IA Effective Sizing College and University

Effective Sizing of
Internal Audit Activities

for Colleges and Universities
Effective Sizing of Internal Audit Activities
for Colleges and Universities
Not all internal audit activities are created equal, nor do they have the
same mission within their organizations. Simply comparing the size of one
department with another even in the same industry and same relative
size can give misleading indications as to the appropriate size of an
internal audit department.
These effective sizing issues formed the basis for this recent research
study. A number of different activities that a department might perform were
analyzed. This led to the development of a conceptual model of internal audit
size that identies the key factors that may be tailored to each organization.
Authors Urton Anderson, Margaret Christ, Karla Johnstone, and Larry
Rittenberg examine seven critical factors that affect the size of an internal
audit department:
1. Characteristics of the organization.
2. Characteristics of the organizations governance structure.
3. The mission of the internal audit function.
4. The value proposition of the internal audit function.
5. Alignment with the value proposition.
6. Characteristics of the internal audit department.
7. Internal audit service quality.
An interactive tool is included that allows CAEs to enter data to calculate
an estimated effective size for their internal audit department. Detailed
instructions are provided, including a troubleshooting guide with helpful
suggestions for adjusting the tool if necessary.
R
E
S
E
A
R
C
H
Item No. 5014
IIA members US $25
Nonmembers US $35
1
0
2
0
2
R
E
S
E
A
R
C
H
E
f
f
e
c
t
i
v
e

S
i
z
i
n
g

o
f

I
n
t
e
r
n
a
l

A
u
d
i
t

A
c
t
i
v
i
t
i
e
s

f
o
r

C
o
l
l
e
g
e
s

a
n
d

U
n
i
v
e
r
s
i
t
i
e
s
ISBN: 978-0-89413-689-4
Urton L. Anderson, PhD, CIA, CCSA, CGAP, CFSA
Margaret H. Christ, PhD, CIA
Karla M. Johnstone, PhD
Larry Rittenberg, PhD, CIA
10202 RF-Effective Sizing Universities BkCvr.indd 1 10/5/10 8:15 AM
EFFECTIVE SIZING OF
INTERNAL AUDIT ACTIVITIES
FOR COLLEGES AND
UNIVERSITIES
By
Urton L. Anderson, PhD, CIA, CCSA, CGAP, CFSA
The University of Texas at Austin
Margaret H. Christ, PhD, CIA
The University of Georgia
Karla M. Johnstone, PhD
The University of WisconsinMadison
and
Larry Rittenberg, PhD, CIA
The University of WisconsinMadison
With Sponsorship By:
The Association of College and University Auditors
The University of California System Department of the Auditor
IIA Norway
The Institute of Internal Auditors
Disclosure
Copyright 2010 by The Institute of Internal Auditors Research Foundation (IIARF),
247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. No part
of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form by any means electronic, mechanical, photocopying, recording, or otherwise
without prior written permission of the publisher.
The IIARF publishes this document for informational and educational purposes. This
document is intended to provide information, but is not a substitute for legal or accounting
advice. The IIARF does not provide such advice and makes no warranty as to any legal
or accounting results through its publication of this document. When legal or accounting
issues arise, professional assistance should be sought and retained.
The Institute of Internal Auditors (IIAs) International Professional Practices Framework
(IPPF) comprises the full range of existing and developing practice guidance for the
profession. The IPPF provides guidance to internal auditors globally and paves the way to
world-class internal auditing.
The mission of The IIARF is to expand knowledge and understanding of internal
auditing by providing relevant research and educational products to advance the profes-
sion globally.
The IIA and The IIARF work in partnership with researchers from around the globe who
conduct valuable studies on critical issues affecting todays business world. Much of the
content presented in their fnal reports is a result of IIARF-funded research and prepared
as a service to The Foundation and the internal audit profession. Expressed opinions,
interpretations, or points of view represent a consensus of the researchers and do not
necessarily refect or represent the offcial position or policies of The IIA or The IIARF.
ISBN 978-0-89413-689-4
09/10
First Printing
iii
TABLE OF CONTENTS
Acknowledgments .............................................................................................................v
About the Authors ..........................................................................................................vii
I. Introduction and Executive Summary of Key Findings .............................................1
II. The Internal Auditing Resource Problem .................................................................5
III. A Conceptual Model for Determining the Effective Size of an Internal Audit
Function .................................................................................................................9
Critical Factor One: Characteristics of the Organization .....................................11
Critical Factor Two: Characteristics of the Organizations Governance
Structure ..........................................................................................................11
Critical Factor Three: The Mission of the Internal Audit Function .....................12
Critical Factor Four: The Value Proposition of the Internal Audit Function .......12
Critical Factor Five: Alignment with the Value Propositions ...............................13
Critical Factor Six: Characteristics of the Internal Audit Department .................13
Critical Factor Seven: Internal Audit Service Quality ..........................................14
Conceptual Result: The Size of the Internal Audit Function ...............................14
IV. Data Collection ....................................................................................................15
V. Results .................................................................................................................17
Critical Factor One: Characteristics of the Organization .....................................17
Critical Factor Two: Characteristics of the Organizations Governance
Structure ..........................................................................................................19
Critical Factor Three: The Mission of the Internal Audit Function .....................24
Critical Factor Four: The Value Proposition of the Internal Audit Function .......29
Critical Factor Five: Potential Misalignment with the Value Proposition ............32
Critical Factor Six: Characteristics of the Internal Audit Department .................35
Critical Factor Seven: Internal Audit Service Quality ..........................................38
Model Conclusion: The Size of the Internal Audit Function ...............................39
VI. Testing the Conceptual Model ...............................................................................43
VII. Conclusion ............................................................................................................51
VIII. References ............................................................................................................53
Effective Sizing of Internal Audit Activities for Colleges and Universities
iv
Research Sponsor Recognition ........................................................................................55
The IIA Research Foundation Board of Trustees .............................................................56
The IIA Research Foundation Board of Research and Education Advisors .......................57
List of Tables
Table 1: Average Number of Students Enrolled in the Institution ..................................17
Table 2: Audit Committee Characteristics ......................................................................20
Table 3: Comprehensive Risk Management/Compliance Network .................................22
Table 4: Most Frequently Listed Noninternal Audit Function for Each Activity ...........23
Table 5: Defnitions of Objectives Included in the Internal Audit Mission .....................24
Table 6: Defnitions of Objectives Included in the Internal Audit Mission .....................29
Table 7: Internal Auditings Involvement in Compliance and Risk Management ...........32
Table 8: Extent of Management and Internal Audit Misalignment ................................33
Table 9: Mission Alignment Example ............................................................................34
Table 10: Internal Auditors Years of Experience ...........................................................35
Table 11: Percentage of Auditors with Certifcations ......................................................36
Table 12: Internal Audit Staffng Philosophy ..................................................................37
Table 13: Number of Internal Auditors ..........................................................................40
Table 14: Internal Audit Budget and Actual Expenses ...................................................41
Table 15: Audit Skills Needed ........................................................................................42
Table 16: Factors Infuencing Internal Audit Department Size (FTE) ............................44
List of Figures
Figure 1: Method of Developing Conceptual Model .......................................................9
Figure 2: Conceptual Model ..........................................................................................10
Figure 3: Centralization of the Internal Control System and IT Control System ...........18
Figure 4: Description of IT Environment ......................................................................19
Figure 5: Internal Audit Reporting Relationships ..........................................................20
Figure 6: Audit Committee Governance Characteristics ................................................21
Figure 7: Objectives in the Internal Audit Mission (Full Sample) ..................................26
Figure 8: Objectives in the Internal Audit Mission (Public versus Private) .....................27
Figure 9: Extent of Internal Audit Outsourcing .............................................................28
Figure 10: Audit Resources Dedicated to Specifc Activities ..........................................30
Figure 11: Audit Resources Dedicated to Specifc Activities (Public versus Private) .......31
Figure 12: Usage of Internal Audit Tools .......................................................................38
Figure 13: Assessment of Internal Audit Quality ...........................................................39
v
ACKNOWLEDGMENTS
We thank the many internal audit professionals who provided their time and expertise in
participating in our preliminary roundtable discussions and responding to our surveys.
vii
ABOUT THE AUTHORS
Urton Anderson, PhD, CIA, CCSA, CGAP, CFSA, is the Clark W. Thompson, Jr., Professor
in Accounting Education and chair of the Department of Accounting at the McCombs
School of Business, The University of Texas at Austin. He received his PhD from The
University of Minnesota in 1985. Professor Andersons research has addressed various
issues in internal and external auditing particularly corporate governance, compliance,
enterprise risk management, and internal control. His work has been published in journals
such as The Accounting Review, The Journal of Accounting Research, Auditing: A Journal
of Theory and Practice, Organizational Behavior and Human Decision Processes, and many
others. He has written four books and is one of the co-authors of the internal auditing
textbook Internal Auditing: Assurance and Consulting Services published by The IIA.
Several of his books have been translated into Spanish, Chinese, and Japanese. Professor
Anderson is a certifed internal auditor and active in The IIA. He has been a member
and chair of The IIAs Board of Regents and is the current chair of the Internal Auditing
Standards Board. In 1997 he was named Leon R. Radde Educator of the Year by The
IIA. In June 2006 The IIA recognized his outstanding contributions to the feld of internal
auditing by giving him the Bradford Cadmus Memorial Award. Professor Anderson
serves on the Board of Directors for the Health Care Compliance Association and the
Advisory Board of the Society of Corporate Compliance and Ethics. He is also active
in the Auditing Section of the American Accounting Association (AAA) and currently
serves as its president.
Margaret H. Christ, PhD, CIA, is an assistant professor of accounting at the J. M. Tull
School of Accounting at the University of Georgia. She received her PhD from the
University of Texas at Austin in 2008. She received her B.S. in accounting with a concen-
tration in internal auditing from Louisiana State University in 1999. Before receiving
her doctorate, Professor Christ was an internal auditor and risk consultant with Arthur
Andersen and Protiviti. Her clients included a variety of frms from the banking, energy,
and manufacturing industries, including several Fortune 500 companies. Professor
Christs research focuses on control systems, risk management, and inter-organizational
collaborations. Her dissertation, examining the infuence of managements intentions
when implementing formal control systems, has been recognized with the Michael Barrett
Doctoral Dissertation Award by The IIA and as the runner-up in the Outstanding
Dissertation Competition by the Management Accounting Section of the American
Accounting Association. Her recent research has been published in Internal Auditor,
Strategic Finance, and by The IIA Research Foundation (IIARF). Professor Christ is a
certifed internal auditor and an active member of The IIA. She has served the organiza-
tion as a member of its Academic Relations Committee. She is also active in the Auditing
Section and Management Accounting Section of the AAA.
viii
Karla M. Johnstone, PhD, received her PhD from the University of Connecticut in
1997 and is currently an associate professor at the University of Wisconsin School of
Business. Her research includes studies on corporate governance, internal controls, client
acceptance, fraud, negotiation, internal auditing, audit committee decision-making, and
budget-setting. Professor Johnstone serves on the editorial boards at The Accounting
Review, Auditing: A Journal of Practice & Theory, The International Journal of Auditing,
and Current Issues in Auditing. She is an associate editor at Accounting Horizons. She
has served the AAA by co-chairing the 2007 Auditing Section Midyear Conference and
the Auditing Section Innovation in Auditing Education Award Committee. She has also
served as a committee member of the AAAs Notable Contributions to the Accounting
Literature Award Committee and the Auditing Sections Audit Standards Committee and
Research Committee. She serves as a board member and audit committee member at the
Center for Advanced Studies in Business. Professor Johnstone teaches auditing and was
awarded the 2008 School of Business Chipman Outstanding Faculty Teaching Award. She
is a co-author on the auditing textbook Auditing: A Business Risk Approach.
Larry E. Rittenberg, PhD, CIA, is the Ernst & Young Professor of Accounting &
Information Systems at the University of Wisconsin. On the faculty since 1976, Professor
Rittenberg teaches in the area of audit and assurance, including risk management and
corporate governance topics. His current research deals with the effectiveness of audit
committees, corporate governance, and assurance services. Professor Rittenberg is former
chairman of The Committee of Sponsoring Organizations of the Treadway Commission
(COSO) and continues to serve on the Board of Directors. COSO is a voluntary private-
sector organization formed in 1985 to improve the quality of fnancial reporting through
business ethics, effective internal controls, and corporate governance. Professor Rittenberg
served on The IIAs Board of Directors as vice chairman-research, and as president of
The IIARF. He is also a former member of the Executive Committee of the AAA. He
has written extensively, including as co-author of Auditing: A Business Risk Approach
(2009). He is also a co-author of The Outsourcing Dilemma: What Works Best for Internal
Auditing and Research Opportunities in Internal Auditing published by The IIARF. He was
a member of the drafting subcommittee and a committee member of the Report of the
NACD Blue Ribbon Commission on Audit Committees. He is a recipient of The IIAs Leon
R. Radde Award as the Educator of the Year, and in 2005 he received The IIAs Bradford
Cadmus Memorial Award. He has been a recipient of the Outstanding Contributor Award
from Internal Auditor, and has been recognized by the Wisconsin Institute of Certifed
Public Accountants as their Outstanding Educator. He was named one of the nations 100
most infuential people in fnance in 2005 by Treasury and Risk Management Magazine.
Professor Rittenberg also serves on the Audit Committee of Woodward Governor, a
publicly traded corporation.
1
I. INTRODUCTION AND
EXECUTIVE SUMMARY
OF KEY FINDINGS
It is widely accepted that internal auditing is a key element of internal control, and that
it is vital to the performance and accountability demands of colleges and universities. Yet
these organizations often struggle to know whether the investments they make in resource
allocations for internal auditing are appropriate and effective. We often hear questions
such as: How much should be invested in internal auditing? How does the existence of
other functions within the organization that perform similar activities affect the invest-
ment in internal auditing? How do I know if I am getting value from internal auditing?
Certainly, not all internal audit functions are the same, nor do they have the same mission
within their organizations. This is true even though most internal audit departments strive
to follow the defnition of internal auditing developed by The Institute of Internal Auditors
in 1999:
Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organizations operations. It helps an orga-
nization accomplish its objectives by bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of risk management, control, and gover-
nance processes.
However, some internal audit functions are very active in the area of risk management
and often have a subset of the function that focuses on risk management. Some focus
on compliance activities, while others focus on operational audits, IT security, or fraud
prevention and detection. In other words, not all departments are the same, and they are
often asked to serve different missions within the college or university (described here-
after as the organization). Therefore, simply comparing the size of one internal audit
function with another even in organizations with similar characteristics and the same
relative size can give misleading indications as to the appropriate size of an internal
audit activity.
This study is designed to address these issues. We start by analyzing the number of
different activities that an internal audit activity might perform. That analysis leads us
to a conceptual model of internal audit effective sizing that articulates the key factors
2
that may be tailored to each organizations unique characteristics, mission, personnel, and
quality profle. We subsequently test the conceptual model using data from a wide variety
of higher education institutions, including whether managements views and internal
auditings views of the mission of internal auditing are closely aligned (a surrogate for
managements assessment of the value of internal auditing).
The study differs from traditional approaches to effective sizing that normally benchmark
the size of internal audit departments with other departments in similar organizations or
organizations of similar size. Rather, this study starts from a different premise: The appro-
priate size of the internal audit department should be based on the specifc mission of the
function as determined by management and the board of regents and should vary
with the scope of internal auditings mission, experience of its personnel, the technology
it uses, the control, compliance, and operational audit emphasis, and geographic areas
covered. Using the conceptual model, it is possible for two internal audit departments in
the same type of college or university (e.g., public versus private, of relatively the same
size) to have signifcant differences in both composition and size, but both be judged as
excellent by their respective governing bodies based on their specifc respective missions,
tools used, experience, and scope of work.
We developed the conceptual model by considering prior published academic research
concerning internal auditing in public companies, brainstorming among research team
members in consultation with key personnel at the University of California, and conducting
intensive feld interviews with internal audit directors at universities and several public and
private companies.
1
To test the conceptual model, we surveyed 148 chief audit executives
(CAEs) at an array of organizations located primarily in the United States.
The survey results support the validity of the conceptual model that we present in the next
section. Further, the study results support a tailored answer to the size of an internal audit
1
Our examination of internal audit departments within colleges and universities coincided with
a similar study examining the effective size of internal audit departments within public and
private organizations. While there are many differences between the relevant organizational and
governance characteristics, audit missions, and audit activities in universities and other types
of companies, there are also many similarities. For example, all internal audit departments are
required to adhere to The IIAs International Standards for the Professional Practice of Internal
Auditing. Therefore, our extensive interviews with other types of organizations also informed our
examination of university and college audit departments.
3
I. Introduction and Executive Summary of Key Findings
activity (in terms of the full-time equivalent number of personnel, assuming all other
factors equal).
2
The general fndings indicate that:
Internal audit size (i.e., number of full-time equivalents) increases:
o For public organizations (as compared to privately funded organizations).
o As the size of the organization (in revenue) increases.
o As the control structure of the organization becomes more decentralized.
o As the IT system control structure of the organization becomes more
decentralized.
o As the extent of medical science activities (medical school, etc.) increases.
o As audit committee oversight of the internal audit department increases.
o When the organization must comply with statutory audit requirements.
o As the involvement in risk management and compliance activities increases.
o As the percentage of resources dedicated to regulatory compliance and IT
security and control increases.
o When operational auditing and leadership development is explicitly included
in the mission statement.
o When the internal audit department meets or exceeds the expectations of
key stakeholders such as audit committees or senior management.
Internal audit size (i.e., number of full-time equivalents) decreases:
o As the percentage of audit activities that are outsourced increases.
o When management and the CAE disagree about the importance of IT
auditing (and management places less value on IT auditing than does
internal auditing).
o As the percentage of professional certifcation in the department increases.
o As more reliance is placed on noninternal audit departments for legal
compliance activities.
2
We use the number of personnel as a primary measure of size, although we note that it is corre-
lated with other measures such as budgetary resources. Additional analysis using annual internal
audit budget as the dependent variable yields similar results.
5
II. THE INTERNAL AUDITING
RESOURCE PROBLEM
How much of an organizations resources should be allocated to the internal audit func-
tion? Standard 2030 of The IIAs International Standards for the Professional Practice of
Internal Auditing (Standards) states that the CAE must ensure that internal audit resources
are appropriate (i.e., there is a reasonable mix of knowledge, skills, and competencies of
internal audit staff), suffcient (i.e., of adequate quantity), and effectively deployed (i.e.,
used in a way that optimizes achievement) to achieve the approved plan or objectives
for the internal audit function. Further, Standard 2010 requires that the CAE establish
risk-based plans that are aligned with the organizations overall goals. Following these
standards is necessary and useful. But, there is a need to help guide CAEs in determining
the size necessary to both meet the standards, and where applicable, exceed corporate
objectives for internal auditing.
Traditional Approaches to Determine Effective Size
of Internal Audit Functions
Our observations and interaction with IIA leadership on international committees is that
organizations routinely apply three approaches in determining the right size of their
internal audit department: 1) a static approach that starts with an existing audit function;
2) a risk analysis approach; and 3) a benchmarking approach.
The static approach starts with the size and composition of the existing internal audit
department and makes incremental changes in response to changed conditions in orga-
nizational risk, acquisitions, geographical coverage, control structure, or mission (e.g.
more consulting-type activities) and more recently to challenges to downsize the
organization. When used effectively, this approach carefully considers the skill sets, staff
experience, objectives of internal auditing, and nature of the organizations and internal
auditings information technologies. However, there are two potential problems with this
approach. First, there is little evidence that the existing size is appropriate as a starting
point. Second, the changes and subsequent new size may be infuenced by temporary
factors such as the initial implementation of the U.S. Sarbanes-Oxley Act of 2002.
6
A second method involves a systematic risk analysis approach whereby the internal audit
department presents various plans to the audit committee or management concerning the
amount of effort/coverage that internal auditing can achieve with current resources, a fxed
percentage increase, or a fxed percentage decrease. Such an approach is dependent on
management and audit committee views concerning: a) the effectiveness of the risk identi-
fcation process by internal auditing; b) the organizations risk appetite, risk tolerance, and
residual risk; and c) the appropriate role of internal auditing in risk management.
3
While
there are many merits to this approach, it still suffers from potential drawbacks:
1. It may not consider the use of advanced technology or other functions that
perform risk management activities (both of which could reduce the size of
internal auditing).
2. It may not consider an operational audit mission of the department, cost-
effective compliance activities, or changes in objectives that may include more
consultative-type activities.
3. It may not fully incorporate information about whether the risk analysis process
itself is suffciently comprehensive or the organization has an effective and
comprehensive enterprisewide risk management process.
A third approach to determining the right size of an internal audit department involves
benchmarking, whereby an organization considers its relative size in comparison to other
organizations using The IIAs Global Audit Information Network (GAIN) database or
other industry group surveys. The information is then used to begin discussions as to
whether an internal audit department should be increased, or whether its mission should
be expanded or contracted. One diffculty with benchmarking is that it does not address
the effciency/effectiveness of an internal audit department; it only provides comparisons
with groups in similar industries (and maybe of similar size). Further, the internal audit
peers used for benchmarking may have different objectives, different strategies for staffng,
or may address a different profle of risks in their organization. Benchmarking often does
not consider the extent to which other activities in an organization (either the existing
organization or the organization against which the audit department will be benchmarked)
may be similar in nature and purpose to internal auditing. Finally, benchmarking does not
take into account variation in risk across industry or environment, or changes mandated
by regulations. While benchmarking is often used to either claim that an audit department
3
Risk appetite, risk tolerance, and residual risk are not explicitly considered in our survey.
However, they are implicitly included in measures regarding internal auditings mission/activity
alignment and perceived quality.
7
II. The Internal Auditing Resource Problem
is effcient, or alternatively, that it requires additional resources, such comparisons can be
misleading.
While there are advantages and disadvantages to each of the three approaches (and others
that may be used), we propose that the profession does have a conceptual model that can
be mathematically modeled to provide a potentially more useful discussion of the most
effective size of an internal audit activity. Like the other approaches, we believe that this
approach will be refned as more data becomes available and as internal audit activities
evolve.
Previous Academic Research
Previous academic research has attempted to develop rigorous statistical models to esti-
mate the size of an internal audit function. However, most of these models represent
descriptions of what is in terms of the internal audit activity, not necessarily a descrip-
tion of what should be the size of an internal audit activity. For example, Carcello et
al. (2005) surveyed 217 U.S. public companies in 2001 and 2002 to develop such a model.
Their research shows that monetary budgets for internal auditing are positively associated
with the following factors (i.e., internal audit activity increases directly with increases in):
Organization size.
Organization leverage (higher leverage leading to larger size internal audit
functions).
Certain industries (fnancial, service, and utilities were larger than others).
Level of inventory and operating cash fows.
Audit committee review of internal audit budgets.
Overall, internal audit budgets were negatively associated with the amount of internal
audit work that is outsourced (i.e., the more work that was outsourced, the less the total
amount of internal audit budget).
4
While their model represents a useful frst step in
predicting how internal audit budgets may change in relationship to various factors, they
do not explicitly address the issue of effective sizing of internal auditing based on the
mission or value proposition of internal auditing, managements expectations regarding
internal audit service quality, specifc tasks and tools that internal audit departments use,
or the overall corporate governance environment. Further, their sample does not include
colleges and universities.
4
Note that the total internal audit budget includes the amount spent on outsourcing as well as
the amount spent on internal staff.
8
The conceptual model that we develop in this paper extends the work of Carcello et al.
by: a) developing a surrogate measure for the effective size of the internal audit depart-
ment; b) including variables that represent post-Sarbanes-Oxley relevant tasks and risks;
c) including a much broader scope of internal audit-relevant variables; and d) considering
unique aspects of colleges and universities. The conceptual model also builds on recent
work provided by various internal audit thought leaders on factors affecting the future of
the internal audit function.
9
III. A CONCEPTUAL MODEL
FOR DETERMINING THE
EFFECTIVE SIZE OF AN
INTERNAL AUDIT FUNCTION
We have developed a conceptual model of internal audit size based on factors that should
infuence the size of an internal audit activity generated from a review of the profes-
sional literature and from interviews with leading internal audit practitioners and thought
leaders. We used a three-step process to develop that model, as depicted in Figure 1.
Figure 1: Method of Developing Conceptual Model
Step 1: Preparatory
Development
Evaluate prior research
and professional
standards:
Academic research
IIA research
International Standards
for the Professional
Practice of Internal
Auditing
Step 3: Conceptual
Model
Once articulated, the
model is tested using
the following methods:
Survey development
Data analysis
Model validation
Step 2: Model Development
In-house Analysis and Review
Research team
E&Y internal audit personnel
Field Interviews
Directors of
internal audit
Chief audit
executives
Preliminary
Drafts of
Conceptual
Model
First, we examined previously published research concerning internal auditing, with
particular emphasis on the factors revealed to be important indicators by Carcello et al.
(2005). We also considered the depth of research developed by The IIARF, as well as the
Standards, to identify factors that should infuence the size and scope of an internal audit
activity. Second, we brainstormed among research team members and consulted with key
personnel at Ernst & Young to refne our thoughts. Third, we conducted intensive feld
interviews nationwide with CAEs from a variety of colleges and universities (e.g., Auburn
University, Texas Tech University, University of California System, University of Texas at
Austin, University of Texas at Dallas, and University of Texas at San Antonio).
10
During the feld interviews, we were struck by several insights that ultimately permeated
much of our research, the conceptual model, and our fndings. First, our brainstorming
sessions revealed that tone at the top and the internal audit departments defned mission
are critical to determining resources allocated to the function. Second, while internal audit
activities are important, many of the activities that are often thought of as internal audit
activities have been incorporated into other operational aspects of some organizations,
including functions such as IT security, risk analysis and testing, and continuous audits
of IT data processing. Further, certain activities that were not formerly thought of as
internal audit activities are now defned as such, including functions such as Sarbanes-
Oxley compliance. The insight on the changing nature of internal-audit-type activities
performed within some organizations has signifcantly infuenced our conceptualization
of a model to determine the effective size of an internal audit activity. Third, our brain-
storming process made it clear that some organizations experience alignment between
managements expectations of internal auditing and the functions actually performed by
internal auditing, while others have not achieved such alignment. Obviously, to the extent
that there is alignment (misalignment), management will likely be more (less) satisfed with
the performance and quality of the internal audit function and will be more (less) willing
to expend resources to support it.
Our intent is to test the conceptual model through statistical data analysis to determine
whether it is useful in estimating something close to an effective size of an internal audit
activity given the objectives of such an activity, the nature of the organization, and other
factors that may reasonably affect internal audit activities. Through this iterative process
we developed the following conceptual model of internal audit effective sizing.
Figure 2: Conceptual Model
Critical
Factor 1:
University
Characteristics
Critical
Factor 2:
University
Governance
Characteristics
Critical
Factor 6:
Characteristics
of IA
Function
Critical
Factor 7:
IA Service
Quality
Conceptual
Result:
IA Size
Critical Factor 5:
Mission
Alignment
Critical Factor 3:
IA Mission (as perceived by
university management)
Critical Factor 4:
IA Value Propositions
}
The conceptual model includes seven interrelated critical factors that predict a potentially
appropriate size of the internal audit function:
11
III. A Conceptual Model for Determining the Effective Size of an Internal Audit Function
1. Characteristics of the college or university.
2. Characteristics of the governance structure of the college or university.
3. Mission of the internal audit function as seen by management, the board of
regents, and the internal audit function.
4. The internal audit value proposition as executed by the internal audit function.
5. The alignment of internal auditing with management and the board of regents
expectations.
6. Various characteristics of the internal audit activity (e.g., staffng).
7. Internal audit service quality.
These seven critical factors should then predict the effective size of an internal audit activity
for an organization given its mission, sourcing and staffng strategies, risk coverage, and
use of advanced audit tools and techniques.
Critical Factor One: Characteristics of the Organization
Any consideration of the effective size of an internal audit function should include basic
characteristics of the organization itself. Such characteristics include organization size,
complexity, fnancial condition, and risk. We expect that larger, more complex orga-
nizations will beneft from greater internal audit fnancial resources. Previous research
examining publicly traded companies suggests that fnancially stable organizations make
a greater commitment to corporate governance and therefore have larger internal audit
activities. Similarly, a college or university that has more risk (for example, one that has
extensive medical facilities) has a greater need for internal auditing to help mitigate that
risk, so such an organization should also allocate more resources to the internal audit
function.
Critical Factor Two: Characteristics of the
Organizations Governance Structure
We expect that an organizations governance characteristics, including board of regents
and audit committee characteristics and risk management functions, are also likely to
infuence the size of the internal audit function. It is unclear how these traditional gover-
nance characteristics will infuence internal audit size because strong governance may
have two distinct and opposing effects. On one hand, stronger governance characteristics,
such as an independent audit committee that meets frequently and interacts in private
with the internal audit department regularly, would indicate that the organization has an
appreciation for internal control risk management, and operational effciency and has a
12
strong control environment. Thus, strong governance characteristics could be associated
with high levels of commitment to internal auditing resulting in greater investment and/
or larger internal audit departments. On the other hand, organizations with strong gover-
nance characteristics may have smaller internal audit functions because of the strength of
the control environment, or because the organizations have committed to internal audit-
type functions that exist elsewhere in the organization (IT security, risk management,
etc.). That is, management may believe that its control objectives can be met with a small
internal audit department (or fewer resources dedicated to internal auditing) because
strong controls have been built into the strategic planning, operations, fnancial reporting,
and compliance activities.
Critical Factor Three: The Mission of the Internal Audit Function
In the conceptual model, we separate the internal audit mission (as perceived by manage-
ment and the board of regents) and the internal audit value propositions as executed by
the internal audit department (i.e., the services internal auditing provides to the organiza-
tion). This allows us to investigate the effects of alignment or misalignment between the
internal audit mission and the actual internal audit activities. The potential misalignment
between expectations and performance of internal auditing, as well as the extent to which
some (perhaps former) internal audit activities are now performed by noninternal audit
functions within the organization, may logically infuence the size of an internal audit
activity. We expect that as the internal audit functions mission becomes more comprehen-
sive, its size will necessarily increase to refect those resource demands, but only if there is
an alignment of actual internal audit activity with that mission. Finally, it is logical that
outsourcing some, or all, of an internal audit activity to an external provider will reduce
the overall size of an internal audit function, as measured by internal audit personnel.
Critical Factor Four: The Value Proposition
of the Internal Audit Function
The conceptual model also addresses the specifc value-added activities performed
by internal auditing. The IIAs formal defnition of internal auditing states that it is
designed to add value (IIA 1999). However, each internal audit department must deter-
mine precisely which activities or value propositions it will pursue to meet the goal of
being a value-added service. As the scope of those value-added services increases, along
with the quality of execution of those services, we expect the size of the internal audit
function to increase.
13
III. A Conceptual Model for Determining the Effective Size of an Internal Audit Function
Critical Factor Five: Alignment with the Value Propositions
A key element of our conceptual model concerns the appropriate alignment between
managements beliefs about internal auditings appropriate role and tasks (i.e., the value
proposition of internal auditing) and internal auditings own beliefs concerning its value
propositions. When management and internal auditing agree about the importance of
specifc internal audit activities, the likelihood that management will make a greater
investment in internal auditing increases. In contrast, if there are signifcant differences,
particularly where management does not see the value, we expect the investment in internal
audit activities to be reduced.
Further, our model considers overall alignment between internal auditings value proposi-
tions (as described in the internal audit mission) and the actual activities internal auditors
perform. Greater mission/activity alignment is likely to be positively related to internal
audit quality because internal audit customers (management and the audit committee/
board of regents) are likely to believe internal auditing meets or exceeds their expectations.
Therefore, we expect that greater mission/activity alignment will be positively related to
the size of the internal audit department.
Critical Factor Six: Characteristics of the Internal Audit Department
Next, we consider the characteristics of internal audit staffng and the technology internal
auditing uses in conducting its work. Professional standards and our interviews lead us
to believe that internal-audit specifc experience, organizational experience, and profes-
sional certifcations should all infuence audit department size. We anticipate that a more
professionally oriented staff, along with one that is more highly experienced, will enable
the internal audit function to accomplish its mission and provide value with relatively
fewer overall total resources. Thus, we predict that the size of internal auditing should be
inversely associated with the level of staffng experience and professionalism (as indicated
by the CIA or other similar professional certifcations).
We also consider internal auditings use of effectiveness-enhancing tools, including tools
involving data extraction and analysis, fraud detection and prevention, audit manage-
ment, control self-assessment, and continuous monitoring. We know that investment in IT
will improve the breadth and usually the depth, of audit coverage. There are two poten-
tial impacts of using such technology. First, the investment in audit technology should
allow existing auditors to do more with less staff. Therefore, the investment might lead to
smaller sized staffs. Second, because internal auditors can do more (and add more value
with less staff), it is possible that such organizations may actually invest more in internal
14
auditing because they receive greater beneft from audit activities. Our empirical testing
will examine these two possible interpretations.
Critical Factor Seven: Internal Audit Service Quality
Finally, our interviewees told us that quality of service, although sometimes diffcult to
measure, is a key factor to consider in determining the effective size of an internal audit
function because higher quality work adds more value and generates an expectation of
future quality. Internal audit functions that exceed their potential in terms of quality are
more likely to garner additional resources from management and the board of regents
over time. As such, we predict that internal audit functions that are perceived as high
quality will be those that have a relatively larger size, all other things being equal.
Conceptual Result: The Size of the Internal Audit Function
Ultimately, the conceptual model should allow us to predict the relative size of internal
audit functions within our sample organizations, and hopefully, an effective size of internal
auditing. There are, of course, many alternative ways to measure size. We include full-
time-equivalent headcounts in terms of number of internal audit staff members, along
with monetary budget and actual expense amounts.
15
IV. DATA COLLECTION
With the assistance of The IIARF, the Association of College and University Auditors
(ACUA), and the University CaliforniaDepartment of the Auditor, we identifed CAEs
to target as respondents for our study. Our target respondents included the entire member-
ship of ACUA 566 CAEs. During the summer and fall of 2008, we sent each internal
audit department an e-mail introducing our study. The e-mail included a hyperlink that the
departments could access to complete the survey through an online program. After several
weeks, we sent a reminder e-mail to those audit departments that had not yet responded to
the survey. We received 148 responses, resulting in a response rate of 26.15 percent.
The frst page of the survey provided a detailed introduction to the research project and
informed consent for departments participation. After reading this introductory informa-
tion, the auditors began the survey. Participants responded to questions related to each
critical factor in the conceptual model. A copy of the questionnaire is available from the
authors.
17
V. RESULTS
The following paragraphs, tables, and fgures provide descriptive statistics and discussion
regarding the critical factors of our conceptual model.
Critical Factor One: Characteristics of the Organization
Organizational characteristics likely to infuence the size of the internal audit function
include whether the organization is publicly or privately funded, size and complexity, and
the extent to which the control structure is centralized (or decentralized). We gathered a
number of variables to measure these characteristics of the organizations in our sample.
Ninety-fve public universities and 24 private universities (29 participants did not indi-
cate whether the university was public or private) responded to our survey. Fifty-seven
respondents stated that they are campus auditors, indicating that the scope of their
responsibility includes a specifc campus (or set of campuses) only. Alternatively, 61 respon-
dents stated that they are system auditors, indicating that they have audit responsibilities
over the entire system (with or without shared responsibilities with campus auditors).
Thirty respondents did not report whether they were system or campus auditors.
Thirty-two percent of universities in our sample have medical schools, while 23.6 percent
have schools of allied health, and 13.5 percent have hospitals. Finally, 12.2 percent have
schools of veterinary science. Approximately 40 percent of our sample comprises auditors
from universities classifed as NCAA Division One schools. Finally, on average, schools in
our sample have approximately four satellite campuses, with one school having as many
as 30 campuses. Table 1 shows the average number of students attending the universities
in our sample.
Table 1: Average Number of Students Enrolled in the Institution
Undergraduate Students Graduate Students Total Students
Public Universities 25,438 8,938 31,308
Private Universities 6,718 3,287 9,695
Total Sample 21,118 6,855 26,205
18
Figure 3 describes the extent to which the internal control systems and IT control systems
of the university are centralized. Approximately 26 percent of universities have central-
ized internal control systems, indicating that the internal controls are consolidated and
coordinated within one administrative system and processes are standardized throughout
the organization. Further, 34 percent have centralized IT control systems, indicating that
IT controls are primarily consolidated and coordinated centrally.
Figure 3: Centralization of the Internal Control System and IT Control System
Internal Control Structure IT Control Structure
Decentralized
35.8%
Centralized
26.4%
Partially
Decentralized
37.8%
Decentralized
17.9%
Centralized
34.1%
Partially
Decentralized
48.1%
Organizational complexity is also affected by the IT environment in particular, the
extent to which IT supports multiple systems or continues to support legacy systems. The
results in Figure 4 show that 82 percent use commercial software packages (43 percent
using single hardware systems (i.e., instances), and 39 percent using multiple instances).
19
V. Results
Figure 4: Description of IT Environment
Single Instance of Commercial
Software
Multiple Instance of Commercial
Software
Single Instance of Legacy System
Multiple Instance of Legacy System
Other
10%
43%
7%
39%
1%
Critical Factor Two: Characteristics of the
Organizations Governance Structure
Previous research and interviews with CAEs indicate that the structures and control mech-
anisms associated with various elements of organizational governance will infuence the
size of the internal audit function. We consider board of regents, audit committee, and
risk management characteristics in our analyses.
Board of Regents. Approximately 90 percent of the organizations in our sample indicate
that they have a board of directors or board of regents. Specifcally, 100 percent of private
institutions and 88.6 percent of public institutions report having a board. The difference
between public and private is likely due to some public universities maintaining a board at
the system level (i.e., not at the campus level).
Audit Committee. The majority (71 percent) of respondents indicate that they report to
the audit committee, followed by 11 percent who report to the board of regents as a whole
(see Figure 5).
20
Figure 5: Internal Audit Reporting Relationships
Audit Committee
Board of Regents
Finance & Budget Committee
Other
None
Did Not Respond
6.7%
4.8%
12.3%
61.9%
4.8%
9.5%
As described in Table 2, audit committees have on average about six members, with
four outside members (i.e., not part of the organizations management) and one to two
inside members.
Table 2: Audit Committee Characteristics
Number of Audit Committee Members
Average Minimum Maximum
Total Audit Committee Members 5.75 2 16
Outside Audit Committee Members 4.38 0 10
Inside Audit Committee Members 1.48 0 15
Finally, we asked participants about a variety of characteristics of audit committees that
improve governance. Specifcally, we asked: 1) whether the audit committee includes a
fnancial expert; 2) has access to sensitive information regarding organizational opera-
tions; and 3) has an offcial audit committee charter. As shown in Figure 6, approximately
90 percent of respondents answered yes to each question about audit committee
characteristics.
We also asked participants to provide information about the audit committees inter-
action with the internal audit department, including: 1) approval of the internal audit
21
V. Results
charter; 2) approval of the internal audit plan; 3) approval of the internal audit budget;
4) meeting privately with the CAE; and 5) responsibility for hiring or fring the CAE. As
shown in Figure 6, the majority of audit committees have signifcant interaction with the
internal audit departments (as evidenced by positive responses to the previously described
questions).
Figure 6: Audit Committee Governance Characteristics
F
i
n
a
n
c
i
a
l

E
x
p
e
r
t
S
e
n
s
i
t
i
v
e

I
n
f
o
.

A
v
a
i
l
a
b
l
e
A
C

H
a
s

a

C
h
a
r
t
e
r
A
C

A
p
p
r
o
v
e
s

I
A

C
h
a
r
t
e
r
A
C

A
p
p
r
o
v
e
s

I
A

P
l
a
n
A
C

&

C
A
E

M
e
e
t
A
C

H
i
r
e
s
/
F
i
r
e
s

C
A
E
A
C

A
p
p
r
o
v
e
s

I
A

B
u
d
g
e
t
0%
20%
40%
60%
80%
100%
N/A
No
Yes
Risk Management Function. One important characteristic of organizations governance
practices that is often overlooked is the implementation of a comprehensive risk manage-
ment process. Stated differently, risk management is comprehensive and not simply
something that takes place in different divisions or departments within the organization. To
the extent that departments other than internal auditing are performing risk management,
or risk analysis type activities, the internal audit scope would be less than an organization
22
in which internal auditing performs many of these activities. However, the internal audit
department usually has some responsibility to develop and communicate to management
and the board an assessment of the robustness of the organizations risk management
process, including the identifcation and management of important risks.
We examined the extent to which noninternal audit departments are responsible for
providing various assurance or compliance activities beyond risk management. On average,
the (untabulated) results show that organizations use other, noninternal audit departments
to perform risk management activities to a moderate extent (mean = 5.02 on a 7 point
scale). In Table 6 we document the percentage of respondents indicating that noninternal
audit departments perform specifc audit/compliance and risk management activities. For
example, more than 50 percent of our participants indicate that audit/compliance and/or
risk management activities related to athletics (50.6 percent), environmental health and
safety (59.9 percent), emerging liabilities (54.10 percent), federal grant compliance (63.2
percent), employees health and safety (72.4 percent), IT security (58.5 percent), and legal
compliance (58.6 percent) are performed by a noninternal audit function to a moderate
extent (or greater).
Table 3: Comprehensive Risk Management/Compliance Network
Extent to Which Noninternal Audit Departments are
Responsible for Audit/Compliance Activities
Very Limited Moderate Great
None (1) (2) (3) (4) (5) (6) (7) N/A
Athletics
8.0% 6.7% 5.3% 12.0% 9.3% 13.3% 9.3% 18.7% 17.3%
Construction
Contracts
18.7% 8.0% 9.3% 10.7% 13.3% 9.3% 14.7% 10.7% 5.3%
Environmental
Health & Safety
8.0% 6.7% 8.0% 6.7% 13.3% 13.3% 12.0% 21.3% 10.7%
Emerging
Liabilities
14.9% 9.5% 8.1% 9.5% 23.0% 10.8% 10.8% 9.5% 4.1%
Ethics
22.7% 14.7% 8.0% 9.3% 14.7% 8.0% 12.0% 4.0% 6.7%
Federal Grant
Compliance
5.3% 10.5% 2.6% 7.9% 15.8% 11.8% 13.2% 22.4% 10.5%
Health & Safety
of Employees
5.3% 9.2% 7.9% 3.9% 15.8% 11.8% 14.5% 30.3% 1.3%
IT Security
9.1% 18.2% 5.2% 6.5% 18.2% 6.5% 11.7% 22.1% 2.6%
23
V. Results
Table 3: Comprehensive Risk Management/Compliance Network (continued)
Extent to Which Noninternal Audit Departments are
Responsible for Audit/Compliance Activities
Very Limited Moderate Great
None (1) (2) (3) (4) (5) (6) (7) N/A
None (1) (2) (3) (4) (5) (6) (7) N/A
Legal
Compliance
4.0% 16.0% 9.3% 9.3% 25.3% 12.0% 9.3% 12.0% 2.7%
Loss Prevention
16.2% 10.8% 4.1% 10.8% 16.2% 10.8% 8.1% 12.2% 10.8%
Medical School
Compliance
4.2% 5.6% 0.0% 4.2% 2.8% 4.2% 4.2% 11.1% 63.9%
Post Project
Implementation
23.3% 11.0% 6.8% 8.2% 8.2% 11.0% 5.5% 11.0% 15.1%
QC/QA
13.5% 16.2% 4.1% 9.5% 8.1% 14.9% 5.4% 6.8% 21.6%
Other
0.0% 0.0% 5.9% 0.0% 0.0% 2.9% 0.0% 8.8% 82.4%
Some of these areas represent specialties where internal auditing usually does not func-
tion, e.g., quality control. However, internal auditing usually is responsible for determining
whether those functions are operating effectively. Table 4 identifes the (single) most
frequently cited noninternal audit function responsible for each of the compliance/assurance
services, with Environmental Health & Safety playing a critical role in most organizations.
Table 4: Most Frequently Listed Noninternal
Audit Function for Each Activity
Assurance/Compliance Activity
Most Frequently Stated
Noninternal Audit Department
Percent Providing
Response
Athletics Compliance 29.20%
Construction Contracts Accounting/Finance 22.60%
Environmental Health & Safety Environmental Health & Safety 71.90%
Emerging Liabilities Environmental Health & Safety 31.40%
Ethics Legal 25.00%
Federal Grant Compliance Accounting/Finance 42.90%
24
Table 4: Most Frequently Listed Noninternal
Audit Function for Each Activity (continued)
Assurance/Compliance Activity
Most Frequently Stated
Noninternal Audit Department
Percent Providing
Response
Health & Safety of Employees Environmental Health & Safety 71.40%
IT Security Internal IT Security 83.30%
Legal Compliance Compliance 25.40%
Loss Prevention Accounting/Finance 16.30%
Medical School Compliance Compliance 25.80%
Post Project Implementation Accounting/Finance 47.40%
QC/QA Project Management 12.20%
Critical Factor Three: The Mission of the Internal Audit Function
Although internal auditing is defned broadly, we explored its mission more directly by
asking CAEs which of several objectives, if any, were included in the mission for their
internal audit function (Table 5).
Table 5: Defnitions of Objectives Included in the
Internal Audit Mission
o Operational Auditing Auditing of operational processes.
o Financial Auditing Auditing of fnancial reporting processes.
o IT Auditing Auditing the IT development processes, change controls,
etc.
o IT Security & Control Auditing of IT privacy and security compliance.
o Compliance Auditing compliance with laws and regulations, policy, etc.
o Financial Audit Support Providing assistance to external auditors during fnancial
statement audits.
o Auditing Third Parties Reviewing contract compliance, revenue collection, joint
venture/strategic partner relations, etc.
25
V. Results
Table 5: Defnitions of Objectives Included in the
Internal Audit Mission (continued)
o Reporting on Internal Control Rendering an opinion on internal controls in accordance
with COSO.
o Risk Management Leadership Championing risk management.
o Leadership Development Internal auditing serves as a training ground for
organizational management.
o Control Improvement Providing consulting services on control development
or pre-implementation reviews, control self-assessment
engagements, etc.
o Control Leadership/
Continuous Monitoring
Developing systems to provide information to management
regarding control on a continuous basis.
o Anti-fraud Programs Developing and implementing fraud prevention and
detection programs.
o Governance Providing administrative support for the audit committee.
o Compliance with Statutory
Audit Requirements
Performing audits/reviews to ensure compliance with
various statutory audit requirements.
o Other Defned by participants.
Mission-relevant Responsibilities. The organizations in our sample include a variety of
internal audit function missions. Figure 7 illustrates the percentage of participants indi-
cating each objective that is included in the mission statement. The results reveal that, on
average, the internal audit mission includes approximately fve activities (4.81). Almost all
respondents indicate that operational auditing and compliance is explicitly identifed in the
mission statement (95.5 percent and 94.4 percent, respectively). In addition, approximately
75 percent of respondents indicate that IT auditing, IT security, and control improvement
are explicitly included in the mission statement.
26
Figure 7: Objectives in the Internal Audit Mission (Full Sample)
O
p
e
r
a
t
i
o
n
a
l

A
u
d
i
t
C
o
m
p
l
i
a
n
c
e
I
T

A
u
d
i
t
I
T

S
e
c
u
r
i
t
y
I
m
p
r
o
v
e

C
o
n
t
r
o
l
F
i
n
a
n
c
i
a
l

A
u
d
i
t
A
n
t
i
-
f
r
a
u
d
R
M

L
e
a
d
e
r
s
h
i
p
G
o
v
e
r
n
a
n
c
e
C
O
S
O

R
e
p
t
.
E
x
t
.

A
u
d
i
t

S
u
p
p
o
r
t
R
e
g
.

C
o
m
p
.
3
r
d

P
a
r
t
i
e
s
C
o
n
t
r
o
l

L
e
a
d
e
r
s
L
e
a
d
e
r
s
h
i
p

D
e
v
.
O
t
h
e
r
0%
20%
40%
60%
80%
100%
Not Included in IA Mission Included in IA Mission
Figure 8 compares the percentage of public universities including each objective to the
percentage of private universities including each objective. The most signifcant differ-
ences between the missions of public and private universities include: IT audit and IT
security (included by 77.3 percent of public universities versus 53.8 percent of private
universities), external audit support (included by 40 percent of public universities versus
15.4 percent of private universities) and compliance (included by 97.3 percent of public
universities versus 76.9 percent of private universities).
27
V. Results
Figure 8: Objectives in the Internal Audit Mission (Public versus Private)
Compliance
Operational Audit
IT Security
IT Audit
Improve Control
Financial Audit
Governance
Anti-fraud
RM Leadership
COSO Rept.
Ext. Audit Support
Reg. Comp.
Control Leaders
3rd Parties
Leadership Dev.
Other
0% 20% 40% 60% 80% 100%
Private Universities
Public Universities
Extent of Internal Audit Responsibilities Accomplished via Alternative Sourcing. Many
organizations outsource some or all internal audit activities. Clearly, the extent to which
an organization engages alternative sources to perform internal audit activities impacts
the number of internal auditors the organization employs.
5
Therefore, we asked a variety
of questions to identify the extent of alternative sourcing, as well as the nature of the
outsourced services obtained. The results show that the majority of respondents perform
5
Alternative sourcing of some or all internal audit activities will reduce the number of internal
auditors employed by the company. Additional analysis examining the effect of alternative
sourcing on the internal audit budget and internal audit expenses also reveals that it reduces the
number of FTEs employed to complete the audit plan.
28
most or all internal audit activities in house. Specifcally, 70 percent indicate that all
internal audit activities are performed in house, while only 2 percent say most activities
are outsourced. For the remaining organizations that use cosourcing arrangements to
some extent (approximately 28 percent), most rely on cosourcing to fulfll their specialized
or technical audit needs. Figure 9 illustrates the use of cosourcing by universities in our
sample.
Figure 9: Extent of Internal Audit Outsourcing
100% Completed In House
Primarily Outsourced
Cosourced Activities
Cosource Specialized or
Technical Audits
Cosource Regulatory
Audits
Cosource Everyday Audit
Activities
72.9%
4.0%
28.8%
1.0%
2.0%
23.8%
Table 6 describes the extent to which specifc internal audit activities are outsourced. The
activities that are most commonly not outsourced include temporary audit staffng for
operational audits (92.3 percent), federal grant compliance (67.4 percent), and environ-
mental health and safety (65.3 percent). Activities that are outsourced to a moderate or
very great extent include regulatory audits (34 percent) and IT controls and security (18
percent).
29
V. Results
Table 6: Defnitions of Objectives Included in the Internal Audit Mission
Not at All
To a Very
Limited
Extent
To a
Moderate
Extent
To a Very
Great
Extent N/A
Athletics 57.60% 12.00% 5.40% 4.30% 20.70%
Environmental Health &
Safety
65.30% 10.50% 4.20% 4.20% 15.80%
Federal Grant Compliance 67.40% 6.30% 4.20% 4.20% 17.90%
Fraud 60.00% 17.90% 4.20% 4.20% 13.70%
IT Controls 55.80% 14.70% 9.50% 8.40% 11.60%
Medical School
Compliance
42.10% 2.10% 0.00% 1.10% 54.70%
Regulatory Audits 39.60% 2.20% 7.70% 26.40% 24.20%
Temporary Audit Staf 92.30% 7.70% 0.00% 0.00% 0.00%
Critical Factor Four: The Value Proposition
of the Internal Audit Function
In our survey, we ask participants to identify the value propositions of the internal audit
function and indicate the percentage of total internal audit resources dedicated to each
activity. As shown in Figure 10, approximately 30 percent of activities and associated
resource allocations involve operational auditing, followed by 18 percent dedicated to
compliance-related audit activities. Auditing fnancial reporting processes is the third
largest activity, consuming approximately 18 percent of resources.
30
Figure 10: Audit Resources Dedicated to Specifc Activities
Figure 11 compares the resources spent on each audit activity by public institutions to
those spent on the same activities in private institutions. Operational auditing is the largest
expense in public and private institutions (26.63 percent and 32.08 percent, respectively).
Compliance auditing requires approximately 18 percent of the resources at public institu-
tions and only 9 percent at private institutions. Private institutions focus more resources
on fnancial auditing than do public institutions (15.8 percent compared to 10 percent).
The remaining activities receive similar attention at public and private institutions.
Regulatory Compliance (2%)
Auditing Auxillary Services
Risk Management (4%)
Other Activities (4%)
Consulting Activities (7%)
Fraud (9%)
Financial Auditing (11%)
IT Security (11%)
Compliance Auditing (17%)
Operational Auditing (27%)
(4%)
11%
9%
7%
4%
4%
27%
17%
2%
11%
4%
31
V. Results
Figure 11: Audit Resources Dedicated to Specifc Activities (Public versus Private)
Regulatory
Compliance
Risk
Management
Auditing Auxillary
Services
Other
Activities
Consulting
Activities
Fraud
Financial
Auditing
IT Security
Compliance
Auditing
Operational
Auditing
0% 5% 10% 15% 20% 25% 30% 35%
Private
Public
Next, we examined the extent to which the internal audit function engages in various
compliance and risk-management activities and whether internal auditing takes on an
ownership role including management and oversight or an audit/support role. We
defne an ownership role as when internal auditing has responsibility for the manage-
ment and oversight of the function in general. A support/audit role is defned as internal
auditing performing audit or other supporting activities to assist the process owner. As
shown in Table 7, internal auditing is most extensively involved in non-medical compli-
ance, IT security, and continuous monitoring. However, when internal auditing is involved,
the department rarely assumes an ownership role and instead is primarily involved in a
support role.
32
Table 7: Internal Auditings Involvement in Compliance and Risk Management
Activity
Mean % Extent of Internal Audit
Involvement for Each Activity
Internal Audit Role

in Each Activity
N/A Occasionally Regular Extensive
Mean %
Ownership
Mean %
Support
Continuous
Monitoring
26.20% 34.50% 27.40% 11.90%
21.40% 78.60%
Enterprise Risk
Management
13.10% 39.30% 39.30% 8.30%
24.20% 75.80%
HR Compliance 6.00% 59.00% 31.30% 3.60%
2.70% 97.30%
Intellectual
Property
Compliance
32.90% 61.00% 4.90% 1.20%
3.80% 96.20%
IT Security
9.60%
43.40% 34.90% 12.00%
2.90% 97.10%
Licensing
Compliance
36.60% 61.00% 2.40% 0.00%
4.10% 95.90%
Medical
Compliance
63.90% 22.90% 9.60% 3.60%
6.50% 93.50%
Nonmedical
Compliance

2.40%
36.10% 44.60% 16.90%
9.30% 90.70%
Other 70.50% 2.30% 9.10% 18.20%
53.80% 46.20%
Critical Factor Five: Potential Misalignment
with the Value Propositions
Table 8 reveals the extent of management and internal audit misalignment, i.e., disagree-
ment between management and internal auditing about the importance of various internal
audit activities. There can be many measures of potential misalignment and as posited
in the conceptual model, this misalignment may affect the resources devoted to internal
auditing. Note that we are not arguing that managements view is more correct, or that
internal auditings view is more correct. We simply asked CAEs whether or not their views
are aligned with managements views so that we can determine whether potential misalign-
33
V. Results
ment affects the resources allocated to internal auditing and, as importantly, which
factors of misalignment most affect resource allocation.
For the most part, responses indicate that management and internal auditing agree on the
importance of each of the activities. However, we fnd that for more than 30 percent of
the universities represented in our study, internal auditors believe that a focus on ethics, IT
auditing, operational auditing, and risk management is more important (at least slightly)
than management does. On the other hand, in 10 percent of the universities, management
believes that providing external audit support is more important than the internal audit
department does.
Table 8: Extent of Management and Internal Audit Misalignment
Management Believes
It is More Important
Than Internal
Auditing Does
Internal Auditing
Believes It is More
Important Than
Management Does
N/A Signifcantly Slightly Agree Slightly Signifcantly
Athletics 17.80% 1.40% 6.80% 58.90% 11.00% 4.10%
EHS 9.50% 0.00% 1.40% 71.60% 14.90% 2.70%
Ethics 9.50% 0.00% 2.70% 55.40% 18.90% 13.50%
Ext. Audit Support 14.90% 4.10% 5.40% 71.60% 2.70% 1.40%
Fed. Grant
Compliance
8.10% 0.00% 1.40% 71.60% 12.20% 6.80%
Financial Reporting 8.20% 2.70% 5.50% 74.00% 6.80% 2.70%
HR Compliance 2.70% 2.70% 2.70% 71.60% 14.90% 5.40%
IT Audit 1.40% 2.70% 2.70% 52.70% 31.10% 9.50%
Medical School
Compliance
60.60% 0.00% 1.40% 35.20% 1.40% 1.40%
Operational Auditing 1.40% 1.40% 1.40% 65.80% 20.50% 9.60%
Other 1.40% 0.00% 1.40% 66.20% 20.30% 10.80%
Purchasing Audits 1.40% 0.70% 5.50% 75.30% 9.60% 5.50%
Risk Management 1.40% 2.70% 4.10% 50.70% 27.40% 13.70%
Whistleblower
Hotline
13.50% 1.40% 1.50% 60.80% 14.90% 8.10%
34
In addition, we compare the activities explicitly described in the internal audit mission
(see Figure 10) to the activities the internal audit function includes as value propositions
and actually performs (see Figure 7). To the extent that the activities listed in the internal
audit mission differ from those actually performed by internal auditing, we expect that the
internal audit department may not be meeting managements expectations. Specifcally,
for each item listed in the mission, we determine whether the organization reported that
resources are devoted to that activity. We verifed that all activities to which resources are
dedicated are included in the mission. We added together all of the activities that are not
included in both the mission and the stated activities as our measure of mission alignment.
We consider organizations with alignment equal to zero (0) or one (1) to be well aligned.
We consider organizations with an alignment score greater than one (1) to be misaligned.
Table 9 provides an example of our calculation of the mission alignment variable.
Table 9: Mission Alignment Example
Included in
Mission?
Activities
Performed?
Diferences
Between Mission
& Activities
Compliance Activities Yes Yes
Consulting Activities Yes No X
Financial Audit No No
Fraud-related Activities Yes Yes
IT Audit Yes No X
Operational Audit Yes Yes
Risk Management No No
Leadership Development No Yes X

Total Diferences 3

If there are one or fewer diferences, we consider the activities aligned with the mission of internal
auditing. If there is more than one diference, we consider the activities and mission to be misaligned.
Using the methodology described above, we fnd that approximately 80 percent of the
organizations in our sample perform activities that are included in the stated mission
of the internal audit function. That is, approximately 80 percent are aligned. Further
35
V. Results
examination of mission alignment in public and private organizations separately reveals
that approximately 80 percent of each is aligned (79.5 percent and 81.8 percent, respec-
tively). We did not specifcally test whether the nature of the alignment (misalignment)
made the most difference. Rather, for the broad model, we are interested in whether or not
there is a strong or weak consistency between the activities included in the mission and the
activities performed by internal auditing.
Critical Factor Six: Characteristics of the Internal Audit Department
As posited in the conceptual model, an internal audit departments staffng philosophy,
as well as automation strategy, may infuence the effective size of an audit activity. For
example, we would expect that a department with experienced CIAs might be smaller than
a department with CIAs in the management position supervising a number of staff audi-
tors that are on a rotation through internal auditing as part of a fnancial management
training program. We also expect that an audit department that uses a great deal of auto-
mation may be able to cut down the size of the activity to take advantage of its investment
in technology. We report the characteristics of the organizations in our sample next.
Characteristics of Internal Audit Personnel. By comparing Panels A and B of Table 10,
we fnd that, on average, each classifcation of internal audit employee has slightly more
experience in internal auditing than they do within the organization as a whole. This is
consistent with the notion that many organizations rely on experienced internal audi-
tors when hiring new staff. Indeed, our survey results indicate that less than 24 percent
(23.9 percent) of organizations hire inexperienced auditors directly from college campuses
(described more fully in Table 12).
Table 10: Internal Auditors Years of Experience
Panel A: Average Years of

Experience in Internal Auditing
Panel B: Average Years of
Experience in the University
Internal Audit
Function Staf Manager
Audit
Dept. Staf Manager
Audit
Dept.
Public Universities 5.60 12.17 18.32 4.15 9.23 13.45
Private Universities 4.42 8.25 20.00 2.30 2.00 8.00
Total Sample 5.53 12.33 18.74 4.10 9.15 12.57
36
Table 11 reports the percentage of internal auditors that have achieved various certifca-
tions or are classifed as IT specialists. In the total sample, approximately 51 percent of
internal auditors hold CIA certifcations, with a larger percentage (61 percent) holding
Certifed Public Accountant (CPA) certifcations. Only 26 percent of internal auditors have
the Certifed Information Systems Auditor (CISA) certifcation, which is also refected in
the relatively low number of internal auditors classifed as IT specialists (approximately 4
percent). Approximately 6 percent hold the Certifed Government Auditing Professional
(CGAP) certifcation.
Table 11: Percentage of Auditors with Certifcations
Average Percentage of Auditors with Expertise
Internal Audit Function CPA CIA CISA CGAP IT
Public Universities 57.95% 47.53% 22.61% 6.23% 4.81%
Private Universities 83.21% 82.06% 65.96% 0.00% 1.83%
Total Sample 61.40% 51.31% 26.15% 6.23% 4.34%
Further, we consider the possibility that one of the critical characteristics of an internal
audit department is that it can serve as a training ground for future operational managers.
To this end, we ask several questions designed to determine the extent that the internal
audit department is used to develop managers for the organization. Internal audit depart-
ments that serve as management training grounds are likely to have a larger staff compared
to those that do not, because auditors may be transitioning in and out of the department
and will have relatively limited internal audit experience. Internal audit departments are
often used as a training ground for operational management or for personnel develop-
ment. We asked participants to indicate the extent to which the audit department is used
for leadership/personnel development. The average response indicates that the internal
audit department is used for leadership development to a limited extent (2.58/7.0 with
1 = a very limited extent, 4 = a moderate extent, and 7 = a very great extent). For
further exploration, we asked participants to describe the staffng philosophy of the orga-
nization. That is, we asked whether the internal audit department typically hires internal
auditors to perform a rotation in the department before transitioning into another posi-
tion in the organization, or hires career auditors. Further, we asked whether auditors are
usually hired from within the organization or outside, and as entry-level or experienced
personnel. Table 12 illustrates the results of this analysis and reveals that organizations
37
V. Results
in our sample primarily make experienced hires with the intention of keeping them in the
internal audit department, which is consistent with the relatively limited extent of use of
the internal audit function for leadership development.
Table 12: Internal Audit Stafng Philosophy
Rotation Career
Org.
Employee
Entry
Level
Exp.
Hire
Entry
Level
Exp.
Hire Other N/A
Public 4.10% 12.30% 5.50% 13.70% 52.10% 4.10% 8.20%
Private 7.10% 7.10% 7.10% 7.10% 35.90% 21.40% 14.30%
Total Sample 4.50% 11.40% 5.70% 12.50% 50.00% 6.80% 9.10%
Internal Audit Use of Tools. In addition to the characteristics of internal audit personnel, it
is also important to consider the tools that they use to complete their tasks. To understand
that issue, we collect data regarding the extent to which the internal audit department
leverages automated internal audit tools. There are a variety of resources and tools avail-
able to internal auditors to improve the effciency of audits. Further, many of these tools
can improve the effectiveness of the audits by allowing auditors to examine the complete
population of transactions, thereby performing a thorough review of the entire organiza-
tion, rather than being limited by sample size. We asked participants to indicate how much
they use each of the following: 1) data extraction and analysis tools; 2) audit management
tools (e.g., automated workpapers or scheduling tools); 3) control self-assessment tools;
4) fraud detection and prevention tools; 5) continuous monitoring tools; and 6) Sarbanes-
Oxley compliance tools. Figure 12 reveals the percentage of organizations reporting at
least a moderate usage of each type of internal audit tool. As shown, data extraction and
audit management tools are the most commonly used technology tools, with 65.8 percent
of organizations indicating at least a moderate usage of data extraction tools and 59.7
percent indicating at least a moderate usage of audit management tools.
38
Figure 12: Usage of Internal Audit Tools
D
a
t
a

E
x
t
r
a
c
t
i
o
n

a
n
d

A
n
a
l
y
s
i
s

A
u
d
i
t

M
a
n
a
g
e
m
e
n
t
C
o
n
t
r
o
l

S
e
l
f
-
a
s
s
e
s
s
m
e
n
t
F
r
a
u
d

D
e
t
e
c
t
i
o
n

a
n
d

P
r
e
v
e
n
t
i
o
n

C
o
n
t
i
n
u
o
u
s

M
o
n
i
t
o
r
i
n
g
S
a
r
b
a
n
e
s
-
O
x
l
e
y

C
o
m
p
l
i
a
n
c
e

0%
10%
20%
30%
40%
50%
60%
70%
% Organizations with at least moderate usage
Critical Factor Seven: Internal Audit Service Quality
The next critical factor in the model focuses on perceptions of the service quality of internal
auditing. To assess this factor, we asked participants to provide their own assessments of
the value provided by internal auditing. Specifcally, internal auditors indicated whether
or not they believe internal auditing is meeting or exceeding its potential. As evidenced in
Figure 13, approximately 40 percent indicate that the internal audit department operates
slightly, somewhat, or signifcantly below its full potential. About 15 percent of partici-
pants say the internal audit department meets its potential, and 0 percent say internal
auditing is signifcantly exceeding expectations. Thus, internal auditors perceptions of
value leave room for improvement.
39
V. Results
Figure 13: Assessment of Internal Audit Quality
S
i
g
n
i
f
c
a
n
t
l
y

B
e
l
o
w
S
o
m
e
w
h
a
t

B
e
l
o
w
S
l
i
g
h
t
l
y

B
e
l
o
w
M
e
e
t
s

P
o
t
e
n
t
i
a
l
S
l
i
g
h
t
l
y

A
b
o
v
e
S
o
m
e
w
h
a
t

A
b
o
v
e

S
i
g
n
i
f
c
a
n
t
l
y

A
b
o
v
e

0%
5%
10%
15%
20%
25%
30%
Extent to Which Internal Auditing Meets Its Potential
Model Conclusion: The Size of the Internal Audit Function
Internal Audit Staffng Size and Budgets. The ultimate goal of our conceptual model is to
help determine the appropriate size of the internal audit function. Ultimately, given an
organizations value proposition for internal auditing, its staffng philosophy, and other
factors, we would like to identify characteristics that lead to a specifc size of internal
audit department. More importantly, we would like to predict the factors that seem to
be most valued by management. In this section, we present descriptive data on various
measures of internal audit department size in our sample organizations. Table 13 shows
the total number of internal auditors for the full sample and various industry categories.
The results reveal that, on average, sample organizations have about six internal auditors
on their staff, with public universities having more than private universities (Table 13,
panel A), and systems audit departments being slightly larger than campus audit depart-
ments (Table 13, panel B).
40
Table 13: Number of Internal Auditors
Panel A: Number of Internal Auditors Public versus Private
Internal Audit Function
Total Internal Audit
Employees (Includes Director) Staf Seniors Managers
Public Universities 5.74 2.21 3.10 1.74
Private Universities 4.14 2.60 1.89 1.00
Total Sample 5.46 2.25 2.94 1.58
Panel B: Number of Internal Auditors Campus versus System
Internal Audit Function
Total Internal Audit
Employees (Includes Director) Staf Seniors Managers
Campus Auditors 4.78 1.60 2.62 1.26
System Auditors 6.27 3.04 3.42 2.06
Total Sample 5.46 2.25 2.94 1.58
Table 14 documents the 2007 and 2008 internal audit budgets (in hours and USD) and the
2006 and 2007 internal audit expenses. Average expenses and hours for both budgets and
actual activities have increased approximately 10 percent in the past two years (although,
budgeted hours have only increased 7 percent). Average cost per hour has remained stable
at approximately $80.
41
V. Results
T
a
b
l
e

1
4
:

I
n
t
e
r
n
a
l

A
u
d
i
t

B
u
d
g
e
t

a
n
d

A
c
t
u
a
l

E
x
p
e
n
s
e
s
A
v
e
r
a
g
e
I
A
$
/

H
o
u
r
%

I
n
c
r
e
a
s
e
M
i
n
.
I
A
$
/

H
o
u
r
%

I
n
c
r
e
a
s
e
M
a
x
.
I
A
$
/

H
o
u
r
%

I
n
c
r
e
a
s
e
T
o
t
a
l

I
A

A
c
t
i
v
i
t
i
e
s

-

H
R
S

2
0
0
6

5
,
5
5
0

$
8
0
.
7
0

1
0
%

1
,
4
0
0

$
1
0
.
0
0

0
%

2
2
,
3
7
5

$
8
9
.
3
9

-
4
%
T
o
t
a
l

I
A

A
c
t
i
v
i
t
i
e
s

-

H
R
S

2
0
0
7

6
,
0
8
4

$
7
9
.
9
9

1
,
4
0
0

$
1
2
.
1
4

2
1
,
5
0
4

$
9
3
.
0
1

T
o
t
a
l

I
A

A
c
t
i
v
i
t
i
e
s

-

U
S
D

2
0
0
6

$
4
4
7
,
9
0
2

-
-

9
%
$

1
4
,
0
0
0

-
-

2
1
%

$
2
,
0
0
0
,
0
0
0

-
-

0
%
T
o
t
a
l

I
A

A
c
t
i
v
i
t
i
e
s

-

U
S
D

2
0
0
7

$
4
8
6
,
6
8
5

-
-

$

1
7
,
0
0
0

$
2
,
0
0
0
,
0
0
0

-
-

T
o
t
a
l

I
A

B
u
d
g
e
t

-

H
R
S

2
0
0
7

5
,
7
7
8

$
7
4
.
9
5

7
%

1
,
4
0
0

$
1
2
.
1
4

0
%
2
1
,
5
0
4

$
9
3
.
0
1

-
5
%
T
o
t
a
l

I
A

B
u
d
g
e
t

-

H
R
S

2
0
0
8

6
,
1
9
7

$
7
7
.
7
2

1
,
4
0
0

$
1
4
.
1
1

2
0
,
4
4
4

$
9
7
.
8
3

T
o
t
a
l

I
A

B
u
d
g
e
t

-

U
S
D

2
0
0
7

$
4
3
3
,
0
6
1

-
-

1
1
%
$

1
7
,
0
0
0

-
-

1
6
%

$
2
,
0
0
0
,
0
0
0

-
-

0
%
T
o
t
a
l

I
A

B
u
d
g
e
t

-

U
S
D

2
0
0
8

$
4
8
1
,
6
5
9

-
-

$

1
9
,
7
5
0

-
-

$
2
,
0
0
0
,
0
0
0

-
-

42
Internal Audit Resource Adequacy. While the preceding information provides descriptive
evidence concerning the actual staffng and budgetary resources allocated to internal audit
departments currently, we also asked participants to assess whether they believe those
resources are adequate. The results (untabulated) reveal that 31 percent of respondents
believe that the current number of internal audit staff is appropriate, while approximately
68 percent believe more internal auditors are needed. One percent indicate that the current
internal audit department is overstaffed. With respect to the amount of monetary resources
dedicated to internal auditing, 67 percent indicate that more resources are needed, 33
percent believe the current resource allocation is appropriate, and no one responded that
fewer resources are necessary.
Respondents also provided some insights into the audit skills that they need. Table 15
reveals that IT audit skills are the most frequently cited skill need (30.4 percent).
Table 15: Audit Skills Needed
Audit Needed Skill % Indicating Need
IT Skills 30.40%
Specialized Audit Skills 23.00%
Traditional Audit Skills 20.30%
Advanced Audit Skills 14.90%
Compliance Skills 12.20%
Fraud Skills 10.80%
Based on the preceding analysis, an important question emerges. Given that the overall
results indicate that most CAEs believe they are undersourced, how can we use the data
to develop an estimate of the effective size of an internal audit activity? We answer that
question the following way: The primary model should be based on organizations where
management and audit perceptions of internal audit value are most closely aligned. That
alignment should predict the best ft for the conceptual model. The model should predict
how much internal audit staffng would (should) change when there is less alignment.
Further, we also want to know how staffng changes in response to other elements in the
conceptual model, e.g., the value proposition, the staffng proposition, investment in audit
technology, and so forth.
43
VI. TESTING THE
CONCEPTUAL MODEL
The conceptual model is based on our knowledge gained from interviews and previous
research. In theory, the model provides a framework of issues we should think about in
determining the effective size of an internal audit activity. However, we need to go from
theory to practice. In other words, can the conceptual model be used to predict the effective
size of an internal audit department given its value proposition, staffng philosophy, and
the other factors identifed in developing the model? If yes, can we further refne the model
to determine the effective size that might refect better alignment between management
and audit committee values for internal auditing and the delivery of those value-added
activities?
The most powerful way to frst test the validity of the conceptual model is to use regres-
sion analysis that incorporates real-world data gathered for the specifc purpose of testing
the model (much of the data are described herein). In performing this analysis, we pursue
the association between the critical factors in our conceptual model (i.e., characteristics of
the organization, characteristics of the organizations governance structure, the mission of
the internal audit function, the value proposition of the internal audit function, potential
misalignment with the value propositions, characteristics of the internal audit depart-
ment, and internal audit service quality) and the size of the internal audit departments in
our sample organizations. We not only want to know the association of these factors, but
which ones really make a signifcant difference in predicting the relative size of an internal
audit department that best meets or exceeds managements expectations.
Measuring the Effective Size of an Internal Audit Function
We considered several different measures for the effective size of an internal audit activity,
including the number of internal auditors (in terms of full-time equivalents), internal
audit monetary budgets, and internal audit actual monetary expenses. Analysis of the
correlations between these variables indicates that they are signifcantly correlated (for
all, p<.01).
6
An analysis of the data indicates that the participants were most reliable in
6
These signifcant correlations include frms that engage third-party service providers to perform
a portion of the internal audit services.
44
providing accurate and complete data on the number of internal auditors on their staffs,
and because the data were highly correlated, we decided to use that fgure as our primary
predicted outcome. However, when signifcant differences between inferences across the
alternative effective size measures were noted in our analysis, we performed more in-depth
analysis and discuss it further (see below).
Explanatory Factors
Table 16 documents the factors that signifcantly infuence the size of the internal audit
function and the manner in which each infuences the size (positively or negatively).
Importantly, Table 16 only includes the factors that have a signifcant infuence on the size
of the internal audit department, as revealed through our regression analysis. Therefore,
not all of the variables described in the previous sections of this whitepaper are refected
in Table 16. We use commonly accepted p-values to determine statistical signifcance
(p<0.10).
7
The following paragraphs provide additional descriptions of these variables
and the intuition behind their affect on internal audit size.
Table 16: Factors Infuencing Internal Audit Department Size (FTE)
Variables
Direction
of Efect Interpretation of Result
Characteristics of the Organization
Public versus Private
Organization
+
Internal audit size increases for public organizations
(as compared to private organizations).
Total Revenue for Current
Year
+
Internal audit size increases as the size of the
organization (in total revenue) increases.
Internal Control
Decentralization
+
Internal audit size increases as the control structure of
the organization becomes more decentralized.
IT Control System
Decentralization
+
Internal audit size increases as the control structure
of the organizations IT system becomes more
decentralized.
7
The p-value is the probability of obtaining the test statistic (i.e., the relationship between each
variable and internal audit size) randomly. Lower p-values provide stronger confdence that the
observed relationship is not pure chance.
45
VI. Testing the Conceptual Model
Table 16: Factors Infuencing Internal Audit Department Size (FTE) (continued)
Variables
Direction
of Efect
Interpretation of Result
Complexity of Medical
Science
+
Internal audit size increases as the number of medical
science programs (e.g., hospital, medical school, etc.)
increases.
Characteristics of the Governance Structure
Audit Committee
Oversight of Internal Audit
Summary Statistic
+
Internal audit size increases as the overall governance
of the audit committee improves.
Internal Audit Reporting
to Audit Committee
+
Internal audit size increases when the audit
department reports directly (and privately) to the
audit committee.
Statutory Audit
Requirements
+
Internal audit size increases when the organization
must comply with statutory audit requirements.
Internal Audit Mission and Value Proposition
Operational Auditing
Included in Internal Audit
Mission
+
Internal audit size increases when operational
auditing is explicitly included in the mission
statement.
Developing Leadership
Skills Included in Internal
Audit Mission
+
Internal audit size increases when the development of
leadership skills (including training for management
positions) is explicitly included in the mission
statement.
Involvement in
Compliance and Risk
Management Activities
+
Internal audit size increases as the extent of
auditings involvement in various compliance and
risk management activities increases (including
continuous monitoring, ERM, etc.).
Mission Misalignment
Management and Internal
Auditing Disagree on the
Importance of IT Auditing
When management and the CAE disagree about

the importance of IT auditing (and management
undervalues its importance), the size of internal
auditing is reduced.
Mission/Activity
Misalignment
+
Internal audit size increases when the audit activities
included in the mission are aligned with those actually
performed by internal auditing.
46
Table 16: Factors Infuencing Internal Audit Department Size (FTE) (continued)
Variables
Direction
of Efect
Interpretation of Result
Characteristics of Internal Audit Department/Personnel
Percentage of Auditors
with Certifcations
Internal audit size decreases as the percentage

of auditors within the department have various
certifcations.
Percentage of Internal
Audit Activities
Outsourced
Internal audit size decreases as the percentage of

audit activities that are outsourced increases.
Percentage of Audit
Resources Dedicated to
Regulatory Compliance
+
Internal audit size increases as the percentage
of resources dedicated to regulatory compliance
activities increases.
Percentage of Audit
Resources Dedicated to IT
Controls and Security
+
Internal audit size increases as the percentage of
resources dedicated to IT controls and security-related
activities increases.
Reliance on Noninternal
Audit Department for
Management of Legal
Compliance Activities
Internal audit size decreases as activities regarding

legal compliance are performed by departments
outside of internal auditing.
Internal Audit Service Quality
Internal Audit Value
+
Internal audit size increases when internal auditing
meets or exceeds its potential.
Characteristics of the Organization. Several important organizational characteristics
signifcantly infuence the size of the internal audit function. First, whether the organiza-
tion is publicly or privately funded impacts the size of the internal audit function, such
that public organizations require more internal auditors than similar private organizations.
Second, the size of the organization, as described by its total revenues in the current year,
is positively related to the size of the internal audit department. That is, organizations with
greater total revenues require larger internal audit departments. Third, the complexity
of the organizations control structure is positively associated with internal audit depart-
ment size. Specifcally, organizations with a decentralized control structure have larger
internal audit departments than those with partially decentralized or centralized control
47
structures. Fourth, we fnd that organizations that have a more complex medical science
facility (e.g., includes medical schools, hospitals, and schools of allied health or veterinary
science) have larger internal audit departments.
Characteristics of the Governance Structure. The governance structure of the organization
has a strong, positive infuence on the size of the internal audit department, suggesting
that organizations that have made a commitment to good governance also value internal
auditing and, therefore, invest resources in the internal audit function. Specifcally, internal
audit department size is increasing when the audit department meets directly with the
audit committee.
We also fnd a positive relationship between internal audit size and a summary statistic
describing the extent of audit committee oversight. This statistic is composed of the
answers to the following fve yes/no questions:
1. Does the audit committee review the internal audit charter?
2. Does the audit committee review the internal audit budget?
3. Does the audit committee review the internal audit plan?
4. Does the audit committee have access to sensitive information (e.g., regulatory
actions, etc.)?
5. Does the audit committee have access to the information necessary for monitoring
managements objectives, strategies, and fnancial activities?
Our results reveal that internal audit department size increases in the number of positive
answers to those questions. Thus, the more oversight the audit committee has, the larger
the internal department. When including the above audit committee characteristics in our
statistical model, we fnd little additional explanatory power associated with adding vari-
ables related to the overall board of regents, so we do not include those variables in our
discussion here.
Internal Audit Mission and Value Proposition. The formal mission of an internal
audit department will vary among organizations depending upon the organizations strat-
egies and goals. We fnd that organizations that explicitly include operational auditing
and developing leadership skills in the internal audit mission have larger internal audit
departments than those that do not hold internal auditing responsible for these activities.
Further, the extent to which internal audit activities are outsourced is negatively related
to the number of internal audit staff within the organization. As anticipated, organiza-
tions that outsource some internal audit activities are able to reduce their headcount. Our
results also suggest that the size of internal audit departments increases as the percentage
of resources dedicated to regulatory compliance, IT controls, and security increase.
48
Finally, we evidence that internal audit departments increase in size as the extent of their
involvement in risk management and compliance increases. That is, when internal audit
departments are involved in activities such as continuous monitoring and enterprisewide
risk management, more auditors are needed to ensure all necessary audit activities are
completed.
Mission (Mis)Alignment. We also investigated the extent to which differences between
management and the internal audit departments priorities may infuence the size of
the internal audit department. As previously described, for most activities, respondents
reported that there was considerable agreement between managements beliefs and those
of the internal audit department. However, we fnd a signifcant effect (on internal audit
department size) when management and the internal audit department disagree on the
importance of IT auditing and security. Specifcally, we fnd that internal audit depart-
ments are smaller in organizations where internal auditing believes IT auditing and
security is more important than management does. This suggests that management may
be undervaluing IT auditing and security and therefore providing a relatively lower
level of resources to support the audit department staffng level.
We also examine the extent to which a gap between the internal audit mission and the
actual activities performed by the internal audit department are related to the size of the
internal audit department. We compare each activity listed in the mission with the actual
activities the internal audit department performs. We fnd that when the activities of the
internal audit department do not align with the mission, the internal audit departments
are smaller compared to organizations where there is relatively closer alignment
between the activities. It is likely that in these organizations, the internal audit department
is not able to meet the expectations of management because it is not performing the activi-
ties that have been determined to be most important by the organization.
Characteristics of Internal Audit Department/Personnel. We fnd that characteris-
tics of the internal audit department personnel affect its relative size. Specifcally, we fnd
that the percentage of internal auditors employed within the organization that maintain
various certifcations (e.g., CIA, CPA, CISA, etc.) is negatively related to the number of
internal auditors in the department. This result suggests that as the level of profession-
alism within the internal department increases, the number of auditors needed to execute
internal audit activities decreases. We also fnd that internal audit departments tend to
be smaller when organizations use other departments to perform risk management and
compliance activities related to legal compliance.
49
Internal Audit Service Quality. Internal audit quality, as determined by the internal
auditors responding to the survey, is positively associated with the size of the internal
audit department. Therefore, larger internal audit departments are more likely to perceive
that they meet or exceed their potential.
Internal Audit Effective Sizing Tool
In conjunction with the preceding analysis, we have developed a tool to assist CAEs deter-
mine the appropriate size for the internal audit function of their organization. The tool is
based on the conceptual model and analysis described above. It includes: 1) a description
of the information that is important for CAEs to consider when making internal audit
function sizing decisions; 2) a description of the process for using that information to
determine the appropriate size of the department; and 3) an interactive example for calcu-
lating a specifc number of internal audit staff needed based on our research study.
CAEs may choose to enter their own data into the interactive example, which will provide
an estimated size for their internal audit function. However, it is important to remember
that this example uses specifc calculations based on the data collected in this study and is
only a frst step toward developing a reliable tool. It is likely that the interactive example
will work best for organizations similar to those included in our study (see Section V).
Importantly, the results provided by the interactive example should be evaluated for
reasonableness before they are used as justifcation for changing the size of the internal
audit department. The results are based on the responses from a variety of organizations
(as described in Section V) and the model has been validated on frms of varying sizes and
different characteristics. However, for some audit departments, the results may appear
unreasonable. Therefore, it is necessary that CAEs and management critically evaluate the
results to determine whether they appear reliable.
Also, it is important to note that the tool is intended to illustrate the guidance for staffng
an internal audit function that meets managements expectations and assumes that the
internal audit mission and activities are aligned (as described in Table 9). As a result,
organizations for which internal auditings mission and activities are not aligned can view
the interactive results example as the estimated staffng level if they were to have mission/
activity alignment (which is likely to be a goal for internal audit functions). Detailed
instructions for using the interactive example are provided in the spreadsheet accom-
panying this whitepaper. The instructions include a troubleshooting guide with helpful
suggestions for adjusting the tool if the results provided appear unreasonable.
51
VII. CONCLUSION
The purpose of this whitepaper is to develop and test a conceptual model of internal audit
effective sizing. We begin by describing the process by which we developed the concep-
tual model. We then articulate the relationships among the components of the model,
including describing seven critical factors that determine the size of an internal audit func-
tion: 1) characteristics of the organization (i.e., college or university); 2) characteristics of
the governance structure of the organization; 3) the mission of the internal audit function
as seen by management, the board of regents, the audit committee, and the internal audit
function; 4) the internal audit value proposition as executed by the internal audit function;
5) the alignment of internal auditing with management and audit committee expectations;
6) various characteristics of the internal audit activity (e.g., staffng); and 7) internal audit
service quality.
Next, we discuss the methodology that we used to test the conceptual model, including
development of a survey that was completed by 148 CAEs at a variety of colleges and
universities operating throughout the United States. We then provide a detailed discussion
of the survey results, along with a description of the results of statistical tests that validate
the model. Finally, we describe an effective-sizing tool, which predicts the appropriate
number of internal auditors in a department based on input provided by readers.
Our research results indicate:
Internal audit size (i.e., number of full-time equivalents) increases:
o For public versus private institutions.
o As the size of the organization (in revenue) increases.
o As the control structure of the organization becomes more decentralized.
o As the IT system control structure of the organization becomes more
decentralized.
o As the extent of medical science activities (e.g., medical school, etc.)
increases.
o As audit committee oversight of the internal audit department increases.
o When the organization must comply with statutory audit requirements.
o As the involvement in risk management and compliance activities increases.
o As the percentage of resources dedicated to regulatory compliance and IT
security and control increases.
52
o When operational auditing and leadership development is explicitly included
in the mission statement.
o When the internal audit department meets or exceeds the expectations of
key stakeholders such as audit committees or senior management.
Internal audit size (i.e., number of full-time equivalents) decreases:
o As the percentage of audit activities that are outsourced increases.
o When management and the CAE disagree about the importance of IT
auditing (and management places less value on IT auditing than internal
auditing does).
o As the percentage of certifcations in the department increases.
o As more reliance is placed on noninternal audit departments for legal
compliance activities.
Our results reveal that there are some limitations to traditional benchmarking models
that compare organizations within an industry and based on size. Our model fnds that
the effective size of an internal audit department is infuenced by many variables that are
specifc to each organization, such as the items included in the internal audit mission, tools
used by internal auditing and the reliance on noninternal audit departments to perform
risk management activities.
Importantly, we believe the data that has been developed and tested can be used by organi-
zations and internal audit functions to perform some self-examination that can lead to a)
more goal congruence between internal auditors and management; b) periodic self-assess-
ment by internal auditing, coupled with surveys of management to understand value being
delivered by internal auditing; and c) alternative ways to include both the effciency and
the effectiveness of the internal audit activity. We encourage internal auditors to perform
such self-examination and work toward a continuous improvement model that is required
of all businesses today.
53
VIII. REFERENCES
Bedard, J. C., and K. M. Johnstone. 2004. Earnings manipulation risk, corporate gover-
nance risk, and auditors planning and pricing decisions. The Accounting Review (79,
2): 277304.
Carcello, J. V., D. R. Hermanson, and K. Raghunandan. 2005. Factors associated with
U.S. public companies investment in internal auditing. Accounting Horizons (19, 2):
6984.
The Institute of Internal Auditors. 1999. Definition of Internal Auditing. Altamonte
Springs, FL: The Institute of Internal Auditors.
The Institute of Internal Auditors, 2009. International Professional Practices Framework.
Altamonte Springs, FL: The Institute of Internal Auditors.
Marks, N. How much is enough, Internal Auditor, February 2000.
55
The vision of The IIA Research Foundation is to understand, shape, and advance the
global profession of internal auditing by initiating and sponsoring intelligence gathering,
innovative research, and knowledge-sharing in a timely manner. As a separate, tax-exempt
organization, The Foundation does not receive funding from IIA membership dues but
depends on contributions from individuals and organizations, and from IIA chapters and
institutes, to move our programs forward. We also would not be able to function without
our valuable volunteers. To that end, we thank the following:
RESEARCH SPONSOR RECOGNITION
Research Sponsors
Association of College and University Auditors
University of California System
IIA Norway
IIA Chicago
IIA Houston
IIA Philadelphia
Visionary Circle
Paul J. Sobel, CIA
Chairmans Circle
Stephen D. Goepfert, CIA
Patricia E. Scipio, CIA
3M Company
Cargill Inc.
Chevron Corporation
ExxonMobil Corporation
Itau Unibanco Holding SA
JCPenney Company
Lockheed Martin Corporation
Microsoft Corporation
PricewaterhouseCoopers LLP
Southern California Edison Company
Diamond Donor
IIA New York
IIA San Jose
56
THE IIA RESEARCH FOUNDATION
BOARD OF TRUSTEES
President: Patricia E. Scipio, CIA, PricewaterhouseCoopers LLP
Vice President-Strategy: Mark J. Pearson, CIA, Boise Inc.
Vice President-Research: Philip E. Flora, CIA, CCSA, Texas Guaranteed TG
Vice President-Development: Wayne G. Moore, CIA, Wayne Moore Consulting
Treasurer: Stephen W. Minder, CIA, YCN Group LLC
Secretary: Douglas Ziegenfuss, PhD, CIA, CCSA, Old Dominion University
Neil Aaron, The McGraw-Hill Companies
Richard J. Anderson, CFSA, DePaul University
Urton L. Anderson, PhD, CIA, CCSA, CFSA, CGAP, University of Texas-Austin
Sten Bjelke, CIA, IIA Sweden
Michael J. Head, CIA, TD Ameritrade Holding Corporation
James A. LaTorre, PricewaterhouseCoopers LLP
Marjorie Maguire-Krupp, CIA, CFSA, Coastal Empire Consulting
Leen Paape, CIA, Nyenrode Business University
Jeffrey Perkins, CIA, TransUnion LLC
Edward C. Pitts
Michael F. Pryal, CIA, Michael Pryal & Associates
Carolyn Saint, CIA, Lowes Companies, Inc.
Mark L. Salamasick, CIA, University of Texas at Dallas
Susan D. Ulrey, CIA, KPMG LLP
Jacqueline K. Wagner, CIA, Ernst & Young LLP
Shi Xian, Nanjing Audit University
57
The IIA Research Foundation Board of Research and Education Advisors
THE IIA RESEARCH FOUNDATION BOARD
OF RESEARCH AND EDUCATION ADVISORS
Chairman: Philip E. Flora, CIA, CCSA, Texas Guaranteed TG
Vice-chairman: Urton L. Anderson, PhD, CIA, CCSA, CFSA, CGAP,
University of Texas-Austin
George R. Aldhizer III, PhD, CIA, Wake Forest University
Lalbahadur Balkaran, CIA
Kevin W. Barthold, CPA, City of San Antonio
Thomas J. Beirne, CFSA, The AES Corporation
Audley L. Bell, CIA, Habitat for Humanity Intl.
Toby Bishop, Deloitte & Touche LLP
Sezer Bozkus, CIA, CFSA, KPMG
John K. Brackett, CFSA, RSM McGladrey, Inc.
Adil S. Buhariwalla, CIA, Emirates Airlines
Thomas J. Clooney, CIA, CCSA, KPMG LLP
Jean Coroller, Ernst & Young LLP
Mary Christine Dobrovich, Jefferson Wells Intl
Susan Page Driver, CIA, Texas General Land Offce
Donald A. Espersen, CIA, despersen & associates
Randall R. Fernandez, CIA, Adams Harris
John C. Gazlay, CPA, CCSA
Dan B. Gould, CIA
Ulrich Hahn, CIA, CCSA, CGAP
John C. Harris, CIA, Aspen Holdings/FirstComp Insurance Company
Sabrina B. Hearn, CIA, University of Alabama System
Katherine E. Homer, Ernst & Young LLP
Peter M. Hughes, PhD, CIA, Orange County
David J. MacCabe, CIA, CGAP
Gary R. McGuire, CIA, Lennox International Inc.
John D. McLaughlin, Smart Business Advisory and Consulting LLC
Steven S. Mezzio, CIA, CCSA, CFSA, Resources Global Professionals
Deborah L. Munoz, CIA, CalPortland Company
Frank M. OBrien, CIA, Olin Corporation
Michael L. Piazza, Professional Development Institute
Amy Jane Prokopetz, CCSA, Farm Credit Canada
Mark R. Radde, CIA, Resources Global Professionals
Vito Raimondi, CIA, Zurich Financial Services NA
Sandra W. Shelton, PhD, DePaul University
Linda Yanta, CIA, Eskom

IA Effective Sizing College and University

Enviado por

Dados do documento

Direitos autorais

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

IA Effective Sizing College and University

Enviado por

Direitos autorais:

Effective Sizing of

Internal Audit Activities

Internal Audit Role

Panel A: Average Years of

When management and the CAE disagree about

Internal audit size decreases as the percentage

Internal audit size decreases as the percentage of

Internal audit size decreases as activities regarding

Você também pode gostar