210 likes | 362 Views
FINANCE PRACTICE AUDIT DIRECTOR ROUNDTABLE TM. 15 June 2009. A COLLECTION OF DISCUSSION GROUP RESPONSES. INDEX OF DISCUSSIONS. INDEX OF DISCUSSIONS (CONTINUED). DISCUSSION GROUPS IN THE RISK TERRAIN. Audit Command Language (ACL) Audit Department Technology Management Tools
E N D
FINANCE PRACTICE AUDIT DIRECTOR ROUNDTABLETM 15 June 2009 A COLLECTION OF DISCUSSION GROUP RESPONSES
INDEX OF DISCUSSIONS © 2009 The Corporate Executive Board Company. All Rights Reserved.
INDEX OF DISCUSSIONS (CONTINUED) © 2009 The Corporate Executive Board Company. All Rights Reserved.
DISCUSSION GROUPS IN THE RISK TERRAIN • Audit Command Language (ACL) • Audit Department Technology Management Tools • Auditing International Operations • Audit Process Efficiency and Professional Practices • Fraud • "Help Me Audit" Discussion Group • Information Technology Auditing • S-OX Compliance for Internal Audit • Risk Management for Internal Audit • ADR Retail Industry Forum • ADR Financial Services Forum • To subscribe to any of these groups, write to Vikas Gopal at vgopal@executiveboard.com © 2009 The Corporate Executive Board Company. All Rights Reserved.
TELEWORK PROGRAMS FOR INTERNAL AUDIT EXECUTIVES May 26, 2009 Question 1. Do you have a formal telework or work-at-home program for your IA team? a. If yes, what percentage of your team routinely works at home for one or more days per week? b. If yes, what percentage of your team works at home nearly every day? 2. Do you have a formal compressed work week program (i.e., where you work slightly more hours over a 4-day or 9-day period and then take the next day off)? a. If yes, is it "9/10" or "4/5"? b. If yes, what percentage of your team has a compressed work week? - CAE, Financial Services Company • Issue—Formal telework and compressed work week programs for Internal Auditors • Key Takeaways • Of the 15 respondents who have formal telework program: • 5 respondents indicate that 16-25% of their team routinely works at home; 3 respondents indicate that it is between 6-15%. • Only 3 respondents indicate that a small percentage of their team work at home every day. • Of the 13 respondents who have formal compressed work week program: • 5 respondents have 4/5 compressed work week program; 4 have a 9/10 compressed work week program. Percentage of Team Teleworking for One or More Days Per Week % of Respondents n= 15 Respondents Offering Formal Telework and/or Compressed Work Week Program % of Respondents Preferred Compressed Work Week Programs % of Respondents n= 60 n= 13 Click here to get a list of all responses © 2009 The Corporate Executive Board Company. All Rights Reserved. 5 N= 60
TELEWORK PROGRAMS FOR INTERNAL AUDIT EXECUTIVES(CONTINUED) May 26, 2009 Answers from Our Clients 1. We allow certain members of our audit team to work from home, normally no more than 1 -2 days a month. They must have approval from their supervisor in advance. a. As noted above it is usually only 1 -2 days a month at most. b. None 2. Yes we have a formalized compressed work week program. a. 9/10 b. All team members are permitted to compress, although only about half of the staff take advantage of the program. Normally limited to 1 day a month. Senior Vice President, Chief Audit | Financial Services Company 1. No, we do not have a work-at-home program. When we have allowed it, it has only been on an exception basis only. 2. We do have a flex program where people work eight - 9 hour days and one - 8 hour day and have a Friday off every other week. Really this was done as a company to help reduce the pollution in the metropolitan area. As a company we have to report annually to the appropriate state agency monitoring the effort of larger employers. Not all departments are required to have the flex program. The disadvantage to the CAE and his managers is that when you need people sometimes they are off that day and the responsibility of getting things done that the auditor would do fall on the upper level management team. The employees who are allowed to be on the program love it. All have been informed that it is a "privilege" not a "right" to be on a flex hour program. Some employees have been taken off it because of performance related issues. We have about half our staff on this program. This is roughly 8 people. Corporate Auditor | Utilities Company Click here to get a list of all responses © 2009 The Corporate Executive Board Company. All Rights Reserved. 6
WHO DETERMINES SOX TEST ATTRIBUTES? May 14, 2009 Answers from Our Clients Question Are SOX test attributes determined at your company by the tester and reviewed by a manager or are they determined following a formal control change process involving all stakeholders (i.e. process owners, SOX controls inventory team, IA testing team)? 1. Tester & Manager 2. All stakeholders 3. Other Background: I recently joined a new company where changes to test attributes are considered significant and require approval from parties not directly involved in SOX testing (e.g. process owners, SOX PMO, SOX controls inventory team). By sending this question, I am trying to get a better feel what is standard practice across US public companies. • Issue—Person/team responsible for determining SOX test attributes • Key Takeaways • Majority (7 out of 10) respondents indicate that the SOX test attributes are determined centrally by SOX Compliance/IA team. • Of these, 2 respondents indicate that their firm allows certain degree of freedom for testers/managers to add more test attributes. The testing attributes should be determined in-conjunction with Internal Audit or external audit teams performing the testing. If the Testers are determining the attributes, they should validate the test is designed to mitigate the risk through internal audit. In most cases the testing attributes are handled through Audit either internal or external to ensure the attributes are designed affectively. Manager Compliance and Financial Controls | Media Responsibility of Determining SOX Test Attributes % of Respondents Our SOX compliance team sets the minimum attributes to be tested. SOX business / IT team leads and testers are free to ADD to that list of attributes. If SOX team lead believes the attributes set by the compliance team are flawed, they are asked to review with SOX compliance team prior to deleting or changing any pre-defined attributes. In our first year of SOX, we let the SOX team leads choose attributes....more often than not, those attributes did not cover all the risks / assertions, so each year since, the SOX compliance team reviews attributes and fine tunes prior to releasing test plans for new year. Director Financial Process Improvement and SOX | Specialty Retail n= 10 Click here to access the discussion thread © 2009 The Corporate Executive Board Company. All Rights Reserved. 7
HANDLING NEWS REPORTERS AT AUDIT COMMITTEE MEETINGS May 12, 2009 Answers from Our Clients Question 1) How do you handle the presence of news reporters at Audit Committee meetings? (As a CAE, I am very concerned about the reporter "sensationalizing" a story for the newspaper. I have consulted our Corporate Counsel on this, because it creates a dilemma.) 2) Has your company moved to "closed or executive" sessions to address this type issue when needed? Also, if I am to have a meeting with the Audit Committee alone, this could be very awkward. Any thoughts or ideas to address this would be appreciated. • Issue—Whether news reporters are allowed in audit committee meetings • Key Takeaways • None of the respondents allow news reporters to participate in Audit Committee meetings • 36 out of 41 respondents hold "closed or executive sessions" with the Audit Committee I can't say I have been confronted with outsiders being allowed to attend audit committee meetings in the 25 years I have been involved with audit committees at the corporate level. If confronted, I am sure they would not be allowed in since such meetings are not open to the public. I am now an audit committee member for a State Government. This is a different format where the meetings are open to anyone. In this type of venue, the most important thing is to make sure everyone knows that such reporters could be in the room and comments can appear in the public. The chairman plays a role in setting the proper backdrop and stage for discussion topics to minimize the likelihood of items being taken out of context--but you never can be sure. Vice President, Audit Services | Utilities Company Permitting News Reporters to Witness Audit Committee Meetings % of Respondents N= 41 The Audit Committee meetings are by their nature confidential where there is numerous items such as control issues and financial results are discussed. As a publicly listed company, it would be inappropriate for any outsider to attend such meetings. This would extend to the media. The only Board level meeting where the public or media attend is our Annual General Meeting of shareholders. Executive General Manager Group Audit | Banking Company Click here to get a list of all responses © 2009 The Corporate Executive Board Company. All Rights Reserved. 8
IT SECURITY DEPARTMENT – STRUCTURE AND RESPONSIBILITIES May 11, 2009 Question 1) Does your company have a separate IT Security Department? 2) If yes, who do they report to? the CIO or some other Chief Executive? 3) Does your IT Security Department monitor access within all applications within the company? 4) What other high level responsibilities does your IT Security Department perform? Answers from Our Clients Issue—Role and reporting structure of IT Security department 1) Yes. My organization employs a Chief Information Security Officer who is responsible for corporate information security as well as a number of managers responsible for various functions of operational and non-operational security. 2) The CISO reports directly to the Chief Information Officer (CIO) who is an executive or c-suite position that reports directly to the CEO. The CISO does not report to the vice president of IT. The VP of IT Ops reports to the CIO as well. 3) I'm not sure any security function can make a claim that it monitors access within all applications but , like any other function, we do our best considering the number of applications including automated monitoring of database access. We employ a centralized access request system that provides us with the capability to periodically review access to determine if it represents a valid requirement. 4) We perform the following functions: A. Computer incident and response B. Security vulnerability assessments C. Network connectivity requests and reviews D. Intrusion prevention and detection E. Policy and procedures F. Monitoring and compliance G. Database access monitoring Senior IT Auditor | Government • Key Takeaways • 8 out of 9 respondents indicate that they have a separate IT Security department. • Of these – 5 respondents indicate that the department directly reports to the CIO • 4 out 8 respondents indicate that IT Security department monitors access to only critical applications. Measuring and Tracking Audit Completion % of Respondents IT Security Department Reporting Structure % of Respondents n = 9. © 2009 The Corporate Executive Board Company. All Rights Reserved. 9 Click here to access the discussion thread
IT SECURITY DEPARTMENT – STRUCTURE AND RESPONSIBILITIES (CONTINUED) May 11, 2009 Answers from Our Clients We do have a separate security team that reports directly to the CIO. The team is focused more on network and OS level security, not application security. The team deploys a number of tools to ensure virus definitions are up to date, Operating Systems are configured per policy, and to monitor and respond to network vulnerabilities and breaches. The reality is that they are able to do a good job at the network level, but struggle in other areas. Either their tools are unable to scan all critical systems, or they don’t have a process in place to be proactive and preventative. Also, the tools they use limit what they can test. Internal Audit typically looks much deeper into these areas and goes beyond what a scan can provide. Overall their primary role has been heavily focused on controlling network security. Director of IT Global Compliance | Leisure 1) No, the company has an IT Security Manager. In addition, several users in IT perform security functions for various applications (e.g., we have an IT Network and Communications Manager and his direct reports perform Network Security functions). 2) The IT Security Manager reports directly to the Vice President of Information Technology who reports directly to the CFO. 3) Application access is monitored by business management with assistance from various application security administrators and the IT Security Manager. 4) IT Security Manager also manages end user licenses and monitors installation of unapproved/unlicensed software, anti-virus and safe boot updates, and monitors external and internal threats and vulnerabilities. Senior IT Auditor | Energy Click here to access the discussion thread © 2009 The Corporate Executive Board Company. All Rights Reserved. 10
IA ACCESS TO CLIENT PRIVILEGED DOCUMENTS May 11, 2009 Answers from Our Clients Question We are currently working on an audit involving a department reporting through our Legal Department. As a result, many documents related to decisions and interpretations have been marked Attorney Client Privileged. Our charter clearly states audit has access to all books, records and documents of the corporation. However, our Auditee and Legal Department are denying Internal Audit access to review documentation marked as privileged. We are not requesting copies of the documents just the right to review. 1) Have you ever encountered this situation as part of an internal audit? 2) How would you recommend we respect the status of the documents and still conduct a thorough audit? • Issue—Internal Audit’s authority to access of legal department’s client privileged documents • Key Takeaways • Majority (11/13) respondents agree that Internal Audit should have access to Attorney Client Privileged documents. • In cases where Legal department has apprehensions about sharing such documents, respondents suggest adopting workarounds such as: • Reviewing the documents in legal department personnel’s presence and avoiding taking any copies of these documents • Having the Chief Audit Executive or a senior auditor review the documents 1) The challenge is that once privileged documents are shared outside the privilege, they most likely forgo the protections afforded by this process. When facing similar situations while in banking, to the extent that privileged documents needed to be reviewed they were covered under a privileged review requested by the Legal department. The report was provided to the Legal department and no work papers with privileged content were retained by audit. Additionally, the report and workpapers were segregated from other similar documents. No privileged documents were included in these repositories. 2) Where we did review documents, it was in the legal department, No documents were copied or otherwise retained. The staff assigned was trained on privilege. While audit has unrestricted access, unless directed by the audit committee, we were sensitive to the need to protect privilege and found ways to approach this by working closely with Legal. SVP, General Auditor | Financial Services IA Access to Legal’s Client Privileged Documents % of Respondents This question is addressed in the IIA Research Foundation’s Handbook Series: Auditing the Legal Process. Vice President, Corporate Audit | Materials & Construction N= 13 Click here to access the discussion thread © 2009 The Corporate Executive Board Company. All Rights Reserved. 11
SOX SUB-CERTIFICATION METHODS May 6, 2009 • Issue—Typeof sub-certification model, number of sub-certification models • Key Takeaways • 7 out of 14 respondents follow sub-certification model mirroring the language of the CEO/CFO certification. • 4 out of 14 respondents collect more than 20 sub-certifications. • 9 out of 14 respondents agree that sub-certifiers (designated by the certifiers) require an additional layer of formal representations from individuals within business units / support functions. Question 1) Which sub-certification model does your company follow (please indicate the relevant option number as your answer)? a) mirroring the language of the CEO/CFO certification b) mirroring the language of the external auditor's letter of representation c) other (please specify) 2) How may sub-certifications (number of people) does your company collect each quarter from business units / support functions (please indicate the relevant option number as your answer)? a) None b) <5 c) 5-14 d) 14-20 e) >20 3) Do the above sub-certifiers (designated by the certifiers) require an additional layer of formal representations from individuals within business units / support functions? a) Yes b) No Type of Sub-Certification Mode Used % of Respondents N=14 Number of Sub-Certifications Collected % of Respondents N=14 Click here to access the discussion thread © 2009 The Corporate Executive Board Company. All Rights Reserved. 12
SOX SUB-CERTIFICATION METHODS(CONTINUED) May 6, 2009 Answers from Our Clients 1.a - for 10Q, 10K certs, c for SOX processes - we have IT and Business process team leads certify that process is documented, tested, results have been assessed, and deficiencies have been disclosed...their SOX certs have language to the effect that processes, controls are in place, designed and operating effectively except for the following (here the team leads identify all exceptions to their cert. for example if they implement a new system during the quarter, they would disclose that info and tell us when they plan to test the new controls or existing controls impacted by the implementation. team leads would also disclose if there were any control failures in the quarter, results of remediation testing, etc) 2.e 3.a - all section 16 officers are interviewed by the CEO/CFO as part of the quarterly disclosure controls Director financial process improvement and SOX | Specialty Retail 1) c - Other. Our sub certifications are performed by operating unit CEO & CFOs, as well as key staff positions such as the corporate controller, treasurer, general counsel, etc. Each sub certification is tailored for the function responding, and includes some standard questions (e.g., are you aware of any violations of company policy that could materially impact the company) and a questionnaire focused on the particular function. 2) c - We have 12 required sub certifications. However, each respondent is required to collect sufficient information to support his/her sub certification. They often do so by extending the certification within their organization. 3. a - Yes. Vice President, Corporate Audit | Materials & Construction Click here to access the discussion thread © 2009 The Corporate Executive Board Company. All Rights Reserved. 13
CYCLE TIME TO COMPLETE AN AUDIT April 29, 2009 Question Do you measure cycle time to complete an audit such as days to complete fieldwork or "man days" to complete fieldwork, etc.? Please provide any useful efficiency measures you use. Answers from Our Clients Issue—Company policy limiting the risk of corporate officers traveling together. We utilize a balanced scorecard approach for monitoring and reporting the performance of Internal Audit. One of the measures is the Duration Period of Audits. The aim is to complete an audit and issue the final audit report in 18 weeks or less. The duration is measured from the start date contained in the audit plan until the report is sent to the Audit Committee. The implementation of this measure has sharpened the focus of the audit directors on completing the audits in a timely manner. The actual duration target needs to be set so it meets the needs of your organization; ours is a large and complex operation and we do quite comprehensive reviews so 18 weeks is a stretch on past practice. In my previous organizations we typically set the duration target at around 12 weeks. Anonymous, Peer • Key Takeaways • 10 out of 16 respondents measure and track the complete audit cycle from planning to issuance of an audit report in terms of audit days/man days • Among these, 2 respondents indicate that although they measure time to complete fieldwork, they track only time to issue an audit report from the point of completion of fieldwork • 6 out 16 respondents only measure and track time to release the audit report from the point of completion of fieldwork Measuring and Tracking Audit Completion % of Respondents n = 16. • We simply measure four metrics: • Productivity - number of days post field work to issue reports • Efficiency - budget to actual (at a rate per hour by level) • Professionalism - customer survey results • Quality - subjective workpaper/report review • Internal Audit Director | Manufacturing © 2009 The Corporate Executive Board Company. All Rights Reserved. 14 Click here to access the discussion thread
AUDIT CONSULTANTS OFFERING GENERAL CONSULTANCY SERVICES April 29, 2009 • Issue—Audit Consultants providing consulting services in the business units they audit. • Key Takeaways • 92% of the responding companies are not in favor of Audit consultants providing general consultancy services • 8% of the responding companies believe “If the area that they are pitching work for is not what is being audited, then there would be no independence concerns”. Answers from Our Clients Question We utilize consultants for audit work for which we do not have technical expertise. We have identified that some of these consultants wish to "pitch" for work being done in the business units in which they are auditing. While they will not be consulting on the specific issues for which they are auditing ( say, they may audit GST while being required to consult on payroll tax), we are not comfortable with this as we are not sure whether there is an adequate separation to ensure that independence and objectivity is not compromised. How has your firm handled this? “I believe that it is a conflict of interests to both "audit" and consult in this situation. I believe that the "audit" firm should be allowed to do only one of these two activities for a single client. Otherwise, the "auditor" may put its efforts "fishing" for consulting work that may be more lucrative than auditing. We do not allow our "audit firms" to also consult at CalPERS. This applies to both our financial statement auditor by Board policy, and to our real estate compliance auditors by practice. In our experience, our audit firms have been careful to search for conflicts of interest prior to accepting various engagements by applying AICPA standards and ethics. I also note that Arthur Andersen and other large CPA firms had difficulty being objective in their audit work when they were generating more money from consulting fees than audit fees from the client. The prime example of this is the Enron debacle. A few years ago, three of remaining Big Four firms spun-off their consulting practices (Deloitte's spin-off was not completed). Shortly thereafter, the other three firms were right back into consulting. Today, there is potential to revert back to the old practice of performing both auditing and consulting for the same client, with the same conflicts of interest and risks as before.” Tax Senior Manager | Computer Software & Services Are Audit Consultants Allowed to Offer General Consultancy Services? % of Respondents n = 12. Click here to access the discussion thread © 2009 The Corporate Executive Board Company. All Rights Reserved.
MINIMIZING AIR TRAVEL RISK April 17, 2009 Question We currently have a policy limiting the risk of corporate officers traveling together, either commercially or on the corporate plane, but this does not specifically include Board of Directors. 1) Do you have a corporate policy limiting the number of board directors who can travel together? 2) If yes, how many directors are allowed to travel on the same flight? Answers from Our Clients Issue—Company policy limiting the risk of corporate officers traveling together. “We do not have a policy. We performed a benchmark some years ago and while we learned that there were disparate practices, it seemed clear that "traveling" together should not be limited to consideration air. Multiple execs in a car is more risky than air statistically.” VP Chief Audit Executive | Leisure • Key Takeaways • 73% of the responding companies do not have a formal policy to limit the risk of corporate officers traveling together • Trends observed in limitation on number of corporate officers travelling together: • In 2/4 responding companies, the policy prohibits more than three directors from travelling together • In 1/4 responding companies, the policy prohibits more than 50% of any management team from travelling together • In 1/4 responding companies, the policy prohibits more than five company officers from travelling together Corporate Policy Limiting BoD Members Travelling Together % of Respondents “1. Policy does identify limits. 2. Prior life, no more than three directors on the same flight; no more than two C-level officers.” Vice President, Internal Audit | Transportation “We have a policy that applies to all company management and board members stating that no more than 50% of any mgmt team (or board members/directors) can travel together. We have 22 directors on our full board.” VP, Audit Services | Insurance n = 15. © 2009 The Corporate Executive Board Company. All Rights Reserved. Click here to access the discussion thread
Materiality of Issues Reported to Board April 15, 2009 Dual Rating? % of Respondents Question We have a diverse business covering many countries and incorporating many differing types of businesses. When doing reviews in small countries we may identify issues which are important for that country but at a group level may / may not be significant. 1) How does your company address this issue? 2) Do you have a dual rating system , one for group impact and one for business impact? 3) Do you dual rate reports overall AND issues or just reports? 4) Do you just rate according to business impact or just for group impact? 5) How does the board know what is the most important or does a principle exists that all significant issues where they sit need to be forwarded to the Board? • Issue—Reporting of issues that may be insignificant at a group level. • Key Takeaways • 54% of the responding companies classify issues according to their importance at the country or group level while the remaining 46% classify issues according to their materiality to the business • 80% of the responding companies dual rate reports • 49%% of the responding companies rate reports, while 13% rate issues • 58% of the responding companies rate by business impact • 92% of the responding companies report all issues to Board/Audit Committee Rate by Business Impact or Group Impact? % of Respondents Rate Issues or Reports? % of Respondents How do you classify issues? % of Respondents Report all issues to Board/Audit Committee? % of Respondents Click here to access the discussion thread © 2009 The Corporate Executive Board Company. All Rights Reserved.
Materiality of Issues Reported to Board (CONTINUED) April 15, 2009 Answers from Our Clients (Continued) “We've faced the same issue. We rate all of our audit points on a 4 point scale - a priority 0 is significant to the company or the line of business as a whole; a priority 1 is significant to that particular line of business. Priority 2's and 3's are lower on the scale. That has worked successfully in helping to ensure that even a small line of business places the right priority on closing points while highlighting to senior management the issues that are important at the macro level. We issue one rating per issue and do not put an overall rating on the report. However, our report summary will highlight and call out anything significant from a quality of earnings, quality of internal controls, or business practices perspective. On a quarterly basis, I include a report in our pre-read materials to the audit committee that shows a summary of audit point activity for each of our lines of business. I also show all open priority 0 and priority 1 points with a brief description of the issue, the line of business, the issue rating, expected issue resolution date and whether the point is due, not due, overdue or postponed. I would discuss specific points of concern with the AC Chair directly.” Senior Vice President, Internal Audit | Food “We are a Fortune 50 company with big, medium and small business in over 90 countries. 1. Audits are based on country scope, not total company scope. 2. We have one rating system for all size businesses. 3. We issue one report with the rating for the business 4. We rate based on business impact of business audited. 5. All failed audits are reported in summary form to Audit Committee, but we provide context of the size of entity. Specific issues are only reported to Audit Committee if they are thematic of a company-wide issue. Otherwise they are reported only to senior company management through our issued report. The Audit Committee does not receive copies of audit reports. I only provide overall summaries at each A.C. meeting.” Vice President and General Auditor | Food Click here to access the discussion thread © 2009 The Corporate Executive Board Company. All Rights Reserved.
SPREADSHEET AUDITING TOOLS April 04, 2009 • Issue—Tools to perform spreadsheet audits • Key Takeaways • Respondents recommend the following spreadsheet audit tools (not necessarily in that order): • Red Rover Detect • Spreadsheet Professional • Prodiance Spreadsheet IQ • Microsoft Excel Answers from Our Clients Question Does anyone know of any good Spreadsheet Audit Tools, conscious they are used a lot and if there is a tool that can identify inconsistencies in formulas, potential errors and so on would be good to hear about it? We have recently reviewed 3 of these products and recommended Red Rover Detect and Red Rover Audit for use in our department in for another area which makes heavy use of Excel spreadsheets. We found that these provided the best GUI/ease of use and at the top based on number of errors found. These are the largest packages we reviewed and they do slow down the initial excel startup by 10 to 15 seconds (in our environment) so some might prefer Spreadsheet Professional which also scored well on finding errors but does not support as nice a GUI hence scored lower on ease of use. Price is about the same although later has an aggressive volume discount which we are negotiating with Red Rover. Also we like the Red Rover Audit Tool to support change management and spreadsheet review functionality. It is the only product we saw with this capability. Director IT Audit | Utilities Spreadsheet Auditing Tools Utilization Levels n = 12. There's a 'formula audit' function within Excel. It'll show you all the formulas contained within cells that have them instead of only the results. You can then test the formulas for accuracy and completeness. Hope this helps. Senior Auditor | Utilities Click here to access the discussion thread © 2009 The Corporate Executive Board Company. All Rights Reserved. 19
UTILIZATION OF TECHNOLOGY TOOLS March 31, 2009 • Resource Allocation 1 (Hewlett-Packard's Project and Portfolio Management) • Workpaper Management 1 (TeamMate) • Risk Assessment 1 (Hewlett-Packard's Project and Portfolio Management) • Audit Scheduling 1 (Hewlett-Packard's Project and Portfolio Management) • Issue Tracking 3 (Moving towards using (Hewlett-Packard's Project and Portfolio Management) • Time and Expense Management 1 (Hewlett-Packard's Project and Portfolio Management) • Reporting 2 (Hewlett-Packard's Project and Portfolio Management) • Others 3 (periodic performance reviews utilize Hewlett-Packard's Project and Portfolio Management) • Senior Executive | Fortune 500 • Issue— Utilization levels of technology tools such as TeamMate and AutoAudit for various Internal Audit activities. • Key Takeaways • While 93% of the respondents fully utilize technology tools (like TeamMate and Auto Audit) for workpaper mangement, only 14% fully utilize these tools for risk assessment. • Further, 45% of the respondents do not utilize TeamMate or Auto Audit for resource allocation. Answers from Our Clients • Question • To what extent do you utilize technology tools like TeamMate and AutoAudit for the following audit activities? Please rate this on a scale of 1 to 3 (1 = Fully Utilize, 2 = Partially Utilize, 3 = Do not utilize) • Resource Allocation • Workpaper Management • Risk Assessment • Audit Scheduling • Issue Tracking • Time and Expense Management • Reporting • Others (please specify) Technology Tools Utilization Levels % of Respondents N=29 Click here to access the discussion thread © 2009 The Corporate Executive Board Company. All Rights Reserved. 20
COPIES AND COPYRIGHT As always, members are welcome to an unlimited number of copies of the materials contained within this handout. Furthermore, members may copy any graphic herein for their own internal purpose. The Corporate Executive Board requests only that members retain the copyright mark on all pages produced. Please contact your Member Support Center at +1-866-913-8102 for any help we may provide. The pages herein are the property of the Corporate Executive Board. Beyond the membership, no copyrighted materials of the Corporate Executive Board may be reproduced without prior approval. LEGAL CAVEAT The Audit Director Roundtable has worked to ensure the accuracy of the information it provides to its members. This report relies upon data obtained from many sources, however, and the Audit Director Roundtable cannot guarantee the accuracy of the information or its analysis in all cases. Furthermore, the Audit Director Roundtable is not engaged in rendering legal, accounting, or other professional services. Its reports should not be construed as professional advice on any particular set of facts or circumstances. Members requiring such services are advised to consult an appropriate professional. Neither the Corporate Executive Board nor its programs are responsible for any claims or losses that may arise from a) any errors or omissions in their reports, whether caused by the Audit Director Roundtable or its sources, or b) reliance upon any recommendation made by the Audit Director Roundtable . www.adr.executiveboard.com Washington, D.C. | London | New Delhi | San Francisco | Chicago | Sydney