Chief Audit Executive Survey 2011 - perspectives and trends from internal audit leaders

Chief Audit Executive Survey 2011

Looking to the future:Perspectives and trends from internal audit leaders

Contents

2 Executive summary

5 Internal audit career paths

6 Organizational structure of internal audit departments

8 Internal auditing approach

11 Board relationships

12 Internal audit technology

13 Risk management

16 Conclusion

1

The first annual survey of more than 300 chief audit executives (CAEs) from U.S. institutions reveals the evolving nature of internal audit activities at home and abroad. The survey indicates that the focus of internal audit is broadening beyond financial compliance to drive greater value throughout the organization. Internal audit admirably handled the most onerous demands of the Sarbanes-Oxley Act (SOX) and is ready to take on different challenges around automation, technology risk and operational improvements. While many of these challenges may have been considered in the recent past, actively addressing these items seems to be the order of the day.

2


Executive summary

During the second half of 2010, Grant Thornton LLP’s Advisory Services professionals surveyed more than 300 CAEs from a geographically dispersed mix of public and private U.S. institutions, with a focus on dynamic organizations in the middle market. The purpose of this survey is to provide insights into current trends and identify how internal audit professionals are responding to the changing demands of their profession.

Internal audit is evolving along the value creation dimension. Because of the changes in the profession, no single definition can capture the essence of what internal audit is. Internal audit is a little different for each organization and should be customized accordingly.

“As attention once again moves beyond compliance, CAEs believe that the audit committee, board of directors and executive management want to rely more on internal audit to be their eyes and ears on the ground,” says Paul Kanneman, Grant Thornton’s Business Advisory Services national managing principal. “In response, CAEs are moving from a largely reactive role to an increasingly proactive one.”

After the introduction of SOX, the pendulum had swung far to the end of the audit spectrum and was focused on compliance. This was true for public companies, and private companies, too, began to go down the path of increased effort in financial controls compliance, focusing specifically on financial statement internal controls. Many operational audit areas were left unaddressed as organizations responded to an all-hands-on-deck need to address SOX compliance needs.

Now CAEs and the boards are taking action to rebalance their activities and restore a more even allocation of resources between compliance-related audits and operational audits. CAEs are addressing these concerns, which are known by the internal audit community and highlighted by operations management and audit committees. This survey confirms that internal audit is not only performing traditional activities involving compliance and controls issues, but also has a new focus on responsibilities such as evaluating emerging risks, ensuring appropriate corporate governance, and incorporating technology into internal audit processes. Following are highlights of what CAEs responding to the survey had to say.

“ As attention once again moves beyond compliance, CAEs believe that the audit committee, board of directors and executive management want to rely more on internal audit to be their eyes and ears on the ground.”

3

A springboard for executive advancementNearly seven in 10 CAEs see internal audit as a springboard for advancement into other executive management positions at their own companies or into a CAE role with greater authority at a larger company. And 13% of CAEs serve on boards at outside organizations. The high value of internal audit Organizations place high value on internal audit work as demonstrated by in-house staffing trends: Twenty-three percent of CAEs expect their departments to grow. Most respondents predicting growth come from organizations with internal audit departments that have 10 or fewer professionals. The use of outsourcing and co-sourcing of internal audit services is largely expected to remain unchanged in the next 12 months.

Commitment to operational auditing confirmed; outlook for continuous auditing less certainMore than nine in 10 CAEs perform operational auditing, with nearly one-quarter of all respondents saying that hours dedicated to operational auditing will increase. Only one-third perform continuous auditing, but almost one-half see their time commitment to continuous auditing increasing in the next 12 months.

Internal audit adds value to board Virtually all CAEs (95%) believe they provide value to the audit committee, in particular through risk-monitoring activities and efforts that strengthen corporate governance oversight. Most respondents (89%) are comfortable with taking issues to the audit committee that are inconsistent with management’s views or positions.

Governance, risk and compliance technology underusedMore than four in 10 respondents state that their organization is not using governance, risk and compliance (GRC)-specific technology effectively. However, data analytics has been adopted by two-thirds of CAEs to help achieve more efficient internal audit processes and increased coverage.

Regulatory environment the greatest threatAlmost one-half of CAEs see continuing changes to the regulatory environment as the greatest threat to their organization’s governance performance. The next-highest threats in descending order of importance are global expansion into new regions or culturally different locations, new initiatives, and the launch of new products or services.

4

Anti-fraud efforts enhanced Nearly three in four organizations have formal anti-fraud measures in place. More than eight in 10 CAEs (86%) are directly involved in fraud investigations, with in-house auditors taking the lead 46% of the time and chief counsel supervising just under one-third of anti-fraud investigations. Regulatory changes have the majority of organizations placing greater emphasis on maintaining an effective whistleblower program and monitoring intermediaries in foreign locations via enhanced Foreign Corrupt Practices Act (FCPA)-related policies and procedures.

Technology riskNearly one-quarter of respondents have discussed information technology (IT) trends and governance implications with the chief information officer (CIO) as many as five times in the past year. While 69% of CAEs say their organizations use cloud computing, 64% of them don’t include it in their internal audit plan.

For more information, contact a member of the Governance, Risk and Compliance Solution Group:

Warren StippichNational and Midwest Region Solution LeaderT 312.602.8499E [email protected]

Bailey JordanSoutheast Region Solution LeaderT 919.881.2790E [email protected]

Bill MellonNortheast Region Solution LeaderT 215.376.6087E [email protected]

Edward HillCentral Region Solution LeaderT 832.476.3710E [email protected]

Justin HendricksonWest Region Solution LeaderT 206.398.2436E [email protected]


Internal audit career paths

5

Internal audit is coming of age. Audit professionals increasingly view internal audit positions as a springboard to executive careers within today’s organizations: Nearly seven in 10 CAEs (68%) see the internal audit department as a stepping-stone for advancement to future leadership positions beyond their current role.

Asked what their next career step might be, many CAEs say they expect either to move into another executive management position within their own organization (30%) or to make the move to a CAE role with more authority at a larger company (23%). SOX legislation, which heightened financial reporting mandates, has elevated the status of internal audit. The post of CAE now offers exposure to all aspects of business as an executive as well as to the board of directors, thus giving practitioners insight into the intricacies of how the organization works. This experience is increasingly valued by leadership, who may rely on internal audit to help them understand the implications of business decisions in today’s challenging economic climate.

CAE perceptions today reinforce the August 2010 findings of The Institute of Internal Auditors’ License to Lead survey of CAEs and audit committee members. Conducted in conjunction with Korn/Ferry International, the IIA survey found that audit committees, CEOs and CFOs are demanding more from the internal audit function than ever before. That survey indicates that today’s CAEs need broader experience, more business acumen, and other key leadership skills than ever before to be effective in today’s dynamic economic environment.1 Internal audit is increasingly perceived as a business function that can help save money, eliminate inefficient business practices and minimize risk.

Gaining this level of experience and exposure may still be a work in progress. Only 13% of respondents belong to a board of directors at another organization, usually a not-for-profit. Of those CAEs currently on outside boards, 36% serve on audit committees, 22% on finance committees and 13% on governance committees. Up-and-coming professionals that embrace these trends may soon be pushing for experience on outside boards of directors — and audit committees in particular — to obtain the broad view these types of oversight roles provide, even if that board presence is within a charitable organization.

“Sitting in an audit committee role at another organization gives the CAE a unique perspective of seeing the role of board member and governance oversight monitoring firsthand through a different lens,” explains National Governance, Risk and Compliance (GRC) Solution Leader and Partner Warren Stippich. “It can only make the CAE a better governance executive and a better all-around business adviser to his or her company.” Through advanced education and thought leadership development, CAEs will be better able to meet the demands of audit committees and management who are looking for internal audit to more proactively provide strong business insight than ever before.

I believe the internal audit function is a grooming place for future leadership roles elsewhere in my organization.

Agree 68%Neutral 19% Disagree 13%

1 See www.kornferryinstitute.com/about_us/thought_leadership_library/publication/2316/license_to_lead

6


Organizational structure of internal audit departments

Many CAEs responding to our survey come from organizations whose audit shops are relatively small; 75% of CAEs rely on 10 or fewer employees. The size of internal audit departments is expected to remain largely unchanged over the next 12 months; 73% of CAEs foresee no change in the size of their departments. Another 23% expect their departments to grow. Of CAEs that expect growth, 71% are from departments that have fewer than 10 employees.

With U.S. unemployment figures still hovering at their highest levels in 10 years, the expectation that departments will continue to be staffed at 2010 levels indicates that the volatile economic turmoil of the past three years may be subsiding. Executive search consultant Buzz Patterson of Chicago-based Donahue/Patterson Associates notes that while the overall size of internal audit departments will likely not change, the makeup of the individuals within those departments may. Many highly talented individuals are in the market for traditional internal audit roles in corporate settings for the first time in a long while. “This is an opportunity for companies to ‘change out’ the individuals on the internal audit team, especially at the leadership level,” observes Patterson.

Who actually performs internal audit activities will vary across organizations. Almost two-thirds of respondents (63%) indicate that all internal audit activities are performed in-house. Another one-third (35%) rely on a co-sourcing mix, meaning that internal audit responsibilities are shared between in-house auditors and third-party service providers. Just over 2% of respondents fully outsource their internal audit functions. As internal audit activities expand into ever more complex governance, business improvement and IT areas, more CAEs will have to decide whether to invest in upgrading in-house skill sets or increase reliance on third-party service providers for subject-matter expertise.

How many in-house employees work in your internal audit organization?

0 2%1-10 75%11-25 15% More than 25 8%

How do you expect these numbers to change in the next 12 months?

Increase 23%Stay the same 73%Decrease 4%

“ This is an opportunity for companies to ‘change out’ the individuals on the internal audit team, especially at the leadership level.”

Almost one-half of all CAEs, meanwhile, rank strategic risks as the least important element in their audit focus. It is unclear whether this means that strategic risks are being evaluated elsewhere in the organization — for instance, within specific operating units or an enterprise risk management (ERM) program — or not at all. Or, as Stippich observes, the response might reflect a prioritization of limited resources that puts financial, operational and SOX-related risk mitigation efforts ahead of strategic risk evaluations. Stippich notes, “As CAEs and internal auditors take on additional value-added activities, the opportunity exists for the internal audit function to work through strategic risk assessments and discussions.”

Indeed, CAEs are already facing difficult sourcing decisions and coming to different conclusions about how to meet auditing needs. Plans for outsourcing some audit activities in the next 12 months are varied: About two-thirds of CAEs (64%) plan to continue outsourcing or co-sourcing at current levels, while 20% expect to increase external sourcing. One CAE at a manufacturing company notes, “Finding the right talent on a timely basis has proven challenging, even in this down economy. That is driving me to look outside for external service providers to help meet my scheduling needs.”

Another 16% of CAEs plan to decrease their reliance on outside resources. The survey results indicate that in general, CAEs expect to make only marginal changes in their dependence on outsourcing and co-sourcing to meet auditing needs.

Nevertheless, as the trend to increase the scope of internal audit activities continues, reliance on outsourcing and co-sourcing is likely to persist given the sheer volume of work that needs to be done. CAEs indicate they will continue using outsourcing and co-sourcing arrangements, particularly for subject matter expertise. Third-party providers are also relied upon for operational areas where in-house knowledge is shallow. One of those areas is IT work. “Internal auditors are turning to providers with special knowledge to perform highly technical IT audits,” says Stippich. “This is insight into an area that the organization’s internal auditors may know little about.” In fact, 55% of CAEs list IT audits — both security and nonsecurity — as the most outsourced or co-sourced functions.

Despite organizational demands pulling them in new directions, CAEs say that their audit time is split almost evenly among four main areas of risk: strategic, operational, financial and compliance. While financial risk understandably consumes the most time, some CAEs say that operational risk (36%) slightly edges out time spent on threats to compliance (33%). Given that SOX measures have largely been implemented by now, our findings may indicate that internal audit may be able to focus its attention more broadly on emerging risk areas and operational risk.

What roles are you outsourcing/co-sourcing?

Subject matterexpertise

Staff Management0%

100%

40%

20%

60%

80%

Respondents could select more than one answer.

7

“ Internal auditors are turning to providers with special knowledge to perform highly technical IT audits.”

8


Internal auditing approach

8

Virtually all CAEs are engaged in operational auditing, with more than nine in 10 respondents (91%) now performing some form of operational audit. Operational audits generally focus on the systematic review and evaluation of an aspect or area of a business or business unit to determine whether it is functioning effectively and efficiently, meeting objectives and goals, and using resources appropriately.2 “In some respects this is surprising, based on what I’ve seen in the marketplace recently,” comments National GRC Solution Executive Co-Sponsor Steve Siemborski. “I think the CAEs’ definition of operational auditing is quite broad. The real proof will be if management and the audit committee agree that operational auditing is taking place and adding value,” Siemborski continues.

The percentage of internal audit time dedicated to operational auditing varies among organizations. One-fourth of CAEs (25%) currently spend more than 50% of their time focused on operational auditing, and nearly one-quarter (23%) believe that amount of time will increase in the next 12 months as businesses are pushed harder to achieve optimal performance during the economic recovery. For organizations that had to reduce transaction processing and operating headcount, this area could be fraught with audit risk. A director of internal audit at a retailer notes, “Trying to balance compliance audit needs with operational audit opportunities continues to tax the group time-wise and skill-wise.”

One audit tool CAEs plan to rely on more to achieve higher levels of operational auditing is continuous auditing. The concept of continuous auditing has been around for some time but is not widely applied, as shown by the small number of internal audit professionals currently engaged in the practice. Continuous auditing is any method used by auditors to perform audit-related activities on a more continuous or continual basis.3 Specifically, continuous auditing is the application of automated tools to provide assurance on financial and nonfinancial data within an organization on an ongoing basis throughout the year. “We live in an era in which technology is the key to just about everything. For internal auditors, technology is critical to enabling continuous auditing as a method to automatically perform control and risk monitoring on a more frequent basis and has to be embraced fully,” states National GRC Solution Executive Co-Sponsor Mike Rose. Continuous auditing changes the audit paradigm from periodic reviews of a sample of transactions to ongoing audit testing of all transactions.

One-third of CAEs say they rely on continuous auditing, yet more than one-half of those CAEs (56%) spend less than 10% of internal audit hours on these efforts. “The change management involved in implementing effective continuous auditing has been a steep mountain to climb for many CAEs and internal audit departments, because it is a significant break from the old way of doing things,” says Stippich.

When automated processes are used effectively, practitioners can provide a higher level of assurance over more significant risks. CAEs recognize that value; almost half of respondents (44%) expect their hours dedicated to continuous auditing to increase over the next 12 months.

2 For more information about operational auditing, see Grant Thornton’s CorporateGovernor white paper The blank sheet of paper: An old tool is new again, www.GrantThornton.com/ corporategovernorseries.3 The Institute of Internal Auditors, Global Technology Audit Guide 3, Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment. The guide is available for purchase at www.theiia.org/guidance/technology/gtag3/?search=GTAG%20continuous%20auditing.

“ Trying to balance compliance audit needs with operational audit opportunities continues to tax the group time-wise and skill-wise.”

Do you perform operational auditing?

Yes 91%No 9%

Do you perform continuous auditing?

Yes 33%No 67%

What percentage of hours is dedicated to operational auditing?

Less than 10% 9%11-25% 35%26-50% 32%More than a25%

Less than 10% 56%11-20% 27%21-25% 10%More than 25% 7%

What percentage of hours is dedicated to continuous auditing?

Responses do not total 100% due to rounding.

Operational auditing: How will your number of hours change in the next 12 months?



Continuous auditing: How will your number of hours change in the next 12 months?


9

1010

International resources Internal audit operations are moving abroad as many organizations pursue global agendas. About four in 10 CAEs (39%) say that some of their organizations’ internal audit activities take place on foreign soil. Of these CAEs, about 85% have domestic internal audit staff travel to foreign locations. These results indicate that U.S.-based internal auditors can reasonably expect to travel abroad, the cost for which will be borne by U.S. audit departments. But there is also a benefit: As their international experience increases, U.S.-based internal auditors can build valuable cross-cultural relationships. One CAE at a global financial services firm notes, “The real balancing act is controlling travel and entertainment costs for the global travel of U.S.-based internal auditors with the benefits of bringing the American culture to the local country subsidiary.”

Of CAEs reporting that their organizations perform internal audit activities in other countries, more than two-thirds (69%) note that foreign internal audit personnel do not report directly to CAEs in the U.S. They may be reporting to a local internal audit director assigned to that region of the world or even to local business unit management.

Almost one-half of all CAEs (48%) whose organizations perform foreign internal audit activities say that up to 25% of that work is performed in BRIC countries (Brazil, Russia, India and China). Their high economic growth and sustainable rate of economic activity signal a dynamic market shift that may consume more internal audit resources in the coming years. Internal audit departments must position themselves to handle growth in risk monitoring in these parts of the world.

What percentage of non-U.S. work is conducted by co-sourceproviders with in-country staff?


What percentage of non-U.S. work is conducted by domestic internal audit staff traveling to those foreign locations?

0% 13%1-25% 34%26-50% 11% 51-75% 9% More than 75% 31%Do not know 2%

0% 50%1-25% 26%26-50% 12% 51-75% 7% More than 75% 4%Do not know 2%

What percentage of current internal audit effort is in BRIC (Brazil, Russia, India, China) countries?

0% 43%1-25% 48%26-50% 6% 51-75% 2%More than 75% 1%Do not know 2%


“The real balancing act is controlling travel and entertainment costs for the global travel of U.S.-based internal auditors with the benefits of bringing the American culture to the local country subsidiary.”

11


Board relationships

Virtually all CAEs (95%) believe that internal audit is valuable to the audit committee, with most respondents placing emphasis on risk-monitoring activities and efforts that strengthen corporate governance oversight. Respondents think that business planning, increased efficiency and general business advice are of less value to the board right now. These results may indicate that CAEs are not doing enough of these activities to add consistent and recognizable value. Based on audit committee feedback given to Grant Thornton GRC partners, we believe that audit committees are always looking for additional value-added discussions from the internal audit function. Providing the board with strategic insight, business improvement recommendations and general business advice should be an area of value growth for internal audit.

Three in four CAEs (75%) meet individually with audit committee chairs often, whether in person or by phone. Six in 10 of those respondents (60%) meet up to five times a year with the chair of the audit committee outside regular committee and board meetings. On the other hand, one-quarter of CAEs do not meet with the audit committee chair outside committee meetings at all. These results are surprising and may indicate a need to improve communication, since it is customary to spend time with the audit committee chair outside a regular meeting, usually at his or her request, in order to establish a strong tone of governance.

The requisite independent and objective mindset of internal auditors is illustrated by the large number of professionals who do not shy away from conflict. Roughly one-half of CAEs (52%) say they have to take matters to the audit committee that counter management’s view, and most CAEs — about nine in 10 (89%) — feel comfortable discussing issues with the audit committee that are inconsistent with management’s position.

As organizations expand their reach and activities in today’s higher-risk environment, this open line of communication between objective auditors and overseers at the board level can help provide a check-and-balance mechanism to prevent problems from growing.

Stippich observes: “This data shows that CAEs are independent thinkers and are doing what’s right to uphold the profession and to be the eyes and ears for the audit committee, which is their primary job. Having a CAE report directly to the audit committee helps ensure that the CAE feels safe about raising concerns that may run counter to management’s thinking.”

How many times a year do you meet one-on-one (in personor by phone) with the AC chair outside of regular committee and board meetings?

1-2 29%3-5 31%6-10 9% More than 10 5%Never 25%


1212


Internal audit technology

As the regulatory environment evolves, globalization increases and the business environment changes rapidly, audit committees and executive management are in need of timely, ongoing assurance that controls are working properly and risk is being mitigated effectively. These demands have increased the pressure on internal audit staff — pressure that can be alleviated, at least in part, through a greater reliance on technology.

But when it comes to using technology, CAEs see plenty of room for improvement in the internal audit department: More than four in 10 of them (44%) say that their organizations are not effectively leveraging GRC-specific technology. GRC technology generally enables an organization to perform and manage GRC-related strategy and implementation, such as cataloging risks and compliance requirements and the controls associated with them.

Automated technology solutions that facilitate the GRC process are at work in just over one-half of internal audit shops (54%). Among these organizations, the top three uses for GRC technology are internal audit documentation (37%), internal audit function management and administration (31%), and SOX testing (28%). Use of GRC technology may increase as fundamental concerns about governance, risk management, and compliance costs consume more time at the board and management levels.

Despite respondents’ generally limited use of GRC technology, two-thirds (66%) are using data analytics — or business and audit intelligence — to enhance the internal audit function. Data analytics has the potential to transform both the internal audit department itself and the department’s value to the organization by helping organizations identify and manage risks more effectively, efficiently and promptly.4 The IIA already recognizes the growing importance of data analytics to the future of internal audit.

CAEs who are using data analytics have achieved more efficient internal audit processes (76%); quicker pattern, trend and relationship identification (71%); and increased internal audit coverage (61%). CAEs whose organizations have not yet adopted data analytics cite cost and training as their primary reasons.

I believe that my organization effectively leverages governance, risk and compliance (GRC)-specific technology.

Agree 26%Neutral 30%Disagree 44%

4 See Grant Thornton’s white paper Information overload: How to make data analytics work for the internal audit function, www.GrantThornton.com/informationoverload

13


Risk management

Internal audit helps organizations identify, assess and prioritize risk. Nearly one-half of CAEs (48%) find the shifting regulatory landscape to pose the greatest threat to their companies. Since the passage of SOX, organizations have had to dedicate significant resources to comply with a host of new laws and regulations, including the Red Flags Rule, as mandated by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act); Payment Card Industry (PCI) security standards; the HIPAA Privacy Rule; and, most recently, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).

Additional risks beyond potential noncompliance with these new laws, rules and regulations can be found in a variety of areas. Among the risks CAEs cited most often were global expansion into new regions or culturally different locations (22%), new initiatives as the economic recovery takes hold (13%), and the launch of new products or services (12%).

Despite the additional burden that SOX places on organizations from a resource and cost standpoint, nearly nine in 10 CAEs (88%) do not believe that SOX should be repealed for all companies. Whether this outlook reflects resistance to additional regulatory change in the form of repeal or, alternatively, recognition that SOX provides value to some organizations is unclear. Based on discussions with various CAEs during the survey process, many believe that SOX brings a continued focus by management on financial and governance-related controls. Overwhelmingly, CAEs believe that entity- level controls, monitoring controls and the tone at the top have all improved over the nine years since SOX became effective. For the respondents who believe that SOX should be repealed, the cost of compliance was their main reason.

When it comes to risk management and governance, internal audit takes part in a variety of activities within organizations. More than three-quarters of the CAEs (77%) conduct fraud investigations and 59% are engaged in educating the board and management about governance topics. Other activities include having a role on the ERM team and auditing the ERM process.

What do you believe is the single biggest risk to your company?

Changes in the regulatory environment 48%Expansion into new territories/locations withculturally different values and perspectiveson governance 22%Number of change initiatives we are aboutto undertake when the recovery happens 13%Expansion into new products or services 12%Other 5%

Which of the following activities does your internal audit organization perform?

Conducting fraudinvestigations

Educating boardand management ongovernance topics

Having a role onthe ERM team

Auditing theERM process

0%

100%

40%

20%

60%

80%

Respondents could select more than one answer.

1414

With the passage of the Dodd-Frank Act and the enhancedwhistleblower provisions, I believe that my organization places great importance on having an effective whistleblower program.

Agree 62%Neutral 28%Disagree 10%

Relating to the Foreign Corrupt Practices Act (FCPA), what is your organization doing to monitor your intermediaries in foreign locations?

We are not doing anything to 23% monitor intermediaries

Conducting due diligence when 23%engaging for the first time

Performing an annual certification/ 15%background-checking process

Visiting the intermediary 10%home base

Hiring a third party to visit the 3%intermediary home base

Other 5%

Not applicable 21%

Nearly three in four organizations (72%) have formal anti-fraud policies and procedures in place. When internal fraud investigations are conducted, almost one-half of them are led by CAEs (46%), with just under one-third of investigations being supervised by the chief counsel (32%). These results might seem surprising since leading fraud investigation is an area usually outside of internal audit’s role. However, it indicates that many organizations recognize that internal audit is well-equipped, in skills and training, to undertake evidence collection, conduct interrogations and perform other forensic accounting activities necessary to investigate suspicious activities as they occur.

In response to new rules and regulations, most organizations have enhanced anti-fraud efforts in specific areas. For relevant companies, CAEs say that Dodd-Frank Act requirements and enhanced whistleblower provisions have motivated them to place greater emphasis on maintaining an effective whistleblower program. Under the new law, a whistleblower that provides information regarding securities violations, including FCPA violations, can receive up to 30% of the proceeds of any monetary penalty resulting from the violation. This provides greater incentive for individuals to step forward when fraud is suspected, likely placing a higher investigative burden on internal audit and the general counsel.

In order to comply with the FCPA, a majority of internal auditors are looking to better oversee the activities of foreign agents. More than half of respondents are monitoring intermediaries in foreign locations in some way, including conducting due diligence on foreign agents engaged for the first time (23%), performing annual certification or background checks (15%), or conducting visits to the intermediary (10%). But 23% are not doing anything to comply with FCPA requirements. The punitive sanctions associated with noncompliance for companies and individuals should have all CAEs engaged in compliance activities if their organizations conduct operations overseas.

“It is still very surprising that many executives do not seem to understand the ramifications of FCPA violations for the organizations involved for simply not being proactive in trying to detect and deter such activity,” states William Olsen, a principal in Grant Thornton’s Forensics, Litigation and Investigation Services practice. Olsen warns: “Organizations should be cautious when performing FCPA investigations. The investigation team should have the proper skills and expertise for examining these matters. Otherwise, violations may go undetected.”

“ Organizations should be cautious when performing FCPA investigations. The investigation team should have the proper skills and expertise for examining these matters. Otherwise, violations may go undetected.”

15

Technology riskIT issues are an important part of internal audit’s risk assessment process. IT’s impact on the organization’s overall risks has prompted dialogue between internal auditors and IT, management, and business process owners. More than two-fifths of respondents (43%) discuss IT trends and governance implications with the CIO once or twice a year; nearly one-quarter (23%) have broached the topic up to five times in the past year alone.

Survey respondents are relatively aware of cloud computing and the possibilities inherent in pushing data from internal corporate IT infrastructure to a global mesh of shared servers. More than three in four CAEs (77%) are at least somewhat familiar with cloud computing. Many respondents (69%) say that their organizations already use the cloud to reduce costs, improve operations and gain strategic advantages. Despite these statistics, 64% of CAEs say that cloud computing is not part of the internal audit plan. These results indicate room for improvement in planning, auditing and risk mitigation efforts as cloud computing evolves.

Survey responses suggest a lack of clarity around a definition for cloud computing, an understanding of its risks, and its implications for the business environment. Despite their unanswered questions, close to one-half of respondents (45%) expect their organization’s use of the cloud for hosting applications to increase in the next 12 months.

Similar results appear in the 2011 CIO Agenda survey conducted by Gartner Executive Programs. CIOs responding to the Gartner survey identify cloud computing as a top technology priority for 2011. While only 3% of CIOs in that survey run the majority of their IT in the cloud or on software as a service (SaaS) technology today, that number is expected to jump to 43% over the next four years.5

“Cloud computing is making real inroads at companies that choose to support growth and operational efficiencies through technology,” observes Grant Thornton’s National Business Consulting Solutions Leader Susan Pentecost. “Embracing the cloud can lead to real competitive advantages.”

Surprisingly, the security and controls implications of cloud computing are not foremost in the minds of the CAEs we surveyed: More than two in five of them (43%) have yet to give these issues any thought. “As more IT activities take place in a cloud environment, CAEs will need to be prepared to address the inherent risks and plan their internal audit approach accordingly,” cautions Stippich.

In the past year, how often have you and the chief information officer/VP of IT engaged in conversations regarding IT trends and their governance implications?

1-2 times 43%3-5 times 23%More than 5 times 16% Never 18%

How much of your company’s IT environment currently operates in the cloud?

None 31%Minimal 43%Moderate 20% Substantial 5%Extensive 1%

Which best describes your view as to the security, governance, risk and controls implications in moving to a cloud environment?

I haven’t really given it much thought. 43%There will be significant change, but we are alreadyworking on it and understand the implications. 26%It will not change the risk or controls profile ofour company. 16% There will be significant change, and neitherinternal audit nor IT fully understands theimplications. 15%

5 See Gartner Inc.’s 2011 press release Gartner Executive Programs Worldwide Survey of More Than 2,000 CIOs Identifies Cloud Computing as Top Technology Priority for CIOs in 2011, www.gartner.com/it/page.jsp?id=1526414. For more information about the survey, see www.gartner.com/cioagenda.

“ Cloud computing is making real inroads at companies that choose to support growth and operational efficiencies through technology”

1616

The results of our survey confirm that CAEs are seeking to create a new balance in the internal audit function. With their movement toward conducting fewer compliance-based activities and providing more value to the organization, internal audit professionals are responding to the changing demands of the profession. The survey findings also showcase the fact that risk management, particularly as it relates to fraud, technology and regulatory change, is still a high priority and a main concern.


Conclusion

Commenting on the survey results, Stippich is optimistic: “It’s outstanding to see where the profession is going. CAEs are extremely focused on rebalancing how they audit and are performing more operational audits. They are moving the meter on the use of technology and considering technology risk. I am also glad to see that global-mindedness is present in CAEs’ thinking. The profession has a very exciting future, and I’m thrilled to be part of it.”

Your company is:

Public 58%Private 42%

Your company’s revenues are:

Less than $100M 12%$100M-$500M 24%$500M-$1B 21%$1B-$5B 30%Greater than $5B 12%


Industry

Professional services 16%Consumer products 12%Technology 11%Retail 10%Health care 9%Not-for-profit 8%Manufacturing 8%Financial services 7%Higher education 5%Other 14%

Titles

Director 40%Chief audit executive 24%Vice president 14%Internal auditor 13%Chief financial officer 4%Manager 4%Other 2%


Responses came from public and private companies in geographically dispersed U.S. locations. While there was a wide range of organizational revenues, the majority of respondents came from dynamic organizations in the middle market (defined as having $100 million to $5 billion in annual revenues). Respondents worked in a variety of industries such as professional services, consumer products, technology, health care, not-for-profit and manufacturing. Respondents performed internal audit functions under varying titles, including director (40%), chief audit executive (24%) and vice president (14%), among others. Throughout this survey, we refer to all respondents as CAEs.

AnonymityThis report reflects the words of respondents to the maximum extent possible. To preserve anonymity, the survey does not attribute responses to specific individuals.

Survey purposeBudget constraints, emerging business risks, and the increasingly global reach of today’s diverse and complex organizations have created a demand for new ways of doing business. Internal audit roles and responsibilities are expanding in response to these changes. The 2011 survey of U.S. CAEs aimed to uncover how internal audit is adjusting to the changing demands of its role. We hope that by identifying trends taking place in the profession, we can provide CAEs with valuable insights for staffing, career progression, training, use of technology and audit planning.

MethodologyThe survey was administered online and in person during November and December 2010. More than 300 internal audit professionals responded to the survey, which constituted 30-plus questions. Respondents were not required to answer every question.

About the Survey

17

© Grant Thornton LLPAll rights reservedU.S. member firm of Grant Thornton International Ltd

About Grant Thornton Advisory ServicesToday you need trusted advisers who focus on insightful and innovative solutions for your complex issues, such as complying with changing legislation, managing risk, containing costs, streamlining business processes and identifying strategic transaction opportunities. Grant Thornton’s Advisory Services professionals can help add value by providing independent advice to public, private and not-for-profit organizations. Our specialists combine insight and innovation from multiple disciplines with a wide range of business and industry knowledge to deliver value to dynamic organizations in the middle market. To learn more, visit www.GrantThornton.com/advisory.

National Office 175 West Jackson BoulevardChicago, IL 60604312.856.0200

Washington National Tax Office1250 Connecticut Ave. NW, Suite 400Washington, DC 20036-3531202.296.7800

ArizonaPhoenix 602.474.3400

CaliforniaIrvine 949.553.1600Los Angeles 213.627.1717Sacramento 916.449.3991San Diego 858.704.8000 San Francisco 415.986.3900San Jose 408.275.9000Woodland Hills 818.936.5100

Colorado Denver 303.813.4000

FloridaFort Lauderdale 954.768.9900Miami 305.341.8040Orlando 407.481.5100Tampa 813.229.7201

GeorgiaAtlanta 404.330.2000

IllinoisChicago 312.856.0200Oakbrook Terrace 630.873.2500

KansasWichita 316.265.3231

MarylandBaltimore 410.685.4000

MassachusettsBoston 617.723.7900

MichiganDetroit 248.262.1950

MinnesotaMinneapolis 612.332.0001

MissouriKansas City 816.412.2400St. Louis 314.735.2200

NevadaReno 775.786.1520

New JerseyEdison 732.516.5500

New YorkLong Island 631.249.6001Downtown 212.422.1000Midtown 212.599.0100

North CarolinaCharlotte 704.632.3500Raleigh 919.881.2700

OhioCincinnati 513.762.5000Cleveland 216.771.1400

OklahomaOklahoma City 405.218.2800Tulsa 918.877.0800

OregonPortland 503.222.3562

PennsylvaniaPhiladelphia 215.561.4200

South CarolinaColumbia 803.231.3100

TexasAustin 512.391.6821

Dallas 214.561.2300Houston 832.476.3600San Antonio 210.881.1800

UtahSalt Lake City 801.415.1000

VirginiaAlexandria 703.837.4400McLean 703.847.7500

WashingtonSeattle 206.623.1121

Washington, D.C.Washington, D.C. 202.296.7800

WisconsinAppleton 920.968.6700Milwaukee 414.289.8200

Documents

Chief Audit Executive Survey 2011 - perspectives and trends from internal audit leaders