Notes
i. A survey by the Open Compliance and Ethics Group was inconclusive on this point, with about half assigning some measure to internal audit and the rest holding them essentially harmless. However, 70% of finance professionals replied that they believe internal auditors were at least partly to blame.
ii. As we note on p. 15 (Staffing and Resources) the level of experience is improving—but improvements can still be made.
iii. IIA Standard 2010 on Planning states, “The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals.”
iv. PwC also suggested that many audit organizations still require a shift in their focus from financial reporting controls to a focus on the sources of risk that impact or destroy shareholder value. We concur with this observation.
v. One of the benefits of assessing and providing assurance over management's risk management program is that it can be brought up to the level where internal audit can rely on it to identify the significant risks to include in the audit plan.
vi. According to Paisley in their 2009 Best Practices in GRC Convergence: Building a Business Case for GRC Convergence (p. 2), “the assurance functions of internal audit, risk management and compliance in most cases do not share business processes, terminology, or a common assurance methodology.” Their recommendation is to develop a discipline of “risk convergence” where governance, risk, and compliance are aligned and supported by a standardized technology solution across the enterprise.
vii. The need for and benefits of a CRCA initiative for internal auditors can be found in a document entitled “A Look into the Future: The Next Evolution of Internal Audit” at http://download.sap.com/solutions/sapbusinessobjects/large/governance-risk-compliance/brochures/index.epx.
viii. E&Y's 2008 Global Internal Audit Survey reported that workpaper documentation, tracking findings, and reporting were the primary areas where internal audit functions found technology very effective.
ix. The primary BI vendors include SAP Business Objects, Oracle Hyperion, and IBM Cognos.
x. Vendors include ACL, SAP BusinessObjects, Oracle, Oversight, and IDEA.
xi. Some products do not require data extracts. They monitor the data from within the organization's ERP, enabling rapid identification and investigation of exceptions.
xii. Internal audit departments that perform SOX testing have often hired more junior staff to support that work. However, those staff are typically not involved in monitoring risks or establishing the scope of audit projects, and they are supervised in report development by more experienced auditors.