limitations on distribution and use of the results.
2410.C1 – Communication of the progress and results of consulting engagements will
vary in form and content depending upon the nature of the engagement and the needs of
the client.
2420 – Quality of Communications
Communications should be accurate, objective, clear, concise, constructive, complete, and
timely.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 157
2421 – Errors and Omissions
If a final communication contains a significant error or omission, the chief audit executive
should communicate corrected information to all parties who received the original
communication.
2430 – Engagement Disclosure of Noncompliance with the Standards
When noncompliance with the Standards impacts a specific engagement, communication of
the results should disclose the:
• Standard(s) with which full compliance was not achieved,
• Reason(s) for noncompliance, and
• Impact of noncompliance on the engagement
2440 – Disseminating Results
The chief audit executive should communicate results to the appropriate parties.
2440.A1 – The chief audit executive is responsible for communicating the final results to
parties who can ensure that the results are given due consideration.
2440.A2 – If not otherwise mandated by legal, statutory, or regulatory requirements, prior
to releasing results to parties outside the organization, the chief executive should:
• Assess the potential risk to the organization.
• Consult with senior management and/or legal counsel as appropriate.
• Control dissemination by restricting the use of the results.
2440.C1 – The chief audit executive is responsible for communicating the final results of
consulting engagements to clients.
2440.C2 – During consulting engagements, risk management, control, and governance
issues may be identified. Whenever these issues are significant to the organization, they
should be communicated to senior management and the board.
2500 – Monitoring Progress
The chief audit executive should establish and maintain a system to monitor the disposition of
results communicated to management.
2500.A1 – The chief audit executive should establish a follow-up process to monitor and
ensure that management actions have been effectively implemented or that senior
management has accepted the risk of not taking action.
The Institute of Internal Auditors Research Foundation
158 A Global Summary of the Common Body of Knowledge 2006 ______________________
2500.C1 – The internal audit activity should monitor the disposition of results of consulting
engagements to the extent agreed upon with the client.
2600 – Resolution of Management’s Acceptance of Risks
When the chief audit executive believes that senior management has accepted a level of residual
risk that may be unacceptable to the organization, the chief audit executive should discuss the
matter with senior management. If the decision regarding residual risk is not resolved, the chief
audit executive and senior management should report the matter to the board for resolution.
Practice Advisories
Attribute Standards
PA 1000-1
Internal Audit Charter
PA 1000.C1-1
Principles Guiding the Performance of Consulting Activities of Internal Auditors
PA 1000.C1-2
Additional Considerations for Formal Consulting Engagements
PA 1100-1
Independence and Objectivity
PA 1110-1
Organizational Independence
PA 1110-2
Chief Audit Executive (CAE) Reporting Lines
PA 1110.A1-1
Disclosing Reasons for Information Requests
PA 1120-1
Individual Objectivity
PA 1130-1
Impairments to Independence or Objectivity
PA 1130.A1-1
Assessing Operations for Which Internal Auditors Were Previously Responsible
PA 1130.A1-2
Internal Auditing’s Responsibility for Other (Non-audit) Functions
PA 1200-1
Proficiency and Due Professional Care
PA 1210-1
Proficiency
PA 1210.A1-1
Obtaining Services to Support or Complement the Internal Audit Activity
PA 1210.A2-1
Identification of Fraud
PA 1210.A2-2
Responsibility for Fraud Detection
PA 1220-1
Due Professional Care
PA 1230-1
Continuing Professional Development
PA 1300-1
Quality Assurance and Improvement Program
PA 1310-1
Quality Program Assessments
PA 1311-1
Internal Assessments
PA 1312-1
External Assessments
PA 1312-2
External Assessments Self-assessment with Independent Validation
PA 1320-1
Reporting on the Quality Program
PA 1330-1
Use of “Conducted in Accordance with the Standards”
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 159
Performance Standards
PA 2000-1
Managing the Internal Audit Activity
PA 2010-1
Planning
PA 2010-2
Linking the Audit Plan to Risk and Exposures
PA 2020-1
Communication and Approval
PA 2030-1
Resource Management
PA 2040-1
Policies and Procedures
PA 2050-1
Coordination
PA 2050-2
Acquisition of External Audit Services
PA 2060-1
Reporting to Board and Senior Management
PA 2060-2
Relationship with the Audit Committee
PA 2100-1
Nature of Work
PA 2100-2
Information Security
PA 2100-3
Internal Auditing’s Role in the Risk Management Process
PA 2100-4
Internal Auditing’s Role in Organizations Without a Risk Management Process
PA 2100-5
Legal Considerations in Evaluating Regulatory Compliance Programs
PA 2100-6
Control and Audit Implications of E-commerce Activities
PA 2100-7
Internal Auditing’s Role in Identifying and Reporting Environmental Risks
PA 2100-8
Internal Auditing’s Role in Evaluating an Organization’s Privacy Framework
PA 2110-1
Assessing the Adequacy of Risk Management Processes
PA 2110-2
Internal Auditing’s Role in the Business Continuity Process
PA 2120.A1-1
Assessing and Reporting on Control Processes
PA 2120.A1-2
Using Control Self-assessment for Assessing the Adequacy of Control
Processes
PA 2120.A1-3
Internal Auditing’s Role in Quarterly Financial Reporting, Disclosures,
and Management Certifications
PA 2120.A1-4
Auditing the Financial Reporting Process
PA 2120.A4-1
Control Criteria
PA 2130-1
Role of the Internal Audit Activity and Internal Auditor in the Ethical Culture
of an Organization
PA 2200-1
Engagement Planning
PA 2210-1
Engagement Objectives
PA 2210.A1-1
Risk Assessment in Engagement Planning
PA 2230-1
Engagement Resource Allocation
PA 2240-1
Engagement Work Program
PA 2240.A1-1
Approval of Work Programs
The Institute of Internal Auditors Research Foundation
160 A Global Summary of the Common Body of Knowledge 2006 ______________________
PA 2300-1
PA 2310-1
PA 2320-1
PA 2330-1
PA 2330.A1-1
PA 2330.A1-2
PA 2330.A2-1
PA 2340-1
PA 2400-1
PA 2410-1
PA 2420-1
PA 2440-1
PA 2440-2
PA 2440-3
PA 2500-1
PA 2500.A1-1
PA 2600-1
Internal Auditing’s Use of Personal Information in Conducting Audits
Identifying Information
Analysis and Evaluation
Recording Information
Control of Engagement Records
Legal Considerations in Granting Access to Engagement Records
Retention of Records
Engagement Supervision
Legal Considerations in Communicating Results
Communication Criteria
Quality of Communications
Recipients of Engagement Results
Communications Outside the Organization
Communicating Sensitive Information Within and Outside the Chain
of Command
Monitoring Progress
Follow-up Process
Management’s Acceptance of Risks
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 161
GLOSSARY TO THE STANDARDS
Add Value
Value is provided by improving opportunities to achieve organizational objectives, identifying
operational improvement, and/or reducing risk exposure through both assurance and consulting
services.
Adequate Control
Present if management has planned and organized (designed) in a manner that provides reasonable
assurance that the organization’s risks have been managed effectively and that the organization’s
goals and objectives will be achieved efficiently and economically.
Assurance Services
An objective examination of evidence for the purpose of providing an independent assessment on
risk management, control, or governance processes for the organization. Examples may include
financial, performance, compliance, system security, and due diligence engagements.
Board
A board is an organization’s governing body, such as a board of directors, supervisory board, head
of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any
other designated body of the organization, including the audit committee, to whom the chief audit
executive may functionally report.
Charter
The charter of the internal audit activity is a formal written document that defines the activity’s
purpose, authority, and responsibility. The charter should (a) establish the internal audit activity’s
position within the organization; (b) authorize access to records, personnel, and physical properties
relevant to the performance of engagements; and (c) define the scope of internal audit activities.
Chief Audit Executive
Top position within the organization responsible for internal audit activities. Normally, this would be
the internal audit director. In the case where internal audit activities are obtained from outside
service providers, the chief audit executive is the person responsible for overseeing the service
contract and the overall quality assurance of these activities, reporting to senior management and
the board regarding internal audit activities, and follow-up of engagement results. The term also
includes such titles as general auditor, chief internal auditor, and inspector general.
The Institute of Internal Auditors Research Foundation
162 A Global Summary of the Common Body of Knowledge 2006 ______________________
Code of Ethics
The Code of Ethics of The Institute of Internal Auditors (IIA) are Principles relevant to the profession
and practice of internal auditing, and Rules of Conduct that describe behavior expected of internal
auditors. The Code of Ethics applies to both parties and entities that provide internal audit services.
The purpose of the Code of Ethics is to promote an ethical culture in the global profession of
internal auditing.
Compliance
Conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other
requirements.
Conflict of Interest
Any relationship that is or appears to be not in the best interest of the organization. A conflict of
interest would prejudice an individual’s ability to perform his or her duties and responsibilities
objectively.
Consulting Services
Advisory and related client service activities, the nature and scope of which are agreed with the
client and which are intended to add value and improve an organization’s governance, risk
management, and control processes without the internal auditor assuming management responsibility.
Examples include counsel, advice, facilitation, and training.
Control
Any action taken by management, the board, and other parties to manage risk and increase the
likelihood that established objectives and goals will be achieved. Management plans, organizes,
and directs the performance of sufficient actions to provide reasonable assurance that objectives
and goals will be achieved.
Control Environment
The attitude and actions of the board and management regarding the significance of control within
the organization. The control environment provides the discipline and structure for the achievement
of the primary objectives of the system of internal control. The control environment includes the
following elements:
• Integrity and ethical values.
• Management’s philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• Human resource policies and practices.
• Competence of personnel.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 163
Control Processes
The policies, procedures, and activities that are part of a control framework, designed to ensure
that risks are contained within the risk tolerances established by the risk management process.
Engagement
A specific internal audit assignment, task, or review activity, such as an internal audit, control selfassessment review, fraud examination, or consultancy. An engagement may include multiple tasks
or activities designed to accomplish a specific set of related objectives.
Engagement Objectives
Broad statements developed by internal auditors that define intended engagement accomplishments.
Engagement Work Program
A document that lists the procedures to be followed during an engagement, designed to achieve the
engagement plan.
External Service Provider
A person or firm, outside of the organization, who has special knowledge, skill, and experience in a
particular discipline.
Fraud
Any illegal acts characterized by deceit, concealment, or violation of trust. These acts are not
dependent upon the application of threat of violence or of physical force. Frauds are perpetrated
by parties and organizations to obtain money, property, or services; to avoid payment or loss of
services; or to secure personal or business advantage.
Governance
The combination of processes and structures implemented by the board in order to inform, direct,
manage, and monitor the activities of the organization toward the achievement of its objectives.
Impairments
Impairments to individual objectivity and organizational independence may include personal conflicts
of interest, scope limitations, restrictions on access to records, personnel, and properties, and
resource limitations (funding).
Independence
The freedom from conditions that threaten objectivity or the appearance of objectivity. Such
threats to objectivity must be managed at the individual auditor, engagement, functional, and
organizational levels.
The Institute of Internal Auditors Research Foundation
164 A Global Summary of the Common Body of Knowledge 2006 ______________________
Internal Audit Activity
A department, division, team of consultants, or other practitioner(s) that provides independent,
objective assurance and consulting services designed to add value and improve an organization’s
operations. The internal audit activity helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.
Objectivity
An unbiased mental attitude that allows internal auditors to perform engagements in such a manner
that they have an honest belief in their work product and that no significant quality compromises
are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters
to that of others.
Residual Risk
The risk remaining after management takes action to reduce the impact and likelihood of an adverse
event, including control activities in responding to a risk.
Risk
The possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.
Risk Management
A process to identify, assess, manage, and control potential events or situations to provide reasonable
assurance regarding the achievement of the organization’s objectives.
Should
The use of the word “should” in the Standards represents a mandatory obligation.
Standard
A professional pronouncement promulgated by the Internal Auditing Standards Board that delineates
the requirements for performing a broad range of internal audit activities, and for evaluating internal
audit performance.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 165
APPENDIX 4-B
Table 4-3-1-A
IAA is in Full Compliance with the Standards
All Respondents in Percentages
Standard
Number of
Respondents
Full
Compliance
Partial
Compliance
Not in
Compliance
Do Not
Know
1000 – Purpose, Authority,
and Responsibility
1100 – Independence and
Objectivity
1200 – Proficiency and Due
Professional Care
1300 – Quality Assurance
and Improvement Program
2000 – Managing the
Internal Audit Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the
Engagement
2400 – Communicating
Results
2500 – Monitoring Progress
2600 – Resolution of
Management’s Acceptance
of Risks
5,947
63.0
25.0
2.2
9.8
5,953
66.9
22.2
2.7
8.2
5,923
62.9
26.1
2.0
9.0
5,896
40.0
35.7
12.1
12.2
5,900
57.6
28.9
3.3
10.2
5,844
5,886
5,881
57.5
57.7
59.7
28.7
29.0
28.2
2.3
2.9
1.9
11.5
10.4
10.2
5,896
64.1
24.6
2.0
9.3
5,873
5,873
52.6
46.9
32.1
30.7
4.4
7.4
10.9
15.0
The Institute of Internal Auditors Research Foundation
166 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-3-2-A
IAA is in Full Compliance with the Standards
CAE Respondents in Percentages
Standard
Number of
Respondents
Full
Compliance
Partial
Compliance
Not in
Compliance
Do Not
Know
1000 – Purpose, Authority,
and Responsibility
1100 – Independence and
Objectivity
1200 – Proficiency and Due
Professional Care
1300 – Quality Assurance
and Improvement Program
2000 – Managing the
Internal Audit Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the
Engagement
2400 – Communicating
Results
2500 – Monitoring Progress
2600 – Resolution of
Management’s Acceptance
of Risks
1,765
68.1
26.7
2.0
3.2
1,772
73.6
22.0
2.1
2.3
1,760
67.0
28.3
1.5
3.2
1,746
33.2
45.0
16.1
5.7
1,754
61.8
32.0
2.7
3.5
1,730
1,749
1,743
59.3
60.4
62.1
32.8
32.5
31.8
2.6
2.7
1.9
5.3
4.4
4.2
1,738
68.6
26.2
2.1
3.1
1,730
1,742
56.1
49.0
35.5
35.0
4.1
8.0
4.3
8.0
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 167
Table 4-3-3-A
IAA is in Full Compliance with the Standards
Practitioner Respondents in Percentages
Standard
Number of
Respondents
Full
Compliance
Partial
Compliance
Not in
Compliance
Do Not
Know
1000 – Purpose, Authority,
and Responsibility
1100 – Independence and
Objectivity
1200 – Proficiency and
Due Professional Care
1300 – Quality Assurance
and Improvement Program
2000 – Managing the
Internal Audit Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the
Engagement
2400 – Communicating
Results
2500 – Monitoring Progress
2600 – Resolution of
Management’s Acceptance
of Risks
4,169
60.8
24.2
2.3
12.7
4,167
64.1
22.2
2.9
10.8
4,149
61.1
25.1
2.1
11.7
4,136
43.0
31.7
10.4
14.9
4,132
55.8
27.5
3.6
13.1
4,101
4,123
4,124
56.8
56.7
58.7
26.9
27.5
26.7
2.2
2.9
1.9
14.1
13.0
12.7
4,144
62.3
23.8
2.0
11.9
4,130
4,117
51.3
46.1
30.6
28.8
4.5
7.0
13.6
18.1
The Institute of Internal Auditors Research Foundation
168 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-3-4-A
IAA is in Full Compliance with the Standards by Groups*
All Respondents in Percentages
Standard
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
1000
1100
1200
1300
2000
2100
2200
2300
2400
2500
2600
68.9
70.6
69.1
47.2
63.8
64.7
63.3
67.3
69.7
60.1
57.9
61.8
66.2
69.2
37.7
60.1
61.3
59.1
60.4
66.2
57.1
48.1
62.7
65.4
63.3
40.2
57.4
55.4
58.9
61.5
67.9
51.7
50.0
51.0
54.3
46.5
25.9
47.0
44.3
33.3
35.0
41.3
31.2
29.1
58.1
61.8
52.9
35.5
52.5
46.6
54.6
51.0
56.9
48.2
33.6
60.9
71.1
60.5
34.3
56.4
50.0
52.2
55.6
63.5
53.8
41.3
58.7
66.9
64.9
38.7
55.9
57.2
57.6
57.8
61.6
47.6
37.7
61.7
66.7
59.9
35.2
52.5
56.7
58.3
60.5
63.9
47.7
37.3
62.8
66.2
60.5
32.0
50.7
51.3
56.6
55.8
60.5
50.6
35.5
63.6
70.0
56.9
30.0
56.0
49.5
50.0
47.7
56.0
39.8
36.4
62.4
73.2
61.3
29.5
57.3
57.6
56.6
52.4
64.4
53.1
46.6
55.9
63.6
55.9
21.2
48.4
44.8
56.3
40.6
68.8
50.0
40.6
48.3
54.0
50.6
33.3
43.8
45.2
46.5
46.7
51.3
40.2
33.4
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Table 4-3-5-A
IAA Partially Complies with the Standards by Groups*
All Respondents in Percentages
Standard
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
1000
1100
1200
1300
2000
2100
2200
2300
2400
2500
2600
14.2
13.9
15.0
25.8
19.0
17.0
18.7
16.1
14.5
21.3
19.8
23.7
21.4
20.5
40.9
29.4
26.0
27.9
29.2
23.4
29.9
33.1
27.8
25.3
28.2
38.3
29.8
32.4
30.5
29.8
23.6
35.8
32.1
43.7
38.8
46.5
53.8
43.7
45.5
57.3
55.7
51.0
51.8
48.6
34.8
31.8
39.7
43.7
35.2
42.8
35.3
39.6
33.2
39.2
42.0
33.2
24.3
33.0
43.7
35.4
38.6
37.9
35.0
30.9
35.5
37.7
34.9
28.1
29.8
43.1
37.6
36.1
37.0
37.8
32.6
43.1
43.9
29.9
27.2
34.4
38.1
38.7
35.8
34.3
33.1
30.1
40.6
37.6
26.9
16.9
28.9
38.7
34.7
36.8
31.6
33.8
31.6
33.8
34.2
27.3
23.6
33.9
46.4
28.4
36.7
38.9
41.3
36.7
48.1
37.3
31.5
22.8
32.0
53.7
34.0
32.6
33.6
39.9
27.4
36.7
36.5
38.2
33.3
41.2
51.5
48.4
48.3
40.6
53.1
28.1
43.8
37.5
38.3
32.8
37.3
43.7
39.7
39.3
38.3
38.5
35.3
40.7
38.5
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 169
Table 4-3-6-A
IAA is Not in Compliance with the Standards by Groups*
All Respondents in Percentages
Standard
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
1000
1100
1200
1300
2000
2100
2200
2300
2400
2500
2600
1.1
1.6
1.1
9.1
1.5
1.2
1.9
1.2
1.2
2.4
3.1
3.9
3.2
1.3
9.1
1.3
1.3
1.9
0.6
0.6
0.6
4.5
2.1
3.7
1.9
12.9
5.4
3.1
3.4
1.7
1.7
5.2
7.4
1.6
4.1
3.7
14.2
4.0
3.3
3.7
2.8
3.6
8.1
9.7
2.6
3.1
3.1
12.6
5.8
2.9
4.3
3.6
5.1
6.3
13.3
2.0
1.6
1.6
15.3
3.9
3.4
3.3
2.0
1.0
4.0
8.0
3.4
3.6
3.7
14.3
4.2
3.9
3.4
1.7
3.6
6.8
13.2
4.0
3.1
2.1
18.2
4.4
2.4
3.8
2.3
2.4
6.4
10.9
5.1
11.7
5.3
16.0
8.0
6.6
5.3
3.9
2.6
7.8
21.1
1.8
0.0
3.7
14.5
4.6
4.6
2.8
2.8
0.9
5.6
10.0
0.7
0.0
1.3
12.1
3.3
2.1
3.5
1.4
2.7
4.1
8.8
5.9
3.0
2.9
24.2
3.2
3.4
0.0
6.3
0.0
6.3
18.8
3.8
5.5
2.9
11.9
5.4
3.9
3.6
3.9
2.7
7.3
10.2
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
170 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-6-1-A
Standards Guidance is Adequate
CAE Respondents in Percentages
Standard
1000 – Purpose, Authority, and
Responsibility
1100 – Independence and Objectivity
1200 – Proficiency and Due Professional
Care
1300 – Quality Assurance and
Improvement Program
2000 – Managing the Internal Audit
Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the Engagement
2400 – Communicating Results
2500 – Monitoring Progress
2600 – Resolution of Management’s
Acceptance of Risks
Overall Average
Number of
Respondents
Yes
No
Do Not
Use
Do Not
Know
1,791
93.3
1.1
2.7
2.9
1,775
1,767
94.1
92.9
2.1
1.7
1.5
2.5
2.3
2.9
1,761
81.5
6.1
8.7
3.7
1,755
90.0
3.6
3.3
3.1
1,738
1,752
1,744
1,751
1,732
1,729
88.0
89.4
89.3
91.3
88.4
81.3
3.7
3.3
3.9
3.2
4.0
6.5
3.9
4.2
3.7
2.9
4.1
6.9
4.4
3.1
3.1
2.6
3.5
5.3
89.0
3.6
4.0
3.4
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 171
Table 4-6-2-A
Standards Guidance is Adequate
Practitioner Responses in Percentages
Standard
1000 – Purpose, Authority, and
Responsibility
1100 – Independence and Objectivity
1200 – Proficiency and Due Professional
Care
1300 – Quality Assurance and
Improvement Program
2000 – Managing the Internal Audit
Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the Engagement
2400 – Communicating Results
2500 – Monitoring Progress
2600 – Resolution of Management’s
Acceptance of Risks
Overall Average
Number of
Respondents
Yes
No
Do Not
Use
Do Not
Know
4,266
83.2
1.3
2.7
12.8
4,240
4,227
85.6
84.5
1.6
1.7
1.7
2.2
11.1
11.6
4,207
75.6
4.7
5.3
14.4
4,215
81.0
2.9
3.3
12.8
4,178
4,198
4,187
4,190
4,171
4,179
79.8
81.2
81.5
82.6
79.1
73.8
2.9
3.3
3.5
3.1
4.1
5.2
3.3
2.8
2.7
2.4
3.9
4.7
14.0
12.7
12.3
11.9
12.9
16.3
80.7
3.1
3.2
13.0
The Institute of Internal Auditors Research Foundation
172 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-6-3-A
Standards Guidance is Adequate by Groups*
All Respondents in Percentages
Standard
1
2
3
4
5
6
7
8
9
10
1000
1100
1200
1300
2000
2100
2200
2300
2400
2500
2600
81.9
83.7
82.6
75.6
80.8
78.9
80.1
81.0
81.5
79.1
75.7
83.8
84.1
87.3
78.3
82.9
82.2
81.0
82.1
83.3
82.1
74.4
88.1
89.5
88.3
79.1
83.7
81.1
84.8
83.7
86.9
83.4
79.3
90.7
91.5
92.7
79.3
86.1
84.3
82.7
82.7
86.8
79.7
75.2
91.6
93.6
89.9
77.7
85.7
82.4
88.2
87.1
88.6
85.6
72.6
90.5
92.7
91.1
77.7
89.4
84.0
84.1
86.6
88.6
85.4
74.8
90.8
94.3
93.1
86.9
90.4
89.4
92.2
91.2
92.0
88.1
83.6
92.7
93.9
93.2
77.3
89.4
90.5
91.3
91.7
91.7
87.6
77.3
93.2
93.2
91.5
72.5
80.3
81.7
76.8
76.8
78.3
74.3
64.8
91.5
91.6
89.5
77.6
85.7
82.9
86.7
84.6
88.5
79.8
76.9
11
12
88.0 100.0
91.1 100.0
88.4 97.1
81.2 91.4
83.2 97.1
85.0 96.9
87.5 91.2
86.8 85.3
88.8 97.1
86.2 91.2
78.4 90.9
N/C**
81.5
85.2
83.8
72.9
78.1
78.9
78.8
78.2
80.3
75.9
69.8
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Table 4-6-4-A
Standards Guidance is Adequate by Groups*
CAE Respondents in Percentages
Standard
1
2
3
4
5
6
7
8
1000
1100
1200
1300
2000
2100
2200
2300
2400
2500
2600
92.2
92.4
91.9
82.5
90.6
88.2
89.0
89.6
90.6
89.1
84.7
92.9
91.2
98.6
83.8
92.6
92.6
87.0
89.7
91.2
89.6
79.1
96.8
96.7
95.2
86.9
91.8
86.9
87.4
88.2
90.9
86.9
83.6
96.1
96.1
97.4
87.0
90.8
90.5
89.3
89.3
92.1
86.5
81.1
92.4
96.5
91.1
75.7
88.2
80.6
90.3
88.8
93.1
91.5
69.0
94.9
96.6
94.9
76.7
92.2
84.8
84.3
87.7
93.9
89.6
80.7
91.9
96.0
92.8
89.5
88.5
91.6
92.6
89.7
92.7
89.5
84.4
95.5
95.9
92.7
74.9
91.6
91.0
93.0
92.5
93.0
90.0
80.9
9
10
11
12
N/C**
93.5 100.0
93.5 100.0
93.3 97.1
75.9 82.9
82.8 91.4
82.1 94.3
89.3 94.3
79.3 94.3
82.8 97.1
80.0 82.4
66.7 85.7
93.3
95.0
89.8
86.7
86.7
89.7
91.4
91.1
91.2
89.3
78.9
100.0
100.0
100.0
100.0
100.0
100.0
100.0
87.5
100.0
87.5
100.0
87.8
88.5
89.4
78.9
81.9
83.9
85.4
82.8
85.1
79.8
74.5
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 173
Table 4-6-5-A
Standards Guidance is Adequate by Groups*
Practitioner Respondents in Percentages
Standard
1
2
3
4
5
6
7
8
9
10
1000
1100
1200
1300
2000
2100
2200
2300
2400
2500
2600
77.9
80.4
79.1
73.0
77.0
75.3
76.6
77.7
78.0
75.2
72.3
76.7
78.7
78.7
74.2
75.6
74.2
76.4
76.1
77.3
76.4
70.8
85.5
87.3
86.1
76.9
81.3
79.3
84.0
82.3
85.7
82.3
78.0
88.6
89.8
90.4
76.5
84.3
81.8
80.6
79.4
84.1
77.4
72.7
91.0
91.8
89.1
78.6
84.1
83.2
86.9
85.9
86.0
82.1
74.2
87.9
90.4
88.8
78.1
87.8
83.5
83.9
85.8
85.4
82.8
71.2
90.3
93.7
93.2
86.0
91.0
88.6
92.0
91.7
91.7
87.6
83.3
91.3
93.0
93.5
78.5
88.2
90.3
90.5
91.4
91.1
86.4
75.5
93.0
92.9
90.2
70.0
78.6
81.4
68.3
75.0
75.0
70.0
63.4
87.3
87.5
85.9
75.0
82.9
77.1
82.9
79.7
84.1
78.6
72.5
11
12
84.7 100.0
88.7 100.0
87.5 96.3
77.7 88.9
81.1 96.2
82.1 95.8
85.1 88.5
84.2 84.6
87.4 96.2
84.4 92.3
78.1 88.0
N/C**
79.5
84.0
82.0
71.2
76.9
77.3
76.7
77.0
78.8
74.9
68.5
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Table 4-6-6-A
Standards Guidance is Not Adequate by Groups*
All Respondents in Percentages
Standard
1
2
3
4
5
6
7
8
9
10
11
1000
1100
1200
1300
2000
2100
2200
2300
2400
2500
2600
0.8
1.3
1.5
3.8
2.1
2.4
2.4
2.2
2.4
3.1
4.1
1.3
5.1
1.9
4.5
5.1
2.5
4.4
5.1
3.8
3.2
7.1
1.3
2.2
2.4
7.9
4.0
5.7
3.8
5.3
3.4
5.1
6.1
2.0
2.4
1.2
7.7
4.9
4.1
5.3
5.3
3.7
5.8
6.2
1.0
1.0
2.5
5.7
3.2
3.7
2.9
5.5
4.0
3.8
8.5
1.3
1.6
1.0
6.5
2.2
3.9
4.2
3.0
3.2
3.2
5.9
1.9
1.9
1.7
1.9
2.5
3.3
2.5
2.8
3.6
3.6
5.3
1.0
1.5
0.4
5.1
2.5
1.4
2.1
2.1
2.4
3.0
5.0
0.0
0.0
1.4
2.9
9.9
7.0
14.5
13.0
11.6
14.3
9.9
0.0
0.9
2.9
9.3
4.8
5.7
5.7
7.7
3.8
10.6
7.7
2.5
2.5
2.6
7.8
7.7
4.6
4.6
5.3
3.3
5.3
9.2
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
12
0.0
0.0
2.9
2.9
0.0
0.0
2.9
8.8
0.0
5.9
3.0
N/C**
3.2
3.5
3.2
8.2
4.7
4.3
5.6
6.6
4.7
7.3
8.7
174 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-7-1-A
IAA Does Not Use Practice Advisories by Groups*
All Respondents in Percentages
Standard
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
1000
1100
1200
1300
2000
2100
2200
2300
2400
2500
2600
15.2
14.6
15.2
17.5
15.6
16.4
15.7
15.4
15.4
16.4
18.2
11.5
12.3
13.8
18.0
15.3
17.0
19.0
17.5
15.6
16.1
24.5
10.6
11.0
11.0
12.6
12.1
11.6
12.4
11.6
11.1
13.3
14.4
8.7
7.3
7.7
15.9
7.2
9.6
10.0
10.1
7.9
9.4
20.2
7.3
7.0
8.1
16.8
10.0
11.8
8.4
7.9
9.7
11.1
21.2
17.1
16.0
18.6
20.6
18.9
22.2
20.8
18.7
16.7
18.3
27.1
10.0
7.1
7.9
16.0
10.5
8.6
8.1
8.7
9.1
12.8
15.9
7.6
6.7
7.5
20.1
9.3
9.3
7.1
7.1
7.4
11.0
20.3
12.5
14.3
13.1
27.0
14.5
11.1
12.9
11.1
12.9
12.7
28.3
12.2
10.2
11.1
16.9
10.2
11.4
12.4
11.4
11.4
13.8
18.2
7.3
7.3
7.5
15.8
8.9
9.0
7.4
6.6
7.4
8.3
11.1
3.4
3.4
6.9
13.8
3.4
3.4
3.4
6.9
3.4
3.4
13.8
13.3
11.6
11.6
16.9
14.2
16.4
15.8
15.6
14.5
16.6
19.9
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 175
Table 4-8-1-A
Practice Advisory Guidance is Adequate
All Respondents in Percentages
Practice Advisory
1000 – Purpose, Authority, and Responsibility
1100 – Independence and Objectivity
1200 – Proficiency and Due Professional Care
1300 – Quality Assurance and Improvement
Program
2000 – Managing the Internal Audit Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the Engagement
2400 – Communicating Results
2500 – Monitoring Progress
2600 – Resolution of Management’s Acceptance
of Risks
Overall Average
Number of
Respondents
Yes
No
Do Not
Use
4,801
4,792
4,779
4,759
86.0
86.3
85.4
77.2
1.7
2.2
2.4
5.5
12.3
11.5
12.2
17.3
4,755
4,735
4,748
4,739
4,747
4,731
4,733
83.4
82.3
83.2
83.5
84.0
81.1
75.4
3.4
3.8
3.7
3.7
3.4
4.5
5.8
13.1
13.9
13.1
12.8
12.6
14.4
18.8
82.5
3.7
13.8
The Institute of Internal Auditors Research Foundation
176 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-8-2-A
Practice Advisory Guidance is Adequate
CAE Respondents in Percentages
Practice Advisory
1000 – Purpose, Authority, and Responsibility
1100 – Independence and Objectivity
1200 – Proficiency and Due Professional Care
1300 – Quality Assurance and Improvement
Program
2000 – Managing the Internal Audit Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the Engagement
2400 – Communicating Results
2500 – Monitoring Progress
2600 – Resolution of Management’s Acceptance
of Risks
Overall Average
Number of
Respondents
Yes
No
Do Not
Use
1,455
1,442
1,433
1,427
86.7
86.7
86.2
76.2
2.1
2.6
2.4
6.5
11.2
10.7
11.4
17.3
1,427
1,420
1,425
1,422
1,422
1,417
1,416
83.5
81.8
83.5
83.9
84.4
82.6
75.2
4.2
4.6
3.9
3.9
4.2
4.9
6.2
12.3
13.6
12.6
12.2
11.4
12.5
18.6
82.7
4.2
13.1
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 177
Table 4-8-3-A
Practice Advisory Guidance is Adequate
Practitioner Respondents in Percentages
Practice Advisory
1000 – Purpose, Authority, and Responsibility
1100 – Independence and Objectivity
1200 – Proficiency and Due Professional Care
1300 – Quality Assurance and Improvement
Program
2000 – Managing the Internal Audit Activity
2100 – Nature of Work
2200 – Engagement Planning
2300 – Performing the Engagement
2400 – Communicating Results
2500 – Monitoring Progress
2600 – Resolution of Management’s Acceptance
of Risks
Overall Average
Number of
Respondents
Yes
No
Do Not
Use
3,356
3,350
3,346
3,332
85.7
86.2
85.1
77.7
1.6
2.0
2.4
4.9
12.7
11.8
12.5
17.4
3,328
3,315
3,323
3,317
3,323
3,314
3,317
83.4
82.5
83.1
83.3
83.8
80.5
75.4
3.0
3.4
3.5
3.6
3.0
4.4
5.6
13.6
14.1
13.4
13.1
13.2
15.1
19.0
82.4
3.4
14.2
The Institute of Internal Auditors Research Foundation
178 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-8-4-A
Practice Advisory Guidance is Adequate by Groups*
All Respondents in Percentages
Standard
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
1000
1100
1200
1300
2000
2100
2200
2300
2400
2500
2600
83.6
84.0
83.0
78.4
82.4
81.3
81.9
82.2
82.6
80.8
78.4
84.9
81.2
84.1
74.8
78.8
78.5
75.9
79.6
80.7
77.4
66.9
87.3
86.4
85.7
81.0
84.6
84.1
82.6
84.4
86.1
81.7
78.5
87.4
89.4
89.6
74.2
87.8
84.8
80.6
81.0
85.9
83.9
68.5
91.7
90.4
89.3
77.6
85.8
82.7
87.7
84.9
84.7
81.1
68.2
81.3
81.0
79.7
73.9
76.8
73.5
73.3
77.4
80.8
77.4
66.9
88.9
92.1
90.4
81.5
87.7
87.1
90.2
88.7
87.7
82.0
79.5
90.5
91.2
91.0
74.4
87.1
88.1
90.3
90.1
89.2
84.8
75.7
87.5
85.7
83.6
66.7
82.3
81.0
79.0
81.0
79.0
79.4
60.0
86.7
87.5
84.4
70.8
83.0
77.3
82.0
83.0
79.5
81.6
76.1
89.1
89.8
87.3
75.2
80.0
82.1
83.8
85.3
85.2
85.7
75.6
96.6
96.6
93.1
86.2
96.6
93.1
96.6
93.1
96.6
93.1
86.2
83.2
84.1
83.4
74.3
79.7
78.3
79.5
79.1
79.6
75.2
70.7
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 179
Table 4-15-1-A
When IAA was Last Subject to a Formal Internal Quality Assessment in
Accordance with Standard 1311 by Groups*
All Respondents in Percentages
Timing
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
To be
completed
prior to
January 1,
2007
Within the
last 12
months
1-3 years
ago
4-5 years
ago
More than
5 years ago
Never
Not done in
accordance
with
Standard
1311
Do not
know
Total
percentage
Total
respondents
9.2
7.4
11.4
6.1
7.8
3.5
6.5
7.2
4.0
14.9
7.6
14.3
6.1
25.5
21.6
30.2
16.4
22.2
25.1
24.8
21.1
18.2
20.3 23.0
16.7
16.5
8.5
8.9
10.9
4.7
5.0
6.7
8.2
5.5
7.1
7.0
5.6
4.8
5.2
1.4
4.2
2.3
1.3
0.8
0.9
0.9
0.7
2.0
2.6
0.0
0.0
0.8
1.4
4.2
1.0
3.0
0.6
0.8
0.5
0.7
1.0
0.0
0.0
0.0
1.3
28.5
3.7
27.9
5.3
22.9
5.9
52.8
2.7
47.0
8.4
41.2
11.6
39.5
9.8
43.3
16.9
53.5
6.1
33.3 36.2
7.0 9.2
45.2
11.9
44.3
8.4
21.8
20.5
15.4
13.0
8.2
10.2
9.8
4.6
8.1
14.9 18.4
7.1
17.4
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
100.0
2,967
190
599
299
500
371
440
830
99
114
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
196
42
619
180 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 4-21-1-A
Activities Performed by IAAs as Part of a Quality
Assessment and Improvement Program by Groups*
All Respondents in Percentages
Activity
Engagement
supervision
Checklists/
manuals to
provide
assurance
that proper
audit
processes
are followed
Feedback
from audit
customers at
the end of an
audit
Internal audit
professionals
are in
compliance
with The IIA’s
Code of
Ethics
Reviews by
other
members of
the IAA
1
2
3
4
5
46.0
43.7
53.7
32.1 37.8
44.8
48.5
51.6
41.6
55.3
34.6
33.9
6
7
8
9
52.4 63.9
44.7
38.4 38.5
52.1 48.8
53.4
42.9 40.4
33.0
36.9
38.8
45.4
10
11
12
N/C**
38.8
38.5 47.1
53.2
27.1
33.3
34.5
38.5 52.4
57.4
23.2
43.3 40.0
31.1
32.8
40.0 44.0
36.2
24.0
36.0 36.8
31.2 34.7
30.1
31.0
34.8 28.9
36.2
18.1
26.2 21.3
31.9 35.1
24.4
27.6
33.3 36.4
31.9
17.7
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 4: The Professional Practices Framework 181
Table 4-21-1-A (Cont.)
Activities Performed by IAAs as Part of a Quality
Assessment and Improvement Program by Groups*
All Respondents in Percentages
Activity
1
2
3
4
5
Verification
that the IAA
is in
compliance
with the
Standards
Review by
external
party
Compliance
with non-IIA
standards
or codes
Not
applicable
I do not
know
Total
number of
respondents
33.3
31.6
38.6
26.8 31.4
22.6
31.1
32.7
19.8
27.7
13.3
6
7
8
9
29.3 30.8
25.5
13.4 18.8
28.1 21.0
23.6
21.4 19.9
12.1
7.9
7.7 12.9
14.2
7.8
9.5
7.4
3,332
206
661
336
10
11
12
N/C**
24.1
37.0 29.3
31.9
14.0
12.6
14.7
19.3 22.2
34.0
11.3
19.0 28.0
15.7
15.5
14.8 14.7
23.4
13.2
11.7
9.8
18.1
20.7
8.1 12.9
23.4
9.2
4.9
4.0
2.9
9.2
4.3
10.4
5.8
0.0
7.7
574
420
490
945
116
135
225
47
1,057
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
182 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS
Chapter 5
Chapter 5: Current Status of the Internal Audit Activity ................................................... 183
Introduction......................................................................................................................... 183
The IAA’s Relationship within the Organization ............................................................... 184
Relationship with the Audit Committee.............................................................................. 191
External Relationships - Legislation Affecting Internal Auditing ...................................... 192
Organizations’ and CAEs’ Perceptions About the IAA...................................................... 194
Methods Used to Measure the Value Added by the IAA.................................................... 197
Internal Audit Activity........................................................................................................ 200
Managing the Internal Audit Activity................................................................................. 202
Creating the Audit Plan....................................................................................................... 204
Allocation of IAAs’ Time................................................................................................... 207
Performing the Engagement - The Use of Tools ................................................................ 214
Current Usage of Audit Tools and Techniques................................................................... 216
Predictive Changes in the Use of Audit Tools and Techniques
Over the Next Three Years........................................................................................... 227
Resolution of Major Differences ........................................................................................ 233
Reporting of Findings ......................................................................................................... 235
Monitoring Corrective Action............................................................................................. 237
Summary ............................................................................................................................. 239
Appendix 5.......................................................................................................................... 240
Disclosure
Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland
Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of
America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior
written permission of the publisher.
The IIARF publishes this document for informational and educational purposes. This document is intended
to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide
such advice and makes no warranty as to any legal or accounting results through its publication of this
document. When legal or accounting issues arise, professional assistance should be sought and retained.
The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full
range of existing and developing practice guidance for the profession. The IPPF provides guidance to
internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA
Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting
research and knowledge resources to enhance the development and effectiveness of the internal auditing
profession.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 183
CHAPTER 5
CURRENT STATUS OF THE
INTERNAL AUDIT ACTIVITY
Introduction
This chapter summarizes the respondents’ perceptions about their internal audit activities’ (IAAs’)
relationships within the organization and how the IAA performs the steps in the audit process. The
chapter follows the outline of the audit process. The topics covered start with respondents’ IAAs
reporting relationships within their organizations, their relationships with their audit (oversight)
committees, and how IAAs measure the value they add to their organizations. This chapter then
addresses the IAA’s processes to perform an audit, including the management of the IAA; planning
and scope of work; the range of internal audit tasks; types of audits that are performed; and
allocation of audit time. The next section of this chapter reviews the tools that are currently used or
plan to be used by internal auditors to prepare audit plans and perform engagements. The final
section covers how respondents report audit findings and how issues are addressed and resolved.
The number of respondents answering a specific question will often differ from the 9,366 total
respondents in this study. This is due to the following reasons:
•
•
Not all of those that participated in the survey answered all the questions asked. Results
are shown and discussed only for those respondents who answered a particular survey
question.
Not all questions were asked of all respondents.
o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).
o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).
o Some questions were asked of both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA.
These more detailed summaries of results may be provided for the five categories of respondents:
CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in the
Other category consist primarily of other professional staff whose position is not captured by the
The Institute of Internal Auditors Research Foundation
184 A Global Summary of the Common Body of Knowledge 2006 ______________________
traditional job titles included in the survey. A review of their credentials indicates they may be
members of the IAA, employed by service providers, or in organizations where their titles are less
traditional but with duties within internal auditing.
When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.
For a list of groups, please refer to Appendix 1-B of this report. Some tables have additional
details. For example, Table 5-17 is the total of all respondents for that question with a related Table
5-17-2 showing the responses by group. Additional related tables may be located in Appendix 5 at
the end of this chapter. A table that is in the Appendix can be clearly identified by an “A” at the end
of its number. For example, Table 5-3-1-A is located in Appendix 5.
The IAA’s Relationships within the Organization
Reporting Relationships
For the IAA to remain independent, the CAE’s reporting status is very important. The IIA
recommends a dual reporting relationship where the CAE reports to the audit committee of the
board as well as to a senior management executive. Such matrix reporting allows the IAA to build
organizational independence while also serving management. Survey questions asked about reporting
relationships for the CAE.
The results of the survey indicate that the reporting status of CAEs was generally in accordance
with the International Standards for the Professional Practice of Internal Auditing (Standards)
Attribute Standard 1110, Organizational Independence. This standard requires the IAA to be
independent and internal auditors to be objective in performing their work. Practice Advisory 11102, Chief Audit Executive (CAE) Reporting Lines states “the CAE should report functionally to the
audit committee or its equivalent” and administratively to the chief executive officer of the
organization. The largest percentage of responding CAEs indicate that they report to the audit
committee.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 185
As detailed in Figure 5-1, 47.3% of CAEs report to the audit committee level and another 43.4%
report to the executive level of management. Only 5.1% report to a staff manager position.
Figure 5-1
CAE’s Reporting Status
CAE Respondents (2,367) in Percentages
Other
4.2%
Independent position
reporting to the
audit committee
of the board/
oversight board
47.3%
Staff position
reporting to a
staff manager
5.1%
Officer position
reporting to
executive
management/
high-level
government
official
20.6%
Manager position
reporting to
executive management/
high-level government
official
22.8%
The Institute of Internal Auditors Research Foundation
186 A Global Summary of the Common Body of Knowledge 2006 ______________________
To gain a better understanding of the factors that could influence the reporting level of the CAE,
Table 5-1 looks at reporting status by type of organization. The IIA believes that the CAE should
functionally report to the audit committee. It is apparent that this occurs in the majority of cases in
publicly listed and not-for-profit organizations. This is not the case in the public sector where there
is a tendency to report to either a line manager or a high government official. This could reflect
differences in the organizational configuration of public sector operations where the audit committee
structure is often absent.
Table 5-1
CAE’s Reporting Status by Type of Organization
CAE Respondents in Percentages
Type of
Organization
Not-forProfit
Organization
Publicly
Traded
(Listed)
Company
Privately
Held
(Non-listed)
Company
Other
Service
Provider/
Consultant
Public
Sector/
Government
Number of
Respondents
Independent
Position
Reporting to
the Audit
Committee of
the Board/
Oversight
Board
Officer
Managerial Staff Position Other Total
Position
Position
Reporting to a
Reporting to Reporting to Staff Manager
the Executive
Executive
Management/ Management/
High-level
High-level
Government Government
Official
Official
171
56.1
13.5
21.1
6.4
2.9
100.0
820
55.3
17.4
19.9
5.1
2.3
100.0
587
47.5
22.0
22.5
5.5
2.5
100.0
56
205
41.1
38.0
21.4
22.9
23.2
17.7
3.6
2.9
10.7
18.5
100.0
100.0
521
36.1
25.6
29.8
5.2
3.3
100.0
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 187
The high level of reporting status and the importance of the CAE’s relationship with the board is
reinforced by those involved in the CAE’s appointment and performance review. The responses
listed in Figure 5-2 indicate that 51.2% of the CAE respondents were appointed by the audit
committee, and the chairperson of the board was involved in nearly one-third of the CAE respondents’
appointments.
Figure 5-2
Position that Appoints CAE
CAE Respondents (2,359) in Percentages
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
There is evidence of involvement of the CEO in 54.4% of CAE respondents’ appointments. The
CFO had a role in the CAE respondent’s appointment 27.8% of the time. This level of involvement
by the board, the audit committee, and senior management in the appointment of the CAE reinforces
the overall high level of CAE reporting status and the importance of the CAE to the organization.
The Institute of Internal Auditors Research Foundation
188 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-2 shows, by group, information about the position that appoints the CAE (see Appendix 1B for a list of the groups). There are noticeable differences between the group results for CAEs
that are appointed by the audit committee chairperson in groups 1, 2, 3, 11, and 12 (61.6% to 68%)
and in groups 4 to 10 (26% to 38%).
Table 5-2
Position that Appoints CAE by Group*
CAE Respondents in Percentages
Position
1
Audit Committee/
Oversight Committee/
Committee Chairperson
Chief Executive Officer
Chairperson of the
Board
Chief Financial Officer
Another person
reporting to CFO
Other
2
3
4
5
6
7
8
9
10
11
12
N/C**
68.0 61.6 67.1 38.0 26.0 26.0 29.8 36.7 37.0 31.9 65.4 66.7
41.6
55.6 67.4 58.6 37.0 55.0 56.0 50.4 58.4 37.0 59.6 49.4 55.6
18.3 10.5 13.8 68.0 44.0 49.0 44.3 52.8 43.5 40.4 33.3 33.3
47.0
38.9
41.8 32.6 46.7
6.8 4.7 5.3
8.5 14.8 11.1
2.1 0.0 0.0
20.1
0.7
6.4
13.4
7.0 10.0 26.0 6.1 15.4 10.9
3.0 0.0 3.0 0.8 1.3 2.2
13.4 23.3 15.8 14.0 21.0 10.0 17.6
8.2
6.5
4.9
0.0
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: The respondents were asked to mark all that apply so the total of percentages may be more than 100.
Tied to the discussion of the reporting level of CAEs within an organization is who undertakes the
performance review of the CAE. Despite the recommended dual reporting structure, evaluation is
primarily a management responsibility (Practice Advisory 1110-2). Board members and/or audit
committee members usually do not have sole responsibility for such functions for the CAE, although
their input in the evaluation process is valuable.
Figure 5-3 summarizes the CAEs’ responses indicating the level within an organization that performs
their evaluation. The audit committee’s involvement is most prevalent in the CAEs’ evaluation
(48.7%) with an almost equal input by the CEO (44.9%) and significant input by senior management
(31.2%). The chairperson of the board is involved with 16.4% of the CAEs’ evaluations while the
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 189
entire board is involved 16.1% of the time. As CAE respondents could indicate all those who
participated in their evaluation and the percentages in Figure 5-3 add up to well over 100.0%, it
appears that input from several high-level officials of an organization are combined to evaluate the
performance of the CAE.
Figure 5-3
Evaluation of CAEs’ Performance
CAE Respondents (2,359) in Percentages
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
190 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-3 shows group differences indicating who evaluates the CAE. Further analysis by type of
organization is provided in Table 5-3-1-A in Appendix 5. This table indicates that the audit committee
is most involved in publicly traded and not-for-profit organizations. The chief executive officer
takes the lead in privately held and public sector organizations.
Table 5-3
Evaluation of CAEs’ Performance by Group*
CAE Respondents in Percentages
Position
1
2
Board of Directors
Chairperson of the
Board
Chief Executive Officer
Audit Committee/
Oversight Committee/
Committee Chairperson
Senior Management
Auditee/Client at the
end of audit
Supervisor periodically
Peers/Subordinates
periodically
Not evaluated
7.1
6.5
5.8
4.7
3
4
5
6
7
8
9
10
11
12
N/C**
9.9 23.0 34.0 26.0 25.2 24.9 19.6 25.5 19.8 11.1
5.9 57.0 20.0 23.0 26.7 31.5 15.2 12.8 13.6 11.1
14.1
18.1
42.1 59.3 46.1 49.0 45.0 44.0 42.7 50.8 39.1 44.7 46.9 77.8
59.8 62.8 67.8 21.0 27.0 29.0 35.1 44.9 37.0 36.2 64.2 88.9
40.3
35.6
38.0 38.4 41.4 25.0 32.0 12.0 25.2 26.6 26.1 23.4 13.6 0.0
8.1 19.8 27.6 5.0 14.0 15.0 14.5 9.5 0.0 27.7 7.4 22.2
28.2
6.0
9.7 5.8 8.6
4.6 14.0 15.1
5.0 11.0 11.0
6.0 5.0 7.0
4.6
4.6
4.9
3.0
4.3 4.3
4.3 10.6
2.5 11.1
6.2 11.1
6.7
2.7
3.0
1.0
5.3
2.0
6.5 10.6
4.9
7.4
3.5
3.9
3.0 6.0
0.0
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: The respondents were asked to mark all that apply so the total of percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 191
Relationship with the Audit Committee
Practice Advisory 2060-2, Relationship with the Audit Committee, governs the relationship of the
IAA and the audit committee. As noted in Table 5-4, CAEs confirm that an audit/oversight committee
exists in 72.6% of their organizations. The CAE’s relationship with the committee chairperson is
very important. Of respondent CAEs with audit committees, 63.2% meet regularly with their audit
committee chair in addition to attending regular audit committee meetings. It is notable that of
those that have audit/oversight committees, 91.3% of CAEs believe they have appropriate access
to the committee.
Table 5-4
CAE’s Relationship with Audit/Oversight Committee
CAE Respondents Percentage of Yes Responses
Question
Is there an audit/oversight committee
in your organization?
Does the CAE meet with the audit/
oversight committee chairperson in
addition to the regularly scheduled
meetings?
Does the CAE believe that he/she
has appropriate access to the audit/
oversight committee?
Total
Respondents
Yes
Percent of
Total
Responses
2,315
72.6
1,669
63.2
1,671
91.3
As indicated in Table 5-4-1-A in Appendix 5, CAE responses by groups have some major differences
relating to the CAE’s relationship with an audit committee. These differences appear to be primarily
related to the existence of the audit committee structure in some groups and not in others. CAEs in
groups 1, 2, 3, and 11 specify that 81.5% to 92.9% of their organizations have an audit committee,
compared to CAEs in the other groups who indicate that 38.7% to 69.5% of their organizations
have an audit committee. In group 12, all respondents have an audit committee.
The Institute of Internal Auditors Research Foundation
192 A Global Summary of the Common Body of Knowledge 2006 ______________________
For those CAEs that have an audit committee, Table 5-5 summarizes the number of audit committee
meetings held in the last fiscal year, the number of meetings CAEs were invited to attend, and the
number of meetings attended by the CAEs. The CAEs responding indicate that 96.9% of audit
committees met between 1 and 12 times per year. The majority of audit committees (82.7%) met
4 or more times per year. There is also a close correlation between the number of audit committee
meetings held, the number of meetings the CAEs were invited to attend, and the number of times
the CAEs actually attended the meetings.
Table 5-5
Audit/Oversight Committee Meetings During Last Fiscal Year
CAE Respondents in Percentages
Number of
Audit
Committee
Meetings
None
1
2
3
4
5
6
7
8
9
10
11
12
More than
12
Total
Meetings Held
Percent of 1,661 Total
Respondents
Meetings the CAE
was Invited to Attend
Percent of 1,657
Total Respondents
Meetings the CAE
Attended
Percent of 1,656
Total Respondents
1.8
5.9
9.6
35.5
10.2
11.8
2.6
6.1
1.4
4.3
1.3
6.4
8.0
4.8
7.4
8.6
31.6
9.4
9.7
2.5
5.1
1.3
3.2
0.8
4.8
7.9
4.7
7.9
8.8
31.6
9.6
9.0
2.8
5.0
1.3
3.5
1.3
4.0
3.1
100.0
2.8
100.0
2.6
100.0
External Relationships - Legislation Affecting Internal Auditing
In the CBOK Affiliate questionnaire, IIA affiliate leaders were asked about local and federal
regulations and legislation affecting the profession of internal auditing. Of the 46 affiliates that
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 193
responded, 78% indicate that their countries have legislation or regulations affecting the internal
auditing profession. Table 5-6 lists the 36 affiliates whose countries have laws and regulations
affecting internal auditing. The United States and Canada also have legislation affecting internal
auditing.
In a majority of the responding affiliates’ countries, legislation or regulations exist affecting internal
auditing in the public sector. In most of these affiliates, financial entities, banks, and insurance
companies are subjected to legislation that prescribes the establishment or the role of internal
auditing in an organization. In several affiliates (e.g., The Netherlands, Norway, South Africa, and
Spain), corporate governance requirements for listed companies strongly recommend the installation
of an IAA as part of their corporate governance structure. In other affiliates (e.g., France, Italy,
United Kingdom, and Ireland), it is recommended that all private companies, whether listed or not,
have an IAA. In a few affiliates (e.g., Belgium and Turkey), initiatives have been taken to create
a more formal legal framework for the internal audit profession.
Table 5-6
Countries with Legislation or Regulation
Affecting Internal Auditing
Argentina
Australia
Austria
Azerbaijan
Belgium
Bolivia
Bulgaria
Canada
Congo
Denmark
Dominican Republic
Finland
France
Germany
Israel
Italy
Japan
Lebanon
Lithuania
Luxembourg
Mexico
The Netherlands
Norway
Peru
Philippines
Russia
Singapore
Slovenia
South Africa
Spain
Sweden
Taiwan
Thailand
Turkey
Uganda
United Kingdom and Ireland
United States
Venezuela
The Institute of Internal Auditors Research Foundation
194 A Global Summary of the Common Body of Knowledge 2006 ______________________
In 61% (22 affiliates) of the 36 responding affiliates where legislation or regulation affecting internal
auditing exists, The IIA affiliate had an influence on the final form of the legislation or regulation.
Table 5-7 provides an overview of these 22 affiliates.
Table 5-7
Countries Where the IIA Affiliate Influenced
Legislation or Regulation Affecting Internal Auditing
Australia
Azerbaijan
Bulgaria
Denmark
Finland
France
Germany
Italy
Japan
Luxembourg
Mexico
The Netherlands
Norway
Philippines
Russia
South Africa
Spain
Sweden
Taiwan
Thailand
Turkey
United Kingdom and Ireland
Those IIA affiliates that assisted in the development of the legislation or regulations took part in the
discussions and provided input through participation and lobbying in committees, work groups, and
conferences. IIA affiliates also regularly issue their own opinions on drafts of local and national
laws and regulations. The publication of position papers and articles reflecting their members’
ideas and opinions is a common method of participation in the evolution of local and national laws
and regulations.
Organizations’ and CAEs’ Perceptions About the IAA
To gain an understanding of how the IAA is perceived within their organization, all respondents
were asked to rank their level of agreement with the statements in Table 5-8 on a scale of 1- 5,
from strongly disagree (1) to strongly agree (5). The mean response for each question was calculated
for the four IAA staff levels responding to the survey. With means mostly above 4.2 for all staff
levels, most auditees indicate their IAA is highly independent, objective, adds value, and effectively
evaluates internal controls. This is generally supported by the group results in Table 5-8-1-A located
in Appendix 5.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 195
Statements with means around 4.0 indicate respondents’ agreement that their IAAs have an effective
approach to risk management; are an integral part of the governance process; are credible within
the organization; are proactive in looking at important financial matters, risks, and internal controls;
have sufficient status in the organization; and that compliance with the IIA’s Code of Ethics is a
key factor for their IAAs to add value to their organizations.
The statements ranked under 4.0 but above 3.5 indicate respondents have less support for the
statements about effectiveness in the evaluation of corporate governance and compliance with
The IIA’s Standards. Overall, the perceptions by the respondents provide a very positive view
about the IAA within their organizations. In Table 5-8-1-A in Appendix 5, mean responses for
these statements for CAEs by groups show very similar results across all groups.
Table 5-8
Relationship of IAA to the Organization
All Respondents in Means*
Statement
CAE Mean
of 2,374
Respondents
Audit
Audit Senior/
Manager
Supervisor
Mean
Mean
of 2,033
of 2,251
Respondents Respondents
Audit Staff
Mean
of 1,626
Respondents
Your internal audit function is an
independent objective assurance
and consulting activity.
Your internal audit function adds
value.
Internal audit brings a systematic
approach to evaluate the
effectiveness of risk management.
Your internal audit function brings
a systematic approach to evaluate
the effectiveness of internal controls.
Your internal audit function brings a
systematic approach to evaluate the
effectiveness of governance
processes.
Your internal audit function
proactively examines important
financial matters, risks, and internal
controls.
4.45
4.34
4.25
4.10
4.41
4.32
4.26
4.20
4.03
3.99
3.98
3.95
4.35
4.27
4.21
4.11
3.80
3.73
3.71
3.74
4.10
4.05
3.96
3.88
*The mean is the average response to: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree.
The Institute of Internal Auditors Research Foundation
196 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-8 (Cont.)
Relationship of IAA to the Organization
All Respondents in Means*
Statement
Your internal audit function is an
integral part of the governance
process by providing reliable
information to management.
The way our internal audit function
adds value to the governance
process is through direct access to
the audit committee.
Your internal audit function has
sufficient status in the organization
to be effective.
Independence is a key factor for
your internal audit function to add
value.
Objectivity is a key factor for your
internal audit function to add value.
Your internal audit function is
credible within your organization.
Compliance with The IIA’s
International Standards for the
Professional Practice of Internal
Auditing is a key factor for your
internal audit activity to add value
to the governance process.
Compliance with The IIA’s Code
of Ethics is a key factor for your
internal audit function to add value
to the governance process.
CAE Mean
of 2,374
Respondents
Audit
Audit Senior/
Manager
Supervisor
Mean
Mean
of 2,033
of 2,251
Respondents Respondents
Audit Staff
Mean
of 1,626
Respondents
4.10
4.04
3.97
3.91
3.52
3.81
3.66
3.51
4.07
3.97
3.86
3.75
4.46
4.40
4.32
4.29
4.58
4.47
4.42
4.36
4.30
4.17
4.08
3.99
3.86
3.90
3.89
3.90
4.03
4.04
3.98
3.99
*The mean is the average response to: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 197
Methods Used to Measure the Value Added by the IAA
The IIA defines internal auditing as “an independent, objective assurance and consulting activity
designed to add value and improve an organization’s operations.” In The IIA’s Standards Glossary,
add value is defined as, “Value is provided by improving opportunities to achieve organizational
objectives, identifying operational improvement, and/or reducing risk exposure through both assurance
and consulting services.”
Figure 5-4 on the following page lists the methods used by the respondents’ organizations to measure
the value added by their IAAs. The measures include acceptance and implementation of
recommendations (51.4%), assessment by customer surveys from audited departments (34.6%),
and the number of management requests for internal assurance or consulting projects (26.8%).
Reliance by the external auditors on the IAA is also used as a value-added indicator (33.5%). No
formal measurement of value added was indicated in 32.6% of the 2,361 respondents.
As can be seen in Table 5-9, considerable differences exist between groups in the methods used to
evaluate the value added by IAAs. There are significant differences when relying on customer/
auditee surveys (10.9% - 57.9%), reliance by external auditors (9.7% - 77.8%), and the number of
major audit findings (4.3% - 66.7%). There was variation between groups where there is no
formal measurement of value added by IAAs’ services with a high of 47.5% for group 6.
The Institute of Internal Auditors Research Foundation
198 A Global Summary of the Common Body of Knowledge 2006 ______________________
Figure 5-4
Methods Used to Measure Value Added by the IAA
CAE Respondents (2,361) in Percentages
internal audit activity
internal audit assurance or consulting
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
Method of
Evaluation
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
Customer/client
surveys from audited
departments
Recommendations
accepted/implemented
Cost savings and
improvements from
recommendations
implemented
Number of management
requests for internal
audit assurance or
consulting projects
Reliance by external
auditors on the internal
audit activity
Budget to actual audit hours
Cycle time from
entrance conference to
draft report
Number of major audit
findings
Other
No formal measurement
of value added
Total respondents by
group
37.5
50.0
57.9
32.0
26.0
24.4
33.6
23.0
10.9
55.3
32.9
44.4
32.0
46.9
52.3
55.3
59.2
53.7
34.4
62.6
56.3
60.9
31.9
64.6 100.0.0
58.0
30.1
27.9
17.8
49.5
31.1
17.5
34.4
21.7
30.4
17.0
42.7
66.7
36.0
28.0
44.2
34.9
21.4
21.5
14.4
26.7
23.7
32.6
12.8
39.0
77.8
23.3
37.7
46.5
50.7
9.7
16.4
32.5
30.5
33.2
10.9
34.0
34.1
77.8
26.7
17.9
10.8
30.2
12.8
25.7
13.8
8.7
3.9
12.4
5.6
18.8
12.5
22.9
11.5
9.9
10.2
26.1
15.2
19.1
14.9
14.6
13.4
33.3
11.1
12.7
12.7
15.2
19.8
18.4
44.7
37.3
15.0
29.8
18.4
37.0
4.3
30.5
66.7
29.3
11.1
34.5
11.6
24.4
17.1
27.6
3.9
35.0
18.6
27.1
7.5
47.5
4.6
31.3
9.9
32.6
8.7
26.1
8.5
31.9
9.8
23.2
11.1
11.1
11.3
30.0
914
86
152
103
177
160
131
304
46
47
82
9
150
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: The respondents were asked to mark all that apply so the total of percentages may be more than 100.
____________________________ Chapter 5: Current Status of the Internal Audit Activity 199
Table 5-9
Methods Used to Measure Value Added by the IAA by Group*
All Respondents by Group in Percentages
200 A Global Summary of the Common Body of Knowledge 2006 ______________________
Internal Audit Activity
Governing Documents in the Organization
According to Standard 2130, Governance, the IAA “should assess and make appropriate
recommendations for improving the governance process.” Table 5-10 shows the types of documents
that support the establishment of corporate governance in an organization. Respondents report that
73.3% of their organizations have a corporate ethics policy/code of ethics/code of conduct and
66.3% have a long-term strategic plan. Only 53.2% of the respondents’ organizations have a
corporate governance code and 56.9% have an audit oversight/committee charter.
5,322
4,974
6,201
6,859
Number of Yes
Responses
56.9
53.2
66.3
73.3
Percent of
Respondents
Table 5-10
Documents that Exist in the Organization Supporting the
Establishment of Corporate Governance
All Respondents in Percentages
Documents
Corporate Ethics Policy/Code of Ethics/
Code of Conduct
Long-term Strategic Plan for the
Organization
Audit Oversight/Committee Charter
Corporate Governance Code
Note: The respondents were asked to mark all that apply so the total responses may be more than the total number of
respondents and the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 201
Figure 5-5 shows the type of documents that support the work and performance of the IAA. Each
is important to the success of the IAA. An internal audit charter is required by The IIA’s Attribute
Standard 1000, Purpose, Authority, and Responsibility, and Practice Advisory (PA) 1000-1, Internal
Audit Charter. Documented audit plans are expected to be in use. Compliance with Performance
Standard 2010, Planning, requires the CAE to “Establish risk-based plans to determine the priorities
of the IAA.”
Figure 5-5
Documents that Exist in the Organization Supporting the
Work and Performance of the IAA
All Respondents in Percentages
Audit Activity
Note: The respondents were asked to mark all that apply so the total percentages may be more than 100.
The respondents indicate that 81.3% of their IAAs have an audit plan, 72.3% of their IAAs have
an internal audit charter, and 60.1% have a mission statement. A majority of respondents’ IAAs
(69.5%) use internal audit risk assessments to develop the audit plan. Respondents indicate that
63% of their IAAs have an internal audit operating manual/policy statement and 40.3% have an
audit plan that is longer than one year. These are all positive signs for effective internal audit
procedures.
The Institute of Internal Auditors Research Foundation
202 A Global Summary of the Common Body of Knowledge 2006 ______________________
Managing the Internal Audit Activity
To gather information about compliance with The IIA’s Standards, all respondents were asked
questions about who performed administrative tasks, quality assessments of the IAA, and technical
competency training for internal auditors. The questions required the respondent to indicate what
percentage of these activities are performed by the IAA, by service providers, or not performed at
all.
Performance Standard 2000 requires that the chief audit executive (CAE) “should effectively
manage the internal audit activity to ensure it adds value to the organization.” These activities
include administrative activities such as developing an audit plan and assigning audit tasks.
Performance Standard 2200 states that, “Internal auditors should develop and record a plan for
each engagement, including the scope, objectives, timing, and resource allocations.” The results in
Table 5-11 show that 91.5% of all respondents believe that their IAA performs the administrative
tasks appropriate for the department. The vast majority of IAA leadership takes charge of the
administrative responsibilities inherent in the IAA.
Table 5-11
Managing the Internal Audit Activity
Who Performs Audit Activities
All Respondents in Percentages
Activity
Administrative
(audit plan,
assign tasks)
Technical
competency
training for
auditors
Quality
assessment of
internal audit
activity
Total Number
of
Respondents
by Activity
IAA
Other
Co-Sourced OutNot
Total
Departments
sourced Performed Percent
in
by
Organization
Activity
7,750
91.5
3.6
2.3
1.2
1.4
100.0
8,746
44.4
14.1
6.6
21.3
13.6
100.0
8,212
37.0
13.5
5.3
17.4
26.8
100.0
Note: Since respondents were asked to mark all that apply, the total number of respondents may not be the same for
each activity.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 203
To continuously monitor the effectiveness of the IAA, Standard 1300 states, “The CAE should
develop and maintain a quality assurance and improvement program” (QA&IP). The QA&IP
should include both ongoing and periodic internal assessments that cover the entire spectrum of
audit and consulting work performed by the internal audit activity. The quality of the internal audit
activities are assessed by the IAA (37%), other departments (13.5%), or outsourced (17.4%).
About twenty-seven percent (26.8%) of the respondents do not perform quality assessments of
their internal audit activities. More details about respondents’ QA&IP programs can be found in
Chapter 4.
Standard 1210 requires that internal auditors “possess the knowledge, skills, and other competencies
needed to perform their individual responsibilities.” To be certain that the audit staff has the necessary
skills, 44.4% of the IAAs provide technical competency training for auditors. Other departments
within the organization provide 14.1% of the training, and 27.9% of training is either co-sourced or
outsourced. Of the respondents, 13.6% indicate that no training for the audit staff is provided.
The Institute of Internal Auditors Research Foundation
204 A Global Summary of the Common Body of Knowledge 2006 ______________________
Creating the Audit Plan
In accordance with IIA Performance Standard 2010 on Planning, the CAE should plan what to
audit based on risk assessment. Figure 5-6 indicates that 95.6% of CAEs plan their audit activity at
least annually, including 36.4% who update their plan multiple times a year.
Figure 5-6
Percentage Frequency of Audit Plan Updating
CAE Respondents (2,305) in Percentages
No audit plan
3.2%
Every two years
0.7%
More than every
two years
0.5%
Multiple times
per year
36.4%
Every year
59.2%
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 205
Figure 5-7 lists the methods CAEs use to determine the audit plan. The use of risk-based methodology
required by Performance Standard 2010 and Practice Advisory PA 2010-1, Planning, is used by
86.7% of the respondents. This method is supplemented by 73.1% of respondents who include
requests from management. Audit planning is also influenced by consulting the previous year’s
plan (62.8%) and consultation with divisional or business heads (62.9%). Strong influence on the
audit plan can come from audit committee requests (55.5%) and compliance/regulatory requirements
(58.8%) as well.
Figure 5-7
How the Audit Plan is Established
CAE Respondents (2,288) in Percentages
Note: The respondents were asked to mark all that apply so the total percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
206 A Global Summary of the Common Body of Knowledge 2006 ______________________
As shown in Table 5-12, the groups’ CAEs show a consistently high percentage of reliance on riskbased methodology for audit planning, from a low of 75% to a high of 100%. Audit committee/
oversight committee requests are strongly supported in groups 1, 2, 3, 11, and 12, and there is high
reliance and compliance/regulatory requirements in groups 1, 2, 7, and 12. Requests from
management and review of previous year’s audit plan are also supported.
Table 5-12
How Audit Plan is Established by Groups*
CAE Respondents in Percentages
Method
1
Use of a risk-based
methodology
Consult previous
years audit plan
Consultation with
divisional or business
heads
Requests from
management
Audit committee/
oversight committee
requests
Compliance/regulatory
requirements
Requests from or
consultation with
external auditors
Other
Total number of
respondents
2
3
4
5
6
7
8
9
10
11
12
N/C**
89.1 94.2 94.6 87.3 85.1 89.8 82.0 77.2 75.0 93.6 91.3 100.0
78.7
62.0 61.6 59.2 80.4 60.6 65.6 60.9 59.9 56.8 53.2 66.3 88.9
68.1
73.1 87.2 78.9 42.2 52.6 49.7 46.1 54.1 40.9 80.9 57.5 44.4
49.6
78.8 81.4 72.8 53.9 74.9 71.3 64.1 73.5 68.2 59.6 67.5 88.9
62.4
65.7 81.4 68.0 36.3 28.0 38.9 37.5 51.0 47.7 51.1 71.3 77.8
48.9
66.2 67.4 58.5 43.1 39.4 59.2 65.6 55.1 52.3 34.0 55.0 77.8
56.0
40.8 58.1 50.3 22.5 16.6 47.1 22.7 23.1 9.1 38.3 35.0 33.3
30.5
8.9
9.3
878
86
7.5
7.8 14.9 12.1 15.6 7.5 11.4
147 102
175
157
128 294
44
8.5
6.3 22.2
7.1
47
80
141
9
*For a list of affiliate groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: The respondents were asked to mark all that apply so that the total percent by group may be more than 100.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 207
Allocation of IAAs’ Time
The definition of internal auditing and Standard 2100, Nature of Work, includes three broad areas
of responsibility for IAAs to “evaluate and contribute to the improvement of risk management,
control, and governance processes.” The following summarizes the respondent’s responses about
the how IAAs’ time is allocated, the types of audits performed in the organization and who performs
them, and what tools are used by the IAA when performing their work. Audits are generally placed
in three categories, (1) general types of audits, (2) audits performed in the areas of risk management,
control, and governance processes, and (3) other audit activities.
In order to gauge the extent of various types of internal audit activities performed by the IAAs,
respondents were asked to estimate the time spent on compliance audits, consulting/advisory,
financial process audits, fraud investigations, governance audits, information technology audits,
operational, management audits, and other types of audits. Table 5-13 on the following page shows
the mean percentage of time spent for all respondents over a period of 6 years (3 years ago,
currently, and an estimate for 3 years from now).
The Institute of Internal Auditors Research Foundation
208 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-13
Average of IAAs’ Time Spent on Audits
for All Respondents in Mean Percentages
Activity
Mean
Percentage of
Time Spent 3
Years Ago
Mean
Percentage
of Current
Time Spent
Mean
Percentage of
Time Expected
to be Spent 3
Years from Now
Anticipated
Change in Mean
Percentage of
Time Spent from
2003 to 2009
Compliance audits (laws,
regulations, and policy)
Operational
Financial process audits
(including assistance to the
external auditor)
Consulting/advisory
Information technology audits
Other
Fraud investigations
(forensic accounting/auditing
Management audits
Governance audits (ethics,
control framework, regulatory,
linkage of strategy, and
company performance)
Total
23.4
22.4
19.9
-3.5
22.5
15.5
21.1
14.9
19.5
13.8
-3.0
-1.7
8.2
7.9
6.6
5.9
9.8
9.7
3.3
6.1
11.5
12.3
2.6
6.2
+3.3
+4.4
-4.0
+0.3
5.2
4.8
5.5
7.2
5.8
8.4
+0.6
+3.6
100.0
100.0
100.0
Note: Responses are in percentages and the mean percentage is the average response for that activity.
For the six-year period, while no one type of audit appears to dominate the work performed by
IAAs, respondents indicate that most of the IAAs’ time was, is, and will be spent on compliance
audits (23.4% past, 22.4% current, and 19.9% future). Time spent on operational auditing is a close
second with 22.5% in the past, 21.1% currently, and 19.5% in the future. The third largest type of
audit is financial with 15.5% of audit time three years ago, 14.9% currently, and 13.8% in the
future. As the time spent on those types of audits has been decreasing, the time spent on consulting,
governance, and information technology is increasing. This seems reasonable since the definition
of internal auditing changed to include consulting and governance in 1999.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 209
Types of Audits Performed
Table 5-14 lists types of audits and who performs them. The top four types of audits performed by
the IAA are internal auditing (85.6%), operational auditing (79.1%), investigations of fraud and
irregularities (56.3%), and financial auditing (56%). Other IAA engagements include ethics audits
(47.1%), management effectiveness audits (48.5%), and information technology department
assessments (45.4%). The three largest audit areas that are co-sourced or outsourced are financial
auditing (27.2%), information technology department assessment (18.8%), and quality/ISO audits
(14.1%). The three areas where audits are less likely to be performed by the IAA are social and
sustainability audits (40.0%), quality/ISO audits (32.6%), and ethics audits (27.4%).
The results in Table 5-13 indicate that IAAs anticipate spending most of their time on compliance
audits, operational audits, and financial process audits. Table 5-14 shows that operational audits
and financial auditing are most often performed by the IAA. The internal auditing category in
Table 5-14 presumes to include compliance auditing since that was not asked separately in this
survey question. The results for where the IAA’s time is spent and who performs these audit
activities appear to be consistent for the respondents. Fraud investigations, ethics audits, and
information technology department audits do not consume much IAA time in Table 5-13, but are in
the domain of many IAAs as indicated in Table 5-14.
The Institute of Internal Auditors Research Foundation
210 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-14
Types of Audits
Who Performs Audit Activities
All Respondents in Percentages
Type of Audit
Internal auditing
Operational audits
Investigations of
fraud and
irregularities
Financial auditing
Management
effectiveness
review/audit
Ethics audits
Information
technology
department
assessment
Social and
sustainability
audits
Quality/ISO audits
Total
IAA
Other
CoOutNot
Total
Number
Department in Sourced sourced Performed Percent
of Respondents
Organization
by Activity
by Activity
7,918
8,443
9,877
85.6
79.1
56.3
3.4
11.9
31.4
4.8
3.6
5.9
3.3
2.5
3.8
2.9
2.9
2.6
100.0
100.0
100.0
8,989
8,324
56.0
48.5
14.7
28.4
7.2
3.7
20.0
3.1
2.1
16.3
100.0
100.0
7,828
8,959
47.1
45.4
21.3
28.8
3.0
8.8
1.2
10.0
27.4
7.0
100.0
100.0
7,648
22.7
30.4
3.4
3.5
40.0
100.0
7,896
20.5
32.8
4.6
9.5
32.6
100.0
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 211
Risk, Controls, and Governance Audits
Practice Advisory 1311-1, Internal Assessments, states, “The CAE is responsible for establishing
an internal audit activity whose scope of work includes all the activities in the Standards and in the
definition of internal auditing,” which includes effectiveness of risk management, control, and
governance processes. Realizing that all audits have some elements of all three, the following
summarizes the type of audit activities performed in these three areas and who performs these
audits.
Effectiveness of Risk Management
The internal auditor has several responsibilities for the effectiveness of risk management within an
organization. Standard 2110, Risk Management, states that the IAA should “assist the organization
by identifying and evaluating significant exposures to risk and contributing to the improvement of
risk management and control systems.” Standard 2600, Resolution of Management’s Acceptance
of Risks, highlights the importance of the CAE discussing risks and other internal audit findings
with senior management. If the decision regarding residual risk is not resolved, the CAE should
report the matter to the board for resolution.
Table 5-15 shows the major audit activities performed in the risk, control, and governance areas.
Risk management work performed within organizations includes business viability assessments,
information risk assessment, and enterprise risk management. While the majority of business
viability assessments are performed by other departments within the organization (51.6%), IAAs
perform 24.6% of these audits and 16.8% of the respondents report that these audits are not
performed. In the area of information risk assessment, the IAA performs 47.5% of the activities
and other departments perform 30.9% and 15.2% of this work is co-sourced or outsourced. For
enterprise risk management activities, IAAs perform 37.6% of these assessment activities, other
departments within the organization perform 43.6%, and 6.5% of these activities are co-sourced or
outsourced.
The Institute of Internal Auditors Research Foundation
212 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-15
Who Performs Risk, Control, and Governance
Audit Activities
All Respondents in Percentages
Activity
Internal control
testing/systems
evaluation
Control framework
monitoring and
development
Compliance with
corporate
governance and
regulatory code
requirements
Information risk
assessment
Enterprise risk
management
Resource
management and
controls
Linkage of strategy
and company
performance
Business viability
assessments
Total
IAA
Other
CoOutNot
Total
Number
Department in Sourced sourced Performed Percent
of Respondents
Organization
by Activity
by Activity
9,366
70.8
17.0
6.3
4.2
1.7
100.0
8,772
58.9
28.6
4.6
1.5
6.4
100.0
9,181
51.4
35.3
5.0
2.0
6.3
100.0
9,282
47.5
30.9
8.2
7.0
6.4
100.0
8,679
37.6
43.6
5.0
1.5
12.3
100.0
8,096
32.1
47.9
3.6
2.0
14.4
100.0
8,266
26.3
55.8
3.8
1.6
12.5
100.0
7,742
24.6
51.6
4.5
2.5
16.8
100.0
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 213
Audits of Controls
Standard 2120, Control, states that the IAA should “assist the organization in maintaining effective
controls.” In Table 5-15, respondents indicate that 70.8% of the activities to test internal controls
and systems evaluation are done by the IAA. Other departments perform 17% of the same activities
and 10.5% of these activities are co-sourced or outsourced.
Corporate Governance
Standard 2130, Governance, requires IAAs to “assess and make appropriate recommendations for
improving the governance process.” Table 5-15 lists several governance audit activities performed
within organizations. The corporate governance activities performed by IAA includes control
framework monitoring and development (58.9%), compliance with corporate governance and
regulatory code requirements (51.4%), resource management and controls (32.1%), and linkage
of strategy and company performance (26.3%). Logically, other departments within organizations
are very active in compliance with corporate governance and regulatory code requirements (35.3%)
and in the areas of linkage of strategy and company performance (55.8%) and resource management
and controls (47.9%).
Compliance or Special Consulting Projects
Table 5-16 shows audit activities from the list provided to the respondents in the CBOK 2006
questionnaire that are compliance activities or special consulting projects. Practice Advisory
2120.A1-1, Assessing and Reporting on Control Processes, states that testing “compliance with
laws, regulations, and contracts” is part of the IAA’s study and evaluation of internal controls.
Two areas where the IAA performs compliance activities are compliance with company privacy
policies (43.1%) and health, safety, and environment (22.1%).
The definition of internal auditing includes consulting in its scope of acceptable audit activity. A
few areas of consulting included in the study indicate that 11.3% of the activities for corporate
takeovers/mergers are performed by IAAs while 50.4 % are handled by other departments in the
organization. The IAA provides 46.2% of the support for external auditors, other departments
provide 28.1% and co-sourced or outsourced work accounts for 14% of the activities required.
Project management activities are performed mainly by other departments (58.3%) with 27.7% of
these activities performed by the IAA. The IAA and other departments in the organization each
provide 39.6% of the activities for special projects with 15.4% being co-sourced or outsourced.
The Institute of Internal Auditors Research Foundation
214 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-16
Who Performs Other Audit Activities
All Respondents in Percentages
Activity
External audit
assistance
Compliance with
company privacy
policies
Special projects
Project
management
Health, safety,
and environment
Corporate
takeovers/mergers
Total
IAA
Other
CoOutNot
Total
Number
Department in Sourced sourced Performed Percent
of Respondents
Organization
by Activity
by Activity
8,421
46.2
28.1
5.1
8.9
11.7
100.0
8,584
43.1
42.1
4.0
1.6
9.2
100.0
10,414
8,542
39.6
27.7
39.6
58.3
8.3
5.1
7.1
2.8
5.4
6.1
100.0
100.0
8,083
22.1
57.3
4.2
3.0
13.4
100.0
7,796
11.3
50.4
4.9
3.8
29.6
100.0
Performing the Engagement – The Use of Tools
This section summarizes the use of 16 tools and techniques currently in place or planned to be used
by IAAs globally. The demands on the IAA and its staff are increasing as the significance and
usefulness of the work of the IAA become better known and valued throughout the organization.
Internal audit is designed to add value and improve an organization’s operations by bringing a
systematic, disciplined approach to evaluation, improvement, and effectiveness of risk management,
controls, and governance. As internal auditing resources may be constrained, the IAA must use
audit tools and techniques to use its time efficiently. The tools and techniques in the CBOK survey
were identified by reviewing the Standards and Practice Advisories, internal auditing literature,
past CBOK studies, and the CBOK 2006 pilot study. Based on this review, 16 tools and techniques
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 215
were identified as being important for the IAA. Respondents could not add to or amend the list that
was included in the CBOK 2006 survey. Some of the tools listed help with audit administration
(planning, managing, preparing working papers, etc.) while others relate to helping internal auditors
perform their engagements (analyzing data, statistical sampling, etc.). All the tools contribute to the
IAA adding value to the organization.
The selection of tools and techniques in this survey is supported by the Standards and Practice
Advisories. In the Standards and expanded upon in the Practice Advisories, certain tools are
emphasized:
•
Attribute Standard 1220, Due Professional Care, recommends that the internal auditor in
exercising due professional care should consider the use of computer-assisted audit tools
and other data analysis techniques.
•
Analytical review is supported in Practice Advisory 2100-10, Audit Sampling.
•
Risk-based audit planning is addressed in Standard 2010, Planning, which requires the
chief audit executive to establish risk-based plans to determine the priorities of the internal
audit activity, consistent with the organization’s goals.
•
Standard 2010.A1, Assurance Engagement, states that the IAA plan of engagements should
be based on a risk assessment, undertaken at least annually. This issue is also analyzed by
the Practice Advisory 2010-2, Linking the Audit Plan to Risk and Exposures.
•
Practice Advisory 2100-10, “Audit Sampling is defined as the application of audit procedures
to less than 100 percent of the population to enable the auditor to evaluate audit evidence
about some characteristics of the items selected to form or assist in forming a conclusion
concerning the population. Statistical sampling involves the use of techniques from which
mathematically constructed conclusions regarding the population can be drawn.”
•
Practice Advisory 1311-1, Internal Assessments, suggests that Periodic Assessment may
include benchmarking of the IAA practices and performance metrics against relevant best
practices of the internal auditing profession.
•
The balanced scorecard tool is mentioned in Practice Advisory 1311-2, Establishing Measures
(Quantitative Metrics and Qualitative Assessments) to Support Reviews of Internal Audit
The Institute of Internal Auditors Research Foundation
216 A Global Summary of the Common Body of Knowledge 2006 ______________________
Activity Performance. This Practice Advisory reflects recommended practices for
measuring the performance of internal auditing and it is related to Standard 1311, Internal
Assessments.
•
Practice Advisory 2120.A1-2, Using Control Self Assessment (CSA) for Assessing the
Adequacy of Control Processes, states that the CSA methodology can be used by managers
and internal auditors for assessing the adequacy of the organization’s risk management
and control processes. Internal auditors can utilize CSA programs for gathering relevant
information about risks and controls, for focusing the audit plan on high risk, unusual areas,
and to forge greater collaboration with operating managers and work teams.
•
Standard 1300, Quality Assurance and Improvement Program, requires the CAE to develop
and maintain a quality assurance and improvement program that covers all aspects of the
internal audit activity and continuously monitors its effectiveness. This program includes
periodic internal and external quality assessments and ongoing internal monitoring.
The respondents were asked to indicate which tools/techniques their IAAs currently use or plan to
use in the next three years by rating all the tools listed on a five point scale from 1, not used, to 5,
extensively used. Results are shown in means and/or in the frequency of respondents selecting a
tool/technique. Tables include responses by position, by response type, and/or by groups.
Current Usage of Audit Tools and Techniques
The use of various tools and techniques is fundamental for the effectiveness and efficiency of the
IAA in performing their engagements. The use of these tools/techniques helps the auditor successfully
plan, monitor progress, document, analyze data, complete the audit, and determine the magnitude
of audit findings. Table 5-17 indicates the extent that respondent IAAs currently use sixteen different
audit tools/techniques. The means listed in the table summarize the responses given by each staff
level of auditors: CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The
mean was calculated based on a scale of 1 (not used) to 5 (extensively used). An overall mean for
each item is also presented.
The results show that CAEs and Practitioners almost uniformly rank the tools/techniques currently
used by the IAA the same. Electronic communication (e.g., Internet, e-mail), risk-based audit
planning, analytical review, and electronic workpapers are currently the most utilized tools. Electronic
communication is overwhelmingly the highest ranked tool/technique for all respondents.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 217
Table 5-17
Extent the IAA Currently Uses Audit Tools/Techniques
All Respondents by Mean*
Tools/Techniques
Other electronic
communication
(e.g., Internet, e-mail)
Risk-based audit
planning
Analytical review
Electronic workpapers
Statistical sampling
Computer-assisted
audit techniques
Flowchart software
Benchmarking
Process mapping
application
Control self-assessment
Data mining
Continuous/real-time
auditing
The IIA’s quality
assessment review tools
Balanced scorecard or
similar framework
Total quality
management techniques
Process modeling software
Number of
Respondents
Overall
Mean
CAE
Audit
Manager
Audit
Audit Other
Senior/ Staff
Supervisor
6,629
4.08
3.98
4.15
4.19
4.13
3.64
6,596
3.56
3.57
3.63
3.58
3.54
3.08
6,619
6,566
6,522
6,567
3.21
3.19
2.77
2.67
3.12
2.99
2.64
2.54
3.21
3.28
2.69
2.73
3.28
3.28
2.83
2.73
3.23
3.38
3.00
2.73
3.05
2.90
2.76
2.68
6,526
6,494
6,496
2.42
2.41
2.36
2.31
2.37
2.22
2.51
2.44
2.39
2.45
2.42
2.43
2.46
2.42
2.46
2.41
2.41
2.39
6,497
6,385
6,483
2.30
2.26
2.21
2.09
2.18
2.06
2.27
2.26
2.12
2.42
2.29
2.30
2.54
2.37
2.47
2.40
2.18
2.22
6,409
2.06
1.93
2.13
2.07
2.18
2.09
6,417
2.02
1.85
2.06
2.09
2.13
2.07
6,366
1.97
1.79
1.98
2.00
2.19
2.11
6,352
1.69
1.51
1.66
1.78
1.88
1.87
*The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used,
5 = Extensively Used.
Note: Since respondents were asked to mark all that apply, the total number of respondents may not be the same for
each audit tool/technique.
The Institute of Internal Auditors Research Foundation
218 A Global Summary of the Common Body of Knowledge 2006 ______________________
The tools/techniques that obtained the highest overall means from all respondents are:
1.
2.
3.
4.
5.
Other electronic communication (e.g., Internet, e-mail) (4.08).
Risk-based audit planning (3.56).
Analytical review (3.21).
Electronic workpapers (3.19).
Statistical sampling (2.77).
The tools/techniques that received the lowest overall mean responses are:
12.
13.
14.
15.
16.
Continuous/real-time auditing (2.21).
The IIA’s quality assessment review tools (2.06).
Balanced scorecard or similar framework (2.02).
Total quality management techniques (1.97).
Process modeling software (1.69).
As shown in Table 5-17-1-A, even in regions of the world where access to the Internet might not
be easily or readily available, it is generally ranked the highest. Electronic working papers and riskbased audit planning are uniformly ranked high by all respondents. Many of the remaining tools are
grouped in the 2.00 to 2.50 range, indicating moderate to average use.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 219
Table 5-18 shows the means in rank order of use by staff level of the respondents. Each ranking
goes from 1, the tool/technique with the highest mean, to 16, the tool/technique with the lowest
mean. The consistency in ranking by all staff levels about usage of tools and techniques by their
IAAs is evident.
Table 5-18
Extent the IAA Currently Uses Audit Tools/Techniques
All Respondents by Mean Rank
Tools/Techniques
Other electronic communication
(e.g., Internet, e-mail)
Risk-based audit planning
Analytical review
Electronic workpapers
Statistical sampling
Computer-assisted audit
techniques
Flowchart software
Benchmarking
Process mapping application
Control self-assessment
Data mining
Continuous/real-time auditing
The IIA’s quality assessment
review tools
Balanced scorecard or similar
framework
Total quality management
techniques
Process modeling software
Overall
Average
CAE
Audit
Manager
Audit Senior/
Supervisor
Audit
Staff
Other
1
1
1
1
1
1
2
3
4
5
6
2
3
4
5
6
2
4
3
6
5
2
3/4
3/4
5
6
2
4
3
5
6
2
3
4
5
6
7
8
9
10
11
12
13
8
7
9
11
10
12
13
7
8
9
10
11
13
12
7
9/10
8
9/10
12
11
14
8/9
11
8/9
10
12
7
14
7/8
7/8
10
9
12
11
14
14
14
14
13
15
15
15
15
15
15
13
13
16
16
16
16
16
16
Note: In some cases the rankings were tied. For example, rankings of Benchmarking and Control Self Assessment at
the Audit Senior/Supervisor level were tied.
The Institute of Internal Auditors Research Foundation
220 A Global Summary of the Common Body of Knowledge 2006 ______________________
Although the means are generally lower for CAEs than for other respondents, the comparison of
the overall means with the means and rankings for CAEs and other respondents does not show
any significant differences between the categories of respondents. The only major differences
between the means for the different staff levels relate to:
•
•
•
•
Continuous real-time auditing (2.06, ranked 12 for the CAE versus 2.47, ranked 7 for
Audit Staff).
Electronic working papers (2.99, ranked 4 for the CAE versus 3.38, ranked 3 for Audit
Staff).
Control self-assessment (2.09, ranked 11 for the CAE versus 2.54, ranked 10 for the Audit
Staff).
Statistical sampling (2.64, ranked 5 for the CAE versus 3.00, ranked 5 for Audit Staff).
The analysis of the means according to the 13 groups is provided in Table 5-17-1-A in Appendix 5.
There are noticeable differences for electronic workpapers (3.53 for group 8 and 1.97 for group
12), risk-based audit planning (3.91 for group 3, 3.86 for groups 2 and 10, and 2.53 for group 4), and
other electronic communication (4.38 for group 10; and 3.15 for group 12). Differences related to
access to electronic resources may be reflected in the results for some of the groups.
Table 5-17-2 shows the rankings by groups. Each ranking goes from 1, the tool/technique with the
highest mean in the group, to 16, the tool/technique with the lowest mean in the group. This
comparison shows that the degree of consensus on most tools and techniques among the different
groups is very high. This is the case for other electronic communications which ranks first or
second in each group. Process modeling software is always ranked between 13 and 16, analytical
review is always ranked between second and sixth and electronic workpapers is ranked between
third and seventh. The highest variability in this comparison, which indicates the lowest level of
consensus, relates to data mining (groups 7 and 9), continuous real-time auditing (groups 4 and 11),
control self-assessment (groups 4 and 12), and process mapping application (groups 8 and 10).
When analyzing the ranking information most groups are within two rankings of the overall ranking.
Exceptions are group 7 with 50% of their rankings more than two places away, group 10 with
37.5% of their rankings more than two places away, and groups 1, 4, and 12 have 31% of their
rankings more than two places away from the overall ranking.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 221
Table 5-17-2
Tools and Techniques Currently Used by Group*
All Respondents by Mean Rank**
Overall 1
Tools/Techniques**** Average
Other electronic
1
1
communication
(e.g., Internet, e-mail)
Risk-based audit
2
2
planning
Analytical review
3
5
Electronic workpapers
4
3
Statistical sampling
5
6
Computer-assisted
6
4
audit techniques
Flowchart software
7
8
Benchmarking
8
11
Process mapping
9
13
application
Control self10
12
assessment
Data mining
11
7
Continuous/real-time
12
9
auditing
The IIA’s quality
13
10
assessment review
tools
Balanced scorecard
14
15
or similar framework
Total quality
15
14
management
techniques
Process modeling
16
16
software
2
3
4
5
6
7
8
9
10
11 12 N/C***
2
2
1
1
1
2
1
1
1
1
1
1
1
1
6
2
2
1
2
2
2
2
2
2
4
5
7
3
5
3
6
4
2
3
7
9
4
3
6
5
4
3
6
5
6
3
5
4
4
3
7
6
3
5
7
4
4
3
9
5
3
5
6
4
5
7
4
3
4
3
6
5
11
8
10
13
7
12
11
10
8
9
11
7
13
8
7
11
14
7
11
10
5
11
10
12
12
6
14
13
7
10
14
6
9
11
12
9
6
8
4
10
10
8
8
8
7
8
13
8
9
12
11
10
12
5
8
13
9
11
16
9
9
13
6 13
9 10
11
14
11
10
10
7
13
9
14
12
12
10
14
13
8
9
12
13
14
15
16
15
14
15
12
15
11
15
15
15
15
14
13
14
16
12
16
14
15
12
8
14
16
16
15
16
15
13
15
16
16
16
16
16
*For a list of groups, please see Appendix 1-B.
**The ranking goes from 1 (the tool/technique with the highest mean in the group) to 16 (the tool/technique with the
lowest mean in the group).
***N/C = Respondents did not indicate affiliate or chapter membership.
****The tools/techniques are presented in the table in a decreasing order, according to the ranking of the overall means.
The Institute of Internal Auditors Research Foundation
222 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-19 summarizes how all respondents’ replies are distributed along the 5 options: not used;
moderately used; average use; very much used; and extensively used. The frequencies show the
extent to which the internal audit activity (IAA) currently uses the listed audit tools and techniques
when compared to the overall mean usage of all respondents’ IAAs. This table provides a more
detailed picture of overall usage of tools and techniques. Since some respondents’ organizations
and IAAs are much larger and older than others, they may use more audit tools and have more
resources to purchase and apply the listed tools and techniques.
Table 5-19
Extent the IAA Currently Uses the
Listed Audit Tools/Techniques
All Respondents by Mean and Frequency
Tools/Techniques
Number of Mean*
Respondents
Other electronic
communication
(e.g., Internet,
e-mail)
Risk-based audit
planning
Analytical review
Electronic workpapers
Statistical sampling
Computer-assisted
audit techniques
Flowchart software
Benchmarking
Process mapping
application
Control selfassessment
Data mining
Continuous/real-time
auditing
%
Not
Used
%
Moderately
Used
%
Average
Use
%
Very
Much
Used
%
Extensively
Used
6,643
4.08
2.7
6.9
16.7
27.5
46.2
6,611
3.56
8.0
13.6
21.3
28.8
28.3
6,634
6,580
6,536
6,581
3.21
3.19
2.77
2.67
6.5
19.8
18.0
22.3
20.5
15.6
25.9
25.4
31.1
17.2
27.5
25.0
29.6
20.9
18.8
17.5
12.3
26.5
9.8
9.8
6,540
6,505
6,510
2.42
2.41
2.36
31.7
24.9
36.1
24.8
30.9
21.4
21.6
26.6
20.9
13.5
13.7
13.9
8.4
3.9
7.7
6,511
2.30
34.1
26.0
21.1
13.0
5.8
6,399
6,497
2.26
2.21
36.1
39.0
25.4
23.8
20.8
19.7
12.1
12.4
5.6
5.1
*The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used,
5 = Extensively Used.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 223
Table 5-19 (Cont.)
Extent the IAA Currently Uses the
Listed Audit Tools/Techniques
All Respondents by Mean and Frequency
Tools/Techniques
Number of Mean*
Respondents
The IIA’s quality
assessment review
tools
Balanced scorecard
or similar framework
Total quality
management techniques
Process modeling
software
%
Not
Used
%
Moderately
Used
%
Average
Use
%
Very
Much
Used
%
Extensively
Used
6,424
2.06
46.6
20.8
17.4
10.5
4.7
6,427
2.02
48.4
19.2
18.8
9.8
3.8
6,380
1.97
48.6
21.9
17.5
8.5
3.5
6,366
1.69
62.7
16.6
12.4
5.8
2.5
*The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used,
5 = Extensively Used.
Extensively Used
The analysis of the usage frequencies reveals that some tools are used extensively for a significant
portion (more than 25%) by the respondents’ IAAs:
1. Other electronic communication (e-mail, Internet) (46.2%)
2. Risk-based audit plan (28.3%)
3. Electronic working papers (26.5%)
These particular tools match three core tasks of the IAA, planning, documenting field work, and
communication. The latter two tasks can be very labor intensive when completed without technology
support. For IAAs to have invested and developed tools in these areas seems appropriate.
The Institute of Internal Auditors Research Foundation
224 A Global Summary of the Common Body of Knowledge 2006 ______________________
The frequency of the extensively used category for these three tools and techniques shows their
importance to the IAAs. The use of these tools allows the IAA to function efficiently and effectively.
This is especially true for the use of electronic communication and electronic working papers
which help with audit administration. A risk-based audit plan also helps with the performance of the
audit. When available resources are limited, both financially and by number of staff, technology
allows the IAA to expand its scope.
These findings are consistent with those based on the mean scores for other electronic communication
and risk-based audit plan. As shown on the frequency distribution in Table 5-19, there is a difference
for analytical review, which has a relatively high overall mean (3.21) and ranking (3) but has a
lower percentage in the extensively used category (12.3%). Although electronic workpapers is
ranked fourth with a mean of 3.19, in the frequency distribution it is shown as having 26.5% of
respondents indicating extensively use. The use of a risk-based audit plan is in keeping with Standard
2010.A1, Planning, which states that the IAA’s “Plan of engagements should be based on a risk
assessment, undertaken at least annually.” This is supported elsewhere in the Standards and
Practice Advisories. Over 78% of respondents indicate that they extensively use, very much use,
or have average use of this technique.
In Appendix 5, Table 5-19-1-A shows extensively used responses for tools/techniques by auditor
position. This table reveals that there are usually lower frequencies for the response “extensively
used” for CAEs. This is consistent with the means analysis. This may be due to the increased
administrative work and outreach that CAEs do in their daily work. As the head of the department,
the CAE must be aware of the activities and audits undertaken, but be less involved in the daily
operating activities and the audit process. Standard 2030, Resource Management, states that the
CAE “should ensure that internal audit resources are appropriate, sufficient, and effectively deployed
to achieve the approved plan.” The most significant differences in this table are for electronic
communications (41.5% for the CAE, 50.6% for Audit Seniors/Supervisors), electronic workpapers
(21.1% for CAEs, Audit Staff 30.9%), and risk-based audit planning (29.6% for Audit Seniors/
Supervisors, Other 17%).
Not Used
The analysis of frequencies makes it possible to identify those tools that are currently not used at
all by respondents in auditing activities. According to Practice Advisory 1210-1, Proficiency, not
everyone in the IAA must be able to apply the tools and techniques required in performing
engagements. Rather, the IAA must collectively possess this ability. This means that all members
of the IAA should be aware of the use of various tools and techniques in the department, but each
staff member need not have a specific facility and ability to use the tool.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 225
An unusually high number of the listed tools and techniques are indicated as not being used at all
based on Table 5-19. This information can be very important for practitioners, consultants, standard
setters, software companies, and others servicing or involved with the internal audit profession.
More than one-fifth of the respondents do not use benchmarking (24.9%) or computer-assisted
audit techniques (22.3%). The least used tool is process modeling software which is not used by
62.7% of respondents. Many other tools are indicated as not being used by more than 30% of
respondents.
The percentage of respondents that do not currently use the listed tools and techniques that fall into
this category are:
•
•
•
•
•
•
•
•
•
Process modeling software (62.7% of respondents do not use this tool).
Total quality management techniques (48.6%).
The balanced scorecard or similar framework (48.4%).
The IIA’s quality assessment review tools (46.6%).
Continuous/real-time auditing (39.0%).
Data mining (36.1%).
Process mapping application (36.1%).
Control self-assessment (34.1%).
Flowchart software (31.7%).
Standard 1300, Quality Assurance and Improvement Program, requires the CAE to “develop and
maintain a quality assurance and improvement program…and continuously monitors its
effectiveness.” This program is “designed to help the internal audit activity add value and improve
the organization’s operations.” Many IAAs see value in implementing this standard. Low use of
The IIA’s quality assessment review (QAR) tools makes compliance with this standard and
contributing to the organization’s governance, risk management, and effectiveness more difficult.
In Chapter 4, 32.8% of respondents indicated that they currently have a quality assessment and
improvement program in place and 21.9% intend to put one in place in the next 12 months.
According to Practice Advisory 2100-6, Control and Audit Implications of E-commerce Activities,
when control self-assessment (CSA) is used by management to review controls, the IAA should
review the policies for authenticating transactions and evaluating controls. The use of electronic
systems and models is the most effective way to monitor and evaluate e-commerce activities. The
list of tools and techniques above indicates that many respondents do not use the listed tools and
techniques that would enable IAA staff to easily test systems and controls.
The Institute of Internal Auditors Research Foundation
226 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-19 further reveals that statistical sampling (indicated as not used by 18%) is often used in
a moderate or average way. This is in accordance with Practice Advisory 2100-10, Audit Sampling.
The use of benchmarking is similar. Some management techniques, such as total quality management
(48.6% not used) and the balanced scorecard (48.4% not used), are not generally used in internal
audit activities.
Control self-assessment (CSA) is not widely used by the IAA (34.1% not used), so that in most
organizations the involvement of management in self-evaluating the control activity might not be
fully exploited. However, it is important to distinguish between control self-assessment as an audit
technique for the internal auditor to complete an audit engagement and CSA as a management
practice implemented in an organization with or without the involvement of the IAA. Management
should self-assess their internal control on an ongoing basis as part of their managerial responsibilities
external to the IAA.
In Appendix 5, Table 5-19-2-A shows by frequency and positional level of the respondent the audit
tools and techniques that are not currently used by the IAA. The frequencies for the answer “not
used” are generally higher for CAE respondents than for Practitioners. Differences between the
frequencies for tools not used are markedly different for control self-assessment (40.8% CAE,
27.3% for Audit Staff), process modeling software (69.9% CAE, 55.3% Audit Staff), and total
quality management techniques (54.1% CAE, 41.6% Audit Staff).This continues the pattern
previously noted.
In Appendix 5, Table 5-19-3-A details the frequency for all 13 groups for the response “not currently
used.” Major differences include the use of electronic workpapers (66.7% in group 12 versus
7.8% in group 8), flowchart software (73.5% in group 12 versus 25.5% in group 1), and process
mapping application (62.5% in group 12 versus 22.5 in group 8). In group 12, for most tools/
techniques the frequency of the not used response is higher than in other groups. Other differences
among the groups indicate a general lack of consistency in the use of the listed tools and techniques
globally.
The groups’ means and frequencies highlight differences in the current practice globally among the
listed tools and techniques. Electronic communication and electronic working papers are extensively
used. Process modeling software is often not used by auditors (62.7%), while computer-assisted
audit techniques and flowchart software are moderately used. In some respondents’ organizations,
process mapping application and data mining are not used (frequency of 36.1% for each tool). This
is also true for continuous/real-time auditing (39.0% not used). Standard 1220, Due Professional
Care, recommends that the internal auditor exercise due professional care and consider the use of
computer-assisted audit tools and other data analysis techniques.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 227
Respondents by group indicate that auditing techniques such as analytical review and a risk-based
approach for audit planning are generally used and in many cases used extensively. Data suggests
that IAAs are focusing their resources and activities on critical areas and on the organization’s
primary business risks.
Predictive Changes in the Use of Audit Tools and Techniques Over the
Next Three Years
It is important to understand how the IAA plans to change the way it performs audits and how it
plans to become more effective and efficient as it adds value to its organization. Table 5-20 provides
an overall view of the extent to which respondents’ IAAs intend to use the listed tools and techniques
in the next three years. Again, respondents did not have an opportunity to list tools not mentioned
on the pre-established list. An overall mean response and means by respondents’ staff level are
provided.
Using the overall mean for all respondents, the top five means for tools where usage is expected to
increase are:
1.
2.
3.
4.
5.
Other electronic communication (e.g., Internet, e-mail) (4.16).
Risk-based audit planning (3.99).
Electronic workpapers (3.68).
Analytical review (3.42).
Computer-assisted audit techniques (CAAT) (3.37).
Respondents are consistent with their emphasis on the same tools and techniques as they are
currently using. The only change in the top five tools when compared to current use is with number
five. Statistical sampling (currently ranked sixth) has been replaced by computer-assisted audit
techniques which had been ranked sixth.
The Institute of Internal Auditors Research Foundation
228 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-20
Extent the IAA Plans to Use the
Listed Audit Tools/Techniques in the Next Three Years
All Respondents by Mean*
Tools/Techniques
Number of
Respondents
Mean
CAE
Audit
Manager
Audit
Audit Other
Senior/ Staff
Supervisor
Other electronic
communication (e.g.,
Internet, e-mail)
Risk-based audit planning
Electronic workpapers
Analytical review
Computer-assisted audit
techniques
Statistical sampling
Data mining
Control self-assessment
Benchmarking
Continuous/real-time
auditing
Flowchart software
The IIA’s quality
assessment review tools
Process mapping application
Total quality management
techniques
Balanced scorecard or
similar framework
Process modeling software
4,751
4.16
4.11
4.20
4.24
4.21
3.87
4,789
4,816
4,731
4,826
3.99
3.68
3.42
3.37
4.09
3.59
3.41
3.36
4.05
3.81
3.42
3.44
3.96
3.75
3.46
3.39
3.84
3.71
3.42
3.26
3.54
3.39
3.25
3.23
4,756
4,731
4,816
4,741
4,845
3.04
2.84
2.82
2.79
2.78
2.95
2.84
2.75
2.80
2.73
3.00
2.88
2.76
2.84
2.80
3.10
2.86
2.89
2.77
2.82
3.17
2.80
2.97
2.73
2.87
3.15
2.63
2.88
2.74
2.69
4,794
4,799
2.77
2.73
2.71
2.73
2.84
2.82
2.77
2.69
2.78
2.66
2.82
2.70
4,767
4,772
2.72
2.43
2.65
2.34
2.71
2.44
2.79
2.46
2.79
2.52
2.77
2.57
4,770
2.38
2.31
2.44
2.39
2.41
2.41
4,749
2.08
1.95
2.05
2.17
2.23
2.30
*The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used,
5 = Extensively Used.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 229
In Appendix 5, Table 5-20-1-A shows groups’ means for use of tools and techniques in the next
three years. Again there is consistency globally when taking out the high and low outliers. There
are noticeable differences for total quality management between group 8 and group 12. Other tools
with a difference of more than 1.25 between groups include benchmarking, CAAT, continuous/
real-time auditing, data mining, risk-based audit planning, and statistical sampling.
By comparing the overall means from Table 5-20 and rankings from Table 5-21, with the means
and rankings for CAEs and other practitioners by staff level, there is a high level of consistency
between the staff levels. This reinforces the expectation that CAEs would adequately communicate
plans and expectations with all members of the IAA staff. The only major difference is for the
planned use of risk-based audit planning (4.09 for the CAE versus 3.54 for Other), but all positions
rank this technique as second most used or to be used.
The Institute of Internal Auditors Research Foundation
230 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-21
Extent the IAA Plans to Use the
Listed Audit Tools/Techniques in the Next Three Years
All Respondents by Rank*
Tools/Techniques
Other electronic
communication (e.g.,
Internet, e-mail)
Risk-based audit planning
Electronic workpapers
Analytical review
Computer-assisted audit
techniques
Statistical sampling
Data mining
Control self-assessment
Benchmarking
Continuous/real-time
auditing
Flowchart software
The IIA’s quality
assessment review tools
Process mapping application
Total quality management
techniques
Balanced scorecard or
similar framework
Process modeling software
Number of
Respondents
Overall
Average
CAE
Audit
Manager
Audit
Audit Other
Senior/ Staff
Supervisor
4,751
1
1
1
1
1
1
4,789
4,816
4,731
4,826
2
3
4
5
2
3
4
5
2
3
5
4
2
3
4
5
2
3
4
5
2
3
4
5
4,756
4,731
4,816
4,741
4,845
6
7
8
9
10
6
7
9
8
10/11
6
7
12
8/9
11
6
8
7
11/12
9
6
9
7
12
8
6
13
7
10
12
4,794
4,799
11
12
12
10/11
8/9
10
11/12
13
11
13
8
11
4,767
4,772
13
14
13
14
13
14/15
10
14/15
10
14
9
14
4,770
15
15
14/15
14/15
15
15
4,749
16
16
16
16
16
16
Note: In some cases the rankings were tied. For example, rankings of continuous/real-time auditing and The IIA’s
quality assessment review tools at the CAE level were tied.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 231
The frequency analysis provides another view of the extent the IAA plans to use the listed audit
tools/techniques in the next three years. Table 5-22 reports the frequencies for all respondents.
Table 5-22
Extent the IAA Plans to Use the Listed Audit Tools/Techniques
in the Next Three Years
All Respondents by Mean and Frequency
Tools/Techniques
Number of Mean*
Respondents
Other electronic
communication (e.g.,
Internet, e-mail)
Risk-based audit
planning
Electronic workpapers
Analytical review
Computer -assisted
audit techniques
Statistical sampling
Data mining
Control self-assessment
Benchmarking
Continuous/real-time
auditing
Flowchart software
The IIA’s quality
assessment review
tools
Process mapping
application
Total quality
management techniques
Balanced scorecard or
similar framework
Process modeling
software
%
Not
Used
%
Moderately
Used
%
Average
Use
%
Very
Much
Used
%
Extensively
Used
4,751
4.16
1.6
5.6
16.3
28.1
48.4
4,789
3.99
3.1
6.6
17.6
33.6
39.1
4,816
4,731
4,826
3.68
3.42
3.37
8.0
4.3
7.8
10.7
14.6
15.8
20.5
31.5
26.8
27.0
33.9
31.1
33.8
15.7
18.5
4,756
4,731
4,816
4,741
4,845
3.04
2.84
2.82
2.79
2.78
10.5
18.7
15.1
13.5
18.0
21.8
21.9
26.3
27.6
24.3
32.7
26.5
28.6
31.4
27.8
23.7
22.4
21.1
21.3
21.0
11.3
10.5
8.8
6.2
8.9
4,794
4,799
2.77
2.73
19.4
20.3
24.3
23.7
26.8
27.5
19.0
19.4
10.5
9.1
4,767
2.72
22.6
22.2
25.6
19.8
9.8
4,772
2.43
30.0
24.5
24.7
14.6
6.2
4,770
2.38
31.2
24.1
25.0
15.0
4.7
4,749
2.08
43.9
22.4
19.6
10.0
4.1
*The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used,
5 = Extensively Used.
The Institute of Internal Auditors Research Foundation
232 A Global Summary of the Common Body of Knowledge 2006 ______________________
Tools that Will Be Extensively Used
Generally, respondents expect that there will be an extensive use of a wide range of tools in the
next three years, usually more than at present. The results when comparing the overall frequency
in Table 5-22 with the results in Table 5-19 show several significant increases in the use of the
listed tools.
•
•
•
•
Risk-based audit planning (usage of 39.1% in the next three years versus 28.3% current
usage)
Computer-assisted audit techniques (18.5% in the next three years versus 9.8% currently)
Electronic workpapers (33.8% in the next three years versus 26.5% currently)
The IIA’s quality assessment review tools (9.1% in the next three years versus 4.7%
currently)
The general increase in the frequencies of the “extensively used” response is consistent for both
CAEs and Practitioners. There are slight differences between the two categories of respondents
when comparing the results in Table 5-19-1-A and Table 5-22-1-A:
•
•
Risk-based audit planning (12.9% increase for CAE versus 7.0% increase for Audit Staff)
Other electronic communication (8.3% increase for Other versus 0.7% increase for Audit
Manager)
Tools that Will Not be Used in the Next Three Years
Table 5-23 compares some of the results of Table 5-22-2-A in Appendix 5 that lists the tools that
will not be used in the next three years with Table 5-19-2-A in Appendix 5 that shows tools not
currently used. The decrease in the overall frequencies for all respondents (which means an
increase in the number of respondents who will use a certain tool) is particularly relevant for the
following tools and techniques.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 233
Table 5-23
Comparison of Audit Tools/Techniques Not Currently Used by the IAA
Now and in the Next Three Years
All Respondents Percentage
Tools and Techniques
Process modeling software
Balanced scorecard or similar
framework
IIA’s quality assessment
review tools
Continuous real-time auditing
Data mining
Control self-assessment (CSA)
Computer-assisted audit
techniques
Respondents
Indicating
Currently Not Used
Respondents Projecting That This
Tool Will Not Be Used in the Next
Three Years
62.7
48.4
43.9
31.2
46.6
20.3
39.0
36.1
34.1
22.3
18.0
18.7
15.1
7.8
These findings are important since they reveal that most CAEs and Practitioners in the near future
intend to use the tools and techniques suggested by the Standards, Practice Advisories, and best
practices even when they are currently not used today. The expected increase for the CSA tool as
well as for continuous/real-time auditing will contribute to making management more aware of and
responsible for the internal control system.
Resolution of Major Differences
Practice Advisory 2410-1, Communication Criteria, suggests “As part of the internal auditor’s
discussions with the engagement client, the internal auditor should try to obtain agreement on the
results of the engagement and on a plan of action to improve operations, as needed.” Respondents
were asked to indicate at what points in the audit process major differences are resolved. Each
category could be selected by each respondent since they may resolve major issues in several
phases of the audit process. Table 5-24 shows that 44.5% of the respondents usually resolve major
differences during fieldwork and 45.2% usually resolve them during audit reporting. Thirty-two
point four percent sometimes resolve audit issues during planning, and 28.5% indicated that resolution
rarely happens during the planning stage.
The Institute of Internal Auditors Research Foundation
234 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-24
When Are Major Audit Issues Resolved
for All Respondents by Percentage
When Resolved
Never
Rarely
Sometimes
Usually
Always
Total
During
Planning
% of 6,358
Respondents
During
Audit
Fieldwork
% of 6,710
Respondents
16.1
28.5
32.4
16.3
6.7
100.0
1.9
6.6
37.1
44.5
9.9
100.0
During Audit
Reporting
% of 6,760
Respondents
2.0
7.1
27.8
45.2
17.9
100.0
After the
Never*
Audit
% of 4,319
Report is Respondents
Issued
% of 6,398
Respondents
18.6
31.6
20.6
18.6
10.6
100.0
61.2
24.4
9.2
2.6
2.6
100.0
*The researchers presume this means that issues were never left unresolved throughout the process.
Approximately 23% of all respondents believed that audit issues are always or usually resolved
during planning; about half of them noted that audit issues are usually or always resolved during
audit fieldwork (54.4%); and about 63.1% of them thought that issues are resolved during audit
reporting. About 5.2% of these issues do not appear to ever be followed up. It seems that major
audit issues are resolved throughout the audit process but predominantly during fieldwork and the
audit reporting period.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 235
Reporting of Findings
Standard 2440, Disseminating Results, states, “The chief audit executive should communicate
results to the appropriate parties.” Figure 5-8 indicates that a majority of 58.8% of the respondents
agree that the responsibility of reporting audit findings rests with the CAE. The next staff level for
reporting results that respondents selected is the Audit Manager (19.6%).
Figure 5-8
Primary Responsibility for Reporting Findings to
Senior Management
All Respondents (7,119) in Percentages
No formal
reporting of
results
1.1%
Other
1.9%
Auditee/client
3.4%
Both internal
audit manager
and auditee/client
7.4%
CAE
58.8%
Both CAE and
auditee/client
7.8%
Internal audit
manager
19.6%
The Institute of Internal Auditors Research Foundation
236 A Global Summary of the Common Body of Knowledge 2006 ______________________
As shown in Table 5-25, CAEs believe they have the primary responsibility for reporting the audit
findings alone (75.1%) or jointly (10.3%) with the auditee/client, while Audit Managers indicate
they should report the findings alone (28.2%) or with the auditee/client (9.4%). Audit Senior/
Supervisor, Audit Staff, and Other concur with the Audit Manager respondents.
Table 5-25
Primary Responsibility for Reporting Findings to Senior Management
All Respondents in Percentages
Responsibility
Total
CAE
Audit
Audit
Audit Staff
Other
Overall
for Reporting Respondents Respondents Manager
Senior/
Respondents Respondents Average
Findings
by
% of Total Respondents Supervisor % of Total % of Total
%
Position
% of Total Respondents
% of Total
CAE
Internal audit
manager
Both chief
audit
executive
and auditee/
client
Both internal
audit
manager and
auditee/client
Auditee/
client
Other
No formal
reporting of
results
Total respondents/total
4,187
1,396
75.1
6.4
51.6
28.2
54.7
24.4
51.6
24.3
43.0
18.0
58.8
19.6
555
10.3
6.6
5.9
6.9
10.0
7.8
528
3.6
9.4
9.8
8.0
7.0
7.4
240
2.7
2.8
2.5
5.2
7.5
3.4
134
79
0.9
1.0
0.8
0.6
2.1
0.6
2.9
1.1
7.5
7.0
1.9
1.1
7,119
100.0
100.0
100.0
100.0
100.0
100.0
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 237
Monitoring Corrective Action
In Standard 2500, Monitoring Progress, “The chief audit executive should establish and maintain a
system to monitor the disposition of results communicated to management.” Standard 2500.A1
goes on to require that “a follow-up process to monitor and ensure that management actions have
been effectively implemented or that senior management has accepted the risk of not taking action.”
Figure 5-9 provides respondents’ beliefs about who has the primary responsibility for monitoring
corrective action on findings listed in audit reports. Fifty percent believe that both the internal
auditor and auditee/client have the primary responsibility for monitoring corrective action.
Figure 5-9
Primary Responsibility for Monitoring Corrective Action Taken
All Respondents (7,116) in Percentages
Other
1.9%
No formal
follow-up
3.1%
Auditee/client
13.7%
Both internal
auditor and
auditee/client
50.0%
Internal auditor
31.3%
The Institute of Internal Auditors Research Foundation
238 A Global Summary of the Common Body of Knowledge 2006 ______________________
In Table 5-26, the majority of the respondents (37.5% to 54.5%) believe that both the internal
auditor and auditee/client together have the primary responsibility to monitor that needed corrective
action has been adopted. Between 25.8% and 35.7% of the respondents indicated that the internal
auditor has the primary responsibility. With the exception of the Other respondents (8.5%), only
2.0% to 3.4% indicated they had no formal follow-up procedures.
Table 5-26
Primary Responsibility for Monitoring Corrective Actions Taken
All Respondents in Percentages
Primary
Total
CAE
Audit
Audit
Audit Staff
Other
Overall
Responsibility Respondents Respondents Manager
Senior/
Respondents Respondents Average
by Position % of Total Respondents Supervisor % of Total % of Total
Total
% of Total Respondents
Percent
% of Total
Both internal
audit and
auditee/client
Internal auditor
Auditee/client
No formal
follow-up
Other
Total
respondents
3,560
54.5
51.8
47.9
46.9
37.5
50.0
2,226
974
219
28.0
14.0
2.0
30.4
13.7
2.8
34.3
12.5
3.4
35.7
12.9
3.0
25.8
19.2
8.5
31.3
13.7
3.1
137
7,116
1.5
100.0
1.3
100.0
1.9
100.0
1.5
100.0
9.0
100.0
1.9
100.0
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 239
Summary
The operation of the internal audit activity is complex and demanding. The chief audit executive
must manage both internal and external relationships, the administration and organization of the
activity, the plan and functioning of the audits performed, and resolve any issues that arise. The
Standards and Practice Advisories provide the guidance needed to accomplish these tasks, but
compliance may be challenging due to internal and external limitations placed upon the department.
The appointment procedures, performance evaluations, and reporting relationships for CAEs are
generally in accordance with Standard 1100, Independence and Objectivity, and 1110, Organizational
Independence. IAA independence is maintained by having board and senior management
involvement in the CAE’s hiring and performance evaluation. The matrix relationship and participation
of key constituents helps maintain independence and the IAA’s position in the organization.
Perceptions by CAE respondents provide a very positive view about the IAA within their
organizations, and the IAA is seen as highly credible. Many IAAs are relatively young but follow
the guidance included in the Standards and utilize the documents recommended by The IIA. Most
IAAs use a risk-based approach to engagement planning and allocate time in accordance with the
needs of the organization, focusing on the effectiveness of risk management, control, and governance
processes. CAEs and Practitioners almost uniformly rank the tools currently used by the IAA the
same, with electronic communication (e.g., Internet, e-mail), risk-based audit planning, analytical
review, and electronic workpapers as the most used tools. These tools are also expected to be the
most used in the next three years. Major audit issues are resolved throughout the audit process but
predominantly during fieldwork and the audit reporting period.
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
13.3
22.6
10.9
23.8
9.9
25.5
811
583
515
206
171
55
16.4
10.5
11.7
11.5
20.4
19.4
47.3
48.0
30.6
50.5
49.9
41.4
47.3
55.6
31.6
34.8
44.4
64.6
25.5
29.2
29.1
29.9
27.1
36.7
3.6
11.7
20.4
12.8
9.4
9.5
5.5
7.6
9.7
7.2
7.0
9.0
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
Publicly
Traded
(Listed)
Company
Privately
Held
(Non-listed)
Company
Public
Sector/
Government
Service
Provider/
Consultant
Not-forProfit
Organization
Other
1.8
4.1
12.1
7.4
3.6
5.2
3.6
9.4
8.7
5.0
2.4
1.5
Type of
Total Board of Chair
Chief
Audit
Senior
Auditee/ Supervisor
Peers/
Not
Organization/ Respon- Directors of the Executive Committee/ ManageClient
Periodically Subordinates Evaluated
Number of
dents
Board Officer Oversight
ment
at the End
Periodically
Respondents
Committee/
of Audit
Committee
Chairperson
Table 5-3-1-A
Evaluation of CAE’s Performance by Type of Organization
CAE Respondents in Percentages
APPENDIX 5
240 A Global Summary of the Common Body of Knowledge 2006 ______________________
____________________________ Chapter 5: Current Status of the Internal Audit Activity 241
Table 5-4-1-A
CAE’s Relationship with Audit/Oversight Committee by Group*
CAE Respondents - Percentage of Yes Responses
Question
Is there an audit/
oversight committee
in your organization?
Does the CAE meet
with the audit/
oversight committee
chairperson in
addition to the
regularly
scheduled
meetings?
Does the CAE
believe that he/she
has appropriate
access to the audit/
oversight committee?
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
85.2 92.9 91.4 53.5 38.7 49.7 51.2 69.5 65.8 54.3 81.5 100.0
65.5
64.1 75.6 75.5 70.6 62.3 43.4 67.2 48.8 69.2 44.0 77.3
77.8
59.6
93.9 91.0 92.0 90.0 88.2 85.5 88.1 88.1 89.3 92.0 93.9
88.9
84.2
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
3.96 4.19 4.44
3.15 3.98 4.33
3.91 4.08 4.67
4.39 4.45 5.00
4.61 4.51 4.78
3.70 3.87 3.80 3.27 3.09 2.78 3.33 3.51 3.48
4.07 4.21 4.03 3.90 4.09 4.26 4.27 4.00 4.00
4.43 4.55 4.38 4.32 4.30 4.62 4.67 4.55 4.49
4.56 4.64 4.64 4.38 4.51 4.75 4.73 4.64 4.56
12
4.19 4.37 4.22 3.88 4.04 3.97 4.11 3.99 4.09
11
3.80 4.13 4.22
10
4.16 4.18 4.10 4.16 3.87 4.12 4.34 3.98 3.98
9
3.85 3.95 4.22
8
3.84 4.05 3.96 3.65 3.80 3.58 3.90 3.66 3.70
7
4.13 4.40 4.67
6
4.41 4.51 4.42 3.93 4.23 4.47 4.40 4.34 4.13
5
4.43 4.37 5.00
3.80 4.13 4.56
4
4.46 4.55 4.30 4.12 4.35 4.40 4.51 4.40 4.39
3.99 4.23 4.08 3.80 4.02 4.00 4.19 4.10 4.05
3
4.57 4.44 4.78
2
4.45 4.57 4.44 4.21 4.41 4.64 4.63 4.43 4.31
1
*For a list of groups, please see Appendix 1-B.
**The mean is the average response to: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree.
***N/C = Respondents did not indicate affiliate or chapter membership.
Your internal audit function is an independent
objective assurance and consulting activity.
Your internal audit function adds value.
Internal audit brings a systematic approach to
evaluate the effectiveness of risk management.
Your internal audit function brings a systematic
approach to evaluate the effectiveness of
internal controls.
Your internal audit function brings a systematic
approach to evaluate the effectiveness of
governance processes.
Your internal audit function proactively
examines important financial matters, risks,
and internal controls.
Your internal audit function is an integral part
of the governance process by providing reliable
information to management.
The way our internal audit function adds value
to the governance process is through direct
access to the audit committee.
Your internal audit function has sufficient
status in the organization to be effective.
Independence is a key factor for your internal
audit function to add value.
Objectivity is a key factor for your internal
audit function to add value.
Statement
Table 5-8-1-A
Relationship of IAA to the Organization by Group*
CAE Respondents in Means**
4.41
4.38
3.89
3.34
3.90
4.02
3.62
4.15
4.28
4.00
4.27
N/C***
242 A Global Summary of the Common Body of Knowledge 2006 ______________________
7
8
9
10
11
12
4.22 4.13 4.78
6
3.99 4.04 4.11 3.99 4.11 3.99 4.42 3.91 4.20
5
3.98 3.91 4.56
4
3.74 3.85 3.99 3.99 4.01 3.83 4.27 3.79 4.07
3
4.28 4.33 4.33
2
4.35 4.45 4.22 4.05 4.19 4.52 4.51 4.16 4.24
1
*For a list of groups, please see Appendix 1-B.
**The mean is the average response to: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree.
***N/C = Respondents did not indicate affiliate or chapter membership.
Your internal audit function is credible within
your organization.
Compliance with The IIA’s International
Standards for the Professional Practice of
Internal Auditing is a key factor for your
internal audit function to add value to the
governance process.
Compliance with The IIA’s code of ethics is
a key factor for your internal audit function
to add value to the governance process.
Statement
Table 5-8-1-A (Cont.)
Relationship of IAA to the Organization by Group*
CAE Respondents in Means**
3.80
3.77
4.13
N/C***
____________________________ Chapter 5: Current Status of the Internal Audit Activity 243
The Institute of Internal Auditors Research Foundation
3.10
1.91
2.39
2.70
1.98
2.41
2.05
2.78
2.43
3.99
2.46
1.69
3.86
2.60
1.92
1.84
2.21
1.61
3.71
2.82
2.25
2.09
2
3.24
2.04
2.49
2.75
2.06
2.25
2.30
3.20
2.61
4.26
1
2.25
1.64
3.91
2.72
2.14
2.11
2.97
2.15
2.46
2.68
2.13
2.33
2.11
3.31
2.20
4.19
3
2.59
1.67
2.53
2.59
1.82
1.85
2.98
1.52
2.12
2.39
2.79
2.76
2.15
2.73
2.12
3.39
4
2.43
1.73
3.54
2.81
1.98
1.97
3.47
1.98
2.58
2.53
2.47
2.41
2.77
3.34
2.44
4.07
5
2.25
1.73
3.71
2.53
1.99
1.86
3.33
1.80
2.29
2.74
2.26
2.11
2.19
3.10
2.18
4.11
6
2.67
1.95
3.38
2.81
1.95
1.86
3.31
2.13
2.19
2.91
2.46
2.31
1.88
3.12
2.38
3.84
7
2.69
1.79
3.36
2.82
1.78
1.63
3.10
2.17
2.28
2.43
2.09
2.32
2.28
3.53
2.37
3.95
8
2.35
1.78
3.23
2.85
1.83
2.02
3.57
1.98
2.70
3.00
2.60
2.55
2.86
3.26
2.51
4.05
9
1.89
1.56
3.86
2.18
2.01
1.75
3.20
2.11
2.53
2.40
2.01
2.20
1.85
3.21
2.10
4.38
10
2.49
1.71
3.52
2.71
2.06
2.14
3.44
2.09
2.45
2.54
2.16
2.24
2.29
2.56
2.32
3.90
11
1.84
1.42
3.55
3.00
1.91
1.97
3.32
1.76
2.47
2.50
2.44
2.19
2.12
1.97
1.68
3.15
2.40
1.77
3.17
2.77
1.82
1.91
3.07
1.977
2.302
2.051
2.49
2.29
2.15
3.10
2.20
3.84
12 N/C***
*For a list of affiliate groups, please see Appendix 1-B.
**The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used, 5 = Extensively Used.
***N/C = Respondents did not indicate affiliate or chapter membership.
Analytical review
Balanced scorecard or similar framework
Benchmarking
Computer-assisted audit techniques
Continuous/real-time auditing
Control self-assessment
Data mining
Electronic workpapers
Flowchart software
Other electronic communication
(e.g., Internet, e-mail)
Process mapping application
Process modeling software
Risk-based audit planning
Statistical sampling
The IIA’s quality assessment review tools
Total quality management techniques
Tools/Techniques
Table 5-17-1-A
Extent the IAA Currently Uses the Listed Audit Tools/Techniques by Group*
All Respondents by Means**
244 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 245
Table 5-19-1-A
Audit Tools/Techniques that are Currently Extensively Used
All Respondents by Frequency*
Tools/Techniques**
Mean
CAE
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
Other
Other electronic communication
(e.g., Internet, e-mail)
Risk-based audit planning
Electronic workpapers
Analytical review
Computer-assisted audit techniques
Statistical sampling
Flowchart software
Process mapping application
Control self-assessment
Data mining
Continuous/real-time auditing
The IIA’s quality assessment
review tools
Balanced scorecard or similar
framework
Benchmarking
Total quality management techniques
Process modeling software
46.3
41.5
49.5
50.6
48.5
31.7
28.3
26.5
12.4
9.8
9.7
8.3
7.7
5.7
5.6
5.1
4.6
28.1
21.1
10.8
6.9
7.2
6.2
5.8
3.8
4.5
3.0
3.5
28.8
28.4
11.5
10.2
8.1
8.6
8.0
5.3
5.2
4.3
5.2
29.6
30.1
13.5
11.0
10.7
9.3
9.1
6.2
5.6
5.9
4.4
29.5
30.9
15.0
12.5
15.3
10.7
9.2
9.0
8.0
8.2
6.4
17.0
18.4
12.8
11.1
9.8
8.1
6.4
7.3
6.1
7.0
4.9
3.9
1.9
4.1
4.4
6.0
4.9
3.9
3.5
2.5
3.6
2.3
1.1
2.8
3.6
2.2
4.4
3.4
3.0
5.1
5.9
4.2
5.4
4.3
4.1
*As this is a frequency for only the currently “Extensively Used” category, the rows will not add across to 100.
**The tools/techniques are presented in the table in a decreasing order, according to the ranking of the overall average.
The Institute of Internal Auditors Research Foundation
246 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-19-2-A
Audit Tools/Techniques Currently Not Used
All Respondents by Frequency*
Tools/Techniques**
Process modeling software
Total quality management techniques
Balanced scorecard or similar
framework
The IIA’s quality assessment review
tools
Continuous/real-time auditing
Data mining
Process mapping application
Control self-assessment
Flowchart software
Benchmarking
Computer-assisted audit techniques
Electronic workpapers
Statistical sampling
Risk-based audit planning
Analytical review
Other electronic communication
(e.g., Internet, e-mail)
Mean
CAE
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
Other
62.7
48.6
48.4
69.9
54.1
52.9
64.0
48.3
46.9
58.7
47.8
46.2
55.3
41.6
46.2
55.7
42.2
46.6
46.6
49.8
43.8
47.5
43.5
46.0
39.0
36.1
36.1
34.1
31.7
24.9
22.3
19.8
18.0
8.0
6.5
2.7
42.9
38.0
40.1
40.8
33.9
23.8
23.7
22.3
19.6
6.6
5.4
2.9
42.5
34.6
35.1
35.1
27.1
23.0
19.8
18.2
19.3
7.2
5.7
2.6
34.8
35.5
34.3
30.5
31.3
26.4
21.1
19.3
16.8
7.9
5.9
1.6
31.9
34.5
33.7
27.3
34.1
26.4
24.4
17.1
14.7
9.6
8.3
2.3
42.7
39.6
33.7
30.2
33.9
28.4
24.9
23.6
18.7
16.1
12.5
7.7
*As this is a frequency for only the currently “Not Used” category, the rows will not add across to 100.
**The tools/techniques are presented in the table in a decreasing order, according to the ranking of the overall average.
The Institute of Internal Auditors Research Foundation
4.9
47.5
19.4
18.2
50.0
29.9
38.5
27.8
30.0
3.3
34.4
60.6
6.6
19.1
48.3
54.7
42.1
66.9
6.3
16.8
39.7
42.6
2
5.8
49.3
22.8
18.8
44.3
37.9
33.0
22.7
25.5
2.0
1
40.3
66.3
4.8
20.5
45.7
44.6
8.2
43.8
23.0
21.3
46.4
34.9
40.3
20.1
40.4
1.8
3
28.3
63.6
24.2
17.0
49.0
47.8
6.7
68.0
35.7
26.5
16.8
13.9
36.8
25.7
38.0
7.2
4
31.9
59.2
6.6
17.5
48.7
47.4
3.5
47.0
23.8
29.0
32.2
29.9
20.3
11.8
33.0
1.5
5
35.7
56.2
4.0
18.1
45.2
49.0
3.4
53.0
22.7
18.7
33.9
40.4
34.1
17.5
34.9
1.2
6
24.3
52.0
10.4
18.1
52.4
55.7
4.5
42.3
33.3
18.6
27.6
32.5
54.9
17.9
32.8
4.3
7
22.5
56.5
8.4
16.5
56.8
64.8
10.2
40.0
25.2
29.8
40.8
29.0
37.1
7.8
32.2
2.7
8
39.1
63.7
13.7
20.7
59.6
52.7
7.4
59.1
19.6
21.7
28.0
34.4
22.0
14.6
36.7
6.4
9
51.8
67.9
5.4
32.4
49.5
56.0
5.4
46.4
18.8
27.3
46.3
27.9
51.8
14.3
39.3
1.8
10
37.1
62.1
5.6
20.8
46.9
41.9
2.2
44.3
21.5
28.2
40.9
37.6
38.9
34.8
36.2
3.3
11
62.5
81.8
8.8
14.7
60.6
59.4
14.7
63.6
37.5
38.2
35.3
50.0
48.5
66.7
73.5
23.5
33.2
59.5
14.6
20.0
57.1
52.2
9.9
52.6
32.2
25.4
27.9
33.5
43.0
20.9
41.2
3.2
12 N/C***
*For a list of affiliate groups, please see Appendix 1-B.
**The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used, 5 = Extensively Used.
***N/C = Respondents did not indicate affiliate or chapter membership.
Analytical review
Balanced scorecard or similar framework
Benchmarking
Computer-assisted audit techniques
Continuous/real-time auditing
Control self-assessment
Data mining
Electronic workpapers
Flowchart software
Other electronic communication
(e.g., Internet, e-mail)
Process mapping application
Process modeling software
Risk-based audit planning
Statistical sampling
The IIA’s quality assessment review tools
Total quality management techniques
Tools/Techniques
Table 5-19-3-A
Audit Tools/Techniques Currently Not Used by Group*
All Respondents by Mean**
____________________________ Chapter 5: Current Status of the Internal Audit Activity 247
The Institute of Internal Auditors Research Foundation
3.36
2.24
2.18
3.24
2.07
3.10
2.79
3.28
2.71
4.12
2.72
1.95
4.28
2.89
2.58
2.16
2.53
1.91
4.13
3.09
2.86
2.43
2
3.51
2.37
2.86
3.54
2.87
2.75
3.03
3.82
2.93
4.35
1
2.80
2.19
4.36
3.08
2.92
2.73
3.37
2.61
3.01
3.54
2.91
2.98
2.85
4.00
2.74
4.35
3
2.90
2.15
3.01
3.01
2.41
2.45
3.34
2.13
2.49
2.83
3.02
3.10
2.46
3.15
2.49
3.47
4
3.29
2.56
4.18
3.37
3.04
2.83
3.74
2.60
3.09
3.46
2.97
3.10
3.15
4.00
3.13
4.35
5
2.82
2.21
4.17
2.92
2.60
2.21
3.56
2.22
2.79
3.37
2.63
2.67
2.69
3.56
2.46
4.25
6
2.75
2.30
3.56
2.89
2.60
2.46
2.86
2.27
2.29
3.14
2.62
2.65
2.22
3.29
2.56
3.50
7
2.80
1.99
3.66
2.78
2.18
1.91
3.02
2.30
2.52
2.79
2.26
2.66
2.55
3.58
2.42
3.86
8
2.98
2.35
4.17
3.44
2.94
2.87
4.11
2.51
3.25
4.08
3.34
3.36
3.56
4.01
3.19
4.36
9
2.27
1.88
4.24
2.53
2.85
2.09
3.55
2.40
2.99
3.24
2.41
2.89
2.28
3.61
2.30
4.46
10
3.98
2.33
4.07
3.20
3.01
2.89
3.82
2.77
3.04
3.45
2.80
3.01
2.91
3.31
2.87
4.10
11
3.55
2.87
4.36
4.00
3.52
3.57
3.96
3.36
3.76
4.23
3.52
3.50
3.52
3.62
3.48
4.36
2.78
2.19
3.53
2.91
2.49
2.41
3.22
2.23
2.50
3.14
2.83
2.79
2.57
3.40
2.53
3.84
12 N/C***
*For a list of groups, please see Appendix 1-B.
**The mean is the average response to: 1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used, 5 = Extensively Used.
***N/C = Respondents did not indicate affiliate or chapter membership.
Analytical review
Balanced scorecard or similar framework
Benchmarking
Computer-assisted audit techniques
Continuous/real-time auditing
Control self-assessment
Data mining
Electronic workpapers
Flowchart software
Other electronic communication
(e.g., Internet, e-mail)
Process mapping application
Process modeling software
Risk-based audit planning
Statistical sampling
The IIA’s quality assessment review tools
Total quality management techniques
Tools/Techniques
Table 5-20-1-A
Extent the IAA Plans to Use the Listed
Audit Tools/Technique in the Next Three Years by Group*
All Respondents by Mean**
248 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 5: Current Status of the Internal Audit Activity 249
Table 5-22-1-A
Audit Tools/Techniques that Will Be Extensively Used
in the Next Three Years
All Respondents by Frequency*
Tools/Techniques**
Other electronic communication
(e.g., Internet, e-mail)
Risk-based audit planning
Electronic workpapers
Computer-assisted audit techniques
Analytical review
Statistical sampling
Flowchart software
Data mining
Process mapping application
The IIA’s quality assessment
review tools
Continuous/real-time auditing
Control self-assessment
Benchmarking
Total quality management techniques
Balanced scorecard or similar
framework
Process modeling software
Mean
CAE
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
Other
48.5
45.2
50.2
51.7
51.5
40.0
39.1
33.9
18.5
15.7
11.4
10.5
10.4
9.8
9.0
41.0
29.6
16.7
14.8
9.5
8.8
9.4
7.8
8.2
41.2
37.6
20.4
14.5
10.9
11.1
10.6
9.1
10.4
38.1
36.9
19.6
16.6
12.3
10.4
10.8
11.4
8.6
36.5
36.8
18.0
18.7
15.0
13.3
12.3
12.7
8.8
27.2
26.9
17.9
15.1
13.0
12.4
10.6
12.2
12.4
8.9
8.8
6.2
6.2
4.7
7.4
7.2
6.4
4.7
3.3
8.2
7.9
5.2
6.6
4.4
10.0
9.4
6.6
6.3
4.9
11.8
12.8
7.3
7.9
7.8
10.6
11.1
5.4
10.9
5.3
4.1
2.0
3.8
5.6
5.9
8.1
*As this is a frequency for only the “Extensively Used in the Next Three Years” category, the rows will not add across
to 100.
**The tools/techniques are presented in the table in a decreasing order, according to the ranking of the mean.
The Institute of Internal Auditors Research Foundation
250 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 5-22-2-A
Audit Tools/Techniques that Will Not Be Used in the Next Three Years
All Respondents by Frequency*
Tools/Techniques**
Process modeling software
Balanced scorecard or similar
framework
Total quality management techniques
Process mapping application
The IIA’s quality assessment
review tools
Flowchart software
Data mining
Continuous/real-time auditing
Control self-assessment
Benchmarking
Statistical sampling
Electronic workpapers
Computer-assisted audit techniques
Analytical review
Risk-based audit planning
Other electronic communication
(e.g., Internet, e-mail)
Overall
Average
CAE
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
Other
43.9
31.2
47.9
32.3
44.5
28.7
41.0
31.9
39.8
32.0
38.1
31.3
30.0
22.6
20.3
31.4
24.1
18.7
29.5
23.3
18.6
29.3
21.1
22.1
29.3
21.0
23.6
28.5
21.2
23.5
19.4
18.7
18.0
15.1
13.5
10.5
8.0
7.8
4.3
3.1
1.6
19.9
17.1
18.0
14.5
11.2
11.3
8.3
7.3
3.2
2.1
1.4
17.2
18.1
16.9
17.9
11.9
10.6
5.8
6.1
4.0
2.8
1.7
19.3
18.9
17.9
13.3
15.7
10.3
8.0
8.1
3.8
2.7
1.1
22.1
21.7
18.6
14.5
17.3
9.2
9.1
10.7
7.1
5.6
1.7
19.1
25.1
23.3
17.7
17.0
9.3
12.1
10.8
9.2
7.6
5.5
*As this is a frequency for only the “Will Not Be Used in the Next Three Years” category, the rows will not add across
to 100.
**The tools/techniques are presented in the table in a decreasing order, according to the ranking of the mean.
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS
Chapter 6
Chapter 6: Staffing and Professional Development ............................................................. 251
Introduction......................................................................................................................... 251
Staffing................................................................................................................................ 252
Service Providers ................................................................................................................ 259
Continuing Professional Development ............................................................................... 266
Summary ............................................................................................................................. 271
Appendix 6.......................................................................................................................... 272
Disclosure
Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland
Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of
America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior
written permission of the publisher.
The IIARF publishes this document for informational and educational purposes. This document is intended
to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide
such advice and makes no warranty as to any legal or accounting results through its publication of this
document. When legal or accounting issues arise, professional assistance should be sought and retained.
The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full
range of existing and developing practice guidance for the profession. The IPPF provides guidance to
internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA
Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting
research and knowledge resources to enhance the development and effectiveness of the internal auditing
profession.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 251
CHAPTER 6
STAFFING AND PROFESSIONAL
DEVELOPMENT
Introduction
This chapter summarizes the respondents’ perceptions about staffing their internal audit activities
(IAA) and their staffs’ qualifications. The topics addressed include staffing of the IAA, service
providers, staff evaluation, number of staff with certifications, and continuing professional
development. The main objective of the CBOK 2006 study is to develop a summary of the global
practice of internal auditing around the world.
The number of respondents answering a specific question will often differ from the 9,366 total
respondents in this study. This is due to the following reasons:
•
•
Not all of those that participated in the survey answered all the questions asked. Results
are shown and discussed only for those respondents who answered a particular survey
question.
Not all questions were asked of all respondents.
o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).
o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).
o Some questions were asked of both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA.
These more detailed summaries of results may be provided for the five categories of respondents:
CAEs, Audit Managers, Audit Seniors/Supervisors, Audit Staff, and Other. The respondents in the
Other category consist primarily of other professional staff whose position is not captured by the
traditional job titles included in the survey. A review of their credentials indicates they may be
members of the IAA, employed by service providers, or in organizations where their titles are less
traditional but with duties within internal auditing.
When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.
For a list of groups, please refer to Appendix 1-B of the report. Some tables have additional details.
The Institute of Internal Auditors Research Foundation
252 A Global Summary of the Common Body of Knowledge 2006 ______________________
For example, Table 6-1 has a related Table 6-1-1. Additional related tables may be located in
Appendix 6 at the end of this chapter. A table that is in the Appendix can be clearly identified by an
“A” at the end of its number. For example, Table 6-7-1-A is located in Appendix 6.
Staffing
Number of Staff in the IAA
Practice Advisory 2230-1 states, “The number and experience level of the internal auditing staff
required should be based on an evaluation of the nature and complexity of the engagement assignment,
time constraints, and available resources.” Several survey questions were asked to gain an
understanding of the type of staff, use of co-sourcing, and size of respondents’ IAAs. Table 6-1
lists CAE responses to the current number of audit staff by staff level in their IAAs. Of the 359
CAEs that responded to the use of external auditors as staff, 49.3% or 177 indicate they use this
source for audit staff and 255 of 438 CAE respondents use contract audit staff.
Table 6-1
Number of Full-time Staff at Each Staff Level in the IAA
CAE Respondents in Percentages
Number
CAEs
Audit
Audit
Audit Staff
External
Contract
at Each
% of
Managers
Seniors/
% of
Auditors
Audit Staff
Staff
2,184 CAE
% of
Supervisors
1,742 CAE (co-sourced) (co-sourced)
Level Respondents 1,173 CAE
% of
Respondents
% of
% of
Respondents
954 CAE
359 CAE
438 CAE
Respondents
Respondents Respondents
None
One
2-5
6-10
11 or
More
Total
Support
Staff
(Administrative,
Secretarial,
& Clerical)
Total of
936 CAE
Respondents
0.4
90.1
6.0
1.8
1.7
10.9
36.7
41.6
6.3
4.5
13.2
27.7
41.7
9.1
8.3
3.9
19.5
44.0
14.4
18.2
50.7
12.3
24.5
7.2
5.3
41.6
22.1
27.6
4.3
4.4
12.7
54.6
25.4
3.4
3.9
100.0
100.0
100.0
100.0
100.0
100.0
100.0
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 253
Table 6-1-1 shows that very few of the CAE respondents’ IAAs have part-time staff and those
tend to be at the audit staff level or with outsourced personnel.
Table 6-1-1
Number of Part-time Staff in the IAA
CAE Respondents in Percentages
Number
of Staff
CAE
% of
153 CAE
Respondents
Audit
Managers
% of
119 CAE
Respondents
Audit
Audit Staff
External
Contract
Seniors/
% of
Auditors
Audit Staff
Supervisors
231 CAE
(co-sourced) (co-sourced)
% of
Respondents
% of
% of
120 CAE
181 CAE
194 CAE
Respondents
Respondents Respondents
None
One
2-5
6-10
11 or
More
Total
51.6
39.2
6.5
2.0
0.7
70.6
19.3
8.4
0.8
0.9
65.0
21.7
12.5
0.0
0.8
31.2
37.7
26.8
2.2
2.1
42.0
19.3
32.6
3.3
2.8
42.3
29.4
22.7
2.1
3.5
39.8
53.4
4.9
0.5
1.4
100.0
100.0
100.0
100.0
100.0
100.0
100.0
The Institute of Internal Auditors Research Foundation
Support
Staff
(Administrative,
Secretarial,
& Clerical)
% of
206 CAE
Respondents
254 A Global Summary of the Common Body of Knowledge 2006 ______________________
Many of the respondents’ IAAs have a fairly small number of staff members at each staff level.
Figure 6-1 reports that 24% of the respondents to this question indicate that their IAAs have 1-3
members of the audit staff. Another 18.9% have 4-6 staff members and an additional 11.1% have
7-9 staff members in their IAAs. Of the respondents, 25.8% have 25 or more staff members in
their IAA.
Figure 6-1
Number of Full-time Staff at Each Staff Level
All Respondents (6,646) in Percentages
1-3
24.0%
25 or more
25.8%
22-24
2.0%
4-6
18.9%
19-21
2.7%
16-18
3.8% 13-15
5.0%
10-12
6.7%
7-9
11.1%
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 255
Open Staff Positions
Several questions were asked about hiring practices for open positions and what methods are used
to make up for staff vacancies. As seen in Figure 6-2, special incentives to hire staff are not
generally used. Only 12.8% of CAEs’ organizations offer relocation expenses, 10.9% provide a
transportation allowance, and 8.4% give a signing bonus.
Figure 6-2
Special Incentives Offered to Hire Staff
CAE Respondents (2,367) in Percentages
Percentage of Respondents
The Institute of Internal Auditors Research Foundation
256 A Global Summary of the Common Body of Knowledge 2006 ______________________
CAEs were also asked what methods are used to make up for staff vacancies. Figure 6-3 show
that 28.2% of CAE respondents replied that their IAAs have no vacancies. CAEs indicate that
the two most common methods used to cover staff vacancies are reduction in the areas of audit
coverage (30.7%) and co-sourcing from internal audit service providers (28.7%).
Figure 6-3
Methods Used to Make Up for Staff Vacancies
CAE Respondents (2,367) in Percentages
Percentage of Respondents
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 257
For groups, Table 6-2 points out that a reduction in coverage is a general strategy common to all
groups, whereas the use of co-sourcing is primarily practiced in groups 1, 2, 3, and 11. Groups 5
(39.7%) and 6 (39.1%) have the highest percentages of no vacancies. Groups 12 (11.1%) and 11
(14.8%) report the lowest levels of no vacancies and the highest level of reducing the areas of
audit coverage, 44.4% and 37% respectively, due to lack of staff.
Table 6-2
Methods Used to Make Up for Staff Vacancies
CAE Respondents in Percentages by Groups*
Methods
1
Facilitate control selfassessments in place
of audits
Reduce areas of
coverage
Increased use of audit
software
Borrowing staff from
other departments
Co-sourcing from
internal audit service
providers
No vacancies
Other methods
Respondents
2
3
4
5
6
7
8
9
10
11
12
N/C**
5.4 14.0 14.7 35.6 16.8 10.3 16.7 11.7 15.2 10.6 18.5 44.4
17.9
35.3 26.7 34.7 23.1 21.2 23.7 26.5 33.0 19.6 23.4 37.0 44.4
25.2
10.6 11.6 18.0 18.3 10.3 17.3 20.5 12.6 26.1
8.5 29.6 33.3
15.9
4.3 14.9 13.6 33.3
15.9
34.6 41.9 43.3 11.5 14.7 21.8 22.0 27.5 17.4 29.8 33.3 11.1
17.2
28.0 24.4 21.3 29.8 39.7 39.1 27.3 24.9 30.4 25.5 14.8 11.1
8.4 10.5 14.0 10.6 14.7 8.3 15.2 16.2 19.6 17.0 17.3 22.2
912
86 150 104 184 156 132 309
46
47
81
9
27.8
19.9
151
11.4 17.4 13.3 19.2 17.9 12.8
8.3 14.2
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
Missing Skills
Standard 1210.A1, Proficiency, notes that, “The CAE should obtain competent advice and assistance
if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all
or part of the engagement.” Standard 1210.C1 goes on to state, “The CAE should decline the
consulting engagement or obtain competent advice and assistance if the internal audit staff lacks
the knowledge, skills, or other competencies needed to perform all or part of the engagement.”
The Institute of Internal Auditors Research Foundation
258 A Global Summary of the Common Body of Knowledge 2006 ______________________
Skill shortages are an issue that CAEs must often address in creative ways. Methods respondents
use to compensate for missing skill sets are indicated in Figure 6-4. In only 13.1% of the respondents’
IAAs are there no missing skill sets. The most typical techniques to address skill shortages are
through the use of co-sourcing/outsourcing (51.4%), reduction of areas of coverage (17.7%), and
borrowing staff from other departments (14.5%).
Figure 6-4
Methods Used to Compensate for Missing Skills
CAE Respondents (2,367) in Percentages
Percentage of Respondents
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 259
Service Providers
Respondents by Staff Level that are Service Providers
Respondents were asked if they work for a service provider or worked for an in-house IAA. As
shown in Figure 6-5, 86% indicate that they work within an organization and 14% of the respondents
indicate that they work for service providers.
Figure 6-5
Service Provider of Internal Audit Services
All Respondents (8,774) in Percentages
Service
Provider
14.0%
In-house
Internal
Audit Activity
86.0%
The Institute of Internal Auditors Research Foundation
260 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 6-3 shows by staff level if the respondents work for an in-house IAA or work for a service
provider.
Table 6-3
Staff Levels at In-house IAA or Service Provider
All Respondents in Percentages
Staff Level
of Respondent
Number of
Respondents
Percent of
Staff Level
Working
In-house
IAA
Percent of
Staff Level
Working for
a Service
Provider
Total
CAEs
Audit Managers
Audit Seniors/Supervisors
Audit Staff
Other
Total/Average
2,337
2,004
2,208
1,595
630
8,774
86.7
83.0
87.2
88.7
82.1
86.0
13.3
17.0
12.8
11.3
17.9
14.0
100.0
100.0
100.0
100.0
100.0
100.0
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 261
Outsourced IAA Activities
Figure 6-6 indicates the percentage of the IAAs’ activities that are performed by service providers.
Sixty-eight point eight percent of CAE respondents indicate that 10% or less of their IAAs’ audit
work is being co-sourced/outsourced. All respondents indicated some level of outsourcing/cosourcing.
Figure 6-6
IAA’s Audit Activities - Percentage Outsourced/Co-sourced
CAE Respondents (2,222) in Percentages
Percentage of Respondents
The Institute of Internal Auditors Research Foundation
262 A Global Summary of the Common Body of Knowledge 2006 ______________________
As described in Table 6-4, 33% of CAEs indicate that their budget for co-sourcing/outsourcing is
projected to increase in the next three years. It appears that most organizations are conducting
their internal audits with in-house audit staff.
Table 6-4
Anticipated Budget Changes for Outsourced/Co-sourced Activities
in the Next Three Years
CAE Respondents in Percentages
Change
Anticipated
Remain the same
Increase
Decrease
Total
Percent of
2,145 Respondents
55.7
33.0
11.3
100.0
Staff Evaluation
Table 6-5 summarizes how audit staff is evaluated. The audit staff is mainly evaluated by a supervisor
on a periodic basis (78.5%). Customer/auditee feedback is the second most commonly used method
for evaluation of audit staff performance (45.6%).
Table 6-5
Method of Staff Evaluation
CAE Respondents in Percentages
Methods of
Staff Evaluation
By supervisor periodically
Customer/auditee feedback
Peers/subordinates periodically
Other
Percent of
2,367 Respondents
78.5
45.6
23.4
15.5
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 263
Certifications
To ensure an adequate grounding of skills and abilities among the audit staff, it is important for
individuals in the IAA to be Certified Internal Auditors (CIA). Other certifications such as CGAP,
CCSA, CFSA, and CISA are also important to show the staff’s proficiency in specialized areas.
CAE respondents were asked about the types of certifications held by their staff. Figure 6-7
provides a listing of the staff certification profile from responding CAEs. A staff member could
have more than one certification. This table indicates that the audit staff has a wide range of
certifications. Public accounting is the most common (35.0%), followed by the CIA certification
(28.6%).
Figure 6-7
IAA Staff Members with Certifications
CAE Respondents (7,072) in Percentages
Percentage of Respondents
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
20.0
6.4
6.9
51.4
19.5
18.5
9.1
39.6
24.1
10.9
14.8
13.0
26.0
3
17.9
14.5
6.0
11.7
40.9
4
16.3
9.4
13.9
6.6
21.9
5
29.4
10.1
6.5
18.4
28.9
6
39.9
4.3
2.6
9.7
7.7
7
21.3
9.3
.6
9.2
17.7
8
26.4
8.0
1.3
19.1
28.8
9
34.8
8.1
5.4
13.7
28.7
10
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
45.3
31.0
Internal Auditing (such
as CIA/MIIA/PIIA)
Information Systems
Auditing (such as CISA/
QiCA/CISM)
Government Auditing/
Finance (such as CIPFA/
CGAP/CGFM)
Control Self-assessment
(such as CCSA)
Public Accounting/
Chartered Accountancy
(such as CA/CPA/
ACCA/ACA)
2
1
Type of Certificate
Table 6-6
IAA Staff Members With Certificates
CAE Respondents - Percentages by Groups*
30.8
5.0
0.0
13.4
23.8
11
29.8
6.67
5.0
15.5
19.3
12
31.95
6.00
8.25
10.83
27.08
N/C**
In Table 6-6, the types of certifications held by groups are listed. CAEs in groups 2 (45.3%) and 4 (40.9%) indicate
their staff have the highest percentages of CIAs. Distribution of the main certifications in Figure 6-7 are generally
consistent with the group distribution in Table 6-6. When the CAEs were asked if there is a need for additional
certifications beyond the CIA/MIIA/PIIA for audit managers, 40.9% of CAEs agreed it was necessary. Many CAEs
(40.4%) believe that they need other certifications in addition to the CIA/MIIA/PIIA designation.
264 A Global Summary of the Common Body of Knowledge 2006 ______________________
1
10.0
1.1
17.28
0.97
26.19 21.7
517 240
11.2
0.0
29.9
0.0
31.4
244
1.7
0.0
1.2
4.5
27.5
20.4
6.6
14.9
4
15.5
3
23.3
2
44.0
398
1.3
10.2
4.1
8.9
4.1
2.1
5
48.3
435
8.2
19.5
6.3
3.0
13.7
5.2
6
14.2
402
1.5
8.4
3.5
2.9
9.6
1.7
7
29.9
682
5.3
6.8
2.6
2.9
18.2
14.6
8
15.2
129
0.0
6.3
0.0
12.2
7.8
9.0
9
39.9
163
0.0
0.0
2.2
1.9
0.0
8.0
10
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: The respondents were asked to mark all that apply so the total of the percentages may be more than 100.
Management/General
17.2
Accounting (such as
CMA/CIMA/CGA)
Accounting - technician
2.2
level (such as CAT/AAT)
Fraud Examination
16.2
(such as CFE)
Financial Services
19.0
Auditing (such as
CFSA/CIDA/CBA)
Fellowship (such as
5.4
FCA/FCCA/FCMA)
Certified Financial
2.6
Analyst (such as CFA)
Other Certifications
23.7
Total Number of
3,095
Respondents Per Group
Type of Certificate
Table 6-6 (Cont.)
IAA Staff Members With Certificates
CAE Respondents - Percentages by Groups*
29.0
302
4.38
10.8
6.7
3.6
10.1
12.9
11
62.9
35
0.0
0.0
5.0
5.0
3.9
19.1
12
37.59
430
1.45
10.11
5.80
16.81
13.76
14.44
N/C**
_______________________________ Chapter 6: Staffing and Professional Development 265
The Institute of Internal Auditors Research Foundation
266 A Global Summary of the Common Body of Knowledge 2006 ______________________
Continuing Professional Development
The IIA requires 80 hours of continuing professional development (CPD) every two years. The
IIA Attribute Standard 1230, Continuing Professional Development, requires internal auditors to
“enhance their knowledge, skills, and other competencies through continuing professional
development.” Respondents were asked how many hours of formal training they received over the
last 36 months or while they have been working in their IAA if less than 3 years. Training includes,
but is not limited to, seminars, conferences, workshops, and in-house information sessions provided
by either the respondents’ organization or other organizations.
Hours of Training Over the Last 36 Months by Staff Level
Table 6-7 lists the number of hours of formal training by staff level taken by the respondents during
the 36-month period prior to responding to the CBOK 2006 survey. The range in hours of formal
training reported is from none to 240 or more hours. There is an expectation that all respondents
would have taken at least 120 hours of CPD over the prior three-year period. Of the CAEs, 48.2%
achieved or exceeded 120 hours of CPD. Another 16.4% of the CAEs attained the 80-119 hour
level of CPD. The percentages of respondents at the other staff levels that achieved 120 or more
hours of formal training are 49.1% for Audit Managers, 42.4% for Senior/Supervisors, 35.5% for
Audit Staff, and 34.1% for Others.
Table 6-7
Hours of Formal Training During the Last 36 Months or
While in IAA if Less Than 3 Years
All Respondents in Percentages
Number
of Hours
CAE
of 2,288
Respondents
Audit
Manager
of 1,947
Respondents
Audit Senior/
Supervisor
of 2,159
Respondents
Audit Staff
of 1,558
Respondents
Others
of 598
Respondents
None
1-39
40-79
80-119
120-159
160-199
200-239
240 or More
Total
0.9
11.6
22.9
1.2
11.2
21.7
1.2
13.2
24.5
2.2
19.1
25.4
7.4
19.4
23.9
16.4
23.9
4.9
6.5
12.9
100
16.8
24.8
5.8
6.3
12.2
100
18.7
20.6
5.1
5.6
11.1
100
17.8
16.9
3.1
4.6
10.9
100
15.2
16.7
4.7
3.0
9.7
100
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 267
In Appendix 6, Tables 6-7-1-A through 6-7-6-A provide more detailed data for the groups. The
tables show details about the hours of formal training received by all respondents within the last 36
months and then broken down by category of internal audit staff.
Hours of Training Compared to Years as a Member of IIA
Table 6-8 looks at whether the period of IIA membership has any affect on the amount of CPD
taken by respondents. It does appear that respondents who have been IIA members for a longer
period of time have taken more CPD in the 36 months prior to the survey. For respondents that
have been members for 11 or more years, 54.6% have taken 120 or more hours of CPD compared
to 50.3% of respondents who have been members for 6-10 years, and 39.4% of respondents who
have been members for 1-5 years.
Table 6-8
Comparing Hours of CPD During the Last 36 Months and
Years as a Member of The IIA
All Respondents in Percentages
Number of
Hours of
Formal
Training
None
1- 39
40-79
80-119
120-159
160-199
200-239
240 or More
Total
IIA Member
for 1-5 Years
of 5,014
Respondents
1.8
15.5
25.4
17.9
18.5
4.0
5.5
11.4
100.0
IIA Member
for 6-10 Years
of 1,657
Respondents
0.9
9.4
21.8
17.6
26.6
5.8
5.8
12.1
100.0
IIA Member
for 11 or More
Years of 1,266
Respondents
1.4
9.1
20.5
14.4
30.0
7.9
6.6
10.1
100.0
The Institute of Internal Auditors Research Foundation
268 A Global Summary of the Common Body of Knowledge 2006 ______________________
CIA/MIIA/PIIA Certification and Hours of CPD
Figure 6-8 summarizes the number of hours of CPD taken by respondents who have their CIA/
MIIA/PIIA certification. Of those that indicate that they are a CIA/MIIA/PIIA, 51% have taken
120 or more hours of CPD.
Figure 6-8
Number of Hours of Formal Training During the Last
36 Months for CIA/MIIA/PIIA Respondents
All Respondents (3,366) in Percentages
240 or more
hours
12.7%
None
1.1%
1-39 hours
9.9%
200-239 hours
6.2%
160-199 hours
6.0%
120-159 hours
26.1%
40-79 hours
21.4%
80-119 hours
16.6%
Hours of Training Required by Law/Statute
To further understand the factors impacting the amount of CPD taken by internal auditors,
respondents were asked how many hours of training over a 12-month period are required by law/
statute in the country where they work. The benchmark for a 24-month period is still the 80 hours
required by The IIA, but it is acknowledged that there could be some country specific variation. In
Table 6-9, the replies appear to be consistent across all levels of audit staff. Respondents that
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 269
indicate they do not have any law/statute requiring CPD in the countries where they work range
from 38.0% to 41.2%. Countries that have statutory requirements for 31-40 hours per year of
CPD range from 25.0% to 32.8%. A few countries require more than 40 hours of CPD annually.
The relatively high percentage of respondents that work in countries that have no or minimum
statutory CPD requirement, may help explain why many of the respondents in Table 6-7 indicate
that they have taken the equivalent of 119 hours or less of CPD in the past 36 months.
Table 6-9
Hours of Training Over a 12-Month Period Required by Law/Statute
All Respondents in Percentages
Number
of Hours
CAE
% of 2,028
Respondents
Audit
Manager
% of 1,687
Respondents
None
1-10
11-20
21-30
31-40
41-50
51-60
61-70
Over 70
Total
41.0
5.6
8.5
4.8
30.3
1.9
1.6
0.1
6.2
100.0
38.1
3.7
9.1
5.0
32.8
2.1
1.7
0.3
7.2
100.0
Audit Senior/
Supervisor
% of 1,832
Respondents
41.2
4.5
8.3
5.5
29.5
2.3
2.1
0.5
6.1
100.0
Audit Staff
% of 1,177
Respondents
38.0
9.0
8.0
5.0
25.0
3.0
1.0
1.0
10.0
100.0
Others
% of 513
Respondents
39.0
4.0
12.0
7.0
28.0
2.0
1.0
0.0
7.0
100.0
Frequency of Types of Training
The survey asked the CAEs to provide information on the frequency of training in several specific
areas for themselves and other members of the IAA. Respondents were asked to indicate whether
the training was more frequent than annually, annually, less frequently than annually, as needed, or
never. The detailed results are shown in Table 6-10. CAEs report that training on the Standards
and professional practices are most common with 46.3% receiving training annually or more
frequently than annually and 37.5% receiving training as needed. Another important training area
is basic/advanced technology, with 36.3% of the training being provided annually or more frequently
The Institute of Internal Auditors Research Foundation
270 A Global Summary of the Common Body of Knowledge 2006 ______________________
2,232
2,211
2,242
2,217
2,231
2,286
Number of
Respondents
9.4
6.7
8.8
9.5
13.0
18.5
More
Frequently
than
Annually
17.1
31.4
18.4
22.5
23.3
27.8
Annually
15.6
13.8
15.3
17.2
12.3
12.1
Less
Frequently
than
Annually
43.5
35.9
46.9
41.1
46.3
37.5
14.4
12.2
10.6
9.7
5.1
4.1
As
Never
Needed
100.0
100.0
100.0
100.0
100.0
100.0
Total
Table 6-10
Frequency of Types of Training
CAE Respondents in Percentages
and 46.3% being trained as necessary. This result is expected as the IAA seeks skill upgrades
when new technology becomes available.
Type of
Training
Standards and
professional
practices
Basic/advanced
technology
Anti-fraud
techniques
Ethics training
Communication
skills
Team-building
skills
The responses given to the question on ethics training could reflect the desire for improving corporate
governance or the need for more transparent business practices following many widely publicized
corporate collapses in recent years. It was reported that 38.1% of ethics training sessions took
place annually or more frequently and 35.9% as needed. It is interesting to note that 12.2% of
respondents indicate that ethics training is never provided, compared with 4.1% indicating no
training on the Standards and professional practices and 5.1% indicating no training on basic/
advanced technology.
The Institute of Internal Auditors Research Foundation
_______________________________ Chapter 6: Staffing and Professional Development 271
Summary
The majority (54%) of the CAE respondents’ IAAs have 9 or fewer staff and 25.8% of the IAAs
have 25 or more audit staff. A minority of respondents offer incentives to attract individuals for
open positions in the IAA. The respondents’ most used methods to compensate for missing skill
sets are to reduce the audit scope or to outsource the task. Over 25% of the respondents hold a
CIA/MIIA/PIIA designation. About half of the CAE respondents received 120 hours of CPD over
the 36 months prior to the CBOK 2006 survey.
The Institute of Internal Auditors Research Foundation
Table 6-7-1-A
Hours of Formal Training During Last 36 Months or While in IAA if Less Than 3 Years
All Respondents in Percentages by Groups*
The Institute of Internal Auditors Research Foundation
Number of Hours
None
1- 39
40-79
80-119
120- 159
160-199
200-239
240 or More
Total
1
2
3
4
5
6
7
8
9
1.1
1.0
2.9
1.1
1.8
0.7
1.6
1.9
3.3
9.7 13.1 14.2 35.2 10.2 13.6
8.4 16.8 23.6
23.5 21.4 27.9 26.4 18.5 25.4 16.7 28.1 25.2
16.9 21.8 15.2 16.8 18.9 18.3 14.9 18.7 15.4
30.1 19.4 15.3 10.5 15.7 19.2 16.7 14.6 12.2
6.1
3.9
4.9
2.6
6.5
4.5
4.5
3.1
4.1
5.9
9.2
4.9
2.0
5.8
4.9
9.6
4.6
6.5
6.7 10.2 14.7
5.4 22.6 13.4 27.6 12.2
9.7
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
10
11
12
N/C**
1.5
14.6
23.4
20.4
13.1
2.9
5.8
18.3
100.0
2.2
20.3
25.1
17.3
16.5
3.5
5.6
9.5
100.0
2.4
12.2
19.5
22.0
24.4
2.4
4.9
12.2
100.0
4.3
21.7
20.4
17.3
14.6
2.5
4.8
14.4
100.0
272 A Global Summary of the Common Body of Knowledge 2006 ______________________
APPENDIX 6
Number of Hours
The Institute of Internal Auditors Research Foundation
None
1-39
40-79
80-119
120-159
160-199
200-239
240 or More
Total
1
2
3
4
5
6
7
0.5
0.0
1.4
1.0
1.7
0.6
0.0
6.5 12.2
8.2 40.4
7.9 16.7
6.9
21.3 25.6 23.8 21.2 14.1 31.4 15.3
13.9 12.2 13.6 18.3 23.7 16.7 13.0
34.7 19.5 21.1
9.6 17.5 18.6 18.3
7.2
4.9
5.4
1.9
7.3
3.8
2.3
6.8 11.0
8.2
1.9
7.9
3.2
9.2
9.1 14.6 18.3
5.7 19.9
9.0 35.0
100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
8
9
10
1.3
4.8
2.3
15.2 19.0 11.6
30.7 26.2 23.3
20.5 16.7 18.6
14.9
9.5 14.0
1.7
2.4
2.3
4.0
4.8
9.3
11.7 16.6 18.6
100.0 100.0 100.0
11
12
0.0
15.6
28.6
13.0
20.8
2.6
10.4
9.0
100.0
0.0
0.0
14.3
57.1
0.0
0.0
14.3
14.3
100.0
N/C**
2.1
17.5
19.6
19.6
21.7
2.8
5.6
11.1
100.0
_______________________________ Chapter 6: Staffing and Professional Development 273
Table 6-7-2-A
Hours of Formal Training During Last 36 Months or While in IAA if Less Than 3 Years
CAE Respondents in Percentages by Groups*
Number of Hours
The Institute of Internal Auditors Research Foundation
None
1-39
40-79
80-119
120-159
160-199
200-239
240 or More
Total
1
0.7
7.4
20.2
15.0
35.8
7.6
5.9
7.4
100.0
2
3
4
5
6
7
8
9
0.0
2.5
0.0
1.0
2.0
1.5
1.8
0.0
9.8 14.5 28.9
6.0
6.9
3.6 17.3 13.0
21.6 26.0 33.3 23.0 19.6 16.8 25.3 26.1
27.5 12.5 13.3 20.0 27.5 15.3 17.8 17.4
21.6 17.5 20.0 19.0 22.5 18.2 11.6 13.0
3.9
4.5
0.0
9.0
2.9
5.8
4.9
8.7
9.8
5.5
0.0
6.0
6.9
8.8
6.7 17.4
5.8 17.0
4.5 16.0 11.8 29.9 14.7
4.3
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
10
11
0.0
1.4
0.0 23.0
27.3 24.3
22.7 16.2
18.2 17.6
0.0
4.1
9.1
5.4
22.7
8.1
100.0 100.0
12
0.0
15.4
0.0
15.4
53.8
0.0
7.7
7.7
100.0
N/C**
2.0
22.3
18.9
20.3
12.2
3.4
5.4
15.5
100.0
274 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 6-7-3-A
Hours of Formal Training During Last 36 Months or While in IAA if Less Than 3 Years
Audit Manager Respondents in Percentages by Groups*
Number of Hours
The Institute of Internal Auditors Research Foundation
None
1-39
40-79
80-119
120-159
160-199
200-239
240 or More
Total
1
2
3
4
5
6
7
8
9
0.8
0.0
1.6
0.0
0.0
0.0
2.3
2.0
6.5
9.2 15.2 17.4 28.8 11.9
7.8 10.5 16.8 29.0
25.4 15.2 33.7 27.4 20.3 31.4 16.3 22.8 29.0
18.9 30.4 17.9 21.9 16.1 15.7 17.4 17.8 19.4
28.3 17.4 10.3
8.2 16.1 15.7 15.7 20.8
6.5
5.6
4.3
4.9
6.8
5.6
7.8
5.8
3.0
0.0
6.2
6.6
3.3
2.7
3.5
3.9 11.1
4.6
6.5
5.6 10.9 10.9
4.2 26.5 17.7 20.9 12.2
3.1
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
10
11
0.0
2.4
14.3 19.0
25.0 21.4
21.4 26.2
7.1 14.3
3.6
2.4
7.1
2.4
21.5 11.9
100.0 100.0
12
N/C**
0.0
22.2
44.4
11.1
11.1
0.0
0.0
11.2
100.0
1.8
21.6
19.9
17.5
12.3
3.5
4.7
18.7
100.0
_______________________________ Chapter 6: Staffing and Professional Development 275
Table 6-7-4-A
Hours of Formal Training During Last 36 Months or While in IAA if Less Than 3 Years
Audit Senior/Supervisor Respondents in Percentages by Groups*
Number of Hours
The Institute of Internal Auditors Research Foundation
None
1-39
40-79
80-119
120-159
160-199
200-239
240 or More
Total
1
2
3
4
5
6
7
8
9
1.3
6.3
3.3
2.2
5.0
0.0
0.0
0.5
0.0
16.3 12.5 15.8 40.2 14.9 20.0 10.0 17.1 38.1
27.0 31.3 30.0 27.2 16.8 11.7 20.0 32.1 14.3
20.8 25.0 17.5 10.9 11.9 13.3 12.5 19.2
9.5
22.1 18.8 12.5
9.8 11.9 20.0 20.0 13.0 14.3
3.4
0.0
4.2
1.1
5.0
3.3
2.5
3.6
9.5
4.7
6.1
4.2
2.2
6.9
8.3
5.0
4.1
0.0
4.4
0.0 12.5
6.4 27.6 23.4 30.0 10.4 14.3
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
10
11
3.2
4.2
12.9 29.2
25.8 16.7
19.4 25.0
19.4
8.3
6.5
4.2
0.0
0.0
12.8 12.4
100.0 100.0
12
0.0
0.0
28.6
28.6
14.3
0.0
0.0
28.5
100.0
N/C**
4.6
23.5
21.8
15.5
13.0
0.8
5.0
15.8
100.0
276 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 6-7-5-A
Hours of Formal Training During Last 36 Months or While in IAA if Less Than 3 Years
Audit Staff in Percentages by Groups*
Number of Hours
The Institute of Internal Auditors Research Foundation
None
1-39
40-79
80-119
120-159
160-199
200-239
240 or More
Total
1
2
3
4
5
6
7
8
9
5.5
9.1 15.4
2.8
2.3
0.0
6.9 10.0
0.0
14.1 27.3 15.4 27.8 13.6 29.6 20.7 24.0 16.7
25.9
0.0 17.9 27.8 25.0 22.2 20.7 30.0 33.3
15.7 27.3 12.8 22.2 20.5 14.8 10.3 12.0
0.0
22.7 18.2 15.4
8.3
9.1 18.5
3.4
8.0 50.0
5.9
0.0
7.7
2.8
4.5
3.7
3.4
2.0
0.0
3.1
9.1
0.0
2.8
2.3
3.7 13.8
2.0
0.0
7.1
9.0 15.4
5.5 22.7
7.5 20.8 12.0
0.0
100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0 100.0
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
10
11
0.0 14.3
53.8 21.4
7.7 35.7
23.1
7.1
0.0
7.1
0.0
7.1
0.0
0.0
15.4
7.3
100.0 100.0
12
N/C**
20.0
20.0
20.0
0.0
20.0
20.0
0.0
0.0
100.0
15.9
24.6
18.8
13.0
17.4
2.9
1.5
5.9
100.0
_______________________________ Chapter 6: Staffing and Professional Development 277
Table 6-7-6-A
Hours of Formal Training During Last 36 Months or While in IAA if Less Than 3 Years
Other Respondents in Percentages by Groups*
278 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS
Chapter 7
Chapter 7: Internal Audit Skills ............................................................................................ 279
Introduction......................................................................................................................... 279
Technical Skills................................................................................................................... 281
Behavioral Skills................................................................................................................. 289
Summary ............................................................................................................................. 299
Appendix 7.......................................................................................................................... 300
Disclosure
Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland
Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of
America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior
written permission of the publisher.
The IIARF publishes this document for informational and educational purposes. This document is intended
to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide
such advice and makes no warranty as to any legal or accounting results through its publication of this
document. When legal or accounting issues arise, professional assistance should be sought and retained.
The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full
range of existing and developing practice guidance for the profession. The IPPF provides guidance to
internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA
Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting
research and knowledge resources to enhance the development and effectiveness of the internal auditing
profession.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 279
CHAPTER 7
INTERNAL AUDIT SKILLS
Introduction
Recognizing the evolutionary nature of the profession, this chapter summarizes the skills internal
auditors are expected to possess today while they perform as internal auditors in their IAA or for
client organizations. All respondents were provided with a list of technical and behavioral skills
developed from the International Standards for the Professional Practice of Internal Auditing
(Standards), Practice Advisories, internal auditing literature, past CBOK studies, and the CBOK
2006 pilot study. Respondents were unable to amend or change the list of skills provided in the
CBOK 2006 survey. As a guide when answering the survey questions, respondents were given the
following definition of technical skills: “using terminology or subject matter in a particular field.”
Behavioral skills were defined in the survey as “actions toward others measured by commonly
accepted standards and management of one’s own actions.”
The number of respondents answering a specific question will often differ from the 9,366 total
respondents in this study. This is due to the following reasons:
•
•
Not all of those that participated in the survey answered all of the questions asked. Results
are shown and discussed only for those respondents who answered a particular survey
question.
Not all questions were asked of all respondents.
o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).
o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).
o Some questions were asked of both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA.
These more detailed summaries of results may be provided for the four categories of respondents:
CAEs, Audit Managers, Audit Seniors/Supervisors, and Audit Staff.
When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.
For a list of groups, please refer to Appendix 1-B of the report. Some tables have additional details.
The Institute of Internal Auditors Research Foundation
280 A Global Summary of the Common Body of Knowledge 2006 ______________________
For example, Table 7-4 is the total of all respondents for that question with a related Table 7-4-1
showing the responses by group. A table can have more than one related table, where the second
related table would be 7-4-2. Additional related tables may be located in Appendix 7 at the end of
this chapter. A table that is in the Appendix can be clearly identified by an “A” at the end of its
number. For example, Table 7-1-1-A is located in Appendix 7.
The possession and use of certain behavioral and technical skills are necessary elements for
internal audit practitioners to achieve a high level of quality performance in their internal auditing
work. The Standards and Practice Advisories each indicate specific skills that are appropriate for
internal auditors to possess. Standard 1220, Due Professional Care, requires internal auditors to
“apply the care and skill expected of a reasonably prudent and competent internal auditor.” Standard
1210, Proficiency, states, “Internal auditors should possess the knowledge, skills, and other
competencies needed to perform their individual responsibilities.” The standard continues, “The
internal audit activity collectively should possess or obtain the knowledge, skills, and other
competencies needed to perform its responsibilities.”
The possession and application of technical skills enable internal auditors to achieve a high level of
performance in their activities. The selection of technical skills in the survey is supported by the
Standards and Practice Advisories which emphasize certain technical skills:
•
•
•
•
•
Attribute Standard 1210.A2 – “The internal auditor should have sufficient knowledge to
identify the indicators of fraud...”
Attribute Standard 1210.A3 – “Internal auditors should have knowledge of key information
technology risks and controls...”
Performance Standard 2120.A1 – “...the internal audit activity should evaluate the adequacy
and effectiveness of controls...”
Performance Standard 2210.A1 – “Internal auditors should conduct a preliminary assessment
of the risks relevant to the activity under review…”
Performance Standard 2320 – “Internal auditors should base conclusions and engagement
results on appropriate analyses and evaluations.”
The objectives for this survey question were to understand the current skill framework of technical
and behavioral skills necessary for internal auditors to successfully perform their jobs in their
position within the internal audit activity (IAA). Figure 7-1 lists the technical and behavioral skills
included in CBOK 2006.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 281
Figure 7-1
Technical and Behavioral Skills
Technical
Skills
Behavioral
Skills
Data collection and analysis
Financial analysis
Forensic skills/fraud awareness
Identifying types of controls
Interviewing
ISO/quality knowledge
Negotiating
Research skills
Risk analysis
Statistical sampling
Total quality management
Understanding business
Use of information technology
Confidentiality
Facilitating
Governance and ethics sensitivity
Interpersonal skills
Leadership
Objectivity
Relationship building
Staff management
Team building
Team player
Working independently
Work well with all levels of management
Technical Skills
CAE Respondents
Chief audit executives (CAEs) were asked to identify the five most important technical and
behavioral skills they need to possess in order to be successful as the leader of their IAA. They
were also asked to identify the five most important technical and behavioral skills that the Audit
The Institute of Internal Auditors Research Foundation
282 A Global Summary of the Common Body of Knowledge 2006 ______________________
Managers, Audit Seniors/Supervisors, and Audit Staff each need to perform their jobs. The results
can be used to identify similarities among the CAEs’ responses.
Table 7-1 shows the CAEs’ selection of the five most important technical skills by staff level from
the 13 listed in the questionnaire. Understanding the business and risk analysis are skills that on
average get the highest scores. There is no individual technical skill that is highly rated by CAE
respondents for all staff levels in the IAA. The higher the percentages in Table 7-1 for each
technical skill the more CAEs agreed on the importance of that skill.
Table 7-1
Most Important Technical Skills by Staff Level
CAE Respondents (2,092) in Percentages
Technical Skills
CAE
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
Data collection and analysis
Financial analysis
Forensic skills/fraud awareness
Identifying types of controls
(e.g., preventative, detective)
Interviewing
ISO/quality knowledge
Negotiating
Research skills
Risk analysis
Statistical sampling
Total quality management
Understanding the business
Use of information technology
15.2
35.9
43.2
30.8
14.7
35.4
38.7
33.6
33.9
36.4
31.7
45.2
77.6
35.1
20.9
52.1
37.7
18.9
68.7
20.8
74.9
6.5
33.4
78.3
28.3
37.8
16.0
49.5
19.6
59.0
8.8
21.0
58.6
30.4
44.1
10.7
23.5
29.9
41.3
20.7
10.6
43.9
37.3
58.3
7.6
7.3
41.5
27.5
29.5
3.7
45.5
51.4
Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 283
CAE
At the CAE position, high-level technical skills are vital for the IAA to be successful. For their own
category, the technical skills most commonly chosen as important are:
•
•
•
•
•
Understanding the business (78.3%).
Risk analysis (74.9%).
Negotiating (68.7%).
Forensic skills/fraud awareness (43.2%).
Interviewing (37.7%).
From the list provided, the CAEs indicate that understanding the business (78.3%), risk analysis
(74.9%), and negotiating (68.7%) are especially important technical skills they need to perform
their role in the IAA. These results are in accordance with Performance Standard 2010, Planning,
and its related Practice Advisories that require the CAE to establish a risk-based audit plan to
determine the priorities of the internal audit activity. As this is a high-level technical skill, it is
appropriate that it is not vital at lower staff levels. Forensic skills/fraud awareness skills were also
commonly chosen as important (43.2%). This seems appropriate as Standard 2210A.2 requires
the internal auditor to consider for all assurance engagements “the probability of significant errors,
irregularities, noncompliance, and other exposures when developing the engagement objectives.”
Audit Manager
For the Audit Manager category, the technical skills most commonly chosen as important by CAEs
are:
•
•
•
•
•
Risk analysis (59%).
Understanding the business (58.6%).
Negotiating (49.5%).
Forensic skills/fraud awareness (38.7%).
Interviewing (37.8%).
For Audit Managers, risk analysis (59%) and understanding the business (58.6%) are critical for
successful performance of duties. CAEs also identified negotiating (49.5%) as an important technical
skill for Audit Managers, although there is a more than 19% decrease in the importance of this skill
from the CAE level. The most commonly chosen technical skills are the same at both the CAE and
the Audit Manager level.
The Institute of Internal Auditors Research Foundation
284 A Global Summary of the Common Body of Knowledge 2006 ______________________
Audit Senior/Supervisor
For the Audit Senior/Supervisor category, the technical skills that were most commonly chosen by
CAEs as important are:
•
•
•
•
•
Identifying types of controls (45.2%).
Interviewing (44.1%).
Understanding the business (43.9%).
Risk analysis (41.3%).
Use of information technology (37.3%).
Some technical skills become less important at the Audit Senior/Supervisor level than the Audit
Manager level. One example shown in Table 7-1 is forensic skill/fraud awareness, which decreases
from 38.7% at the Audit Manager level to 31.7% at the Audit Senior/Supervisor level. Another
decrease is found in risk analysis, which decreases from 59.0% at the Audit Manager level to
41.3% at the Audit Senior/Supervisor level. Understanding the business follows the same pattern,
decreasing from 58.6% at the Audit Manager level to 43.9% at the Audit Senior/Supervisor level.
There are also some technical skills that are newly identified as important by CAEs when they
considered the Audit Senior/Supervisor level. Identifying types of controls (45.2%) and the use of
information technology (37.3%) were chosen by CAEs as important to the Audit Senior/Supervisor
level.
Audit Staff
For the Audit Staff category, the technical skills that were most commonly chosen by CAEs as
important are:
•
•
•
•
•
Data collection and analysis (77.6%).
Interviewing (58.3%).
Identifying types of controls (52.1%).
Use of information technology (51.4%).
Understanding the business (45.5%).
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 285
CAE respondents indicate that the technical skills needed by each staff level change as they
progress to higher staff levels. For example, while 77.6% of the CAEs selected data collection and
analysis as an important technical skill for the Audit Staff, only 14.7% indicate that it is important
for Audit Managers, and 15.2% selected it as important for CAEs. For negotiating, 68.7 % feel
that it is important for CAEs and only 7.3% note that it is considered an important technical skill for
the Audit Staff.
Identifying types of controls was identified by CAEs as slightly increasing in importance from
45.2% at the Audit Senior/Supervisor level to 52.1% at the Audit Staff level. Interviewing also
shows an increase from 44.1% at the Audit Senior/Supervisor level to 58.3% at the Audit Staff
level. The use of information technology shows a relatively large increase from 37.3% at the Audit
Senior/Supervisor level to 51.4% at the Audit Staff level.
In Appendix 7, Tables 7–1-1-A (CAEs), 7-1-2-A (Audit Managers), 7-1-3-A (Audit Seniors/
Supervisors), and 7-1-4-A (Audit Staff) show CAE responses for technical skills broken out for
the 13 groups. Overall the tabulation by CAE by groups agrees with the top five technical skills for
each staff level. These results clearly indicate that the CAE respondents believe that the technical
skills appropriate for success in the IAA differ at various staff levels in the IAA.
Practitioner Respondents
While CAEs ranked the five most important technical skills for all staff levels including themselves,
the Practitioners were asked to indicate the importance of all thirteen technical skills to perform
their work at their current staff position. The practitioner respondents indicated importance of the
technical skill to them on a scale of 1 (minimally important) to 5 (very important). Table 7-2 divides
the mean responses into the three staff levels: Audit Manager, Audit Senior /Supervisor, and Audit
Staff. The results for technical skills show little variation by staff levels. The skills that consistently
get the highest mean scores from the Practitioner respondents are data collection and analysis,
identifying types of controls, interviewing, research skills, risk analysis, and understanding the
business. The higher the mean in Table 7-2 for each technical skill the more Practitioners agreed
on the importance of that skill.
The Institute of Internal Auditors Research Foundation
286 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 7-2
Importance to Respondent of Technical Skills to Perform Work
Practitioner Respondents by Means*
Technical Skills
Data collection and analysis
Financial analysis
Forensic skills/fraud awareness
Identifying types of controls
(e.g., preventative, detective)
Interviewing
ISO/quality knowledge
Negotiating
Research skills
Risk analysis
Statistical sampling
Total quality management
Understanding the business
Use of information technology
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
4.1
3.8
3.6
4.3
4.3
3.9
3.6
4.2
4.4
3.7
3.6
4.1
4.3
2.9
3.7
3.9
4.4
3.2
2.9
4.5
4.1
4.3
2.9
3.6
4.0
4.3
3.3
2.9
4.4
4.1
4.3
3.0
3.5
4.0
4.2
3.5
3.0
4.3
4.1
*The mean is the average response to: 1 = minimally important to 5 = very important.
Note: Not all respondents answered for all the skills. Total number of respondents was between 4,686 and 4,756.
The skills related to quality (ISO/quality knowledge and TQM) received the lowest ranking of all
the skills for all three professional levels in the IAA.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 287
In Table 7-2-1, the main differences that emerge by comparing group data are those skills that are
generally not considered as important by Practitioners: statistical sampling, total quality management,
and negotiating. Group 9 considers statistical sampling to be very important (mean of 3.9) while
group 10 has a much lower mean (2.8). Group 12 differs from the others for TQM with a mean of
3.4 which is very different than group 10’s mean of 2.4. Negotiating gets its highest score in groups
2, 3, and 7 (4.0) while group 10 gives this skill a much lower value (2.9).
Table 7-2-1
Importance to Respondent of Technical Skills to Perform Work by Groups*
Practitioner Respondents in Means**
Technical Skills
1
2
3
4
5
Data collection and
analysis
Financial analysis
Forensic skills/fraud
awareness
Identifying types of
controls (e.g.,
preventative, detective)
Interviewing
ISO/quality knowledge
Negotiating
Research skills
Risk analysis
Statistical sampling
Total quality
management
Understanding
business
Use of information
technology
4.2
4.0
4.2
4.4
3.8
3.6
3.5
3.4
3.8
3.5
4.3
4.4
4.4
2.8
3.5
4.0
4.2
3.2
2.9
6
7
8
9
10
11
12 N/C***
4.5 4.0
4.6
4.2
4.4
4.2
4.3
4.5
4.3
4.0
3.9
3.9 3.4
3.7 3.3
4.1
3.8
3.5
3.3
4.2
4.0
3.4
3.3
4.3
3.5
4.1
3.8
3.9
3.7
4.4
4.1
4.1 3.8
4.41 3.8
4.4
4.2
4.2
4.5
4.1
4.3
2.8
4.0
3.9
4.4
3.0
2.7
4.4
3.1
4.0
3.9
4.4
3.2
3.1
3.9
3.4
3.7
3.7
4.2
3.5
3.2
4.4
3.0
3.9
4.1
4.4
3.5
3.1
4.4
2.6
3.5
3.7
4.3
2.9
2.6
4.3
3.4
4.0
4.1
4.5
3.7
3.3
4.2
2.8
3.4
3.7
4.4
3.3
2.7
4.1
3.0
3.9
4.3
4.3
3.9
3.3
4.4
2.6
2.9
3.1
4.5
2.8
2.4
4.3
3.1
3.8
3.8
4.3
3.5
3.2
4.2
3.3
3.6
3.8
4.2
3.8
3.4
4.1
3.3
3.7
3.9
4.2
3.5
3.1
4.7
4.5
4.6
4.3
4.3 4.5
4.5
4.2
4.5
4.6
4.5
4.5
4.4
4.1
3.9
4.3
4.0
4.1 3.9
4.4
4.0
4.2
4.2
4.1
4.0
4.2
*For a list of groups, please see Appendix 1-B.
**The mean is the average response to: 1 = minimally important to 5 = very important.
***N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
288 A Global Summary of the Common Body of Knowledge 2006 ______________________
To add to the understanding of the importance placed by the Practitioners on the different technical
skills by staff level, the data from Table 7-2 is displayed in rank order by staff level in Table 7-3. In
Table 7-3, the technical skills are ranked from 1 (most important) through 13 (least important).
There is a high level of consistency in the ranking of technical skills among the three staff levels
(Audit Manager, Audit Senior/Supervisor, and Audit Staff). The relative decreasing importance of
certain skills as one achieves higher staff levels in the IAA is only indicated for data collection and
analysis. There is only slightly more importance of risk analysis and identifying types of controls as
one achieves higher staff levels in the IAA.
Table 7-3
Rankings of Technical Skills by Staff Level
Practitioner Respondents by Rank
Technical Skills
Data collection and analysis
Financial analysis
Forensic skills/fraud awareness
Identifying types of controls
(e.g., preventative, detective)
Interviewing
ISO/quality knowledge
Negotiating
Research skills
Risk analysis
Statistical sampling
Total quality management
Understanding the business
Use of information technology
Audit
Manager
Audit Senior/
Supervisor
Audit
Staff
5/6
8
10
3/4
2/3/4
8
9/10
5
1
8
9
5/6
3/4
12/13
9
7
2
11
12/13
1
5/6
2/3/4
12/13
9/10
7
2/3/4
11
12/13
1
6
2/3
12/13
10/11
7
4
10/11
12/13
2/3
5/6
Note: In some cases the rankings are tied. For example, rankings of Data Collection and
Analysis and Use of Information Technology at the Audit Manager level are tied.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 289
Behavioral Skills
CAE Respondents
For an IAA to be successful, internal auditors must possess the appropriate level of skills that are
fundamental for performance of their work (Standard 1210, Proficiency). From the twelve behavioral
skills that were listed in the survey question, CAEs were asked to indicate the five most important
for various professional staff levels in the IAA. The results can be used to identify similarities
among the CAEs’ responses.
Table 7-4 provides an overall view of the skills that CAEs chose as important for those performing
internal auditing activities at the CAE, Audit Manager, Audit Senior/Supervisor, and Audit Staff
levels in the IAA. Their responses are presented in percentages by frequency of response for
those that answered the question. The higher the percentages in Table 7-4 for each behavioral skill
the more CAEs agreed on the importance of that skill. CAEs selected confidentiality first or
second for all staff levels with a low of 53.2% for Audit Managers to a high of 73.4% for the Audit
Staff. CAEs also selected objectivity (45.7% to 73.7%) and interpersonal skills (44% to 67.4%) as
highly needed behavioral skills for all staff levels.
The Institute of Internal Auditors Research Foundation
290 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 7-4
Most Important Behavioral Skills by Staff Level
CAE Respondents (2,092) in Percentages
Behavioral Skills
Confidentiality
Facilitating
Governance and ethics sensitivity
Interpersonal skills
Leadership
Objectivity
Relationship building
Staff management
Team building
Team player
Work well with all levels of management
Working independently
CAE
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
68.7
34.3
54.8
49.0
75.1
58.2
44.7
34.8
32.9
15.2
58.3
18.9
53.2
33.3
32.0
44.0
48.8
45.7
30.9
44.0
39.4
18.4
42.6
16.9
56.2
28.6
23.5
49.9
21.8
54.3
24.7
30.1
30.8
34.9
35.2
26.4
73.4
13.4
24.1
67.4
3.4
73.7
29.0
2.2
7.8
65.2
40.3
55.6
Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.
The importance of objectivity and confidentiality is supported by many references in the Professional
Practices Framework. Objectivity and confidentiality are two of the four principles in The IIA’s
Code of Ethics. The IIA’s Code of Ethics states for objectivity, “Internal auditors exhibit the highest
level of professional objectivity in gathering, evaluating, and communicating information about the
activity or process being examined.” For confidentiality, The IIA’s Code of Ethics states, “Internal
auditors respect the value and ownership of information they receive and do not disclose information
without appropriate authority unless there is a legal or professional obligation to do so.” According
to the Code, internal auditors must be prudent in their use and protection of information acquired.
Information cannot be used for personal gain or in a way that would be against the law or hurt the
organization.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 291
The following discusses the CAE’s rankings by staff level based on Table 7-4.
CAE
The behavioral skills CAEs commonly chose as important at their level are:
•
•
•
•
•
Leadership (75.1%).
Confidentiality (68.7%).
Work well with all levels of management (58.3%).
Objectivity (58.2%).
Governance and ethics sensitivity (54.8%).
For CAEs, the importance of relationships and leadership skills instead of skills emphasizing their
own individual success is supported in Standards 2440, Disseminating Results, 2500, Monitoring
Progress, and 2600, Resolution of Management’s Acceptance of Risks. Each requires the CAE to
communicate with management and monitor progress. Practice Advisory 2340-1 states that the
CAE, “Is responsible for assuring that appropriate engagement supervision is provided.” CAEs did
not commonly choose as important behavioral skills such as team player (15.2%) and working
independently (18.9%).
Audit Manager
The most important behavioral skills that CAEs commonly believe Audit Managers should possess
at their level are:
•
•
•
•
•
•
Confidentiality (53.2%).
Leadership (48.8%).
Objectivity (45.7%).
Interpersonal skills (44.0%).
Staff management (44.0%).
Works well with all levels of management (42.6%).
The importance of staff management skills at higher levels in the IAA is consistent with Standard
2340, which states that “engagements should be properly supervised to ensure objectives are
achieved...” Based on Standard 2030, Resource Management, if they are managing the engagement
properly, they are ensuring that the staff is effectively deployed to achieve the approved plan.
Progression in hierarchical position in the IAA from Audit Staff to Audit Manager results in a
relative decrease in importance of the percentage ranking for confidentiality, objectivity, interpersonal
skills, and team player as shown by the percentages attributed to each.
The Institute of Internal Auditors Research Foundation
292 A Global Summary of the Common Body of Knowledge 2006 ______________________
Audit Senior/Supervisor
For the Audit Senior/Supervisor level, the behavioral skills chosen by CAEs as important include:
•
•
•
•
•
Confidentiality (56.2%).
Objectivity (54.3%).
Interpersonal skills (49.9%).
Work well with all levels of management (35.2%).
Team player (34.9%).
Comparing four of the behavioral skills CAEs chose as important for the Audit Manager and Audit
Senior/Supervisor levels, confidentiality is important at all levels. This holds true when comparing
the Audit Manager (53.2%) and the Audit Senior/Supervisor (56.2%) levels. Objectivity is also
relatively close in importance at both levels (45.7% and 54.3%). Interpersonal skills show close
alignment for the Audit Manager (44.0%) and Audit Senior/Supervisor (49.9%) levels. Work well
with all levels of management is also commonly chosen as important by CAEs for both of these
levels (42.6% ad 35.2%).
Audit Staff
A comparison of the CAEs’ responses regarding the important behavioral skills related to the four
staff levels reveals some noticeable differences. For the Audit Staff, the most commonly chosen
behavioral skills CAEs believe they should possess are:
•
•
•
•
•
Objectivity (73.7%).
Confidentiality (73.4%).
Interpersonal skills (67.4%).
Team player (65.2%).
Working independently (55.6%).
Skills indicated by CAEs as not critical for Audit Staff members to possess at this point in their
internal auditing career are staff management (2.2%), leadership (3.4%), and team building (7.8%).
In Table 7-4, when comparing results for Audit Seniors/Supervisors and Audit Staff to those of
Audit Managers, CAE respondents’ choices show a trend of increasing importance for:
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 293
•
•
•
•
Leadership (3.4% to 48.8%).
Staff management (2.2% to 44.0%).
Team building (7.8% to 39.4%).
Facilitating (13.4% to 33.3%).
CAE Respondents by Staff Level for Groups
Tables 7-4-1 (CAEs), 7-4-2 (Audit Managers), 7-4-3 (Audit Seniors/Supervisors), and 7-4-4 (Audit
Staff) show the selections by CAEs by groups of the most commonly chosen behavioral skills.
Table 7-4-1 shows the behavioral skills CAEs by group chose as important for the performance of
their job. Variability of results relate predominantly to facilitating, works well with all levels of
management, governance and ethics sensitivity, and staff management.
Table 7-4-1
Most Important Behavioral Skills
for CAEs by Groups*
CAE Respondents in Percentages
Behavioral Skills
1
Confidentiality
Facilitating
Governance and ethics
sensitivity
Interpersonal skills
Leadership
Objectivity
Relationship building
Staff management
Team building
Team player
Working independently
Work well with all levels
of management
2
3
4
5
6
7
8
9
10
11
12
N/C**
65.2 66.7 67.9 74.4 72.7 71.5 81.6 75.9 62.5 50.0 72.5
32.2 34.6 32.1 33.7 52.1 38.7 28.9 37.2 30.0 14.3 24.6
48.0 59.3 53.7 73.3 50.3 54.7 69.3 63.5 65.0 40.5 68.1
62.5
50.0
75.0
61.1
33.6
52.7
52.6
78.4
52.0
45.8
26.1
28.4
8.2
10.9
64.0
37.5
75.0
75.0
37.5
12.5
37.5
12.5
25.0
50.0
40.5
60.3
57.3
37.4
28.2
31.3
17.6
26.7
47.3
59.3
75.3
56.8
60.5
29.6
33.3
13.6
19.8
65.4
53.0
88.1
53.7
63.4
36.6
32.8
13.4
12.7
59.7
54.7
64.0
65.1
36.0
30.2
45.3
20.9
36.0
47.7
50.9
66.7
70.3
40.0
58.8
41.2
27.9
29.1
69.1
40.9
72.3
59.1
38.7
43.8
24.8
10.2
19.7
56.9
46.5
78.9
64.9
44.7
33.3
33.3
37.7
25.4
48.2
39.8
75.6
64.7
42.5
51.5
44.4
22.2
25.6
41.0
35.0
80.0
65.0
32.5
27.5
37.5
7.5
25.0
55.0
45.2
57.1
54.8
38.1
28.6
19.0
9.5
19.0
76.2
59.4
78.3
65.2
46.4
33.3
29.0
17.4
21.7
65.2
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
294 A Global Summary of the Common Body of Knowledge 2006 ______________________
In Table 7-4-2 for Audit Managers, CAEs in group 4 indicate that governance and ethics sensitivity
(60.5%) and leadership (69.8%) are commonly important for Audit Managers. Governance and
ethics sensitivity is one of the most important behavior skills for only 21.6% of the CAE respondents
belonging to group 1. Leadership is considered an important skill by CAEs for Audit Managers for
only 33.3% of respondents in group 10. A major difference between CAE respondents by group is
for facilitating, which is identified as much less important in group 10. Staff management skills are
commonly chosen as important by CAEs in group 3 (59.7%) but not by CAEs in group 10 (23.8%).
Table 7-4-2
Most Important Behavioral Skills
for Audit Manager by Groups*
CAE Respondents in Percentages
Behavioral Skills
1
Confidentiality
Facilitating
Governance and ethics
sensitivity
Interpersonal skills
Leadership
Objectivity
Relationship building
Staff management
Team building
Team player
Working independently
Work well with all
levels of management
2
3
4
5
6
7
8
9
10
11
12
N/C**
50.8 54.3 56.7 61.6 49.7 54.7 63.2 57.1 47.5 33.3 62.3 75.0
29.3 30.9 38.1 46.5 42.4 30.7 34.2 35.7 45.0 9.5 36.2 50.0
21.6 28.4 31.3 60.5 29.1 34.3 45.6 43.6 50.0 31.0 40.6 62.5
45.8
32.8
35.1
47.9
49.9
41.4
29.7
42.9
38.3
11.4
13.6
47.5
38.2
47.3
43.5
27.5
38.2
31.3
23.7
22.1
36.6
55.6
37.0
46.9
34.6
53.1
33.3
16.0
14.8
49.4
61.9
46.3
49.3
42.5
59.7
43.3
19.4
13.4
56.0
39.5
69.8
43.0
32.6
45.3
55.8
16.3
22.1
38.4
42.4
50.9
49.1
29.7
49.1
39.4
27.3
21.8
38.8
31.4
35.8
43.8
27.0
38.7
41.6
13.1
16.1
31.4
32.5
57.9
56.1
26.3
33.3
35.1
37.7
17.5
38.6
33.8
44.7
47.4
33.5
44.4
43.6
27.1
18.8
33.1
35.0
50.0
52.5
20.0
47.5
27.5
15.0
10.0
27.5
42.9
33.3
40.5
26.2
23.8
40.5
14.3
21.4
42.9
58.0
59.4
60.9
39.1
50.7
40.6
24.6
31.9
52.2
62.5
50.0
87.5
37.5
50.0
25.0
12.5
25.0
25.0
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 295
Table 7-4-3 highlights the CAEs’ responses for Audit Seniors/Supervisors. With the exception of
CAEs in groups 4, 5, and 12, there is remarkable consistency among CAEs in the groups. The main
differences are for staff management and leadership. For CAEs in group 4, these two skills are
considered quite important (53.5% and 46.5%) while group 5 indicates that these skills are not
important for Audit Seniors/Supervisors (13.9% and 7.9%). The percentages from Table 7-4 for
these two categories are respectively 30.1% and 21.8%. Another large difference relates to
facilitating where group 4 considers this much more important (57%) than group 10 (19%).
Table 7-4-3
Most Important Behavioral Skills
for Audit Seniors/Supervisors by Groups*
CAE Respondents in Percentages
Behavioral Skills
1
Confidentiality
Facilitating
Governance and ethics
sensitivity
Interpersonal skills
Leadership
Objectivity
Relationship building
Staff management
Team building
Team player
Working independently
Work well with all
levels of management
2
3
4
5
6
7
8
9
10
11
12
N/C**
52.5
24.3
14.7
53.1 63.4 57.0 56.4 61.3 68.4 61.7 65.0 40.5 59.4 87.5
27.2 25.4 57.0 35.2 31.4 31.6 26.3 37.5 19.0 42.0 37.5
22.2 22.4 41.9 33.3 27.7 39.5 28.2 47.5 14.3 29.0 25.0
45.0
25.2
21.4
52.6
20.9
52.0
22.1
32.1
33.3
29.1
23.9
38.0
61.7
14.8
51.9
30.9
32.1
29.6
27.2
22.2
40.7
46.6
28.2
55.0
22.9
22.9
33.6
34.4
29.0
24.4
63.4
17.9
54.5
35.8
41.0
29.9
43.3
31.3
50.0
57.0
46.5
40.7
34.9
53.5
46.5
27.9
25.6
39.5
42.4
7.9
53.3
30.3
13.9
17.0
32.1
30.3
27.3
38.0
17.5
62.8
20.4
31.4
24.8
38.0
38.0
31.4
37.7
36.8
57.9
21.1
23.7
31.6
56.1
18.4
30.7
42.5
19.9
58.6
21.8
26.7
28.9
41.4
26.7
29.7
47.5
27.5
60.0
20.0
37.5
42.5
45.0
15.0
37.5
47.6
21.4
40.5
28.6
16.7
16.7
28.6
19.0
40.5
62.3
27.5
62.3
27.5
29.0
33.3
44.9
37.7
33.3
87.5
25.0
100.0
50.0
37.5
25.0
50.0
25.0
25.0
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
296 A Global Summary of the Common Body of Knowledge 2006 ______________________
In Table 7-4-4 (Audit Staff) there are uniformly low indicators of importance for staff management,
leadership, team building, and facilitating. Group 6 believes that working independently is important
for Audit Staff (70.8%) while group 7 considers this skill much less important (35.1%). Being a
team player is vital for CAEs in group 7 (72.8%) and much less important in group 9 (37.5%).
Whereas CAEs in group 9 believe that governance and ethics sensitivity is very important (45.0%)
for Audit Staff when compared to the average 24.1% in Table 7-4, CAEs in group 12 show the
lowest percentage for this skill (12.5%). CAEs’ range of percentages for objectivity is 100% for
group 12, 82.5% for group 7, and 52.3% for group 4. The percentage from Table 7-4 is 73.7%.
Works well with all levels of management ranges from a low of 12.5% in group 12 to a high of
52.3% in group 4.
Table 7-4-4
Most Important Behavioral Skills
for Audit Staff by Groups*
CAE Respondents in Percentages
Behavioral Skills
1
Confidentiality
Facilitating
Governance and ethics
sensitivity
Interpersonal skills
Leadership
Objectivity
Relationship building
Staff management
Team building
Team player
Working independently
Work well with all
levels of management
2
3
4
5
6
7
8
9
10
11
12
N/C**
71.7 69.1 76.9 65.1 71.5 75.9 84.2 81.2 77.5 59.5 71.0 100.0 65.6
9.0 8.6 7.5 32.6 23.0 10.2 16.7 16.5 15.0 14.3 20.3
0.0 15.3
14.5 25.9 24.6 31.4 35.8 21.2 42.1 29.7 45.0 26.2 33.3 12.5 27.5
76.1
2.9
76.2
25.8
1.3
5.1
65.9
60.6
43.8
77.8
2.5
61.7
34.6
1.2
8.6
59.3
56.8
45.7
65.7
2.2
77.6
37.3
0.7
4.5
71.6
62.7
50.7
70.9
4.7
52.3
41.9
9.3
22.1
61.6
65.1
52.3
58.8
1.8
69.1
35.2
0.6
17.0
72.1
59.4
23.6
55.5
0.7
75.2
24.1
0.7
2.9
65.7
70.8
40.9
54.4
13.2
82.5
24.6
10.5
8.8
72.8
35.1
32.5
60.9
2.3
75.6
27.8
1.5
8.3
68.4
43.6
38.7
55.0
7.5
80.0
47.5
5.0
10.0
37.5
45.0
25.0
61.9
0.0
71.4
31.0
0.0
4.8
45.2
47.6
33.3
71.0 100.0 56.5
2.9
0.0 6.1
72.5 100.0 65.6
27.5 37.5 26.0
2.9
0.0 2.3
8.7
0.0 10.7
59.4 75.0 55.7
49.3 50.0 41.2
40.6 12.5 35.9
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: Each CAE respondent was able to select five behavioral skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 297
Practitioner Respondents
Practitioners were asked to indicate the importance of each of the twelve behavioral skills to
perform their work at their current position in their organization. These respondents were asked to
use a scale of importance from 1 (minimally important) to 5 (very important). The data is divided
into the three staff levels: Audit Manager, Audit Senior/Supervisor, and Audit Staff. The higher the
mean in Table 7-5 for each behavioral skill the more Practitioners agreed on the importance of that
skill.
Practitioners consider almost all of the behavioral skills to be important with only marginal differences
in the means. The only skill categories with ratings below 4.0 are:
•
•
•
Staff management (the lowest score of all categories analyzed).
Facilitating (among the lowest scores given a skill by all respondents).
Leadership and team building (a mean lower than 4.0 only for the Audit Staff category).
Table 7-5
Importance of Behavioral Skills to Perform Work
Practitioner Respondents by Mean*
Behavioral Skills
Confidentiality
Facilitating
Governance and ethics sensitivity
Interpersonal skills
Leadership
Objectivity
Relationship building
Staff management
Team building
Team player
Work well with all levels of management
Working independently
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
4.8
4.1
4.4
4.6
4.3
4.8
4.4
4.1
4.2
4.3
4.6
4.2
4.8
4.0
4.3
4.5
4.1
4.8
4.4
3.8
4.0
4.2
4.6
4.2
4.7
3.9
4.3
4.5
3.9
4.7
4.3
3.5
3.9
4.2
4.5
4.2
*The mean is the average response to: 1 = minimally important to 5 = very important.
Note: Not all respondents answered for all the skills. Total number of respondents is between 4,742 and 4,790.
The Institute of Internal Auditors Research Foundation
298 A Global Summary of the Common Body of Knowledge 2006 ______________________
The practitioner results highlight many similarities with the CAE respondents. Confidentiality and
objectivity are the skills that practitioners consider the most important for all professional levels.
This is consistent with Practice Advisory 1120-1, Individual Objectivity, which states, “Objectivity
is an independent mental attitude which internal auditors should maintain in performing
engagements.” Interpersonal skills and works well with all levels of management are also viewed
by respondents as very important to perform audit work.
Table 7-5-1 shows the means of the Practitioner responses by groups. The responses show that all
listed behavorial skills are considered important, regardless of where respondents reside.
Confidentiality and objectivity are the highest ranking skills for all groups. Considering the contents
of The IIA’s Code of Ethics and the Standards, the uniformity of this perception among practitioners
globally is very important. Almost universally the lowest rankings by Practitioner groups are for
staff management, facilitating, and leadership. Staff management has a mean of more than 4.0
only for groups 12 and 7. For the other groups, the mean varies from 3.4 for group 10 to 4.0 for
group 3. Regarding leadership, group 12 considers this behavioral skill to be very important (4.6) to
perform audit work, while groups 5 and 6 assign leadership a much lower value (3.7).
Table 7-5-1
Importance of Behavioral Skills to Perform Work by Groups*
Practitioner Respondents in Means**
Behavioral Skills
1
2
3
4
5
6
7
8
9
10
11
12 N/C***
Confidentiality
Facilitating
Governance and ethics
sensitivity
Interpersonal skills
Leadership
Objectivity
Relationship building
Staff management
Team building
Team player
Work well with all
levels of management
Working independently
4.8
4.1
4.3
4.7
4.1
4.4
4.8
3.9
4.4
4.6
3.8
4.2
4.7
4.1
4.2
4.8
3.8
4.1
4.9
4.3
4.6
4.7
3.9
4.2
4.7
4.1
4.2
4.7
3.5
4.3
4.7
4.0
4.1
4.9
4.0
4.4
4.7
4.0
4.3
4.6
4.3
4.7
4.5
3.9
4.1
4.3
4.4
4.7
4.3
4.8
4.5
3.7
4.0
4.2
4.3
4.6
4.2
4.8
4.5
4.0
4.1
4.2
4.3
4.5
4.0
4.7
4.2
3.8
4.1
4.1
4.1
4.5
3.7
4.7
4.2
3.7
4.0
4.2
4.1
4.3
3.7
4.7
4.0
3.5
3.7
4.0
4.3
4.5
4.4
4.8
4.2
4.2
4.3
4.5
3.9
4.3
3.8
4.7
4.2
3.8
4.0
4.2
3.7
4.3
4.1
4.7
4.3
3.9
4.0
4.1
4.4
4.3
3.8
4.8
4.1
3.4
3.7
4.0
4.3
4.5
4.2
4.5
4.2
3.9
4.1
4.2
4.3
4.7
4.6
4.8
4.5
4.5
4.5
4.4
4.4
4.4
4.0
4.7
4.2
3.8
4.0
4.2
4.1
4.7
4.7
4.7
4.3
4.5
4.5
4.6
4.4
4.4
4.6
4.5
4.6
4.4
*For a list of groups, please see Appendix 1-B.
**The mean is the average response to: 1 = minimally important to 5 = very important.
***N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 299
Summary
For their own position, CAEs indicate understanding the business and risk analysis as important
technical skills for them to possess. CAEs indicate noticeable difference in technical skills needed
between the various staff levels. Technical skills that are considered more important by CAEs for
the Audit Staff but less vital for themselves are data collection and analysis, identifying types of
controls, and use of information technology. CAEs considered other technical skills, such as
understanding the business, risk analysis, and negotiating, to be more important for themselves but
not as important for the Audit Staff or Audit Seniors/Supervisors.
Practitioners uniformly indicate the need for most of the technical skills and behavioral skills at
their own staff level. Practitioners consider most technical and behavioral skills listed to be important
to perform their work at their current position in the IAA. The results show that the CAEs and
Practitioners almost uniformly consider confidentiality and objectivity to be important behavioral
skills.
The Institute of Internal Auditors Research Foundation
300 A Global Summary of the Common Body of Knowledge 2006 ______________________
APPENDIX 7
Table 7-1-1-A
Most Important Technical Skills
for CAEs by Groups*
CAE Respondents in Percentages
Technical Skills
1
Data collection and
analysis
Financial analysis
Forensic skills/fraud
awareness
Identifying types of
controls (e.g.,
preventative, detective)
Interviewing
ISO/quality knowledge
Negotiating
Research skills
Risk analysis
Statistical sampling
Total quality
management
Understanding the
business
Use of information
technology
2
11.1 13.6
3
4
5
6
7
8
9
10
11
12
N/C**
9.0 39.5 27.9 11.7 21.9 14.3 17.5 16.7 11.6 12.5
16.8
37.7 23.5 38.8 44.2 38.8 35.0 28.1 34.6 40.0 26.2 39.1 12.5
45.4 34.6 35.1 68.6 46.7 35.8 43.9 37.6 42.5 33.3 53.6 25.0
32.8
38.9
26.6 34.6 14.9 53.5 32.1 29.2 28.9 38.3 57.5 35.7 30.4 25.0
32.8
35.2
13.1
70.1
14.5
76.1
3.2
30.3
25.0
12.5
50.0
50.0
62.5
0.0
25.0
37.4
16.8
49.6
16.0
61.8
7.6
29.8
83.9 86.4 88.8 53.5 65.5 72.3 74.6 83.8 57.5 88.1 82.6 75.0
59.5
28.9 27.2 35.1 32.6 36.4 12.4 39.5 17.7 40.0 26.2 37.7 50.0
24.4
46.9
14.8
77.8
28.4
80.2
6.2
24.7
38.8
24.6
75.4
28.4
74.6
3.7
38.1
39.5
25.6
54.7
19.8
74.4
18.6
34.9
47.9
29.7
69.1
42.4
69.1
12.7
50.3
36.5
15.3
70.8
19.0
70.8
3.6
32.1
24.6
29.8
65.8
20.2
74.6
13.2
43.0
40.2
21.4
77.4
21.8
82.0
7.5
28.2
45.0
20.0
55.0
22.5
75.0
15.0
42.5
47.6
11.9
57.1
9.5
71.4
0.0
19.0
33.3
34.8
65.2
33.3
78.3
11.6
46.4
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 301
Table 7-1-2-A
Most Important Technical Skills
for Audit Managers by Groups*
CAE Respondents in Percentages
Technical Skills
1
Data collection and
analysis
Financial analysis
Forensic skills/fraud
awareness
Identifying types of
controls (e.g.,
preventative, detective)
Interviewing
ISO/quality knowledge
Negotiating
Research skills
Risk analysis
Statistical sampling
Total quality
management
Understanding
business
Use of information
technology
2
3
4
5
6
7
8
12.7 18.5 14.9 27.9 18.2 10.9 13.2 14.3
9
10
11
12
N/C**
7.5 21.4 20.3 12.5
14.5
36.0 19.8 35.8 59.3 39.4 27.0 24.6 32.3 40.0 28.6 47.8 25.0
41.9 33.3 42.5 47.7 33.9 32.8 41.2 34.6 32.5 33.3 44.9 50.0
39.7
30.5
29.9 40.7 35.1 48.8 33.9 27.0 36.8 38.7 45.0 23.8 36.2 37.5
32.1
35.0
9.3
48.1
15.8
59.2
6.2
16.5
50.0
12.5
62.5
25.0
37.5
0.0
37.5
39.7
19.1
38.2
17.6
48.9
9.2
18.3
61.7 65.4 76.9 46.5 50.9 51.1 52.6 60.2 45.0 64.3 63.8 50.0
44.3
33.2 28.4 31.3 25.6 37.0 14.6 32.5 22.6 40.0 23.8 47.8 37.5
28.2
45.7
12.3
54.3
21.0
60.5
6.2
13.6
42.5
16.4
59.0
22.4
72.4
8.2
17.9
47.7
32.6
60.5
18.6
64.0
9.3
48.8
38.8
26.1
50.9
30.3
49.7
7.9
34.5
34.3
16.1
46.7
17.5
51.1
10.9
16.1
23.7
27.2
49.1
28.1
64.9
14.9
24.6
42.5
17.7
50.8
21.1
60.9
12.0
18.8
47.5
15.0
45.0
10.0
65.0
15.0
37.5
35.7
4.8
28.6
14.3
47.6
4.8
16.7
40.6
30.4
60.9
31.9
69.6
18.8
31.9
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
302 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 7-1-3-A
Most Important Technical Skills for
Audit Seniors/Supervisors by Groups*
CAE Respondents in Percentages
Technical Skills
1
Data collection and
analysis
Financial analysis
Forensic skills/fraud
awareness
Identifying types of
controls (e.g.,
preventative, detective)
Interviewing
ISO/quality knowledge
Negotiating
Research skills
Risk analysis
Statistical sampling
Total quality
management
Understanding the
business
Use of information
technology
2
3
4
5
6
7
8
9
10
11
12
N/C**
34.8 37.0 41.8 44.2 32.1 30.7 33.3 29.7 40.0 23.8 34.8 62.5 26.0
35.2 22.2 42.5 46.5 38.8 35.8 42.1 33.8 37.5 26.2 50.7 25.0 33.6
33.1 28.4 29.9 38.4 28.5 29.9 36.8 26.7 40.0 23.8 43.5 50.0 27.5
43.8 46.9 55.2 55.8 37.0 41.6 53.5 45.5 45.0 33.3 56.5 37.5 39.7
42.6
3.9
20.6
27.4
35.3
18.4
6.0
42.0
4.9
24.7
29.6
40.7
14.8
4.9
53.0
3.0
24.6
20.1
57.5
20.9
11.2
50.0
40.7
41.9
38.4
55.8
20.9
36.0
33.9
22.4
15.8
37.6
33.3
20.6
12.7
52.6
6.6
36.5
30.7
38.7
21.9
6.6
36.8
24.6
21.1
42.1
54.4
32.5
19.3
48.5
10.5
23.7
36.1
48.1
22.2
10.2
32.5
20.0
27.5
30.0
35.0
20.0
17.5
42.9
4.8
23.8
11.9
40.5
4.8
7.1
52.2
24.6
33.3
26.1
42.0
34.8
17.4
37.5
25.0
25.0
12.5
37.5
37.5
12.5
42.7
13.7
19.1
25.2
42.7
19.8
15.3
45.5 45.7 56.7 47.7 27.3 43.8 40.4 38.7 52.5 61.9 50.7 37.5 39.7
37.9 33.3 46.3 30.2 35.2 23.4 47.4 36.5 55.0 28.6 50.7 50.0 31.3
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
_______________________________________________ Chapter 7: Internal Audit Skills 303
Table 7-1-4-A
Most Important Technical Skills for
Audit Staff by Groups*
CAE Respondents in Percentages
Technical Skills
1
Data collection and
analysis
Financial analysis
Forensic skills/fraud
awareness
Identifying types of
controls (e.g.,
preventative, detective)
Interviewing
ISO/quality knowledge
Negotiating
Research skills
Risk analysis
Statistical sampling
Total quality
management
Understanding the
business
Use of information
technology
2
3
4
5
6
7
8
9
10
11
12
N/C**
78.8 72.8 78.4 77.9 79.4 78.1 80.7 77.4 75.0 66.7 85.5 87.5
66.4
37.0 27.1 31.3 33.7 33.9 27.0 49.1 34.6 42.5 19.0 46.4 37.5
21.9 13.6 24.6 22.1 25.5 23.4 21.1 13.9 30.0 16.7 23.2 12.5
29.0
18.3
58.6 61.7 73.1 38.4 32.1 37.2 59.6 48.1 42.5 45.2 53.6 62.5
38.9
62.1
1.6
4.6
47.0
19.8
26.0
1.1
62.3 62.5
14.4 0.0
11.6 0.0
18.8 0.0
21.7 25.0
39.1 25.0
5.8 0.0
47.3
13.7
3.8
34.3
28.2
27.5
3.8
47.3 45.7 54.5 64.0 29.1 54.7 36.8 33.1 40.0 69.0 55.1 50.0
45.8
44.7 45.7 46.3 70.9 66.7 42.3 62.3 59.7 72.5 45.2 53.6 75.0
45.8
58.0
2.5
8.6
42.0
33.3
23.4
1.2
70.9
0.7
8.21
21.6
40.3
23.9
3.7
27.9
46.5
9.3
41.8
25.6
39.5
20.9
64.2
15.1
14.5
51.5
27.3
36.9
5.4
64.2
4.4
10.2
48.9
24.8
25.5
2.2
44.7
13.1
5.2
39.8
43.0
39.5
6.1
56.8
9.4
9.0
39.8
34.2
36.1
5.3
32.5
7.5
15.0
40.0
42.5
37.5
7.5
59.5
23.8
4.8
19.0
50.0
7.1
0.0
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: Each CAE respondent was able to select five technical skills from the provided list for each staff level.
The Institute of Internal Auditors Research Foundation
304 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS
Chapter 8
Chapter 8: Internal Auditor Competencies .......................................................................... 305
Introduction......................................................................................................................... 305
Competencies...................................................................................................................... 307
Areas of Knowledge ........................................................................................................... 323
Summary ............................................................................................................................. 331
Appendix 8.......................................................................................................................... 332
Disclosure
Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland
Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of
America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior
written permission of the publisher.
The IIARF publishes this document for informational and educational purposes. This document is intended
to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide
such advice and makes no warranty as to any legal or accounting results through its publication of this
document. When legal or accounting issues arise, professional assistance should be sought and retained.
The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full
range of existing and developing practice guidance for the profession. The IPPF provides guidance to
internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA
Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting
research and knowledge resources to enhance the development and effectiveness of the internal auditing
profession.
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 305
CHAPTER 8
INTERNAL AUDITOR COMPETENCIES
Introduction
Internal auditors at all levels need to obtain and develop a range of competencies and knowledge
that enable them to perform their work effectively and enable the internal audit activity (IAA) to
function properly. This chapter summarizes the fundamental competencies and the areas of knowledge
needed by practicing internal auditors today. Competencies range from generally applicable individual
competencies, such as time management and presentation competencies, to abilities such as being
able to work through an issue to find the root cause of a problem area. Internal auditors also must
have different competencies to be successful at a given staff position within the IAA. This chapter
addresses the range of internal audit competencies at the CAE, Audit Manager, Audit Senior/
Supervisor, and Audit Staff levels and areas of knowledge at all staff levels except CAE.
Certain competencies and knowledge are essential for the success of an individual internal auditor,
the audit process, and the overall success of the IAA. Standard 1210, Proficiency, states, “Internal
auditors should possess the knowledge, skills, and other competencies needed to perform their
individual responsibilities,” and Standard 1230, Continuing Professional Development, states, “Internal
auditors should enhance their knowledge, skills, and other competencies through continuing
professional development.” Internal auditors must continually update their competencies and
knowledge to remain current. The importance of competencies is also highlighted as one of four
principles in The IIA’s Code of Ethics.
Internal auditors at all staff levels need to obtain and develop a range of competencies and abilities
that enable them to perform their work effectively. These competencies range from generally
applicable individual competencies to qualities that are specific to internal auditors. Since Practice
Advisory 1210-1, Proficiency, requires that “The internal audit staff should collectively possess the
knowledge and skills essential to the practice of the profession within the organization,” each
individual internal auditor need not possess all competencies and abilities in each knowledge area.
It is the responsibility of the CAE to insure that the IAA collectively possesses or have access to
the needed competencies and abilities. When assigning staff to an audit, the CAE must consider
whether they are qualified and competent in the areas being audited. This implies that different
competencies and knowledge are appropriate for those in different staff levels in the IAA. An
assessment of auditor abilities and competencies within the IAA should be completed annually to
ensure the staff remains proficient and current, collectively and individually.
The Institute of Internal Auditors Research Foundation
306 A Global Summary of the Common Body of Knowledge 2006 ______________________
This chapter addresses respondents’ perception of the importance of a set of competencies and
knowledge areas to their job performance at their staff level in the IAA. Respondents were also
asked to determine those competencies that change in importance as one goes up the IAA hierarchy.
Table 8-1 lists the competencies and knowledge areas developed from The IIA’s Standards,
Practice Advisories, internal auditing literature, past CBOK studies, and the CBOK 2006 pilot
study. As a guide for respondents, competencies were defined in the survey as “competencies
essential to perform certain tasks.” Respondents could not amend or add to the list of competencies
or knowledge areas provided in the survey.
Table 8-1
Competencies and Knowledge Areas Included in the Survey
Competencies
Ability to promote the internal audit
activity within the organization
Analytical (ability to work through
an issue)
Change management
Communication
Conceptual thinking
Conflict resolution
Critical thinking
Foreign language skills
Keeping up to date with professional
changes in opinions, standards, and
regulations
Organization skills
Presentation skills
Problem identification and solution
Project planning and management
Report development
Time management
Training and developing staff
Understanding complex information
systems
Writing skills
Knowledge Areas
Accounting
Auditing
Business law and government regulation
Business management
Changes to professional standards
Enterprise risk management
Ethics
Finance
Fraud awareness
Governance
Human resource management
Information technology
Internal auditing standards
Managerial accounting
Marketing
Organization culture
Organizational systems
Strategy and business policy
Technical knowledge for your industry
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 307
The number of respondents answering a specific question will often differ from the 9,366 total
respondents in this study. This is due to the following reasons:
•
•
Not all of those that participated in the survey answered all of the questions asked. Results
are shown and discussed only for those respondents who answered a particular survey
question.
Not all questions were asked of all respondents.
o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).
o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).
o Some questions were asked of both CAEs and Practitioners.
Some participants’ responses are presented according to the respondents’ position in the IAA.
These more detailed summaries of results may be provided for the four categories of respondents:
CAEs, Audit Managers, Audit Senior/Supervisor, and Audit Staff.
When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.
For a list of groups, please refer to Appendix 1-B of the report. For example, Table 8-2 is the total
of all respondents for that question with a related table 8-2-1 showing the responses by group. A
table can have more than one related table, where the second related table would be Table 8-2-2.
Additional related tables may be located in Appendix 8 at the end of this chapter. A table that is in
the Appendix can be clearly identified by an “A” at the end of its number. For example, Table 8-31-A is located in Appendix 8.
Competencies
CAE Respondents
Chief audit executives (CAEs) were asked to identify the five most important competencies they
need to possess in order to be successful as the leader of their IAA. They were also asked to
identify the five most important competencies that Audit Manager, Audit Senior/Supervisor, and
Audit Staff each need to perform their jobs. The results can be used to identify similarities among
the CAEs’ responses.
Successful completion of the IAA annual plan requires that the internal audit staff possess the
proper competencies crucial for the nature and extent of the activities performed at various levels
The Institute of Internal Auditors Research Foundation
308 A Global Summary of the Common Body of Knowledge 2006 ______________________
of responsibility. Practice Advisory 2030-1, Resource Management, suggests that CAEs select
“individuals who are qualified and competent regarding the areas being audited and in applying
internal auditing skills.” From the eighteen competencies that were listed in this question, CAEs
were asked to indicate the five most important for various professional staff levels in the IAA.
Table 8-2 provides an overall view of the skills that CAEs commonly chose as important for those
performing internal auditing activities at the CAE, Audit Manager, Audit Senior/Supervisor, and
Audit Staff levels. Their responses are presented in percentages by frequency of response. High
percentages in Table 8-2 indicate the competencies received strong common support from CAEs
regarding the importance of these competencies.
Table 8-2
Most Important Competencies by Staff Level
CAE Respondents (2,092 ) in Percentages
Ability to promote the internal audit activity within
the organization
Analytical (ability to work through an issue)
Change management
Communication
Conceptual thinking
Conflict resolution
Critical thinking
Foreign language skills
Keeping up to date with professional changes in
opinions, standards, and regulations
Organization skills
Presentation skills
Problem identification and solution
Project planning and management
Report development
Time management
Training and developing staff
Understanding complex information systems
Writing skills
CAE
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
78.1
28.3
10.9
9.3
24.9
34.7
60.3
38.0
41.2
31.3
13.4
41.3
31.5
20.4
46.7
20.7
35.3
26.3
10.8
31.0
47.7
7.6
43.2
16.1
20.2
31.0
8.1
22.9
63.9
4.1
51.9
17.8
7.2
43.9
12.4
22.5
30.3
37.4
21.6
24.7
13.0
15.8
30.1
12.4
23.6
27.9
25.5
23.8
35.7
23.0
18.7
38.2
14.9
24.2
22.0
15.5
34.5
24.3
27.3
28.2
20.9
16.1
32.0
20.9
13.0
47.0
7.1
22.1
40.2
2.6
16.3
51.0
Note: Each CAE respondent was able to select the five most important competencies from the provided list for each staff
level.
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 309
CAEs identified communication as highly important for all staff levels. This supports Practice
Advisory 1210-1, Proficiency, which states, “Internal auditors should be skilled in oral and written
communication.” Foreign language skills was the only competency identified as being of low
importance for all staff levels.
The other 16 competencies show changing relative importance when going up or down the staff
levels of the IAA. This is in keeping with the intent of the Standards, which suggests that skills and
competencies vary in importance among the staff of the IAA.
Important Competencies Identified by CAEs for Staff Levels
As shown in Table 8-2, there is relative consistency in the identification of the most important
competencies for the Audit Staff and the Audit Senior/Supervisor levels. This is not the case for
the Audit Manager and CAE positions which have increasing oversight responsibility.
Keeping current with professional changes is important for all members of the IAA. Standard
1230, Continuing Professional Development, states that internal auditors “...enhance their knowledge,
skills, and other competencies through continuing professional development.” Despite the critical
nature of the acquisition of knowledge for the success of the IAA as a whole, this competency was
not commonly indicated by CAE respondents as one of the most important for any of the staff
levels.
CAE
When looking at Table 8-2, the two highest percentages for CAEs are the ability to promote the
IAA within the organization (78.1%) and communication (60.3%). This is consistent with Standard
2000, Managing the Internal Audit Activity, which states that the CAE “...should effectively manage
the internal audit activity to ensure it adds value to the organization.” Standard 2020, Communication
and Approval, states, “The chief audit executive should communicate the internal audit activity’s
plans…to senior management and to the board for review and approval.” Standard 2060, Reporting
to the Board and Senior Management, states, “The chief audit executive should report periodically
to the board and senior management on the internal audit activity’s purpose, authority, responsibility,
and performance relative to its plan. Reporting should also include significant risk exposures and
control issues, corporate governance issues, and other matters needed or requested by the board
and senior management.”
The Institute of Internal Auditors Research Foundation
310 A Global Summary of the Common Body of Knowledge 2006 ______________________
The major role the CAE respondents identified for themselves is to communicate and promote the
IAA to senior members of management and the board. CAE respondents commonly indicated the
most important competencies that they should possess are:
•
•
•
•
•
Ability to promote the IAA within the organization (78.1%).
Communication (60.3%).
Keeping up to date with professional changes in opinions, standards, and regulations (41.3%).
Conflict resolution (41.2%).
Conceptual thinking (38.0%).
While CAEs strongly support their perception of the most important competencies at their level,
the majority of the respondents also show that a wide range of other competencies are valued.
CAEs should also excel in presentation skills (37.4%) and change management (34.7%). CAEs
did not identify time management (15.8%), foreign language skills (13.4%), report development
(13.0%), and understanding complex information systems (12.4%) as important for someone in
their position to possess.
Audit Manager
CAE respondents identified the following competencies as most important for Audit Managers:
•
•
•
•
•
•
Communication (46.7%)
Training and developing staff (38.2%)
Project planning and management (35.7%)
Conflict resolution (35.3%)
Analytical (31.5%)
Keeping up to date with professional changes in opinions, the Standards, and regulations
(31.0%)
Communication skills are perceived by the CAE respondents as an essential part of the Audit
Manager’s skills. Competencies that CAEs did not identify as critical for Audit Managers are
change management (20.4%), time management (18.7%), understanding complex information
systems (14.9%), and foreign language skills (10.8%).
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 311
At the Audit Manager level, some skills learned at lower levels are mastered. As indicated in Table
8-2, skills for which CAE respondents believe relative importance diminishes from Audit Staff to
Audit Manager levels are:
•
•
•
•
Analytical (from 63.9% to 31.5%).
Writing skills (from 51.0% to 24.2%).
Problem identification and solution (from 47.0% to 23.8%).
Time management (from 40.2% to 18.7%).
Comparing data related to Audit Managers with those of Audit Staff, skills that show a trend of
increasing importance are:
•
•
•
•
Training and developing staff (2.6% to 38.2%).
Project planning and management (7.1% to 35.7%).
Conflict resolution (7.2% to 35.3%).
Ability to promote the IAA within the organization (9.3% to 28.3%).
Audit Senior/Supervisor
For the Audit Senior/Supervisor, CAEs commonly indicated that the most important competencies
were:
•
•
•
•
•
Analytical (47.7%).
Communication (43.2%).
Problem identification and solution (34.5%).
Writing skills (32.0%).
Critical thinking (31.0%).
Even though not commonly identified as one of the most important competencies for Audit Senior/
Supervisor, note that CAEs respondents gave higher percentages for report development (27.3%),
project planning (24.3%), and training and developing staff (20.9%) for the Audit Senior/Supervisor
level than for Audit Staff. Competencies that CAEs do not consider critical for Audit Senior/
Supervisor are presentation skills (15.5%), ability to promote the IAA (10.9%), foreign language
skills (8.1%), and change management (7.6%).
The Institute of Internal Auditors Research Foundation
312 A Global Summary of the Common Body of Knowledge 2006 ______________________
Audit Staff
In Table 8-2 the competency commonly indicated as the most important by CAEs for the Audit
Staff is analytical (ability to work through an issue) (63.9%). This supports Standard 2320, Analysis
and Evaluation, which states that internal auditors “base conclusions and engagement results on
appropriate analyses and evaluations.” The CAE respondents indicated the following as the most
important competencies for the Audit Staff level:
•
•
•
•
•
Analytical (63.9%)
Communication (51.9%)
Writing skills (51.0%)
Problem identification and solution (47.0%)
Critical thinking (43.9%)
Competencies that CAEs indicate are not as critical for Audit Staff members to possess at this
point in their internal auditing career are conflict resolution (7.2%), project planning and management
(7.1%), change management (4.1%), and training and developing staff (2.6%).
CAE Respondents by Staff Level for Groups
Tables 8-2-1 (CAE), 8-2-2 (Audit Manager), 8-2-3 (Audit Senior/Supervisor), and 8-2-4 (Audit
Staff) show CAE respondents’ percentages for the five most important competencies for the 13
groups.
Table 8-2-1 highlights the competencies CAEs value for their own job performance. Overwhelmingly,
CAEs in all groups find it critically important to be able to promote the IAA within the organization
and to have the ability to communicate in general. CAEs indicate variability in importance by group
on their competencies in change management, conceptual thinking, foreign language skills, report
development, and time management.
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
21.0
37.0
64.2
45.7
37.0
32.1
2.5
37.0
22.2
39.5
23.5
23.5
7.4
12.3
27.2
9.9
24.7
21.0
28.1
67.0
37.0
37.5
31.1
2.6
40.4
20.9
44.3
13.7
20.0
8.1
10.4
24.9
8.4
27.0
25.4
9.0
7.5
9.0
26.9
28.4
26.9
39.6
14.9
53.7
60.4
41.0
38.8
26.9
2.2
38.8
20.1
88.8
3
18.6
15.1
24.4
31.4
44.2
38.4
38.4
30.2
36.0
33.7
52.3
24.4
40.7
30.2
31.4
52.3
39.5
80.2
4
27.9
21.2
21.2
33.9
41.2
33.9
50.9
41.8
31.5
26.7
49.1
58.2
53.3
33.9
32.7
41.8
33.9
80.6
5
13.1
5.1
2.2
10.2
25.5
13.1
33.6
19.7
14.6
34.3
48.9
43.8
42.3
24.8
13.9
29.2
19.7
80.3
6
23.7
26.3
26.3
18.4
35.1
36.0
34.2
24.6
27.2
53.5
55.3
32.5
39.5
35.1
38.6
53.5
37.7
80.7
7
19.5
13.9
20.7
22.6
38.7
32.0
46.6
30.5
35.3
44.4
62.0
32.0
51.1
31.2
25.9
45.5
26.3
82.3
8
20.0
20.0
22.5
22.5
35.0
35.0
27.5
40.0
37.5
40.0
45.0
37.5
42.5
37.5
27.5
35.0
20.0
80.0
9
19.0
7.1
4.8
2.4
33.3
11.9
31.0
47.6
26.2
4.8
76.2
16.7
14.3
40.5
11.9
31.0
35.7
64.3
10
27.5
20.3
20.3
20.3
33.3
30.4
31.9
39.1
29.0
53.6
60.9
55.1
47.8
46.4
14.5
46.4
27.5
72.5
11
17.6
18.3
0.0
15.3
16.8
23.7
17.6
26.0
29.0
19.1
28.2
48.9
29.8
36.6
26.0
12.2
38.9
25.2
71.0
N/C**
12.5
25.0
0.0
12.5
0.0
25.0
37.5
12.5
37.5
37.5
25.0
75.0
12.5
0.0
50.0
0.0
75.0
12
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: Each CAE respondent was able to select the five most important competencies from the provided list for each staff level.
84.0
75.1
Ability to promote the
internal audit activity
within the organization
Analytical (ability to
work through an issue)
Change management
Communication
Conceptual thinking
Conflict resolution
Critical thinking
Foreign language skills
Keeping up to date with
professional changes
in opinions, standards,
and regulations
Organization skills
Presentation skills
Problem identification
and solution
Project planning and
management
Report development
Time management
Training and
developing staff
Understanding
complex information
systems
Writing skills
2
1
Competencies
Table 8-2-1
Most Important Competencies for CAE by Groups*
CAE Respondents in Percentage
______________________________________ Chapter 8: Internal Auditor Competencies 313
314 A Global Summary of the Common Body of Knowledge 2006 ______________________
In Table 8-2-2 for Audit Manager, CAE respondents selected communication, project planning and
management, and training and developing staff as the most important skills for this staff level.
While there is generally consistency among the CAE respondents within the groups about the
importance of most of the competencies for Audit Manager, there are some outliers that place less
weight on certain competencies. In group 10, CAEs’ percentage for training and staff development
is only 14.3% while the next lowest value was 25.0% for CAEs in group 12. CAEs in six other
groups have values of 40% or higher for training and staff development. CAEs in ten groups had
percentages of 30% or more for project planning and management, but CAEs in groups 12 (12.5%)
and 6 (21.2%) had far fewer CAEs selecting this competency as being important for Audit Manager.
CAEs in group 2 (11.1%) had fewer respondents selecting change management as important than
CAEs in groups 4 (50%) and 12 (62.5%).
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
32.1
30.9
11.1
53.1
32.1
23.5
18.5
2.5
25.9
19.8
21.0
24.7
39.5
28.4
16.0
48.1
14.8
25.9
27.8
14.7
48.5
31.6
23.4
16.2
1.7
26.1
23.3
23.9
18.8
36.1
22.7
13.7
40.2
11.6
29.1
2
23.6
1
26.1
15.7
25.4
11.2
48.5
35.1
26.9
31.3
26.1
20.9
56.7
35.8
29.9
19.4
0.7
35.8
33.6
39.6
3
17.4
18.6
20.9
32.6
47.7
43.0
53.5
30.2
29.1
50.0
58.1
57.0
26.7
24.4
29.1
40.7
45.3
33.7
4
19.4
14.5
23.0
30.3
30.3
40.0
40.6
25.5
26.7
21.8
39.4
38.8
26.1
25.5
20.0
31.5
36.4
23.6
5
12.4
8.8
13.1
10.2
32.1
21.2
24.8
19.0
13.9
14.6
37.2
28.5
25.5
24.1
10.2
25.5
23.4
26.3
6
24.6
28.1
30.7
28.1
41.2
36.8
23.7
26.3
28.1
29.8
41.2
36.8
32.5
25.4
24.6
45.6
39.5
40.4
7
20.7
17.3
28.2
24.8
31.2
38.0
32.3
25.2
33.5
27.1
44.4
39.5
28.2
26.3
24.1
38.0
31.2
31.2
8
15.0
12.5
15.0
22.5
35.0
45.0
32.5
20.0
25.0
25.0
32.5
42.5
30.0
30.0
17.5
32.5
17.5
32.5
9
23.8
9.5
4.8
4.8
14.3
31.0
14.3
23.8
23.8
14.3
50.0
14.3
31.0
4.8
9.5
26.2
38.1
28.6
10
30.4
21.7
26.1
31.9
52.2
33.3
33.3
47.8
33.3
21.7
53.6
47.8
34.8
30.4
15.9
36.2
44.9
29.0
11
20.6
22.1
0.0
19.8
21.4
32.8
31.3
29.0
28.2
25.2
22.1
42.7
36.6
27.5
20.6
16.8
29.8
33.6
29.0
N/C**
25.0
25.0
0.0
25.0
12.5
12.5
0.0
37.5
62.5
50.0
37.5
12.5
37.5
0.0
25.0
37.5
37.5
12
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: Each CAE respondent was able to select the five most important competencies from the provided list for each staff level.
Ability to promote the
internal audit activity
within the organization
Analytical (ability to
work through an issue)
Change management
Communication
Conflict resolution
Critical thinking
Conceptual thinking
Foreign language skills
Keeping up to date
with professional
changes in opinions,
standards, and
regulations
Organization skills
Presentation skills
Problem identification
and solution
Project planning and
management
Report development
Time management
Training and
developing staff
Understanding
complex information
systems
Writing skills
Competencies
Table 8-2-2
Most Important Competencies for Audit Manager by Groups*
CAE Respondents in Percentages
______________________________________ Chapter 8: Internal Auditor Competencies 315
316 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 8-2-3 highlights the CAE respondents’ group results for Audit Senior/Supervisor. There is
relative consistency among the CAEs’ selections of the most important and least important
competencies for this staff level. CAEs in group 12 did not support the importance of change
management, foreign language skills, presentation skills, or writing skills (00.0%). CAEs in group 4
consider project planning and management to be very important (40.7%), but only 9.1% CAEs in
group 5 selected this competency to be one of the top five competencies. CAEs in group 3 believe
that writing skills are important (41.0%), but CAEs in group 4 believe they are less significant for
the Audit Senior/Supervisor (17.4%). CAEs in group 7 believe that keeping up to date with
professional changes in opinions, standards, and regulations is fundamental (42.1%), but CAEs in
group 10 believe that this element is not critical for the Audit Senior/Supervisor (14.3%).
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
8.6
51.9
4.9
43.2
14.8
22.2
11.1
1.2
16.0
18.5
13.6
37.0
29.6
23.5
30.9
24.7
14.8
32.1
46.2
4.8
44.6
17.5
31.5
12.8
1.7
14.5
24.1
10.3
31.4
26.6
25.3
25.3
22.2
11.4
36.5
2
8.1
1
41.0
17.2
35.8
38.8
25.4
31.3
17.9
14.2
42.5
2.2
51.5
20.1
20.9
10.4
1.5
21.6
56.7
16.4
3
17.4
20.9
23.3
40.7
38.4
40.7
29.1
29.1
52.3
25.6
53.5
32.6
25.6
25.6
20.9
36.0
57.0
23.3
4
26.1
18.2
24.2
24.8
13.3
9.1
16.4
15.2
33.3
10.3
40.6
17.0
30.3
13.9
12.1
27.9
43.0
6.7
5
29.2
20.4
14.6
23.4
11.7
24.1
21.9
18.2
27.7
5.8
38.7
21.9
38.0
21.2
11.7
25.5
51.8
5.8
6
31.6
21.1
40.4
28.9
29.8
21.9
23.7
22.8
36.8
15.8
37.7
28.1
36.8
19.3
14.0
42.1
51.8
18.4
7
26.7
21.1
37.6
31.6
13.9
20.3
21.1
20.3
34.2
9.0
32.0
22.9
37.2
22.2
20.7
33.8
44.0
9.0
8
22.5
22.5
27.5
35.0
27.5
20.0
20.0
17.5
37.5
17.5
42.5
25.0
27.5
27.5
17.5
37.5
47.5
22.5
9
23.8
4.8
19.0
9.5
11.9
14.3
9.5
14.3
33.3
7.1
42.9
14.3
33.3
7.1
7.1
14.3
54.8
14.3
10
39.1
23.2
27.5
44.9
24.6
30.4
30.4
30.4
46.4
10.1
59.4
29.0
21.7
21.7
10.1
27.5
49.3
15.9
11
17.6
29.0
0.0
23.7
23.7
18.3
19.8
19.1
16.8
32.1
5.3
45.0
16.8
29.8
18.3
8.4
19.1
39.7
16.0
N/C**
25.0
25.0
12.5
25.0
12.5
12.5
0.0
37.5
0.0
62.5
50.0
12.5
12.5
0.0
37.5
75.0
25.0
12
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: Each CAE respondent was able to select the five most important competencies from the provided list for each staff level.
Ability to promote the
internal audit activity
within the organization
Analytical (ability to
work through an issue)
Change management
Communication
Conflict resolution
Critical thinking
Conceptual thinking
Foreign language skills
Keeping up to date
with professional
changes in opinions,
standards, and
regulations
Organization skills
Presentation skills
Problem identification
and solution
Project planning and
management
Report development
Time management
Training and developing
staff
Understanding complex
information systems
Writing skills
Competencies
Table 8-2-3
Most Important Competencies for Audit Senior/Supervisor by Groups*
CAE Respondents in Percentages
______________________________________ Chapter 8: Internal Auditor Competencies 317
318 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 8-2-4 shows that for Audit Staff there are uniformly low percentages for training and
developing staff, project planning and management, change management, and conflict resolution.
CAE respondents consider analytical ability and communication to be by far the most important
competencies for the Audit Staff in all groups.
There is variability among the CAE respondents among some groups for some competencies.
Foreign language skills vary from a low of 3.2% in group 1 to a high of 29.1% for group 4. Group
6 believes that critical thinking is very important for Audit Staff (58.4 %) while group 4 considers
this much less important (19.8%). Keeping up to date with professional changes in opinions,
standards, and regulations is considered vital by responding CAEs in group 7 (51.8%) and significantly
less important for group 1 (10.4%). While responding CAEs in Group 4 believe that presentation
skills are very important (50.0%) for Audit Staff, no CAEs in group 12 selected this competency as
important. The range of percentages for responding CAEs for report development is 8.0% for
group 6 to 59.3% for group 4.
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
7.4
67.9
1.2
53.1
14.8
2.5
38.3
3.7
17.3
16.0
9.9
59.3
11.1
17.3
50.6
0.0
9.9
55.6
68.4
2.6
58.1
13.7
5.9
47.4
3.2
10.4
33.3
7.1
51.5
7.2
13.4
46.2
1.1
9.6
53.7
2
6.6
1
58.2
11.9
17.9
58.2
1.5
11.2
13.4
10.4
52.2
1.5
61.9
9.0
6.7
34.3
5.2
25.4
70.9
16.4
3
47.7
34.9
59.3
50.0
11.6
9.3
18.6
50.0
51.2
10.5
45.3
29.1
11.6
19.8
29.1
38.4
41.9
10.5
4
57.0
20.0
26.7
25.5
3.0
4.8
6.7
16.4
41.8
6.7
61.2
13.9
12.7
39.4
21.8
30.9
66.1
4.8
5
45.3
24.8
8.0
29.9
1.5
5.1
13.9
6.6
44.5
4.4
46.0
19.7
9.5
58.4
23.4
27.7
65.7
8.0
6
54.4
24.6
30.7
29.8
3.5
7.0
15.8
16.7
39.5
8.8
41.2
30.7
7.9
45.6
14.9
51.8
59.6
15.8
7
46.2
19.9
36.5
35.3
4.1
6.0
12.4
15.0
37.6
6.4
30.1
29.3
7.9
49.2
27.8
30.8
57.5
9.0
8
42.5
30.0
37.5
35.0
5.0
5.0
17.5
15.0
47.5
7.5
57.5
25.0
10.0
30.0
22.5
37.5
70.0
27.5
9
38.1
14.3
19.0
11.9
2.4
9.5
2.4
23.8
42.9
2.4
57.1
11.9
2.4
50.0
9.5
23.8
71.4
9.5
10
53.6
18.8
23.2
42.0
5.8
5.8
21.7
15.9
47.8
1.4
58.0
18.8
7.2
33.3
14.5
20.3
59.4
13.0
11
37.5
25.0
37.5
50.0
0.0
0.0
0.0
0.0
25.0
0.0
62.5
25.0
12.5
37.5
12.5
12.5
50.0
25.0
12
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Note: Each CAE respondent was able to select the five most important competencies from the provided list for each staff level.
Ability to promote the
internal audit activity
within the organization
Analytical (ability to
work through an issue)
Change management
Communication
Conceptual thinking
Conflict resolution
Critical thinking
Foreign language skills
Keeping up to date with
professional changes in
opinions, standards, and
regulations
Organization skills
Presentation skills
Problem identification
and solution
Project planning and
management
Report development
Time management
Training and
developing staff
Understanding complex
information systems
Writing skills
Competencies
Table 8-2-4
Most Important Competencies for Audit Staff Members by Groups*
CAE Respondents in Percentages
37.4
20.6
26.0
29.8
3.1
6.9
9.9
19.8
39.7
2.3
47.3
14.5
4.6
37.4
11.5
26.0
51.1
12.2
N/C**
______________________________________ Chapter 8: Internal Auditor Competencies 319
320 A Global Summary of the Common Body of Knowledge 2006 ______________________
Practitioner Respondents
The Practitioners were asked to indicate the importance of each of the eighteen competencies to
performing their jobs at their current position in their organization. The scale used to determine the
level of importance was 1 (minimally important) to 5 (very important). Table 8-3 shows the mean
responses by Practitioners for the eighteen competencies.
Table 8-3
Importance of Competencies to Perform Work
Practitioner Respondents in Means*
Competencies
Ability to promote the internal audit activity
within the organization
Analytical (ability to work through an issue)
Change management
Communication
Conceptual thinking
Conflict resolution
Critical thinking
Foreign language skills
Keeping up to date with professional changes
in opinions, standards, and regulations
Organization skills
Presentation skills
Problem identification and solution
Project planning and management
Report development
Time management
Training and developing staff
Understanding complex information systems
Writing skills
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
4.32
4.15
4.11
4.52
4.03
4.61
4.33
4.27
4.48
2.59
4.05
4.53
3.89
4.59
4.29
4.24
4.43
2.54
4.01
4.45
3.72
4.54
4.25
4.13
4.36
2.66
4.02
4.15
4.13
4.50
4.13
4.31
4.26
4.06
3.79
4.49
4.13
4.03
4.48
4.02
4.27
4.25
3.74
3.73
4.47
4.13
4.02
4.44
3.84
4.19
4.21
3.56
3.65
4.39
*The mean is the average response to: 1 = minimally important to 5 = very important.
Note: Not all respondents answered for all the competencies. Total number of respondents was between 4,693 and
4,735.
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 321
As indicated by only marginal differences in the means, Practitioners consider almost all of the
competencies equally important across the positional levels in the IAA. The only categories which
show some change between the Audit Staff level and the Audit Manager level are:
•
•
•
•
Ability to promote the IAA within the organization (4.11 to 4.32).
Project planning and management (3.84 to 4.13).
Change management (3.72 to 4.03).
Training and developing staff (3.56 to 4.06).
The competency categories for all levels with the most means below 4.0 are:
•
•
•
•
•
Foreign language skills (the lowest score of all categories analyzed with means between
2.54 and 2.66).
Understanding complex information systems (second lowest mean for all levels but still
somewhat important with means of 3.65 to 3.79).
Training and developing staff (a mean higher than 4.0 only for the Audit Manager category).
Change management (a mean higher than 4.0 only for the Audit Manager category).
Project planning and management (a mean higher than 4.0 for the Audit Senior /Supervisor
and Audit Manager categories).
Table 8-4 shows the ranking of the competency means for Practitioners. The consistent rankings
among the Audit Manager, Audit Senior/Supervisor, and Audit Staff levels are striking. Practitioners
indicate that many of the competencies are equally important across the hierarchical scale in the
IAA with only marginal differences in the ranks. The results highlight some similarities with the
responses of the CAE group. Communication is the most important for all professional levels. This
is consistent with Standard 2420, Quality of Communication, which states, “Communications should
be accurate, objective, clear, concise, constructive, complete, and timely.” This standard applies
for all internal auditors. The foreign language skills competency is indicated by respondents as the
least important for all Practitioners at all staff levels.
The Institute of Internal Auditors Research Foundation
322 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 8-4
Rankings of the Competencies by Staff Level
Practitioner Respondents by Rank
Competencies
Ability to promote the internal audit activity
within the organization
Analytical (ability to work through an issue)
Change management
Communication
Conceptual thinking
Conflict resolution
Critical thinking
Foreign language skills
Keeping up to date with professional changes
in opinions, standards, and regulations
Organization skills
Presentation skills
Problem identification and solution
Project planning and management
Report development
Time management
Training and developing staff
Understanding complex information systems
Writing skills
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
7
10
11
2
16
1
6
9
5
18
15
2
15
1
6
9
5
18
14
2
15
1
6
9/10
5
18
12/13
11
12/13
3
12/13
8
10
14
17
4
11
12
3
13
7
8
16
17
4
9/10
12/13
3
14
8
7
17
16
4
Note: In some cases the rankings were tied. For example, rankings of conflict resolution and organization skills at the
Audit Staff level were tied.
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 323
CAEs and Practitioners seem to approach the competencies differently. CAEs appear to be viewing
competencies appropriate for a positional level from a department manager’s perspective, while
Practitioners appear to view the need for a variety of competencies necessary for their success.
For Audit Managers especially, the difference between the CAE and the Audit Manager responses
is noticeable for the following competencies: training and development, project planning, writing
skills, problem identification and solution, and keeping up to date with professional changes in
opinions, standards, and regulations. The differences for the Audit Manager level may be reflective
of the transition from more operational duties to managerial duties. (CAEs and Practitioners were
asked to rank the same list of competencies but their methods differed. CAEs indicated the five
most important competencies for each audit staff level, while Practitioners ranked each competency
as it related to the competency’s importance for themselves to do their job.)
Practitioner Rankings by Groups
In Appendix 8, Tables 8-3-1-A (Audit Manager), 8-3-2-A (Audit Senior/Supervisor), and 8-3-3-A
(Audit Staff) show Practitioner responses for competencies broken out for the 13 groups. Foreign
language skills are universally the lowest ranked competency. For all groups, analytical ability,
communication, and problem identification and solution are the only abilities to receive means
above 4.0 for all three staff levels. For the three staff levels, understanding complex information
systems has a mean of more than 4.0 for only seven groups. In general after taking out the very
high and very low outliers among the groups, the responses show the perception that many skills
are important to the respondents regardless of where they reside. Considering the contents of The
IIA’s Code of Ethics and the Standards, the uniformity of this perception among practitioners
globally is very important. These tables indicate that the findings are relatively consistent between
the groups for the three staff levels.
Areas of Knowledge
Standard 1210, Proficiency states, “Internal auditors should possess the knowledge …needed to
perform their individual responsibilities.” Practice Advisory 1210-1, Proficiency, states, “Proficiency
means the ability to apply knowledge to situations likely to be encountered and to deal with them
without extensive recourse to technical research and assistance.” This section looks at 19 areas of
knowledge to determine which are important to internal auditors for the satisfactory performance
of their job at staff positions in the IAA.
The Institute of Internal Auditors Research Foundation
324 A Global Summary of the Common Body of Knowledge 2006 ______________________
Certain areas of knowledge are emphasized in the Standards and expanded upon in the Practice
Advisories:
•
•
•
•
•
Attribute Standard 1210 – “Internal auditors should possess the knowledge, skills, and
other competencies needed to perform their individual responsibilities.”
Attribute Standard 1210.A1 – “The chief audit executive should obtain competent advice
and assistance if the internal audit staff lacks the knowledge…needed to perform all or
part of the engagement.”
Practice Advisory 1210-1 – “An appreciation is required of the fundamentals of subjects
such as accounting, economics, commercial law, taxation, finance, quantitative methods,
and information technology.”
Practice Advisory 1210-1 – “Proficiency in accounting principles and techniques is required
of auditors who work extensively with financial records and reports.”
Practice Advisory 1210-1 – “An understanding of management principles is required.”
The areas of knowledge for this question were identified by reviewing the Standards and Practice
Advisories, internal auditing literature, past CBOK studies, and the current CBOK 2006 pilot
study. Based on this review, nineteen areas of knowledge were identified as being important for
internal auditors. The Practitioner Questionnaire asked respondents to indicate the importance of
these nineteen areas of knowledge to perform their work at their current position in their organization
on a scale of 1 (minimally important) to 5 (very important). Respondents were unable to amend or
add to the list. Table 8-5 shows an analysis of the three professional levels Audit Manager, Audit
Senior/Supervisor, and Audit Staff. Tables 8-5-1 (Audit Manager), 8-5-2 (Audit Senior/Supervisor),
and 8-5-3 (Audit Staff) list the areas of knowledge in descending order by mean.
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 325
Table 8-5
Importance of Areas of Knowledge to Perform Work
Practitioner Respondents in Means*
Areas of Knowledge
Accounting
Auditing
Business law and government regulation
Business management
Changes to professional standards
Enterprise risk management
Ethics
Finance
Fraud awareness
Governance
Human resource management
Information technology
Internal auditing standards
Managerial accounting
Marketing
Organization culture
Organizational systems
Strategy and business policy
Technical knowledge for your industry
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
3.83
4.68
3.68
3.75
3.71
3.85
4.21
3.70
4.00
3.95
3.44
3.85
4.19
3.35
2.70
3.91
3.75
3.73
3.97
3.77
4.66
3.70
3.60
3.64
3.74
4.18
3.68
3.93
3.80
3.23
3.84
4.19
3.30
2.60
3.79
3.76
3.61
3.92
3.71
4.61
3.68
3.53
3.68
3.71
4.26
3.64
3.91
3.77
3.15
3.79
4.24
3.27
2.64
3.82
3.78
3.60
3.96
*The mean is the average response to: 1 = minimally important to 5 = very important.
NOTE: Not all respondents answered for all the knowledge areas. Total number of respondents was between 4,711 and
4,751.
The means in Table 8-5 and the rankings in Table 8-6 indicate that knowledge of auditing is
overwhelmingly ranked first for all Practitioner respondents (4.61 to 4.68 for the Audit Staff through
Audit Manager). Ethics is ranked second (4.21 to 4.26) by all levels except for Audit Senior/
Supervisor (4.18, ranked 3). Areas of knowledge consistently ranked in the top five for all Practitioner
respondents are internal auditing standards, which is ranked second or third by all staff levels,
technical knowledge for your industry (3.92 to 3.97), and fraud awareness (3.91 to 4.00), which
are ranked either fourth or fifth for all Practitioner respondents.
The Institute of Internal Auditors Research Foundation
326 A Global Summary of the Common Body of Knowledge 2006 ______________________
There is unanimity in the ranking of the least important areas of knowledge for all Practitioner
respondents. Marketing at 19 is ranked the lowest (2.60 to 2.70), and human resource management
(3.15 to 3.44) and managerial accounting (3.27 to 3.35) are ranked either 18 or 17 for all respondents.
For the other areas of knowledge listed, Practitioner rankings vary.
Table 8-6
Importance of Areas of Knowledge to Perform Work
Practitioner Respondents by Staff Level
Areas of Knowledge
Accounting
Auditing
Business law and government regulation
Business management
Changes to professional standards
Enterprise risk management
Ethics
Finance
Fraud awareness
Governance
Human resource management
Information technology
Internal auditing standards
Managerial accounting
Marketing
Organization culture
Organizational systems
Strategy and business policy
Technical knowledge for your industry
Audit
Manager
Audit
Senior/
Supervisor
Audit
Staff
10
1
16
11
14
8
2
15
4
6
17
9
3
18
19
7
12
13
5
9
1
12
16
14
11
3
13
4
7
18
6
2
17
19
8
10
15
5
10
1
12
16
13
11
2
14
5
9
18
7
3
17
19
6
8
15
4
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 327
Audit Manager
Looking at Table 8-5-1, the five most important areas of knowledge that Audit Managers indicate
they should possess are:
1.
2.
3.
4.
5.
Auditing (4.68).
Ethics (4.21).
Internal auditing standards (4.19).
Fraud awareness (4.00).
Technical knowledge for your industry (3.97).
Table 8-5-1
Importance of Areas of Knowledge to Perform Work as Audit Manager
Practitioner Respondents in Means*
Areas of Knowledge
Auditing
Ethics
Internal auditing standards
Fraud awareness
Technical knowledge for your industry
Governance
Organization culture
Enterprise risk management
Information technology
Accounting
Business management
Organizational systems
Strategy and business policy
Changes to professional standards
Finance
Business law and government regulation
Human resource management
Managerial accounting
Marketing
Audit Manager
4.68
4.21
4.19
4.00
3.97
3.95
3.91
3.85
3.85
3.83
3.75
3.75
3.73
3.71
3.70
3.68
3.44
3.35
2.70
*The mean is the average response to: 1 = minimally important to 5 = very important.
Practitioners indicated that progression in hierarchical position in the IAA from Audit Staff to Audit
Manager results in no significant change in areas of knowledge that are fundamental to internal
The Institute of Internal Auditors Research Foundation
328 A Global Summary of the Common Body of Knowledge 2006 ______________________
auditors’ success. The focus on business management, enterprise risk management, and governance
does gain more importance. Marginally less crucial are business law and government regulation,
information technology, and organizational systems.
Audit Senior/Supervisor
Table 8-5-2 reveals that Audit Seniors/Supervisors indicate that the five most important areas of
knowledge fundamental to their job performance are:
1.
2.
3.
4.
5.
Auditing (4.66).
Internal auditing standards (4.19).
Ethics (4.18).
Fraud awareness (3.93).
Technical knowledge for your industry (3.92).
Table 8-5-2
Importance of Areas of Knowledge to Perform Work as
Audit Senior/Supervisor
Practitioner Respondents in Means*
Areas of Knowledge
Auditing
Internal auditing standards
Ethics
Fraud awareness
Technical knowledge for your industry
Information technology
Governance
Organization culture
Accounting
Organizational systems
Enterprise risk management
Business law and government regulation
Finance
Changes to professional standards
Strategy and business policy
Business management
Managerial accounting
Human resource management
Marketing
Audit Manager/Supervisor
4.66
4.19
4.18
3.93
3.92
3.84
3.80
3.79
3.77
3.76
3.74
3.70
3.68
3.64
3.61
3.60
3.30
3.23
2.60
*The mean is the average response to: 1 = minimally important to 5 = very important.
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 329
There is no area of knowledge that becomes more significant for this level than for the Audit Staff.
Audit Staff
Table 8-5-3 shows the five most important areas of knowledge that the Audit Staff believes are
fundamental for their job performance are:
1.
2.
3.
4.
5.
Auditing (4.61).
Ethics (4.26).
Internal auditing standards (4.24).
Technical knowledge for your industry (3.96).
Fraud awareness (3.91).
Table 8-5-3
Importance of Areas of Knowledge to Perform Work as Audit Staff
Practitioner Respondents in Means*
Areas of Knowledge
Auditing
Ethics
Internal auditing standards
Technical knowledge for your industry
Fraud awareness
Organization culture
Information technology
Organizational systems
Governance
Accounting
Enterprise risk management
Business law and government regulation
Changes to professional standards
Finance
Strategy and business policy
Business management
Managerial accounting
Human resource management
Marketing
Audit Staff
4.61
4.26
4.24
3.96
3.91
3.82
3.79
3.78
3.77
3.71
3.71
3.68
3.68
3.64
3.60
3.53
3.27
3.15
2.64
*The mean is the average response to: 1 = minimally important to 5 = very important.
The Institute of Internal Auditors Research Foundation
330 A Global Summary of the Common Body of Knowledge 2006 ______________________
Group Means for Areas of Knowledge
Tables 8-5-4-A (Audit Manager), 8-5-5-A (Audit Senior/Supervisor), and 8-5-6-A (Audit Staff)
show Practitioner mean responses for areas of knowledge broken out for the 13 groups. When
analyzed by groups there is evidence of a wide divergence of opinion for many knowledge areas.
There is a high level of consistency once very high and low rated knowledge areas by individual
groups are removed.
For Audit Managers in Table 8-5-4-A, auditing receives the highest means. Internal auditing standards
has means of 4.00 and above for all but one group and ethics is above 4.00 for all but two groups.
Group means for the Audit Senior/Supervisor level in Table 8-5-5-A are very similar to those of the
Audit Staff for the high and low ranking areas of knowledge. The other areas of knowledge means
are relatively close together for most of the groups.
For the Audit Staff (Table 8-5-6-A), auditing is critical for all groups with all means above 4.24.
Ethics (9 groups) and internal auditing standards (8 groups) receive rankings above 4.0 for the
majority of the groups. The low rankings continue to be low for human resource management,
managerial accounting, and marketing. Group 12 was the only group whose means for enterprise
risk management, ethics, organizational systems, and strategy and business policy are all 5.00,
indicating the respondents in this group believe that these knowledge areas are of the highest
importance for that group’s respondents.
The Institute of Internal Auditors Research Foundation
______________________________________ Chapter 8: Internal Auditor Competencies 331
Summary
The results show that the CAEs and Practitioners consider communication as the most important
competency for all members of the IAA. The CAE respondents believe that ability to promote the
IAA within the organization is overwhelmingly the most important competency that the CAE
should possess. The top two competencies deemed most important by the CAE for the Audit Staff
and Audit Senior/Supervisor are analytical and communication. The CAEs’ responses indicate a
difference among the competencies needed based on staff levels (Audit Staff, Audit Senior/
Supervisor, Audit Manager, CAE) while the Practitioner responses at each staff level generally
indicate that for their current position the competencies are equally important.
When viewing the importance of competencies across the array of hierarchical positions in the
IAA from CAE to the Audit Staff, the ability to promote the IAA within the organization, change
management, conflict resolution and training, and developing staff show a trend of increasing
importance at higher staff levels. Problem identification, time management, and writing competencies
noticeably decline in importance as an internal auditor advances to higher staff levels.
Areas of knowledge important to the respondents’ job performance were only ranked by Practitioners
and did not include CAEs in the rankings. They indicated that for all Practitioner levels, auditing is
the most important knowledge area followed by ethics and internal auditing standards. Fraud
awareness and technical knowledge of the respondents’ industry are the only other competencies
with rankings in the top five for all Practitioner respondents. There are no noticeable differences
based on comparisons of members of the audit staff and those at the Audit Senior/Supervisor level.
At the manager level, enterprise risk management marginally increases in importance. There is an
overall consistency of rankings of the knowledge areas by Practitioner respondents for all staff
levels.
When comparing the data for the 13 groups, differences relate to only a few competencies and
knowledge areas.
The Institute of Internal Auditors Research Foundation
The Institute of Internal Auditors Research Foundation
4.36
4.60
4.09
4.72
4.19
4.47
4.45
1.62
3.70
4.07
4.17
4.52
4.11
4.50
4.37
3.98
4.09
4.60
4.58
4.06
4.70
4.32
4.57
4.41
1.77
3.91
4.21
4.15
4.52
4.28
4.35
4.33
4.03
3.71
4.56
2
4.20
1
4.59
3.77
4.35
4.43
4.15
4.09
4.14
4.16
4.55
4.22
4.69
4.38
4.50
4.40
2.02
4.16
4.54
4.46
3
3.79
3.54
3.87
3.77
3.86
3.74
3.62
4.00
4.36
3.56
4.28
4.05
3.79
3.77
3.38
3.87
4.28
4.18
4
4.58
3.70
4.36
4.29
4.00
4.06
4.08
4.05
4.45
3.77
4.49
4.29
4.42
4.38
3.65
4.08
4.50
4.41
5
4.36
3.75
3.64
3.82
3.81
3.81
3.93
3.88
4.45
3.77
4.43
3.95
4.41
4.34
3.61
4.02
4.56
4.29
6
4.53
4.25
4.52
4.39
4.44
4.23
4.35
4.16
4.53
4.34
4.62
4.48
4.48
4.35
3.90
4.48
4.66
4.75
7
*For a list of groups, please see Appendix 1-B.
**The mean is the average response to: 1 = minimally important to 5 = very important.
***N/C = Respondents did not indicate affiliate or chapter membership.
Ability to promote the
internal audit activity
within the organization
Analytical (ability to
work through an issue)
Change management
Communication
Conflict resolution
Critical thinking
Conceptual thinking
Foreign language skills
Keeping up to date with
professional changes in
opinions, standards,
and regulations
Organization skills
Presentation skills
Problem identification
and solution
Project planning and
management
Report development
Time management
Training and
developing staff
Understanding
complex information
systems
Writing Skills
Competencies
4.67
4.61
4.31
4.33
4.50
4.39
4.33
4.39
4.50
4.89
4.33
4.53
4.56
4.72
4.72
4.00
4.56
4.72
4.83
9
3.68
4.30
4.17
4.06
3.90
4.20
4.11
4.49
3.94
4.51
4.21
4.39
4.05
3.59
4.15
4.32
4.33
8
4.33
3.75
4.25
3.81
3.60
4.00
3.94
4.25
4.44
3.81
4.50
3.88
4.44
4.38
3.69
4.33
4.50
4.06
10
4.52
3.90
4.38
4.44
4.00
4.13
4.00
4.28
4.42
3.96
4.54
4.21
4.40
4.33
3.00
4.10
4.37
4.14
11
4.92
4.33
4.67
4.83
4.50
4.42
4.33
4.50
4.58
4.42
4.75
4.58
4.92
4.50
3.25
4.50
4.67
4.83
12
Table 8-3-1-A
Importance of Competencies to Perform Work for Audit Manager by Groups*
Practitioner Respondents in Means**
APPENDIX 8
4.28
3.81
4.33
4.00
4.04
3.92
4.03
4.00
4.45
3.93
4.44
4.11
4.34
4.23
3.14
4.09
4.40
4.27
N/C***
332 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
4.08
4.71
3.89
4.79
4.39
4.16
4.53
1.55
3.71
4.26
3.97
4.66
4.08
4.47
4.37
3.68
3.61
4.55
4.58
3.95
4.67
4.39
4.31
4.53
1.81
3.86
4.23
4.11
4.51
4.17
4.28
4.34
3.65
3.64
4.53
2
4.06
1
4.57
3.98
4.43
4.43
3.82
4.04
4.14
3.93
4.56
4.09
4.72
4.26
4.33
4.45
1.90
4.18
4.57
4.24
3
3.90
3.67
4.02
3.78
3.71
3.76
3.48
3.94
4.24
3.76
4.48
3.80
4.18
3.88
3.36
4.22
4.36
4.28
4
4.59
3.55
4.24
4.19
3.77
3.91
4.10
4.04
4.52
3.70
4.56
4.38
4.36
4.34
3.46
4.06
4.56
4.18
5
4.41
3.71
3.41
3.66
3.28
3.43
3.83
3.76
4.34
3.41
4.32
4.32
3.72
4.43
3.66
4.04
4.57
4.15
6
4.58
4.09
4.56
4.41
4.16
4.07
4.33
4.04
4.50
4.24
4.56
4.31
4.35
4.52
3.61
4.40
4.60
4.48
7
*For a list of groups, please see Appendix 1-B.
**The mean is the average response to: 1 = minimally important to 5 = very important.
***N/C = Respondents did not indicate affiliate or chapter membership.
Ability to promote the
internal audit activity
within the organization
Analytical (ability to
work through an issue)
Change management
Communication
Conceptual thinking
Conflict resolution
Critical thinking
Foreign language skills
Keeping up to date with
professional changes in
opinions, standards,
and regulations
Organization skills
Presentation skills
Problem identification
and solution
Project planning and
management
Report development
Time management
Training and
developing staff
Understanding complex
information systems
Writing Skills
Competencies
4.29
3.65
4.38
4.14
3.79
3.80
4.01
3.99
4.41
3.76
4.36
4.05
4.08
4.27
3.29
4.05
4.29
4.04
8
4.32
3.95
4.50
3.90
3.41
3.86
3.73
3.95
4.14
3.68
4.14
4.05
4.00
4.24
3.36
3.73
4.55
4.36
9
4.36
3.68
4.00
3.80
3.56
4.20
3.71
4.12
4.56
3.36
4.58
4.08
3.76
4.40
3.68
4.17
4.56
4.24
10
4.41
3.79
4.26
4.35
3.79
4.03
3.74
4.03
4.45
3.82
4.52
4.24
4.09
4.35
2.88
3.97
4.50
4.09
11
4.29
3.43
4.83
4.57
4.29
4.00
4.57
4.00
5.00
3.43
4.86
4.71
4.00
4.43
2.43
4.00
5.00
4.71
12
4.33
3.90
4.20
4.14
3.94
3.91
4.11
3.89
4.44
3.79
4.53
4.19
4.23
4.33
3.22
4.16
4.42
4.28
N/C***
8-3-2-A
Importance of Competencies to Perform Work for Audit Senior/Supervisor by Groups*
Practitioner Respondents in Means**
______________________________________ Chapter 8: Internal Auditor Competencies 333
The Institute of Internal Auditors Research Foundation
4.17
4.17
3.83
4.42
4.25
4.00
4.42
1.50
4.00
4.42
3.92
4.58
3.42
4.33
4.33
3.25
3.33
4.17
4.53
3.75
4.65
4.39
4.20
4.54
1.90
3.82
4.28
4.01
4.45
3.96
4.21
4.39
3.35
3.51
4.49
2
4.01
1
4.46
3.81
4.38
4.45
3.43
3.89
4.22
3.97
4.53
3.85
4.74
4.29
4.26
4.44
2.27
4.30
4.49
4.33
3
3.90
3.81
4.10
4.13
3.99
3.89
3.86
4.13
4.57
3.70
4.56
4.09
4.27
3.93
3.36
4.34
4.53
4.30
4
4.54
3.69
3.99
4.11
3.56
3.81
4.04
4.07
4.45
3.60
4.45
4.27
4.02
4.16
3.60
4.28
4.54
4.11
5
4.24
3.51
3.72
3.69
3.30
3.49
3.84
3.80
4.31
3.20
4.40
4.04
3.76
4.36
3.33
3.89
4.30
3.89
6
4.58
4.06
4.84
4.52
4.10
3.84
4.29
4.19
4.68
4.29
4.77
4.55
4.58
4.68
3.48
4.55
4.77
4.42
7
*For a list of groups, please see Appendix 1-B.
**The mean is the average response to: 1 = minimally important to 5 = very important.
***N/C = Respondents did not indicate affiliate or chapter membership.
Ability to promote the
internal audit activity
within the organization
Analytical (ability to
work through an issue)
Change management
Communication
Conceptual thinking
Conflict resolution
Critical thinking
Foreign language skills
Keeping up to date with
professional changes in
opinions, standards,
and regulations
Organization skills
Presentation skills
Problem identification
and solution
Project planning and
management
Report development
Time management
Training and
developing staff
Understanding
complex information
systems
Writing Skills
Competencies
4.24
3.53
4.17
4.02
3.80
3.75
4.08
4.12
4.41
3.61
4.30
3.96
3.90
4.15
3.21
3.99
4.16
3.99
8
4.23
3.92
4.46
4.54
4.23
4.15
4.31
4.15
4.62
4.00
4.38
4.31
4.23
4.23
4.00
4.38
4.38
4.62
9
4.24
3.56
3.84
3.52
3.16
3.56
3.63
3.84
4.05
3.16
4.28
3.92
3.36
4.48
3.48
3.52
4.29
3.88
10
4.41
3.35
3.88
3.82
3.47
3.59
3.71
3.82
4.18
3.59
4.00
3.82
3.94
3.94
2.29
3.76
4.12
3.82
11
Table 8-3-3-A
Importance of Competencies to Perform Work for the Audit Staff by Groups*
Practitioner Respondents in Means **
5.00
5.00
5.00
5.00
5.00
3.67
4.67
4.67
4.67
4.00
4.67
5.00
4.00
4.33
3.33
5.00
4.67
5.00
12
4.41
3.90
4.26
4.06
3.76
3.72
4.03
3.96
4.35
3.87
4.50
4.22
4.25
4.27
3.13
4.16
4.48
4.25
N/C***
334 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
3.84
3.40
4.07
4.04
3.38
3.85
4.26
3.32
3.57
3.68
3.17
2.53
3.89
3.93
3.68
4.02
3.64
3.61
3.54
4.26
3.52
4.01
3.81
3.25
3.79
4.15
3.05
2.45
3.92
3.65
3.63
3.99
4.02
3.80
4.27
3.28
2.86
3.92
3.99
4.02
4.11
4.16
3.70
3.94
4.21
3.52
3.85
3.85
3.67
4.61
3.73
3
3.72
3.64
4.00
3.45
3.16
3.49
3.45
3.64
4.03
4.21
3.69
3.82
3.79
3.21
3.61
3.79
3.95
4.42
3.68
4
3.92
3.83
4.20
3.55
2.95
3.82
3.71
3.65
3.95
3.95
4.00
3.99
3.97
3.57
3.81
3.52
3.81
4.67
3.79
5
3.40
3.88
4.04
3.40
2.58
3.80
3.86
3.69
3.94
3.76
3.58
3.71
3.79
3.28
3.66
3.52
3.65
4.58
3.53
6
4.16
4.36
4.67
4.04
3.30
4.07
3.93
3.99
4.35
4.67
4.25
4.36
4.30
3.96
4.19
4.18
4.20
4.84
4.29
7
*For a list of groups, please see Appendix 1-B.
**The mean is the average response to: 1 = minimally important to 5 = very important.
***N/C = Respondents did not indicate affiliate or chapter membership.
3.34
4.53
3.70
3.84
4.70
3.48
Accounting
Auditing
Business law and
government regulation
Business management
Changes to professional
standards
Enterprise risk management
Ethics
Finance
Fraud awareness
Governance
Human resource
management
Information technology
Internal auditing standards
Managerial accounting
Marketing
Organization culture
Organizational systems
Strategy and business
policy
Technical knowledge
for your industry
2
1
Areas of Knowledge
4.03
3.74
4.05
3.53
2.61
3.94
3.61
3.57
4.00
4.09
3.71
3.90
3.97
3.59
3.67
3.59
3.67
4.68
3.69
8
4.44
4.44
4.72
4.17
3.67
4.22
4.33
4.33
4.44
4.56
4.44
4.33
4.17
3.94
3.94
4.17
4.44
4.89
4.17
9
3.50
3.94
4.06
3.31
2.40
3.50
3.75
4.06
4.20
4.38
3.63
3.81
4.25
3.63
4.06
3.63
3.44
4.88
4.00
10
4.00
4.06
4.29
3.69
2.92
3.81
3.77
3.83
3.98
4.09
4.11
4.13
4.09
3.55
3.85
4.02
4.17
4.69
4.06
11
4.33
4.42
4.67
4.00
3.58
4.42
4.40
4.50
4.33
4.50
4.08
4.17
4.17
3.75
4.27
4.33
4.25
4.92
4.42
12
Table 8-5-4-A
Importance of Areas of Knowledge to Perform Work for Audit Manager by Groups*
Practitioner Respondents in Means**
3.90
3.87
4.23
3.69
3.00
3.84
3.90
3.77
4.00
4.33
3.75
4.10
3.84
3.58
3.83
3.83
3.96
4.72
3.86
N/C***
______________________________________ Chapter 8: Internal Auditor Competencies 335
The Institute of Internal Auditors Research Foundation
3.68
3.50
3.79
4.11
3.49
3.82
4.08
3.42
3.71
4.16
3.08
2.37
4.03
4.03
3.84
3.92
3.58
3.60
3.51
4.30
3.58
3.95
3.76
3.08
3.78
4.22
3.13
2.41
3.80
3.70
3.57
3.97
3.99
3.86
4.26
3.22
2.68
3.96
4.15
3.89
3.86
4.10
3.71
3.95
4.16
3.41
3.63
3.76
3.45
4.73
3.77
3
4.20
4.08
4.00
3.69
3.16
3.62
3.63
3.88
4.10
4.06
3.88
3.94
3.63
3.31
3.71
3.92
3.94
4.53
3.79
4
3.73
3.57
4.15
3.41
2.68
3.54
3.68
3.42
3.82
3.95
3.97
3.90
3.61
3.26
3.54
3.52
3.78
4.56
3.79
5
3.50
3.88
3.93
3.16
2.29
3.51
3.67
3.51
3.93
3.78
3.26
3.64
3.57
3.05
3.49
3.46
3.53
4.42
3.51
6
4.08
4.22
4.55
3.92
3.23
4.09
3.90
3.89
4.16
4.62
4.04
4.27
4.06
3.70
3.94
4.06
4.20
4.80
4.16
7
*For a list of groups, please see Appendix 1-B.
**The mean is the average response to: 1 = minimally important to 5 = very important.
***N/C = Respondents did not indicate affiliate or chapter membership.
3.55
4.76
3.71
3.77
4.67
3.55
Accounting
Auditing
Business law and
government regulation
Business management
Changes to professional
standards
Enterprise risk management
Ethics
Finance
Fraud awareness
Governance
Human resource
management
Information technology
Internal auditing standards
Managerial accounting
Marketing
Organization culture
Organizational systems
Strategy and business
policy
Technical knowledge
for your industry
2
1
Areas of Knowledge
3.97
3.71
3.92
3.28
2.55
3.79
3.66
3.33
3.94
3.85
3.55
3.66
3.65
3.15
3.43
3.48
3.46
4.56
3.62
8
4.17
4.08
3.38
2.64
3.76
3.64
3.76
3.54
3.55
3.92
4.24
3.76
3.64
3.88
3.16
3.67
3.28
3.76
4.60
3.80
10
3.55
3.82
3.23
2.45
3.68
3.64
3.50
3.55
4.09
3.59
3.86
3.55
3.09
3.27
3.41
4.27
4.77
3.77
9
3.76
3.79
4.09
3.18
2.59
3.47
3.59
3.65
3.62
3.82
3.73
3.76
3.85
3.06
3.68
3.62
3.97
4.65
3.53
11
4.43
4.00
4.29
3.57
2.71
4.29
4.43
4.57
4.29
4.29
4.00
4.14
3.57
3.43
3.86
4.00
4.71
4.71
3.57
12
3.83
4.09
4.26
3.61
2.88
3.72
3.79
3.54
3.85
4.16
3.91
4.07
3.87
3.48
3.62
3.76
4.02
4.68
4.02
N/C***
Table 8-5-5-A
Importance of Areas of Knowledge to Perform Work for Audit Senior/Supervisor by Groups*
Practitioner Respondents in Means**
336 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
3.25
3.75
3.42
4.42
3.42
3.67
3.92
3.17
3.58
4.00
2.92
2.25
4.08
3.92
3.50
4.00
3.46
3.65
3.42
4.40
3.54
3.95
3.73
2.95
3.69
4.29
3.05
2.44
3.83
3.71
3.51
3.98
4.13
3.88
4.52
3.24
2.66
3.94
4.16
4.10
3.96
4.29
3.89
3.93
4.16
3.18
3.56
4.02
3.56
4.75
3.76
3
4.21
3.97
4.16
3.96
3.24
3.74
3.68
3.91
4.17
4.31
4.09
4.17
3.80
3.46
3.87
4.04
4.06
4.56
4.09
4
3.83
3.96
4.37
3.55
2.86
3.59
3.72
3.43
4.06
4.06
3.93
3.71
3.72
3.38
3.59
3.73
3.85
4.72
3.56
5
3.02
3.42
3.80
3.02
2.16
3.58
3.69
3.41
3.80
3.77
3.18
3.53
3.53
2.80
3.44
3.11
3.36
4.24
3.31
6
4.23
4.35
4.68
3.74
3.27
4.13
4.10
4.32
4.03
4.55
4.03
4.45
4.13
3.65
4.03
4.00
4.10
4.90
4.03
7
*For a list of groups, please see Appendix 1-B.
**The mean is the average response to: 1 = minimally important to 5 = very important.
***N/C = Respondents did not indicate affiliate or chapter membership.
3.17
4.75
3.75
3.71
4.62
3.58
Accounting
Auditing
Business law and
government regulation
Business management
Changes to professional
standards
Enterprise risk management
Ethics
Finance
Fraud awareness
Governance
Human resource
management
Information technology
Internal auditing standards
Managerial accounting
Marketing
Organization culture
Organizational systems
Strategy and business
policy
Technical knowledge for
your industry
2
1
Areas of Knowledge
4.14
3.59
3.94
3.14
2.53
3.71
3.56
3.17
3.71
4.01
3.31
3.60
3.53
3.07
3.29
3.42
3.48
4.57
3.61
8
3.75
4.00
4.67
3.92
3.67
4.08
4.00
4.00
4.17
4.75
4.50
4.33
4.09
4.00
4.25
4.33
4.50
4.92
4.25
9
3.36
3.88
3.80
2.92
2.00
4.13
3.84
3.96
3.56
3.88
2.84
3.28
3.88
2.84
3.48
3.08
3.12
4.40
3.72
10
3.47
3.59
3.59
3.38
2.76
3.59
3.82
3.18
3.35
3.88
3.76
3.76
3.76
3.06
3.53
3.12
3.71
4.29
3.53
11
4.67
4.67
4.33
4.33
2.67
4.67
5.00
5.00
5.00
5.00
4.33
4.67
3.67
4.00
3.33
4.00
4.33
4.33
4.00
12
Table 8-5-6-A
Importance of Areas of Knowledge to Perform Work for the Audit Staff by Groups*
Practitioner Respondents in Means**
3.96
4.04
4.34
3.53
2.91
3.88
3.91
3.73
3.87
4.26
3.85
4.18
3.85
3.45
3.65
3.82
3.86
4.57
3.87
N/C***
______________________________________ Chapter 8: Internal Auditor Competencies 337
338 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS
Chapter 9
Chapter 9: Emerging Roles of Internal Audit Activities ..................................................... 339
Introduction......................................................................................................................... 339
Years That the IAA and Organizations Have Existed ........................................................ 340
Changing Emphasis on Types of Audits............................................................................. 344
Emerging Roles in Organizations’ Activities ..................................................................... 346
Organizational Environment and Key Activities of the IAA.............................................. 352
Summary ............................................................................................................................. 357
Disclosure
Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland
Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of
America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior
written permission of the publisher.
The IIARF publishes this document for informational and educational purposes. This document is intended
to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide
such advice and makes no warranty as to any legal or accounting results through its publication of this
document. When legal or accounting issues arise, professional assistance should be sought and retained.
The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full
range of existing and developing practice guidance for the profession. The IPPF provides guidance to
internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA
Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting
research and knowledge resources to enhance the development and effectiveness of the internal auditing
profession.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 339
CHAPTER 9
EMERGING ROLES OF
INTERNAL AUDIT ACTIVITIES
Introduction
To examine the emerging role of the internal audit activity (IAA) in the organization, this chapter
starts with a discussion of the length of time organizations have had IAAs and the number of years
the organizations have been in existence. The next section reports on the general types of audits
being performed currently by IAAs and the expected changes in emphasis over the next three
years. Another section examines the range of special audit activities respondents’ IAAs perform
now and how that is expected to change in the next three years. The last section looks at the
respondents’ organizations and the IAA’s current role in the organization as well as how the
organization’s environment and the IIA’s role will evolve over the next three years.
The number of respondents answering a specific question will often differ from the 9,366 total
respondents in this study. This is due to the following reasons:
•
•
Not all of those that participated in the survey answered all the questions asked. Results
are shown and discussed only for those respondents who answered a particular survey
question.
Not all questions were asked of all respondents.
o Some questions were asked only of CAEs (those in the highest position within the
organization responsible for internal audit activities).
o Some questions were asked only of Practitioners (all other internal auditors who are
not CAEs).
o Some questions were asked of both CAEs and Practitioners.
When relevant, results are given for each of the 13 groups. The groups are explained in Chapter 1.
For a list of groups, please refer to Appendix 1-B of the report. Some tables have additional details.
For example, Table 9-4 is the total of all respondents for that question with a related Table 9-4-1
showing the responses by group. A table can have more than one related table, where the second
related table would be 9-4-2.
The Institute of Internal Auditors Research Foundation
340 A Global Summary of the Common Body of Knowledge 2006 ______________________
Years That the IAA and Organizations Have Existed
Before looking at the roles and expected roles of the IAAs, one needs to gain a perspective of the
length of time respondents’ organizations have had IAAs and the years their organizations have
been in existence. Figure 9-1 lists the number of years the respondents’ IAAs have been in existence.
The largest numbers of respondents work for IAAs that have been in existence for only 0-5 years
(28.4%). Another 21% of the respondents work for IAAs that have been in existence for 6-10
years. This shows that many of the respondents’ IAAs (49.4%) are just starting to develop in their
organizations. Only 13.8% of the respondents work in IAAs that have been in existence for 31 or
more years.
Figure 9-1
Number of Years the IAA Has Existed in the Organization
All Respondents (7,747) in Percentages
41+ Years
8.1%
0-5 Years
28.4%
31-40 Years
5.7%
21-30 Years
14.1%
6-10 Years
21.0%
11-20 Years
22.7%
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 341
Table 9-1 provides the number of years respondent organizations have had IAAs by groups. The
groups are listed on the inside back cover of this report. In group 5 respondents indicate that 60.5%
of their IAAs are 0-5 years old and another 22.5% are 6-10 years old. Respondents in the other
groups indicate between 20% - 33.9% of the IAAs are between 0-5 years old and an additional
16.1% - 33.1% indicate their IAAs are between 6-10 years old. A review of the countries in each
group and historical events explain some of these differences since in some areas of the world,
economies are more developed than others.
Table 9-1
Number of Years the IAA Has Existed by Groups*
All Respondents in Percentages
Group
Respondents
More
than
0-5
6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50
50
Years Years Years Years Years Years Years Years Years Years Years Total
1
3,025
23.8
16.1
10.9
12.6
9.2
8.9
3.1
4.8
.7
4.5
5.4
100.0
2
188
26.1
20.7
17.0
13.3
5.9
6.9
2.7
2.7
1.1
1.1
2.5
100.0
3
636
25.8
26.6
11.9
10.2
5.8
7.1
2.7
1.9
.5
4.2
3.3
100.0
4
347
25.6
33.1
15.9
13.3
3.2
3.5
1.2
2.0
.6
.8
.8
100.0
5
550
60.5
22.5
8.0
2.7
1.5
1.3
.0
1.1
.2
1.3
.9
100.0
6
423
23.6
18.0
10.4
7.6
8.0
11.6
3.1
2.6
.9
5.2
9.0
100.0
7
467
23.1
20.3
13.1
9.9
8.4
11.8
2.8
3.2
.6
2.6
4.2
100.0
8
910
32.7
25.3
14.3
11.1
5.5
3.7
1.9
1.3
.2
1.3
2.7
100.0
9
118
33.9
29.7
15.3
7.6
5.1
.8
.0
.0
.8
3.4
3.4
100.0
10
125
22.4
25.6
11.2
8.0
6.4
4.8
3.2
6.4
.0
3.2
8.8
100.0
11
226
28.8
24.3
11.9
10.2
5.8
8.4
1.3
4.0
.9
2.2
2.2
100.0
12
40
20.0
27.5
10.0
10.0
5.0
12.5
2.5
.0
7.5
2.5
2.5
100.0
N/C**
692
27.6
23.3
11.6
13.0
4.8
7.4
1.4
3.6
.6
3.3
3.4
100.0
Overall
7,747
Respondents
in Category
Overall
Percent in
Category
2,194
1,628
914
847
529
566
181
255
48
257
328
28.4
21.0
11.8
10.9
6.8
7.3
2.4
3.3
.6
3.3
4.2
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
100.0
342 A Global Summary of the Common Body of Knowledge 2006 ______________________
Figure 9-2 reports on how long respondents’ organizations have been in existence. A correlation
test performed by the researchers showed a relationship between how long the organizations have
been in existence and how long the organizations have had an IAA. It appears that older companies
tend to have established IAAs longer than younger companies.
Figure 9-2
Number of Years Organizations Have Existed
All Respondents (8,165) in Percentages
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 343
Table 9-2 lists the length of time respondents’ organizations have been in existence by the 13
groups. Groups 1, 6, and 10 have a large number of respondents (54.5% - 59.2%) working in
organizations that are more than 50 years old and only 11.2% - 13.4% with organizations that are
10 or less years old. While for respondents in groups 4, 5, and 11, greater than 24% of their
organizations (24.1% - 29.4%) are 10 years old or less.
Table 9-2
Number of Years Organizations Have Existed by Groups*
All Respondents in Percentages
Group
1
2
3
4
5
6
7
8
9
10
11
12
N/C**
Total/
Overall
Respondents
in Category
Overall
Percent in
Category
Respondents
3,241
189
648
354
552
434
504
954
125
135
228
39
762
8,165
0-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50 More Total
Years Years Years Years Years Years Years Years Years Years t h a n
50
Years
4.4
8.5
8.3
11.6
12.0
4.8
6.0
11.3
8.0
6.7
11.4
5.1
8.7
590
7.2
6.8 4.7
11.1 3.7
13.1 9.3
17.8 9.9
17.4 24.8
8.5 6.0
14.1 10.3
10.6 7.0
9.6 7.2
6.7 3.7
12.7 10.1
10.3 7.7
14.3 9.4
856 648
10.5
7.9
4.8 3.9
6.3 3.7
5.9 5.4
12.7 3.4
6.7 2.2
2.5 1.8
5.0 4.0
6.2 3.6
13.6 11.2
4.4 3.0
11.0 8.3
10.3 5.1
7.9 3.5
496
321
6.1
3.9
5.0
6.9
5.1
9.0
3.1
4.4
6.7
5.8
3.2
3.7
6.1
15.4
6.2
442
3.7
4.2
3.1
5.9
2.2
2.5
5.0
2.5
7.2
5.2
5.7
10.3
3.1
299
4.8
2.6
5.2
5.1
3.1
3.7
3.4
4.8
1.6
1.5
6.1
10.3
3.3
355
1.7
2.1
1.4
4.0
1.1
.9
3.6
1.5
5.6
3.7
4.8
7.7
1.8
165
5.7
7.4
5.7
3.7
4.3
8.5
6.5
5.6
8.0
2.2
4.8
.0
5.4
461
54.5
43.5
37.5
16.9
23.1
56.4
35.4
41.1
24.8
59.2
18.8
17.8
36.4
3532
5.4
3.7
4.3
2.0
5.6
43.4 100.0
*For a list of affiliate groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
344 A Global Summary of the Common Body of Knowledge 2006 ______________________
Changing Emphasis on Types of Audits
This section focuses on the anticipated change in demand for the general types of audits that will
be performed by the IAA in the next three years. The definition of internal auditing in The IIA’s
1999 report, A Vision for the Future: Professional Practices Framework for Internal Auditing,
acknowledges the importance of assurance services and consulting in the areas of risk management,
governance, and controls. With this expansion of scope, it was expected that the audits performed
by IAAs would include these three areas. In order to assess staffing needs, required competencies,
and the skills necessary in the near future, the profession needs to anticipate changes in the demand
for their services. Table 9-3 shows the estimates of all respondents to the question about whether
they anticipate the general types of audits performed by their IAA will increase, decrease, or stay
the same over the next three years.
Table 9-3
Anticipated Changes in Types of Audits to Be Performed
Within the Next Three Years
All Respondents in Percentages
Activity
Risk management
Governance
Regulatory compliance
Operational auditing
Review of financial processes
Total
Increase
Responses
6,728
6,704
6,698
6,715
6,724
79.5
63.2
46.9
46.2
43.5
Decrease
Stay the
Same
Total
Percent
2.3
4.0
11.7
14.7
14.6
18.2
32.8
41.4
39.1
41.9
100.0
100.0
100.0
100.0
100.0
Respondents predict that the greatest increase in the types of audits performed in the next three
years will be in risk management (79.5%) and governance (63.2%) audits. The projected increases
for these types of audits will need to be reflected in the IAA’s internal audit plan, the resources
allocated to the IAA, and in the audit staff’s competencies. For many of the respondents, regulatory
compliance (46.9%), operational auditing (46.2%), and reviews of financial processes (43.5%)
show material increases as well. Some respondents do anticipate that less time will be spent on
operational audits (14.7%), the review of financial processes (14.6%), and regulatory compliance
audits (11.7%).
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 345
As IAAs around the world are evolving at different rates, this study also looked at the expected
changes in the types of audits to be performed by IAAs by groups. Table 9-3-1 presents predicted
increases in the types of audits for all respondents by group, Table 9-3-2 presents the decreases
anticipated by group, and Table 9-3-3 shows predictions of no change by group. The respondents
in all groups agreed that the performance of risk management and governance audits should increase
the most in the next three years.
Table 9-3-1
Anticipated Changes in Types of Audits to Be Performed
Within the Next Three Years - Increased Role
All Respondents in Percentages
Activity
1
Review of financial
processes
Risk management
Governance
Regulatory compliance
Operational auditing
2
3
4
5
6
7
8
9
10
11
12 N/C**
45.0 30.0 44.0 41.2 48.0 35.9 44.5 37.2 55.9 40.9 47.2 70.6
46.0
74.5
55.9
46.4
47.9
80.7
63.9
51.1
50.1
75.0
67.0
46.0
48.0
84.0
76.0
50.0
45.0
88.5
72.2
40.8
51.9
83.6
61.0
41.2
44.6
77.2
64.5
44.6
44.7
89.0
75.9
54.7
44.5
82.6
64.6
47.2
38.3
87.9
79.4
52.2
59.1
79.1
52.6
25.0
30.7
83.9
77.2
49.2
45.8
100.0
85.3
64.7
67.7
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Table 9-3-2
Anticipated Changes in Types of Audits to Be Performed
Within the Next Three Years - Decreased Role
All Respondents in Percentages
Activity
1
Review of financial
processes
Risk management
Governance
Regulatory compliance
Operational auditing
2
3
4
5
6
7
8
9
10
11
10.1 21.0 16.0 21.4 21.0 17.9 17.7 19.1 15.1 20.9 15.7
1.7 5.0 3.0
3.7 2.0 2.0
10.4 13.0 12.0
12.3 14.0 18.0
12 N/C**
8.8
12.1
0.4 6.3 2.2 1.0 1.8 2.2 2.6 3.3 0.0
2.3 12.1 3.7 3.7 2.7 4.4 4.4 2.8 2.9
11.6 23.1 10.2 7.1 11.2 16.3 21.4 14.5 14.7
13.3 24.1 15.4 17.7 14.7 10.8 14.0 17.3 11.8
2.7
4.6
9.6
14.0
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
346 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 9-3-3
Anticipated Changes in Types of Audits to Be Performed
Within the Next Three Years - Stay the Same
All Respondents in Percentages
Activity
1
Review of financial
processes
Risk management
Governance
Regulatory compliance
Operational auditing
2
3
4
5
6
7
8
9
10
11
12 N/C**
44.9 49.0 40.0 37.5 31.1 46.2 37.8 43.7 29.0 38.7 37.1 20.6
41.9
23.8
40.4
43.2
39.8
16.6
31.6
39.3
35.9
20.0
30.0
41.0
39.0
14.0
22.0
38.0
37.0
11.2
25.6
47.6
34.8
10.2
26.9
35.8
31.3
20.6
31.8
45.2
39.9
10.1
20.4
38.2
37.8
15.7 9.9 18.3 12.8 0.0
32.8 16.3 43.0 20.0 11.8
41.6 31.5 53.6 36.3 20.6
47.0 30.1 55.3 36.9 20.6
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Emerging Roles in Organizations’ Activities
To gain an understanding of what roles IAAs have and will have in various types of activities and
functions performed within an organization, respondents were provided with a list of important
tasks performed by organizations. They were asked to indicate if their IAA currently has a role in
the area, if the IAA is likely to have a role in the next three years, or if it is unlikely for the IAA to
have a role. Role was defined as being within the IAA’s scope of work. The list was developed
from a review of internal auditing literature and the CBOK 2006 pilot survey. An overview of all
responses is shown in Table 9-4.
The respondents’ IAAs all do some work in the areas listed. The four highest ranked areas where
respondents indicate that their IAAs currently perform audits are fraud prevention/detection (69%),
risk management (66.6%), regulatory compliance assessment monitoring (64%), and corporate
governance (52.2%). Areas where respondents’ IAAs currently have less of a role are emerging
markets (11.5%), environmental sustainability (14%), and globalization (15.3%). For most of the
audit areas that are not currently being audited, respondents indicated that 17.7% to 38.1% of their
IAAs plan to do audit work in those areas over the next three years. Currently 23.6% have a role
in corporate social responsibility and an additional 31.6% of the respondents are likely to have a
role in the next three years. Areas where more than a third of the respondents indicate they are
unlikely to be involved are executive compensation (45.4%), environmental sustainability (39.9%),
emerging markets (39.5%), globalization (35.2%), and intellectual property and knowledge assessment
(35.1%).
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 347
Table 9-4
Emerging Roles of the IAA - Total Responses in Percentages
Roles
Total
Currently Likely to Have Unlikely to
Not
Total
Respon- Have a Role a Role Within Have a Role Applicable
dents
the Next 3
Years
Alignment of strategy
and performance
measures (e.g., Balanced
Scorecard)
Benchmarking
Corporate governance
Corporate social
responsibility
Develop training and
education of organization
personnel (e.g., internal
controls, risk management,
regulatory requirements)
Disaster recovery
Evidential issues
Emerging markets
Environmental sustainability
Executive compensation
Fraud prevention/detection
Globalization
Intellectual property and
knowledge assessment
IT management assessment
Knowledge management
systems development review
Mergers and acquisitions
Project management
Provide training to the
audit committee
Regulatory compliance
assessment monitoring
Risk management
Strategic frameworks
6,500
23.1
35.2
30.1
11.6
100.0
6,476
6,511
6,415
28.6
52.2
23.6
35.7
31.2
31.6
26.0
11.4
33.8
9.7
5.2
11.0
100.0
100.0
100.0
6,522
46.6
34.4
15.3
3.7
100.0
6,490
6,385
6,426
6,436
6,429
6,530
6,431
6,391
34.0
39.8
11.5
14.0
16.0
69.0
15.3
19.2
26.1
23.9
22.5
24.7
17.7
22.9
21.1
28.4
29.0
23.5
39.5
39.9
45.4
5.7
35.2
35.1
10.9
12.8
26.5
21.4
20.9
2.4
28.4
17.3
100.0
100.0
100.0
100.0
100.0
100.0
100.0
100.0
6,453
6,387
46.1
26.1
32.2
38.1
16.8
26.9
4.9
8.9
100.0
100.0
6,437
6,410
6,436
18.4
39.8
31.2
23.7
27.6
34.4
30.8
25.1
21.7
27.1
7.5
12.7
100.0
100.0
100.0
6,442
64.0
23.0
9.2
3.8
100.0
6,509
6,407
66.6
27.0
25.5
36.8
5.6
27.7
2.3
8.5
100.0
100.0
The Institute of Internal Auditors Research Foundation
348 A Global Summary of the Common Body of Knowledge 2006 ______________________
Tables 9-4-1 and 9-4-2 show the total results by group for the question about roles and work areas
that respondent IAAs’ currently have or are likely to have in the next three years. The respondents’
group data shows many variations in the roles the IAAs currently have and are likely to have in
three years. Approximately 80% of the groups’ respondents indicate that they are currently involved
or will be involved in the next three years in corporate governance, fraud prevention, IT management
assessment, regulatory compliance, and risk management. The group data indicates that
approximately 50% to 59% of the IAAs have or will have a role in alignment of strategy and
performance measures.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 349
Table 9-4-1
Emerging Roles of the IAA - Currently Have a Role by Groups*
All Respondents in Percentages
Roles
1
Alignment of strategy and
performance measures
(e.g., Balanced Scorecard)
Benchmarking
Corporate governance
Corporate social
responsibility
Develop training and
education of organization
personnel (e.g., internal
controls, risk management,
regulatory requirements)
Disaster recovery
Evidential issues
Emerging markets
Environmental
sustainability
Executive compensation
Fraud prevention/
detection
Globalization
Intellectual property and
knowledge assessment
IT management assessment
Knowledge management
systems development
review
Mergers and acquisitions
Project management
Provide training to the
audit committee
Regulatory compliance
assessment monitoring
Risk management
Strategic frameworks
2
3
4
5
6
7
8
9
10
11
12 N/C**
22.8 19.1 32.6
11.6 17.6 16.6 34.4 22.7 18.9 26.4 28.2 25.7 22.0
30.6 26.6 34.9
56.5 70.7 75.2
26.4 15.5 30.7
16.0 26.6 22.2 26.3 26.8 35.2 29.1 33.0 36.4 25.6
25.7 37.6 47.2 47.4 52.9 40.0 48.2 60.7 62.9 35.7
15.4 15.2 11.1 31.6 22.7 25.3 17.4 20.2 30.3 20.7
48.7 44.6 51.0
40.5 39.8 30.5 52.5 50.8 41.1 31.8 50.6 64.7 42.5
45.2 41.3 47.8
40.8 36.3 41.5
11.9 10.4 15.0
13.1 9.3 20.6
17.7 18.9 21.6 24.6 20.3
29.2 43.6 35.6 55.2 35.3
5.9 8.0 10.1 13.1 11.1
12.9 11.8 7.9 18.6 13.4
19.8 9.8 17.2
75.1 71.7 73.4
8.2 13.1 7.4 18.2 11.6 11.1 19.8 14.5 21.2 14.3
52.7 56.9 64.7 69.2 64.8 72.8 65.8 63.2 82.9 60.7
14.4 7.7 18.1
22.3 18.7 24.7
13.4 12.9 12.5 29.0 12.9 15.6 23.9 19.0 14.7 15.2
10.6 16.6 10.7 23.2 14.9 16.7 24.1 17.5 14.3 14.7
48.7 47.8 48.0
31.4 27.6 34.2
26.0 37.2 45.0 62.7 46.8 42.7 51.8 36.9 48.6 37.9
12.4 18.5 20.6 28.4 16.8 26.7 23.6 23.1 17.6 21.4
20.6 12.7 19.9
44.4 45.3 50.4
40.2 29.4 39.5
8.2 12.1 19.1 23.8 20.0 23.3 14.5 12.7 8.6 13.5
32.0 30.2 40.6 36.2 33.4 28.1 42.2 30.5 41.2 31.7
16.1 15.1 13.2 31.7 26.8 19.1 24.8 23.1 31.4 23.3
63.9 64.8 58.4
61.4 60.8 67.2 70.3 75.7 56.7 54.5 55.2 57.1 57.1
69.5 76.9 79.6
29.2 29.1 39.0
46.4 57.7 62.7 67.7 68.8 56.0 67.9 67.1 76.5 52.9
15.2 20.5 13.5 39.8 19.2 22.4 31.2 22.4 47.1 25.3
26.4
40.0
10.0
12.4
22.7
24.5
15.5
18.2
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
29.3
34.5
11.5
11.5
37.1
56.3
12.5
17.6
21.4
38.5
12.1
17.3
350 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 9-4-2
Emerging Roles of the IAA - Likely to Have a Role in
Next Three Years by Groups*
All Respondents in Percentages
Roles
1
Alignment of strategy and
performance measures
(e.g., Balanced Scorecard)
Benchmarking
Corporate governance
Corporate social
responsibility
Develop training and
education of organization
personnel (e.g., internal
controls, risk management,
regulatory requirements)
Disaster recovery
Evidential issues
Emerging markets
Environmental
sustainability
Executive compensation
Fraud prevention/
detection
Globalization
Intellectual property and
knowledge assessment
IT management assessment
Knowledge management
systems development
review
Mergers and acquisitions
Project management
Provide training to the
audit committee
Regulatory compliance
assessment monitoring
Risk management
Strategic frameworks
2
3
4
5
6
7
8
9
10
11
12 N/C**
31.0 36.1 37.7 41.7 41.9 26.5 43.3 37.3
46.7 20.0 41.8 54.3 39.6
32.2 35.3 36.2 36.7 44.8 33.9 44.3 35.1
25.8 22.8 20.1 49.4 39.8 33.4 39.3 34.0
23.9 36.5 36.5 39.0 30.5 29.7 41.4 39.9
44.3 27.3 42.6 42.4 37.9
50.0 25.5 33.1 28.6 40.9
39.1 31.2 42.2 42.4 38.0
31.8 32.6 31.3 40.5 41.4 35.8 36.9 31.6
44.4 44.5 36.8 32.4 39.5
24.7
22.4
19.1
17.9
46.2
27.8
26.7
33.7
27.2
24.2
18.1
26.2
25.2
26.6
27.4
32.8
24.6
29.2
23.8
28.1
27.7
25.8
24.7
24.5
20.8
20.3
16.3
21.2
37.4
25.8
35.6
37.5
21.9
21.1
20.9
29.3
19.1
19.1
12.7
20.0
39.1
35.1
37.9
38.5
40.0
34.4
43.8
55.9
27.2
25.1
25.2
27.3
14.5 10.4 21.3 17.3 20.6 11.5 30.5 17.3
18.9 19.0 17.5 38.9 32.0 25.1 25.3 23.4
15.6 15.3 30.1 30.3 21.6
21.7 21.6 28.7 8.6 30.1
13.9 19.1 21.2 42.4 24.6 16.6 33.8 21.3
23.3 39.6 32.4 38.4 32.5 20.5 37.6 24.0
22.2 15.6 37.4 35.3 31.4
41.1 16.7 49.1 51.4 33.3
27.5 31.9 32.2 41.5 43.9 31.2 29.2 32.6
31.3 43.1 39.1 45.0 47.8 36.4 45.1 42.0
44.9 24.5 42.0 42.9 39.4
46.7 33.6 46.8 64.7 41.8
21.8 17.7 20.1 23.5 25.8 20.9 28.5 25.0
23.2 26.3 28.4 37.9 37.5 27.4 30.7 25.7
30.0 41.1 36.5 39.2 36.0 31.1 41.9 34.4
32.2 20.0 32.4 42.9 28.1
36.0 25.7 32.2 41.2 33.1
43.8 32.1 48.6 51.4 38.4
20.8 21.4 27.7 28.6 25.7 22.0 22.6 16.4
36.7 19.1 32.0 31.4 29.8
22.2 18.1 15.8 46.8 31.6 28.3 25.5 23.5
33.2 37.4 37.7 44.4 41.4 33.1 40.3 35.4
38.5 22.0 28.9 17.6 37.1
54.1 25.7 48.3 41.2 43.3
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 351
Table 9-4-3 summarizes the areas where respondents think the IAA would not have a role in the
next three years. The areas that most groups agree that the IAA will not have a role in the
foreseeable future are emerging markets, environmental sustainability, executive compensation,
and intellectual property and knowledge assessment.
Table 9-4-3
Emerging Roles of the IAA – Not Likely to Have a Role in
Next Three Years by Groups*
All Respondents in Percentages
Roles
1
Alignment of strategy and
performance measures
(e.g., Balanced Scorecard)
Benchmarking
Corporate governance
Corporate social
responsibility
Develop training and
education of organization
personnel (e.g., internal
controls, risk management,
regulatory requirements)
Disaster recovery
Evidential issues
Emerging markets
Environmental
sustainability
Executive compensation
Fraud prevention/detection
Globalization
Intellectual property and
knowledge assessment
IT management assessment
Knowledge management
systems development
review
Mergers and acquisitions
Project management
Provide training to the
audit committee
Regulatory compliance
assessment monitoring
Risk management
Strategic frameworks
2
3
4
5
6
7
8
9
10
11
12 N/C**
34.7 34.4 24.2 31.3 25.1 41.9 12.2 28.9 18.9 41.8 22.0 11.4 26.3
28.5 31.5 23.4 35.5 17.3 33.3 16.2 26.6 11.4 34.5 18.8 3.0 22.9
12.9 6.0 3.4 20.8 13.8 13.5 6.9 8.3 6.7 12.7 3.9 5.7 15.3
38.7 38.1 26.5 33.6 36.7 46.2 19.0 25.1 26.4 45.9 30.6 21.2 29.2
16.0 19.0 15.0 13.3 14.3 28.5
25.4
25.4
44.0
46.5
29.9
28.6
48.9
49.2
23.2
21.3
33.3
31.7
40.0
26.2
45.7
38.3
28.2
18.4
32.4
33.3
41.8
31.8
43.5
46.8
7.8 13.6 10.0 18.2 10.9
23.6
10.3
30.4
26.5
38.4
22.7
37.5
35.2
19.8
21.1
43.3
38.2
50.0
45.5
41.8
50.9
0.0 14.3
25.9 11.4 29.3
19.5 3.1 21.3
35.1 25.0 31.1
37.4 11.8 30.9
49.1 59.6 44.1 45.5 41.4 50.1 30.0 44.7 47.8 46.8 41.6 30.3 37.1
4.0 7.1 7.0 6.1 7.6 8.4 3.3 7.9 4.3 12.6 4.0 5.7 6.2
37.7 42.6 32.9 29.0 30.0 40.1 24.9 36.9 46.7 37.6 34.5 35.3 29.7
36.7 31.3 30.7 36.5 29.8 44.9 24.5 40.4 28.9 50.0 24.0 14.3 34.0
19.5 17.6 15.9 22.5 11.0 18.8 3.8 15.4 9.0 20.9 17.0
28.4 23.8 22.1 28.7 22.7 34.0 19.6 30.3 22.2 34.5 24.3
2.9 16.8
8.8 25.4
29.6 30.4 30.4 40.8 28.3 36.8 27.2 32.1 28.9 36.4 39.9 25.7 28.6
26.0 22.3 18.7 20.2 21.7 27.9 24.0 31.4 22.5 25.7 30.5 5.9 22.7
20.1 25.0 19.2 27.5 23.0 32.8 13.6 23.7 22.5 25.7 22.0 11.4 22.4
11.0 12.1 11.4
8.9
8.2
7.6
3.8
4.0
4.4 19.1 11.6
6.2 3.3 3.4 4.9 6.6 7.9 2.5 5.5 3.3 10.1 3.5
30.1 25.8 19.0 29.2 25.2 45.2 12.9 33.4 17.6 37.6 20.7
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
The Institute of Internal Auditors Research Foundation
2.9
8.4
0.0 6.8
2.9 21.5
352 A Global Summary of the Common Body of Knowledge 2006 ______________________
Organizational Environment and Key Activities of the IAA
This final section of the chapter captures CAE and Audit Manager respondents’ agreement with
statements about their organizations and their IAA’s role in the organization. The survey asked if a
statement currently applies, is likely to apply within the next three years, or will not apply in the
foreseeable future. As listed in Table 9-5, 61.2% of the respondents indicate that their countries
currently have laws or regulations that require organizations to have an IAA and an additional
13.1% anticipate having such requirements in the next three years. Corporate governance codes
are complied with in 67.7% of the organizations with 22.7% of the respondents’ organizations
likely to comply with a corporate governance code in the next three years. In 70.5% of the
respondents’ organizations, there is an internal control framework and 24.3% indicate that their
organizations will have a framework in the next three years.
Assurance audits receive more emphasis than consulting services in 71.5% of the organizations.
The IAAs (64.3% currently, 25.3% more in three years) educate their organizations’ personnel
about internal control, corporate governance, and compliance issues. Many IAAs (55.7% currently,
25.6% more in three years) have an important role in the integrity of their organizations’ financial
reporting. Internal auditors anticipate having a growing advisory involvement in the development of
strategy (28.9% currently, 32.7% in the next three years) while 30.3% noted they would not have
an advisory role in strategy development in the foreseeable future. Providing training to audit
committee members (34% currently, 32.3% in the next three years) is also anticipated to increase.
Implementation of a knowledge management system is expected to escalate (25.6% currently,
43.9% in the next three years) while 20.6% indicate their organizations will not apply a knowledge
management system in the foreseeable future.
The Institute of Internal Auditors Research Foundation
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 353
Table 9-5
How Statements Apply to Your Organization
CAEs’ and Audit Managers’ Agreement with Statements in Percentages
Statement
Number of Currently Likely to
Will Not
Not
Total
Respondents Applies
Apply
Apply in the Applicable
Within the Foreseeable
Next 3
Future
Years
Internal auditing is required
by law or regulation where
the organization is based.
Internal auditors in the
organization have an
advisory role in strategy
development.
The organization complies
with a corporate governance
code.
The organization has
implemented an internal
control framework.
The organization has
implemented a knowledge
management system.
The internal audit activity
has provided training to
audit committee members.
The internal audit activity
assumes an important role
in the integrity of financial
reporting.
The internal audit activity
educates organization
personnel about internal
controls, corporate
governance, and compliance
issues.
The internal audit activity
places more emphasis on
assurance than consulting
services.
3,464
61.2
13.1
12.9
12.8
100.0
3,445
28.9
32.7
30.3
8.1
100.0
3,447
67.7
22.7
4.3
5.3
100.0
3,443
70.5
24.3
3.5
1.7
100.0
3,423
25.6
43.9
20.6
9.9
100.0
3,424
34.0
32.3
18.5
15.2
100.0
3,437
55.7
25.6
13.8
4.9
100.0
3,437
64.3
25.3
7.3
3.1
100.0
3,448
71.5
15.2
8.4
4.9
100.0
The Institute of Internal Auditors Research Foundation
354 A Global Summary of the Common Body of Knowledge 2006 ______________________
Tables 9-5-1 and 9-5-2 provide information by groups for CAE and Audit Manager respondents’
current agreement with these statements and the likelihood of application in the next three years.
The group tables show that the majority (48.0% up to 84.2%) live in countries that have or likely
will have laws and regulations in the next three years requiring organizations to have internal
auditors. Most organizations within the groups have (49.1% to 78.8%) or likely will adopt (16.8%
to 45.3%) an internal control framework in the next three years projecting coverage of over 90%
of the respondents’ IAAs. Most respondents within the groups agree that the IAA does or will
assume an important role in the integrity of financial reporting, educates organization personnel
about internal controls, corporate governance and compliance issues, and places more emphasis
on assurance than internal controls and consulting services. In most groups, the advisory role the
IAA has in the organization’s strategy development (currently 17.5% - 39.5% with group 12 at
60%) will likely significantly increase in the next three years.
The Institute of Internal Auditors Research Foundation
1
2
3
4
5
Internal auditing is required
58.0
48.0 67.7 80.0
64.7
by law or regulation where
the organization is based.
Internal auditors in the
29.7
30.3 33.8 39.5
22.8
organization have an advisory
role in strategy development.
The organization complies
73.8
72.4 79.6 55.5
60.3
with a corporate governance
code.
The organization has
70.4
71.3 73.2 78.8
61.2
implemented an internal
control framework.
The organization has
22.9
27.9 32.4 30.5
25.2
implemented a knowledge
management system.
The internal audit activity
46.9
35.8 43.4 17.4
14.5
has provided training to
audit committee members.
The internal audit activity
64.1
62.3 58.4 42.4
39.5
assumes an important role
in the integrity of financial
reporting.
The internal audit activity
73.1
68.0 71.3 47.1
50.2
educates organization
personnel about internal
controls, corporate
governance, and compliance
issues.
The internal audit activity
75.2
72.4 81.6 65.0
60.9
places more emphasis on
assurance than consulting
services.
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Statement
65.7
35.5
55.7
78.4
26.5
34.0
58.1
66.2
71.2
17.5
54.8
59.2
19.3
13.0
45.2
42.7
68.8
7
60.6
6
The Institute of Internal Auditors Research Foundation
67.1
62.9
46.7
24.0
26.2
77.5
66.9
22.9
62.4
8
58.2
45.5
54.7
21.2
46.3
65.5
53.7
37.0
52.7
9
62.3
43.4
39.6
20.8
25.0
49.1
54.7
20.8
54.7
10
69.3
65.8
62.8
21.9
33.9
77.9
71.9
33.9
66.4
11
12
78.9
60.0
50.0
15.0
26.3
63.2
55.0
60.0
84.2
Table 9-5-1
How Statements Currently Apply to Respondents’ Organizations by Groups*
CAE and Audit Manager Agreement with Statements in Percentages
66.8
53.2
47.5
23.0
23.9
65.5
56.6
28.4
58.8
N/C**
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 355
1
2
3
4
5
Internal auditing is required by
9.6
16.3
13.1 13.3
15.1
law or regulation where the
organization is based.
Internal auditors in the
28.6
24.6
32.7 32.8
41.8
organization have an advisory
role in strategy development.
The organization complies
16.8
22.8
17.3 40.3
28.4
with a corporate governance
code.
The organization has
23.2
23.8
23.6 18.6
32.8
implemented an internal
control framework.
The organization has
37.4
49.2
49.6 47.5
49.1
implemented a knowledge
management system.
The internal audit activity
27.9
34.1
31.3 46.1
32.0
has provided training to
audit committee members.
The internal audit activity
20.9
19.7
27.4 37.3
29.4
assumes an important role
in the integrity of financial
reporting.
The internal audit activity
20.1
23.8
20.9 35.5
32.3
educates organization
personnel about internal
controls, corporate
governance, and compliance
issues.
The internal audit activity
11.9
19.5
9.9 28.3
20.6
places more emphasis on
assurance than consulting
services.
*For a list of groups, please see Appendix 1-B.
**N/C = Respondents did not indicate affiliate or chapter membership.
Statement
13.0
43.9
33.5
19.7
51.2
39.6
31.2
26.8
18.6
31.6
27.9
32.5
43.5
27.5
27.9
30.6
14.4
7
13.0
6
The Institute of Internal Auditors Research Foundation
12.6
26.6
30.5
30.2
45.3
20.2
22.8
33.8
15.4
8
29.1
43.6
34.0
51.9
44.4
27.3
44.4
44.4
32.7
9
22.6
30.2
18.9
30.2
46.2
45.3
24.5
17.0
11.3
10
21.1
26.3
27.4
48.2
47.0
16.8
21.1
42.6
15.5
11
15.8
35.0
40.0
75.0
63.2
31.6
40.0
35.0
10.5
12
21.8
34.7
26.2
38.7
53.2
29.5
29.2
36.7
20.8
N/C**
Table 9-5-2
How Statements are Likely to Apply to Respondents’ Organizations Within the Next 3 Years by Groups*
CAE and Audit Manager Agreement with Statements in Percentages
356 A Global Summary of the Common Body of Knowledge 2006 ______________________
____________________________ Chapter 9: Emerging Roles of Internal Audit Activities 357
Summary
Internal auditing has evolved significantly from its origins in the early 20th century. The results of
CBOK demonstrate that internal auditing will continue to evolve in the future by incorporating new
responsibilities and having an impact on more areas of the organization.
It is especially interesting to note that respondents indicated their IAA’s responsibilities increasing
in all of the major types of audits that are currently being performed, some by large amounts. For
example, risk management is expected to increase 79.5% over the next three years. Furthermore,
it does not appear that any of the current types of audits performed will decrease in any significant
way over the next three years.
As the profession evolves, emerging roles to monitor include alignment of strategy and performance
measures, benchmarking, knowledge management, systems development review, and strategic
frameworks. Each of these was indicated by respondents as having an increase of more than 35%
over the next three years.
Executive compensation stood out in the CBOK results as clearly showing that IAAs do not
currently and most likely will not have a role in the future. Respondents indicate that 16% of IAAs
currently have a role and 17.7% are likely to have a role in the next three years. This is compared
with 45.4% of respondents who indicate that their IAA is unlikely to have a role in the next three
years in this activity.
The Institute of Internal Auditors Research Foundation
358 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Institute of Internal Auditors Research Foundation
A Global Summary of the Common Body of Knowledge 2006
CONTENTS
Chapter 10
Chapter 10: Research Method and Literature Review ........................................................ 359
Research Method ................................................................................................................ 359
Project Teams ............................................................................................................... 359
Pilot Test and Literature Review.................................................................................. 361
CBOK 2006 Questionnaires ......................................................................................... 363
Clustering for Groups................................................................................................... 364
Literature Review................................................................................................................ 367
Introduction .................................................................................................................. 367
Prior IIA CBOK Studies............................................................................................... 367
North American Literature Review on Internal Auditing ............................................ 372
Summary ............................................................................................................................. 379
Asia Pacific Literature Review on Internal Auditing.......................................................... 380
European Literature Review on Internal Auditing.............................................................. 390
South African Literature Review on Internal Auditing ...................................................... 398
Appendix 10-A: Pre-scope Questionnaire for CBOK......................................................... 406
Appendix 10-B: Topical Areas That Are Addressed in Past and Current
IIA CBOK Studies........................................................................................................ 418
Appendix 10-C: CBOK 2006 CAE and Practitioner Questionnaire................................... 421
Disclosure
Copyright © 2007 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland
Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of
America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior
written permission of the publisher.
The IIARF publishes this document for informational and educational purposes. This document is intended
to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide
such advice and makes no warranty as to any legal or accounting results through its publication of this
document. When legal or accounting issues arise, professional assistance should be sought and retained.
The IIA’s International Professional Practices Framework for Internal Auditing (IPPF) comprises the full
range of existing and developing practice guidance for the profession. The IPPF provides guidance to
internal auditors globally and paves the way to world-class internal auditing. The mission of The IIA
Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating, and promoting
research and knowledge resources to enhance the development and effectiveness of the internal auditing
profession.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 359
CHAPTER 10
RESEARCH METHOD
AND LITERATURE REVIEW
This chapter reviews the research method used to gather the data for the Common Body of
Knowledge (CBOK) 2006 study and provides a literature review prepared by each of the research
teams listed below summarizing the past studies reviewed prior to preparing the CBOK
questionnaires.
RESEARCH METHOD
Project Teams
The research team was comprised of three international teams that were selected from the responses
to the CBOK request for proposals. Table 10-1 lists the members of the three CBOK 2006 teams.
Based on the location of the selected research teams, the international affiliates and chapters were
broken down into three broad geographical areas.
The Institute of Internal Auditors Research Foundation
360 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 10-1
Research Teams
Teams
Lead Team
• Priscilla A.Burnaby (Bentley College, United States) –
Project Coordinator and Team Coordinator
• Mohammad J. Abdolmohammadi (Bentley College,
United States)
• Susan Hass (Simmons College, United States)
• Rob Melville (Cass Business School, England) –
Team Coordinator
• Marco Allegrini and Giuseppe D’Onza
(University of Pisa, Italy)
• Leen Paape (Erasmus University, Netherlands)
• Gerrit Sarens (University of Ghent, Belgium)
• Marinda M. Marais (University of South Africa)
• Elmarie Sadler (University of South Africa)
• Houdini Fourie (Tshwane University of
Technology, South Africa)
• Barry J. Cooper (Deakin University, Australia) –
Team Coordinator
• Philomena Leung (Deakin University, Australia)
General Areas
of Responsibilities
North, Central, and
South America and
the Caribbean
Europe and Africa
Asia and Pacific
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 361
Pilot Test and Literature Review1
The pre-scope questionnaire sent to practitioners for their input was developed after reviewing the
Professional Practices Framework (The IIA, 2004) and performing a literature review of current
internal auditing studies around the world. A summary of the literature review is included in the
second part of this chapter. The objective of the pilot survey was to determine what practitioners
believed should be included in the CBOK 2006 questionnaires. Based upon discussions with
knowledgeable internal auditors, key stakeholders at The IIA, and the literature review, the following
topics were selected for inclusion in the pilot survey:
•
•
•
•
•
•
•
•
•
Audit methods, tools, and techniques
Auditor skill sets
Certification and professional development
Emerging trends in internal auditing
Evaluation of staff
Internal auditing standards from the Professional Practices Framework
Percentage of time spent on different types of audits in 2005
Role of the board of directors and audit committee
Specific areas of knowledge required of internal auditors
To collect data from a small representative group of experienced internal auditors, the pre-scope
questionnaire was sent to a number of internal auditors in various regions of the world by each of
the three global teams. The respondents were asked to indicate which items listed on the prescope questionnaire should be included or excluded from the CBOK 2006 study. Each topic on the
pilot questionnaire was followed by a request for the respondents to add related areas and questions
that they thought should be included in the final questionnaire.
Sixty-three responses were received from nine countries. Table 10-2 indicates the number of
responses from each country. Appendix 10-A contains the pre-scope questionnaire and a summary
of the responses, including the respondents’ suggestions for additional areas to be included in
CBOK 2006. A majority of participants agreed with the inclusion in the study of most of the topics
in the pre-scope questionnaire and provided insights into other topics that should be included.
These areas were priorities for inclusion in the final CBOK questionnaires.
1
The CBOK review and the Team America’s literature review were published in a special CBOK 2006 issue of
Managerial Auditing Journal (MAJ), Volume 21, Issue 8, in October 2006. With permission from the publisher of
MAJ, this section uses portions of the following article: Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “A
review of prior common body of knowledge (CBOK) studies in internal auditing and an overview of the global CBOK
2006,” Managerial Auditing Journal 21 (8), 2006, pp. 811-821. Hass, S., M.J. Abdolmohammadi, and P.A. Burnaby,
“The Americas literature review on internal auditing,” Managerial Auditing Journal 21 (8), 2006, pp. 835-844.
The Institute of Internal Auditors Research Foundation
362 A Global Summary of the Common Body of Knowledge 2006 ______________________
Table 10-2
Summary of Pilot Test Respondents by Countries
Countries
Asia
Australia
New Zealand
Malaysia
Europe
Belgium
France
Italy
South Africa
U.K./Ireland
USA
Total
Respondents
11
5
2
9
2
6
1
13
14
63
To include current practices and explore emerging practices in the profession, CBOK 2006
incorporated several topics that were not included in prior CBOK studies. This was based on the
literature review and the results of the pilot survey. Appendix 10-B lists topical areas covered in
past CBOK studies and those that were covered in CBOK 2006. CBOK 2006 used The IIA’s
International Standards for the Professional Practice of Internal Auditing (Standards) as of
September 2006, the date of the study, as the basis for the focus of the study. The Standards
contain the expanded scope in The IIA’s definition of internal auditing, which includes governance,
risk management, and internal control engagements for the internal audit activity (IAA).
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 363
CBOK 2006 Questionnaires
Due to the need expressed by The IIA’s CBOK Steering Committee to limit the members’ response
time to 40 minutes, it was decided to create three separate CBOK questionnaires as follows:
1. Affiliates: The IIA is fortunate to have numerous Affiliate organizations around the world that
provide services to their geographic area in cooperation with IIA headquarters. This questionnaire
asked affiliate leaders questions about regulatory and cultural differences affecting the application
of ethics and the Standards in their area. One questionnaire was sent to each participating
affiliate.
2. Chief Audit Executives (CAEs): The Standards define the CAE as the highest position
within the organization responsible for the internal audit activity (IAA). Data on the status of
the IAA within the organization, application of the Standards, skills needed at each staff level,
and emerging audit roles were collected from CAEs worldwide.
3. Practitioners: For purposes of this study, Practitioners are all other internal auditors that are
not CAEs. Data about the application of the Standards, how an audit is performed, skill sets
needed, and the emerging roles of IAA were collected from internal auditors worldwide.
The three detailed questionnaires developed by the CBOK 2006 teams were subjected to close
scrutiny by The IIA CBOK 2006 Steering Committee. Once the final questions were selected, the
questionnaires were reviewed by a statistical expert and a small group of internal auditors worldwide
to ensure completeness and validity. Based on their comments, the final questionnaires were
developed and translated from English into 16 languages (Spanish, French, German, Russian, Czech,
Turkish, Simplified Chinese, Japanese, Traditional Chinese, Indonesian, Arabic, Polish, Bulgarian,
Italian, Portuguese, and Swedish). In September 2006, the CAE and Practitioner questionnaires
were distributed electronically to The IIA membership by participating affiliates, chapters, and
United States members that allow The IIA to send them e-mails using the survey software Peruses.
The Affiliate questionnaire was distributed by The IIA in December 2006. As some of the questions
for the CAE and Practitioner questionnaires were the same, the questionnaires were combined for
translation. Please see Appendix 10-C for the combined CAE and Practitioner questionnaire. A
guide for which questions were asked of all participants or either the CAE or the Practitioner is
provided in the first two pages of Appendix 10-C.
The Institute of Internal Auditors Research Foundation
364 A Global Summary of the Common Body of Knowledge 2006 ______________________
Number of Responses
As of September 2006, The IIA had approximately 127,700 members. As listed in Table 10-3, the
membership was made up of 143 chapters in the United States, 11 chapters in Canada, 9 chapters
in the Caribbean, and 94 affiliates. The total number of responses to the CAE and Practitioner
questionnaires was 15,028. After the responses that were deemed not usable were deleted from
the database, 9,366 usable responses remained resulting in a 7.3% overall response rate. Due to
some Affiliates not participating and some members who have opted not to receive e-mails from
The IIA, the survey was sent to approximately 99,000 members resulting in an estimated 9.5%
response rate. The respondents represent 91 countries as one of the participating countries has
two affiliates.
Table 10-3
Number of Participating Chapters and Affiliates
Area
U.S.A.
Canada
Caribbean
IIA Affiliates
*Number of
Chapters/Affiliates
1 or More Usable
Responses from
Chapters/Affiliates
143
11
9
94
133
11
7
83
Number of Affiliates
that Returned CBOK
Affiliate
Questionnaire
Not Applicable
Not Applicable
Not Applicable
46
*Tallied from The IIA’s Web site
Responses were determined to not be useable if the reply was empty or the respondent did not
answer enough questions to be considered for inclusion. A total of 133 United States’ chapters, all
of the Canadian chapters, and 7 of the Caribbean chapters participated in CBOK 2006. Eightythree affiliates had at least one usable CAE or Practitioner response. The number of respondents
for the United States, Canada, and the Caribbean and for each participating affiliate is summarized
in Appendix 1-B of Chapter 1 in this research report. Forty-six affiliates returned the CBOK
Affiliate questionnaire by the January 15, 2007, cutoff date for inclusion (noted by a + sign in
Appendix 1-B in Chapter 1).
Clustering for Groups
As data was collected from numerous affiliates and chapters, a methodology was needed to combine
them into groups for comparison of responses. Clustering literature was reviewed for plausible
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 365
ways to combine affiliates and chapters by cultural classification. Pioneer work for cultural
classification was performed by Hofstede (1980), who argued that the four dimensions of Power
Distance, Individualism, Masculinity, and Uncertainty Avoidance influence work environments.
Based on these dimensions, Hofstede (1983) classified fifty countries into different cultural zones.
In 2004, House et al. expanded Hofstede’s dimensions and the number of countries classified into
cultural zones. House et al. (2004) used nine dimensions to classify 62 countries into various
categories. Table 10-4 defines and lists the dimensions used by Hofstede (1983) and House et al.
(2004).
Table 10-4
Cultural Classification Criteria
No.
Criterion
1*
Uncertainty
Avoidance
2*
3**
4**
5***
6***
7@
8@
9@
Definition +
The extent to which members of an organization or society strive to avoid
uncertainty by relying on established social norms, rituals, and bureaucratic
practices.
Power
The degree to which members of an organization or society expect and agree
Distance
that power should be stratified and concentrated at higher levels of an
organization or government.
Institutional
The degree to which organizational and societal institutional practices
Collectivism
encourage and reward collective distribution of resources and collective
action.
In-group
The degree to which individuals express pride, loyalty, and cohesiveness in
Collectivism
their organizations or families.
Gender
The degree to which an organization or society minimizes gender role
Egalitarianism differences while promoting gender equality.
Assertiveness The degree to which individuals in organizations or societies are assertive,
confrontational, and aggressive in social relationships.
Future
The degree to which individuals in organizations or societies engage in
Orientation
future-oriented behaviors such as planning, investing in the future, and
delaying individual or collective gratification.
Performance
The degree to which an organization or society encourages and rewards
Orientation
group members for performance improvement and excellence.
Human
The degree to which individuals in organizations or societies encourage and
Orientation
reward individuals for being fair, altruistic, friendly, generous, caring, and
kind to others.
+Definitions are from House and Javidan (2004, 11-13).
*These two criteria are the same as those of Hofstede’s (1980).
**These two criteria are based on Hofstede’s (1980) Individualism.
***These two criteria are based on Hofstede’s (1980) Masculinity.
@
House et al. (2004) added these based on literature other than Hofstede (1980).
The Institute of Internal Auditors Research Foundation
366 A Global Summary of the Common Body of Knowledge 2006 ______________________
Since The IIA has affiliates in over 100 countries, the House et al. (2004) classification of 62
societies was insufficient for complete classification of the CBOK 2006 participants. By using
additional information from the Central Intelligence Agency World Fact Book (2006), affiliate
language, geographical location, and discussions with The IIA staff and leadership, the affiliates
and chapters were classified into 12 groups. Respondents who did not indicate membership in a
specific affiliate or chapter were clustered into a 13th group that was included in statistical summaries
for the aggregate results but not in affiliate or chapter cultural cluster results. Please refer to
Appendix 1-B of this report for the groups used for the analysis of responses for CBOK 2006.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 367
LITERATURE REVIEW
Introduction
The objective of the literature review for CBOK 2006 was to provide a summary of published
articles, studies on special topics, and research projects about the practice of internal auditing
around the world as determined by the research teams around the world. Each research team
prepared a literature review for the countries in their area of the world.
Prior IIA CBOK Studies2
Overview
The IIA has sponsored four prior CBOK studies. Appendix 10-C lists the topical areas covered in
these studies and identifies topical areas covered in the CBOK 2006 study. The past four CBOK
studies are summarized in the following section. Table 10-5 compares the number of participating
countries and usable questionnaire responses used in each CBOK study.
Table 10-5
Comparison of CBOK’s Number of Countries and Number of Respondents
CBOK
Number
Year
Number of
Countries
Number of Usable
Respondents
I
II
III
IV
V
1972
1985
1991
1999
2006
1
2
2
21
91
75
340
1,163
136
9,366
2
The CBOK review and the Team America’s literature review were published in a special CBOK 2006 issue of
Managerial Auditing Journal (MAJ), Volume 21, Issue 8, in October 2006. With permission from the publisher of
MAJ, this section uses portions of the following article: Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “A
review of prior common body of knowledge (CBOK) studies in internal auditing and an overview of the global CBOK
2006,” Managerial Auditing Journal 21 (8), 2006, pp. 811-821. Hass, S., M.J. Abdolmohammadi, and P.A. Burnaby,
“The Americas literature review on internal auditing,” Managerial Auditing Journal 21 (8), 2006, pp. 835-844.
The Institute of Internal Auditors Research Foundation
368 A Global Summary of the Common Body of Knowledge 2006 ______________________
CBOK I in 1972
The objective of CBOK I (Gobeil, 1972) was to define the CBOK for the profession of internal
auditing. The survey was conducted only in the United States. The report was based on a sample
of 100 internal auditors from which there were 75 responses. The questionnaires were distributed
to The IIA’s international officers, directors, and the chairs and committee members of all
international committees. It attempted to define and interpret three areas. The first area was to
establish the knowledge that internal auditors should possess to be considered professionally proficient.
The second area of interest was the knowledge required for candidates sitting for the Certified
Internal Auditor (CIA) exam. The final area was the type of knowledge that should be the focus of
continuing professional development and training.
The study outlined three different levels of knowledge required in the three different subject matters
(Gobeil, 1972), namely:
•
•
•
Appreciation of the broad nature and fundamentals involved in, and an ability to recognize
the existence of special features and problems in, various business transactions, and
determination of what further study or research must be undertaken under various
conditions.
A sound appreciation of the broad aspects of practices and procedures and an awareness
of the problems related to more detailed aspects thereof. It also included the ability to
apply such broad knowledge to situations likely to be encouraged, to recognize the more
detailed aspects which must be considered, and to carry out research and studies necessary
to come to a reasonable solution.
A sound understanding of principles, practices, and procedures and the ability to apply
such knowledge to situations likely to be encountered in order to deal with all aspects
without extensive recourse to technical research and assistance.
CBOK II in 1985
The objective of CBOK II (Barrett et al., 1985) was to establish the structure of the CBOK for
practicing internal auditors. This study included responses from the United States and Canada.
The researchers first reviewed how the medical, legal, military, religious, accounting, and auditing
professions determined their CBOK. Then they conducted interviews with directors and managers
of large international audit departments in Canada and the United States. Based on this background
the researchers developed and distributed questionnaires to approximately 900 individuals of whom
340 returned usable responses.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 369
The researchers identified three key areas of CBOK: knowledge of relevant disciplines; skills
needed to perform appropriate internal auditing tasks; and experiences necessary to be professionally
qualified, proficient, and a competent internal auditor. Barrett et al. (1985) presented three broad
conclusions. First, senior internal auditors should have a firm grasp of the core academic disciplines
of auditing and computer systems and a working knowledge of communications and accounting.
Second, at the bottom of the importance scale of knowledge is marketing. Finally, entry-level
internal auditors are expected to possess as much knowledge but fewer skills as senior-level
auditors, and senior-level (not entry-level) auditors are expected to become professionally certified.
CBOK III in 1991
Albrecht et al. (1992) sent questionnaires to internal auditors in Canada and the United States. Of
the 1,247 returned questionnaires, 1,163 responses were usable. The research method used by the
authors was the most elaborate of the CBOK studies to date. It included:
•
•
•
•
•
Review of current internal audit literature.
Interviews with content experts in the subject areas identified by the literature review.
Development of the initial questionnaire.
One-day meetings with selected groups of internal audit practitioners in various cities.
Distribution of the CBOK questionnaire to practicing internal auditors and analysis of the
data.
This study contributed to the literature in several significant ways. It identified the competencies
and knowledge that was required for internal auditors to practice at varying levels of experience.
It also identified the most appropriate setting (formal education, professional development seminars,
or on-the-job experience) where the competency should be acquired. The researchers included
the following in their findings:
•
•
•
•
The knowledge included in the CBOK
The levels at which internal auditors should possess various knowledge elements of the
CBOK
The kind of knowledge that should be included on the CIA examination
The kind of knowledge that should be included in professional development and training
seminars for internal auditors
The authors found that a major demographic factor causing responses to the CBOK questionnaire
to vary was the position level of the respondent. As auditors move from staff auditor to senior, to
manager, and finally to director, there are changes in what the respondents perceived should be the
required CBOK.
The Institute of Internal Auditors Research Foundation
370 A Global Summary of the Common Body of Knowledge 2006 ______________________
CFIA in 1999 (CBOK IV)
The next CBOK project, known as the Competency Framework for Internal Auditing (CFIA),
was undertaken by a group of researchers in Australia. The study resulted in the publication of five
detailed monographs (see Birkett, et al., 1999). To summarize the large amount of information
presented, The IIA published a short executive summary monograph (McIntosh, 1999). These
studies surveyed five groups of participants and provided information about the changing nature of
internal auditing from compliance to assurance, risk exposures, and control strategies.
The scope of Birkett, et al.’s (1999) studies addressed the areas of the future of the internal audit
profession, the value proposition of internal auditing, the critical competencies of internal auditors,
global practices, and an assessment of these competencies. One of the interesting conclusions
from this study was that the future will be driven by global organizational change, which would be
accompanied by lower independence for internal auditors. The monographs also concluded that
internal auditors must increasingly get involved with the assessment of risk and strategies for
control. The authors proved to be correct as both of these issues have been addressed by the U.S.
Sarbanes-Oxley Act of 2002.
Internal Auditing: The Global Landscape
Birkett, et al. (1999) found that there were major difficulties in discussing the topic of internal
auditing at a global level. They found that there was a lack of common meaning for terms like
“internal control” and “compliance.” There were also differences in interpretation of “proper
governance.” The surveyed countries agreed on the desired skills that an internal auditor should
possess, including cognitive, behavioral, technical, analytic, appreciative, personal, interpersonal,
and organizational skills. It was also important for internal auditors to have knowledge in specific
areas such as information systems, finance, risk analysis, accounting, internal auditing, benchmarking
techniques, and legal/regulatory systems. The respondents expressed concern that the certification
requirements for the CIA designation were oriented toward North American practice. Major issues
and concerns that would affect the profession in the future were identified as globalization, increased
competition, rapid technological advancement, and changes in corporate governance.
Internal Auditing Knowledge: Global Perspectives
The profession of internal auditing was also discussed at the global level. The internal auditor’s
work environment was further analyzed by its context, factors of influence, key roles in the function,
critical knowledge/expertise needed, and the evaluation of the auditing function. The key roles in
the auditing function included audit management, project leader, internal auditor, management
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 371
development trainee, specialist, and external consultant. A competent internal audit department
must have knowledge of the organization, auditing tasks, technical applications, management
processes, risk/control framework, and commercial viability. Developing competency within internal
auditing was done through an improved recruiting process and implementation of training/development
programs. The auditing function was then assessed based on the linkage between their activities
and the value they provided. It was suspected that in the future, internal auditing would take on a
more anticipatory/proactive role which brought up a discussion on auditors’ independence.
Competency: Best Practices and Competent Practitioners
This monograph includes six units, 27 elements, and many sub-elements, which are assessed through
best practices. The focus of the monograph was on internal auditor competencies (skills) and
capabilities (potential for making judgment). The authors found that competency was the relationship
between task performance and individual attributes such as knowledge, skills, and attitudes
(McIntosh, 1999, p. 4). The authors argued for common terminology but admitted that this was not
an easy task because there is no equivalent for certain terminology (e.g., compliance) in some
countries.
Competency was defined in terms of best practices that are subject to benchmarks. The authors
defined competency standards in terms of units of set tasks needed to meet the fundamental
requirements of performing the audit. Elements of competency are subsets of tasks such as
understanding organizational objectives/strategies, processes and capabilities, and the contextual
dynamics affecting its functioning and sub-elements such as “identify/clarify the organization’s
objectives.” The authors listed six units of competency:
1.
2.
3.
4.
5.
6.
U1: Understanding risk
U2: Understanding adequacy of control strategies
U3: Improve risk management and control
U4: Provide ongoing assurance to organizations
U5: Manage the IA function
U6: Manage the dynamic context that affect the work of the function
The Future of Internal Auditing: A Delphi Study
Birkett, et al. (1999) conducted a study that captured the opinions of 136 internal auditing experts
representing 21 countries. The study focused on topics of importance to the future of the profession,
key tasks performed, drivers of change, skills/knowledge required, and assessment criteria. The
results indicated that the profession was gradually moving toward a focus on alignment with
The Institute of Internal Auditors Research Foundation
372 A Global Summary of the Common Body of Knowledge 2006 ______________________
organizational needs and how to create value for the organization. Drivers such as globalization,
competition, increasing expectations/demands from stakeholders, legal perspectives, and technology
were changing the context of internal auditing work. With the changes that the profession was
facing, auditors needed to be knowledgeable and aware of the importance of evaluating risk
exposures. The assessment of the auditing function could be assessed internally according to the
organization’s value proposition or externally relative to best practices.
Assessing Competency in Internal Auditing: Structures and Methodologies
In this study, the authors provided four performance criteria: qualitative outcomes such as accuracy,
critical process variables such as holistic review, evidence and performance such as relevant
documents, and consulting and timing. The authors stated that the different designations of auditor
levels are trainee, team leader, manager, and director. Other designations included junior, senior,
manager, and director. Internal auditors can also be called consultant, managing consultant, and
vice president of audit.
North American Literature Review on Internal Auditing
Overview
The literature reviewed indicates that the role of the IAA has grown significantly over the years
and given the significant change factors organizations are facing, such as the regulatory environment
and new technologies, it is likely to be subjected to more significant changes in the future. The
literature is fairly extensive in its investigation of the internal auditor’s role in various corporate
governance issues. An extensive literature review by Gramling, et al. (2004) investigated the
increasing role of the IAA in corporate governance. Due to the recent review of this topic provided
by Gramling, et al. (2004), that literature is not reviewed in detail in this chapter. The focus of this
literature review is primarily on the external environment that is causing change in the organization
and the resulting expanded scope of audits required of the IAA.
The Professional Practices Framework of 2004
The most recent study undertaken by The IIA to determine the nature of the changes in internal
auditing and the need to update the definition and standards of the profession was in 1999. Based
on this study The IIA published a report titled, A Vision for the Future: Professional Practices
Framework for Internal Auditing (The IIA, 1999). The report had the following objectives:
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 373
•
•
•
Revise the definition of internal auditing
Produce a new framework
Improve existing processes of standards-setting and guidance development through better
coordination and leveraging of The IIA’s volunteer committees
This report resulted in changes to the definition of internal auditing, The IIA’s Code of Ethics, and
The IIA’s Standards. As seen below, the new definition of internal auditing expands the scope of
internal auditing into corporate governance and risk management (The IIA, 2004):
Internal auditing is an independent, objective assurance and consulting activity designed to
add value and improve an organization’s operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.
This is The IIA’s most proactive and comprehensive definition of internal auditing. It acknowledges
the changing role of internal auditing in organizations, the need for a comprehensive and adaptable
framework, and the ever-increasing value that the IAA contributes to contemporary organizations
of differing sizes and types.
As late as the beginning of the twenty-first century, the evolutionary practice of internal auditing
resulted in developing internal audit best practices and adding value to the organization and its
stakeholders by understanding the link between internal audit and organizational goals. Before the
enactment of Sarbanes-Oxley, internal audit services were focusing on detection, not prevention.
Internal auditors were moving from a confrontational approach to partnering with management
and moving from a controls approach to a risk-based approach. They were also focusing on
consulting services (Roth, 2002).
Chapman and Anderson (2002) argue that the inclusion of assurance and consulting services in the
new definition of internal auditing results in internal auditing becoming a proactive, consumerfocused activity concerned with the important issues of control, risk management, and governance.
The definition specifically states the internal audit activity (IAA) is designed to add value and
improve an organization’s operations (The IIA, 2002).
The Standards indicate examples of assurance engagements as financial, performance, compliance,
system security, and diligence audits. Examples of consulting activities include conducting internal
control training, providing advice to management about the control concerns in new systems, drafting
policies, and participating in quality teams. In addition, assurance services include financial auditing,
performance auditing, and quick response auditing, and consulting services includes assessment
The Institute of Internal Auditors Research Foundation
374 A Global Summary of the Common Body of Knowledge 2006 ______________________
services, facilitation services, and remediation services (Anderson, 2003). These are all valueadded activities and contribute to organizational success and strategic achievement. This was
reflected in the revised Professional Practices Framework which recognized that the IAA needed
to support and promote a broad range of value-adding activities (RGTF, 1999). This also allowed
for the recognition of the practice of internal auditing as evolutionary in the competitive marketplace
(Krogstad, et al., 1999). The next sections include more focused discussion of the factors that
significantly impact the future of the IAA.
Regulations
Prior to the need for compliance with the requirements of Sarbanes-Oxley in the United States and
similar laws in other countries, the emphasis of the IAA in the late 1990s was more a consultative
partner with management (Roth and Espersen, 2003). Internal auditors also performed reviews of
controls over operational systems. In responding to regulatory and technological change factors,
organizations are evolving in their need for different types of internal audit involvement. The
Sarbanes-Oxley Act (2002) legislation in the United States resulted in extensive regulatory
requirements for a more effective and better documented system of internal controls over financial
reporting in publicly listed companies. The IAA is in an advantageous position to help organizations
comply with these requirements and is being called upon by companies to do much of the work in
documenting and testing key internal controls over financial reporting. The new regulatory
requirements have increased the IAA’s participation in the development of control documentation
and compliance auditing over financial reporting that was often left in the past to external auditors.
Sarbanes-Oxley legislation in the United States required the creation of the Public Accounting
Oversight Board in 2004 (PCAOB, 2004). PCAOB was created to reform the auditing of internal
control systems and financial reporting systems. The major objectives of the PCAOB are to enhance
reliable financial reporting and to restore investor confidence after the business scandals and
accounting failures of early 2000s. Faced with the regulatory requirements of Sarbanes-Oxley,
many organizations turned to their IAAs for help. Internal auditor involvement was primarily
compliance work surrounding the adequacy of key controls to aid in the increased reporting and
governance requirements for publicly held companies. Although Sarbanes-Oxley work primarily
emphasized control compliance, it also required internal auditors to provide consulting activities
such as control system design.
Sarbanes-Oxley Changes Audit Coverage
The shift of the IAA to a compliance focus is a result of a regulatory regime imposed by the
requirements of Sarbanes-Oxley (2002) and the PCAOB (2004). Also influential were the changes
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 375
in governance requirements that various stock exchanges implemented (Gray, 2004). Although the
resulting involvement in responding to regulatory requirements is still deemed value-added work, it
is a different trend than was evolving before the business scandals at the beginning of the century
in such areas as governance and risk assessment.
An outcome of the current regulatory climate in the United States is that many IAA resources are
spent on Sarbanes-Oxley compliance assurance work. A survey of audit managers undertaken in
the third quarter of 2005 indicated that Sarbanes-Oxley (2002) first-year compliance efforts utilized
50% or more of internal audit (PwC, 2006). In the resource constrained paradigm within which the
IAA operates, this emphasis means that resources must be diverted from operational audits and
consulting activities to increase Sarbanes-Oxley assurance services. This is a challenging resource
allocation problem for the IAA, where strong leadership and analytical skills as well as the ability
to manage projects more efficiently and effectively are required. Also needed are effective
communication and negotiation skills to interact with various stakeholders. When diverting resources,
leaders of the IAA must be certain that they have a thorough understanding of how their work
contributes value and links to strategy execution and achievement.
The assurance work emphasis necessitated by regulatory requirements could also result in a negative
reputation effect. For example, IAA stakeholders may develop a negative perception that is reverting
back to the stereotypes of compliance duties in earlier periods. Gray (2004) argues that the image
of internal auditors may be regressing to that of “police” as they identify negative findings in their
assessment and tests of internal controls. This is a serious reputation issue that the IAA must
address. Internal auditors must understand when this is happening and neutralize or eliminate such
negative perceptions if they are to be effective in their assurance and consulting activities, relationship
with key stakeholders, and in their role as supporter of organizational success. Ignoring such
perceptions can result in reduced effectiveness of the IAA in its assurance and consulting activities
and with stakeholders.
Finally, an outcome of the expanding regulatory requirements is that internal auditors work closely
with internal management and external auditors. Critics question whether this might damage the
objectivity of the IAA (Krell, 2005). Since independence and objectivity are the cornerstones of
the definition of internal auditing, there is a need for development of holistic models in which the
IAA can maintain its objectivity and independence despite the close working relationships with
internal management and external auditors. To do so may require internal auditors to use effective
interpersonal skills such as relationship management and team building, concepts that are widely
researched and discussed in management science.
The Institute of Internal Auditors Research Foundation
376 A Global Summary of the Common Body of Knowledge 2006 ______________________
Risk Assessment
A recent survey shows that regulatory requirements diverted internal audit resources from other
important internal audit activities such as risk-based audits to assurance work (PwC, 2005A).
Failure to address key strategic and operational risks as well as compliance risk in an annual audit
program undermines the effectiveness of the IAA. It diminishes its strategic value to key
stakeholders and exposes the enterprise to greater operational and financial risks in the future.
Balancing all risks that an organization faces is imperative to the success of the IAA and the
organization as a whole (Krell, 2005).
Internal auditors must not only be able to assess risks in their larger organizations, they must also
be able to complete complex risk analyses in their own IAA. Being able to self-evaluate is important
to the success of the IAA. To accomplish this, internal auditors need to possess increasing levels
of critical thinking, analysis, decision making, and logic. These are among the skills included in the
CBOK 2006 study.
Increased Demands on the IAA
Balancing the complex, competing demands of stakeholder needs with limited IAA resources also
requires effective management by the chief audit executive (CAE) (PwC, 2006). To be perceived
to add value, the internal audit activity must strategically align with the needs and priorities of all of
its key stakeholders, including the audit committee, executive management, and external auditors.
Communicating the needs of the audit function, both orally and in writing, to key stakeholders is
critical to successfully maximizing resources. Effective risk analysis, time management, and
prioritization of tasks are important skills for internal auditors to ensure effective utilization of
scarce resources.
The increased demand for the IAA services places strain on many departments’ limited time
budgets resulting in outsourcing and/or co-sourcing of activities. Rittenberg and Covaleski (1997)
argue that outsourcing would be viable for functions that are not unique. For areas with specialized
needs or competencies, outsourcing may be a viable alternative. Outsourcing reduces the demand
for a scarce resource but requires management of external contract workers and their employers.
CAEs must ensure that their management of internal audit staff is a transferable skill that can be
used for the management of external co-sourcing relationships.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 377
Information Technology
The information technology (IT) used by companies is becoming increasingly more complex. The
IAA must embrace technology, understand it, and be able to effectively audit the processes and
use it as an audit tool. Internal auditors will have to provide increased assurance by providing IT
control assessment within the system of internal controls. If IT controls are selected and implemented
properly on the basis of the risks they are designed to manage, then a methodology to continuously
monitor IT control effectiveness and validity could provide the assurances needed (Le Grand,
2005). Knowledge of IT controls, IT auditing techniques, and the current trends in IT enhances
understanding and efficient utilization of IAA resource.
While the complexity of IT makes auditing more challenging, it also provides an opportunity to
streamline internal audit activities by designing and utilizing continuous IT controls. This can relieve
some of the stress of limited IAA resources that were noted previously. The use of continuous
auditing may reduce the need for detailed annual reviews that have been typical in the past.
Continuous auditing gives internal auditors the ability to monitor key business systems for both
anomalies at the transaction level and for data-driven indicators of control deficiencies and emerging
risk. This can also be incorporated into other aspects of the audit process (Coderre, 2005). Under
continuous auditing, technology is an enabler, but must be initiated and managed by the IAA (Warren,
2003). Continuous auditing should not be confused with continuous monitoring, which may be
management driven (COSO, 2004).
Computer-assisted audit tools (CAATs) can also expand audit coverage when there are finite
resources. Maintenance of existing resource levels while expanding the scope of continuous
monitoring and reporting of organizational effectiveness can be accomplished by utilization of
automated testing capabilities. Effectively enhancing the extent of audit coverage would reduce
the risks that arise with constrained resource allocation (PwC, 2005B). Training for computer skills
for the internal audit staff would ensure IT expertise as an alternative to traditional manual audit
techniques.
Risk-based Internal Auditing
The IIA’s Standards require the establishment of risk-based plans to determine that the priorities
of the IAA are consistent with organizational goals. For example, the risk of noncompliance with
the regulatory requirements of Sarbanes-Oxley and other laws is a risk to the organization that
should be assessed along with other risks when finalizing audit plans. Sarbanes-Oxley requires
management’s development and monitoring of procedures and controls for making their required
attestation regarding the adequacy of internal controls over financial reporting.
The Institute of Internal Auditors Research Foundation
378 A Global Summary of the Common Body of Knowledge 2006 ______________________
The Standards require that internal audit activities evaluate and contribute to the improvement of
the organization’s risk management, control, and governance processes through consulting and
assurance activities. Thus, after the first few years of compliance, the role of internal auditing
activity for Sarbanes-Oxley compliance should be one of support through consulting and assurance
activities as outlined in the Standards (The IIA, 2004). This should allow the IAA to go back to a
broader scope of services and provide more consulting than assurance services.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released
Enterprise Risk Management - Integrated Framework to help businesses respond to enterprise
risk management issues in their own organizations (COSO, 2004). The COSO definition of internal
control differs a bit from The IIA’s definition but the two are substantively similar enough that they
seek to accomplish the same purpose. Since assessing the effectiveness of risk management is
core to the globally accepted definition of internal auditing, the role of internal auditors must be
clearly defined by organizations to ensure that they do not set the risk appetite, impose risk
management processes, or make decisions about risk responses. These are the duties of
management. The IAA must not be accountable for risk management decisions for the organization
(The IIA, 2005). The IAA must be objective and independent if it is to perform its value-added
duties and continue to contribute efficiently and effectively to corporate success.
The current emerging business trend appears to be that the business environment challenges many
organizations to simultaneously strengthen their internal controls and sustain compliance with
Sarbanes-Oxley while also operating efficiently. After the first year of material compliance costs,
organizations are faced with trying to reduce these costs. A top down risk-based approach to cost
cutting may help companies cut costs while identifying the most effective and efficient controls
needed to both achieve compliance and reduce efforts (Deloitte, 2006). If this impacts the internal
audit activity in the future, concern about objectivity, independence, and risk may occur but must
instantly be mitigated. By working independently and organizing the audit plan to focus on the
needs identified in a risk-based assessment in conjunction with discussion with key stakeholders,
the IAA will be able to perform objective and independent audits.
Objectivity
Internal audit’s role is critical in assurance audits because it provides objective assurance (PwC,
2005B). The assurance function of internal audit has always been perceived as an independent
and continuing appraisal of an organization’s internal control system, providing appropriate assurance
that the systems were adequate, effective, and could be relied upon (The IIA, 2002). This is
important because the internal control system comprises the entire network of systems established
in an organization to provide reasonable assurance that organizational objectives will be achieved
with particular reference to risk; effective operations; economical and efficient use of resources;
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 379
compliance with procedures, laws, and regulations; safeguarding against loss, including fraud; and
the integrity and reliability of information and data (PwC, 2006). If auditors are to succeed in this
environment, they must be comfortable with governance, fraud, and ethical audits as they perform
an objective evaluation of the control environment.
New regulation has elevated internal auditing and moved it to the forefront of executive consciousness
and corporate governance. Internal auditors are now being viewed as the “go-to” group and
management is more receptive to changes and recognition of those individuals who help minimize
the negative consequences of disruption caused by the new regulations (Gray, 2004). Objectivity
and professionalism are necessary for effective internal audit services. A change in the traditional
services offered leads to an increase in the risks related to objectivity and independence. Managing
these risks requires auditors to be competent, have integrity, and to use due care when performing
their duties. Training and education provide the foundation for the objectivity needed for auditor
competence and adherence to moral values avoids the perception of deception (Mutchler, 2001).
Strategic Perspective
Due to the demands for increased corporate governance by external stakeholders, management
has been demanding a more tangible explanation of value-added contributions from various functions
(Zoellick, 2005). To be perceived to add value, the IAA must strategically align with the needs and
priorities of its key stakeholders, including the audit committee, executive management, and external
auditors. Strategic implementation has become increasingly important as organizations must compete
with other, often more nimble, entities. Therefore, value for internal auditors may be defined as
supporting the execution of strategy and those that lead its implementation (Simons, 2000).
To achieve this goal, foundational knowledge for internal auditors includes an understanding of the
business, the competitive nature of the industry, and the linkages of all functional and operational
areas in the company. The importance of academic training in foundational business subjects and
a focus on the functions and skills learned in upper-level management courses appear critical for
today’s new auditors. Without such knowledge, misunderstanding the strategic orientation of
stakeholders could impact perceived value added by and the success of the IAA.
Summary
The main message from this literature review is that understanding how internal audit activities
create value in an organization is of critical importance. Also important is the recognition that the
contemporary IAA is positioned to strategically align its goals with those of its many stakeholders,
and yet must remain independent and objective. Another important message from this review is
that the IAA must position itself to be actively involved with risk assessment, control, and governance.
The Institute of Internal Auditors Research Foundation
380 A Global Summary of the Common Body of Knowledge 2006 ______________________
Given the regulatory requirements in the United States that have absorbed approximately 50 percent
of the IAA’s limited resources, resource allocation has become a key activity of the IAA. Internal
auditors need to take full advantage of new technologies such as continuous auditing and software
innovations in IAA department management. The IAA must use its limited resources to support
key activities and organizational needs. Strategic alignment requires that the internal audit function
posture itself as vital to a rigorous, sustainable organizational vision of responsiveness to both
internal and external needs. Enterprise risk assessment, and the subsequent allocation of resources
to provide assurance about the adequacy of the control environment to key stakeholders, is a
daunting task. Audits for all scope areas require a broad set of specialized skills.
Asia Pacific Literature Review on Internal Auditing3
Overview
Most available literature relates to Australia, New Zealand, China, Malaysia, Singapore, and Hong
Kong. The approach in this literature review is to review the Asia Pacific developments in
approximate chronological order rather than country by country.
Early 1980s
The first known empirical study on the role of internal auditing in the Asia Pacific region was that
undertaken by Cooper and Craig (1983). This seminal research on internal auditing in Australia
found a number of issues that were of concern to the profession. It was found that there were a
number of misconceptions about what internal auditors were doing and what their chief executive
officers (CEOs) perceived was being done, and in fact there were expectations by the CEOs that
internal auditors could do more than the traditional financial auditing work mainly being done at the
time. There was nevertheless strong support for internal audit by CEOs and at the time it was seen
as offering long-term career prospects. However, the profession in Australia in the early 1980s
suffered from an image problem, it did not have a strong professional body to represent its interests
as it has now, and there were no generally accepted professional qualifications recognized as
necessary to practice as an internal auditor. This study was undertaken before the development of
modern internal auditing.
3
The Asia Pacific literature review was published in a special CBOK 2006 issue of Managerial Auditing Journal
(MAJ), Volume 21, Issue 8, in October 2006. With permission from the publisher of MAJ, this section uses portions
of the following article: Cooper, B.J., P. Leung, and G. Wong, “The Asia Pacific literature review on internal auditing,”
Managerial Auditing Journal 21 (8), 2006, pp. 822-834.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 381
Early 1990s
Cooper’s et al. (1989) Hong Kong study surveyed both CEOs and internal audit managers with
respective reasonable response rates of 25.8% and 23.1% in a survey of 485 organizations. At the
time, this was a very good response rate from business people as the culture in Hong Kong is not
generally conducive to responding to surveys.
The Hong Kong study was aimed at determining the (then) current state of internal audit practice
in Hong Kong, the level of professionalism evident in internal audit departments, and their training
needs. The majority of CEOs (45.6%) saw the main role of internal auditing as being an independent
appraisal of the internal control system; 21.6% perceived internal auditing’s main role as an
independent review of the efficient operation of the organization; and 19.2% were more concerned
with proper safeguarding of assets and preventing and detecting fraud and error. From the perspective
of internal audit managers, they saw their main role in financial auditing (including internal control
reviews), representing up to 50% of the activity in 94% of the internal audit departments responding
to the survey. The other major activity was the audit of operational areas to improve operational
efficiency, in line with the expectations of the CEOs as noted above. This study also found that
only a minority of internal audit managers were members of The IIA and that on-the-job training
was mainly relied upon to develop internal audit skills.
During 1992, Cooper, et al. (1994) sent a major survey to the internal audit profession in Australia.
He mailed questionnaires to CEOs and internal audit managers of a wide range of organizations in
both the private and public sectors. The research aimed to provide a profile of internal auditing in
Australia in the 1990s. It also addressed a number of issues, including attitudes and recognition;
professionalism; role and scope of internal audit work; career opportunities; education and training;
and the future role of internal auditing. A total of 687 organizations were surveyed with separate
surveys being sent to CEOs and internal audit managers, with usable response rates of 31.0% and
30.9% respectively.
Although the overall view was a positive one in terms of attitudes and recognition, there was some
confusion between perceptions by CEOs and the reality as seen by the internal audit managers.
Findings included:
•
The perceived high profile of internal auditing as reported by the CEOs was not necessarily
borne out by their understanding of the audit process; for example, their strong support for
the “mechanical” aspects of the process rather than a more management-oriented role for
internal auditing.
The Institute of Internal Auditors Research Foundation
382 A Global Summary of the Common Body of Knowledge 2006 ______________________
•
•
•
•
•
•
•
Reporting levels were generally less than ideal and the confusion between perceived status
and the reality of the situation was further reinforced by internal audit managers’ views on
how their role was seen by clients, particularly with respect to a perceived policing function.
The survey did uncover some concerns over the number of internal audit managers who
are not members of The IIA and confusion about the value of the existing internal audit
qualifications such as the CIA designation.
Regarding the role and scope of internal auditing, the CEOs appeared to place the greatest
emphasis on the audit of financial areas, and yet most internal auditors were by then
concentrating on operational areas.
There was general overall support for education and training, but there was apparent
confusion among internal audit managers as to whether internal auditing is a training ground
or a career position.
85 percent of them agreed that management usually implemented audit recommendations.
80 percent agreed that there was adequate feedback from management on audit
recommendations.
85 percent agreed (including 24 percent strongly agreeing) that the internal audit activity
would become increasingly important to management in the future.
The Mid-1990s
In 1996, the first study on benchmarking internal auditing in the region was published by Cooper,
Leung, and Mathews (1996). The three countries compared were Australia, Malaysia, and Hong
Kong. The paper was based on the aforementioned studies of Australia in 1992, Hong Kong in
1989, and a study by Mathews, Cooper, and Leung in Malaysia in 1994, which was based on a
comparable methodology to the Australian and Hong Kong studies. These comparative studies
showed that CEOs in Malaysia were very positive in their perceptions of internal auditing as were
CEOs in Australia. The perceptions were less positive with CEOs in Hong Kong.
CEOs’ understanding of internal audit activities in Malaysia and Australia appeared to set positive
benchmarks, with Malaysian CEOs particularly positive in their view of internal auditing as an
independent review of the efficient operation of the organization. However, the CEOs in Hong
Kong were more concerned with internal audit resources being devoted to appraisal of internal
control, which is reinforced by their views of internal auditing being more exploitative and authoritative
than consultative.
An important benchmark is ensuring that audit recommendations are well thought through and
useful for management and this will normally be evidenced by the extent to which management
takes notice of, and implements, internal audit findings. In this comparative study, 79.6% of Australian
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 383
internal audit managers agreed (with 19.1 % strongly agreeing) that CEOs recognize their
accomplishments, compared with 80.1% in Malaysia and 83.3% in Hong Kong (although in this
case, only 13.6% strongly agreed). With respect to the implementation of internal audit
recommendations by management, 85.5% of internal audit managers in Australia were in agreement,
compared with 84.4% in Malaysia and 84.9% in Hong Kong. With regard to the adequacy of
feedback from management on audit findings and recommendations, more than 75% of internal
audit managers in all countries were positive on this issue.
The Late 1990s
In 1997, a special edition on internal auditing in China was published by Managerial Auditing
Journal, with papers by a number of practitioners and academics. Although none of the papers
presented empirical data, they did provide an insight into internal audit practice in China at the time.
It is important to understand that the internal audit activity in China is an agent of the State, unlike
in Western countries. Tang, Chow, and Cooper (2000) provide a background on how internal
auditing operates in China in their book Accounting and Finance in China - A Review of Current
Practice. In 1983, the State Council in China established the Audit Administration of the Peoples
Republic of China (AAPRC) to supervise all auditing activities in the republic, and in 1988 issued
the Regulation on Audit of the People’s Republic of China, the first comprehensive statute on
state audit, which dictated that state auditing, internal auditing, and public auditing are all to be
guided by the AAPRC. In 1994, the Eighth National People’s Congress adopted the Audit Law of
the People’s Republic of China, which provided for an audit organizational framework consisting
of government audit institutions (departments), internal audit institutions, and public audit institutions
set up at various levels with varying degrees of authority.
Under the system in China, the designated scope of work carried out by internal audit institutions
includes the audit of financial revenues and expenditures; the audit of economic contracts; the
audit of construction projects; and the audit of internal control. An additional audit area is the audit
of economic responsibility, which ensures that management assumes its economic responsibilities,
including the maintenance of assets, observance of economic laws and regulations, and fulfillment
of operational budgets.
Cai (1997) agrees with the categorization of internal audit roles as noted by Tang, Chow, and
Cooper (2000), but observes that as the socialist economy continues to develop in China, it is the
latter role of the audit of economic responsibility that is assuming major importance. As the economy
develops, different challenges will face internal auditing, and as management and state ownership
separate in formerly State-owned enterprises, the role of internal auditing to help management
make the transition and still protect the interests of the State will become more important. Wang
The Institute of Internal Auditors Research Foundation
384 A Global Summary of the Common Body of Knowledge 2006 ______________________
(1997) also points out that with the development of the market economy, enterprises need to
improve internal control systems, management and production technology, and reduce production
costs; therefore, market competition requires the strengthening of internal auditing.
In addition, the Chinese have a practice called “guanxi” in business. In the Chinese language,
“guanxi” is the term for a personal relationship. It refers to the networks of informal relationships
and exchanges of favors that dominate all business and social activities that occur throughout
China (Lovett, et al., 1999; Lou, 1997). Guanxi works on the basic, unspoken word. Individuals
seek to meet their guanxi responsibilities, and failure to do so results in damaged prestige. In
China, business people first strive to build personal relationships with a potential customer and,
once admitted to the clan/guanxi family, business follows. Thus, trust must be established before
business may be conducted. Guanxi is nurtured by the exchange of gifts and favors. However,
such gifts strike ethical nerves in Western society as gifts are contrary to at least the spirit if not the
letter of the laws such as Sarbanes-Oxley and make it hard to follow internal auditing standards.
2000 Onward
A major study has been undertaken in New Zealand by Van Peursem (2004) on internal auditors’
role and authority. In this study, internal auditors were asked to come to a view on whether functions
they perform in connection with internal audit engagements are essential, and to what degree they
feel they enjoy the authority over, and independence from, management that we might expect of a
professional. The research constituted a survey of New Zealand auditors, all of whom were members
of the New Zealand affiliate of The IIA. A very high response rate of 73% was achieved over the
original and follow-up survey. The study found that characteristics of a “true” profession exist but
did not dominate. Significantly, and as subgroups, Van Peursem (2004) also observed that public
practice and experienced auditors may enjoy greater influence over management, and accountancytrained auditors may enjoy greater status owing to the “mystique” of their activities emanating
from their membership of well-known accountancy professional bodies.
Van Peursem (2004) also notes that Cooper et al. (1996) identified a potential issue in confusion
between expectations that internal auditors will both independently evaluate management’s
effectiveness, and also aid management. More recent observations by Glascock (2002) and McCall
(2002) have expressed similar concerns. Van Peursem (2004) also concludes that a key issue is
that internal auditors will assume whatever position is in the best interests of their employer and be
reluctant to counter management, irrespective of the consequences, which is potentially damaging
in terms of image for the internal audit profession.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 385
In a follow-up study in New Zealand, Van Peursem (2005) examined the role of the New Zealand
internal auditor and conceptualized on the auditor’s influence over that role. The fundamental
question is how an effective internal auditor can overcome the tension of working with management
to improve performance, while also remaining sufficiently distant from management in order to
report on their performance. The research found that there are three concepts characteristic of
those who best balanced their role: the internal auditor’s external professional status; the presence
of a formal and informal communication network; and the internal auditors’ place in determining
their own role. Informing these concepts is the auditor’s ability to manage ambiguity. This was a
qualitative study using a multiple case-based approach in which the researcher made observations,
examined documents, and interviewed senior internal auditors in six New Zealand organizations.
In a Singaporean study reported by Goodwin and Yeo (2001), factors that may impact on the
independence and objectivity of internal auditing were investigated. In particular, the researchers
considered the relationship of internal auditors and the audit committee and the use of the internal
audit activity as a management training ground, in terms of the potential effect on the independence
and objectivity of internal auditing. A survey of chief internal auditors found a strong relationship
between internal auditing and the audit committee, particularly where the committee was comprised
solely of independent directors. Chief internal auditors were generally found to have regular and
private access to the audit committee and this was supported by the regulatory framework in
Singapore, which provided support for the independence and objectivity of internal auditors.
The use of internal auditing as a management training ground was also found to be widespread. It
was also more common where an audit committee existed and where the organization was a larger
entity. This existence of an audit committee minimized any negative impact on independence and
objectivity of the internal audit activity in situations where internal auditing was used as a management
training ground.
A study undertaken by Goodwin (2004) explored similarities and differences between public sector
internal auditing and its counterpart in the private sector. Features examined include organizational
status, outsourcing, using internal auditing as a “tour of duty” function, audit activities, and
relationships with the external auditor. The study is based on a survey of chief internal auditors in
organizations in Australia and New Zealand. Results suggest that there are differences in status
between the internal audit activity in the two sectors, with public sector internal auditors generally
reporting to a higher level in the organization. While a similar amount of work is outsourced, public
sector organizations are more likely than those in the private sector to outsource to the external
auditor. There is little difference between internal audit activities and interactions with external
audit in the two sectors. However, private sector internal auditing is perceived to lead to a greater
reduction in external audit fees compared to that in the public sector.
The Institute of Internal Auditors Research Foundation
386 A Global Summary of the Common Body of Knowledge 2006 ______________________
Goodwin-Stewart and Kent (2006) explored the voluntary use of internal auditing by Australian
publicly listed companies and sought to identify factors that lead listed companies to have an
internal audit activity. The study predicted that internal audit use is associated with factors related
to risk management, strong internal controls, and strong corporate governance. To test the predictions,
the study combined data from a survey of listed companies with information from corporate annual
reports. The results indicate that only one-third of the sample companies use internal auditing.
While size appears to be the dominant driver, there was also a strong association between internal
auditing and the level of commitment to risk management. However, the study found only weak
support for an association between the use of internal auditing and strong corporate governance.
The study indicates that a large proportion of Australian listed companies do not use internal
auditing and many of those firms that do have only one or two internal audit staff, a finding supported
by research by Leung, Cooper, and Robertson (2004). The implications of these findings for sound
corporate governance are serious, as it has been suggested that it is difficult for audit committees
to be effective without the support of internal auditing. It would appear that there is considerable
scope for strengthening the relationship between internal auditing, audit committees, and external
auditors.
Leung et al. (2004) researched the role of internal auditing in corporate governance and management
in Australia. The specific objectives of the research were to identify the accountability structures
and internal audit objectives of organizations; determine the nature and extent of internal audit
practice; determine the management and governance relationships of chief audit executives (CAEs)
within organizations; assess the application of the redefined internal audit activity; identify financial
reporting risks and governance issues encountered by internal auditors; assess the effectiveness of
internal auditing’s role in management accountability in a world actively concerned with corporate
governance issues; and recommend improvements in internal auditing. The researchers used a
two-pronged approach to ascertain information pertinent to the objectives. First, the total population
of CAEs in Australia was surveyed using an e-mail survey. The population total, based mainly on
membership of The Institute of Internal Auditors – Australia, was 397 and a 21.4% response rate
yielded 85 usable responses. Second, eighteen CAEs were interviewed to gain a deeper insight
into issues that internal audit faces in Australia. To minimize any selection bias, an additional seven
senior business representatives from listed companies and the governmental sectors, including
regulatory bodies, were also interviewed.
This Australian study found that CAEs were generally very positive about the performance of the
internal audit activity. They see themselves as a key part of the management team, and that they
can influence decisions, maintain a sufficient level of objectivity, integrity, and competence in their
jobs, and are able to provide good support for their own staff. They view the culture and support
of management as a key factor in ensuring the effectiveness of their role.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 387
A high percentage of respondents indicated that they perceived management recognized their role
in enhancing good corporate governance and that management appeared to take an interest in their
work. On the other hand, there were views expressed that they should have a greater role in the
organization’s governance processes, although some were concerned that they did not have sufficient
resources to discharge such additional work effectively. Many were also unsure about how they
should actually go about making an effective contribution to the improvement of corporate governance
in their organizations. What this Australian study indicates is that despite the universal concerns
about the need to enhance good corporate governance and the contribution that the internal auditing
profession can make, the internal auditor’s role in contributing to the process cannot be taken for
granted.
Ernst & Young et al. (2005) undertook a benchmarking study of internal audit services in the
communications and entertainment sectors in both Australia and New Zealand. The study found
that 63% of respondents indicated they had entered into a co-sourcing relationship with an external
party and 13% had completely outsourced their internal audit function. With regard to reporting
relationships, 72% report primarily to the chair of the audit committee and 62% have increased the
size of their internal audit activities in the prior 12 months. With respect to corporate governance,
63% of respondents are involved in providing assurance or monitoring compliance with the Australian
Stock Exchange (ASX) Corporate Governance Principles.
Fadzil et al. (2005) undertook a study in Malaysia to determine whether the internal audit department
of the companies listed on the Bursa Malaysia (Malaysian Stock Exchange) comply with the
Standards and whether compliance with the Standards affects the quality of the internal control
system of the company.
It was found that management of the internal audit department, professional proficiency, objectivity,
and review processes significantly influence the monitoring aspect of the internal control system.
The scope and performance of audit work significantly influences the information and communication
aspects of the internal control system, while performance of audit work, professional proficiency,
and objectivity significantly influence the control environment aspect of the internal control system.
The study also shows that management of the internal audit department, performance of audit
work, the audit program, and audit reporting significantly influence the risk assessment aspect of
the internal control system. Lastly, performance of audit work and audit reporting significantly
influences the control activities aspect of the internal control system.
A study in Malaysia by Ali, et al. (2004) looked at internal auditing in the state and local governments
of Malaysia. Based on a series of semi-structured interviews, the authors found that only a minority
of local governments in Malaysia have an internal audit activity. The presence of quite a small
The Institute of Internal Auditors Research Foundation
388 A Global Summary of the Common Body of Knowledge 2006 ______________________
number of local governments with internal auditing may be due to the fact that in at least two
states, the internal audit activity of their local government departments is conducted by the internal
audit departments or units attached to the two state governments. There is no comfort, however,
for such an arrangement – though it is certainly better than having no internal audit done at all at
the local government level. This is because internal auditing in so many of the state governments
and their statutory bodies is operating with numerous limitations. The severest problems are
concerned with a shortage of audit staff and staff lacking in audit competencies. In many
organizations, the non-audit personnel and top management are generally unsupportive of internal
auditing.
Another study in Malaysia by Ernst & Young (2004) was undertaken to develop an understanding
of the practice of internal auditing following the tightening of regulations and the increasing
importance of risk management and corporate governance practices in Malaysia. The survey was
given to participants of The IIA Malaysia’s National Conference held in September 2004 in Kuala
Lumpur. Responses were received from 292 out of more than 600 participants. A total of 87% of
the respondents stated that the primary function of internal auditing is to provide assurance of
internal control and risk management processes and systems. The secondary role of the internal
audit activity is focused on three areas, namely, operational reviews (32%), efficiency of operations/
cost savings (20%), and risk management (11%). The majority of respondents indicated having
staff levels ranging from less than 5 to 25, although 50% of the respondents indicated that the size
of internal auditing has increased in the past 12 months. The increase in the number of internal
audit staff could be the result of the rising importance of corporate governance in Malaysia.
Respondents reported that more than half of the internal audit staff are qualified auditors (53%),
complemented by staff with a commercial background (26%) and information technology specialists
(12%). Most of the respondents (in excess of 70%) indicated that their methodology commonly
included risk assessment, control evaluation, and process analysis. However, about 13% and 15%
of the respondents respectively reported not having a risk assessment and control evaluation process.
Only 30% of respondents reported internal auditing having commissioned an independent review.
Of the 30% of respondents who indicated that a review had been conducted, 46% indicated that
the review was conducted by peer companies while 44% engaged a professional services firm.
Ernst & Young (2005) also conducted a survey of internal auditing in Australia and New Zealand
of the Australian Stock Exchange’s (ASX) top 200 companies in Australia and the top 100 listed
companies in New Zealand and received 173 responses. The aim of the survey was to further the
understanding of how internal audit activities in both the public and private sectors are continuing
to evolve to meet ever-increasing demands and expectations. In total, 39% of respondents increased
the size of their internal audit activities over the previous 12 months and 78% of internal audit
activities now report to either the audit committee chair or the CEO. Just 54% of internal audit
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 389
staff have a financial background, suggesting that internal audit teams are increasingly undertaking
non-financial reviews and recruiting more commercial and other specialist skills; 77% of respondents
have at least part of their internal audit conducted by an external party, mostly due to the need for
specialist skills.
Over half the organizations surveyed have changed the coverage of internal auditing to help support
the ASX Principles of Good Corporate Governance. These internal audit teams are undertaking
more detailed controls testing and increasing their focus on providing assurance around risk
management frameworks to underpin compliance with the principles. In New Zealand, 76% of
private sector respondents have audit committees that satisfy the requirements of the updated
New Zealand Stock Exchange Listing Rules. In both countries, 84% of internal audit activities are
basing their annual audit plan on generally accepted risk management principles.
Carey et al. (2006) undertook a study to investigate the determinants of internal audit outsourcing
using survey data on 99 companies listed on the Australian Stock Exchange. It was noted that
54.5% of companies fully rely on an in-house internal audit activity, with the others outsourcing all
or some of their internal audit activities. Outsourcing is associated with perceived cost savings and
the technical competence of the provider. However, it was also observed that 75% of those companies
outsourcing did so to their external auditor, which may have implications for perceptions about the
independence of the external auditor.
Summary
The above provides a summary of the trend and literature covering internal auditing in the Asia
Pacific region from the seminal work by Cooper and Craig in 1983 until the most recently reported
studies in the academic and professional literature. In reviewing the above literature, a few
observations can be noted:
•
•
•
While internal auditing has been strongly supported by management, including the CEOs,
conclusive consensus as to the role of internal auditors has not yet emerged.
The function of internal auditors has changed from a more financially oriented role into
one that focuses on internal controls and risk assessment through the last two decades.
CEOs have generally perceived internal auditing as having a financial function, while
internal auditors moved their emphasis into systems and risks.
There was, and still is, confusion regarding the independence of internal auditors. This is
made more complex by the definition of internal auditing which encompasses both the
expectations of the consulting role and the assurance role. Internal auditors are uncertain
as to how to balance independence in both roles.
The Institute of Internal Auditors Research Foundation
390 A Global Summary of the Common Body of Knowledge 2006 ______________________
•
•
•
•
During the 1990s, the increasing use of international accounting firms in consulting and
assurance engagements overshadowed the internal audit function.
The U.S. Sarbanes-Oxley Act of 2002 added the dimension of internal financial reporting
assurance expected of internal auditors and audit committees.
With the apparent lack of a structured approach to the body of knowledge, a clearly
defined role, and an apparent lack of status underpinned by a rigorous generally accepted
professional program (the CIA program has had limited uptake in Asia Pacific), internal
auditing has suffered from lack of prominence in Asia Pacific.
The Common Body of Knowledge 2006 study is timely and highly significant in shaping
the internal auditing profession in Asia Pacific in the years to come.
European Literature Review on Internal Auditing4
Overview
This section summarizes the major studies addressing internal auditing and related corporate
governance issues in Europe and is drawn from work carried out by authors from Belgium, Italy,
the Netherlands, and the United Kingdom.
Physically, Europe can be described as a continent that contains approximately 45 separate nations
ranging in size from the smallest states in the world to among the largest. Politically and economically,
there is a diversity that includes former centralized economies (former USSR states such as Russia
and Ukraine), economies where state intervention is active (France), and free market capitalist
economies (such as the U.K.). There is also a range of developmental status from post-industrial
through to agrarian-based. Culturally, Europeans speak more than 200 different languages (with
many states being as a minimum bilingual and trilingual). Given that each state also has its own
legal system and business traditions it is not surprising that there can be no “one size fits all” code
of corporate governance. The following is a summary of the major European studies on internal
auditing.
4
The European literature review was published in a special CBOK 2006 issue of Managerial Auditing Journal (MAJ),
Volume 21, Issue 8, in October 2006. With permission from the publisher of MAJ, this section uses portions of the
following article: Allegrini, M., G. D’Onza, L. Paape, R. Melville, and G. Sarens, “The European literature review on
internal auditing,” Managerial Auditing Journal 21(8), 2006a, pp. 845-853.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 391
Institut Français de l’Audit et du Contrôle Internes (2005)
This French study followed up a previous version in 2002 that was conducted in conjunction with
Ernst & Young. The survey was sent to 508 chief audit executives (CAEs), with a response rate of
37%. Both the private and public sectors were included. Statistics include detailed descriptive
results illustrated with charts and tables completed with results from interviews with the six major
CAEs. By conducting this survey, Institut Français de l’Audit et du Contrôle Internes (IFACI)
wanted to assess the recent evolution in internal auditing in France, investigate the impact of new
laws and regulations, and assess the future of internal auditing. Major findings are discussed below.
Internal Audit Role in Corporate Governance
The independence and objectivity of internal auditors are guaranteed by their double reporting lines
to top management and the audit committee. About 50% of the internal audit departments in this
study have a formal meeting with their top management every quarter, whereas 40% of the CAEs
have private meetings with the head of the audit committee. The audit committee is primarily
interested in the internal audit activities and mainly the implementation of their recommendations.
More than half of the internal audit departments are involved with activities related to corporate
governance.
Internal Audit: Still Strongly Focused on Assurance
Assurance engagements are still dominant, representing 73% of the working agenda of internal
auditors. These engagements mainly deal with the evaluation of internal controls, as well as
compliance audits. With respect to consulting engagements, internal auditors give advice and
participate in specific projects or working teams.
Internal Audit’s Role in the Implementation of New Laws and Regulations
It is interesting to see that internal auditors play a key role in implementing laws such as the “Loi de
Sécurité Financière” and Sarbanes-Oxley. More than two-thirds of the internal audit departments
have developed a project on internal control reporting and 74% have dedicated a part of their
working time on the implementation of Sarbanes-Oxley. These two laws have slightly changed
internal audit’s work in that it has become more risk-based. In those companies that have to
comply with Sarbanes-Oxley, internal auditors currently spend more time on the evaluation of
financial controls and regularly conduct financial audits.
The Institute of Internal Auditors Research Foundation
392 A Global Summary of the Common Body of Knowledge 2006 ______________________
Internal Auditors as Credible, Objective, and Professional Partners
A large majority (82%) of the internal audit departments have an internal audit charter, formally
approved by top management and the audit committee. In order to guarantee their objectivity, most
of the internal auditors adhere to the Code of Ethics defined by the profession. Even when the
internal audit plan is strongly influenced by specific requests from top management and the audit
committee, the internal audit plan is, in a majority of the cases, also based on a risk assessment. It
was observed that a significant number of CAEs have difficulty finding people with the right
competencies. This is one of the main reasons why internal audit is calling more and more for
expertise coming from other internal departments or from external providers.
Internal Audit has Sufficient Financial and Human Resources
On average, companies have 2.85 internal auditors for every 1,000 employees, with large differences
between sectors. In a majority of the companies, the internal audit budget remains stable, whereas
in 42% of the companies, the internal audit budget increased. About 25% of the internal audit
departments have existed for less than five years and 74% of the departments have less than 10
internal auditors. The profile of an internal auditor did not change during the last three years.
IIA Belgium (2006)
IIA Belgium carried out a survey of its members from November 2005 until March 2006. This
survey was strongly inspired by the IFACI study in France. Internal audit departments in 260
Belgian private companies were contacted. The response rate was 31%, which is quite good for a
first general survey about internal auditing in Belgium.
The survey addressed issues with respect to the internal audit department, the internal audit activities,
risk management and the role of internal auditing, the relationship with stakeholders, and the future
evolution of internal auditing. The survey illustrates that, in Belgium, internal auditing is still a
relatively young profession. The main findings are illustrated below.
Internal Audit Department Review
In terms of age of the internal audit department, more than 50% were created less than 5 years
ago. Most internal auditors have working experience in finance, operations, or external audit.
Internal auditors’ education level is at least at the bachelor’s degree level. On average, internal
auditors remain in internal auditing for less than four years (53% of the respondents). The recruitment
channel for internal auditors is equally spread between internal and external sources. CAEs have
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 393
a relatively short experience in audit, with 64% of the CAEs having less than 10 years experience
in audit. Only 37% of the internal audit departments observed are conducting satisfaction surveys
with their auditees. Networking is important for internal auditors as more than 80% have regular
contacts with colleagues from other companies.
Internal Audit Activities
Integrated and operational audit represent globally more than 50% of the activities of the responding
internal audit departments. Consulting activities remain low (on average 12% of the annual working
time), but a majority of the responding internal audit departments expected an increase in consulting
activities in the next two years.
An internal audit charter is used in more than 90% of the cases. On average, 65% of the internal
audit plan is based on a risk analysis, but discrepancies have been observed by sector. In 42% of
the cases, the yearly internal audit plan is adapted more than twice a year to take new requirements
and priorities into consideration. On average, 65% of the recommendations are implemented within
one year after the audit. In general, 61% of the responding internal audit departments do not use
outsourcing or co-sourcing today, but they expect to use, to some extent, more external service
providers in the future.
Role of Internal Auditing in Risk Management
Seventy percent of the respondents’ organizations have set up a risk measurement process. It is
also remarkable to notice that in a lot of companies, not everyone knows the policies and procedures
he or she has to follow. Gaps are observed by sector in terms of risk management practices. On
average, 29% of the respondents’ IAAs are responsible for the risk management process for their
organizations.
Relationship with Stakeholders
Seventy-four percent of the CAEs report functionally to the audit committee. In 74% of the internal
audit departments reviewed the audit committee is in charge of dismissing the CAE, and in 51% of
the cases the audit committee approves the internal audit budget. In second position, it is the CEO
who dismisses the CAE (44%) or approves the budget (49%). Some deviations have been observed
by sector. It is interesting to see that the relationship with the audit committee is positively perceived
by most responding internal audit departments. Furthermore, there are exchanges between internal
audit and external audit (audit reports and audit planning). However, the relationship is less intensive
in the other direction. Overall, the responding internal audit departments are satisfied with their
The Institute of Internal Auditors Research Foundation
394 A Global Summary of the Common Body of Knowledge 2006 ______________________
interaction with the CEO. Although CAEs are generally satisfied about their interaction with the
CFO, this relationship is less intensive than the one with the CEO.
Challenges for Internal Auditing
The relationship with the audit committee and the board of directors needs to be reinforced and the
assurance provided by internal auditing should become the best independent and objective assessment
in terms of risk management, internal controls, and corporate governance. The activities of internal
auditors will be adapted to the new requirements and evolve with the new legislation and the new
challenges of the organization. The profile of the internal auditor is evolving in order to meet the
broader scope of activities. The profession still needs to become more recognized within the
companies. Moreover, internal auditors need to aspire to a longer career in internal auditing.
Sarens and De Beelde (2006)
This study addressed internal auditors’ perception about their role in risk management, and compared
United States (US) and Belgian companies. The purpose of the study was to describe and compare
in a qualitative way how internal auditors perceive their current role in risk management within
U.S. and Belgian companies, and was based on ten case studies (interviews with CAEs and
analysis of relevant documents).
In the Belgian cases, internal auditors’ focus on acute shortcomings in the risk management system
creates opportunities to demonstrate their value. Internal auditors are playing a pioneering role in
the creation of a higher level of risk and control awareness and a more formalized risk management
system. In the U.S. cases, internal auditors’ objective evaluations and opinions are a valuable input
for the new internal control review and disclosure requirements of Sarbanes-Oxley. In Belgium,
the internal auditing profession is actually in a kind of “transition phase.” In order to survive this
phase, internal auditors need to assume a “teaching role” vis-à-vis the different management levels
to make them aware of their responsibilities in risk management. After this transition period, internal
auditors will be able to focus more on their core activities.
Arena and Azzone (2006)
This study explores the relationship between enterprise risk management (ERM) and internal
auditing. Particularly, this study analyzed internal auditing’s role with respect to ERM systems and
the integration of ERM and internal audit activities. The results are based on multiple case studies
applying semi-structured interviews.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 395
The results show a high diversity in risk management systems with respect to the actual adoption
of an integrated risk management system, the techniques that companies apply to identify risks,
and the methodologies applied for risk assessment. Internal auditors mainly provide assurance on
the ERM process, and in some cases they support the implementation and management of the
process. In half the cases, they found a partial integration between ERM and internal audit activities.
More specifically, this integration concerns the comparison of risk maps made by managers and
those made by internal auditors, the integration of evidence that arises from self-assessment to
support the internal audit plan, and the incorporation of the ERM process in the internal audit
reports.
Allegrini and D’Onza (2003)
Based on a survey of the top 100 companies listed on the Italian stock exchange, this study
investigates internal auditing and risk assessment practices in large Italian companies. The analysis
of the survey answers indicates the existence of three different approaches to internal auditing in
the Italian context. Some companies (25%) have a small internal audit department that carries out
traditional assurance activities. The internal auditor is still perceived as an inspector. These companies
do not integrate the COSO methodology into their audit process, and have a control system entirely
based on hard variables. The annual audit planning generally follows an audit-cycle approach. This
model is often found in smaller companies.
In most companies (67%) internal auditors are providing some contributions to the risk management
process and are trying to incorporate the COSO model in the internal control policies and procedures
as well as in the audit process. In this context, internal auditors perform mainly operational audits
and make use of risk assessment findings in planning the annual schedule of audits (macro level).
In planning the individual audits, they generally start from the recognition of significant risks inherent
to the activity in order to limit or expand the test of controls. The internal audit department of
financial institutions generally follows this model.
Moreover, it is possible to identify a few large companies (8%) in which the internal audit unit is
also focused on consulting activities. Internal auditors attempt to add value through a more active
support to risk management at different levels and to align internal audit objectives with the strategic
goals of the organization. This group includes the “early pioneers” in control and risk self-assessment
(CRSA) projects, insofar as they try to strengthen the accountability at all levels of management
for risk and control. They focus their work on significant risks, and they are trying to adopt a
collaborative approach with line management. A risk-based approach is applied both at the macro
and the micro levels so that we can assume they are embracing the risk paradigm as suggested by
Selim and McNamee (1998). Furthermore, internal auditors focus on monitoring activities and soft
controls.
The Institute of Internal Auditors Research Foundation
396 A Global Summary of the Common Body of Knowledge 2006 ______________________
The survey results also show that, in Italy, control and risk self-assessment may be considered in a
“start-up phase,” since it is possible to identify a few “early pioneers” implementing self-assessment
throughout their entire organization. Some other companies claim to have started applying CRSA
only in a few business areas while others reveal their willingness to introduce it within the next few
years.
Tettamanzi (2003)
This study, based on a questionnaire sent to 150 private companies, describes the historical evolution,
current state, and prospects for future developments of internal audit practices in Italy and the
United Kingdom. Tettamanzi found that the percentage of time spent on financial auditing is lower
than the other types of activities (like compliance or operational reviews). In Italy, as well as the
U.K., it was found that if internal auditing has existed for a period of time, its activities mainly
focus on operational and management auditing. If the internal audit unit has been recently set up,
they mainly focus on financial auditing. Nevertheless, the relevance of financial auditing was
higher in the past. Currently, more resources have been devoted to operational and management
audit and this will increase in the future. The study also reveals that in the U.K., many companies
have introduced an internal audit department to comply with the Cadbury Code. Similarly, in Italy,
the Preda Code has determined the introduction and improvement of internal auditing in listed
companies.
Arena, Azzone, Casati, and Mello (2004)
This study is based on a survey within 365 private Italian companies and investigates the existence
and characteristics of an internal audit activity and the activities performed. It was found that 74%
of the responding companies have introduced an internal audit activity. The existence of an internal
audit activity differs between industries and can be linked with the company size. For those
companies that did not have an internal audit activity at that time, 30% had intentions to introduce
one in the future.
However, 50% are not willing to introduce an internal audit activity in the future, whereas 20%
have removed their internal audit activity. More than 50% of the internal audit departments in this
study have less than five internal auditors. With respect to the internal audit agenda, they found
that operational audits, compliance audits, and the monitoring of the internal control system are the
most prevalent activities.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 397
Allegrini and Bandettini (2006)
This study replicated an earlier study by Selim and Woodward (2004) in the U.K. and Ireland and
focuses on internal audit and consulting assignments. The questionnaire was adapted to the Italian
context and sent to the members of the Italian Institute of Internal Auditors. The results reveal that
the new definition of internal auditing changed consistently the percentage of time allocated to
consulting assignments, which moved from 7% to 26%.
The perceptions regarding internal auditors’ involvement in consulting activities are positive or
very positive in 73% of the responding companies. It is interesting to see that 69% of the respondents
indicate that they perform consulting assignment regarding the Law number 231 (issued in 2001),
which requires companies to set up a structured internal control system. More than half of the
respondents (53%) declared to work on consulting assignments regarding corporate governance
and risk management.
Other Studies on Internal Auditing that Address European Issues
Rittenberg and Covaleski (1999) addressed outsourcing of internal auditing services in a government
environment and provided insight into the methods and reasons for outsourcing. Melville (1999)
addressed the current state of the art of control self-assessment (CSA) practice in the U.K. The
overview was based on a survey of the top 50 companies listed on the FTSE, while the other two
elements were based on structured interviews. The conclusions drawn were that CSA is widely
seen as a beneficial practice, although it may not be repeated after the first exercise.
Hopkins (1997) discussed the fundamental differences in perceptions of internal audit quality between
providers of internal audit services and their prospective clients. The study was based on the U.K.
public sector. Selim and Yiannakis (2001) addressed the various levels and methods of outsourcing
in private and public sector organizations and discussed the various levels of success. Melville
(2003) undertook a study based on an international survey of internal auditors, of which European
responses were approximately 12% of the sample. The results showed that internal auditors were
highly geared toward making a contribution to strategic management, especially where a balanced
scorecard type of system was used.
Selim, et al. (2003) found that based on a survey of six countries, internal auditors already play a
key role in the mergers and acquisitions process, though it was also found that they would prefer
this role to be further developed. Paape, Scheffe, and Snoep (2003) reviewed a survey carried out
by the European Confederation of Institutes of Internal Auditing (ECIIA). While the authors were
The Institute of Internal Auditors Research Foundation
398 A Global Summary of the Common Body of Knowledge 2006 ______________________
unsure about the rigor of their research (due to problems with distribution of the questionnaires
rather than a fundamental flaw in methodology), it is clear that there is a wide variety of internal
audit responses to corporate governance issues.
South African Literature Review on Internal Auditing5
Twenty years ago internal auditing in South Africa was not well known as a profession. In South
Africa, a number of factors contributed to the changes, development, and growth of the country’s
internal auditing profession. During the past five years, there were three major contributors to the
large unexpected growth of the profession in South Africa. The first was the reports of the King
commission on corporate governance (King I: 1994 and King II: 2002). The second was the Public
Finance Management Act (SA 1999. Section 38), which made it a legal requirement for all forms
of public organizations to have an internal audit activity in line with the Standards.
As internal auditing is a relative new profession in South Africa, limited formal research publications
were found on internal auditing within the country. The following briefly discusses the various
research publications found about internal auditing in South Africa.
Communication Skills
During his research, Fourie (2006) attempted to find answers to two research questions. The first
was whether tertiary institutions (universities) in South Africa teach sufficient communication
skills to enable aspiring internal auditors to perform their internal audit assignments professionally.
The second question was whether internal auditors in practice regard themselves as having sufficient
communication skills in order to conduct their internal audit assignments professionally.
The results of the study revealed that universities in South Africa do not teach adequate
communication skills to aspiring internal auditors. The respondents indicated that they do not possess
adequate communication skills to professionally conduct their internal audit engagements.
New Standards Address Challenges Faced by the Profession
Coetzee & du Bruyn (2001) investigated the limitations of the previous Standards and the changes
in the new Standards. They found that change in auditing required by the new Standards was
5
South Africa’s literature review was written by Houdini Fourie of the Tshwane University of Technology, South
Africa and Elmarie Sadler of University of South Africa.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 399
difficult to analyze because the new Standards were to be used in conjunction with the previous
Standards at the time of the paper’s publication. Coetzee & Du Bruyn are of the opinion that the
new Standards successfully address the challenges faced by internal auditors in the profession.
Effectiveness of Public Service Audit Committees
The question for this research was the effectiveness of public service audit committees in improving
accountability in the South African public service as perceived by the independent external auditors
of government (Van der Nest, 2007). Van der Nest stated that “the audit committee is a key
accountability instrument, playing a crucial role in the financial management and control environments
of public corporations.” Audit committees are increasingly regarded as integral to modern control
structures and governance practices in both the private sector and public service. The establishment
of audit committees is recognized as best practice with respect to good corporate governance. The
establishment of audit committees is legislated in the financial management legislation in South
Africa.
Importance of Quality Control
In her study, Marais (2003) investigated the importance of quality control within internal audit
activities as prescribed by the Standards and guidelines of The IIA. The study also attempted to
determine to what extent these Standards and guidelines are applied in internal audit activities in
South Africa.
The study concluded that quality control is not adequately applied within all IAAs in South Africa.
Compliance with the Standards that were implemented during January 2002 should help to improve
the situation. Marais further concluded that The IIA should take action to motivate IAAs to exercise
quality control according to the Standards.
Compliance with Good Practice and Legal Requirements by Audit Committees
In his paper, Van der Nest (2005) evaluated the compliance with good practice and legal requirements
by audit committees in South Africa’s government departments. The performance in four of the
audit committees’ important areas of responsibility was also measured.
The initial general observation by Van der Nest was that there is sufficient compliance with the
legal framework within which the South African public sector audit committees function. A further
observation was that there is general compliance with good practice for audit committees in the
South African public sector. According to Van der Nest, evidence shows that “…there is a
preoccupation with control issues and internal audit reports.” Van der Nest is concerned about the
The Institute of Internal Auditors Research Foundation
400 A Global Summary of the Common Body of Knowledge 2006 ______________________
absence or lack of other critical issues that should be addressed by audit committees, including risk
management, processes, financial reporting, and corporate governance.
Summary
The literature indicates many changes in the activities performed by internal auditors over the past
30 years. The increasing complexity of business transactions, a more dynamic regulatory environment,
and significant advances in information technology are developments that have resulted in
opportunities and challenges for internal auditors. One of the objectives of CBOK 2006 was to
gather information on the current state of internal auditing around the world to determine the
current state of the art for the practice of internal auditing to add to the growing literature and
study of the internal auditing profession.
References
1. Abdolmohammadi, M.J., P.A. Burnaby, and S. Hass, “A review of prior common body of
knowledge (CBOK) studies in internal auditing and an overview of the global CBOK 2006,”
Managerial Auditing Journal 21 (8), 2006, pp. 811-821.
2. Albrecht, W.S, J.D. Stice, and K.D. Stocks, A Common Body of Knowledge for the Practice
of Internal Auditing (Altamonte Springs, Florida: The Institute of Internal Auditors Research
Foundation), 1992.
3. Ali, A.M., S.Z. Saidin, M.Z. Ghazali, M.S. Rahim, M.H. Sahdan, A. Ali, and A. Ahmi, Internal
Audit in the State and Local governments of Malaysia, Working Paper, Universiti Utara Malaysia,
2004.
4. Allegrini, M., and E. Bandettini, Internal Auditing And Consulting Assignments In Italy: An
Empirical Research, Fourth European Conference on Internal Audit and Corporate Governance,
2006b.
5. Allegrini, M., and G. D’Onza, “Internal Auditing and Risk Assessment in Large Italian Companies:
an Empirical Survey,” International Journal of Auditing 7 (3), 2003, pp. 191-208.
6. Allegrini, M., G. D’Onza, L. Paape, R. Melville, and G. Sarens, “The European literature
review on internal auditing,” Managerial Auditing Journal 21(8), 2006a, pp. 845-853.
7. Anderson, U., “Assurance and Consulting Services,” In Research Opportunities in Internal
Auditing, Ch. 4, Bailey, A.D., A.A. Gramling, and S. Ramamoori (eds.) (Altamonte Springs,
FL: The Institute of Internal Auditors Research Foundation), 2003.
8. Arena, M., and G. Azzone, “Internal Audit in Large Italian Companies: adoption, development
and evolution,” Fourth European Academic Conference on Internal Audit and Corporate
Governance, 2006.
9. Arena, M., G. Azzone, P. Casati, and F. Mello, Rapporto di ricerca, Italian Institute of Internal
Auditors, 2004.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 401
10. Barrett, M.J., G.W. Lee, S.P. Roy, and L. Verastigu, A Common Body of Knowledge for
Internal Auditors: A Research Study (Altamonte Springs, FL: The Institute of Internal Auditors),
1985.
11. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J. Roebuck, Internal Auditing:
The Global Landscape (Altamonte Springs, FL: The Institute of Internal Auditors), 1999a.
12. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J. Roebuck, Internal Auditing
Knowledge: Global Perspectives (Altamonte Springs, FL: The Institute of Internal Auditors),
1999b.
13. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P. J. Roebuck, Competency:
Best Practices and Competent Practitioners (Altamonte Springs, FL: The Institute of Internal
Auditors), 1999c.
14. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J. Roebuck, The Future of
Internal Auditing: A Delphi Study (Altamonte Springs, FL: The Institute of Internal Auditors),
1999d.
15. Birkett, W.P., M.R. Barbera, B.S. Leithhead, M. Lower, and P.J. Roebuck, Assessing
Competency in Internal Auditing: Structures and Methodologies (Altamonte Springs, FL:
The Institute of Internal Auditors), 1999e.
16. Burnaby, P.A., S. Hass and M.J. Abdolmohammadi, “A survey of internal auditors to establish
the scope of the common body of knowledge study in 2006,” Managerial Auditing Journal
21 8, 2006, pp. 854-868.
17. Cai, C., “Internal audit under the socialist market economy system,” Managerial Auditing
Journal 12 (4/5), 1997, pp. 210-213.
18. Carey, P., N. Subramanaim, and K. Ching, “Internal audit outsourcing in Australia,” Accounting
and Finance 46 (1), 2006, pp. 11-30.
19. CIA World FactBook, https://www.cia.gov/cia/publications/factbook/fields/2145.html, 2006.
20. Chapman, C., and U. Anderson, Implementing the Professional Practices Framework
(Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation) 2002.
21. Coderre, D., Continuous Auditing: Implications for Assurance, Monitoring, and Risk
Assessment (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation),
2005.
22. Coetzee, G.P., and Du Bruyn, “The relationship between the new IIA standards and the internal
auditing profession,” Meditari 9(6), 2001, pp. 1-79.
23. Cooper, B.J., and J. Craig, A Profile of Internal Audit in Australia (Melbourne: Royal
Melbourne Institute of Technology), 1983.
24. Cooper, B.J., P. Leung, and C. Mathews, “Benchmarking – a comparison of internal audit in
Australia, Malaysia and Hong Kong,” Managerial Auditing Journal 11 (1), 1996, pp. 23-19.
25. Cooper, B.J., P. Leung, and C. Mathews, “Internal Audit: An Australian Profile,” Managerial
Auditing Journal 9 (3), 1994, pp. 13-19.
The Institute of Internal Auditors Research Foundation
402 A Global Summary of the Common Body of Knowledge 2006 ______________________
26. Cooper, B.J., P. Leung, and G. Chau, A Survey of Internal Auditing in Hong Kong (Hong
Kong: Department of Accountancy, Hong Kong Polytechnic), 1989.
27. Cooper, B.J., P. Leung, and G. Wong, “The Asia Pacific literature review on internal auditing,”
Managerial Auditing Journal 21 (8), 2006, pp. 822-834.
28. COSO, Enterprise Risk Management – Integrated Framework Executive Summary (The
Committee of Sponsoring Organizations of the Treadway Commission), 2004.
29. Deloitte & Touche, Lean and Balanced – How to Cut Costs Without Compromising
Compliance, Deloitte & Touche, 2006.
30. Ernst & Young, Internal Audit in Malaysia, Kuala Lumpur, (Malaysia), Ernst & Young, 2004.
31. Ernst & Young and IIA New Zealand and Australia, Trends in Australian and New Zealand
Auditing Second Annual Benchmarking Survey 2005, Ernst & Young and IIA New Zealand
and Australia, 2005.
32. Fadzil, F.H., H. Haron, and M. Jantan, “Internal auditing practices and internal control system,”
Managerial Auditing Journal 20 (8), 2005, pp. 844-866.
33. Fourie, H., Internal auditing and communication: a South African perspective, M. Tech
dissertation, Pretoria, Tshwane University of Technology, 2006.
34. Glascock, K.L., “Auditees or clients?” Internal Auditor, 59 (4), 2002, pp. 84-85.
35. Gobeil, R.E., “The Common Body of Knowledge of Internal Auditors,” The Internal Auditor,
November/December 1972, pp. 20-29.
36. Goodwin, J., “A comparison of internal audit in the private and public sectors,” Managerial
Auditing Journal 19 (5), 2004, pp. 640-650.
37. Goodwin, J., and Y.T. Yeo, “Two factors affecting internal audit independence and objectivity:
evidence from Singapore,” International Journal of Auditing 5, 2001, pp.107-125.
38. Goodwin-Stewart, J., and P. Kent, “The use of internal audit by Australian companies,”
Managerial Auditing Journal 21 (1), 2006, pp. 81-101.
39. Gramling, A.A., M.J. Maletta, A. Schneider, and B.K. Church, “The Role of the Internal Audit
Activity in Corporate Governance: A Synthesis of the Extant Internal Auditing Literature and
Directions for Future Research,” Journal of Accounting Literature 23, 2004, pp. 194-244.
40. Gray, G., Changing Internal Audit Practices in the New Paradigm: The Sarbanes-Oxley
Environment (Altamonte Springs, FL: The Institute of Internal Auditors), 2004.
41. Hass, S., M.J. Abdolmohammadi, and P.A. Burnaby, “The Americas literature review on internal
auditing,” Managerial Auditing Journal 21 (8), 2006, pp. 835-844.
42. Hofstede, G., Culture’s consequences: International differences in work-related values
(London, UK: Sage), 1980.
43. Hofstede, G., “Dimensions of National Culture in Fifty Countries and Three Regions,” in J.B.
Deregowski, S. Dziurawiec, and R.C. Annis (Eds.), Explications in Cross-Cultural Psychology,
Swets and Zeitling, 1983.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 403
44. Hopkins, R., “The nature of audit quality - a conflict of paradigms? An empirical study of
internal audit quality throughout the United Kingdom Public Sector,” International Journal
of Auditing 1 (2), 1997, pp. 117-133.
45. House, R.J., P.J. Hanges, M. Javidan, P.W. Dorfman, and V. Gupta (Eds), Culture, Leadership,
and Organizations: The GLOBE Study of 62 Societies (Thousand Oaks, CA: Sage
Publications), 2004.
46. IFACI (Institute de L’Audit Interne), Resultat de l’enquete sur la pratique de l’audit interne en
France en 2005 (The Institute of Internal Auditors France), 2005.
47. IIABEL (The Institute of Internal Auditors Belgium), Internal audit in Belgium: the shaping of
internal audit today and the future expectations – survey results (The Institute of Internal
Auditors Belgium), www.iiabel.be.
48. King Committee on Corporate Governance, King report on corporate governance for South
Africa, Institute of Directors, 1994.
49. King Committee on Corporate Governance, King report on corporate governance for South
Africa, Institute of Directors, 2002.
50. Krell, E., “Is Sarbanes-Oxley Compromising Internal Audit?” Business Finance, August, 2005.
51. Krogstad, J., A.J. Ridley, and L.E. Rittenberg, “Where We’re Going,” Internal Auditor. October
1999.
52. Le Grand, C.H., Information Technology Controls (Altamonte Springs, FL: The Institute of
Internal Auditors Research Foundation), 2005.
53. Leung, P., B.J. Cooper, and P. Robertson, The Role of Internal Audit in Corporate
Governance and Management (Melbourne: RMIT Publishing), 2004.
54. Lou, Y., “Guanxi: principles, philosophies, and implications,” Human Systems Management 16
(1), 1997, pp. 43-51.
55. Lovett, S., L.C. Simmons, and R. Kali, “Guanxi versus the market: ethics and efficiency,”
Journal of International Business Studies 30 (2), 1999, pp. 231-47.
56. Marais, M., Quality control within internal audit functions and the application thereof in South
Africa, M. Comm. Dissertation, Pretoria, University of South Africa, 2003.
57. McCall, S.M., “The auditor as consultant,” Internal Auditor 59 (6), 2002, pp. 35-39.
58. McIntosh, E.R., Competency Framework for Internal Auditing: An Overview (Altamonte
Springs, FL: The Institute of Internal Auditors Research Foundation), 1999.
59. Melville, R., “Control self assessment in the 1990s: the UK perspective,” International Journal
of Auditing 3 (3), 1999, pp. 191-206.
60. Melville, R., “The Contribution Internal Auditors Make to Strategic Management,” International
Journal of Auditing 7 (3), 2003, pp. 209-222.
61. Mutchler, J., Independence and Objectivity: A Framework for Internal Auditors (Altamonte
Springs, FL: The Institute of Internal Auditors Research Foundation), 2001.
The Institute of Internal Auditors Research Foundation
404 A Global Summary of the Common Body of Knowledge 2006 ______________________
62. Paape, L., J. Scheffe, and P. Snoep, “The Relationship between the Internal Audit Activity and
Corporate Governance in the EU - a Survey,” International Journal of Auditing 7 (3), 2003,
pp. 247-262.
63. PCAOB (Public Company Accounting Oversight Board), Auditing Standard No. 2: An Audit
of Internal Controls over Financial Reporting Performed in Conjunction with an Audit of Financial
Statements, (Washington, DC: Public Company Accounting Oversight Board), 2004.
64. PricewaterhouseCoopers LLP, “Internal Audit Global Best Practices: #2 in a series,” The
Internal Audit Newsletter, 2005A, pp.5-6.
65. PricewaterhouseCoopers LLP, “How Computer Assisted Audit Tools Can Be Used in a
Fiduciary Audit Environment,” The Internal Audit Newsletter, 2005B, pp. 2-3.
66. PricewaterhouseCoopers LLP, PricewaterhouseCoopers’ State of the Internal Audit
Profession: Internal Audit Post Sarbanes-Oxley (New York), 2006.
67. RGTF (Report of the Guidance Task Force to The IIA’s Board of Directors), A Vision for the
Future: Professional Practices Framework for Internal Auditing (Altamonte Springs, FL:
The Institute of Internal Auditors Research Foundation), 1999.
68. Rittenberg, L., and M. Covaleski, “Outsourcing the internal audit activity: the British government
experience with market testing,” International Journal of Auditing 3 (3), 1999, pp. 225-235.
69. Rittenberg, L.E., and B.J.Covaleski, The Outsourcing Dilemma: What’s Best for Internal
Auditing (Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation),
1997.
70. Roth, J., Adding Value: Seven Roads to Success (Altamonte Springs, FL: The Institute of
Internal Auditors Research Foundation), 2002.
71. Roth, J., and D. Espersen, Internal Audit’s Role in Corporate Governance: SarbanesOxley Compliance (Altamonte Springs, FL: The Institute of Internal Auditors Research
Foundation), 2003.
72. Sarens, G., and I. De Beelde, “Internal Auditors’ Perception about Their Role in Risk
Management: A Comparison Between US and Belgian Companies,” Managerial Auditing
Journal 21 (1), 2006, pp. 63-80.
73. Selim, G., and A. Yiannakas, “Outsourcing the Internal Audit Activity: A Survey of the UK
Public and Private Sectors,” International Journal of Auditing 5 (1), 2001, pp. 213-226.
74. Selim, G., and D. McNamee, Risk Management: Changing the Internal Auditor’s Paradigm,
(Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation), 1998.
75. Selim, G., and S. Woodward, “Internal Auditing and Consulting Practice: UK and Ireland Survey,”
British Academy of Management Annual Conference (UK: University of St. Andrews), 2004.
76. Selim, G., S. Sudarsanam, and M. Lavine, “The Role of Internal Auditors in Mergers, Acquisitions
and Divestitures: An International Study,” International Journal of Auditing 7 (3), 2003, pp.
223-246.
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 405
77. Simons, R., Performance Measurement & Control Systems for Implementing Strategy
(Upper Saddle River, NJ: Prentice Hall), 2000.
78. South Africa, The Public Finance Management Act, Act 1 of 1999, Pretoria, Government
Printers, 1999.
79. U.S. Sarbanes Oxley Act of 2002 (One Hundred Seventh Congress of the United States of
America, HR 3763), 2002.
80. Tang, Y.W., L. Chow, and B.J. Cooper, Accounting and Finance in China – A Review of
Current Practice, 4th, Sweet and Maxwell Asia, (Hong Kong), 2000.
81. Tettamanzi, P., “Internal auditing: evoluzione storica, stato dell’arte e tendenze di sviluppo:
Italia e Regno unito a confronto,” Egea, 2003.
82. The Institute of Internal Auditors, A Vision for the Future: The Professional Practices
Framework for Internal Auditing (Altamonte Springs, FL: The Institute of Internal Auditors
Research Foundation), 1999.
83. The Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs,
FL: The Institute of Internal Auditors Research Foundation), 2002.
84. The Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs,
FL: The Institute of Internal Auditors Research Foundation), 2005.
85. The Institute of Internal Auditors, The IIA Research Foundation Request for Proposal (Altamonte
Springs, FL: The Institute of Internal Auditors Research Foundation), 2005.
86. Van der Nest, D.P., Audit committees in government departments: an internal audit perspective,
The South African Journal of Accountability and Audit Research 6, 2005, pp. 75-83.
87. Van der Nest, D.P., Audit committees and accountability in the South African public service,
D. Tech dissertation, Pretoria, Tshwane University of Technology, 2007.
88. Van Peursem, K.A., “Conversations with internal auditors - The power of ambiguity,”
Managerial Auditing Journal 20 (5), 2005, pp. 489-512.
89. Van Peursem, K.A., “Internal auditors’ role and authority - New Zealand evidence,” Managerial
Auditing Journal 19 (3), 2004, pp. 378-393.
90. Wang, X., “Development trends and future prospects of internal audit,” Managerial Auditing
Journal 12 (4/5),1997, pp. 200-204.
91. Warren, J.D., and X.L. Parker, Continuous Auditing: Potential for Internal Auditors
(Altamonte Springs, FL: The Institute of Internal Auditors), 2003.
92. Zoellick, B., and T. Frank, Governance, Risk Management, and Compliance: An
Operational Approach (The Compliance Consortium), 2005.
The Institute of Internal Auditors Research Foundation
406 A Global Summary of the Common Body of Knowledge 2006 ______________________
APPENDIX 10-A
Pre-scope Questionnaire for CBOK
Do you agree that the global CBOK scope should include the following:
Demographics for respondents and companies.
Percentage of time spent on different types of audit (scope) in 2005:
• Operational
• Financial (include work with external auditor)
• Governance (ethics, control framework, Sarbanes-Oxley, linkage of
strategy, and company performance)
o The role of internal auditing in organizational governance
• Consulting
• Enterprise risk management (ERM) Need more specification
• Fraud investigations (forensic accounting/auditing)
• Work done by consultants (outsourcing)
• Other:
• Belgium
o Procedures development
o Benchmark analyses (meant to steer company decisions and action
plans for performance improvement)
o Role of internal audit in project management
o IT audit (!)
o Direct operational responsibilities (even limited)
• U.K. Ireland
o Work done by consultants (co-sourcing)
o Assurance work
• U.S.
o I think the work spent with the external auditor should be its own
classification
o With respect to Sarbanes Oxley, the governance component should
be separate from the work done in an advisory capacity
(i.e., monitoring separate from management documentation, testing,
and assessment)
o Outsourced work may be better defined as subject matter expertise
required versus outsourced internal auditing (i.e., is the internal audit
activity outsourced or complemented?)
o Compliance (non-Sarbanes-Oxley)
The Institute of Internal Auditors Research Foundation
Yes
53
No
7
60
58
61
2
2
1
60
59
59
57
3
3
3
5
_____________________________ Chapter 10: Research Method and Literature Review 407
Percentage of time spent on different types of audit (scope)
in 2005: (Cont.)
o Regulatory
o Technology
o Audit of IT function
• Asia
o IT audit
o Probity auditing
o Information technology audit
o Ad hoc/special audit
• Italy
o Compliance programs for the prevention of corporate crime: risk
assessment, compliance audit, monitoring, compliance programs
updating.
• South Africa
o Integrated assurance services (audits that combine financial,
operational, ICT, and governance).
Yes
No
Adherence to the International Standards for the Professional Practice
of Internal Auditing (Standards) (The IIA, 2004):
• 1000 Purpose, Authority, and Responsibility
o Charter outlining nature of assurance and consulting services
• 1100 Independence and Objectivity
o Reporting structure administratively and functionally
o Support of upper management
o Support of the audit committee
• 1200 Proficiency and Due Professional Care
o Level of education required of entry-level auditors
o Certifications
o Skills required of each audit position
• 1230 Continuing Professional Development - number of hours required
• 1300 Quality Assurance and Improvement Program
o How often internal quality review is performed
o How often external quality review is performed
• 2000 Managing the Internal Audit Department
o CAE - rotating or permanent position
o Written policies and procedures
o Staff rotation policy
Yes
No
62
1
61
1
62
0
53
59
5
4
58
5
The Institute of Internal Auditors Research Foundation
408 A Global Summary of the Common Body of Knowledge 2006 ______________________
Adherence to the International Standards for the Professional Practice
of Internal Auditing (Standards) (The IIA, 2004):
• 2010 Planning
o Percentage of audit budget spent on planning activities
• 2210 Engagement Objectives
o Set audit objectives during the planning stages of the audit
• 2240 Engagement Work Program
o % of audit programs written specifically for each engagement
o % of audit programs from prior audits
o % of purchased audit programs
• 2400 Communicating Results
o A written audit report is prepared for what percent of engagements
o Audit report includes a grade or score for the audit process
• 2500 Monitoring Progress
o Follow-up procedures are performed on what % of audits
o Audit department has the support of upper management to ensure
improvements are made by auditee
• Other: Belgium
o Follow-up on implementation of critical recommendations
o Calculation/estimation of “return” of audit work (through
implementation of audit recommendations or through audit review as
such on e.g., double payments: savings achieved; double
disbursements prevented or corrected; etc.)
• U.K. Ireland
o Adherence to the International Standards for the Professional
Practice of Internal Auditing (Standards) (The IIA)
o Adherence to national or sectoral standards, based on the standards
o Adherence to national or sectoral standards, not based on the
standards
• U.S.
o Determination of IA as either a cost center or profit center
o Calculation of cost savings and/or opportunity income gained arising
from internal audit recommendations as part of reporting (estimation)
and monitoring (actual).
The Institute of Internal Auditors Research Foundation
Yes
No
56
7
58
5
56
7
62
1
62
1
_____________________________ Chapter 10: Research Method and Literature Review 409
Specific areas of knowledge required of internal auditors:
• Traditional business school topics (finance, operations, accounting,
marketing)
• Business terminology
• Technology
• Financial reporting
• Costing methods/managerial accounting
• Economic theories
• Accounting standards
• Auditing standards
• Other:
• Belgium
o Language skills (2 x mentioned)
o IT knowledge and skills (company ERP package) (2 x mentioned)
• U.K. Ireland
o Internal auditing standards
o Statistics and analytical techniques
o General management
• U.S.
o Should there be more in the way of operational and compliance
auditing? The above categories seem traditional and exclusive to
the operational and compliance COSO components
o Should technology be more specific as to systems etc- should there
be some additional requirements as to ERM, ERP, etc.?
o Should there be more in the “Other” areas such as forensics, fraud,
money laundering, etc.
o Statistical analyses, Six-sigma, etc.
o Regulatory
o Various industries
o Fraud
o Regulation relevant to the industry
• Asia
o Record keeping electronic
o Risk management practices
• Italy
o Statistics
o New legislation (SOX, D.Lgs 231/01)
• South Africa
o Legislation
The Institute of Internal Auditors Research Foundation
Yes
52
No
11
45
57
50
45
25
49
54
16
6
12
17
35
14
8
410 A Global Summary of the Common Body of Knowledge 2006 ______________________
Role of the board of directors and audit committee:
• How often the CAE reports to the audit committee
• Board’s role in governance issues
• Audit committee/board role in review of annual audit plan
• Other:
• Belgium
o Board’s role in the definition of “risk” as used by the internal auditor
in his risk assessment
o Audit committee support for internal audit activity, internal audit
recommendations
• U.S.
o Directors Loan Committee & Trust Committee interaction
o Board appointment of CAE, salary determination, etc.
o Administrative chain of command
o AC structure and experience
o Reporting relationships, agendas
• Asia
o Induction program for AC members
o Board review of IA performance
• Italy
o Audit committee/board role in budget definition
Yes
60
57
59
Evaluation of staff:
• Questionnaire at end of audit by client
• Staff evaluated at end of each audit
• Other:
• Belgium
o Staff evaluations mid-year and year-end: rotation/career opportunities
inside the company or audit staff
o Evaluation of the overall internal audit activity
• U.S.
o Staff evaluation at certain minimum hours if audit is long term?
o Other internal audit quality metrics and measurements
o Core competency development
o Goal achievement (results)
o Performance evaluation (annual or more frequent).
• Asia
o Preference for annual survey of branch performance
• South Africa
o Ethics
Yes No
53
10
55
8
The Institute of Internal Auditors Research Foundation
No
2
5
3
_____________________________ Chapter 10: Research Method and Literature Review 411
Emerging trends in internal auditing:
• Laws requiring companies to have an internal audit activity
• Internal auditors in advisory role for strategy development
• Implemented an internal control framework (COSO, COSO-ERM,
Cadbury, or CoCo)
• Utilize self-directed, integrated work teams.
• Involved in corporate directives to introduce ERP - Enterprise Resource
Planning software such as SAP, Oracle, Peoplesoft, BAAN, and JD
Edwards
• Implement computer library (Web or CD-ROM) for audit reports,
workpapers, and reference materials
• Implement knowledge management systems
• Work with management to develop ERM system
• Provide training to audit committee
• Share audit programs with “Other” companies’ internal audit departments
• Introduce improvements in cycle time
• Utilize groupware such as Lotus Notes
• Review electronic commerce applications
• Utilize CAATs
• Develop intranet site to educate company personnel about internal
controls, risk management, Sarbanes-Oxley requirements, etc.
• Other:
• Belgium
o Provide control awareness trainings to managers (new recruited
managers: as part of company introduction program; newly
promoted managers - individually; newly acquired company
management team; etc.)
o Implementing total quality related frameworks (e.g., EFQM)
• U.K. Ireland
o Refocused internal audit on role of providing objective assurance in
context of organization's overall assurance framework
o Introducing full risk-based internal auditing
• U.S.
o Analytical (audit) reviews
o Is there a need to address independence if internal audit is used to
“introduce erp,” implement knowledge systems and develop ermhow to audit?
o Regulatory
o Attorney client privilege work
The Institute of Internal Auditors Research Foundation
Yes No
56
7
50
11
57
4
48
45
14
16
55
7
49
52
47
53
44
36
43
56
55
13
11
14
8
19
26
19
6
7
412 A Global Summary of the Common Body of Knowledge 2006 ______________________
Emerging trends in internal auditing: (Cont.)
• Asia
o Audit time recording system of allocation of audit hours
• Italy
o Supporting internal control system definition in BPR projects
o Web-based training for personnel according to D.Lgs 231/01
requirements
Yes
No
Certification:
• Need for certification exams for audit managers and CAEs above
CIA certificate. Already part of the “adherence to Standards”?
• Other:
• Belgium
o Need for a CIA more oriented toward non-profit organizations
• U.K. Ireland
o Need for specific qualification or certification for internal auditors
o Need for certification for practicing internal auditors
• U.S.
o Certifications for seniors (level below mgrs)
o Skills needed - CISA, CFE, etc.
• Asia
o Specialized internal auditing certifications CGAP for public sector,
CFSA for financial services auditor
• Italy
o CPA, ACFE, CSA
Yes
45
No
17
Salaries:
• Entry-level salary at each audit position
• How internal audit salaries compare with managers at similar levels
in the organization
• Other:
• U.K. Ireland
o How internal audit salaries for those with internal audit qualifications
compare
• U.S.
o Does IA have possibility to rotate to another position within the
company? How often does it happen? What is the average time IA
stays within the IA function?
o Staff levels to include bonus and option programs
Yes
42
45
No
18
16
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 413
Salaries: (Cont.)
o Mobility within the organization - how many transfers to the
departments, functions?
o Changes too often and varies globally
o Incentive compensation - bonuses, stock options
• Asia
o Essential criteria for CAEs and staff, i.e., degree
• Italy
o Other benefits
Yes
No
Audit Methods, Tools, and Techniques:
• ACL, Idea, SAS
• Control self-assessment
• Continuous auditing
• Electronic workpapers
• Sampling
• Data mining
• Whistle-blowing hot line
• Comparisons of performance measures to targets in entity’s objectives
• Flowchart software
• Other:
• Belgium
o Generic office IT tools/groupware
• U.S.
o Outsourcing of highly technical/specialized reviews
o Lotus Notes
o Issue tracking repositories
o Intranet portals
o Knowledge management
• Asia
o PowerPoint presentations for audit
• Italy
o Process Modeling Software
o Risk assessment (No: control risk self-assessment)
• South Africa
o Include ERM, benchmarking, QAR, the IA process - procedures,
e.g., compliance, substantive and analytical - Refer PA 2320
Yes
59
57
52
58
59
54
49
52
46
No
3
6
11
3
4
8
13
9
15
The Institute of Internal Auditors Research Foundation
414 A Global Summary of the Common Body of Knowledge 2006 ______________________
Auditee Skill Set (at each level):
• Organization
• Interpersonal
• Writing
• Critical thinking
• Ability to do root cause analysis
• Negotiation
• Conflict resolution
• Interview
• Other:
• Belgium
o IT skills (knowledge of company ERP capabilities and control
features + use of system to prepare projects and substantiate findings)
o Synthesis: know how to extract just that information that is necessary
to put context around a finding and recommendation
• U.K. Ireland
o Influencing
o Presentation of complex results
• U.S.
o Computer skills
o Foreign languages
o Strategic agility
o Facilitation
o Consensus building
o Teamwork
• Asia
o Communication
o Time management
o Judgment
o Business acumen
• Italy
o Corporate crime, fraud
• France
o Courage
The Institute of Internal Auditors Research Foundation
Yes
56
57
57
56
53
56
57
57
No
7
6
5
7
9
7
6
5
_____________________________ Chapter 10: Research Method and Literature Review 415
Other: Please list “Other” topics that you would like to include in the survey:
Yes
• Belgium
o Interaction between internal and external audit
o Co-sourcing/outsourcing
o Auditor’s career: recruitment into internal audit and/or internal move
“in”/career path with internal audit and/or internal move “out”/external
move “out”
• U.K. Ireland
o Knowledge areas are too narrow: should include governance, ethics,
ethnographic methods
o Involvement in corporate social responsibility
o Benchmarking regarding I.A. size (i.e., no. of employees, mixture of
qualified and non-qualified staff, types of qualification of I.A. staff, etc.)
• U.S.
o How is the internal audit plan developed, on the basis of what information
(scoping using risk assessment, particular needs of BU, fraud
investigation, what is the % of each component)?
o What is the duration of the audit plan (1 year, 3 years, etc.)? How often
is it revised?
o Whom does the IA report to (audit committee, CEO, CFO, etc…are
they independent?
o How is the IA founded: special budget, re-invoiced to BU, etc…?
What is the budget?
o What are the yearly training expenses?
o Does IA use any indicator to measure its performance? If yes, what are
they?
o The views expressed are solely my own and do not necessarily reflect
to the position of Fidelity Investments or its associates
o Trend toward outsourcing/partnering
o Resource management and planning
o Internal audit department structure and geographic locations
o Global focus
o Reporting relationship of CAE to board/audit committee, CEO, CFO,
“Other”
o Frequency of private meeting of CAE and board/audit committee
chair/committee - never, once per year, etc.
o Asset size of company/annual sales
o Number of internal auditors
The Institute of Internal Auditors Research Foundation
No
416 A Global Summary of the Common Body of Knowledge 2006 ______________________
Other: Please list “Other” topics that you would like to include in
the survey: (Cont.)
o Annual audit department salaries & benefits
o Public/private/other org.
o Core competency framework
o Soft skill development
o Training and development
o Career pathing
o Knowledge management
• Asia
o Will 1312 review be completed by Jan 1, 2007
o Probity auditing
o Project management
o Standardization of audit reports
o Freedom of information/privacy concerns
o Performance indicators for internal audit
o Standardization of ranking audit
o Balanced scorecards for internal audit
o Disclosure and confidentiality principles for internal audit
o International auditing standards (Global)
o Globalization of auditing profession
o Academic qualifications for internal audit in tertiary institutions
o Career planning for internal audit
o Marketing of the internal audit activity
o “Recognized Professional Association”
o Benchmarking of internal audit
o Introduce CAE within organization for signoff on internal controls
o Ratio of internal audit cost vs. external audit cost
o Boardroom skills
o Personnel management skills
o Managerial skills
o Split information required for financial audit between financial control
work and supporting/interacting on external audit work
o Emerging new technology and trends in business that impact audit
o New business organizational formations that affect audit capability
The Institute of Internal Auditors Research Foundation
Yes
No
_____________________________ Chapter 10: Research Method and Literature Review 417
Other: Please list “Other” topics that you would like to include in
the survey: (Cont.)
• Italy
o Information about staff and outsourcing
o Role of the Collegio sindacale
− The relationship between the collegio sindacale and the internal audit
unit (collegio sindacale is a specific body of the Italian corporate
governance system). The features involves in this relationship could
concern:
∗ The support of the collegio sindacale to the internal audit
independence.
∗ The review of the audit plan.
∗ The communication of audit results to the collegio sindacale.
∗ Other.
o Planning and priority setting
o Role of the collegio sindacale in the Italian corporate governance
system and the relationship with the internal audit department.
• France
o How do IA, MA, compliance, quality control, and “Other” control
functions fit together?
o What are the job positions in internal auditing?
o How can we go from one position to another?
o How to be prepared to get out of the audit department to disseminate
the control culture.
• South Africa
o Environmental auditing
o QAR
o ISO standards relating to internal auditing, e.g., ISO 14000, etc.
The Institute of Internal Auditors Research Foundation
Yes
No
418 A Global Summary of the Common Body of Knowledge 2006 ______________________
APPENDIX 10-B
Topical Areas That Are Addressed in
Past and Current IIA CBOK Studies
Gabeil
(1972)
Accounting
Auditing
Barrett et al.
(1985)
Accounting*
Auditing
Albrecht et al.
(1991)
Accounting**
Auditing
Birkett et al.
(1999)
Accounting
Auditing
Communications
Communications
Communications
Competency
Assessment,
Benchmark,
Competency
Standards
Compliance/
Government
Corporate
Governance
Behavioral
Sciences
Communications
Government
Computers Basis
Computers &
Systems
Computer &
Information
Systems
Computers &
Information
Systems
Data Gathering
& Delivery
Computers &
Information
Systems
Data
Warehousing
CBOK
(2006)
Accounting***
Auditing@
Audit Committee/
Oversight Committee
Audit Plan
Behavioral Skills/
Technical
Skills/Competencies
Communications
Benchmarks/Quality
Assessment
Compliance/
Regulations
Corporate
Governance
Computer Software
Used in the Audit
Information
Technology
Consulting/Advisory
Services
Data Mining
*Specifies as financial, management, and government accounting
**Specifies as financial and managerial accounting
***Financial and managerial accounting as well as specialized accounting appropriate for the type of organization
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 419
Topical Areas That Are Addressed in
Past and Current IIA CBOK Studies (Cont.)
Gabeil
(1972)
Economics
External
Relations
Finance &
Control
Barrett et al.
(1985)
Finance
Albrecht et al.
(1991)
Economics
Ethics
Birkett et al.
(1999)
Economics
Ethics
Expertise
(Experience,
Knowledge, Skills)
Finance
Finance
Finance
Forensic
Accounting/
Auditing
Forensic
Accounting/
Auditing
Fraud
Emerging Issues
Fraud
International
Legal Aspects
of Business
Secretarial
& Legal
Management
and the
Management
Functions
Legal Aspects
of Business
Management
Future of the
Profession and
Influencing Factors
IA Staff Position
in Organizations
Internal Auditor’s
Work Environment,
Context, Population,
and Scope of Work
International/culture
Legal Aspects
(Commercial and
Regulatory Law)
Management
The Institute of Internal Auditors Research Foundation
CBOK
(2006)
Ethics/Ethics Audits
Expertise (Experience,
Knowledge, Skills)
IAA Position in the
Organization
Internal Auditor’s
Work Environment,
Context, Population,
and Scope of Work
International/
Globalization/Culture
Legal Regulations
Management
420 A Global Summary of the Common Body of Knowledge 2006 ______________________
Topical Areas That Are Addressed in
Past and Current IIA CBOK Studies (Cont.)
Gabeil
(1972)
Marketing
Barrett et al.
(1985)
Marketing &
Distribution
Organizations
Albrecht et al.
(1991)
Marketing
Organizational
Behavior
Birkett et al.
(1999)
Marketing
Organizational
Behavior
CBOK
(2006)
Marketing
Organizations/
Industries
Organizational
Behavior
Outsourcing/
Co-sourcing the
Audit/Audit
Function
Personnel
Administration
Professional
Qualification,
Education,
Development,
Training
Professional
Qualifications,
Education,
Development,
Training
Need for a Global
Validated
Framework
(Common
Language, Global
Profession of
Internal Auditing)
Quantitative
Methods
& Statistics
R&D Audit
Professional
Practices
Framework
Reasoning
Risk Management
and Control/Internal
Control
Role of the CAE
Taxes
Production
Quantitative
Methods
Statistics
Quantitative
Methods
& Statistics
Reasoning
Reasoning
Reasoning
Risk Control/
Internal Control
Taxes
Taxes
Research &
Development
The Institute of Internal Auditors Research Foundation
Statistics
_____________________________ Chapter 10: Research Method and Literature Review 421
APPENDIX 10-C
CBOK 2006 CAE AND PRACTITIONER
QUESTIONNAIRE
Note: This is the final English questionnaire. On the next two pages is a summary of
which questions were on just the CAE questionnaire, just the Practitioner questionnaire,
or on both. The IIA combined the two questionnaires as some of the questions appeared
on both questionnaires.
The Institute of Internal Auditors Research Foundation
COMMON BODY OF KNOWLEDGE (CBOK) 2006
Chief Audit Executive (CAE) or Service Provider Equivalent,
Head of Internal Audit Activity,
Engagement Leader, or Service Provider Principal
Welcome to the Common Body of Knowledge (CBOK) 2006! You are about to participate in one
of the most important projects ever undertaken by The IIA Research Foundation. CBOK will help
Understand, Guide, and Shape the future of Internal Auditing! Your participation will ensure this
project is a success.
We anticipate that this survey will take approximately 40 minutes of your valuable time. All of your
answers will be strictly confidential and will not be associated with your personal information or
organization information. Please answer the questions honestly.
Please complete the survey in one session. If you have any technical problems or questions, please
send an e-mail to [email protected].
At the end of the survey you will be given the opportunity to enter an optional drawing for twentyfive US$200 VISA Gift Cards.
The Institute of Internal Auditors Research Foundation
422 A Global Summary of the Common Body of Knowledge 2006 ______________________
Questions for CAE and Practitioner (Per Word file version)
Question
Number
Part I
1a
1b
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17a
17b
18
19
20
21
22a
22b
22c
22d
23
24
Question Description
Personal/Background Information
How long member
Affiliate/Chapter
Age
Level of Education
Academic Major
Organization Position
Professional Qualification
Total Professional Experience
Total Years as CAE, GA, TAP, VP
Reporting Status
Training hours over last 36 months
Training hours over last 12 months
Type of organization you work in
Classification of the industry you offer
internal audit services
Organization Size - (total employees, assets,
revenue)
Area Served
How long has your organization existed?
Does organization have an Internal Audit Activity
(IAA)?
How long has the IAA existed?
Organization Documents
Who is involved in appointing the CAE?
Who evaluates CAE’s performance
Is there an Audit Committee?
Number of Audit Committee meetings
Number of Audit Committee meeting invitations
Number of Audit Committee meetings attended
Meet Audit Committee in addition to regular
meetings?
Have appropriate access to Audit Committee?
How is value added by IAA measured?
Both CAE Practitioner
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
The Institute of Internal Auditors Research Foundation
*
*
*
*
*
*
*
*
*
_____________________________ Chapter 10: Research Method and Literature Review 423
Question
Number
25a
25b
26a
26b
26c
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
Question Description
How many times is the audit plan updated?
How do you establish audit plan
Provide IA services to external organizations?
External Organizations that receive IA services
Do you agree with the statements below?
Number of Staff in IAA
Incentives to hire IA professionals
Methods to fill staff vacancies
Methods to compensate for missing skills
Percentage of activities out or co-sourced
Will budget for out/co-sourced activities change?
Number of Members who have Certifications
Need additional certification beyond CIA?
Method of staff evaluation
Frequency of training
Use IIA’s Int’l Standards in whole or part?
Guidance from International standard Adequate?
Standard of Professional Practices Framework
adequate?
Reasons for not using The IIA’s Int’l Standards
IAs have quality assessment and improvement
program?
When was last formal internal quality
assessment?
When was last formal internal quality
assessment?
Activities performed as part of IAA quality
assessment
Who performs following activities/audits?
Percentage time spent on the following activities
Resolution of major differences
Who reports auditing findings to management
Who monitors corrective actions?
How much is IA going to use the following
audit tools?
Both CAE Practitioner
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
The Institute of Internal Auditors Research Foundation
424 A Global Summary of the Common Body of Knowledge 2006 ______________________
Question
Number
51
52
53
51a
52a
53a
53b
54
55
56
Question Description
Behavioral skills for staff
Technical skills for staff
Competencies for staff
Important behavioral skills
Important technical skills
Important competencies
Importance of certain knowledge
Will changes in the IAA scope occur?
Roles of IAA
Indicate whether statements apply to
organization
Both CAE Practitioner
*
*
*
*
*
*
*
*
*
*
I. Personal/Background Information
Note: Background information will be used anonymously for aggregate data analysis. No individual
information will be revealed in research reports.
1a. How long have you been a member of The IIA?
‰ 1-5 years
‰ 6-10 years
‰ 11 years or more
‰ I am not a member of The IIA (Skip to question 2.)
1b. Please select your IIA Affiliate or if you are located in North America or the Caribbean, please
select your Chapter. Affiliate: _______________ Chapter: ________________
2. Your age: _________
3. Your highest level of formal education (not certification) completed:
‰ Secondary/High School Education
‰ Bachelors/Diploma in Business
‰ Bachelors/Diploma in fields other than Business
‰ Masters/Graduate Degree/Diploma in Business
‰ Masters/Graduate Diploma in fields other than Business
‰ Doctoral Degree
‰ Other
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 425
4. Your academic major(s): (Please mark all that apply.)
‰ Accounting
‰ Arts or Humanities
‰ Auditing
‰ Computer Science
‰ Economics
‰ Engineering
‰ Finance
‰ General Business/Management
‰ Information Systems
‰ Internal Auditing
‰ Law
‰ Mathematics/Statistics
‰ Science or Technical Field
‰ Other
‰ No degree
5. Your position in the organization:
‰ Chief Audit Executive/General Auditor/Top Audit Position/Vice President - Audit/
Service Provider Equivalent
‰ Internal Audit Management/Service Provider Management
‰ Internal Audit Senior or Supervisor/Service Provider Senior or Supervisor
‰ Internal Audit Staff/Service Provider Staff
‰ Support Staff (administration, secretarial, and clerical)
‰ Other
6. Your professional qualification(s): (Please mark all that apply.)
‰ Internal Auditing (such as CIA/MIIA/PIIA)
‰ Information Systems Auditing (such as CISA/QiCA/CISM)
‰ Government Auditing/Finance (such as CIPFA/CGAP/CGFM)
‰ Control Self-Assessment (such as CCSA)
‰ Public Accounting/Chartered Accountancy (such as CA/CPA /ACCA/ACA)
‰ Management/General Accounting (such as CMA/CIMA/CGA)
‰ Accounting - technician level (such as CAT/AAT)
‰ Fraud Examination (such as CFE)
‰ Financial Services Auditing (such as CFSA/CIDA/CBA)
‰ Fellowship (such as FCA/FCCA/FCMA)
‰ Certified Financial Analyst (such as CFA)
‰ Other
The Institute of Internal Auditors Research Foundation
426 A Global Summary of the Common Body of Knowledge 2006 ______________________
7. Specify your total years of professional experience using the following categories: (Use whole
numbers.)
Service
Years in
Years in Years in Years in
Provider
Private
Publicly/ Govern- Not-forCompany
Listed
mental
Profit
Company
a. Accounting
b. Engineering
c. External (Independent)
Auditing
d. Finance
e. Information Technology
f. Internal Auditing
g. Management
h. Other Professional
Experience
_____
_____
_____
_____
______
_____
_____
_____
_____
______
_____
_____
_____
_____
_____
_____
_____
_____
_____
_____
_____
_____
______
______
______
_____
_____
_____
_____
______
Total Professional Experience _____
_____
_____
_____
______
8. How many total years have you been the Chief Audit Executive/General Auditor/Top Audit
Position/Vice President - Audit/Service Provider equivalent at your current organization and
previous organizations you have worked for? Years: __________
9. Your reporting status in your organization is:
‰ Staff position reporting to a manager
‰ Managerial position reporting to executive management/high-level government official
‰ Officer position reporting to the executive management/high-level government official
‰ Independent position reporting to the audit committee of the board/oversight board
‰ Other
10. On average, how many hours of formal training have you received over the last 36 month
period or while you have been in the Internal Audit Activity if less than three years? Training
includes, but is not limited to seminars, conferences, workshops, and in-house information
sessions provided by either your organization or another organization.
Hours: ____________
11. How many hours of training over a 12-month period are required by law/statute where you
work?
Hours: ____________
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 427
II. Your Organization
Note: Organization information will be used anonymously for aggregate data analysis. No individual
organization information will be revealed.
12. The type of organization for which you currently work:
‰ Service Provider/Consultant
‰ Publicly Traded (Listed) Company
‰ Privately Held (Non-listed) Company
‰ Public Sector/Government
‰ Not-for-Profit Organization
‰ Other
13. The broad industry classification(s) of the organization for which you work or provide internal
audit services: (Please mark all that apply.)
‰ Agricultural/Forestry
‰ Banking/Financial Services/Credit Union
‰ Building and Construction
‰ Communication/Telecommunication
‰ Consumer Goods
‰ Education
‰ Financial, Accounting, and/or Business Services
‰ Healthcare
‰ Hospitality/Leisure/Tourism
‰ Insurance
‰ Manufacturing
‰ Mining and Oil
‰ Non-Professional Services
‰ Pharmaceutical/Chemical
‰ Professional Services
‰ Real Estate
‰ Retail/Wholesale
‰ Technology
‰ Trade Services
‰ Transport and Logistics
‰ Utilities
‰ Other
The Institute of Internal Auditors Research Foundation
428 A Global Summary of the Common Body of Knowledge 2006 ______________________
14. Size of the entire organization for which you work as of December 31, 2005 or the end of the
last fiscal year: (Please use whole numbers and no abbreviations: use 1,000,000 not 1M.)
Total Employees (Full-time Equivalent):
Employees: ___________________
Total Assets (U.S. Dollar Equivalent):
Assets: _______________________
Total Revenue or Budget if Government or Not-for-Profit (U.S. Dollar Equivalent)
Revenue: _____________________
15. Is your organization:
‰ Local
‰ State/Provincial
‰ Regional
‰ National
‰ International/Multinational
16. How long has your organization been in existence?
Years: _________________
III. Internal Audit Activity
17a. Does your organization have an Internal Audit Activity or provide Internal Audit services?
‰ Yes
‰ No (Skip to question 18.)
17b. If yes, for how long? (Please use whole numbers only.)
Years:
18. Which of the following documents exist in your organization? (Please mark all that apply.)
‰ Corporate Governance Code
‰ Long-term Strategic Plan for the Organization
‰ Audit Oversight/Committee Charter
‰ Internal Audit Charter
‰ Mission Statement for the Internal Audit Activity
‰ Internal Audit Operating Manual/Policy Statement
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 429
‰
‰
‰
‰
Corporate Ethics Policy/Code of Ethics/Code of Conduct
Annual Internal Audit Plan/Rolling Audit Plan/Quarterly Audit Plan
Long-term Audit Plan (longer than 1 year)
Internal Audit Risk Assessment (to determine what areas to audit)
19. Who is involved in appointing the Chief Audit Executive/General Auditor/Top Audit Position/
Vice President - Audit/Service Provider equivalent? (Please mark all that apply.)
‰ Chairperson of the Board
‰ Chief Executive Officer
‰ Audit Committee/Oversight Committee/Committee Chairperson
‰ Chief Financial Officer
‰ Another person reporting to CFO
‰ Other
20. Who evaluates your performance? (Please mark all that apply.)
‰ Board of Directors
‰ Chairperson of the Board
‰ Chief Executive Officer
‰ Audit Committee/Oversight Committee/Committee Chairperson
‰ Senior Management
‰ Auditee/Client at the end of audit
‰ Supervisor periodically
‰ Peers/Subordinates periodically
‰ Not evaluated
21. Is there an Audit Committee/Oversight Committee or equivalent in your organization?
‰ Yes
‰ No (Skip to question 24.)
22a. Number of Audit Committee/Oversight Committee meetings held in the last fiscal year:
Number: _______________
22b. Number of Audit Committee/Oversight Committee meetings you were invited to attend (entirely
or in part) during the last fiscal year:
Number: ______________
22c. Number of Audit Committee/Oversight Committee meetings you attended (entirely or in part)
during the last fiscal year:
Number: ______________
The Institute of Internal Auditors Research Foundation
430 A Global Summary of the Common Body of Knowledge 2006 ______________________
22d. Do you meet with the Audit Committee/Oversight Committee/Chairperson in addition to the
regularly scheduled meetings?
‰ Yes
‰ No
23. Do you believe that you have appropriate access to the Audit Committee/Oversight Committee?
‰ Yes
‰ No
24. How does your organization measure the value added by the Internal Audit Activity? (Please
mark all that apply.)
‰ Customer/Auditee surveys from audited departments
‰ Recommendations accepted/implemented
‰ Cost savings and improvements from recommendations implemented
‰ Number of management requests for internal audit assurance or consulting projects
‰ Reliance by external auditors on the Internal Audit Activity
‰ Budget to actual audit hours
‰ Cycle time from entrance conference to draft report
‰ Number of major audit findings
‰ Other
‰ No formal measurement of value added
25a. How frequently do you update the audit plan?
‰ Multiple times per year
‰ Every year
‰ Every two years
‰ More than every two years
‰ No audit plan (Skip to question 26.)
25b. How do you establish your audit plan? (Please mark all that apply.)
‰ Use of a risk-based methodology
‰ Consult previous years audit plan
‰ Consultation with divisional or business heads
‰ Requests from management
‰ Audit Committee/Oversight Committee requests
‰ Compliance/regulatory requirements
‰ Requests from or consultation with external auditors
‰ Other
26a. Are you currently a service provider of internal audit services to external organizations?
‰ Yes
‰ No (Skip to question 27.)
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 431
26b. What is the number of external organizations to which you provide internal audit services?
Number: ________________
Note: If you have identified yourself as a provider of internal audit services to external
organizations, whenever you see the phrase “Internal Audit Activity” please answer
the question based on your experiences as a service provider, not as an internal
auditor for your organization.
26c. Please indicate your agreement with the following statements as they relate to your current
organization or organizations that you audit.
1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree
____ a. Your Internal Audit Activity is an independent objective assurance and consulting
activity.
____ b. Your Internal Audit Activity adds value.
____ c. Internal Audit brings a systematic approach to evaluate the effectiveness of risk
management.
____ d. Your Internal Audit Activity brings a systematic approach to evaluate the
effectiveness of internal controls.
____ e. Your Internal Audit Activity brings a systematic approach to evaluate the
effectiveness of governance processes.
____ f. Your Internal Audit Activity proactively examines important financial matters,
risks, and internal controls.
____ g. Your Internal Audit Activity is an integral part of the governance process by
providing reliable information to management.
____ h. The way our Internal Audit Activity adds value to the governance process is
through direct access to the Audit Committee.
____ i. Your Internal Audit Activity has sufficient status in the organization to be effective.
____ j. Independence is a key factor for your Internal Audit Activity to add value.
____ k. Objectivity is a key factor for your Internal Audit Activity to add value.
____ l. Your Internal Audit Activity is credible within your organization.
____ m. Compliance with The IIA’s International Standards for the Professional
Practice of Internal Auditing is a key factor for your Internal Audit Activity to
add value to the governance process.
____ n. Compliance with The IIA’s Code of Ethics is a key factor for your Internal Audit
Activity to add value to the governance process.
The Institute of Internal Auditors Research Foundation
432 A Global Summary of the Common Body of Knowledge 2006 ______________________
IV. Staffing
27. How many staff are in your Internal Audit Activity? Temporary or co-sourced staff should be
included to the nearest full-time equivalent.
Full-time
Part-time
CAE/General Auditor/Top Audit Position/Service Provider
Equivalent/Vice President - Audit
______
____
Internal Audit Managers
______
____
Internal Audit Supervisors
______
____
Internal Audit Staff
______
____
External Auditors (co-sourced)
______
____
Contract Audit Staff (co-sourced)
______
____
Support Staff (Administrative, Secretarial, and Clerical)
______
____
Other
______
____
28. Is your organization currently offering any special incentives to hire internal audit professionals?
(Please mark all that apply.)
‰ Relocation expenses
‰ Signing bonus
‰ Stock options
‰ Accelerated raises
‰ Vehicle provided by the organization
‰ Transportation allowance
‰ Other
29. What methods do you use to make up for staff vacancies? (Please mark all that apply.)
‰ Facilitate Control Self-assessments in place of audits
‰ Reduce areas of coverage
‰ Increased use of audit software
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 433
‰
‰
‰
‰
Borrowing staff from other departments
Co-sourcing from internal audit service providers
No vacancies
Other
30. What methods is your organization employing to compensate for missing skill sets (e.g., IT
audit, statistical analysis)? (Please mark all that apply.)
‰ Reduce areas of coverage
‰ More reliance on audit software
‰ Borrowing staff from other departments
‰ Co-sourcing/outsourcing
‰ No missing skill sets
‰ Other
31. What percentage of your Internal Audit Activity activities are currently outsourced / cosourced?
‰ No outsourcing/co-sourcing
‰ 0-10 %
‰ 11-20%
‰ 21-30%
‰ 31-40%
‰ 41-50%
‰ 51-60%
‰ 61-70%
‰ 71-80%
‰ 81-90%
‰ 91-100%
32. Do you anticipate that your budget for outsourced/co-sourced activities will change in the next
three years?
‰ Increase
‰ Decrease
‰ Remain the same
The Institute of Internal Auditors Research Foundation
434 A Global Summary of the Common Body of Knowledge 2006 ______________________
33. How many members of the Internal Audit Activity hold the following certifications? If a staff
member has more than one certification, include them in all applicable categories.
Number
Internal Auditing (such as CIA/MIIA/PIIA)
Information Systems Auditing (such as CISA/QiCA/CISM)
Government Auditing/Finance (such as CIPFA/CGAP/CGFM)
Control Self-Assessment (such as CCSA)
Public Accounting/Chartered Accountancy (such as CA/CPA/ACCA/ACA)
Management/General Accounting (such as CMA/CIMA/CGA)
Accounting - technician level (such as CAT/AAT)
Fraud Examination (such as CFE)
Financial Services Auditing (such as CFSA/CIDA/CBA)
Fellowship (such as FCA/FCCA/FCMA)
Certified Financial Analyst (such as CFA)
Other
34. Do you see a need for additional certification beyond the CIA for audit managers and CAEs?
a. Need for additional certification exams for audit managers
‰ Yes
b. Need for additional certification exams for CAEs
‰ No
35. What method of staff evaluation do you use? (Please mark all that apply.)
‰ By supervisor periodically
‰ Customer/auditee feedback
‰ Peers/subordinates periodically
‰ Other
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 435
36. How frequently do you and your staff receive the following types of training?
More frequently than annually
Annually
Less frequently than annually
As needed
Never
a. Standards and professional practices
___________________________________
b. Basic/advanced technology
___________________________________
c. Anti-fraud techniques
___________________________________
d. Ethics training
___________________________________
e. Communication skills
___________________________________
f.
___________________________________
Team-building skills
V. Internal Auditing Standards
37. Does your organization use The IIA’s International Standards for the Professional Practice
of Internal Auditing in whole or in part? If you are a service provider do you use The IIA's
International Standards for the Professional Practice of Internal Auditing in whole or in
part for your audits of your clients?
‰ Yes
‰ No (Skip to question 40.)
The Institute of Internal Auditors Research Foundation
436 A Global Summary of the Common Body of Knowledge 2006 ______________________
38. If your Internal Audit Activity follows any of The IIA’s International Standards for the
Professional Practice of Internal Auditing, please indicate if the guidance provided by
these standards is adequate for your Internal Audit Activity and if you believe your organization
complies with the Standards.
[provide links to all below]
Guidance is
Adequate
‰
‰
‰
‰
Your Organization
is in Compliance
Yes
No
Do not use
I do not
know
AS 1000 - Purpose, Authority, and Responsibility
AS 1100 - Independence and Objectivity
AS 1200 - Proficiency and Due Professional Care
AS 1300 - Quality Assurance and Improvement
PS 2000 - Managing the Internal Audit Activity
PS 2100 - Nature of Work
PS 2200 - Engagement Planning
PS 2300 - Performing the Engagement
PS 2400 - Communicating Results
PS 2500 - Monitoring Progress
PS 2600 - Resolution of Management’s Acceptance of Risks
The Institute of Internal Auditors Research Foundation
‰ Yes, full
compliance
‰ Yes, partial
compliance
‰ No, not in
compliance
‰ I do not know
_____________________________ Chapter 10: Research Method and Literature Review 437
39. If your Internal Audit Activity uses any of the Practice Advisories provided by The IIA in the
International Professional Practices Framework, indicate if they are adequate for your Internal
Audit Activity. If your organization does not use any of the Practice Advisories, skip to question
40.
[provide links to all below]
Guidance is
Adequate
‰ Yes
‰ No
‰ Do Not Use
AS 1000 - Purpose, Authority, and Responsibility
AS 1100 - Independence and Objectivity
AS 1200 - Proficiency and Due Professional Care
AS 1300 - Quality Assurance and Improvement
PS 2000 - Managing the Internal Audit Activity
PS 2100 - Nature of Work
PS 2200 - Engagement Planning
PS 2300 - Performing the Engagement
PS 2400 - Communicating Results
PS 2500 - Monitoring Progress
PS 2600 - Resolution of Management’s Acceptance of Risks
The Institute of Internal Auditors Research Foundation
438 A Global Summary of the Common Body of Knowledge 2006 ______________________
40. What are the reasons for not using The IIA’s International Standards for the Professional
Practice of Internal Auditing, in whole or in part? (Please mark all that apply.) Skip to
question 41 if your organization is in full compliance with The IIA’s International Standards
for the Professional Practice of Internal Auditing.
‰ Standards or Practice Advisories are too complex
‰ Not appropriate for small organizations
‰ Too costly to comply
‰ Too time consuming
‰ Superseded by local/government regulations or standards
‰ Not appropriate for my industry
‰ Compliance not supported by management/board
‰ Not perceived as adding value by management/board
‰ Inadequate Internal Audit Activity staff
‰ Compliance not expected in my country
‰ Other
Please explain: _______________________________________________________
41. Does your Internal Audit Activity have a quality assessment and improvement program in
place in accordance with The IIA’s International Standards for the Professional Practice
of Internal Auditing Standard 1300?
‰ Yes, currently in place
‰ To be put in place within the next twelve months
‰ No plans to put in place in the next twelve months
‰ Your quality assurance program is not in accordance with Standard 1300
‰ I do not know
42. When was your Internal Audit Activity last subject to a formal internal quality assessment,
periodic or ongoing, in accordance with The IIA’s International Standards for the Professional
Practice of Internal Auditing Standard 1311 on internal assessments?
‰ Scheduled to be completed prior to January 1, 2007, but not yet completed
‰ Within the last 12 months
‰ 1-3 years ago
‰ 4-5 years ago
‰ More than 5 years ago
‰ Never
‰ The internal review was not done in accordance with Standard 1311
‰ I do not know
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 439
43. When was your Internal Audit Activity last subject to a formal external quality assessment in
accordance with The IIA International Standards for the Professional Practice of Internal
Auditing Standard 1312 on external assessments?
‰ Scheduled to be completed prior to January 1, 2007, but not yet completed
‰ Within the last 12 months
‰ 1-3 years ago
‰ 4-5 years ago
‰ More than 5 years ago
‰ Never
‰ The external review was not done in accordance with Standard 1312
‰ I do not know
44. For your Internal Audit Activity, which of the following activities are performed as part of your
internal audit quality assessment and improvement program? (Please mark all that apply.)
‰ Verification that the Internal Audit Activity is in compliance with The IIA’s International
Standards for the Professional Practice of Internal Auditing
‰ Compliance with non-IIA standards or codes
‰ Internal audit professionals are in compliance with The IIA’s Code of Ethics
‰ Checklists/manuals to provide assurance that proper audit processes are followed
‰ Engagement supervision
‰ Feedback from audit customers at the end of an audit
‰ Reviews by other members of the Internal Audit Activity
‰ Review by external party
‰ I do not know
‰ Not applicable
The Institute of Internal Auditors Research Foundation
440 A Global Summary of the Common Body of Knowledge 2006 ______________________
VI. Audit Activities
45. Please indicate who performs the following activities and/or audits: (Please mark all that apply.)
‰ Internal Audit
Activity
‰ Other
department
in the
organization
‰ Co-sourced
‰ Outsourced
‰ Not Performed
a. Administrative (audit plan, assign tasks)
b. Business viability assessments
c. Compliance with company privacy policies
d. Compliance with corporate governance and regulatory
code requirements
e. Control framework monitoring and development
f.
Corporate takeovers/mergers
g. Enterprise risk management
h. Ethics audits
i.
External audit assistance
j.
Health, safety, and environment
k. Financial auditing
l.
Information risk assessment
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 441
m. Information technology department assessment
n. Internal auditing
o. Internal control testing/systems evaluation
p. Investigations of fraud and irregularities
q. Linkage of strategy and company performance
r.
Management effectiveness review/audit
s. Operational audits
t.
Project management
u. Quality assessment of internal audit activity
v. Quality/ISO audits
w. Resource management and controls
x. Security issues
y. Social and sustainability audits
z. Special projects
aa. Technical competency training for auditors
The Institute of Internal Auditors Research Foundation
442 A Global Summary of the Common Body of Knowledge 2006 ______________________
46. Please estimate the percentage of time spent by the Internal Audit Activity on each of the
following activities for the most recent fiscal year:
3 Years
Ago
Currently
3 Years
From Now
a. Compliance audits (laws, regulations,
and policy
______
______
______
b. Consulting/Advisory
______
______
______
c. Financial process audits (including
assistance to the external auditor)
______
______
______
d. Fraud investigations (forensic
accounting/auditing)
______
______
______
e. Governance (ethics, control framework,
regulatory, linkage of strategy and
company performance)
______
______
______
f.
______
______
______
g. Operational
______
______
______
h. Management audits
______
______
______
i.
______
______
______
______
______
______
Information technology audits
Other
Total should add to 100% in each column
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 443
47. If major differences arise around audit issues (audit results versus policy or between auditor
and auditee/client), when are they resolved?
‰
‰
‰
‰
‰
Never
Rarely
Sometimes
Usually
Always
During planning
During audit fieldwork
During audit reporting
After audit report is issued
Never
48. After the release of an audit report in the organization, who has the primary responsibility for
reporting findings to senior management?
‰ Auditee/client
‰ Chief Audit Executive/General Auditor/Top Audit Position/Vice President - Audit/Service
Provider equivalent
‰ Internal auditor manager
‰ Both internal audit manager and auditee/client
‰ Both Chief Audit Executive and auditee/client
‰ Other
‰ No formal reporting of results
49. After the release of an audit report with findings that need corrective action, who has the
primary responsibility to monitor that corrective action has been taken?
‰ Auditee/client
‰ Internal auditor
‰ Both internal audit and auditee/client
‰ No formal follow-up
‰ Other
The Institute of Internal Auditors Research Foundation
444 A Global Summary of the Common Body of Knowledge 2006 ______________________
VII. Tools, Skills, and Competencies
50. Indicate the extent the Internal Audit Activity uses or plans to use the following audit tools /
techniques on an audit engagement:
1 = Not Used, 2 = Moderately Used, 3 = Average Use, 4 = Very Much Used, 5 = Extensively Used
Currently
Used
‰
‰
‰
‰
‰
1
2
3
4
5
a. Analytical review
b. Balanced scorecard or similar framework
c. Benchmarking
d. Computer Assisted Audit Techniques
e. Continuous/real-time auditing
f.
Control Self-assessment
g. Data mining
h. Electronic workpapers
i.
Flowchart software
j.
Other electronic communication (e.g., Internet, e-mail)
k. Process mapping application
l.
Process modeling software
The Institute of Internal Auditors Research Foundation
Plan to use
in the next
3 years
‰ 1
‰ 2
‰ 3
‰ 4
‰ 5
_____________________________ Chapter 10: Research Method and Literature Review 445
m. Risk-based audit planning
n. Statistical sampling
o. The IIA’s Quality Assessment Review tools
p. Total quality management techniques
51. Please mark the five most important of the following behavioral skills for each professional
staff level to perform their work. (Behavioral skills are actions towards others measured by
commonly accepted standards and management of one’s own actions).
Staff
Supervisor Management
Head of
Audit
Activity
a.
Confidentiality
‰
‰
‰
‰
b.
Facilitating
‰
‰
‰
‰
c.
Governance and ethics sensitivity
‰
‰
‰
‰
d.
Interpersonal skills
‰
‰
‰
‰
e.
Leadership
‰
‰
‰
‰
f.
Objectivity
‰
‰
‰
‰
g.
Relationship building
‰
‰
‰
‰
h.
Staff management
‰
‰
‰
‰
i.
Team building
‰
‰
‰
‰
j.
Team player
‰
‰
‰
‰
k.
Working independently
‰
‰
‰
‰
l.
Work well with all levels
of management
‰
‰
‰
‰
The Institute of Internal Auditors Research Foundation
446 A Global Summary of the Common Body of Knowledge 2006 ______________________
52. Please mark the five most important of the following technical skills for each level of professional
staff to perform their work. (Technical skills are using terminology or subject matter in a
particular field)
Staff
Supervisor Management
Head of
Audit
Activity
a.
Data collection and analysis
‰
‰
‰
‰
b.
Financial analysis
‰
‰
‰
‰
c.
Forensic skills/Fraud awareness
‰
‰
‰
‰
d.
Identifying types of controls
(e.g., preventative, detective)
‰
‰
‰
‰
e.
Interviewing
‰
‰
‰
‰
f.
ISO/quality knowledge
‰
‰
‰
‰
g.
Negotiating
‰
‰
‰
‰
h.
Research skills
‰
‰
‰
‰
i.
Risk analysis
‰
‰
‰
‰
j.
Statistical sampling
‰
‰
‰
‰
k.
Total Quality Management
‰
‰
‰
‰
l.
Understanding business
‰
‰
‰
‰
m.
Use of information technology
‰
‰
‰
‰
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 447
53. Please mark the five most important of the following competencies for each level of professional
rank to perform their work. (Competencies are skills essential to perform certain tasks).
Staff
Supervisor Management
Head of
Audit
Activity
a. Ability to promote the Internal
Audit Activity within the
organization
‰
‰
‰
‰
b. Analytical (ability to work
through an issue)
‰
‰
‰
‰
c. Change management
‰
‰
‰
‰
d. Communication
‰
‰
‰
‰
e. Conflict resolution
‰
‰
‰
‰
f.
Critical thinking
‰
‰
‰
‰
g. Conceptual thinking
‰
‰
‰
‰
h. Foreign language skills
‰
‰
‰
‰
i.
Keeping up to date with
professional changes in
opinions, standards and
regulations
‰
‰
‰
‰
j.
Organization skills
‰
‰
‰
‰
k. Presentation skills
‰
‰
‰
‰
l.
‰
‰
‰
‰
Problem identification
and solution
The Institute of Internal Auditors Research Foundation
448 A Global Summary of the Common Body of Knowledge 2006 ______________________
Staff
Supervisor Management
Head of
Audit
Activity
m. Project planning and
management
‰
‰
‰
‰
n. Report development
‰
‰
‰
‰
o. Time management
‰
‰
‰
‰
p. Training and developing staff
‰
‰
‰
‰
q. Understanding complex
information systems
‰
‰
‰
‰
r.
‰
‰
‰
‰
Writing skills
51a. Please indicate the importance of the following behavioral skills for you to perform your work
at your position in the organization. (Behavioral skills are actions towards others measured by
commonly accepted standards and management of one's own actions).
Rank from 1 (minimally important) to 5 (very important)
___ a. Confidentiality
___ b. Facilitating
___ c. Governance and ethics sensitivity
___ d. Interpersonal skills
___ e. Leadership
___ f.
Objectivity
___ g. Relationship building
___ h. Staff management
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 449
___ i.
Team building
___ j.
Team player
___ k. Working independently
___ l.
Work well with all levels of management
52a. Please indicate the importance of the following technical skills for you to perform your work
at your position in the organization (Technical skills means using terminology or subject matter
in a particular field).
Rank from 1 (minimally important) to 5 (very important)
___ a. Data collection and analysis
___ b. Financial analysis
___ c. Forensic skills/Fraud awareness
___ d. Identifying types of controls (e.g., preventative, detective)
___ e. Interviewing
___ f.
ISO/quality knowledge
___ g. Negotiating
___ h. Research skills
___ i.
Risk analysis
___ j.
Statistical sampling
___ k. Total Quality Management
___ l.
Understanding business
___ m. Use of information technology
The Institute of Internal Auditors Research Foundation
450 A Global Summary of the Common Body of Knowledge 2006 ______________________
53a. Please indicate the importance of the following competencies for you to perform your work at
your position in the organization (Competencies are skills essential to perform certain tasks).
Rank from 1 (minimally important) to 5 (very important)
___ a. Ability to promote the Internal Audit Activity within the organization
___ b. Analytical (ability to work through an issue)
___ c. Change management
___ d. Communication
___ e. Conflict resolution
___ f.
Critical thinking
___ g. Conceptual thinking
___ h. Foreign language skills
___ i.
Keeping up to date with professional changes in opinions, standards, and regulations
___ j.
Organization skills
___ k. Presentation skills
___ l.
Problem identification and solution
___ m. Project planning and management
___ n. Report development
___ o. Time management
___ p. Training and developing staff
___ q. Understanding complex information systems
___ r.
Writing skills
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 451
53b. How important are the following areas of knowledge for satisfactory performance of your job
at your position in the organization?
Rank from 1 (minimally important) to 5 (very important)
___ a. Accounting
___ b. Auditing
___ c. Business law and government regulation
___ d. Business management
___ e. Changes to professional standards
___ f.
Enterprise risk management
___ g. Ethics
___ h. Finance
___ i.
Fraud awareness
___ j.
Governance
___ k. Human resource management
___ l.
Internal auditing standards
___ m. Information technology
___ n. Managerial accounting
___ o. Marketing
___ p. Organization culture
___ q. Organizational systems
The Institute of Internal Auditors Research Foundation
452 A Global Summary of the Common Body of Knowledge 2006 ______________________
___ r.
Strategy and business policy
___ s. Technical knowledge for your industry
VIII. Emerging Issues
54. Do you perceive likely changes in the role of the Internal Audit Activity in the organization over
the next 3 years?
‰ Increase
‰ Decrease
‰ Stay the same
a. Review of financial processes
b. Risk management
c. Governance
d. Regulatory compliance
e. Operational auditing
55. Please identify the roles that the Internal Audit Activity currently has in your organization or
will have in the next 3 years. Role means that it is within the scope of your work.
‰ Currently have a role
‰ Likely to have a role within
the next 3 years
‰ Unlikely to have a role
‰ Not applicable
a. Alignment of strategy and performance
measures (e.g., Balanced Scorecard)
b. Benchmarking
c. Corporate governance
d. Corporate social responsibility
The Institute of Internal Auditors Research Foundation
_____________________________ Chapter 10: Research Method and Literature Review 453
e. Develop training and education of
organization personnel (e.g., internal
controls, risk management, regulatory
requirements)
f.
Disaster recovery
g. Evidential issues
h. Emerging markets
i.
Environmental sustainability
j.
Executive compensation
k. Fraud prevention/detection
l.
Globalization
m. Intellectual property and knowledge
assessment
n. IT management assessment
o. Knowledge management systems
development review
p. Mergers and acquisitions
q. Project management
r.
Provide training to the audit committee
s. Regulatory compliance assessment monitoring
t.
Risk management
u. Strategic frameworks
The Institute of Internal Auditors Research Foundation
454 A Global Summary of the Common Body of Knowledge 2006 ______________________
56. Please indicate if the following statements apply to your organization now, in the next 3 years
or will not apply in the foreseeable future.
‰ Currently Apply
‰ Likely to Apply Within
the Next 3 Years
‰ Will Not Apply in the
Foreseeable Future
‰ Not Applicable
a. Internal auditing is required by law or regulation
where the organization is based.
b. Internal auditors in the organization have an
advisory role in strategy development.
c. The organization complies with a corporate
governance code.
d. The organization has implemented an internal
control framework.
e. The organization has implemented a knowledge
management system.
f.
The Internal Audit Activity has provided training
to audit committee members.
g. The Internal Audit Activity assumes an important
role in the integrity of financial reporting.
h. The Internal Audit Activity educates organization
personnel about internal controls, corporate
governance, and compliance issues.
i.
The Internal Audit Activity places more emphasis
on assurance than consulting services.
The Institute of Internal Auditors Research Foundation
_______________________ The William G. Bishop III, CIA, Memorial Fund Contributors 455
THE WILLIAM G. BISHOP III, CIA,
MEMORIAL FUND
CONTRIBUTORS
DIAMOND LEVEL
Association of Certified Fraud Examiners
The Institute of Internal Auditors (IIA)
IIA Baltimore
IIA Dallas
IIA New York
IIA Washington, DC
EMERALD LEVEL
The Bishop Family
Jane Lee and William L. Taylor
Thomas J. Warga, CIA
JCPenney Company Inc.
Jefferson Wells International Inc.
Protiviti Inc
IIA Central Illinois
IIA Central Penn
IIA Houston
RUBY LEVEL
Robert Antoine, CIA
Dennis K. Beran, CIA, CCSA
John J. Fernandes, CIA, CCSA
John J. Flaherty, CIA
Jean-Pierre Garitte, CIA, CCSA
Eric Hespenheide
Al Holzinger
Bruce Meikle
Patricia K. Miller, CIA
Sandra L. Pundmann
Sridhar Ramamoorti, Ph.D., CIA, CPA,
CFE, CFSA, CGAP
Anthony J. Ridley, CIA
C. Wayne Rose, CIA
Richard M. Serafini, CIA, CFSA
American Institute of Certified Public
Accountants (AICPA)
Asian Confederation of Institute of Internal
Auditors (ACIIA)
Association of Healthcare Internal Auditors
Fannie Mae
Microsoft Corporation
IIA Ak-Sar-Ben
IIA Albany
IIA Austin
IIA Australia
IIA Birmingham (AL)
IIA Green Mountain (VT)
IIA Los Angeles
IIA Milwaukee
IIA Montreal
IIA Nashville
IIA New Zealand
IIA North Jersey
IIA Norway
IIA Orange County (CA)
IIA Phoenix
IIA Southern New England
IIA United Kingdom and Ireland
IIA Vancouver
IIA Wichita
The Institute of Internal Auditors Research Foundation
456 A Global Summary of the Common Body of Knowledge 2006 ______________________
FRIEND LEVEL
Urton L. Anderson, Ph.D., CIA, CCSA
Audley L. Bell, CIA
Andrew J. Dahle, CIA
Stephen D. Goepfert, CIA
Timothy R. Holmes
Howard J. Johnson, CIA
Carman Lapointe-Young, CIA, CCSA
John M. Polarinakis, CIA
Ralph E. Purpur
Larry E. Rittenberg, Ph.D., CIA
Roderick M. Winters, CIA
Association of Credit Union
Internal Auditors (ACUIA)
MIS Training Institute
Salt River Project
IIA Baltimore
IIA Central Florida
IIA Central Iowa
IIA Central Kentucky
IIA Detroit
IIA Greater Boston
IIA Indianapolis
IIA Kansas City
IIA Long Island
IIA Madison
IIA Malaysia
IIA Miami
IIA Ocean State (RI)
IIA Salem (OR)
IIA Saskatchewan
IIA St. Louis
IIA Sweden
IIA Tallahassee
IIA Tidewater
IIA Tulsa
IIA Twin Cities
IIA Westchester Fairfield
IIA Winnipeg
DONOR LEVEL
Ronald W. Acker, CIA
Bruce Alan Adamec, CIA
Augusto Baeta
Thomas J. Beirne
Joanna Berens
Lucia B. Bishop
Sten Bjelke, CIA
LeRoy E. Bookal, CIA
Katy Brown
Robert Bullen
Judith K. Burke, CCSA
Richard F. Chambers, CIA, CCSA, CGAP
Nicolette Creatore
Prof. Mortimer Dittenhofer, CIA
William J. Duane, CIA, CFSA
Edward M. Dudley, CIA
Charles B. Eldridge
Ivy N. Estes
Robert A. Ferst, CIA
Robert B. Foster
Hal A. Garyn, CIA
Kimberly Parker Gavaletz, CIA
Gaston L. Gianni, Jr., CGAP
Audrey A. Gramling, CIA
Trish Harris
Rudy Hernandez, Jr., CIA
Glenn P. Hoffman, CIA, CFSA
John Gregory Hutsell
Cynthia Huysman
Steven Earl Jameson, CIA, CCSA, CFSA
Thomas A. Johnson, CIA
Wendy W. Kerins, CIA
Donald E. Kirkendall, CIA
Joel F. Kramer
Kevin Kuntz
Daniel B. Langer, CIA, CCSA
Susan B. Lione, CIA, CCSA, CFSA, CGAP
Philip B. Livingston
The Institute of Internal Auditors Research Foundation
_______________________ The William G. Bishop III, CIA, Memorial Fund Contributors 457
Melani P. Lovik, CIA
Marjorie A. Maguire-Krupp, CFSA
Stacy M. Mantzaris, CIA, CCSA, CGAP
Carlo L. Mastropaolo
Dorick V. Mauro
Jill E. Mayhew, CIA
Sam Michael McCall, CIA
Robert N. McDonald, CIA
Betty L. McPhilimy, CIA
Guenther Meggeneder
T. Fred Miller
James A. Molzahn
Perry Glen Moore, CIA
Wayne G. Moore, CIA
Kevin M. Morrissey
D. Richard Moyer, CIA
Jane F. Mutchler
Donald J. Nelson, CIA
Frank M. O’Brien, CIA
Amy B. Owen
Paula W. Parker, CIA
Dolores C. Pasto-Ziobro, CIA
Basil H. Pflumm, CIA
Jarred and Shannon Pittman
David Polansky
Robert B. Powell
Charity A. Prentice, CIA, CCSA, CGAP
Walter D. Pugh
Michael S. Raphael, CIA
Richard K. Robinson
Anastasia Rodriguez Ford, CIA
H. David Rosenstein
James P. Roth, Ph.D., CIA, CCSA
Charles T. Saunders, Jr., CIA, CCSA
Mitchell James Smith
Paul J. Sobel, CIA
Donald E. Sparks
Peteris Strazdins, CIA
Margaret G. Summers
Johanna S. Swauger, CIA, CCSA, CFSA
Deborah L. Sword
Deborah Wheless Tanju, CIA
David A. Tenney, CIA
Archie R. Thomas, CIA
Bena G. Tinsley, CIA
Bonnie L. Ulmer
Dallal Helen Van Hoeck, CIA
Curtis C. Verschoor, CIA
Dominique Vincenti, CIA
H.C. Warner, CIA
John K. Watsen, CIA
Billy G. Weathers
Scott D. White, CIA, CFSA
Douglas E. Ziegenfuss, Ph.D., CIA, CCSA
Michael A. Zowine
American International Group
Association of College and University Auditors
(ACUA)
Board of Environmental, Health & Safety
Auditor Certifications (BEAC)
JPA International Inc.
Junior Achievement of Central Florida
Kraus-Manning Inc.
Majestic Star Casino
Memphis Blues Rugby Club
Office Depot Inc.
Omni Hotels Corporation
Paisley Consultants/CARDdecisions Inc.
PBD Worldwide Fulfillment Services Inc.
Shenandoah Group
Simon Operation Services Inc.
IIA Atlanta
IIA Calgary
IIA Central Virginia
IIA Chattanooga Area
IIA Chicago
IIA Chinese Taiwán
IIA Coastal Georgia
The Institute of Internal Auditors Research Foundation
458 A Global Summary of the Common Body of Knowledge 2006 ______________________
IIA Downeast Maine
IIA Edmonton
IIA El Paso
IIA Granite State (NH)
IIA Lansing (MI)
IIA Las Vegas
IIA Monroe
IIA Ozarks
IIA Rochester
IIA Santa Fe
IIA Sioux Falls
IIA Spokane
IIA Tucson
IIA U.S. Pacific
THE IIA RESEARCH FOUNDATION
CHAIRMAN’S CIRCLE
Cargill Inc.
Chevron
Deloitte & Touche LLP
Ernst & Young LLP
ExxonMobil Corporation
JCPenney Company
Lockheed Martin Corporation
Microsoft Corporation
PricewaterhouseCoopers LLP
Protiviti Inc.
Raytheon Company
David A. Richards, CIA
Paul J. Sobel, CIA
Rod and Donna Winters
The Institute of Internal Auditors Research Foundation
_________________________________ The IIA Research Foundation Board of Trustees 459
The IIA Research Foundation
Board of Trustees
President
Roderick M. Winters, CIA, CPA
Microsoft Corporation
Vice President - Strategy
Eric J. Hespenheide, CPA
Deloitte & Touche LLP
Treasurer
Stephen W. Minder, CIA
Archer Daniels Midland Company
Vice President - Research
Robert B. Foster, CFE
Fidelity Investments
Secretary
Oliver Ray Whittington, Ph.D., CIA
DePaul University
Vice President - Development
Dennis K. Beran, CIA, CCSA, CPA, CFE
JCPenney Company, Inc.
Members
Mark Hamill
Protiviti Inc.
Gregory C. Redmond
Chevron Corporation
Michael A. Herzog
Ernst & Young LLP
Paul J. Sobel, CIA, CPA
Mirant Corporation
Robert B. Hirth, CPA, CA
Protiviti Inc.
Jay R. Taylor, CIA
General Motors Corporation
Howard J. Johnson, CIA, CPA.
William L. Taylor, CPA, CGFM
Michael Lickteig, CIA, CCSA
Susan J. Komen Breast Cancer Foundation
Donald E. Tidrick, Ph.D., CIA
Northern Illinois University
Marjorie A. Maguire-Krupp
American International Group
Susan D. Ulrey
KPMG LLP
Wayne G. Moore, CIA, CPA
Anton B. van Wyk, CIA, CFA
PricewaterhouseCoopers LLP
Johannes (Hans) Nieuwlands
NUON
Sridhar Ramamoorti, Ph.D., CIA, CPA, CFE,
CFSA, CGAP
Grant Thornton Chicago
Shi Xian
Nanjing Audit University
Douglas Ziegenfuss, Ph.D., CIA, CCSA
Old Dominion University
The Institute of Internal Auditors Research Foundation
460 A Global Summary of the Common Body of Knowledge 2006 ______________________
The IIA Research Foundation
Board of Research and Education Advisors
Chairman
Robert B. Foster, CFE, Fidelity Investments
Vice Chairman
Susan D. Ulrey, KPMG LLP
Members
George R. Aldhizer III, Ph.D., CIA, Wake Forest
University
Lalbahadur Balkaran, CIA, FCMA, KPMG LLP
Kevin W. Barthold, CPA, CISA, San Antonio Credit
Union
Edmund Beemer, Hudson
Thomas J. Beirne, CFSA, CPA, CBA, Protiviti Inc.
Audley L. Bell, CIA, CPA, CFE, CISA, Habitat for
Humanity International
Iva Cerna, CIA, Zentiva a.s.
Thomas J. Clooney, CCSA, CPA, CBA, CSP, KPMG
LLP
Kathryn Constantopoulos, Deloitte & Touche LLP
Jean Coroller, Ernst & Young LLP
Mary Christine Dobrovich, Jeffersonwells
International
Helen Dozois, CIA, Burger King Corporation
Susan Page Driver, CIA, CPA, CISA, Comptroller
of Public Accounts
Donald A. Espersen, CIA, CBA, despersen &
associates
Gareth Evans, MIIA, United Kingdom
Philip E. Flora, CIA, CCSA, CFE, CISA, Texas
Guaranteed Student Loan
John M. Furka, CPA, Brown Brothers Harriman &
Co.
John C. Gazlay, CPA, CCP, Freddie Mac
Dan B. Gould, CIA, JCPenney Company, Inc.
Peter M. Hughes, Ph.D., CIA, CPA, CFE, Orange
County
Ronald W. Lackland, University of Central England
Richard B. Lanza, CPA, Cash Recovery Partners
LLC
David J. MacCabe, CIA, CGAP, Teacher Retirement
System of Texas
Gary J. Mann, Ph.D., CPA, University of Texas at El
Paso
Trevor B. Martin, National Oilwell Varco
Gary R. McGuire, CIA, CPA, Lennox International
Inc.
John D. McLaughlin, Smart and Associates LLP
Steven S. Mezzio, CIA, CCSA, CFSA, CPA, CISSP,
CBA, Resource Connection
Anna Rebecca Nicodemus, CIA, CPA, CFE, Belo
Corporation
Claire Beth Nilsen, CFSA, CRCM, CFE, CRP,
Yardville National Bank
Jacob Nuss, Israel Aircraft Industries Ltd.
Daniel Pantera, The Methodist Hospital
Mark R. Radde, CIA, CPA, Buffets Inc.
M. Rajeshwaran, EID Parry India Ltd.
Alan Reinstein, Ph.D., CPA, PBA, Wayne State
University
David G. Royal, Texas Department of Insurance
Mark L. Salamasick, CIA, CISA, CDP, CSP,
University of Texas at Dallas
Jesus Antonio Serrano Nava, CIA, Banco Azteca
Katherine E. Sidway, Ernst & Young LLP
James G. Swearingen, CPA, Weber State University
The Institute of Internal Auditors Research Foundation