Escolar Documentos
Profissional Documentos
Cultura Documentos
Mean %
Ownership
Mean %
Support
Continuous
Monitoring
26.20% 34.50% 27.40% 11.90%
21.40% 78.60%
Enterprise Risk
Management
13.10% 39.30% 39.30% 8.30%
24.20% 75.80%
HR Compliance 6.00% 59.00% 31.30% 3.60%
2.70% 97.30%
Intellectual
Property
Compliance
32.90% 61.00% 4.90% 1.20%
3.80% 96.20%
IT Security
9.60%
43.40% 34.90% 12.00%
2.90% 97.10%
Licensing
Compliance
36.60% 61.00% 2.40% 0.00%
4.10% 95.90%
Medical
Compliance
63.90% 22.90% 9.60% 3.60%
6.50% 93.50%
Nonmedical
Compliance
2.40%
36.10% 44.60% 16.90%
9.30% 90.70%
Other 70.50% 2.30% 9.10% 18.20%
53.80% 46.20%
Critical Factor Five: Potential Misalignment
with the Value Propositions
Table 8 reveals the extent of management and internal audit misalignment, i.e., disagree-
ment between management and internal auditing about the importance of various internal
audit activities. There can be many measures of potential misalignment and as posited
in the conceptual model, this misalignment may affect the resources devoted to internal
auditing. Note that we are not arguing that managements view is more correct, or that
internal auditings view is more correct. We simply asked CAEs whether or not their views
are aligned with managements views so that we can determine whether potential misalign-
33
V. Results
ment affects the resources allocated to internal auditing and, as importantly, which
factors of misalignment most affect resource allocation.
For the most part, responses indicate that management and internal auditing agree on the
importance of each of the activities. However, we fnd that for more than 30 percent of
the universities represented in our study, internal auditors believe that a focus on ethics, IT
auditing, operational auditing, and risk management is more important (at least slightly)
than management does. On the other hand, in 10 percent of the universities, management
believes that providing external audit support is more important than the internal audit
department does.
Table 8: Extent of Management and Internal Audit Misalignment
Management Believes
It is More Important
Than Internal
Auditing Does
Internal Auditing
Believes It is More
Important Than
Management Does
N/A Signifcantly Slightly Agree Slightly Signifcantly
Athletics 17.80% 1.40% 6.80% 58.90% 11.00% 4.10%
EHS 9.50% 0.00% 1.40% 71.60% 14.90% 2.70%
Ethics 9.50% 0.00% 2.70% 55.40% 18.90% 13.50%
Ext. Audit Support 14.90% 4.10% 5.40% 71.60% 2.70% 1.40%
Fed. Grant
Compliance
8.10% 0.00% 1.40% 71.60% 12.20% 6.80%
Financial Reporting 8.20% 2.70% 5.50% 74.00% 6.80% 2.70%
HR Compliance 2.70% 2.70% 2.70% 71.60% 14.90% 5.40%
IT Audit 1.40% 2.70% 2.70% 52.70% 31.10% 9.50%
Medical School
Compliance
60.60% 0.00% 1.40% 35.20% 1.40% 1.40%
Operational Auditing 1.40% 1.40% 1.40% 65.80% 20.50% 9.60%
Other 1.40% 0.00% 1.40% 66.20% 20.30% 10.80%
Purchasing Audits 1.40% 0.70% 5.50% 75.30% 9.60% 5.50%
Risk Management 1.40% 2.70% 4.10% 50.70% 27.40% 13.70%
Whistleblower
Hotline
13.50% 1.40% 1.50% 60.80% 14.90% 8.10%
Effective Sizing of Internal Audit Activities for Colleges and Universities
34
In addition, we compare the activities explicitly described in the internal audit mission
(see Figure 10) to the activities the internal audit function includes as value propositions
and actually performs (see Figure 7). To the extent that the activities listed in the internal
audit mission differ from those actually performed by internal auditing, we expect that the
internal audit department may not be meeting managements expectations. Specifcally,
for each item listed in the mission, we determine whether the organization reported that
resources are devoted to that activity. We verifed that all activities to which resources are
dedicated are included in the mission. We added together all of the activities that are not
included in both the mission and the stated activities as our measure of mission alignment.
We consider organizations with alignment equal to zero (0) or one (1) to be well aligned.
We consider organizations with an alignment score greater than one (1) to be misaligned.
Table 9 provides an example of our calculation of the mission alignment variable.
Table 9: Mission Alignment Example
Included in
Mission?
Activities
Performed?
Diferences
Between Mission
& Activities
Compliance Activities Yes Yes
Consulting Activities Yes No X
Financial Audit No No
Fraud-related Activities Yes Yes
IT Audit Yes No X
Operational Audit Yes Yes
Risk Management No No
Leadership Development No Yes X
Total Diferences 3
If there are one or fewer diferences, we consider the activities aligned with the mission of internal
auditing. If there is more than one diference, we consider the activities and mission to be misaligned.
Using the methodology described above, we fnd that approximately 80 percent of the
organizations in our sample perform activities that are included in the stated mission
of the internal audit function. That is, approximately 80 percent are aligned. Further
35
V. Results
examination of mission alignment in public and private organizations separately reveals
that approximately 80 percent of each is aligned (79.5 percent and 81.8 percent, respec-
tively). We did not specifcally test whether the nature of the alignment (misalignment)
made the most difference. Rather, for the broad model, we are interested in whether or not
there is a strong or weak consistency between the activities included in the mission and the
activities performed by internal auditing.
Critical Factor Six: Characteristics of the Internal Audit Department
As posited in the conceptual model, an internal audit departments staffng philosophy,
as well as automation strategy, may infuence the effective size of an audit activity. For
example, we would expect that a department with experienced CIAs might be smaller than
a department with CIAs in the management position supervising a number of staff audi-
tors that are on a rotation through internal auditing as part of a fnancial management
training program. We also expect that an audit department that uses a great deal of auto-
mation may be able to cut down the size of the activity to take advantage of its investment
in technology. We report the characteristics of the organizations in our sample next.
Characteristics of Internal Audit Personnel. By comparing Panels A and B of Table 10,
we fnd that, on average, each classifcation of internal audit employee has slightly more
experience in internal auditing than they do within the organization as a whole. This is
consistent with the notion that many organizations rely on experienced internal audi-
tors when hiring new staff. Indeed, our survey results indicate that less than 24 percent
(23.9 percent) of organizations hire inexperienced auditors directly from college campuses
(described more fully in Table 12).
Table 10: Internal Auditors Years of Experience
Rotation Career
Org.
Employee
Entry
Level
Exp.
Hire
Entry
Level
Exp.
Hire Other N/A
Public 4.10% 12.30% 5.50% 13.70% 52.10% 4.10% 8.20%
Private 7.10% 7.10% 7.10% 7.10% 35.90% 21.40% 14.30%
Total Sample 4.50% 11.40% 5.70% 12.50% 50.00% 6.80% 9.10%
Internal Audit Use of Tools. In addition to the characteristics of internal audit personnel, it
is also important to consider the tools that they use to complete their tasks. To understand
that issue, we collect data regarding the extent to which the internal audit department
leverages automated internal audit tools. There are a variety of resources and tools avail-
able to internal auditors to improve the effciency of audits. Further, many of these tools
can improve the effectiveness of the audits by allowing auditors to examine the complete
population of transactions, thereby performing a thorough review of the entire organiza-
tion, rather than being limited by sample size. We asked participants to indicate how much
they use each of the following: 1) data extraction and analysis tools; 2) audit management
tools (e.g., automated workpapers or scheduling tools); 3) control self-assessment tools;
4) fraud detection and prevention tools; 5) continuous monitoring tools; and 6) Sarbanes-
Oxley compliance tools. Figure 12 reveals the percentage of organizations reporting at
least a moderate usage of each type of internal audit tool. As shown, data extraction and
audit management tools are the most commonly used technology tools, with 65.8 percent
of organizations indicating at least a moderate usage of data extraction tools and 59.7
percent indicating at least a moderate usage of audit management tools.
Effective Sizing of Internal Audit Activities for Colleges and Universities
38
Figure 12: Usage of Internal Audit Tools
D
a
t
a
E
x
t
r
a
c
t
i
o
n
a
n
d
A
n
a
l
y
s
i
s
A
u
d
i
t
M
a
n
a
g
e
m
e
n
t
C
o
n
t
r
o
l
S
e
l
f
-
a
s
s
e
s
s
m
e
n
t
F
r
a
u
d
D
e
t
e
c
t
i
o
n
a
n
d
P
r
e
v
e
n
t
i
o
n
C
o
n
t
i
n
u
o
u
s
M
o
n
i
t
o
r
i
n
g
S
a
r
b
a
n
e
s
-
O
x
l
e
y
C
o
m
p
l
i
a
n
c
e
0%
10%
20%
30%
40%
50%
60%
70%
% Organizations with at least moderate usage
Critical Factor Seven: Internal Audit Service Quality
The next critical factor in the model focuses on perceptions of the service quality of internal
auditing. To assess this factor, we asked participants to provide their own assessments of
the value provided by internal auditing. Specifcally, internal auditors indicated whether
or not they believe internal auditing is meeting or exceeding its potential. As evidenced in
Figure 13, approximately 40 percent indicate that the internal audit department operates
slightly, somewhat, or signifcantly below its full potential. About 15 percent of partici-
pants say the internal audit department meets its potential, and 0 percent say internal
auditing is signifcantly exceeding expectations. Thus, internal auditors perceptions of
value leave room for improvement.
39
V. Results
Figure 13: Assessment of Internal Audit Quality
S
i
g
n
i
f
c
a
n
t
l
y
B
e
l
o
w
S
o
m
e
w
h
a
t
B
e
l
o
w
S
l
i
g
h
t
l
y
B
e
l
o
w
M
e
e
t
s
P
o
t
e
n
t
i
a
l
S
l
i
g
h
t
l
y
A
b
o
v
e
S
o
m
e
w
h
a
t
A
b
o
v
e
S
i
g
n
i
f
c
a
n
t
l
y
A
b
o
v
e
0%
5%
10%
15%
20%
25%
30%
Extent to Which Internal Auditing Meets Its Potential
Model Conclusion: The Size of the Internal Audit Function
Internal Audit Staffng Size and Budgets. The ultimate goal of our conceptual model is to
help determine the appropriate size of the internal audit function. Ultimately, given an
organizations value proposition for internal auditing, its staffng philosophy, and other
factors, we would like to identify characteristics that lead to a specifc size of internal
audit department. More importantly, we would like to predict the factors that seem to
be most valued by management. In this section, we present descriptive data on various
measures of internal audit department size in our sample organizations. Table 13 shows
the total number of internal auditors for the full sample and various industry categories.
The results reveal that, on average, sample organizations have about six internal auditors
on their staff, with public universities having more than private universities (Table 13,
panel A), and systems audit departments being slightly larger than campus audit depart-
ments (Table 13, panel B).
Effective Sizing of Internal Audit Activities for Colleges and Universities
40
Table 13: Number of Internal Auditors
Panel A: Number of Internal Auditors Public versus Private
Internal Audit Function
Total Internal Audit
Employees (Includes Director) Staf Seniors Managers
Public Universities 5.74 2.21 3.10 1.74
Private Universities 4.14 2.60 1.89 1.00
Total Sample 5.46 2.25 2.94 1.58
Panel B: Number of Internal Auditors Campus versus System
Internal Audit Function
Total Internal Audit
Employees (Includes Director) Staf Seniors Managers
Campus Auditors 4.78 1.60 2.62 1.26
System Auditors 6.27 3.04 3.42 2.06
Total Sample 5.46 2.25 2.94 1.58
Table 14 documents the 2007 and 2008 internal audit budgets (in hours and USD) and the
2006 and 2007 internal audit expenses. Average expenses and hours for both budgets and
actual activities have increased approximately 10 percent in the past two years (although,
budgeted hours have only increased 7 percent). Average cost per hour has remained stable
at approximately $80.
41
V. Results
T
a
b
l
e
1
4
:
I
n
t
e
r
n
a
l
A
u
d
i
t
B
u
d
g
e
t
a
n
d
A
c
t
u
a
l
E
x
p
e
n
s
e
s
A
v
e
r
a
g
e
I
A
$
/
H
o
u
r
%
I
n
c
r
e
a
s
e
M
i
n
.
I
A
$
/
H
o
u
r
%
I
n
c
r
e
a
s
e
M
a
x
.
I
A
$
/
H
o
u
r
%
I
n
c
r
e
a
s
e
T
o
t
a
l
I
A
A
c
t
i
v
i
t
i
e
s
-
H
R
S
2
0
0
6
5
,
5
5
0
$
8
0
.
7
0
1
0
%
1
,
4
0
0
$
1
0
.
0
0
0
%
2
2
,
3
7
5
$
8
9
.
3
9
-
4
%
T
o
t
a
l
I
A
A
c
t
i
v
i
t
i
e
s
-
H
R
S
2
0
0
7
6
,
0
8
4
$
7
9
.
9
9
1
,
4
0
0
$
1
2
.
1
4
2
1
,
5
0
4
$
9
3
.
0
1
T
o
t
a
l
I
A
A
c
t
i
v
i
t
i
e
s
-
U
S
D
2
0
0
6
$
4
4
7
,
9
0
2
-
-
9
%
$
1
4
,
0
0
0
-
-
2
1
%
$
2
,
0
0
0
,
0
0
0
-
-
0
%
T
o
t
a
l
I
A
A
c
t
i
v
i
t
i
e
s
-
U
S
D
2
0
0
7
$
4
8
6
,
6
8
5
-
-
$
1
7
,
0
0
0
$
2
,
0
0
0
,
0
0
0
-
-
T
o
t
a
l
I
A
B
u
d
g
e
t
-
H
R
S
2
0
0
7
5
,
7
7
8
$
7
4
.
9
5
7
%
1
,
4
0
0
$
1
2
.
1
4
0
%
2
1
,
5
0
4
$
9
3
.
0
1
-
5
%
T
o
t
a
l
I
A
B
u
d
g
e
t
-
H
R
S
2
0
0
8
6
,
1
9
7
$
7
7
.
7
2
1
,
4
0
0
$
1
4
.
1
1
2
0
,
4
4
4
$
9
7
.
8
3
T
o
t
a
l
I
A
B
u
d
g
e
t
-
U
S
D
2
0
0
7
$
4
3
3
,
0
6
1
-
-
1
1
%
$
1
7
,
0
0
0
-
-
1
6
%
$
2
,
0
0
0
,
0
0
0
-
-
0
%
T
o
t
a
l
I
A
B
u
d
g
e
t
-
U
S
D
2
0
0
8
$
4
8
1
,
6
5
9
-
-
$
1
9
,
7
5
0
-
-
$
2
,
0
0
0
,
0
0
0
-
-
Effective Sizing of Internal Audit Activities for Colleges and Universities
42
Internal Audit Resource Adequacy. While the preceding information provides descriptive
evidence concerning the actual staffng and budgetary resources allocated to internal audit
departments currently, we also asked participants to assess whether they believe those
resources are adequate. The results (untabulated) reveal that 31 percent of respondents
believe that the current number of internal audit staff is appropriate, while approximately
68 percent believe more internal auditors are needed. One percent indicate that the current
internal audit department is overstaffed. With respect to the amount of monetary resources
dedicated to internal auditing, 67 percent indicate that more resources are needed, 33
percent believe the current resource allocation is appropriate, and no one responded that
fewer resources are necessary.
Respondents also provided some insights into the audit skills that they need. Table 15
reveals that IT audit skills are the most frequently cited skill need (30.4 percent).
Table 15: Audit Skills Needed
Audit Needed Skill % Indicating Need
IT Skills 30.40%
Specialized Audit Skills 23.00%
Traditional Audit Skills 20.30%
Advanced Audit Skills 14.90%
Compliance Skills 12.20%
Fraud Skills 10.80%
Based on the preceding analysis, an important question emerges. Given that the overall
results indicate that most CAEs believe they are undersourced, how can we use the data
to develop an estimate of the effective size of an internal audit activity? We answer that
question the following way: The primary model should be based on organizations where
management and audit perceptions of internal audit value are most closely aligned. That
alignment should predict the best ft for the conceptual model. The model should predict
how much internal audit staffng would (should) change when there is less alignment.
Further, we also want to know how staffng changes in response to other elements in the
conceptual model, e.g., the value proposition, the staffng proposition, investment in audit
technology, and so forth.
43
VI. TESTING THE
CONCEPTUAL MODEL
The conceptual model is based on our knowledge gained from interviews and previous
research. In theory, the model provides a framework of issues we should think about in
determining the effective size of an internal audit activity. However, we need to go from
theory to practice. In other words, can the conceptual model be used to predict the effective
size of an internal audit department given its value proposition, staffng philosophy, and
the other factors identifed in developing the model? If yes, can we further refne the model
to determine the effective size that might refect better alignment between management
and audit committee values for internal auditing and the delivery of those value-added
activities?
The most powerful way to frst test the validity of the conceptual model is to use regres-
sion analysis that incorporates real-world data gathered for the specifc purpose of testing
the model (much of the data are described herein). In performing this analysis, we pursue
the association between the critical factors in our conceptual model (i.e., characteristics of
the organization, characteristics of the organizations governance structure, the mission of
the internal audit function, the value proposition of the internal audit function, potential
misalignment with the value propositions, characteristics of the internal audit depart-
ment, and internal audit service quality) and the size of the internal audit departments in
our sample organizations. We not only want to know the association of these factors, but
which ones really make a signifcant difference in predicting the relative size of an internal
audit department that best meets or exceeds managements expectations.
Measuring the Effective Size of an Internal Audit Function
We considered several different measures for the effective size of an internal audit activity,
including the number of internal auditors (in terms of full-time equivalents), internal
audit monetary budgets, and internal audit actual monetary expenses. Analysis of the
correlations between these variables indicates that they are signifcantly correlated (for
all, p<.01).
6
An analysis of the data indicates that the participants were most reliable in
6
These signifcant correlations include frms that engage third-party service providers to perform
a portion of the internal audit services.
Effective Sizing of Internal Audit Activities for Colleges and Universities
44
providing accurate and complete data on the number of internal auditors on their staffs,
and because the data were highly correlated, we decided to use that fgure as our primary
predicted outcome. However, when signifcant differences between inferences across the
alternative effective size measures were noted in our analysis, we performed more in-depth
analysis and discuss it further (see below).
Explanatory Factors
Table 16 documents the factors that signifcantly infuence the size of the internal audit
function and the manner in which each infuences the size (positively or negatively).
Importantly, Table 16 only includes the factors that have a signifcant infuence on the size
of the internal audit department, as revealed through our regression analysis. Therefore,
not all of the variables described in the previous sections of this whitepaper are refected
in Table 16. We use commonly accepted p-values to determine statistical signifcance
(p<0.10).
7
The following paragraphs provide additional descriptions of these variables
and the intuition behind their affect on internal audit size.
Table 16: Factors Infuencing Internal Audit Department Size (FTE)
Variables
Direction
of Efect Interpretation of Result
Characteristics of the Organization
Public versus Private
Organization
+
Internal audit size increases for public organizations
(as compared to private organizations).
Total Revenue for Current
Year
+
Internal audit size increases as the size of the
organization (in total revenue) increases.
Internal Control
Decentralization
+
Internal audit size increases as the control structure of
the organization becomes more decentralized.
IT Control System
Decentralization
+
Internal audit size increases as the control structure
of the organizations IT system becomes more
decentralized.
7
The p-value is the probability of obtaining the test statistic (i.e., the relationship between each
variable and internal audit size) randomly. Lower p-values provide stronger confdence that the
observed relationship is not pure chance.
45
VI. Testing the Conceptual Model
Table 16: Factors Infuencing Internal Audit Department Size (FTE) (continued)
Variables
Direction
of Efect
Interpretation of Result
Complexity of Medical
Science
+
Internal audit size increases as the number of medical
science programs (e.g., hospital, medical school, etc.)
increases.
Characteristics of the Governance Structure
Audit Committee
Oversight of Internal Audit
Summary Statistic
+
Internal audit size increases as the overall governance
of the audit committee improves.
Internal Audit Reporting
to Audit Committee
+
Internal audit size increases when the audit
department reports directly (and privately) to the
audit committee.
Statutory Audit
Requirements
+
Internal audit size increases when the organization
must comply with statutory audit requirements.
Internal Audit Mission and Value Proposition
Operational Auditing
Included in Internal Audit
Mission
+
Internal audit size increases when operational
auditing is explicitly included in the mission
statement.
Developing Leadership
Skills Included in Internal
Audit Mission
+
Internal audit size increases when the development of
leadership skills (including training for management
positions) is explicitly included in the mission
statement.
Involvement in
Compliance and Risk
Management Activities
+
Internal audit size increases as the extent of
auditings involvement in various compliance and
risk management activities increases (including
continuous monitoring, ERM, etc.).
Mission Misalignment
Management and Internal
Auditing Disagree on the
Importance of IT Auditing