Version 1.2
DISCLAIMER
Copyright 2009 by The Institute of Internal Auditors' (IIA's) and The IIA Research Foundation's (IIARF's)
Global Audit Information Network (GAIN) located at 247 Maitland Avenue, Altamonte Springs, Fla. 32701.
All rights reserved. Published in the United States of America.
Except for the purposes intended by this publication, readers of this document may not reproduce, redistribute,
display, rent, lend, resell, commercially exploit, or adapt the statistical and other data contained herein without
the permission of GAIN or The IIARF.
The information included in this document is general in nature and is not intended to address any particular
individual, internal audit activity, or organization. Based on the date of issuance and changing environments, no
individual, internal audit activity, or organization should act on the information provided in this document without
appropriate consultation or examination.
ACKNOWLEDGEMENTS
The IIA would like to thank Don Sparks, CIA, CISA, ARM, and Cesar Martinez, CIA, CGAP, for their
contributions in developing the 2009 IT Audit Benchmarking Study on which this Executive Summary
and Report is based.
EXECUTIVE SUMMARY
According to IIA Standard 1210.A3: Proficiency, internal auditors must have sufficient knowledge of key IT risks
and controls and available technology-based audit techniques to perform their work. As many long-time users of
technology-based audit techniques know, having the right application can expedite and maximize internal audit
efforts significantly. However, whether an in-house or third-party tool is used, it is important that organizations
incorporate IT audit activities as part of the internal audit plan.
To determine the extent of IT audit planning efforts, the profile of IT audit functions, and the software tools
currently in use, The IIA's and IIARF's GAIN department conducted its first annual IT Audit Benchmarking Study
in February 2009. Of the 138 organizations represented in the study, an overwhelming majority
(94.8 percent) incorporate IT audit activities as part of the internal audit plan. When asked to explain the
process used to incorporate IT audit activities into the audit plan, 52.9 percent use an integrated planning
approach in which potential IT audit areas are determined as part of the risk assessment process or annual
audit planning process. In addition, many of these organizations use software to support extraction, data
analysis, and risk assessment efforts, among other activities.
In terms of years of IT audit experience, respondents stated they have an average of 2.9 years of expertise in
this area. In addition, most IT audit functions consisted of 1–3 internal auditors dedicated solely to this task and
25 percent of participants indicated their internal audit function has been performing IT audits for 1–3 years.
Additionally, the vast majority (83.2 percent) of respondents indicated the IT audit function reports to the CAE
or head of internal auditing followed by the audit committee (8.8 percent).
The study also asked respondents to specify whether their organization co-sources, outsources, or both co-sources and outsources any of its IT audit activities. More than half of study participants (52.2 percent) stated
they performed none of these three activities; that is, IT audit activities are performed solely by the internal
audit group. Of the remaining responses, 23.9 percent both co-source and outsource their IT audit activities,
followed by 17.4 percent that co-source only and 6.5 percent that outsource only. The top five reasons why
IT audit activities are either co-sourced or outsourced include having better access to subject-matter experts
(79.5 percent), internal audit staff limitations (75 percent), cost-effectiveness of the co-sourcing or outsourcing
activity (43.2 percent), lack of internal audit staff knowledge on the IT systems used in the organization
(36.4 percent), and difficulty in recruiting qualified IT audit staff (22.7 percent).
Furthermore, respondents were asked to list the top three issues that will impact IT audits the most within the
next 24 months. These three issues include IT audit project limitations due to budget restrictions, lack of internal
resources or time, increasing travel costs, and lack of overall knowledge to perform an IT audit (43.5 percent);
data security and privacy (37.7 percent); and being unable to add value to the organization due to the increasing
complexity of IT systems (23.2 percent). Based on these responses, study participants were asked if they had
the skills and training to address the issues that will impact IT audits the most. The vast majority of participants
responded yes to both questions: 71.7 percent and 72.2 percent of internal audit activities represented in the
study have the skills and training, respectively, to address the issues that will impact IT audits the most within
the next 24 months.
Similarly, participants were asked to identify the latest three technology innovations that have eased the
performance of IT audits the most within the last three years. These include use of computer assisted audit
techniques (CAATs), availability of many systems online, and guidance on specific IT audit areas or guidance
that is tailored to noncomplex IT environments. In terms of training, the primary source of IT audit knowledge
during the past 24 months is participation in seminars, workshops, and conferences offered by a professional
organization (44 percent), followed by individual research gathered from online resources, and books or self-study courses.
RESPONDENT DEMOGRAPHICS
A total of 138 chief audit executives (CAEs), audit directors or managers, and other internal audit professionals
participated in the 2009 IT Audit Benchmarking Study. [1] The majority of study participants work in publicly listed
companies (44.2 percent) located in the United States [2] (76.1 percent) with annual revenues ranging from US $1
billion to less than US $10 billion (46.3 percent) and internal audit activities ranging from 3–6 internal auditors
(34.1 percent), immediately followed by 7–15 as the second highest response (31.2 percent) (refer to figure 1).
The top five industries represented by study participants include financial services, banking, and real estate
(19.7 percent); manufacturing (15.3 percent); educational services (10.2 percent); insurance carriers and agents
(8 percent); and utilities (7.3 percent).
Years of internal audit experience represented in the study vary from 4–6 to 19 or more, with the latter being the
category with the highest response frequency (49.3 percent) (refer to figure 2). Participants also were asked to
specify the number of years of work experience in different internal audit categories (i.e., internal auditing, IT
auditing, and other). Figure 3 provides a summary of each.
[1] A total of 1,709 invitations were sent to members of GAIN's Flash Survey Network, out of which 138 responded to the survey
representing an 8.1 percent response rate. Other positions represented in the survey include audit or IT audit staff, IT audit manager, and
IT audit director. For a percentage breakdown of each position, refer to page 77.
[2] Other countries or locations represented in the survey include Canada (8 percent), Australia and Hong Kong (2.2 percent each), and
Albania, Germany, and Switzerland (1.4 percent each).
Besides working in small to mid-size internal audit departments, the low number of IT auditors could be
correlated to how long this function has been present within the organization. According to study results,
25 percent of participants indicated their internal audit function has been performing IT audits for 1–3 years
followed by 4–6 years (19.9 percent). These percentages continue to decrease until they hit the 19 years
or more category, where they increase back to 19.9 percent (refer to figure 4 for a breakdown).
Table 1: Process used to incorporate IT audit activities into the internal audit planning process
[3] These percentages represent the choices with the highest number of responses.
According to The IIA's International Standards for the Professional Practice of Internal Auditing (refer to all Standards with the letter
C for those pertaining to consulting activities), internal auditors can act in a consulting capacity as long as doing so does not hinder the
internal auditor's independence and objectivity to later assess the effectiveness of the same activity. For instance, as long as auditors only
provide advice regarding the design of controls and no help is given in the actual development of the detailed controls, this consulting
activity should not breach any independence issue. If, however, the internal auditor were to develop the controls that form part of the
system, then as stated by the Standards, he or she could not audit that particular area for a period of at least 12 months.
[4] Percentages listed in the bulleted list represent the choices with the highest number of responses.
Furthermore, participants were asked to specify how much of their IT audit activities are co-sourced,
outsourced, or both. According to study results:
• 88.8 percent of the 17.4 percent of organizations that co-source IT audits, co-source anywhere from
  1 percent to 25 percent of their IT audit efforts.
• 50 percent of the 6.5 percent of organizations that outsource IT audits, outsource anywhere from
  76 percent to 100 percent of their IT audit efforts.
• 65.1 percent of the 23.9 percent of organizations that both co-source and outsource IT audits, co-source
  and outsource anywhere from 10 percent to 75 percent of their IT audit efforts (refer to figures 6–8 for a
  breakdown of these percentages by type of sourcing activity).
Figures 6–7: Percent of IT audits that are co-sourced (left) and outsourced (right)
• IT audit project limitations due to budget restrictions caused by the current economic downturn or
  shifting organizational priorities; time constraints; lack of internal resources to perform the IT audit,
  such as lack of qualified staff due to turnover or budget cuts; increasing travel costs; and lack of overall
  knowledge to perform an IT audit (60 responses).
• Data security and privacy: compliance with data security and privacy laws and regulations (e.g.,
  compliance with the Payment Card Industry Data Security Standard) and information security and data
  privacy practices within the organization (e.g., user provisioning, data access, and change
  management) (52 responses).
• Being unable to add value to the organization due to the increasing complexity of IT systems, which
  prevents the internal audit activity from keeping up with technological changes and innovations, as
  well as not having the knowledge to audit and provide support during new system implementations as
  a result of out-of-date technology, replacement of legacy systems, and automation of existing controls
  (32 responses).
Table 2: Top three issues that will impact IT audits the most within the next 24 months
These statistics were obtained from 569 organizations representing the gamut of industries, company types, annual revenues, and asset
sizes that participated in the Annual Benchmarking Study from June 30, 2007 until Dec. 31, 2008.
Based on these responses, study participants were asked if they had the skills and training to address the
issues that will impact IT audits the most. The vast majority of participants responded yes to both questions:
71.7 percent and 72.2 percent of internal audit activities represented in the study have the skills and training,
respectively, to address the issues that will impact IT audits the most within the next 24 months. In terms of
skills, participants stated their internal audit activity has a dedicated group of IT auditors or internal auditors with
sufficient training to perform IT audits or with IT-specific certifications, such as ISACA's Certified Information
Systems Auditor, while training criteria identified include providing staff with the continuing education needed to
perform their work and the presence of a training plan that addresses the needs of each auditor.
Furthermore, participants were asked to identify the latest three technology innovations that have eased the
performance of IT audits the most within the last three years. These include:
1. Use of CAATs, such as audit administration tools and documentation software; automated change
management applications; new audit tracking software, and help desk audit software.
2. Availability of many systems online, which enables remote audit activities.
3. Guidance on specific IT audit areas or guidance that is tailored to noncomplex IT environments.
By far the primary source of IT audit knowledge during the past 24 months is participation in seminars,
workshops, and conferences offered by a professional organization (44 percent), remotely followed by individual
research gathered from online resources (e.g., The IIA and ISACA), and books or self-study courses (refer to
figure 9 for a summary of all responses). The top organization selected as the first choice for increasing IT audit
knowledge was ISACA (47.8 percent) followed by The IIA (20 percent), the MIS Training Institute
(18.9 percent), the SANS Institute (4.4 percent), and the American Institute of Certified Public Accountants
(2.2 percent).
Extraction Software
____________________________________
How has the use of the software identified previously improved your internal audit capabilities?
Enables audits consisting of 100 percent of the population (20 responses).
Improves productivity and efficiency of work (i.e., better able to extract, analyze, and acquire data from corporate systems; has drill-down
capabilities; and reduces the amount of time required to identify potential problems) (18 responses).
Enables continuous monitoring of data (2 responses).
Please provide a success story or best practice linked to the use of the software identified previously:
Has enabled the use of exception reports and tests that identify fraud, misuse of expense reports, and staff who didn't charge leave
time, as well as test pricing invoices and internal controls (12 responses).
Analyzes the entire population rather than a sample and identifies true error rates (6 responses).
Identifies financial savings to the organization (1 response).
Please provide an example of a barrier or challenge presented by the use of the software identified previously:
Learning curve and training (e.g., training staff to use the system; the system is cumbersome to work with) (14 responses).
Getting data in the proper format (e.g., using the system requires the use of SQL querying) (7 responses).
The tool doesn't work or integrate well with other systems and is only used by internal audit department (5 responses).
Difficulty accessing data; takes more time to access data than it should; or difficulty in getting access from data owners (5 responses).
Table 3: Responses to questions on software improvement areas, success stories, and challenges presented
Table 4: Responses to questions on software improvement areas, success stories, and challenges presented
Table 5: Responses to questions on software improvement areas, success stories, and challenges presented
How has the use of the software identified previously improved your internal audit capabilities?
Use of standard templates (e.g., standardization of templates provides high-productivity and efficiency of work and for the automation of
audit processes and consistency between projects) (14 responses).
Improves quality of review, audit program, and work papers (e.g., reduces review times for audit files and facilitates the sharing and remote
reviews of working papers) (7 responses).
Better organization and access of information (e.g., provides a centralized storage of audit working papers) (6 responses).
Enhances the follow up of audits, tracking of audits, and repeatability of audits (4 responses).
Reduces planning time and staff work (e.g., time used to ensure working paper documentation complies with IIA Standards is significantly
reduced) (4 responses).
Provides better coordination of all audits (e.g., coordination of audits with Sarbanes-Oxley audits and automated reporting of Sarbanes-Oxley work and other internal audits) (2 responses).
Increases audit penetration (1 response).
Improves data protection (1 response).
Please provide a success story or best practice linked to the use of the software identified previously:
Facilitated the automation of work (e.g., has enabled the automation of tracking issues and responses from responsible parties, as well as
the automation of draft reports generated after completion of field work) (2 responses).
Enabled auditors to review work papers from remote locations (2 responses).
Eliminated the use of hard copies (i.e., all work papers are saved electronically, which saves space and reduces waste) (2 responses).
Provided consistency of work (e.g., enables consistency of work papers by allowing auditors to choose which fields to use) (2 responses).
Increased the efficiency of compliance reviews with IIA Standards (2 responses).
Enabled more than one auditor to work on the same project (1 response).
Eased the documentation of work papers (1 response).
Please provide an example of a barrier or challenge presented by the use of the software identified previously:
Software can be cumbersome to use, replicate in the existing environment, or integrate with other software, which leads to an inefficient
use of time (5 responses).
Auditors have lost work occasionally due to bugs within the system and lack of customer service support from vendor (2 responses).
Because the software automates all work papers, too much information is kept, which can be overwhelming (2 responses).
Use of the software and review of work papers still requires human interaction, which introduces inconsistencies unless the internal audit
department has a standard infrastructure in place (2 responses).
It is difficult to access work papers in locations where bandwidth is an issue (1 response).
Cost of training (1 response).
Cannot monitor action items in an automated fashion (1 response).
Table 6: Responses to questions on software improvement areas, success stories, and challenges presented
How has the use of the software identified previously improved your internal audit capabilities?
The tool has made the control self-assessment process more efficient and less costly (3 responses).
Results are immediately summarized and graphs produced, which has resulted in significantly reduced time in summarizing control
self-assessment results (1 response).
Please provide a success story or best practice linked to the use of the software identified previously:
Other groups in the organization are able to design their own questions, which has cut costs of external resources for management testing
to less than 10 percent (1 response).
Self-assessments are performed on a more timely basis, and it is easier to provide assessment information as needed (1 response).
Please provide an example of a barrier or challenge presented by the use of the software identified previously:
The control self-assessments tool questionnaire design has presented problems (1 response).
Third-party software has response issues (1 response).
Vendor is not helpful in automating tasks and there are consulting fees associated with assisting in data uploads (1 response).
Not all divisions in the company are using the software (1 response).
The audit team is unable to run reports off of the information received (1 response).
Table 7: Responses to questions on software improvement areas, success stories, and challenges presented
Compliance Software
____________________________________
Similar to the use of control self-assessment software, compliance tools are not widely used: 55.4 percent of
study respondents do not use compliance software compared to 23.9 percent who do and 20.7 percent who
stated this type of software is not applicable to their work. While no single software tool was listed by more
than one study participant as the primary software used for compliance, applications identified include Access,
ACL, Compliance 300, Excel, IDEA, Implexus, Movaris, Oracle's Apex Application, Oracle GRC, PolicyIQ,
Resolver Risk, Showcase Quary, and Word. The only secondary software listed by respondents for compliance
is Access.
Ways compliance software has improved internal audit capabilities or posed a challenge are listed in table 8.
How has the use of the software identified previously improved your internal audit capabilities?
Our compliance area primarily uses this software (1 response).
Identify specific transactions of possible concern (1 response).
Directs audit work (1 response).
Provides a common centralized approach to performing compliance audits (1 response).
Compliance audits are timely, easy, and effective (1 response).
Please provide a success story or best practice linked to the use of the software identified previously:
Provided a common centralized approach to performing compliance audits (1 response).
Please provide an example of a barrier or challenge presented by the use of the software identified previously:
It is not easy to update use compliance logs (1 response).
Table 8: Responses to questions on software improvement areas, success stories, and challenges presented
How has the use of the software identified previously improved your internal audit capabilities?
Auditors are alerted of issues as they occur (i.e., there is no lag time to identify issues) and tool creates exception reports (2 responses).
Tool audits 100 percent of the population rather than a sample (1 response).
Allowed the internal audit activity to create preventive controls for process owners (1 response).
Please provide a success story or best practice linked to the use of the software identified previously:
Ability to quickly identify a number of irregularities including fraudulent transactions (1 response).
Please provide an example of a barrier or challenge presented by the use of the software identified previously:
Process takes a while to implement correctly, based on the organization's needs and system changes (2 responses).
Auditors need to have detailed knowledge of the underlying data structures to use the tool correctly (1 response).
Auditors have to determine the parameters to be used (1 response).
The organization has a hard time accepting reports generated by the tool (1 response).
Table 9: Responses to questions on software improvement areas, success stories, and challenges presented
Table 10: Responses to questions on software improvement areas, success stories, and challenges presented
CLOSING THOUGHTS
Establishing an effective IT audit function should be a carefully thought-out process that not only incorporates
existing internal audit resources, but meets the organization's IT audit needs. Respondents to this study seem to
be moving in the right direction in terms of their IT audit activities: the vast majority of study participants
incorporate IT audits as part of the internal audit plan; the majority of internal audit groups represented in the
study have the skills and knowledge necessary to evaluate the quality, effectiveness, and efficiency of the
organization's IT audit activities; and overall satisfaction with IT audit efforts is positive. In addition, more than 70
percent of study respondents indicated their internal audit activity has the skills and training needed to address
the issues that will impact IT audits the most within the next 24 months. This is particularly important given
today's economic downturn, which is affecting many organizations' ability to provide the training needed to keep
up with today's technological innovations.
If there is one area for improvement, it is in the use of audit software. In particular, most study respondents
indicated they do not use software to detect or investigate fraud, perform control self-assessments, monitor
compliance activities, partake in continuous auditing, and assess risks for the annual audit plan. While no
reasons were given regarding the lack of software used for these activities, technology-based audit techniques
can greatly maximize internal audit efforts. This is especially true in large-size organizations, where continuous
audit software, for instance, can increase the scope of internal audit activities to cover as much as 100 percent
of all auditable universe components, and in small internal audit groups, where audit software can help internal
auditors perform faster, more effective audits.
Response           Frequency   Count
Yes                70.3%       97
No                 29.7%       41
Valid Responses                138
Total Responses                138
2: Does your organization incorporate IT audit activities as part of the internal audit plan?
(Respondents could only choose a single response)
Response           Frequency   Count
Yes                94.8%       92
No                 5.2%
Valid Responses                97
Total Responses                97
2a: Please explain the process used to incorporate IT audit activities as part of the internal
audit plan:
Response (Yes)
The internal audit activity takes an integrated IT audit planning approach in which potential IT audit areas
are determined as part of the risk assessment process or annual audit planning process to determine all audit
universe components. Once an IT audit universe is determined based on areas of high risk, a schedule is
created to monitor/review IT audit universe components on a specific timeframe. These IT audit universe
components are either incorporated into the annual audit plan or kept as a separate IT audit plan (e.g., a
universe of IT audits is created as part of the normal audit planning process, in which IT audit areas are risk-ranked. The highest risk-ranked audits are included in the overall audit plan to the extent that the internal
audit department has the IT resources to allocate to them. Risk assessment interviews are also performed,
including interviews with IT management. IT components that are ranked for risk include system
applications, as well as operations, access, and change management controls) (73 responses).
The internal audit activity performs a separate IT audit risk assessment to identify the IT audit areas to be
audited throughout the year. These areas are added to the overall annual audit plan (15 responses).
IT audits are determined based on core business functions and processes (8 responses).
2b: Please explain why you do not incorporate IT audit activities as part of the internal audit
plan:
Response
The internal audit activity does not have the skills or financial resources necessary to perform IT audits
(1 response).
IT management does not provide the information necessary for the internal audit activity to review IT
activities and processes (1 response).
IT audits are outsourced (1 response).
3: Please identify whether your organization co-sources or outsources any of its IT audit
activities.
(Respondents could only choose a single response)
Response
Chart
Frequency
Count
Co-source
17.4%
16
Outsource
6.5%
23.9%
22
None
52.2%
48
Valid Responses
92
Total Responses
92
Chart
Frequency
Count
44.4%
10%–25%
44.4%
26%–50%
0.0%
51%–75%
0.0%
76%–99%
0.0%
100%
11.1%
Valid Responses
18
Total Responses
18
Chart
Frequency
Count
16.7%
10%–25%
16.7%
26%–50%
0.0%
51%–75%
16.7%
76%–99%
33.3%
100%
16.7%
Valid Responses
Total Responses
3c: How much of your organization's IT audit activities are both co-sourced and outsourced?
(Respondents could only choose a single response)
Response
Chart
Frequency
Count
17.4%
10%–25%
21.7%
26%–50%
21.7%
51%–75%
21.7%
76%–99%
13.0%
100%
4.3%
Valid Responses
23
Total Responses
23
Chart
Frequency
Count
75.0%
33
Budget limitations
9.1%
43.2%
19
79.5%
35
0.0%
Regulatory requirement
4.5%
36.4%
16
22.7%
10
13.6%
0.0%
Valid Responses
44
Total Responses
44
5: Please rate the ability of your in-house audit staff to evaluate the quality of the outsourced
or co-sourced IT audit work performed and explain why you chose the rating:
(Respondents could only choose a single response)
Response
Chart
Frequency
Count
2.3%
2.3%
4.5%
11.4%
47.7%
21
31.8%
14
Valid Responses
44
Total Responses
44
5.1: Please explain why you rated the ability of your in-house audit staff as unacceptable:
Response
Staff do not evaluate the IT audit work; work is 100 percent outsourced and only evaluated or reviewed by
the CAE (1 response).
5.2: Please explain why you rated the ability of your in-house audit staff as needs major
improvement:
Response
None of the in-house staff have an IT background (1 response).
5.3: Please explain why you rated the ability of your in-house audit staff as needing some
improvement:
Response
Staff have general IT knowledge and background, but are not fully technically competent (1 response).
Working with consultants is a new skill set for my staff, and we continue to work with managing their work
and their reporting activities (1 response).
5.4: Please explain why you rated the ability of your in-house audit staff as fair:
Response
Staff have limited technology knowledge (2 responses).
5.5: Please explain why you rated the ability of your in-house audit staff as good:
Response
Experienced IT auditor(s) (7 responses).
Experience of internal audit manager and CAE (4 responses).
Good contract management skills (6 responses).
Good peer references and feedback from the auditees (1 response).
5.6: Please explain why you rated the ability of your in-house audit staff as excellent:
Response
Experienced IT auditor works at the organization (9 responses).
Excellent communications with service providers (3 responses).
6: Please rate the effectiveness of your organization's IT audit activities and explain why you
chose the rating:
(Respondents could only choose a single response)
Response
Chart
Moderately effective
(explained in 6.4)
Frequency
Count
1.1%
3.3%
8.7%
23.9%
22
45.7%
42
17.4%
16
Valid Responses
92
Total Responses
92
6.1: Please explain why you rated the effectiveness of your organization's IT audit activities as
highly ineffective:
Response - None
6.2: Please explain why you rated the effectiveness of your organization's IT audit activities as
ineffective:
Response
Reduced or understaffed (1 response).
Without expertise in this area, it is difficult to conduct audits other than access control audits, which
can be done by a non-IT auditor (1 response).
6.3: Please explain why you rated the effectiveness of your organization's IT audit activities as
moderately ineffective:
Response
Not enough skilled IT audit staff available (4 responses).
Inexperienced staff (2 responses).
IT general control audits have not been completed for quite some time. Other audit work was identified on
an ad hoc basis. I am new to my position and making significant changes to our processes (1 response).
Limited in-house resources and knowledge (1 response).
6.4: Please explain why you rated the effectiveness of your organization's IT audit activities as
moderately effective:
Response
Lack of solid skills (6 responses).
IT auditing is a new function, and we have had some trouble in the IT area (2 responses).
The organization's IT audit executive has acquired knowledge of the IT environment and control situations
during the audit exercise and has an established relationship with IT management personnel (1 response).
Need for better coordination with IT department for mapping the IT universe and following up on
recommendations (1 response).
Not well-led and not using current technology; we are several generations behind. This is because the
company is not heavily IT dependent, which is proven based on the frequency of outages (1 response).
Provides a level of insight to our CIO that previously did not exist (1 response).
Generally, these activities are effective but we have issues with the ISO position (1 response).
We have done a comprehensive review but have not touched on key controls (1 response).
We just expanded our staff from one to three people and we are still improving our processes
(1 response).
We need a formalized risk model that will increase the effectiveness of our IT audit activities (1 response).
We review key risks, but probably need a lot more focus around information security (1 response).
6.5: Please explain why you rated the effectiveness of your organization's IT audit activities as
effective:
Response
Good communications and response from function, IT department, and the board (16 responses).
Excellent vendor and risk assessment process (5 responses).
Solid knowledge and provides value-added recommendations (4 responses).
Changes are made to improve controls (3 responses).
All risks are covered on a risk-based cycle (1 response).
I believe we hit the high-risk areas, but we could do more if we had more audit resources (1 response).
IT reviews are operational but not technical (1 response).
Key IT general controls seem to be working; IT governance was weak but appears to be improving to
acceptable standards. Key applications are rigidly maintained as they support government-regulated
processes (1 response).
Findings are always relevant and helpful to the organization (1 response).
We are effective for control testing, but not necessarily for operational efficiencies (1 response).
We have the audit committees and CEO attention and CIO is making changes (1 response).
6.6: Please explain why you rated the effectiveness of your organization's IT audit activities as
highly effective:
Response
Excellent and well-trained staff (7 responses).
All areas are subject to audit including IT activities (2 responses).
Areas to be audited are mutually agreed upon by internal auditing and the CIO (1 response).
We get positive feedback from auditees and the audit committee (1 response).
Reduces external audit fee and IS agree with recommendations (1 response).
Good collaboration between IS management, internal audit management, and vendors (1 response).
We look at controls; others review technical issues (1 response).
7: Please rate the efficiency of your organization's IT audit activities and explain why you chose
the rating:
(Respondents could only choose a single response)
Response
Chart
Moderately efficient
(explained in 7.4)
Frequency
Count
1.1%
0.0%
9.9%
37.4%
34
38.5%
35
13.2%
12
Not Answered
1
Valid Responses
91
Total Responses
92
7.1: Please explain why you rated the efficiency of your organization's IT audit activities as
highly ineffective:
Response - None
7.2: Please explain why you rated the efficiency of your organization's IT audit activities as
ineffective:
Response - None
7.3: Please explain why you rated the efficiency of your organization's IT audit activities as
moderately ineffective:
Response
Inexperienced staff (4 responses).
Slow to respond; short staffed; internal cooperation (2 responses).
Sometimes too thoroughly audited (1 response).
We are efficient for our size and skill, but unable to address critical concerns due to staffing (1 response).
7.4: Please explain why you rated the efficiency of your organization's IT audit activities as
moderately effective:
Response
IT audit area and plans are new and still in development (4 responses).
Staff experience and IT background is limited (3 responses).
Experience of IA audit manager and resources (2 responses).
Access to outsource providers supplements departmental needs (2 responses).
Challenge completing audits within budgeted time and given deadlines (2 responses).
Using co-sourcing partners is inefficient without adequate management oversight (2 responses).
Legacy systems and IT silos are key issues (1 response).
Significant research is needed for in-house audit procedure development (1 response).
Implementing an ERP (1 response).
The IT audits can be bigger and more challenging (1 response).
Inefficiency is caused by physical distance between our department and the IT department (1 response).
We can get better in timely completion of audit reports (1 response).
We have standardized IT audit procedures and testing is generally consistent (1 response).
We need a formalized risk model that will increase the efficiency of our IT audit activities (1 response).
7.5: Please explain why you rated the efficiency of your organization's IT audit activities as
effective:
Response
Highly qualified staff (10 responses).
Excellent working relationship with management and external auditors (5 responses).
Continuous improvement and review (3 responses).
Excellent use of tools and methodologies (2 responses).
Use of risk ranking to guide audit performance (2 responses).
Use of rotation plan for GCC audits (1 response).
7.6: Please explain why you rated the efficiency of your organization's IT audit activities as
highly effective:
Response
Well trained, dedicated, and certified staff (4 responses).
IT audit activities are risk-based and targeted to issue risks ranked as high (3 responses).
Excellent communications with audit committee and CIO (1 response).
Excellent outsourcing partner (1 response).
8: Please rate your overall satisfaction with your organization's IT audit activity and explain why
you chose the rating:
(Respondents could only choose a single response)
Response
Chart
Frequency
Count
1.1%
8.7%
4.3%
28.3%
26
34.8%
32
22.8%
21
Valid Responses
92
Total Responses
92
8.1: Please explain why you rated your overall satisfaction as highly dissatisfied:
Response - None
8.2: Please explain why you rated your overall satisfaction as dissatisfied:
Response
Lack of professional staff and training (4 responses).
There are many IT security issues with limited audit staff (2 responses).
There is no chief information officer and therefore the quality is lacking (1 response).
8.3: Please explain why you rated your overall satisfaction as moderately dissatisfied:
Response
Limited and inexperienced staff (3 responses).
8.4: Please explain why you rated your overall satisfaction as moderately satisfied:
Response
Area is still in development with room for improvement (9 responses).
Excellent work but limited resources (2 responses).
Missing application audits (1 response).
Our available IT audit hours are not adequate to meet our audit plan (1 response).
Unrealistic audit committee's expectations for definitive audit opinions and ratings (1 response).
Audit recommendations have generally been accepted and implemented (1 response).
We do not have a large exposure to in-house development. Our risks are limited to third-party products.
Our IT structures are decentralized and aligned with each business unit, so we have limited exposure to
global problems (1 response).
We need a formalized risk model that will increase the quality of our IT audit activities (1 response).
8.5: Please explain why you rated your overall satisfaction as satisfied:
Response
Good work, experienced in systems, and technology that meets audit needs (6 responses).
Limited staff with excellent experience (4 responses).
Excellent communications with audit committee and executive management (1 response).
Experience of internal audit manager and resources (1 response).
Cost is a major consideration (1 response).
We have improved our efficiency by prioritizing IT risks (1 response).
Knowledge transfer is a key to learning the IT area (1 response).
Effective balance between in-house and co-sourced audits and our IT management team seeks our
assistance (1 response).
Need to incorporate technology into all of our audit activities (1 response).
Our IT audits have been improving over the past few years and are approaching highly satisfied
(1 response).
Our surveys come back from the organization with high scores (1 response).
Provide basic coverage of key controls (1 response).
Staff from outsourced firm generally not outstanding, but their associate director makes sure everything
works in the end (1 response).
We cover the management of critical applications and are able to assess ICT governance (1 response).
8.6: Please explain why you rated your overall satisfaction as highly satisfied:
Response
Highly trained qualified staff (7 responses).
We provide good coverage of all major risks (1 response).
Excellent feedback from auditees and the audit committee (1 response).
IT is taking action on IT audit reports (1 response).
Material weaknesses are identified and addressed by management (1 response).
Strong relationship with IT; high-quality audit work (1 response).
Good outsourcing partner (1 response).
Viewed as a resource by IT management (1 response).
9.1: List the top three issues that will impact IT audits the most within the next 24 months:
Response
IT audit project limitations due to budget restrictions caused by the current economic downturn or
shifting organizational priorities; time constraints; lack of internal resources to perform the IT audit, such
as lack of qualified staff due to turnover or budget cuts; increasing travel costs; and lack of overall
knowledge to perform an IT audit (60 responses).
Data security and privacy: 1) Compliance with data security and privacy laws and regulations (e.g.,
compliance with the Payment Card Industry Data Security Standard) and 2) information security and data
privacy practices within the organization (e.g., user provisioning, data access and change management)
(52 responses).
Being unable to add value to the organization due to the increasing complexity of IT systems,
which prevents the internal audit activity from being able to keep up with technological changes and
innovations, as well as not having the knowledge to audit and provide support during new system
implementations as a result of out-of-date technology, replacement of legacy systems, and automation of
existing controls (32 responses).
10: Do you have the skills to address the issues that will impact IT audits the most within the
next 24 months?
(Respondents could only choose a single response)
Response
Chart
Frequency
Count
71.7%
66
No (explained in 10.2)
28.3%
26
Valid Responses
92
Total Responses
92
11: Do you have the training to address the issues that will impact IT audits the most within
the next 24 months?
(Respondents could only choose a single response)
Response
Chart
Frequency
Count
72.2%
65
No (explained in 11.2)
27.8%
25
Not Answered
2
Valid Responses
90
Total Responses
92
12.1: List the latest three technology innovations that have eased the performance of IT audits
the most within the last three years:
Response
Use of CAATs, such as audit administration tools and documentation software (e.g., ACL, IDEA,
TeamMate); automated change management applications; new tracking software; and help desk audit
software (56 responses).
Availability of many systems online, which enables remote audit activities (8 responses).
Guidance on specific IT audit areas or tailored to noncomplex IT environments (7 responses).
13: Which of the following has been your primary source of IT audit knowledge during the last
24 months?
(Respondents could only choose a single response)
Response
Chart
Frequency
Count
44.0%
40
2.2%
5.5%
9.9%
On-the-job training
8.8%
Peer-to-peer assistance
6.6%
2.2%
13.2%
12
7.7%
1
Valid Responses
91
Total Responses
92
13.1: Please explain why you selected Individual research gathered from online
resources as your primary source of IT audit knowledge during the last 24 months:
Response
ISACA (4 responses)
AICPA
ITIL
COBIT
ACUA (2 responses)
13.2: Please explain why you selected Other as your primary source of IT audit
knowledge during the last 24 months:
Response
Outsourcing provider (2 responses)
ISO
COBIT
14: Please select which organization would be your first choice as a source for increasing
your IT audit knowledge:
(Respondents could only choose a single response)
Response
Chart
Frequency
Count
2.2%
20.0%
18
ISACA
47.8%
43
18.9%
17
SANS Institute
4.4%
6.7%
Not Answered
2
Valid Responses
90
Total Responses
92
14.1: Please select which organization would be your first choice as a source for increasing
your IT audit knowledge:
Response
SAP (2 responses)
Vendor-specific training
15: Does your internal audit function use software for extraction?
(Respondents could only choose a single response)
Response: Frequency (Count)
Yes: 63.0% (58)
No: 32.6% (30)
Not applicable: 4.3%
Valid Responses: 92
Total Responses: 92
15a: Please provide the name of the primary software used for extraction, skill level required, its usefulness to internal auditors,
and why it is useful or not:
Software/ Number
7
of responses
Is this software
useful to IA
Yes
Yes
Yes
ACL (34)
7
8
For questions 15-22: Only one response was provided in cells where no number is shown.
15a: (continued) Please provide the name of the primary software used for extraction, skill level required, its usefulness to internal auditors,
and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
Application queries
(4)
Yes
Business Objects
Yes
No comments provided.
Crystal Reports
Yes
Excel (2)
Expert Level
Intermediate level of expertise
Yes
Yes
No comments provided.
Small data extracts can be manipulated.
IDEA
Yes
MS Access
Expert Level
Yes
No comments provided.
Yes
No comments provided.
Yes
Yes
Yes
Highly useful; we perform all our audits using SAP. We have also written
certain exception reporting applications.
No comments provided.
No comments provided.
Proprietary
SAP (3)
15a: (continued) Please provide the name of the primary software used for extraction, skill level required, its usefulness to internal auditors,
and why it is useful or not:
Software/ Number
of responses
Showcase
SQL (3)
Is this software
useful to IA
Yes
Yes
Yes
Yes
15a: Please provide the name of the secondary software used for extraction, skill level required, its usefulness to internal auditors, and why it is
useful or not:
Software/ Number
of responses
Is this software
useful to IA
ACL (2)
Yes
Yes
BankAudit
Yes
No comments provided.
Crystal Reports
Yes
No comments provided.
Define
Yes
15a: (continued) Please provide the name of the secondary software used for extraction, skill level required, its usefulness to internal auditors,
and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
Yes
None chosen
Yes
Yes
Yes
Focus
Yes
No comments provided.
IDEA (2)
Yes
Yes
No comments provided.
Used to analyze or sample transactions.
Microsoft Suite
Yes
No comments provided.
Monarch
Yes
Can pull data from almost any report or common file format.
MS Access (2)
Yes
SAP
No
SQL (2)
Yes
Yes
No comments provided.
Ability to obtain other required information.
SharePoint
Yes
No comments provided.
Excel (6)
Audit 100 percent of the population rather than doing a sample-based audit (20 responses).
Improved productivity and efficiency of work (i.e., better able to
extract, analyze, and acquire data from corporate systems; drill-down capabilities; and reduced the amount of time required to
identify potential problems) (18 responses).
Continuous monitoring of data (2 responses).
Has enabled the use of exception reports and tests that identify
fraud, misuse of expense reports, and staff who didn't charge leave
time, as well as test pricing invoices and internal controls
(12 responses).
Please provide a success story or best practice linked to the use of the
software identified previously:
15c. Please explain why you do not use software for extraction?
16: Does your internal audit function use software for data analysis?
(Respondents could only choose a single response)
Response: Frequency (Count)
Yes: 76.1% (70)
No: 19.6% (18)
Not applicable: 4.3%
Valid Responses: 92
Total Responses: 92
16a: Please provide the name of the primary software used for data analysis, skill level required, its usefulness to internal auditors, and why it is
useful or not:
Software/ Number
of responses
ACL (36)
Is this software
useful to IA
Yes
16a: (continued) Please provide the name of the primary software used for data analysis, skill level required, its usefulness to internal auditors,
and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
Yes
ActiveData
Yes
No comments provided.
16a: (continued) Please provide the name of the primary software used for data analysis, skill level required, its usefulness to internal auditors,
and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
Application
reporting features
Yes
No comments provided.
DCMS
Yes
Yes
No comments provided.
Yes
Excel (10)
Expert Level
Yes
No comments provided.
Hyperion
Yes
IDEA (4)
Yes
Expert Level
Yes
16a: (continued) Please provide the name of the primary software used for data analysis, skill level required, its usefulness to internal auditors,
and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
Yes
Good tool for filtering lots of data, so comparing data from two sources.
Yes
No comments provided.
SAS
Yes
No comments provided.
16a: Please provide the name of the secondary software used for data analysis, skill level required, its usefulness to internal auditors, and why it
is useful or not:
Software/ Number
of responses
ACL (5)
Crystal Reports
Excel (17)
Focus
Is this software
useful to IA
Yes
No comments provided.
Yes
No comments provided.
Yes
No
No comments provided.
Complexity limits its usefulness.
None given
Yes
Yes
Yes
Expert Level
Yes
Yes
No comments provided.
No comments provided.
Yes
Easy to use. (2)
Please provide a success story or best practice linked to the use of the
software identified previously:
The tool is not user friendly and requires a high level of training
(5 responses).
Problems accessing data (i.e., data is saved in formats that are not
conducive to software analysis or getting data stored in two systems
or legacy systems is difficult) (6 responses).
Older versions of Excel or Access do not have the bandwidth to
analyze large volumes of data (2 responses).
16c. Please explain why you do not use software for data analysis?
17: Does your internal audit function use software to detect or investigate fraud?
(Respondents could only choose a single response)
Response: Frequency (Count)
Yes: 46.7% (43)
No: 48.9% (45)
Not applicable: 4.3%
Valid Responses: 92
Total Responses: 92
17a: Please provide the name of the primary software used to detect or investigate fraud, skill level required, its usefulness to internal auditors,
and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
Yes
Easier to detect abnormal activity.
17a: (continued) Please provide the name of the primary software used to detect or investigate fraud, skill level required, its usefulness to
internal auditors, and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
ACL (23)
continued
Yes
Tool identifies such things as name and address matches for vendors and
employees.
Data analysis and extraction.
Good functionality.
Expert Level
Yes
Yes
No comments provided.
17a: (continued) Please provide the name of the primary software used to detect or investigate fraud, skill level required, its usefulness to
internal auditors, and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
ActiveData
Yes
Application
reporting and query
Yes
Crystal Reports
Yes
To sort and select data that may be indicative of fraudulent activity or to find
transactions related to alleged fraudulent activity.
DCMS
Yes
No comments provided.
DISSCO
Yes
No comments provided.
Excel (2)
Yes
Focus
Yes
No comments provided.
Yes
Expert Level
Yes
IDEA (2)
No comments provided.
No comments provided.
17a: (continued) Please provide the name of the primary software used to detect or investigate fraud, skill level required, its usefulness to
internal auditors, and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
MS Access
Yes
Patriot Officer
Yes
PeopleSoft Queries
Yes
SAS
Yes
No comments provided.
Yes
No comments provided.
Yes
Showcase Query
VIPs
17a: Please provide the name of the secondary software used to detect or investigate fraud, skill level required, usefulness to internal audit, and
why it is useful or not:
Software/ Number
of responses
Crystal Reports
Is this software
useful to IA
Yes
Yes
Yes
No comments provided.
IDEA
Yes
In-house program
Yes
No comments provided.
MS Access (2)
Yes
No comments provided.
Easy to use and share information.
Nuix
Yes
Excel (5)
Finding bogus vendors or addresses (e.g., matched vendor addresses with employee
addresses) (2 responses).
Mapping data to users (e.g., mapping of e-mails to determine the content, who received
the e-mail, and the actions taken; mapping data to identify noncompliant cases)
(2 responses).
More visibility of information (1 response).
Increased number of fraud items for investigations (1 response).
Issues with the data (e.g., obtaining data in the first place; getting files to import from IT
in a timely manner; and defining data to conduct the investigation) (3 responses).
High volume of data to analyze (1 response).
Learning curve to use software properly (1 response).
Cannot perform transactions in real time (1 response).
17c. Please explain why you do not use software to detect or investigate fraud:
18: Does your internal audit function use software for automated working papers?
(Respondents could only choose a single response)
Response: Frequency (Count)
Yes: 52.2% (48)
No: 47.8% (44)
Not applicable: 0.0%
Valid Responses: 92
Total Responses: 92
18a: Please provide the name of the primary software used for automated working papers, skill level required, its usefulness to internal auditors,
and why it is useful or not:
Software/ Number
of responses
Adobe Acrobat
Is this software
useful to IA
Yes
Yes
Yes
AutoAudit (7)
We are implementing the software; the software will help us to implement a
better work flow and documentation.
Good for global teams and storage and review of working papers.
18a: (continued) Please provide the name of the primary software used for automated working papers, skill level required, its usefulness to
internal auditors, and why it is useful or not:
Software/ Number
of responses
Crowe Horwath's
AWP
Excel (4)
In-house tool
MS Office Suite and
Server File Structure
MS Word (5)
Is this software
useful to IA
Yes
Yes
Yes
Yes
Yes
Yes
Developed in-house; all work papers linked; all work papers are electronic
Yes
No comments provided.
18a: (continued) Please provide the name of the primary software used for automated working papers, skill level required, its usefulness to
internal auditors, and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
PAWS Pentana
Yes
Yes
Resolver Risk
Yes
No comments provided.
SharePoint
None given
Yes
No comments provided.
Provides a central repository for audit working papers and great reporting
capabilities.
Efficiency in preparation and review of work papers.
Great application, work papers are encrypted; easy to use.
Has cut overall audit time by 30 percent. Audit review by supervisors is ongoing
and has cut the elapsed time by 90 percent. Report production also has resulted in
time savings,
Reduction in paper and related storage costs,
Efficient system,
It is a centralized repository of documentation within our organization. Risk
assessment tools have not aligned with our risk assessment methodology to date.
Yes
TeamMate (22)
No
18a: (continued) Please provide the name of the primary software used for automated working papers, skill level required, its usefulness to
internal auditors, and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
Yes
Audit work and evidence are maintained in a system that provides good data
protection and easy retrieval.
Avoid many other files and documents.
For all the obvious reasons!
Good method of documenting audits for standardization and efficiency.
It has enabled us to make our audit procedures more efficient. The review process
is also more efficient and we require much less physical storage space.
More efficient.
Standardizes working papers, facilitates review, etc.
Allows us to share data and provide remote supervision. Overall opinion of the
software is that it is too complicated.
Yes
No comments provided.
Yes
TeamMate (22)
continued
Expert Level
None given
18a: Please provide the name of the secondary software used for automated working papers, skill level required, its usefulness to internal
auditors, and why it is useful or not:
Software/ Number
of responses
Excel
Is this software
useful to IA
Yes
No comments provided.
Yes (3)
No comments provided.
Yes
No comments provided.
MS Access
Yes
We summarize the results into Access, which relates them to financial statement
accounts, risks, financial statement impact, etc.
OpenPages
Yes
Central repository.
TeamMate
No
Harder to use than Pentana and does not provide a risk and control matrix in
readable form.
18c. Please explain why you do not use software for automated working papers:
19: Does your internal audit function use software to perform control self-assessments?
(Respondents could only choose a single response)
Response: Frequency (Count)
Yes: 21.7% (20)
No: 65.2% (60)
Not applicable: 13.0% (12)
Valid Responses: 92
Total Responses: 92
19a: Please provide the name of the primary software used to perform control self-assessments, skill level required, its usefulness to internal
auditors, and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
Auto Audit
Yes
Axentis
Yes
Eliminated resources to capture and report data; easy for process owners;
facilitated self-assessments.
Excel (3)
Yes
No response
No response
19a: (continued) Please provide the name of the primary software used to perform control self-assessments, skill level required, its usefulness
to internal auditors, and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
FCM
No
In-house developed
template
Yes
Lumigent Audit DB
Yes
Movaris
Yes
No comments provided.
Allows process owners access to key controls.
E-mail using MS
Yes
No comments provided.
Option Finder
Yes
PolicyIQ
Yes
Risk Navigator
None chosen.
Sharpe Decision
Yes
Easy to use.
TeamRisk
Yes
No comments provided.
Yes
No response
No comments provided.
19a: Please provide the name of the secondary software used to perform control self-assessments, skill level required, its usefulness to internal
auditors, and why it is useful or not:
Software/ Number of
responses
Turning Point Audience
Response System
Is this software
useful to IA
Yes
19c. Please explain why you do not use software to perform control self-assessments:
As a new internal audit department, we have not yet done any control self-assessments (1 response).
20: Does your internal audit function use software for compliance?
(Respondents could only choose a single response)
Response: Frequency (Count)
Yes: 23.9% (22)
No: 55.4% (51)
Not applicable: 20.7% (19)
Valid Responses: 92
Total Responses: 92
20a: Please provide the name of the primary software used for compliance, skill level required, its usefulness to internal auditors, and why it is
useful or not:
Software/ Number
of responses
Is this software
useful to IA
ACL
Yes
Compliance 360
Yes
No comments provided.
Excel
Yes
20a: (continued) Please provide the name of the primary software used for compliance, skill level required, its usefulness to internal auditors,
and why it is useful or not:
Software/ Number of
responses
Is this software
useful to IA
Yes
IDEA
Yes
No comments provided.
Implexus
Yes
Microsoft Access
Yes
Movaris
Yes
Yes
Oracle GRC
No
The lack of usefulness is simply due to the application owner's decision for
implementation and rollout. Currently the application is rolled out to process
owners, but not internal audit department. This will be changing this year,
but to date, we have not had access to this.
PolicyIQ
Yes
20a: Please provide the name of the primary software used for compliance, skill level required, its usefulness to internal auditors, and why it is
useful or not:
Software/ Number
of responses
Is this software
useful to IA
Resolver Risk
None chosen
Yes
No comments provided.
RCTS
None chosen
Yes
No comments provided.
Showcase Query
Yes
No comments provided.
MS Access
Yes
No comments provided.
20c. Please explain why you do not use software for compliance:
21: Does your internal audit function use software for continuous auditing?
(Respondents could only choose a single response)
Response: Frequency (Count)
Yes: 25.0% (23)
No: 59.8% (55)
Not applicable: 15.2% (14)
Valid Responses: 92
Total Responses: 92
21a: Please provide the name of the primary software used for continuous auditing, skill level required, its usefulness to internal auditors,
and why it is useful or not:
Software/ Number
of responses
ACL (15)
Is this software
useful to IA
Yes (15)
21a: (continued) Please provide the name of the primary software used for continuous auditing, skill level required, its usefulness to internal
auditors, and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
Yes (15)
continued
Exception reporting.
No comments provided.
Excel
Yes
No comments provided.
IDERA
Yes
In-house
Yes
No comments provided.
Oracle Apex
Database
(homegrown)
Yes
No comments provided.
21a: (continued) Please provide the name of the primary software used for continuous auditing, skill level required, its usefulness to internal
auditors, and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
PeopleSoft
Yes
Proprietary Data
Extraction
Yes
It allows us to access specific data points within our larger data base.
This allows for audits of targeted risk areas.
Showcase Query
Yes
No comments provided.
21a: Please provide the name of the secondary software used for continuous auditing, skill level required, its usefulness to internal auditors,
and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
ARC
Expert Level
Yes
MS Access
Yes
No comments provided.
Auditors are alerted of issues as they occur (i.e., there is no lag time to identify issues)
and tool creates exception reports (2 responses).
Audit 100 percent of the population rather than a sample (1 response).
Allowed the internal audit activity to create preventive controls for process owners
(1 response).
Ability to quickly identify a number of irregularities including fraudulent transactions
(1 response).
Process takes a while to implement correctly and is based on the organization's needs and
system changes (2 responses).
Auditors have to determine the parameters to be used (1 response).
Auditors need to have detailed knowledge of the underlying data structures to use tool
correctly (1 response).
Organization has a hard time accepting reports (1 response).
21c. Please explain why you do not use software for continuous auditing:
22: Does your internal audit function use software to assess risks for the annual audit plan?
(Respondents could only choose a single response)
Response: Frequency (Count)
Yes: 39.1% (36)
No: 57.6% (53)
Not applicable: 3.3%
Valid Responses: 92
Total Responses: 92
22a: Please provide the name of the primary software used to assess risks for the annual audit plan, skill level required, its usefulness to internal
auditors, and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
ACL
Yes
AutoAudit
Yes (2)
CCH TeamMate
Yes
22a: (continued) Please provide the name of the primary software used to assess risks for the annual audit plan, skill level required,
its usefulness to internal auditors, and why it is useful or not:
Software/ Number
of responses
Is this software
useful to IA
Yes (25)
Easy to use and generate reports from standard templates.
Custom-developed model.
Intermediate level of expertise (11)
We are able to link and perform calculations without the cost and time associated with other software.
Excel (25), continued
Software is not that useful because it is manual and not that user friendly.
In-house developed (3)
Saves time.
Yes
Yes
No comments provided.
Yes (2)
22a: Please provide the name of the secondary software used to assess risks for the annual audit plan, skill level required, its usefulness to internal auditors, and why it is useful or not:
Software/Number of responses | Is this software useful to IA
Crystal Reports
Yes
No comments provided.
TeamMate
Expert Level
No
Consistent tracking and format for all risk assessments and risk calculations, which makes it easier to compare risks across the organization (5 responses).
Provides a central tracking location (2 responses).
Saves time when performing the risk assessment (e.g., sort for different types of views and risks) (2 responses).
Software illustrates results of risk assessment graphically and through reports (1 response).
Helps in the audit planning process (e.g., annual audit plan is prepared promptly by the use of the risk assessment system) (2 responses).
Provides a common communication mechanism of risk assessment results (1 response).
Is enabling internal audit activity to develop a mathematical risk assessment model (1 response).
Risk criteria are consistently updated as audits are performed, which enables auditors to determine which audit areas are considered high risk at a glance because of the control environment or an audit has not been performed in a while (1 response).
Enables use of Monte Carlo technique for risk assessments (1 response).
Software is cumbersome to use and could use additional automation (2 responses).
It is difficult to incorporate changes to spreadsheet (1 response).
Risk assessment is still subjective (1 response).
Lack of adequate resources to patch or upgrade the system to eliminate problem areas and to build new features (1 response).
22c. Please explain why you do not use software for the annual audit plan:
23: Are there any additional comments related to the use or nonuse of software applications this survey has not addressed?
Response
Too many audit tools are not intended for small audit shops and their cost is too expensive. As a result, the tool's cost and effort needed to learn how to use it and implement it correctly does not justify its acquisition (3 responses).
Information on GRC tools: we are in the process of selecting a GRC portal for use across the internal audit activity (1 response).
The use of software and having in-house IT audit resources depends on the size of the organization (e.g., for a smaller company, it is cost effective to co-source activities for special needs in a focused manner) (1 response).
Much feedback received from peers is that they spend a lot of time putting information into a software and only get back the information they put into it with the addition of pretty graphs, etc. to show for the effort (1 response).
Demographics
24: How many individuals are part of your IT audit activity?
(Respondents could only choose a single response)
Response | Frequency | Count
1-3 | 77.2% | 105
4-6 | 13.2% | 18
7-9 | 3.7% |
More than 10 | 5.9% |
Not Answered | | 2
Valid Responses | 136
Total Responses | 138
25: What is the size of your internal audit activity (calculated in total full-time equivalents)?
(Respondents could only choose a single response)
Response | Frequency | Count
1-2 | 11.6% | 16
3-6 | 34.1% | 47
7-15 | 31.2% | 43
16-20 | 8.7% | 12
21-30 | 5.8% |
More than 30 | 6.5% |
Not applicable | 2.2% |
Valid Responses | 138
Total Responses | 138
Response | Frequency | Count
| 83.2% | 114
| 8.8% | 12
| 0.7% |
| 1.5% |
| 5.8% |
Not Answered | | 1
Valid Responses | 137
Total Responses | 138
26.1: If not listed above, to whom does the IT audit function report?
Response
Board of directors
Do not have a separate IT audit function
Elected official
Functionally to board's audit committee and administratively to the CFO
Head of corporate services
Senior audit manager
Vice president for administrative and fiscal services
27: How many years have you been a chief audit executive or equivalent?
(Respondents could only choose a single response)
Response | Frequency | Count
1-3 | 17.4% | 24
4-6 | 16.7% | 23
7-9 | 13.0% | 18
10-12 | 8.0% | 11
13-15 | 7.2% | 10
16-18 | 2.9% |
19 or more | 9.4% | 13
Not applicable | 25.4% | 35
Valid Responses | 138
Total Responses | 138
28: How many years has your audit function been performing IT audits?
(Respondents could only choose a single response)
Response | Frequency | Count
1-3 | 25.0% | 34
4-6 | 19.9% | 27
7-9 | 14.0% | 19
10-12 | 8.8% | 12
13-15 | 5.1% |
16-18 | 2.9% |
19 or more | 19.9% | 27
Not applicable | 4.4% |
Not Answered | |
Valid Responses | 136
Total Responses | 138
Response | Frequency | Count
1-3 | 0.7% |
4-6 | 4.3% |
7-9 | 9.4% | 13
10-12 | 15.2% | 21
13-15 | 8.7% | 12
16-18 | 12.3% | 17
19 or more | 49.3% | 68
Valid Responses | 138
Total Responses | 138
29a: Please specify the number of years of experience you have in each area below (please use numeric values only; e.g., 1, 1.5):
(Respondents could only choose a single response)
Response
Experience | Internal Audit: Average Years | Internal Audit: Count | IT Auditing: Average Years | IT Auditing: Count | Other: Average Years | Other: Count
5 or less | 3.9 | 18 | 2.9 | 39 | 3.3 | 30
5.5-10 | 8.4 | 29 | 8.1 | 31 | 8.6 | 20
11-15 | 12.9 | 27 | 13.5 | 13 | 13.1 |
16-20 | 18.0 | 13 | 18.4 | | 18.8 |
21-25 | 22.9 | 23 | 22.6 | | 23.0 |
26 or more | 33.0 | 23 | 29.3 | | 34.7 |
Response | Frequency | Count
Private company | 25.4% | 35
| 44.2% | 61
Nonprofit organization | 13.8% | 19
Government agency | 13.0% | 18
| 3.6% |
Valid Responses | 138
Total Responses | 138
Response | Frequency | Count
| 0.0% |
Agriculture/forestry/fisheries | 0.0% |
Communication/telecommunication services | 1.5% |
Construction/engineering/architecture | 2.2% |
Consulting services | 0.7% |
Distribution | 1.5% |
Educational services | 10.2% | 14
| 2.9% |
| 19.7% | 27
Gaming/lotteries | 2.2% |
Health services | 6.6% |
Hospitality/entertainment/restaurant | 1.5% |
Insurance carriers/agents | 8.0% | 11
Local government | 0.7% |
National/federal government | 0.7% |
Manufacturing | 15.3% | 21
Mining | 0.7% |
Nonprofit sector | 2.2% |
Pharmaceuticals | 0.7% |
| 0.0% |
State/provincial government | 4.4% |
Technology | 1.5% |
Transportation | 0.7% |
Utilities | 7.3% | 10
Wholesale/retail | 3.6% |
Other | 5.1% |
Not Answered | |
Valid Responses | 137
Total Responses | 138
32: Select the annual revenue range in U.S. dollars that best describes your organization:
(Respondents could only choose a single response)
Response | Frequency | Count
| 2.2% |
| 6.0% |
| 3.0% |
| 16.4% | 22
| 13.4% | 18
| 46.3% | 62
| 12.7% | 17
Not Answered | | 4
Valid Responses | 134
Total Responses | 138
33: What title best describes your current role within your organization?
(Respondents could only choose a single response)
Response | Frequency | Count
Audit staff | 3.6% |
Audit manager | 12.4% | 17
Audit director | 15.3% | 21
| 54.0% | 74
IT audit staff | 1.5% |
IT audit manager | 8.0% | 11
IT audit director | 4.4% |
Retired | 0.7% |
Not Answered | |
Valid Responses | 137
Total Responses | 138
Response | Frequency | Count
Albania | 1.4% |
Australia | 2.2% |
Bahrain | 0.7% |
Barbados | 0.7% |
Canada | 8.0% | 11
France | 0.7% |
Germany | 1.4% |
Hong Kong | 2.2% |
Ireland | 0.7% |
Lebanon | 0.7% |
Mexico | 0.7% |
Netherlands | 0.7% |
Puerto Rico | 0.7% |
South Africa | 0.7% |
Switzerland | 1.4% |
Venezuela | 0.7% |
United States | 76.1% | 105
Valid Responses | 138
Total Responses | 138