Achieving High Performance in Internal Audit

Transcription

1 Achieving High Performance in Internal Audit

2 Contents Executive Summary 5 About this Study 8 Quality 12 Authority, Independence and Mandate 16 Challenges and Trends 23 Internal Audit Resources 28 Value 33 Graphs About this Study Graph 1 Organisations by Type 9 Graph 2 Organisations by Revenue 9 Graph 3 Organisations by Industry 10 Graph 4 Organisations by State 10 Graph 5 Internal Audit Function by State 11 Challenges and Trends Graph 22 Change in Structure and Direction of Internal Audit in Last 12 Months 24 Graph 23 Proportion of Internal Audit by Functional Areas 25 Graph 24 Internal Audit Scope (previous 12 months) 25 Graph 25 Internal Audit Scope (next 12 months) 26 Graph 26 Emerging Priorities in Next 3 Years 27 Quality Graph 6 Ensuring Quality in Internal Audit 13 Internal Audit Resources Graph 7 Level of Compliance with the Standards 14 Graph 27 Growth of FTE Personnel in Internal Audit 29 Graph 8 Level of Compliance with the Standards by Revenue 14 Graph 28 How Much Did Your Organisation Spend on Graph 9 Last External Quality Assessment Review 15 Internal Audit in the Last 12 Months? 30 Graph 10 Last External Quality Assessment by Sector 15 Graph 29 Thinking about the Next 12 Months, Do You Expect to Spend More or Less on Internal Audit 31 Graph 30 Unfilled Demand for Technical Skills 31 Authority, Independence and Mandate Graph 11 Appointing and Removing the CAE 17 Graph 31 Staff Retention Graph 32 Internal Audit Certification Graph 12 Appointing and Removing the CAE by Sector 17 Graph 13 Setting the Remuneration and Bonus of the CAE 18 Value Graph 14 Setting the Remuneration and Bonus by Sector 18 Graph 33 The Level of Value that Internal Audit Provides 34 Graph 15 Evaluating the Performance of the CAE 19 Graph 34 Projects that have Added the Most Value in Graph 16 Evaluating CAE Performance by Sector 19 Last 12 Months 35 Graph 17 Approving the Scope and Budget of Internal Audit 20 Graph 35 Extent of Reliance by External Auditor 36 Graph 18 Approving Scope and Budget by Sector 20 Graph 36 Extent of Reliance by External Auditors 36 Graph 19 Composition of the Audit Committee 21 Graph 37 Audit Issue Resolutions 37 Graph 20 CAE Meeting Privately without Management 22 Graph 38 Actions Tracked Arising from Audits (Standard 2500) 37 Graph 21 CAE Meeting Privately without Management by Size 22 Graph 39 Reporting Findings 38 Graph 40 Providing Assurance Opinions 38 Graph 41 Providing Assurance Opinions 39 Graph 42 Providing Macro Opinions 39 Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 2

3 Key Messages Christopher McRostie Chief Executive Officer The Institute of Internal Auditors Australia Welcome to the Internal Audit Benchmarking Survey. The Survey is a key undertaking for IIA- Australia and Protiviti, and is aimed at holding up a mirror to our profession, with a view to highlighting current practices and priorities and charting our progress. There were many highlights this year. For a start, there has been visible progress in Audit Committees asserting their responsibility for internal audit a positive development that reduces the risk of management capture and improper influence from C-level executives. Audit Committees are increasingly having final say over internal audit s scope and budget as well as performance evaluations. A good majority of Chief Audit Executives are now also holding private meetings with Audit Committees in the absence of management. While there is still some way to go before internal audit s reporting and accountability lines support full independence of the function, taken together, these improvements add up to substantial steps in the right direction. A major area that is proving to be a perennial difficulty for the profession however, is adherence to internal auditing standards. Although the vast majority of organisations agree that compliance with the IIA s International Professional Practices Framework (IPPF) is a mainstay of internal audit quality, the survey confirmed that full adherence to these standards has fallen by 11 per cent over the past three years. In fact, less than a third of Australian organisations fully comply with the IPPF even though these are the only globally accepted standards for internal audit practice. To address this issue, IIA-Australia will be responding with a comprehensive solution to boost internal audit quality through a tightening of our membership criteria. From 1 July, we will be introducing a new professional membership program which will support internal auditors to meet high community expectations. Professional members will be required to meet prescribed competency standards as well as apply the IPPF in performing all internal audit work. Importantly, professional members will be identified by a new designation which will signal to employers, peers and the broader community that they have the necessary skills to be effective internal auditors. We believe the mark of professional membership will become a real asset to internal auditors. It will signal their commitment to quality practice, validate their expertise, and will rapidly become a ticket to career progression and greater professional standing for every internal auditor. I look forward to your support of our new membership program. I would like to thank Protiviti for their excellent work and valuable assistance in conducting this Survey. I am also very grateful to all who took the time to participate. The information you share builds a broader picture of the state of play in our profession and provides important insights to guide us toward where we want to be. I am sure you will find this report as useful as we do. Christopher McRostie CEO, The Institute of Internal Auditors Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 3

4 Key Messages Gary Anderson Managing Director Protiviti This is the third year that Protiviti and the IIA have worked together to produce the Benchmarking Survey. We are pleased to be involved in this study which continues to reveal important trends about the internal audit profession. This year has been characterised by many achievements as the profession continues to grow in stature. Internal audit is increasingly operating as a valued adviser with the survey demonstrating strong alignment between the internal audit agenda and the organisation s strategic objectives. We have seen strategic risk emerge as a major focus an encouraging sign that internal audit is appropriately focussed on the organisation s longer term priorities and is asserting its involvement in aspects of the business that drive future value. As economic conditions continue to improve and Corporate Australia renews its appetite for capital investment, it s also pleasing to see internal auditors strengthening their focus on major project reviews which will be is a vital safeguard for investor and shareholder value. Our community expects nothing less than exceptional governance from its institutions so it is encouraging to see internal auditors stepping up to the plate. The profession is also gaining significant credibility with the survey indicating that Audit Committees place a high value on internal audit services. This is a reflection of the excellent relationship many internal auditors are continuing to develop with senior board members who are able to discharge their risk oversight responsibilities far more thoroughly with the support and assurance provided by their internal audit teams. By contrast, there appears to be scope for management to be won over by the benefits of internal audit. The challenge for auditors is to develop a better understanding of management needs and deliver to them. This may involve striking a better balance between their assurance and strategic consulting roles. Harnessing the review process to pinpoint areas where efficiencies and performance can be improved may well generate findings that resonate better with management than pure compliance issues. It is also important to remember that raising the overall professionalism of internal audit plays a key part in building credibility. It s therefore disappointing that compliance by Australian organisations with internal auditing standards has fallen for a third year in a row with organisations citing compliance costs as a major cause. Implementing standards to ensure a minimum level of rigour in the conduct of internal audit work clearly requires some investment in time, money and commitment. This is the normal price of doing things properly. But it is a necessary price if management and the board are to receive accurate, objective and complete information from internal audit about whether the organisation is being effectively governed. As expectations of internal audit grow, the challenge for our profession is to evolve ahead of the curve and embrace all opportunities to improve the quality of our service and the relevance of our expertise. I hope the survey will provide a useful reference for organisations to reflect on the strengths and weaknesses of their internal audit teams and to take steps where necessary, toward positive change. Gary Anderson Managing Director, Protivi Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 4

5 Executive Summary Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 5

6 Executive Summary Quality The majority of respondents (83%) reported that they strive to ensure quality in internal audit through compliance with the International Professional Practices Framework (IPPF) Standards. Despite this, full compliance with the Standards continues to decline from 38% in to 31% in. Top reasons cited for not fully complying with the IPPF Standards include: the organisation and/or internal audit function is too small, full implementation is too costly or time consuming and compliance is not perceived by the Board and/or management as adding value. Key additional methods of ensuring quality include staff membership and certification with IIA-Australia, implementation of a quality assurance and improvement program in accordance with IPPF Standard 1300 and sign-off of internal audit reports by CIA qualified staff. The use of these measures was at similar levels to last year. A consistently high standard of internal audit practices across all organisations and sectors can only be achieved by adherence to the IPPF Standards. The results present a compelling case for mandating full compliance with the Standards for anyone conducting internal audit work. Challenges and Trends The top six areas identified by Chief Audit Executives (CAEs) as priorities in the next 3 years are: Major Project Implementations IT Core Financial Controls Risk Management Attestation Strategic Risk Fraud Organisations are more willing to invest since the end of the economic downturn. Projects that were put on hold are now being undertaken as confidence returns. Addressing the implementation of major projects has increased by 11% from 58% in to 69% in. This is an encouraging trend that internal audit is seeking involvement in this area which organisations use to drive future value. The challenge for internal audit is to have the approach and skills to deliver against management and Audit Committee expectations. An increase in strategic risk as a priority is also an encouraging trend. It suggests that internal audit is looking at long-term risk priorities of an organisation and not just focussing on the short-term. Although still in the top six, fraud has significantly decreased as a priority since. Internal Audit Resources For the third year in a row, CAEs have reported an urgent skills shortage in the area of IT audit. This is a concern given that IT has been identified as a major priority over the next 3 years. It is interesting to observe the increase in the requirement for environment and sustainability skills. This could be due to a move to more strategic risks and assessing the effectiveness and efficiency of the environmental process rather than from a pure compliance perspective. For example, more organisations are measuring power and water to reduce costs, know their carbon impact and also potentially improve their reputation as a socially responsible organisation. Audit functions spend the majority of their time on non-financial matters (79%) highlighting the need for organisations to consider how to obtain the most appropriate skill mix to the internal audit activity when the majority of existing internal auditors have primarily financial based skills. Some organisations have successfully recruited broad skills and rotated staff from the business into internal audit while others have co-sourced or out-sourced these skill needs. Generally, larger internal audit groups with over 10 staff have been more successful at recruiting and rotating staff. Value There is a significant difference in how internal auditors perceive the value they are delivering to management versus the Audit Committee. According to CAEs, Audit Committees place a significantly greater value on internal audit services (72%) compared to management (45%). Explanations for the perceived differences could be that either management does not fully appreciate the extent of value that internal audit provides or that the audit plan and projects are focussed more toward assurance to the Audit Committee rather than direct value to management. The Audit Committee on the other hand heavily relies on the internal audit function for the assurance they provide over risk management, control and governance processes. Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 6

7 Executive Summary Process and/or operational audits are projects that have added the most value in the last 12 months (32%). Fewer than 1% of organisations indicated that finance related projects created the greatest value. Some consistent examples of projects that add value include: Cost Control Reviews Major Projects Reviews Business Case Reviews Data Analysis Continuous Controls Monitoring/Auditing Fraud Awareness Training Projects that delivered the greatest value were typically driven by the use of specialist skills, frameworks and tools. Organisations spent an average of $1.1 million to maintain an in-house internal audit function. This is consistent with previous studies and equates to approximately 5-8 staff. The average spend on out-sourced internal audit that was also consistent with previous years at approximately $190,000 per annum. This indicates that out-sourcing is occurring for internal audit functions that require the equivalent of 1-5 staff. There is broad confidence in budgets for next year with 36% of organisations planning to increase spending on in-house activity and 55% to spend about the same. For co-source activity it drops to 3 planning an increase and 28% are unsure about the direction of next year s spend. For full-outsourced activity the trend continues with only 11% planning an increase and 53% being unsure. This could be the result of two factors. 1. The perceived value of in-house activity could be increasing while it is decreasing for co-source and out-source activity. 2. The planned spending increase on in-house activity reflects its more fixed cost nature while co-source and out-source activity is viewed as more variable according to assessment of value delivered, organisation needs and higher expectations of productivity improvement. Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 7

8 About the Study Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 8

9 About the Study The study includes a diverse range of sectors and organisations. Participants invited to participate in the survey were Chief Audit Executives who are current members of the IIA-Australia. Overall, the profile of participants is similar to previous years. Since, participation by listed companies as a percentage of total participants has dropped from 37% to 24%. Organisations by Type - Graph 1 Data was collected from 115 organisations. Participants in the survey included listed companies (24%), unlisted private companies (14%), federal, state and local government agencies (5) and not for profit organisations (9%). Graph 1 Organisations by Revenue - Graph 2 Large and very large organisations represent over half of the respondents (53%). 24% of all organisations have turnover between $1 and 5 billion and of organisations have turnover exceeding $5 billion % 41% 37% 3 28% 24% 14% 14% 14% 6% 9% 1% 7% 3% Listed Company Unlisted Private Sector Company Government Not for Profit Service Provider or Other Graph 2 35% 35% 34% 3 31% 3 29% 32% 25% 23% 15% 17% 18% 14% 18% 19% 5% Small ( $ million) Medium ( $ million) Large ( $ billion) Very Large ( $ > 1 billion ) Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 9

10 About the Study Organisations by Industry - Graph 3 As in previous years, respondents from the government sector represented the largest industry sector taking part in the survey (44%) and participation is growing each year. Although 5 of organisations advised they are government by type (see graph 1), when responding by industry some government respondents allocated their industry to other sectors for example Resources & Utilities. Financial services is the next highest category (17%) and consumer products and retail (14%). Organisations by State - Graph 4 Information was collected across each of the six states and the Australian Capital Territory. The highest proportion of respondents came from New South Wales (38%), followed by Queensland (17%) and Victoria (16%). A small proportion of respondents were resident outside of Australia. Graph % 44% 3 18% 17% 17% 14% 14% 9% 7% 6% 8% 6% 4% 5% 5% 6% 2% Financial Services Resources & Utilities Consumer Products & Retail Construction & Manufacturing Government Not for Profit Other Graph 4 35% 36% 38% 3 31% 25% 15% 21% 18% 16% 17% 19% 17% 5% 12% 6% 7% 12% 13% 12% 3% 4% 8% 3% 3% 1% 1% 1% 1% NSW VIC QLD ACT WA SA Outside Australia TAS Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 10

11 About the Study Internal Audit Function by State - Graph 5 New South Wales has the highest State average of the proportion of internal audit function based in that State. Surprisingly, South Australia and Western Australia have a high proportion of internal audit functions based in these States relative to other larger States such as Victoria and Queensland. Graph % 6 64% 68% 75% 65% 71% 37% 7% ACT NSW QLD SA VIC WA NT TAS Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 11

12 Quality Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 12

13 Quality This section asked participants to indicate how they ensured quality and professionalism in their teams and functions. The majority of respondents reported that they strive to ensure quality in internal audit through compliance with the International Professional Practices Framework (IPPF) Standards. Despite this, full compliance with the Standards continues to decline. Ensuring Quality in Internal Audit - Graph 6 Respondents revealed in the majority of organisations (88%) that the best way to ensure quality in their internal audit activity was to comply with the Standards, an increase of 9% from. Internal audit team membership of the IIA has remained consistent at around three quarters of all organisations encouraging audit practitioners to be members of IIA-Australia. Graph % 88% 8 79% 79% 75% 76% 6 55% 53% 41% 43% 39% 31% 31% 33% 21% 12% Compliance with IPPF Standards IA Staff Membership (IIA) Quality Program IPPF Standard 1300 IA Staff Certificiation CIA Reports Signed Off by CIA Other Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 13

14 Quality Level of Compliance with the Standards - Graphs 7 and 8 Despite acknowledgement of the importance of adherence to the Standards, under onethird (31%) of respondents indicated they fully complied with the Standards, with two-thirds (66%) indicating partial compliance and 3% unsure. The level of compliance to the Standards is relatively consistent across sectors. Organisations with greater revenue turnover of > $500 million ( up to 5) are more likely to be in full compliance than organisations with lower turnovers. Graph % 65% % 38% 3 31% Full Compliance Partial Compliance 2% 1% Not in Compliance 6% 4% 3% Do Not Know Graph % 0-100m m % 63% 500-1b 1-5b >5b % 5 37% 3 26% 16% Full Compliance Partial Compliance 5% 5% 6% Not in Compliance Do Not Know Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 14

15 Quality Last External Quality Assessment Review - Graphs 9 and 10 The Standards require an external assessment of the internal audit function at least every five years with internal quality processes to be performed on an ongoing basis. Almost half (49%) of respondents have not undertaken an external quality assessment. Less than one-tenth have completed an assessment within the last 12 months a major reduction from previous years. Across all sectors around half have never completed an external quality assessment. Graph % 43% 42% 3 18% 23% 25% 22% 9% 6% 7% 7% 3% 3% 6% 5% 5% 7% Within the Last 12 Months 1-3 Years Ago 4-5 Years Ago More than 5 Years Ago Never Completed Do Not Know Graph % 5 46% 43% Listed Company Unlisted Private Sector Company Government Not for Profit 3 25% 22% 22% 11% 14% 7% 9% 14% 7% 4% 7% 7% 6% Within the Last 12 Months 1-3 Years Ago 4-5 Years Ago More than 5 Years Ago Never Completed Do Not Know Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 15

16 Authority, Independence and Mandate Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 16

17 Authority, Independence and Mandate Internal audit s role in the governance process is optimised when the internal audit function is independent from management and reports to individuals with no actual or perceived motivation to limit the scope of internal audit activities. A direct reporting line to the audit committee is best practice. In this year s study, the research found there has been no improvement by Audit Committees exercising their authority in having the ultimate decision over appointing and removing the CAE. In addition, the Audit Committee is still only making these decisions in less than half of all organisations. Appointing and Removing the CA - Graphs 11 and 12 The Chief Financial Officer s involvement in appointing and removing the CAE is of concern and has increased from previous years, particularly amongst unlisted private companies (19%). Graph 11 By sector, the Audit Committee Chair is most actively involved in the appointment & removal of the CAE in listed companies (7) and least actively involved in government organisations (22%). 5 45% 41% 3 36% 35% 33% 31% 14% 11% 11% Board Graph 12 Audit Committee Chair Chief Executive (or equivalent) 4% 2% 5% 2% 4% 4% 2% 2% 4% 4% 4% 2% 1% 3% Chief Financial Officer (or equivalent) Company Secretary / General Counsel (or equivalent) Chief Risk Officer Division Head Other % 48% Listed Company Unlisted Private Sector Company Government Not for Profit 3 3 7% 6% Board 22% Audit Committee Chair 19% 15% Chief Executive (or equivalent) 7% 19% 7% 7% 5% Chief Financial Officer (or equivalent) Company Secretary / General Counsel (or equivalent) Chief Risk Officer Division Head Other Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 17

18 Authority, Independence and Mandate Setting the Remuneration and Bonus of the CAE - Graphs 13 and 14 The Chief Executive (or equivalent) is primarily involved in setting the remuneration and bonus of the CAE, particularly within the government sector. In listed and unlisted companies, almost one third (3 and 31%) of CFOs perform this function. Graph % 42% 3 12% 16% 14% 17% 13% 11% 5% 8% 3% 2% 1% 1% 3% 6% 6% 8% 8% 8% Board Audit Committee Chair Chief Executive (or equivalent) Chief Financial Officer (or equivalent) Company Secretary / General Counsel (or equivalent) Chief Risk Officer Division Head Other Graph Listed Company 5 Unlisted Private Sector Company Government Not for Profit % % 3 19% 22% 19% 13% 9% 7% Board 9% Audit Committee Chief Executive (or equivalent) 7% 7% 7% 3% 3% 4% Chief Financial Officer (or equivalent) Company Secretary / General Counsel (or equivalent) Chief Risk Officer Division Head 9% 6% 4% Other Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 18

19 Authority, Independence and Mandate Evaluating the Performance of the CAE - Graphs 15 and 16 Overall, there is a positive trend for the Audit Committee to evaluate the performance of the CAE while Chief Executives (or equivalent) are decreasing their role in this area. In listed and unlisted companies, it is concerning to see that the CFO is involved in evaluating the performance of the CAE in 19% and 25% respectively of these organisations. Graph % 38% 3 29% 29% 26% 7% 6% 5% Board Audit Committee Chair Chief Executive (or equivalent) 11% 7% 4% 8% Chief Financial Company Officer (or Secretary / equivalent) General Counsel (or equivalent) 4% 4% 2% 3% Chief Risk Officer 6% 5% 4% 4% 3% 2% Division Head Other Graph 16 8 Listed Company 7 7 Unlisted Private Sector Company 6 Government Not for Profit 5 52% % 38% 4% 6% 5% Board Audit Committee 19% 15% Chief Executive (or equivalent) 19% 25% 9% 3% 3% 3% 3% 3% 4% 4% Chief Financial Officer (or equivalent) Company Secretary / General Counsel (or equivalent) Chief Risk Officer Division Head Other Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 19

20 Authority, Independence and Mandate Approving the Scope and Budget of Internal Audit - Graphs 17 and 18 In a positive sign, there is an increasing trend for Audit Committees (63%) to approve the scope and budget of the internal audit. The Audit Committee is responsible for the majority of listed companies (89%) for this function. Graph % 63% 44% 3 32% 23% 19% 9% 7% Board Audit Committee Chair Chief Executive (or equivalent) 6% 3% Chief Financial Officer (or equivalent) 1% 1% 2% 2% 5% 3% 4% Company Secretary / General Counsel (or equivalent) Chief Risk Officer Division Head Other Graph % Listed Company Unlisted Private Sector Company Government Not for Profit 69% % 6% Board Audit Committee 4% 13% Chief Executive (or equivalent) 7% 6% 6% 7% 4% Chief Financial Company Officer (or Secretary / equivalent) General Counsel (or equivalent) Chief Risk Officer Division Head Other Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 20

21 Authority, Independence and Mandate Composition of Audit Committee - Graph 19 Similar to previous years results, almost all of the organisations that responded to the study have an Audit Committee or equivalent body acting in that capacity, which is encouraging. Just over one-third of Audit Committees (35%) do not have an independent chairperson. Continuing with the positive trend, only of audit committees are made up of executives. Graph % 72% % 63% 65% % 14% 2% 2% 1% 1% 1% 1% 1% 3% 1% Independent Chairperson Majority/ All Independent Members Audit Committee Made Up Primarily of Executives (Management) No Audit Committee, Function is Served by a Similar Sub-committee of the Board No Audit Committee, Function is Served by the Full Board No Audit Committee in Place Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 21

22 Authority, Independence and Mandate Private Meetings without Management - Graph 20 63% of CAEs are having private meetings with the Audit Committee Chair or full Audit Committee, an increase of 15% from the previous year. Organisations with revenue less than $100 million are less likely to have private meetings without management present. Graph % 3 33% 34% 3 32% 25% 18% 22% 12% 14% 15% Yes, Private Session with Audit Committee Chair Yes, Private Session with Full Audit Committee Yes, Separate Private Sessions with Audit Committee Chair and the Full Audit Committee No Private Meetings without Management by Size - Graph 21 Graph m 5 55% 5 48% m 500-1b 1-5b 38% 43% >5b 3 14% 27% 9% 19% 17% 9% 27% 19% 17% 24% 9% 14% 16% 5% Yes, Private Session with Audit Committee Chair Yes, Private Session with Full Audit Committee Yes, Separate Private Sessions with Audit Committee Chair and the Full Audit Committee No Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 22

23 Challenges and Trends Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 23

24 Challenges and Trends Internal audit is a long standing but rapidly evolving profession, with increasing demands on the extent and scope of work performed. This poses challenges for the profession in meeting new expectations while not losing sight of traditional core areas. Level of Change in Structure and Direction - Graph 22 The level of change in organisations has continued to stabilise with just under half (46%) indicating no major changes to structure, roles or reporting lines during last 12 months. Graph % 43% 43% 3 31% 33% 28% 24% 23% 25% 2% 1% 1% Highly Stable - No Major Changes to Structure, Role, Reporting Lines Moderately Stable Some Change in These Areas Significant Change Significant Change in Structure, Role and/or Reporting Lines Do Not Know Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 24

25 Challenges and Trends Proportion of Internal Audit by Functional Areas - Graph 23 Audit functions spend the majority of their time on non-financial matters (79%) highlighting the need for organisations to consider how to obtain the most appropriate skill mix to the internal audit activity when the majority of existing internal auditors have primarily financial based skills. Some organisations have successfully recruited broad skills and rotated staff from the business into internal audit while others have co-sourced or out-sourced these skill needs. Generally, larger internal audit groups with over 10 staff have been more successful at recruiting and rotating staff. Graph % 79% 1% 6% 6% 12% 15% Other Fraud Governance IT Risk Management Compliance Operational 3 21% 29% Change of Scope of Internal Audit in Last 12 Months - Graph 24 Over the last 3 years, there has been a moderate decrease in the structure and direction of internal audit in most areas with the exception Graph 24 Financial Mixed Sections of consulting and advisory which has remained relatively stable % 67% 58% 59% 69% % 33% 3 44% 43% 5 33% 35% % 17% Overall Size of Plan (Days) Financial Process Audits (Including External Audit Support) Operational Audits Compliance Audits (Laws, Regulations and Policy) Consulting / Advisory Assurance on Risk Framework Note This graph only depicts increases to the internal audit scope and does not show decreases or no change. Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 25

26 Challenges and Trends Change of Scope of Internal Audit in Next 12 Months - Graph 25 Over half of organisations (59%) expect that assurance on risk frameworks will increase over the next 12 months. Only 25% expect an increase in financial audits. Graph % % 49% 38% 34% 54% 56% 44% 47% 36% 42% 65% 56% 52% 66% 59% 24% 25% Overall Size of Plan (Days) Financial Process Audits (Including External Audit Support) Operational Audits Compliance Audits (Laws, Regulations and Policy) Consulting / Advisory Assurance on Risk Framework Note This graph only depicts increases to the internal audit scope and does not show decreases or no change. Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 26

27 Challenges and Trends Emerging Priorities for Internal Audit in the Next 3 Years - Graph 26 The top six areas identified by CAEs as priorities in the next 3 years are: Major Project Implementations IT Core Financial Controls Risk Management Attestation Strategic Risk Fraud Organisations are more willing to invest since the end of the economic downturn. Projects that were put on hold are now being undertaken as confidence returns. Addressing the implementation of major projects has increased by 11% from 58% in to 69% in. An increase in strategic risk as a priority is also an encouraging trend. It suggests that internal audit is looking at long-term risk priorities of an organisation and not just focussing on the short-term. Although still in the top six, fraud has significantly decreased as a priority since. This is an encouraging trend that internal audit is seeking involvement in these areas which organisations use to drive future value. The challenge for internal audit is to have the approach and skills to deliver against management and Audit Committee expectations. Graph % 58% 69% 66% 52% 6 53% 6 72% 55% 55% 53% 54% 61% 45% 43% 3 Major Project Implementations IT Core Financial Controls Risk Management Attestation Strategic Risk Fraud Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 27

28 Internal Audit Resources Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 28

29 Internal Audit Resources As internal audit s scope continues to broaden, skills and resources need to evolve to keep pace. This section outlines key findings in this area. Number of Full Time Equivalent Personnel in Internal Audit - Graph 27 Almost 6 in 10 organisations employ between 1 and 5 FTE s in their internal audit department. The number of in-house staff employed is relatively consistent with previous years with a reduction in the overall average from 8 FTE s in to 6 in. Not surprisingly, organisations with annual turnover of > $5 billion employ the most staff with 19 employed in-house on average. The low proportion of organisations out-sourcing internal audit is reflective of the sample where CAEs with in-house and co-source arrangements complete the survey with few service providers completing it on behalf of organisations where the internal audit function is completely out-sourced. Average Employees by Organisation Size $ 0-100m $ m $ 500-1b $ 1-5b $ > 5b In-house Co-sourced Outsourced Graph % 61% 59% 3 19% 18% 1 to 5 Staff 13% 6 to 10 Staff 9% 9% 11 to 15 Staff 3% 4% 5% 16 to 20 Staff 11% 12% 9% >20 Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 29

30 Internal Audit Resources Internal Audit Expenditure - Graph 28 Organisations spent an average of just under $1 million to maintain an in-house internal audit function. This is consistent with previous studies and equates to approximately 5-8 staff. The average spend on out-sourced internal audit is also consistent with previous years at approximately $215,000 per annum. This indicates that out-sourcing is occurring for internal audit functions that require the equivalent of 1-5 staff. Graph 28 $1,000,000 $963,575 $800,000 $600,000 $629,091 $400,000 $200,000 $215,241 0 In-House Co-Sourced Outsourced The table below shows the average spend of internal audit in the last 12 months by organisation size. $ 0-100m $ m $ 500-1b $ 1-5b $ > 5b In-house 127, , ,714 1,039,943 4,733,333 Co-sourced 165, , , ,833 2,017,500 Outsourced 38,571 48, , , ,000 There is broad confidence in budgets for the next 12 months with 36% of organisations planning to increase spending on in-house activity and 55% to spend about the same. For co-source activity it drops to 3 planning an increase and 28% are unsure about the direction of next year s spend. For fully out-sourced activity the trend continues with only 11% planning an increase and 53% being unsure. This could be the result of two factors: 1. The perceived value of in-house activity could be increasing while it is decreasing for cosource and out-source activities. 2. The planned spending increase on in-house activity reflects its more fixed cost nature while co-source and out-source activities are viewed as more variable according to perception of value delivered, organisation needs and higher expectations of productivity improvement. Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 30

31 Internal Audit Resources Thinking About the Next 12 Months, Do You Expect to Spend More or Less on Internal Audit? - Graph 29 Graph More 8 55% 28% 53% Less About the Same Unsure 6 34% 8% 8% 26% 37% 3 11% In-House Co-Sourced Fully Outsourced Unfilled Demand for Key Technical Skills - Graph 30 The top three key technical skills where there is high or very high unfilled demand are IT (42%), project management (38%) and operations (28%). For the third year in a row, CAEs have reported an urgent skills shortage in the area of IT audit. This is a concern given that IT has been identified as a major priority over the next 3 years. It is interesting to observe the increase in environment and sustainability skills. This could be due to a move to more strategic risks and assessing the effectiveness and efficient of the environmental process rather than from a pure compliance perspective. For example, more organisations are measuring power and water to reduce costs, know their carbon impact and also potentially improve their reputation as a socially responsible organisation. Graph % 45% 42% 38% 38% 3 29% 26% 32% 28% 33% 21% 23% 19% 19% 17% 9% 14% 13% 14% IT Skills Project Management Operations Risk Management Environment and Sustainability Financial and Accounting Treasury and Finance Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 31

32 Internal Audit Resources Staff Retention - Graph 31 Similar to previous years, over one in three organisations (36%) are concerned about keeping staff. Listed organisations are the most concerned (), while not for profit organisations have the least concern overall. Reasons for concerns include price pressures, stability, growth opportunities and a high demand for talent. An emerging theme this year is higher salary expectations, particularly among more junior staff. Graph Listed Company Unlisted Private Sector Company Government Not for Profit 67% % 3 32% 36% 25% 27% 24% 17% 22% 8% 11% 8% 11% 11% Very Concerned Somewhat Concerned A Little Concerned Not at All Concerned Internal Audit Certification - Graph 32 Respondents were asked whether they were a Certified Internal Audit. Just under half (46%) are not certified while 36% of respondents are an increase from last year. The remainder have intentions to become a CIA in the future. Graph % 48% 46% 3 35% 36% 28% 17% 18% 18% Yes No No, But Intend to Become One in Future Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 32

33 Value Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 33

34 Value For the value of the internal audit function to be understood by the organisation, appropriate accountability frameworks must be in place for internal audit so that results are achieved and communicated in a transparent way. This section outlines key findings in this area. Internal Audit Value - Graph 33 There is a significant difference in the level of value internal auditors perceive they deliver to management versus the Audit Committee. According to CAEs, Audit Committees place a significantly greater value on internal audit services (72%) compared to management (45%). Explanations for the perceived differences could be that either management does not fully appreciate the extent of value that internal audit provides or that the audit plan and projects are focused more toward assurance to the Audit Committee rather than direct value to management. The Audit Committee on the other hand heavily relies on the internal audit function for the assurance they provide over risk management, control and governance processes. Graph % Management Rating Audit Committee Rating % 47% 3 26% 5% 1% 1% 2% 1% Significant Value Moderate Value Neutral Somewhat Valuable Little or No Value Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 34

35 Value Projects that have Added the Most Value in Last 12 Months - Graph 34 Process and/or operational audits are projects that have added the most value in the last 12 months (32%). Fewer than 1% of organisations indicated that finance related projects created the greatest value. Some consistent examples of projects that add value include: Cost Control Reviews Major Projects Reviews Business Case Reviews Data Analysis Continuous Controls Monitoring/Auditing Fraud Awareness Training. Projects that delivered the greatest value were typically driven by the use of specialist skills, frameworks and/or tools. Graph 34 35% 3 32% 25% 24% 15% 14% 14% 5% 6% Process / Operational Audit Risk Management / Compliance IT Audit Other Project Management None Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 35

36 Value Reliance by External Auditor - Graphs 35 and 36 A coordinated approach between internal and external auditors prevents duplication of effort and presents a holistic assurance plan to the Audit Committee. It also facilitates effective and efficient allocation of internal audit resources. In the last 12 months, the extent of reliance by the external auditor has slightly increased with 46% of CAEs reporting the extent of reliance in the form of a coordinated approach with a high degree of reliance placed on internal audit work. This represents a 4% increase from last year s results. Coordinated approaches are more common in the unlisted private sector. External auditors of 16% of listed companies and 8% of unlisted private sector companies place no reliance on the work of internal audit. Graph % 47% 42% 46% 44% 48% 3 9% 7% 6% Coordinated Approach with High Degree of Reliance Placed on IA Work Limited Reliance in a Small Number of Specific Areas No Reliance Graph % Listed Company Unlisted Private Sector Company 6 Government 57% 56% Not for Profit 5 41% 44% 44% 3 17% 16% 8% 2% Coordinated Approach with High Degree of Reliance Placed on IA Work Limited Reliance in a Small Number of Specific Areas No Reliance Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 36

37 Value Reporting - Graphs 37, 38, and 39 Management responsibility for monitoring corrective action continues to decline. 44% of respondents indicated a shared responsibility for monitoring corrective action no change from last year. Almost half of respondents (42%) use a hybrid model to track actions arising from audits. Over half of all respondents (51%), rate both the area under review and each individual issue when reporting findings. Graph % 44% 41% 38% 3 32% 3 26% 22% 15% 1% 4% 3% Management Internal Audit Both Other Graph % 42% 3 25% 21% 22% 21% 15% 8% 2% 1% Review of Findings from Areas which Received a Poor Rating Review of Findings Which were Rated has High Importance Hybrid Neither Other (Please Specify) Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 37

38 Value Graph % 51% 3 36% 37% 5% 6% 3% 1% 1% 5% Rating of the Area Under Review Rating of Each of the Issues Identified Both Neither Other (Please Specify) Providing Assurance Opinions - Graphs 40 and 41 Internal audit is increasingly being asked to provide assurance opinions. Over two-thirds (67%) of respondents reported that the majority of opinions provided were positive and capable of providing reasonable assurance a slight increase from previous years. On average, just under one-fifth (17%) on average of respondents do not provide assurance opinions a slight decrease from previous years results. One in five listed companies (), do not provide assurance opinions. Graph % 64% 67% % 17% 14% 23% 18% 17% 2% 1% 2% Positive / Reasonable Assurance Conditions Met Negative / Limited Assurance Nothing to Indicate Conditions Not Met No Assurance Exceptions Only Don t Know Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 38

39 Value Graph % 89% Listed Company Unlisted Private Sector Company Government Not for Profit 6 56% 59% Positive / Reasonable Assurance Conditions Met 17% 12% Negative / limited Assurance Nothing to Indicate Conditions Not Met 15% 11% 8% 4% 4% No Assurance Exceptions Only Don t Know Other (Please Specify) Providing Macro Opinions - Graph 42 Almost half of listed companies (44%) are providing macro opinions. Almost seven in ten private sector organisations (67%) and nine in ten not for profit organisations (89%) are not providing macro opinions. Graph % Listed Company Unlisted Private Sector Company Government 6 67% Not for Profit 52% 53% 44% 29% 17% 16% 18% Yes 11% No 4% Don t Know Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 39

40 SYDNEY The Institute of Internal Auditors PO Box A2311 Sydney South NSW 1235 AUSTRALIA Ph: Fax: enquiry@iia.org.au Level 7/133 Castlereagh Street Sydney NSW 2000 Australia IIA provides internal auditing practitioners, executive management, boards of directors and audit committees with standards, guidance and information on internal auditing best practices. Established in Australia in 1952, the IIA has chapters across the country. Globally, the IIA serves more than 160,000 members in internal auditing, governance and internal control, IT audit, education and security from more than 165 countries. BRISBANE Level 15, 333 Ann Street Brisbane, QLD 4000 AUSTRALIA Ph: (07) Fax: (07) brisbane@protiviti.com.au CANBERRA Level 5, 71 Northbourne Avenue Canberra, ACT 2600 AUSTRALIA Ph: (02) Fax: (02) canberra@protiviti.com.au MELBOURNE Level 17, 140 William Street Melbourne, VIC 3000 AUSTRALIA Ph: (03) Fax: (03) melbourne@protiviti.com.au PERTH Level 29, 221 St Georges Terrace Perth, WA 6000 AUSTRALIA Ph: (08) Fax: (08) perth@protiviti.com.au SYDNEY Level 45, MLC Centre 19 Martin Place Sydney, NSW 2000 AUSTRALIA Ph: (02) Fax: (02) sydney@protiviti.com.au Protiviti ( is a global business consulting and internal audit firm composed of experts specialising in risk, advisory and transaction services. The firm helps solve problems in finance and transactions, operations, technology, litigation, governance, risk, and compliance. Protiviti s highly trained, results-oriented professionals provide a unique perspective on a wide range of critical business issues for clients in the Americas, Asia-Pacific, Europe and the Middle East. All marks used are the property of their respective owners. Protiviti Pty Limited / An Equal Opportunity Employer. Protiviti & Institute of Internal Auditors - Australia/Achieving High Performance in Internal Audit page 40