2012 Internal Audit Capabilities and Needs Survey – Healthcare POV
AHIA 31st Annual Conference
Breakout Session: Leadership Track
Session 1
Top Priorities for Internal Audit in Healthcare Organizations
© 2012 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
Today’s Presenters
Susan Haseley is a Managing Director and the Global Industry Leader for Protiviti's Healthcare and Life Sciences practice and also serves as the Dallas Office Market Leader. Susan has over 25 years of experience in providing risk consulting, internal audit and technology consulting services. Susan received her bachelor's degree in Information Systems from Ohio University and an MBA from the University of Dallas. She holds the Certified Internal Auditor (CIA), the Certified Information Systems Auditor (CISA), the Project Management Professional (PMP) certifications and is trained as a Six Sigma Green Belt. Susan is a member of the Institute of Internal Auditors (IIA), Information Systems Audit and Control Association (ISACA), and the Association of Healthcare Internal Auditors (AHIA). She also is a member of AHIP, HFMA, HCCA.
Alex Robison is a Managing Director and serves as Protiviti’s Western Region Healthcare Practice Leader and the firm’s National Healthcare Industry Revenue Assurance and Compliance practice leader. He has more than 15 years professional experience in providing operational, financial, information technology and regulatory consulting and internal audit services to the healthcare industry. Prior to entering consulting, Alex worked for a large multi-regional healthcare system responsible for integrating Managed Care HMO protocols with federally regulated Medicare guidelines for healthcare delivery. Alex is also a Certified Healthcare Compliance professional (CHC) and holds a master’s degree in Healthcare Administration (MHA).
Today’s Presenters – Cont.
Mike Fabrizius is Vice President of Audit Services for the Carolinas HealthCare System. He is a CIA, CPA and MBA. He has been active in the Association of Healthcare Internal Auditors (AHIA) in a variety of volunteer positions, including Chairman of the Board of Directors in 2011. Carolinas HealthCare System provides a full spectrum of healthcare and wellness programs throughout North and South Carolina. Its network of more than 650 care locations includes academic medical centers, hospitals, healthcare pavilions, physician practices, surgical and rehabilitation centers, home health agencies, nursing homes and hospice and palliative care.
Michael Fabrizius@carolinashealthcare org
Introduction
About the Survey
• Ongoing professional development is essential for today's internal auditors. They are:
– Facing greater demands to improve organizational processes
– Ensuring proper risk management and controls are in place
– Required to stay informed on the changing dynamics of business and technology
– Enjoying a broader range of career paths and opportunities
– Innovative thinkers ready to meet a wide range of challenges
• For internal auditing professionals to achieve all of this – and more – a strong level of competency in key areas is required
• The purpose of this survey, sixth in the series, was to continue to assess:
– How internal auditors perceive their present capabilities
– Where they currently see need for improvement
– How they prioritize those needs
• Protiviti conducted the survey from September 2011 through October 2011
• The survey included close to 200 topic areas divided into four major sections:
– Use of Technology in Auditing Business Process Controls
– General Technical Knowledge
– Healthcare Technical Knowledge
– Audit Process Knowledge
– Personal Skills and Capabilities
• Respondents were asked to rate:
– Their competency in these areas on a scale of 1 to 5
– Indicate whether competency was adequate or needs improvement
• The survey also assessed the following:
– Competency levels of CAEs
– Differing needs by industries and business size
– Three-year trends for CAEs and overall results
• Protiviti distributed the survey to the following groups:
– Attendees at various conferences
– KnowledgeLeader subscribers and trialers
– Internal audit professionals expressing interest in the survey
• NetReflector online survey software was used to tabulate the results
• Over 800 respondents participated in this survey
• 13% or 104 respondents represent U.S. Healthcare Providers
Introduction
Survey Respondent Breakdown
Position
Chief Audit Executive (CAE) 24%
Director of Auditing 15%
Audit Manager 21%
Audit Staff 17%
All Others 23%
Type of Organization
Publicly Traded 50%
Private 23%
Not-For-Profit 16%
Government 8%
Other 3%
Size of Organization (Gross Annual Revenues)
> $20 billion 12%
$10 billion - $19 billion 8%
$5 billion - $9 billion 11%
$1 billion - $4 billion 32%
$500 million - $999 million 16%
$100 million - $499 million 14%
< $100 million 7%
Industry
Financial Services 17%
Healthcare Provider (U.S.) 13%
Manufacturing 12%
Government/Education/Not-for-profit 9%
All Other Industries 49%
Overview
Topics of Focus
Use of Technology
Areas Evaluated
IT asset management
Vendor negotiation and set-up
Access controls
Cash receipts/applications
Supplier management
Travel and entertainment
Purchasing/purchase order
Data/telecom costs
HR records management
Accounts receivable
Revenue recognition
Billing
Fixed asset control
Receiving
Compensation and benefits management
Accounts payable/cash disbursements
Credit collection/bad debt
Cash management segregation of duties
Time and expense reporting
CTO/vacation tracking
Facilities leases/improvements
Electronic data interchange (EDI) analysis
Validation of employment
Credit memo process
Capital/operating leases
Physical security/building access
Obsolete/expired inventory
Construction analysis
Inventory valuation
Intercompany/interbusiness unit sales and transfer pricing
Inventory master control
Book and physical inventory differences
Sales contract timing
Call center/customer service
Royalties
Warranty repair
Use of Technology
Top Five – Overall Results
"Need to Increase Use of Technology"
Rank Areas Evaluated by Respondents Competency (5-pt. scale)
1 IT asset management 2.9
2 Vendor negotiation and set-up 2.7
3 (tie) Access controls 3.3
3 (tie) Cash receipts/applications 2.9
4 (tie) Supplier management 2.8
4 (tie) Travel and entertainment 2.9
5 (tie) Purchasing/purchase order 3.1
5 (tie) Data/telecom costs 2.8
5 (tie) HR records management 2.8
5 (tie) Accounts receivable 3.0
Use of Technology
Scatter Diagram
Use of Technology
Scatter Diagram Key
1 IT asset management 19 Time and expense reporting
2 Vendor negotiation and set-up 20 CTO/vacation tracking
3 Access controls 21 Facilities leases/improvements
4 Cash receipts/applications 22 Electronic data interchange (EDI) analysis
5 Supplier management 23 Validation of employment
6 Travel and entertainment 24 Credit memo process
7 Purchasing/purchase order 25 Capital/operating leases
8 Data/telecom costs 26 Physical security/building access
9 HR records management 27 Obsolete/expired inventory
10 Accounts receivable 28 Construction analysis
11 Revenue recognition 29 Inventory valuation
12 Billing 30 Intercompany/interbusiness unit sales and transfer pricing
13 Fixed asset control 31 Inventory master control
14 Receiving 32 Book and physical inventory differences
15 Compensation and benefits management 33 Sales contract timing
16 Accounts payable/cash disbursements 34 Call center/customer service
17 Credit collection/bad debt 35 Royalties
18 Cash management segregation of duties 36 Warranty repair
Use of Technology
Top Five – CAE Results
"Need to Increase Use of Technology"
Rank Areas Evaluated by Respondents Competency (5-pt. scale)
1 IT asset management 2.8
2 (tie) Cash receipts/applications 2.8
2 (tie) Supplier management 2.6
3 Purchasing/purchase order 3.0
4 Access controls 3.2
5 (tie) Accounts receivable 2.9
5 (tie) Revenue recognition 2.7
5 (tie) Data/telecom costs 2.7
Use of Technology
Company Size Breakdown
Rank Small < $1B Medium $1B-9B Large > $10B
1 IT asset management Vendor negotiation and set-up Access controls
2
IT asset management Access controls
Data/telecom costs Cash receipts/applications
Cash receipts/applications
Purchasing/purchase order Purchasing/purchase order
3 Travel and entertainment Travel and entertainment Supplier management
Supplier management HR records management
Supplier management Data/telecom costs IT asset management
4 Accounts receivable Vendor negotiation and set-up
Revenue recognition
CTO/vacation tracking
Purchasing/purchase order
HR records management
5
Billing Compensation and benefits management
HR records management
Fixed asset control
Compensation and benefits management
• Circled items are consistent top five items by company size
Use of Technology
Administrating the Audit Process
• More than one out of three organizations – 35 percent – are not utilizing any sort of software application to administrate their audit processes
– 37 percent of those who do so, are using basic word processing or spreadsheet software
– Just one in four of those who are not using technology plan to implement one within the next 12 months
– While more large companies tend to use a software application as part of their audit processes, nearly one in five (18 percent) do not
• Most respondents – 87 percent – noted that the tool they use delivers significant or moderate value to the audit process
Use of Technology
Prevent, Detect, Monitor and Investigate Fraud
Do you utilize results from your organization’s fraud risk assessment to identify business processes that need to be monitored for fraud?
Yes, we monitor high-risk processes using technology. 31%
No, we do not use technology to monitor for fraud. 50%
Yes, we monitor high-risk and medium risk processes using technology. 19%
Use of Technology
Continuous Auditing and Continuous Monitoring
Who utilizes continuous auditing and continuous monitoring the most in your organization?
Executive management / Mid level management / Internal audit / Other
Continuous Auditing: 4% / 13% / 70% / 13%
Continuous Monitoring: 6% / 36% / 44% / 14%
Key Questions to Consider – Healthcare Commentary
• Is the internal audit function partnering effectively with the CIO and IT department to assure that IT assets are managed and controlled appropriately? Are you aware of any gaps in the IT asset management process that should be addressed? Does the audit team have relevant and appropriate experience to handle technical matters?
• Is there a sufficient process in place to assess the security policies and practices of vendors that work with your organization? Does the organization have confidence that vendors’ access controls and privacy standards exceed or are on par with its own? Are vendor access controls terminated when vendor relationships end?
• Does the internal audit function have appropriate technology tools to audit effectively business processes such as expense management, purchase orders, suppliers and accounts receivable, among other areas?
• How are internal auditors leveraging technology to prevent, detect, monitor and investigate fraud?
• Have all significant classes of mobile devices been considered?
General Technical Knowledge
Areas Evaluated
Social media applications
Cloud computing
GTAG 13 - Fraud Prevention and Detection in an Automated World
Fraud risk management
GTAG 16 - Data Analysis Technologies
ISO 31000 (risk management)
Practice Guide - Assessing the Adequacy of Risk Management
Practice Guide - Measuring Internal Audit Effectiveness and Efficiency
International Financial Reporting Standards (IFRS)
The Guide to the Assessment of IT Risk (GAIT)
GTAG 6 - Managing and Auditing IT Vulnerabilities
GTAG 15 - Information Security Governance
GTAG 3 - Continuous Auditing
ISO 27000 (information security)
IT governance
GTAG 14 - Auditing User-developed Applications
Practice Guide - Auditing the Control Environment
GTAG 5 - Managing and Auditing Privacy Risks
COBIT
GTAG 9 - Identity and Access Management
GTAG 12 - Auditing IT Projects
Practice Guide - Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing
Six sigma
GTAG 11 - Developing the IT Audit Plan
GTAG 2 - Change and Patch Management Controls
GTAG 1 - Understanding IT Controls
GTAG 4 - Management of IT Auditing
GTAG 7 - IT Outsourcing
GTAG 10 - Business Continuity Management
GTAG 8 - Auditing Application Controls
Reporting on Controls at a Service Organization – SSAE 16 / AU 324 (replaces SAS 70)
Practice Advisory 2050-3 - Relying on the Work of Other Assurance Providers
COSO Enterprise Risk Management Framework
ISO 9000 (quality management and quality assurance)
Recently Enacted IIA Standards (effective January 1, 2009) - Functional Reporting Interpretation (Standard 1110)
Evaluating executive compensation risk of Regulation S-K
Recently Enacted IIA Standard (effective January 1, 2009) - Audit Opinions and Conclusions (Standards 2010.A2 and 2410.A1)
Board risk oversight (SEC Item 407(h) of Regulation S-K)
Recently Enacted IIA Standard (effective January 1, 2009) - Overall Opinions (Standard 2450)
Practice Advisory 1312-3 - Independence of External Assessment Team in the Private Sector
Country-specific Enterprise Risk Management Framework
Practice Advisory 1312-4 - Independence of the External Assessment Team in the Public Sector
Extensible Business Reporting Language (XBRL)
ISO 14000 (environmental management)
Fair value accounting
FASB Accounting Standards Codification™
Tax laws (in your applicable region/country)
Corporate governance standards (or local country equivalent)
Revenue Arrangements with Multiple Deliverables (EITF 08-1 (ASU 2009-13))
U.S. GAAP (or local country equivalent)
Foreign Corrupt Practices Act (FCPA)
AU Section 322 – The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements
COSO Internal Control Framework
Stock-based compensation
Standards for the Professional Practice of Internal Auditing (IIA Standards)
UK Bribery Act
Sarbanes-Oxley (Sections 301, 302, and 404)
General Technical Knowledge
Top Five – Overall Results
"Need to Improve"
Rank Areas Evaluated by Respondents Competency (5-pt. scale)
1 Social media applications 2.6
2 Cloud computing 2.6
3 GTAG 13 - Fraud Prevention and Detection in an Automated World 2.9
4 Fraud risk management 3.3
5 GTAG 16 - Data Analysis Technologies 2.9
General Technical Knowledge
Scatter Diagram
General Technical Knowledge
Scatter Diagram Key
1 Social media applications 16 GTAG 14 - Auditing User-developed Applications
2 Cloud computing 17 Practice Guide: Auditing the Control Environment
3 GTAG 13 - Fraud Prevention and Detection in an Automated World 18 GTAG 5 - Managing and Auditing Privacy Risks
4 Fraud risk management 19 COBIT
5 GTAG 16 - Data Analysis Technologies 20 GTAG 9 - Identity and Access Management
6 ISO 31000 (risk management) 21 GTAG 12 - Auditing IT Projects
7 Practice Guide - Assessing the Adequacy of Risk Management 22 Practice Guide - Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing
8 Practice Guide - Measuring Internal Audit Effectiveness and Efficiency 23 Six sigma
9 International Financial Reporting Standards (IFRS) 24 GTAG 11 - Developing the IT Audit Plan
10 The Guide to the Assessment of IT Risk (GAIT) 25 GTAG 2 - Change and Patch Management Controls
11 GTAG 6 - Managing and Auditing IT Vulnerabilities 26 GTAG 1 - Understanding IT Controls
12 GTAG 15 - Information Security Governance 27 GTAG 4 - Management of IT Auditing
13 GTAG 3 - Continuous auditing 28 GTAG 7 - IT Outsourcing
14 ISO 27000 (information security) 29 GTAG 10 - Business Continuity Management
15 IT governance 30 GTAG 8 - Auditing Application Controls
31 Reporting on Controls at a Service Organization – SSAE 16 / AU 324 (replaces SAS 70) 45 Fair value accounting
32 Practice Advisory 2050-3 - Relying on the Work of Other Assurance Providers 46 FASB Accounting Standards Codification™
33 COSO Enterprise Risk Management Framework 47 Tax laws (in your applicable region/country)
34 ISO 9000 (quality management and quality assurance) 48 Corporate governance standards (or local country equivalent)
35 Recently Enacted IIA Standards (effective January 1, 2009) - Functional Reporting Interpretation (Standard 1110) 49 Revenue Arrangements with Multiple Deliverables (EITF 08-1 (ASU 2009-13))
36 Evaluating executive compensation risk of Regulation S-K 50 U.S. GAAP (or local country equivalent)
37 Recently Enacted IIA Standard (effective January 1, 2009) - Audit Opinions and Conclusions (Standards 2010.A2 and 2410.A1) 51 Foreign Corrupt Practices Act (FCPA)
38 Board risk oversight (SEC Item 407(h) of Regulation S-K) 52 AU Section 322 – The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements
39 Recently Enacted IIA Standard (effective January 1, 2009) - Overall Opinions (Standard 2450) 53 COSO Internal Control Framework
40 Practice Advisory 1312-3 - Independence of External Assessment Team in the Private Sector 54 Stock-based compensation
41 Country-specific Enterprise Risk Management Framework 55 Standards for the Professional Practice of Internal Auditing (IIA Standards)
42 Practice Advisory 1312-4 - Independence of the External Assessment Team in the Public Sector 56 UK Bribery Act
43 Extensible Business Reporting Language (XBRL) 57 Sarbanes-Oxley (Sections 301, 302, and 404)
44 ISO 14000 (environmental management)
General Technical Knowledge
Three Year Comparison – Overall Results
Rank 2012 2011 2010
IFRS
1 Social media applications GAIT GTAG 13 - Fraud Prevention and Detection in an Automated World
2 Cloud computing ISO 31000 IFRS
3 GTAG 13 - Fraud Prevention and Detection in an Automated World
Penalties in Administrative Proceedings (§ 929P) XBRL
4 Fraud risk management Six sigma ISO 27000
5 GTAG 16 - Data Analysis Technologies
Hedging by Employees and Directors (§ 955)
COBIT
GTAG 15 - Information Security Governance
• No consistent top five items for 2012, 2011 and 2010
General Technical Knowledge
Company Size Breakdown
Rank Small < $1B Medium $1B-9B Large > $10B
1 Social media applications Social media applications Social media applications
2 Cloud computing Cloud computing ISO 31000 (risk management)
3
GTAG 13 - Fraud Prevention and Detection in an Automated World GTAG 13 - Fraud Prevention and
Detection in an Automated World
Evaluating executive compensation risk of Regulation S-K
GTAG 16 - Data Analysis Technologies Fraud risk management Fraud risk management
4 The Guide to the Assessment of IT Risk (GAIT) Fraud risk management Country-specific enterprise risk
management framework
Fraud risk management ISO 31000 (risk management) ISO 9000 (quality management and quality assurance)
5
IT governance GTAG 16 - Data Analysis Technologies
Board risk oversight (SEC Item 407(h) of Regulation S-K)
Practice Guide - Assessing the Adequacy of Risk Management Practice Guide - Assessing the Adequacy of Risk Management
Practice Guide - Measuring Internal Audit Effectiveness and Efficiency
• Circled items are consistent top five items by company size
General Technical Knowledge
Top Five – CAE Results
"Need to Improve"
Rank Areas Evaluated by Respondents Competency (5-pt. scale)
1 Social media applications 2.6
2 Cloud computing 2.7
3 GTAG 13 - Fraud Prevention and Detection in an Automated World 3.1
4 GTAG 16 - Data Analysis Technologies 3.0
5 International Financial Reporting Standards (IFRS) 2.9
General Technical Knowledge
Three Year Comparison – CAE Results
Rank 2012 2011 2010
1 Social media applications IFRS GAIT
2 Cloud computing GTAG 13 - Fraud Prevention and Detection in an Automated World XBRL
3 GTAG 13 - Fraud Prevention and Detection in an Automated World
Penalties in Administrative Proceedings (§ 929P)
IFRS
Hedging by Employees and Directors (§ 955)
4 GTAG 16 - Data Analysis Technologies
GTAG 14 - Auditing User-developed Applications
COBIT
GTAG 15 - Information Security Governance
5 IFRS GTAG 3 – Continuous Auditing
ISO 27000 GTAG 12 - Auditing IT Projects
• Circled items are consistent top five items for 2012, 2011 and 2010
Addressing and Managing Existing and Emerging Risks
Healthcare Industry Results - General Technical Knowledge
"Need to Improve"
Rank Areas Evaluated by Respondents Competency (5-pt. scale)
1 Social media applications 2.8
2 Cloud computing 2.5
3 (tie) GTAG 16 - Data Analysis Technologies 3.0
3 (tie) Fraud risk management 3.4
4 (tie) GTAG 13 - Fraud Prevention and Detection in an Automated World 3.1
5 (tie) GTAG 3 – Continuous Auditing 3.2
5 (tie) GTAG 12 – Auditing IT Projects 3.0
Meeting Today’s Challenges
Points for Discussion
• Do you agree with these findings?
• What areas are you weakest in related to the following topics?
- Use of Technology in Auditing Business Process Controls
- General Technical Knowledge
• Are there other professional competencies that you want to improve upon?
• What other comments or questions do you have?
Questions?
Thank you for joining us!
[email protected] Alex. [email protected]
Managing Director Protiviti – Dallas
+1 (469) 374-2435
Managing Director Protiviti – Phoenix
+1 (602) 273-8022
Vice President of Audit Services for the Carolinas HealthCare System
Past Board Chair, AHIA – Denver,
+1 (704) 512-5928