Moving Internal Audit Back into Balance

Transcription

1 Moving Internal Audit Back into Balance A Post-Sarbanes-Oxley Survey Fourth Edition

2 Table of Contents Introduction... 1 Executive Summary... 2 Overview of Rebalancing Initiatives... 4 Current Status of Sarbanes-Oxley Compliance... 4 State of Rebalancing... 5 Making Progress... 6 Primary Benefits... 7 Key Activities by Organizations Seeking to Rebalance... 8 Addressing IT Audits... 9 Sarbanes-Oxley Compliance Strategies as Part of Rebalancing Efforts Addressing IT Audits Primary Ownership Impact of SEC S Interpretive Guidance and PCAOB AS Rebalancing Efforts Changes in Efforts/Hours Quantity and Scope of Processes and Controls Impact of Rebalancing Initiatives Internal Audit Responsibilities in Sarbanes-Oxley Compliance Allocating Internal Audit Efforts for COSO Internal Control Objectives Rebalancing the Skills Gap Internal Audit Staffing, Hours and Budget Allocations Impact of SEC s and PCAOB s Guidance Outsourcing Sarbanes-Oxley Compliance Activities External Quality Assessments Changing Landscape Demands Ongoing Rebalancing Methodology survey Demographics About Protiviti INC... 34

3 Introduction Unless commitment is made, there are only promises and hopes... but no plans. Peter Drucker Without question, much has changed in the seven years since the U.S. Sarbanes-Oxley Act became law. We conducted our first Internal Audit Rebalancing study in 2005 to assess how organizations were relying on their internal audit departments for Sarbanes-Oxley compliance-related activities while seeking to rebalance these functions to also address more traditional internal auditing responsibilities. (For the purposes of this survey, rebalancing is defined as the process of moving activities away from Sarbanes-Oxley compliance to a broader coverage of business objectives as defined by the COSO framework.) In subsequent years of the study, we noted how the landscape continued to change, with organizations becoming more familiar with the Sarbanes-Oxley compliance process and thus streamlining their efforts. Perhaps most notably, in 2007, a potential paradigm shift was introduced with the U.S. Securities and Exchange Commission s (SEC) interpretive guidance to management on implementing Section 404 of Sarbanes-Oxley, along with a new standard, Auditing Standard No. 5 (AS5), from the Public Company Accounting Oversight Board (PCAOB). Both of these were intended, in part, to alleviate some of the time and cost burdens associated with the compliance process. The results of our 2008 Rebalancing survey suggested that both the SEC s interpretive guidance and PCAOB AS5 were having their intended effect. In our 2009 Rebalancing survey, one of the more interesting trends emerging from our analysis of the data is an apparent drop among organizations in activities and perceived benefits relating to these regulatory pronouncements. Both were designed to ease compliance burdens among companies and facilitate a more efficient and streamlined attestation by external auditors of internal control over financial reporting. There could be several reasons behind this trend. Certainly there is a heightened regulatory environment in the wake of the many well-publicized bank and corporate failures worldwide. There also could be a general aura of compliance conservatism because of the global financial crisis that is impacting virtually every organization around the world. It also could be that the rate of changes being implemented by companies has slowed since it has now been two years since the SEC s and PCAOB s announcements. We explore these and other themes further throughout this report. This year s survey, which was modified slightly from previous years, consisted of questions grouped into two divisions: Rebalancing Strategy and Internal Audit Organization and Focus. More than 600 respondents a majority of whom are chief audit executives, audit directors and audit managers took part by completing the survey in person or online. We would like to extend our appreciation to all of the chief audit executives and internal audit professionals who participated in our 2009 Rebalancing survey. We also want to recognize The Institute of Internal Auditors for its continued leadership and guidance for the profession. We are very appreciative of the continued positive feedback on this study that we receive from chief executive officers, chief financial officers, board members and other executives, as well as internal audit leaders. We are certain our 2009 report will again be of interest to any organization assessing how to balance ongoing Sarbanes-Oxley compliance with traditional internal auditing responsibilities. Protiviti June 2009 Moving Internal Audit Back into Balance 1

4 Executive Summary Impact of the SEC s Interpretive Guidance and PCAOB Auditing Standard No. 5 While approximately half of survey participants reported the SEC s guidance and PCAOB AS5 are enabling them to increase rebalancing efforts significantly or moderately, the response was down from Hours for external audit, internal company and other external resources have decreased, but not as much as reported last year. A majority of respondents reported decreases in the number of key controls and total controls documented and tested. One of the more notable trends in this year s results is an apparent lessening in the positive effects of the SEC s interpretive guidance and PCAOB AS5, with a general across-the-board decrease in their respective impact. This could be a result of many factors, including the global economic crisis, heightened regulatory environment, continued significant reliance on manual processes and controls, growing conservatism among companies in order to maintain the status quo, or a belief among organizations that they already have implemented changes in response to these regulatory rulings and are not planning further adjustments. Primary Benefits of Rebalancing Internal audit being able to perform more traditional audits and more appropriate coverage of risk rank as the top benefits. Reduced Section 404 and 302 compliance costs is the third-highest ranked benefit, yet the response was down 7 percent from After 2005 (the first year of the survey), there is a clear trend showing more traditional audits to be a top benefit of rebalancing, which is understandable given the interest in shifting internal audit away from a Sarbanes-Oxley-only emphasis. Such a shift enables organizations to achieve more appropriate coverage of their risks. Sarbanes-Oxley Compliance: Current Status Most respondents are in or beyond their fourth year of Sarbanes-Oxley compliance, generally mirroring the compliance timeline since the act went into effect for large accelerated filers. These results are similar to those from the 2008 Rebalancing study. Of note, there was a year-over-year increase in the number of organizations identifying themselves as in either the first year or pre-first year of compliance. This is the result of the pending deadline for smaller companies to comply with the auditor attestation requirement of Section 404 (beginning for fiscal years ending on or after December 15, 2009). Rebalancing Status: One Year Ago Versus Today Nearly three out of four organizations have achieved or moved beyond rebalancing, or have rebalancing underway or in the planning stages. This is very consistent with results from the 2008 and 2007 Rebalancing surveys. These results clearly show that even with the ongoing requirements for Sarbanes-Oxley compliance, most companies view rebalancing the internal audit department as a key priority to ensure the long-term effectiveness of the internal audit function in helping management and the board identify, manage, mitigate and monitor key risks. 2 Moving Internal Audit Back into Balance

5 Strategies: Current Versus Planned As in 2008, reducing the number of key controls and using a risk-based testing approach were the top two strategies, but percentages for both were down year-over-year. Reduction in number of key controls leads the strategies that organizations are currently employing, followed by use of a risk-based testing approach, greater reliance on internal auditors by external auditors and reduction in total population of controls. However, when comparing this year s results to those from 2008, there was a consistent decrease in the percentage of responses for each category. This may be a signal that some companies believe they have completed making adjustments in response to the SEC s and PCAOB s pronouncements, or be further indication of an apparent hesitancy among organizations to fully implement practices based on the SEC s interpretive guidance and PCAOB AS5. It also could mean that some organizations believe they have applied a top-down, risk-based approach, consistent with the SEC s guidance. Based on our experience, we believe many organizations with this point of view continue to rely heavily on manual financial reporting processes and controls. Activities as Part of Rebalancing Risk-based testing and rescoping workloads are the top rebalancing activities. Implement risk-based testing, added to the Rebalancing survey this year, ranked as the top activity, with two out of three organizations including this as part of their rebalancing efforts. Rescope workloads has ranked first or second in the past three studies. Also of note, just one in five respondents cited add additional resources this year, continuing a downward trend from 2005 (62 percent). Moving Internal Audit Back into Balance 3

6 Overview of Rebalancing Initiatives Current Status of Sarbanes-Oxley Compliance: Most in their Fourth Year or Beyond A majority of respondents are in or beyond their fourth year of Sarbanes-Oxley compliance, generally mirroring the compliance timeline since the act went into effect for large accelerated filers. Similar to the results from the 2008 Rebalancing study, among all respondents, a majority are at least in their fourth year of Sarbanes-Oxley compliance, and 40 percent are beyond the fourth year. Of note, there was a yearover-year increase in the number of organizations identifying themselves as in either the first year or pre-first year of compliance (22 percent this year versus 16 percent in 2008). This could be the result of the pending deadline that smaller companies or nonaccelerated filers, as defined by the SEC must comply with the auditor attestation requirement of Section 404 beginning in fiscal years ending on or after December 15, This group of companies includes those that underwent initial public offerings in Year of Sarbanes-Oxley Compliance 4 Beyond 4th year of compliance 2 4th year of compliance 16% Pre-1st year of compliance 11% 3rd year of compliance 6% 1st year of compliance 7% 2nd year of compliance 4 Moving Internal Audit Back into Balance

7 State of Rebalancing Most organizations recognize the importance of rebalancing their internal audit departments to focus more on traditional responsibilities. Respondents were asked the following two questions: One year ago, how would you have described your organization s efforts to rebalance internal audit priorities away from Sarbanes-Oxley compliance projects? Today, how would you describe your organization s efforts to rebalance internal audit priorities away from Sarbanes-Oxley compliance projects? Nearly three out of four organizations today 73 percent have achieved or moved beyond rebalancing, or have rebalancing underway or in the planning stages. This is very consistent with results from the 2008 and 2007 Rebalancing surveys. These results clearly show that even with the ongoing requirements for Sarbanes-Oxley compliance, most companies view rebalancing the internal audit department as a key priority to ensure the long-term effectiveness of the internal audit function in helping management and the board identify, manage, mitigate and monitor key risks. State of Rebalancing 4 One year ago Today 3 32% 27% 2 21% 1 12% 15% 15% 13% 17% 13% 6% 8% 7% 7% 7% Beyond rebalancing Rebalancing achieved Rebalancing underway Rebalancing planned Haven t started planning, but intend to rebalance Doesn t apply not yet under first year of S-O Act compliance Not intending to rebalance Moving Internal Audit Back into Balance 5

8 Overview of Rebalancing Initiatives (cont.) Making Progress Most organizations consistently report moderate progress in their rebalancing efforts. Over the past three years of the Rebalancing study, results on the progress of rebalancing efforts have been very consistent, with 71 percent to 73 percent of respondents reporting their rebalancing projects are making significant or moderate progress. Results related to expectations also have been consistent, with a growing number of respondents noting progress has met or exceeded them. These trends show that once an organization initiates rebalancing efforts, it is likely to achieve significant or moderate progress toward its goals in other words, there is a strong chance of success. Rebalancing Progress Made So Far: Three-Year Comparison (Base: Rebalancing Underway) % 56% 53% % 17% 18% 27% 26% 26% Significant Moderate Minimal 1% 3% None Expectations of Rebalancing Progress to Date: Three-Year Comparison (Base: Rebalancing Underway) % 54% % % 36% 2 24% 1 11% 11% 1 5% 5% 5% Much less than expected Somewhat less than expected About the same as expected Somewhat more than expected 1% 1% 1% Much more than expected 6 Moving Internal Audit Back into Balance

9 Primary Benefits Consistent with previous years results, the top two benefits of rebalancing are having internal audit perform more traditional audits and achieving more appropriate coverage of risk. The top responses for 2009 internal audit being able to perform more traditional audits and more appropriate coverage of risk have been relatively consistent over the four years of the Rebalancing study. However, one notable change this year was a drop in the benefit of having reduced Section 404 and 302 compliance costs. While this may be unexpected to some given that the SEC s interpretive guidance and PCAOB AS5 were intended to facilitate a reduction in efforts and costs for reporting companies, some organizations were of the view that they were already applying a top-down, risk-based approach when the 2007 guidance was issued, while other companies may have the view that they have completed their implementation of the new guidance and standard. Again, significant reliance on manual financial reporting processes and controls can limit the potential benefits from implementing the SEC interpretive guidance and PCAOB AS5. Primary Benefit of Rebalancing: Four-Year Comparison (Base: All respondents except those not engaged in or planning rebalancing) Internal audit able to perform more traditional (operational and nonfinancial reporting-related) audits 18% 36% 35% 47% More appropriate coverage of risk 15% 25% 25% 29% Reduced Section 404 and 302 compliance costs 12% 15% 19% 18% 2005 Increased reliance by external auditors on work of internal audit (PCAOB AS5) Increased effectiveness and efficiency of operations Increased objectivity of the internal audit department Other No benefit 1% 3% 3% 5% 2% 1% 3% 3% 3% 2% 9% 7% 8% 8% 4% 7% 12% 13% 12% 5% 1 15% 2 25% 3 35% 4 45% 5 Moving Internal Audit Back into Balance 7

10 Overview of Rebalancing Initiatives (cont.) Key Activities by Organizations Seeking to Rebalance Risk-based testing and rescoping workloads stand out as the top rebalancing activities. Implement risk-based testing was added to the Rebalancing survey this year and ranked as the top activity, with two out of three organizations including it as part of their rebalancing efforts. Rescope workloads has ranked first or second in the past three studies. Both application of (PCAOB) AS5 by the company s external auditors and increase testing and reliance on monitoring controls were cited by half of respondents. Of note, the latter activity coincides with the recent release of the new COSO Monitoring Guidance, which further indicates the higher priority being placed on the monitoring of controls. Notable four-year trends in the findings for this category include the following: Nearly two out of three respondents 62 percent cited add additional resources in 2005, but just 22 percent did so in 2009, continuing a four-year decline for this rebalancing activity. Reallocate existing resources received approximately half of the response in 2005 and 2007, but just 32 percent in Rescope workload has increased over the past four years as a rebalancing activity, from 41 percent in 2005 to 65 percent this year. Key Rebalancing Activities (Base: All respondents except those not engaged in or planning rebalancing) Implement risk-based testing*** 66% Rescope workload 65% Increase testing and reliance on monitoring controls*** Application of AS5 (vs. AS2) by the company s external auditors* 5 49% Conduct an enterprisewide risk assessment Automating more controls (moving more controls from manual to automated)*** Increased ownership by process owners** 39% 41% 45% Utilize more self-assessment and self-audits by process owners and executives Reallocate existing resources 34% 32% Company s effort in applying the SEC s interpretive guidance* Add additional resources Use third parties to complete certain work to assist in the rebalancing effort Create a separate risk and controls function to focus primarily on Section % 22% 21% 18% * Not applicable in 2005 and 2007 surveys ** Not included in 2005 survey *** Not included in previous surveys Other 2% Moving Internal Audit Back into Balance

11 Addressing IT Audits Respondents specifically were asked how IT audits not related to Sarbanes-Oxley compliance were being addressed as part of their rebalancing efforts. Consistent with last year, the most common response was no change. However, collectively over half of all respondents reported they are increasing IT audits when it comes to rebalancing efforts. This year s results show that technology remains an important part of the rebalancing process. Now that organizations have more experience with Sarbanes-Oxley, IT audit efforts might be shifting toward maintaining compliance efforts while also working to lower compliance costs and improve the balance of audit coverage for other areas of risk. Protiviti s 2009 Internal Audit Capabilities and Needs Survey supports the continued importance of technology as a critical enabler of virtually all business processes and helping organizations achieve objectives and address risks. 1 In this study, technology skills hold a prominent place in the need to improve category of general technical knowledge. The recent changes to The IIA Standards also corroborate the importance of technology audits. For example, IIA Standard 2110.A2 now includes the word must when providing guidance to internal audit in its role related to assessing IT governance. As organizations adopt the new and revised Standards as of January 1, 2009, we will monitor whether IT audits continue to hold an important role in rebalancing efforts, and it is quite possible the survey results for this category will change next year. IT (IT audits not related to Sarbanes-Oxley) Assessed as Part of Rebalancing: Four-Year Comparison (Base: All respondents except those not engaged in or planning rebalancing) % 41% 37% 31% % 25% 26% 26% % 12% 13% 15% 15% Increase(d) It audits >25% Increase(d) It audits 10-25% Increase(d) It audits <1 no change 4% 5% 4% decrease(d) It audits 3% 1 For more information, read Protiviti s 2009 Internal Audit Capabilities and Needs Survey, available at Moving Internal Audit Back into Balance 9

12 Overview of Rebalancing Initiatives (cont.) Sarbanes-Oxley Compliance Strategies as Part of Rebalancing Efforts As in 2008, reducing the number of key controls and using a risk-based testing approach were the top two strategies, but percentages for both were down year-over-year. Similar to last year, reduction in number of key controls leads the strategies organizations are currently employing, followed by use of a risk-based testing approach, greater reliance on internal auditors by external auditors and reduction in total population of controls. For each of these strategies, there also was a significant increase compared to the percentage of respondents who reported in 2008 that they were planning to employ it in the coming year. This shows that, in one sense, the SEC s interpretive guidance and PCAOB AS5 are having their intended effect. However, when comparing the current results with the prior year, there was a consistent decrease in the percentage of responses for each category in In last year s survey, for example, 47 percent of respondents reported they were currently reducing the number of key controls, versus 33 percent this year. For use of a risk-based testing approach, the 2008 currently response was 45 percent versus 30 percent this year, and for reduction in total population of controls the numbers were 43 percent versus 26 percent. These findings could be a further indication that some organizations have already taken steps to reduce their control populations, and thus no longer see a need to incorporate these specific strategies as part of their rebalancing efforts. However, it is also possible that some organizations have an apparent hesitancy in 2009 to implement practices based on the SEC s interpretive guidance as well as PCAOB AS5. This could be attributed to a more conservative approach in order to preserve the status quo. Also of note, increase in number of automated controls leads the strategies organizations are planning to employ in 2009, followed by use of data mining and analytics to better understand process performance, reduction in manual controls, increase in number of monitoring controls and consolidation of redundant IT platforms and systems. These strategies are key because, for many organizations, they represent the last frontier for improving the cost-effectiveness of financial reporting controls, reducing financial reporting risks and streamlining Sarbanes-Oxley compliance. The notable increase in focus on these strategies indicates that some organizations understand their importance in this regard. 10 Moving Internal Audit Back into Balance

13 Strategies: Current vs. Planned reduction in number of key controls use of a risk-based testing approach* greater reliance on internal auditing by external auditors reduction in total population of controls tightening of overall scope centralization of common processes and functions Increase in testing within key risk areas reduction in number of in-scope locations** consolidation of redundant It platforms and systems Increase in number of monitoring controls accelerate timing of selected control tests** Increase in number of automated controls reduction in manual controls use of self-assessment techniques Improvement in quality and compression of time in business processes affecting financial reporting reduction of independent tests of controls use of data mining and analytics to increase understanding of process performance other** no specific strategies considered or employed** * Not included in 2007 survey ** Not included in 2007 and 2008 surveys don't know** 2% 2% 4% 4% 9% 1 11% 13% 14% 14% 12% 14% 14% 21% 18% 12% 16% 18% 11% 13% 18% 9% 11% 1 9% 15% 13% 15% 14% 14% 14% 13% 12% 14% 12% 18% 18% 14% 16% 16% 13% 13% 18% 19% 21% 2 23% 26% 25% 27% 3 33% currently Employing 2009 Planning to Employ 2009 Planning to Employ % 27% 29% 5% 1 15% 2 25% 3 35% Moving Internal Audit Back into Balance 11

14 Overview of Rebalancing Initiatives (cont.) Addressing IT Audits When asked what percentage of IT audits were related to Sarbanes-Oxley for each year of compliance, respondents reported that most IT auditing activity occurs in Years Two and Four. Organizations continue to express that these audits do not have a prominent role in the first year of Sarbanes-Oxley compliance, even though their importance increases significantly in Year One when compared to the precompliance period. As organizations become more experienced with Sarbanes-Oxley, they come to realize the important role IT plays in managing related risks and processes. More than 60 percent of respondents whose organizations are beyond Year Four reported that they spend at least 20 percent of their time on IT audits. This is consistent with the 2008 study. Over the years, organizations have acknowledged the benefits of automating internal controls: increased reliability, lower error rates, and less time and effort required to test compared to manual controls. The bottom line is that technology, when used appropriately, improves risk coverage and test results, leading to an improved internal control environment and effective compliance strategy. This is in line with the intention of the SEC s interpretive guidance and PCAOB AS5. As noted earlier (see page 9), changes this year to IIA Standard 2110.A2, which states that internal audit functions must assess IT governance, reinforce the importance of technology audits. In next year s Rebalancing survey, there may be notable changes in the results for this category. Percentage of IT Audits Related to Sarbanes-Oxley Compliance Beyond 4 th year of compliance 4 th year of compliance 3 rd year of compliance 2 nd year of compliance 1 st year of compliance Pre-1 st year of compliance 3% 4% 5% 4% 6% 5% 5% 4% 9% 9% 9% 9% 9% 9% 11% 1 13% 13% 12% 13% 13% 13% 17% 13% 17% 13% 13% 16% 23% 18% 21% 18% 18% 23% 26% 25% 29% % 35% Don t know None < % 20-49% 50-75% >75% 52% 12 Moving Internal Audit Back into Balance

15 Primary Ownership Internal audit owns the rebalancing process in most organizations. A review of Rebalancing survey results over the past three years shows that internal audit departments consistently have primary ownership of rebalancing activities in their organizations. This year, in fact, there was an even larger gap between internal audit and other business owners in the organization. Respondents also were asked to indicate, in terms of rebalancing efforts, the level of involvement of different groups and individuals in the organization. More than half reported that executive management, the audit committee, management and/or process owners, and the external auditor are involved to a significant or moderate extent. Primary Ownership for Rebalancing: Three-Year Comparison (Base: Beyond Rebalancing, Rebalancing Achieved, Underway, Planned and Intended) % 69% % Internal audit staff 7% 1 1 7% 5% Executive management 14% Management 6% 3% 9% 6% 8% Audit committee Other 12% 4% 5% 3% 3% 3% No one primary owner Don t know Moving Internal Audit Back into Balance 13

16 Impact of SEC s Interpretive Guidance and PCAOB AS5 Similar to results from the 2008 Rebalancing study, this year s response shows a continued positive impact as a result of PCAOB AS5 and the SEC s interpretive guidance for Section 404. However, across all sections in this category of the study, there is a noticeable decrease in the positive impact responses compared to These findings are interesting given that guidance from both organizations was intended to increase the emphasis on applying a top-down, risk-based approach and enable organizations to reduce the time and costs required for compliance. It also would be expected that rebalancing efforts would be sustained. Rebalancing Efforts Efforts have decreased, but less so than in While nearly 40 percent of respondents reported that the impact of the SEC s interpretive guidance is enabling them to increase rebalancing efforts significantly or moderately, the cumulative increase figures dropped from 60 percent in Similarly, while 56 percent of respondents last year said that, as a result of PCAOB AS5, they were increasing rebalancing activities significantly or moderately, the response dropped to 44 percent this year. Impact of SEC s Interpretive Guidance on Rebalancing: Two-Year Comparison % % 3 32% 37% 2 1 6% 14% Significantly increased rebalancing efforts Moderately increased rebalancing efforts No change 1% 3% Moderately decreased rebalancing efforts Impact of PCAOB AS5 (vs. AS2) on Rebalancing: Two-Year Comparison % 52% 42% % 14% Significantly increased rebalancing efforts Moderately increased rebalancing efforts No change 4% 4% Moderately decreased rebalancing efforts 14 Moving Internal Audit Back into Balance

17 Changes in Efforts/Hours Organizations are being more conservative in reducing hours and activities. A large percentage of respondents reported that as a result of the SEC s interpretive guidance and PCAOB AS5, external audit hours have decreased, as have the hours required of other external and internal resources. However, these charts do illustrate slight drops in the percentages of decrease in all three categories. For example, this year a combined 40 percent of respondents reported a decrease in external audit hours as a result of the SEC s guidance, whereas 50 percent reported such a decrease in Similar changes are evident in the other two categories. We will continue to monitor these trends and determine why these changes might be occurring. Changes in Efforts/Hours SEC s Interpretive Guidance SEC s Interpretive Guidance Change in External Audit Efforts (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison 6 55% 5 49% % % 18% 2 4% 6% Decreased >25% Decreased 10-25% Decreased <1 No change 5% 1% Increased Moving Internal Audit Back into Balance 15

18 Impact of SEC s Interpretive Guidance and PCAOB AS5 (cont.) SEC s Interpretive Guidance Change in Internal Company Efforts (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison 5 49% 4 44% % % 17% 17% 14% 11% 5% Decreased >25% Decreased 10-25% Decreased <1 No change Increased SEC s Interpretive Guidance Change in Use of External Resources (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison % 12% 8% 14% 1 1 Decreased >25% Decreased 10-25% Decreased <1 No change 4% 4% Increased 16 Moving Internal Audit Back into Balance

19 Are Companies Failing to Take Full Advantage of Revised Regulations? This year s findings that suggest a diminished positive impact of PCAOB AS5 and the SEC s interpretive guidance on Section 404 are worth further commentary. Both of these standards relaxed previously stringent guidelines for companies and external auditors with regard to establishing and attesting to internal control over financial reporting, as mandated by Section 404. Among the new guidance from each of these regulatory bodies were opportunities to rely more heavily on the work of others, such as the internal audit function. For example, as detailed in Protiviti s Guide to Internal Audit: Frequently Asked Questions About Developing an Effective Internal Audit Function: The PCAOB encourages greater use of the work of others in AS5 by requiring auditors to (1) understand the relevant activities of others and determine how the results of that work may affect his or her audit, and (2) evaluate whether and how to use their work to reduce audit testing. There is no reason why the external auditor should not do this, particularly if an effectively functioning internal audit function is in place. AS5 emphasizes the importance of assessing the competency and objectivity of the persons who the (external) auditor plans to use to determine the extent to which the (external) auditor may use their work. The higher degree of competence and objectivity, the greater use the (external) auditor may make of the work. The guidance included in AS5 applies the principles in AU 322 to focus the auditor s use of the work of others more specifically on altering the nature, timing and extent of the external auditor s work than otherwise would have been performed to test the operating effectiveness of controls as part of an integrated audit of the financial statements and internal control over financial reporting (ICFR). The basic premise of AS5 is that the external auditor may use work performed by, or receive assistance from, internal auditors, other company personnel (in addition to internal auditors) and third parties working under the direction of management or the audit committee that provides evidence about ICFR effectiveness. In assessing the results from this year s Rebalancing study, it is possible that some companies are being too conservative. There could be a variety of reasons at play to explain why, among them: If it isn t broken, don t fix it Without question, achieving Sarbanes-Oxley compliance was an engrossing and time-consuming process for most reporting companies. Many failed to plan properly or begin their compliance efforts early enough, resulting in organizational fire drills. It is possible that as a result of these trials and tribulations, some companies may have little appetite to rescope workloads or otherwise change processes that currently have them in compliance. This, of course, defeats the purpose of the SEC s guidance and AS5. We have also seen circumstances where managers responsible for Sarbanes-Oxley compliance are rewarded for compliance and not for cost-effectiveness; therefore, there is little incentive for them to alter the status quo. Law of diminishing returns We see many companies continuing to rely heavily on manual processes and controls. The SEC interpretive guidance and PCAOB AS5 can only take a company and its auditors so far until the process reaches the point where there is a declining impact from applying the SEC guidance and the PCAOB standard. There is a strong linkage between (a) improving process quality, time and cost performance, and (b) strengthening the effectiveness of ICFR. A simple, more streamlined and automated process is easier to control than a complex, cumbersome and manual one. Many companies continue to have opportunities to improve their process performance by building in (versus inspecting in) quality, reducing costs and compressing time within their processes and all of this while simultaneously reducing financial reporting risks and the costs of Sarbanes-Oxley compliance. Still figuring it out The difference between this year s results and last year s could be a reflection of companies still determining exactly where and how to achieve time and cost savings by rescoping workloads, reducing controls (key and total number) and increasing their rebalancing efforts. If this year s results indicate a swing back as companies, through trial and error, continue to define how to accomplish these objectives, we might expect higher positive impact responses in the 2010 Rebalancing survey. Moving Internal Audit Back into Balance 17

20 Impact of SEC s Interpretive Guidance and PCAOB AS5 (cont.) Changes in Efforts/Hours (cont.) Changes in Efforts/Hours PCAOB AS5 PCAOB AS5 Change in External Audit Efforts (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison 5 48% % 35% % 23% 25% 1 5% 8% Decreased >25% Decreased 10-25% Decreased <1 No change 3% 2% Increased Are Companies Failing to Take Full Advantage of Revised Regulations? (cont.) More small companies beginning the compliance process Beginning for fiscal years ending on or after December 15, 2009, nonaccelerated filers must comply with the auditor attestation requirement of Section 404. It is possible that this year s results reflect the fact that 7 percent of respondents are in the smaller public company category and would not be initiating rebalancing or other cost- and time-saving activities as of yet. Lack of knowledge Despite the SEC s and PCAOB s well-publicized announcements of their respective actions in 2007, it could be that many companies are not fully aware of these new guidelines and the potential opportunities to reduce time and costs involved with compliance. It could be expected in most cases that the external auditor would provide such knowledge; however, there could be some hesitancy among the auditors to leverage the revised guidelines, which could be attributable to custom and habit, the perceived reporting risks, or lack of support for certain AS5 principles such as the use of the work of others to ascertain the effectiveness of an organization s ICFR. Regardless of the reasons, the bottom line is that it behooves any company to acquire a full understanding of the SEC s interpretive guidance and PCAOB AS5, and to talk to its external auditor about activities internal audit and other departments can perform to assist in the ICFR attestation process. 18 Moving Internal Audit Back into Balance

21 PCAOB AS5 Change in Internal Company Efforts (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison % % 17% 17% 17% 19% 15% 15% 5% Decreased >25% Decreased 10-25% Decreased <1 No change Increased PCAOB AS5 Change in Use of External Resources (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison 7 67% 6 59% % 11% 1 14% 1 12% Decreased >25% Decreased 10-25% Decreased <1 No change 4% 4% Increased Moving Internal Audit Back into Balance 19

22 Impact of SEC s Interpretive Guidance and PCAOB AS5 (cont.) Quantity and Scope of Processes and Controls Decreases were reported, but not as much as in Respondents were asked about the impact of the SEC s guidance on numerous compliance-related processes and controls in the organization. They also were asked about the impact of the application of PCAOB AS5 by their external auditors on these same processes and controls. Similar to 2008, there are several positive trends, including a majority of respondents reporting decreases in key controls and total controls documented and tested. However, in most compliance-related process and control categories, the percentage of decreased responses dropped compared to 2008, while the increased response percentages rose year-over-year. Impact of SEC s Interpretive Guidance: Two-Year Comparison 2009 Decreased No Change Increased 2008 Decreased No Change Increased 2009 Number of key controls documented and tested 2008 Number of key controls documented and tested 6 35% 5% 75% 23% 2% 2009 Number of total controls documented and tested 2008 Number of total controls documented and tested 56% 39% 5% 68% 3 2% 2009 Number of key in-scope processes 2008 Number of key in-scope processes 45% 5 5% 58% 4 2% 2009 Number of total risks identified 2008 Number of total risks identified 44% 5 6% 58% 38% 4% 2009 Number of in-scope locations 2008 Number of in-scope locations 24% 7 6% 36% 61% 3% 2009 Use of a risk-based testing approach 2008 Use of a risk-based testing approach 15% 5 35% 18% 41% 41% 2009 Increased reliance on monitoring and/or entity-level controls 2008 Increased reliance on monitoring and/or entity-level controls 15% 56% 29% 17% 41% 42% 2009 Reliance on the work of others by the external auditor 2008 Reliance on the work of others by the external auditor 15% 47% 38% 14% 4 46% *2009 Increased reliance on self-assessment techniques 9% 75% 16% * Not included in 2008 survey Moving Internal Audit Back into Balance

23 The Importance of Understanding Risk The real key in Year Four and beyond of Sarbanes-Oxley compliance is how to keep things fresh and keep people vigilant. The recent financial collapse of so many companies shows that Sarbanes-Oxley was not the be all and end all to prevent loss of shareholder wealth. While companies were spending significant time and money ensuring things were recorded properly, they lost sight of the business risks that could bring down a company or an industry, wiping out billions of dollars in shareholder wealth in the process. The real key for investors (and employees) is around understanding risk: What are the risks? Are they independent or dependent? If they are dependent, what are they dependent on? How can they impact the company? What is the magnitude and likelihood? Are they being monitored properly? This is where internal audit can best assist the audit committee and management, and where we must strengthen our skill set as a profession hence the importance to rebalance resources. Without understanding risk, we can be auditing the wrong areas at the wrong time. The bottom line is that businesses face far greater risks today than Sarbanes-Oxley, and internal audit must not only rebalance but also retool to meet the current requirements. There is going to be a sea change in internal audit, and each of us has a choice be ready, willing and able, or become obsolete. Larry Harrington, Vice President, Internal Audit, Raytheon Company Impact of PCAOB AS5: Two-Year Comparison 2009 Decreased No Change Increased 2008 Decreased No Change Increased 2009 Number of key controls documented and tested 2008 Number of key controls documented and tested 55% 4 5% 64% 34% 2% 2009 Number of total controls documented and tested 2008 Number of total controls documented and tested 51% 44% 5% 6 39% 1% 2009 Number of total risks identified 2008 Number of total risks identified 39% 57% 4% 53% 46% 1% 2009 Number of key in-scope processes 2008 Number of key in-scope processes 42% 54% 4% 51% 48% 1% 2009 Number of in-scope locations 2008 Number of in-scope locations 24% 72% 4% 36% 62% 2% 2009 Use of a risk-based testing approach 2008 Use of a risk-based testing approach 12% 53% 35% 17% 44% 39% 2009 Increased reliance on monitoring and/or entity-level controls 2008 Increased reliance on monitoring and/or entity-level controls 12% 56% 32% 16% 45% 39% 2009 Reliance on the work of others by the external auditor 2008 Reliance on the work of others by the external auditor 1 48% 42% 15% 38% 47% *2009 Increased reliance on self-assessment techniques 7% 16% 77% * Not included in 2008 survey Moving Internal Audit Back into Balance 21

24 Impact of Rebalancing Initiatives Internal Audit Responsibilities in Sarbanes-Oxley Compliance Lead responsibility remains the most common role for internal audit. Findings regarding internal audit s role in Sarbanes-Oxley compliance have been consistent over the course of the Rebalancing studies. Of note, control design evaluation and testing of operational effectiveness decreases with each year of compliance, as do serving as members of compliance teams and steering committees, and developer of documentation. This could indicate that process owners are taking more direct ownership and responsibility for their processes and controls, as permitted under PCAOB AS5. (Please note that in the interest of simplicity, the chart below illustrates internal audit s primary roles in the first year of Sarbanes-Oxley compliance and beyond the fourth year of compliance. Percentages of responses for Years Two to Four consistently fall in the gap between these two trend lines.) Internal Audit Primary Roles 35% 3 25% 1st year of compliance Beyond 4th year of compliance 2 15% 1 5% Control design evaluation and testing of operational effectiveness Lead responsibility Member of compliance team/steering committee Developer of documentation Advisor to compliance team/steering committee Limited to testing of operational effectiveness Limited to control design evaluation None Don t know Other 22 Moving Internal Audit Back into Balance

25 Allocating Internal Audit Efforts for COSO Internal Control Objectives Consistent with the past three surveys, reliability of financial reporting remains the top COSO objective of focus for internal audit activities. The continued concentration on reliability of financial reporting is an interesting trend given that one in three respondents reported that they had achieved rebalancing or were beyond rebalancing. Remember, the purpose of rebalancing is to move internal audit activities away from Sarbanes-Oxley compliance toward broader coverage of the COSO framework. We would expect these rebalanced, or soon to be rebalanced, internal audit organizations to have established a better balance among all aspects of the COSO model by now. Organizations also should be aware that the internal audit landscape is changing. According to The IIA, financial reporting is only part of the internal control picture. As of January 1, 2009, the internal audit activity must evaluate and contribute to the improvement of governance, risk management and control processes using a systematic and disciplined approach (Standard 2100). Another Standard (2120.A1) notes that internal audit must evaluate risk exposures regarding reliability and integrity of financial and operational information; effectiveness and efficiency of operations; safeguarding of assets; and compliance with laws, regulations and contracts. Internal Audit Efforts Allocated Against COSO Objectives of Internal Control st year of compliance 2nd year of compliance 3rd year of compliance 4th year of compliance Beyond 4th year of compliance Effectiveness and efficiency of operations Reliability of financial reporting (including Sarbanes-Oxley compliance) Compliance with applicable laws and regulations Safeguarding of assets Note: Chart does not include Other and Don t know responses. Moving Internal Audit Back into Balance 23

26 Impact of Rebalancing Initiatives (cont.) Rebalancing the Skills Gap While down slightly from the 2008 results, a substantial percentage of this year s respondents perceive a significant or moderate skills gap among Sarbanes-Oxley-experienced auditors for other internal audit projects. Survey participants were asked to what extent there is a skills gap in their organizations among Sarbanes-Oxleyexperienced auditors for other internal audit projects, such as operational and nonfinancial reporting audits. Four out of 10 respondents perceive either a significant or moderate gap. This is consistent with Protiviti s Internal Audit Capabilities and Needs Survey. 2 Over the past three years, this study has identified traditional internal audit skills such as enterprise risk management and fraud risk management as competencies most in need of improvement. One troubling finding in this category is the 17 percent Don t know response. The revised IIA Standards (which became effective in January 2009) require the CAE to report any resource constraints to management and the board of directors. More definitive results in this category of the survey would be expected in light of this Standard, as there should not be a lack of knowledge about skills within the internal audit function. Also of note, 43 percent of respondents reported there is no skills gap in their departments with regard to Sarbanes-Oxley auditors performing other types of internal audit activities. Perceived or Real Skills Gap Sarbanes-Oxley-Experienced Auditors for Other Internal Audit Projects: Two-Year Comparison No skills gap 43% 49% Moderate skills gap 31% 36% Significant skills gap 9% 8% 2009 Don t know 7% 17% % 1 15% 2 25% 3 35% 4 45% 5 2 For more information, read Protiviti s 2009 Internal Audit Capabilities and Needs Survey, available at 24 Moving Internal Audit Back into Balance

27 Changes to The IIA Standards On January 1, 2009, The IIA formally released its revised International Professional Practices Framework, which includes revisions to the organization s International Standards for the Professional Practice of Internal Auditing. Key changes to the Standards include the following: Six new Standards have been added. In virtually all of the Standards, The IIA has revised its wording, replacing should with must. Additional requirements have been added to existing Standards. Interpretations have been added, incorporating components that previously were part of The IIA s practice advisories. With the change from should to must in most of the Standards and the addition of six new Standards, internal audit functions must take action to achieve or remain in compliance. For some, only minimal adjustments may be necessary. For others, however, there may be a need for substantial changes to their internal audit plans and structures. Without question, the internal audit rebalancing activities of organizations could be among the many areas affected by the new and revised Standards. Of particular note, IT governance and fraud risk management are key areas The IIA addresses in all-new Standards. We plan to monitor and report on key trends related to the Standards in next year s Rebalancing survey report. Internal Audit Staffing, Hours and Budget Allocations During Year One of Sarbanes-Oxley, most internal audit departments spend a majority of their time on compliancerelated activities. This year s results are consistent with previous Rebalancing surveys. After Year Two, there is a relative level of consistency in internal audit hours dedicated to Sarbanes-Oxley compliance, indicating that internal audit departments are planning or implementing rebalancing efforts to address more traditional responsibilities. Internal Audit Hours Dedicated to Each Year of Sarbanes-Oxley Compliance st year of compliance 2nd year of compliance 3rd year of compliance 4th year of compliance Beyond 4th year of compliance 2 1 > 75% 50-75% 20-49% 10-19% < 1 None Don t know Moving Internal Audit Back into Balance 25

28 Impact of Rebalancing Initiatives (cont.) Impact of SEC s and PCAOB s Guidance These regulations continue to have a positive impact on internal audit hours dedicated to Sarbanes-Oxley compliance. However, as indicated in many of the findings from this year s Rebalancing survey, respondents noted less of a decrease compared to what was reported in Internal Audit Hours, SEC s Interpretive Guidance: Two-Year Comparison % 42% 37% 42% % 3% 8% 3% Significantly increased Moderately increased No change Moderately decreased 11% 1 Significantly decreased Internal Audit Hours, PCAOB AS5: Two-Year Comparison % 38% 43% % 2 1 2% 1% 11% 11% Significantly increased Moderately increased No change Moderately decreased 1 7% Significantly decreased 26 Moving Internal Audit Back into Balance