IIARF CBOK Delivering On The Promise Nov 2015 PDF
IIARF CBOK Delivering On The Promise Nov 2015 PDF
IIARF CBOK Delivering On The Promise Nov 2015 PDF
MANAGEMENT
Jane Seago
Sponsored by
CBOK IIA–Charlotte Chapter
The Global Internal Audit IIA–Raleigh-Durham Chapter
Common Body of Knowledge IIA–Triad Chapter
About CBOK
SURVEY FACTS T he Global Internal Audit Common Body of Knowledge (CBOK) is the world’s
largest ongoing study of the internal audit profession, including studies of inter-
nal audit practitioners and their stakeholders. One of the key components of CBOK
Respondents 14,518*
Countries 166 2015 is the global practitioner survey, which provides a comprehensive look at the
Languages 23 activities and characteristics of internal auditors worldwide. This project builds on two
previous global surveys of internal audit practitioners conducted by The IIA Research
EMPLOYEE LEVELS Foundation in 2006 (9,366 responses) and 2010 (13,582 responses).
Chief audit
Reports will be released on a monthly basis through July 2016 and can be
executive (CAE) 26%
downloaded free of charge thanks to the generous contributions and support from
Director 13% individuals, professional organizations, IIA chapters, and IIA institutes. More than
Manager 17% 25 reports are planned in three formats: 1) core reports, which discuss broad topics,
Staff 44% 2) closer looks, which dive deeper into key issues, and 3) fast facts, which focus on a
specific region or idea. These reports will explore different aspects of eight knowledge
*Response rates vary per
tracks, including technology, risk, talent, and others.
question.
Visit the CBOK Resource Exchange at www.theiia.org/goto/CBOK to download
the latest reports as they become available.
Europe 23%
North
America 19%
Middle East
& North 8%
Africa South
Asia 5%
Latin East
America 14% Asia 25%
& Caribbean & Pacific
Sub-
Saharan 6%
Africa
Note: Global regions are based on World Bank categories. For Europe, fewer than 1% of respondents were from Central Asia.
Survey responses were collected from February 2, 2015, to April 1, 2015. The online survey link was distributed via institute email
lists, IIA websites, newsletters, and social media. Partially completed surveys were included in analysis as long as the demographic
questions were fully completed. In CBOK 2015 reports, specific questions are referenced as Q1, Q2, and so on. A complete list of
survey questions can be downloaded from the CBOK Resource Exchange.
Future
Executive Summary 4
Introduction 5
Global
Perspective 1 Delivering the Value of Internal Audit 7
Appendix A 16
Risk Resources 22
Standards &
Certifications
Talent
Technology
www.theiia.org/goto/CBOK ● 3
Executive Summary
I n 2010, The IIA recognized a need to capture a simple, memorable, and straight-
forward way to help internal auditors convey the value of their efforts to important
stakeholders, such as boards of directors, audit committees, management, and clients.
To that end, the association introduced the Value Proposition for Internal Auditing,
which characterizes internal audit’s value as an amalgam of three elements: assurance,
insight, and objectivity (see exhibit 1).
But identifying the conceptual elements of value is only part of what needs to be
done. How does that construct look in the workplace? What activities does internal
audit undertake that deliver the most value? What should be measured to determine
that the organization’s expectations of value are being met? How does internal audit
organize and structure the information that populates the metrics? And, most critically,
do the answers to all these questions align; that is, does internal audit’s perception of
its value, as measured and tracked, correlate with what the organization wants and
needs from the internal audit function?
Source: The Internal Audit Value Proposition graphic is used by permission from The IIA.
All rights reserved.
www.theiia.org/goto/CBOK ● 5
These are the kinds of questions the CBOK 2015 global practitioner survey posed
to chief audit executives (CAEs) from around the world. The activities these CAEs
believe bring value to the organization are consistent with the three elements of The
IIA’s value proposition. In fact, the nine activities identified by CAEs as adding the
most value can be mapped directly to the three elements, as shown in exhibit 2.
However, in looking at the performance measures and tools used by the organi-
zation and the internal audit function, a gap appears to form between value-adding
activities and the ways performance is measured. This report explores that gap in
greater detail and clarifies the respondents’ view of value-adding activities, preferred
performance measures, and the methodologies and tools most commonly used to sup-
port internal audit’s quality and performance processes. Where appropriate, responses
tabulated by geographic regions and organization types are examined.
Finally, based on the findings, the final chapter of the report provides a series of
practical steps that practitioners at all levels can implement to help their internal audit
department deliver on its value proposition of assurance, insight, and objectivity.
Exhibit 2 The Internal Audit Value Proposition (mapped to response options from the CBOK
survey)
ASSURANCE ACTIVITIES
●● Assuring the adequacy and effectiveness of the internal
control system
●● Assuring the organization’s risk management processes
●● Assuring regulatory compliance
●● Assuring the organization’s governance processes
Note: The activities listed in this graphic are from the response options to Q89: In your opinion, which are the five internal
audit activities that bring the most value to your organization? The Internal Audit Value Proposition graphic is used by
permission from The IIA. All rights reserved.
Exhibit 3 Audit Activities That Bring Most Value (CAEs Indicating Their Top Five Choices)
Note: Q89: In your opinion, which are the five internal audit activities that bring the most value to your organization? (Choose up
to five.) CAEs only. Purple bars are assurance activities, royal are insight, and green are objectivity, as related to The IIA’s Internal
Audit Value Proposition. n = 2,641.
www.theiia.org/goto/CBOK ● 7
❝Most work on in exhibit 3 show, there is a mix of the
three elements of internal audit’s value
For the area of objectivity (or objective
advice, represented by green bars), about
assurance focuses proposition—assurance (purple), insight a third of respondents say their top five
on assessing the (blue), and objectivity (green)—but the value activities include “informing and
highest percentages are for assurance. advising management,” “investigating
effectiveness of
In the area of insight, more than half or deterring fraud,” or “informing and
controls (Is the of respondents say that “recommending advising the audit committee.”
control followed?) business improvement” is an important It is important to remember that
way they add value, which is a strong, survey respondents were asked to only
and less work or
positive sign that internal audit is going choose their top five activities, so they
no work at all is beyond assurance in many organiza- were limited in how many activities they
done on assuring tions. In addition, it is significant that could select. This means that they may be
more than one-third of the CAEs indi- involved in other areas, but they did not
the adequacy
cated “identifying emerging risks” as an choose them as a top five value driver.
of controls (Has important value-adding activity. This Value drivers can vary from one
the control been aligns with the current focus on risk- organization to the next for many rea-
based auditing, says Tania Stegemann, sons: industry sector, organization type,
designed properly
executive audit manager, CIMIC Group management preferences, geographic
to mitigate risk?). Ltd, Melbourne, Australia. “It is critical region, and regulatory requirements, to
If auditors are to that auditors understand the key risks name a few. For details on value-adding
facing the organization as well as the key internal audit activities by organization
add value to the
controls in place. This is fundamental to and region type, see exhibit A1 and
business, they risk-based auditing and should form the exhibit A2 in the appendix.
should not only basis of the annual audit plan.”
assess whether
a procedure is
followed but also
determine whether
that procedure can
mitigate the risk. ❞
—Augustino Mbogella,
Chief Internal Auditor, NMB,
Dar es salaam, Tanzania
Exhibit 4 Measures Used for Internal Audit Performance (CAEs Choosing All That Apply)
Other 10%
Note: Q90: What specific measures does your organization use to evaluate the performance of its internal audit activity? (Choose
all that apply.) Green bars are inward-facing measures, purple bars are outward-facing measures, and gray are other options. CAEs
only. n = 2,641.
www.theiia.org/goto/CBOK ● 9
top selection, by a considerable margin, value of those activities by others. On
was “percentage of audit plan complete,” the other hand, it is encouraging to see
chosen by 66% of respondents (this per- that one outward-facing measure—client
centage was similar to the CBOK 2010 satisfaction goals—came in at a close
survey results). “Timely closure of audit fourth place, selected by 38% of respon-
issues” and “completion of mandated dents. This means that many CAEs are
coverage” were virtually tied for a some- connecting their value with their stake-
what distant second at just over 40%. holder needs. Another 32% say they also
In considering the meaning of these measure their value by “the fulfillment
top three choices, it is useful to note the of specific expectations set and agreed
difference between inward-facing and to with key stakeholders,” another out-
outward-facing measures. Inward-facing ward-facing measure.
measures focus on how work is done At the same time, a cause for con-
internally and, very generally speaking, cern may be the fact that 15% indicate
tend to incline toward administrative effi- that no formal measures of value have
ciency. Outward-facing measures focus been established. This fairly substantial
on the customer’s satisfaction (the ulti- percentage would be surprising if the
mate recipient of the benefits provided responses include those who are not in
by the activity) and incline toward effec- management; the fact that all respon-
tiveness. Both types of measures reveal dents to this question are CAEs makes it
important and actionable information. even more perplexing. Those in the 15%
In the case of the results illustrated in category may wish to consider the rami-
exhibit 4, it is important to note that fications of the absence of measures: lack
the top three metrics are inward-facing. of measurements make it more difficult
They focus on completion of tasks as to be in conformity with IIA Standard
the primary indicators that the internal 1311: Internal Assessments, and they risk
audit function is delivering value. This not knowing the quality of their efforts
task-specific focus looks more at a “to-do (or the organization’s perception of that
list” and less on the perception of the quality).
www.theiia.org/goto/CBOK ● 11
Exhibit 5 Methods Used to Support Performance
Note: Q91: Which of the following methodologies and tools do you use to support your quality and performance processes?
(Choose all that apply.) Green bars are inward-focused methods and purple bars are outward-focused measures. CAEs only.
n = 2,641.
strategy, and then translating the strategy For results about measures and meth-
of the internal audit function into appro- odologies by geographic region and
priate balanced scorecard performance industry type, see exhibits A3 through
measures. A6 in the appendix.
Performance
Measures
Note: Internal audit and stakeholders have their own perspectives about value, so they need
to collaborate in order to agree on value-adding activities and how to measure them.
www.theiia.org/goto/CBOK ● 13
4. Start measuring. Implement tools
❝When you want to Steps to Align Performance
Measures and Value-Adding and methodologies to capture and
know how stake- Activities
track internal audit’s performance
holders rate your against the value drivers and the
1. Learn the customer’s expectations.
internal quality standards. Be sure
performance, Internal auditors cannot deliver
to address the non-assurance aspects
you need to do expected value unless they know spe-
of internal audit’s work by devising
cifically how management and key
more than send a way to obtain feedback from key
stakeholders define value. The only
stakeholders on qualitative and advi-
out a feedback way to find out is to ask. Interview
sory activities.
survey. We ask key stakeholders (members of the
board and the audit committee) 5. Report back. Make sure that stake-
an independent and executive management and use holders whose input formed the list
party to sit with those responses to develop a list of of value-driving activities outlined
our stakeholders what they indicate are value-adding in step 1 are regularly informed of
activities. the internal audit function’s status
for a focused and performance against their
2. Validate your understanding.
conversation. ❞ Review the list developed in step
expectations.
1 with the key stakeholders whose 6. Repeat the cycle. Periodically (at
—Robert Kella, Senior Vice
interview comments helped create the least annually) reconfirm the expec-
President of Internal Audit
for Emirates Group, Dubai, list and secure their agreement that it tations with the key stakeholders and
United Arab Emirates is an accurate and complete reflection update the list of value-adding activi-
of value expected from the internal ties as necessary. Support any updates
audit function. with new performance measures.
3. Develop outward-facing and
Remember that successful application
inward-facing performance
of these steps requires use of one of the
measures.
most important skills internal auditors
a. Outward-facing measures: For must possess: communication. Listening
each value activity, develop one or to stakeholders enables internal auditors
more outward-facing performance to craft measurements and methodol-
measure that provides a clear, ogies that reflect stakeholder priorities.
repeatable, and accurate view of Reporting back to them on status and
how well the activity delivered the performance of the identified activities
expected value for the stakeholder. demonstrates internal audit’s competence
and collaborative spirit. Value is thus
b. Inward-facing measures: There
realized on both sides of the equation,
are many critical, inward-facing
and the organization is the ultimate
activities that internal audit must
beneficiary.
undertake to keep its activities in
order. Develop performance mea-
sures for those activities.
T he CAEs who participated in the CBOK 2015 practitioner survey clearly under-
stand that the success of the internal audit function—defined in this case as
meeting stakeholder expectations for value—depends on more than completed audits.
While operational expertise (reflected in completing audits on time and closing audit
issues on schedule) is valuable and therefore measured, other activities such as advising
and recommending are also part of internal audit’s contribution to the organization. To
provide the highest level of service to their organizations, internal auditors should col-
laborate with their stakeholders to align performance measures to their top priorities.
www.theiia.org/goto/CBOK ● 15
Appendix A
Exhibit A1 Audit Activities That Bring Most Value (Organization Type View)
Public sector
global average)
Financial (including
Ranking (by
Recommending business
2 49% 57% 57% 57% 54% 55%
improvement
Assuring regulatory
4 62% 44% 42% 51% 59% 50%
compliance
Investigating or deterring
8 20% 38% 34% 24% 32% 29%
fraud
Note: Q89: In your opinion, which are the five internal audit activities that bring the most value to your organization? (Choose up
to five.) CAEs only. Red indicates a percentage significantly below the global average and blue indicates a percentage significantly
above. Only the nine most popular choices are shown. n = 2,641.
●●In the financial sector, internal auditors tend to focus more on assurance activities than on insight or objec-
tive advice.
●●For privately held and publicly traded organizations that are not in the financial sector, internal auditors
tend to focus less on “assuring regulatory compliance” and more on “investigating or deterring fraud.”
Global Average
North America
Latin America
Middle East &
Sub-Saharan
North Africa
& Caribbean
Ranking (by
Pacific
Africa
Value-Adding Activities
Assuring the adequacy and effectiveness of the internal
1 86% 82% 91% 96% 86% 85% 89% 87%
control system
2 Recommending business improvement 57% 58% 48% 39% 55% 56% 56% 55%
3 Assuring the organization's risk management processes 56% 50% 64% 51% 62% 34% 62% 53%
4 Assuring regulatory compliance 43% 46% 57% 70% 57% 46% 57% 50%
5 Informing and advising management 43% 32% 32% 24% 38% 51% 29% 40%
6 Identifying emerging risks 42% 36% 44% 43% 29% 33% 42% 37%
7 Assuring the organization's governance processes 36% 46% 49% 39% 43% 24% 39% 37%
8 Investigating or deterring fraud 27% 25% 26% 34% 31% 28% 34% 29%
9 Informing and advising the audit committee 26% 28% 30% 21% 16% 45% 24% 28%
Note: Q89: In your opinion, which are the five internal audit activities that bring the most value to your organization? (Choose up
to five.) CAEs only. Red indicates a percentage significantly below the global average and blue indicates a percentage significantly
above. Only the nine most popular choices are shown. n = 2,605.
●●Respondents in North America assign a lower value to “assuring the organization’s risk management pro-
cesses” than any other global region.
North America was relatively late in adopting formal enterprise risk management (ERM) processes
and assurance of the risk management framework by internal audit, while other areas of the world
have been using risk management standards since the late 1990s.
●●In South Asia, the highest priority after “assuring the adequacy and effectiveness of the internal control
system” is overwhelmingly “assuring regulatory compliance.”
The South Asia region consists primarily of India, where new regulatory requirements for internal
audit have recently been implemented. In India, all listed companies (plus certain unlisted public com-
panies and private companies that fulfill specific conditions) are required by the Companies Act 2013
to appoint an internal auditor (whether an employee or an external agency) to undertake internal
audit activities. The way the legal requirement is currently structured, the duties and responsibilities
of the internal auditor are not yet stipulated, which may account for emphasis on assuring regulatory
compliance.
www.theiia.org/goto/CBOK ● 17
Exhibit A3 Measures Used for Internal Audit Performance (Organization Type View)
Public sector
(including
Financial government
sector Privately Publicly agencies
(privately held traded and
held and (excluding (excluding government- Not-for-
publicly financial financial owned profit
Performance Measures traded) sector) sector) operations) organization Average
Percentage of audit plan complete 73% 66% 65% 65% 55% 66%
Timely closure of audit issues 46% 45% 45% 37% 37% 42%
Budget to actual audit hours 34% 27% 26% 29% 28% 29%
Note: Q90: What specific measures does your organization use to evaluate the performance of its internal audit activity? (Choose
all that apply.) CAEs only. Red indicates a percentage significantly below the global average and blue indicates a percentage
significantly above. n = 2,641.
●●When performance measures are viewed according to organization type, most of the significant differences
disappear.
This result suggests that the differences between regions may be related more to the different mix
of organization types than to cultural variances. Expressed another way, the most logical ways of
measuring internal audit performance may be tied more closely to organization type than to regional
distinctions.
Global Average
North America
Middle East &
Sub-Saharan
North Africa
Caribbean
Europe
Pacific
Africa
Performance Measures
Percentage of audit plan complete 64% 69% 82% 69% 66% 56% 76% 66%
Timely closure of audit issues 43% 46% 46% 64% 38% 41% 43% 42%
Completion of mandated coverage 34% 47% 53% 63% 52% 35% 41% 42%
Client satisfaction goals 39% 39% 45% 34% 34% 40% 33% 38%
The fulfillment of specific expectations set and agreed to with key stakeholders 28% 31% 42% 46% 26% 35% 37% 32%
Budget to actual audit hours 25% 40% 30% 30% 30% 29% 32% 29%
Performance against the internal audit financial budget 19% 20% 32% 16% 21% 31% 20% 23%
Cycle time from end of fieldwork to final report 21% 25% 24% 30% 24% 23% 22% 23%
Cycle time from entrance conference to draft report 18% 30% 17% 22% 17% 19% 22% 19%
We have not established formal performance measures. 17% 11% 7% 7% 15% 18% 13% 15%
Note: Q90: What specific measures does your organization use to evaluate the performance of its internal audit activity? (Choose
all that apply.) CAEs only Red indicates a percentage significantly below the global average and blue indicates a percentage
significantly above. n = 2,605.
●●For nearly every region, the measure that outweighs all others is “percentage of audit plan complete.”
●●The use of “client satisfaction goals” is remarkably consistent across all regions—ranging from 33% to 45%.
This represents broad agreement that effectiveness in advising and recommending activities depends
on a thorough understanding of what the client hopes to gain from the internal audit activity.
●●The Sub-Saharan Africa and Latin America & Caribbean areas show a significantly higher reliance on the
“percentage of audit plan complete” as a way to evaluate the value delivered by internal audit.
One possible explanation is that organizations in the region generally match salaries or benefits to a
unit’s performance. Organizations tend to find the percentage of audit plan completed the easiest and
most direct way to measure internal audit’s performance, similar to the way other units are measured
by their percentage of objectives completed. Clearly, more sophisticated measures exist to measure
added value, but they may be less readily understood or accepted throughout the organization.
www.theiia.org/goto/CBOK ● 19
Exhibit A5 Methods Used to Support Quality and Performance (Organization Type)
Public sector
Financial (including
sector Privately Publicly government
(privately held traded agencies and
held and (excluding (excluding government- Not-for-
Methods That Support publicly financial financial owned profit
Performance traded) sector) sector) operations) organization Average
Note: Q91: Which of the following methodologies and tools do you use to support your quality and performance processes?
(Choose all that apply.) CAEs only. Red indicates a percentage significantly below the global average and blue indicates a
percentage significantly above. n = 2,641.
●●Privately held organizations were less active than average for “internal quality assessments initiated by
internal audit,” “external quality assessments initiated by internal audit,” and “reviews from external regula-
tors.” In these same areas, the financial sector was more active.
●●Public sector respondents exceeded all other organization types for “peer reviews.”
Latin America
Middle East &
Sub-Saharan
North Africa
& Caribbean
East Asia &
South Asia
America
Average
Europe
Pacific
Global
Africa
North
Methods That Support Performance
Surveys of audit clients 51% 47% 53% 51% 43% 56% 51% 50%
Internal quality assessments initiated by internal audit 48% 49% 55% 37% 43% 51% 39% 47%
Surveys of key stakeholders 26% 30% 31% 34% 26% 32% 26% 28%
External quality assessments initiated by internal audit 35% 28% 25% 21% 17% 33% 18% 27%
Balanced scorecard 22% 31% 39% 31% 23% 20% 34% 26%
Peer reviews 19% 20% 28% 36% 18% 19% 21% 20%
Reviews from external regulators 17% 20% 22% 12% 15% 18% 21% 18%
Reviews by your organization's internal quality assurance function 9% 13% 19% 16% 20% 5% 18% 13%
Note: Q91: Which of the following methodologies and tools do you use to support your quality and performance processes?
(Choose all that apply.) CAEs only. Highlighted cells show the general relationship between “external quality assessments initiated
by internal audit” compared to “reviews by the organization’s internal quality assurance.” Red indicates a percentage significantly
below the global average and blue indicates a percentage significantly above. n = 2,605.
●●The “balanced scorecard” appears to be especially favored in the Sub-Saharan Africa and Latin America &
Caribbean areas, but not so widely used in North America and Europe.
In Sub-Saharan Africa and Latin America & Caribbean, the balanced scorecard is a relatively new con-
cept widely recognized as a good management practice. In North America, the balanced scorecard
may have been replaced or supplemented by the more abbreviated dashboard approach.
●●Regions with higher rates of review by their organization’s quality assurance function tend to have lower
levels of “external quality assessments initiated by internal audit” and vice versa (see highlighted cells).
This would tend to indicate that internal audit may need to explain to its stakeholders the value of
external quality reviews and that internal quality reviews cannot be a substitute for external quality
reviews, which are required for conformance with the Standards at least every five years.
www.theiia.org/goto/CBOK ● 21
Resources
Become a Strategic Internal Auditor: Tying Risk to Strategy by Paul L. Walker (Altamonte
Springs, FL: The Institute of Internal Auditors Research Foundation, 2014).
The IIA’s Practice Guide, Measuring Internal Audit Effectiveness and Efficiency
(Altamonte Springs, FL: The Institute of Internal Auditors, 2010). www.global.theiia.org
Insight: Delivering Value to Stakeholders by Patty Miller and Tara Smith (Altamonte
Springs, FL: The Institute of Internal Auditors Research Foundation, 2011).
Job Satisfaction for Internal Auditors: How to Retain Top Talent by Venkataraman Iyer
(Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation,
2014).
Keeping Quality in Focus Through Internal Assessments (Altamonte Springs, FL: The
Institute of Internal Auditors, Audit Executive Center, 2014). www.theiia.org/cae
“Options for Using the Value Proposition for Internal Auditing” (Altamonte Springs,
FL: The Institute of Internal Auditors, 2012).
Quality Assessment Manual for the Internal Audit Activity by Patrick Copeland, Donald
Espersen, Martha Catherine Judith Grobler, and James Roth (Altamonte Springs, FL:
The Institute of Internal Auditors Research Foundation, 2013).
Value and Competency—The Stakeholder Perspective: Insights for Internal Auditors and
Management by Vu H. Pham and Betsy Bosak (Altamonte Springs, FL: The Institute
of Internal Auditors Research Foundation, 2013).
Jane Seago is a technical and business writer who focuses on information systems
audit, information security, IT governance, internal audit, enterprise risk, data privacy,
and cybersecurity topics.
Acknowledgments
The IIARF appreciates contributions to the development of this report made by Dick
Anderson (United States) and Serge Van Herpen (Netherlands). In addition, The
IIARF thanks Jørgen Bock (Norway), Robert Kella (United Arab Emirates), and Karen
Begelfer (United States) for providing their perspectives for this report via interviews.
Sponsorship
www.theiia.org/goto/CBOK ● 23
About The IIA Research Foundation
Your CBOK is administered through The IIA Research Foundation (IIARF), which has
provided groundbreaking research for the internal audit profession for the past four
Donation
decades. Through initiatives that explore current issues, emerging trends, and future
Dollars at needs, The IIARF has been a driving force behind the evolution and advancement of
Work the profession.
CBOK reports are
available free to Limit of Liability
the public thanks
to generous The IIARF publishes this document for information and educational purposes only.
contributions IIARF does not provide legal or accounting advice and makes no warranty as to any
from individuals,
legal or accounting results through its publication of this document. When legal or
organizations, IIA
chapters, and IIA accounting issues arise, professional assistance should be sought and retained.
institutes around the
world. Contact Us