
2009 IT AUDIT BENCHMARKING STUDY

Executive Summary and Report


March 2009

Version 1.2

DISCLAIMER
Copyright 2009 by The Institute of Internal Auditors' (IIA's) and The IIA Research Foundation's (IIARF's)
Global Audit Information Network (GAIN) located at 247 Maitland Avenue, Altamonte Springs, Fla. 32701.
All rights reserved. Published in the United States of America.
Except for the purposes intended by this publication, readers of this document may not reproduce, redistribute,
display, rent, lend, resell, commercially exploit, or adapt the statistical and other data contained herein without
the permission of GAIN or The IIARF.
The information included in this document is general in nature and is not intended to address any particular
individual, internal audit activity, or organization. Based on the date of issuance and changing environments, no
individual, internal audit activity, or organization should act on the information provided in this document without
appropriate consultation or examination.

ABOUT THIS REPORT


As part of its services, The Institute of Internal Auditors' (IIA's) and IIA Research Foundation's (IIARF's) Global
Audit Information Network (GAIN) will develop a series of benchmarking studies on specific subjects internal
auditors can use to share, compare, and validate their work and specific business practices. This report
provides a summary of key study findings and recommendations from IIA members to help those looking
to establish an effective IT audit process and acquire technology-based audit tools to maximize their internal
audit efforts.
This study is not a statistically based survey and its results are not representative of the entire population of
internal auditors. Rather, this is a benchmarking study based on the responses of chief audit executives and
other internal audit professionals who are members of GAIN and it is solely intended to provide information
(i.e., tools, resources, and/or other knowledge) that is based on the responses of survey participants.

ACKNOWLEDGEMENTS
The IIA would like to thank Don Sparks, CIA, CISA, ARM, and Cesar Martinez, CIA, CGAP, for their
contributions in developing the 2009 IT Audit Benchmarking Study on which this Executive Summary
and Report is based.

TABLE OF CONTENTS

ABOUT THIS REPORT
EXECUTIVE SUMMARY
RESPONDENT DEMOGRAPHICS
    IT Audit Function Profile
THE IT AUDIT ACTIVITY
    IT Audit Skills and Sources of Training
IT AUDIT TOOLS AND TECHNIQUES
    Extraction Software
    Data Analysis Software
    Fraud Detection and Investigation Software
    Automated Working Paper Software
    Control Self-assessment Software
    Compliance Software
    Continuous Audit Software
    Software Used to Assess Risks for the Annual Audit Plan
CLOSING THOUGHTS
APPENDIX: IT AUDIT BENCHMARKING STUDY RESULTS

EXECUTIVE SUMMARY
According to IIA Standard 1210.A3: Proficiency, internal auditors must have sufficient knowledge of key IT risks
and controls and available technology-based audit techniques to perform their work. As many long-time users of
technology-based audit techniques know, having the right application can expedite and maximize internal audit
efforts significantly. However, whether an in-house or third-party tool is used, it is important that organizations
incorporate IT audit activities as part of the internal audit plan.
To determine the extent of IT audit planning efforts, the profile of IT audit functions, and the software tools
currently in use, The IIA's and IIARF's GAIN department conducted its first annual IT Audit Benchmarking Study
in February 2009. Of the 138 organizations represented in the study, an overwhelming majority
(94.8 percent) incorporate IT audit activities as part of the internal audit plan. When asked to explain the
process used to incorporate IT audit activities into the audit plan, 52.9 percent use an integrated planning
approach in which potential IT audit areas are determined as part of the risk assessment process or annual
audit planning process. In addition, many of these organizations use software to support extraction, data
analysis, and risk assessment efforts, among other activities.
In terms of years of IT audit experience, respondents stated they have an average of 2.9 years of expertise in
this area. In addition, most IT audit functions consisted of 1–3 internal auditors dedicated solely to this task and
25 percent of participants indicated their internal audit function has been performing IT audits for 1–3 years.
Additionally, the vast majority (83.2 percent) of respondents indicated the IT audit function reports to the CAE
or head of internal auditing followed by the audit committee (8.8 percent).
The study also asked respondents to specify whether their organization co-sources, outsources, or both co-sources and outsources any of its IT audit activities. More than half of study participants (52.2 percent) stated
they performed none of these three activities; that is, IT audit activities are performed solely by the internal
audit group. Of the remaining responses, 23.9 percent both co-source and outsource their IT audit activities,
followed by 17.4 percent that co-source only and 6.5 percent that outsource only. The top five reasons why
IT audit activities are either co-sourced or outsourced include having better access to subject-matter experts
(79.5 percent), internal audit staff limitations (75 percent), cost-effectiveness of the co-sourcing or outsourcing
activity (43.2 percent), lack of internal audit staff knowledge on the IT systems used in the organization
(36.4 percent), and difficulty in recruiting qualified IT audit staff (22.7 percent).
Furthermore, respondents were asked to list the top three issues that will impact IT audits the most within the
next 24 months. These three issues include IT audit project limitations due to budget restrictions, lack of internal
resources or time, increasing travel costs, and lack of overall knowledge to perform an IT audit (43.5 percent);
data security and privacy (37.7 percent); and being unable to add value to the organization due to the increasing
complexity of IT systems (23.2 percent). Based on these responses, study participants were asked if they had
the skills and training to address the issues that will impact IT audits the most. The vast majority of participants
responded yes to both questions: 71.7 percent and 72.2 percent of internal audit activities represented in the
study have the skills and training, respectively, to address the issues that will impact IT audits the most within
the next 24 months.
Similarly, participants were asked to identify the latest three technology innovations that have eased the
performance of IT audits the most within the last three years. These include use of computer assisted audit
techniques (CAATs), availability of many systems online, and guidance on specific IT audit areas or guidance
that is tailored to noncomplex IT environments. In terms of training, the primary source of IT audit knowledge
during the past 24 months is participation in seminars, workshops, and conferences offered by a professional
organization (44 percent), followed by individual research gathered from online resources, and books or self-study courses.

RESPONDENT DEMOGRAPHICS
A total of 138 chief audit executives (CAEs), audit directors or managers, and other internal audit professionals
participated in the 2009 IT Audit Benchmarking Study.[1] The majority of study participants work in publicly listed
companies (44.2 percent) located in the United States (76.1 percent)[2] with annual revenues ranging from US $1
billion to less than US $10 billion (46.3 percent) and internal audit activities ranging from 3–6 internal auditors
(34.1 percent), immediately followed by 7–15 as the second highest response (31.2 percent) (refer to figure 1).
The top five industries represented by study participants include financial services, banking, and real estate
(19.7 percent); manufacturing (15.3 percent); educational services (10.2 percent); insurance carriers and agents
(8 percent); and utilities (7.3 percent).
Years of internal audit experience represented in the study vary from 4–6 to 19 or more, with the latter being the
category with the highest response frequency (49.3 percent) (refer to figure 2). Participants also were asked to
specify the number of years of work experience in different internal audit categories (i.e., internal auditing, IT
auditing, and other). Figure 3 provides a summary of each.

Figure 1: Internal audit activity staff size

Figure 2: Years of combined audit experience

Figure 3: Years of audit experience by category

IT Audit Function Profile


____________________________________
In terms of years of IT audit experience, the largest number of respondents stated they have an average of 2.9
years of experience (28.3 percent) in this area, closely followed by 8.1 years (22.5 percent), as shown in figure 2.
The vast majority of respondents also stated their IT audit activity consists of 1–3 auditors dedicated solely to this
task (77.2 percent). The remaining study participants indicated they have 4–6 (13.2 percent), 7–9 (3.7 percent),
or more than 10 IT auditors (5.9 percent).

[1] A total of 1,709 invitations were sent to members of GAIN's Flash Survey Network, out of which 138 responded to the survey,
representing an 8.1 percent response rate. Other positions represented in the survey include audit or IT audit staff, IT audit manager, and
IT audit director. For a percentage breakdown of each position, refer to page 77.
[2] Other countries or locations represented in the survey include Canada (8 percent), Australia and Hong Kong (2.2 percent each), and
Albania, Germany, and Switzerland (1.4 percent each).

Besides working in small to mid-size internal audit departments, the low number of IT auditors could be
correlated to how long this function has been present within the organization. According to study results,
25 percent of participants indicated their internal audit function has been performing IT audits for 1–3 years,
followed by 4–6 years (19.9 percent). These percentages continue to decrease until they hit the 19 years
or more category, where they increase back to 19.9 percent (refer to figure 4 for a breakdown).

Figure 4: Years internal audit function has been performing IT audits


Finally, respondents were asked to determine to whom the IT audit function reports. The majority (83.2 percent)
indicated the IT audit function reports to the CAE or head of internal auditing followed by the audit committee
(8.8 percent). Figure 5 summarizes these responses.

Figure 5: IT audit function reporting line

THE IT AUDIT ACTIVITY


To determine how IT audits are planned throughout the year, study participants were asked whether they
incorporate IT audit activities as part of the internal audit plan. Nearly all respondents (94.8 percent) indicated
they incorporate IT audit activities during the internal audit planning process while only 5.2 percent indicated
they did not. A cross-tabulation of the data was performed to determine whether IT audit and internal audit staff
sizes were correlated to the incorporation of IT audit activities as part of the audit plan.
The assumption was made that the larger the size of the internal audit or IT audit activity, the more likely the
organization would be not to incorporate IT audit activities as part of the internal audit plan due to the presence
of a dedicated group of IT auditors. However, this was not the case. Of the 94.8 percent of organizations that
incorporate IT audit activities as part of the internal audit plan, 81 percent have an IT audit function consisting of
1–3 IT auditors and 37.1 percent have an internal audit activity ranging from 3–6 full-time internal auditors.[3]
When asked to explain the process to incorporate IT audit activities into the internal audit plan, 52.9 percent use
an integrated planning approach in which potential IT audit areas are determined as part of the risk assessment
process or annual audit planning process performed to determine all audit universe components. Only a few
organizations perform a separate IT audit risk assessment to identify the IT audit areas to be audited throughout
the year (10.9 percent) or identify IT auditable components based on core business functions or processes
(5.8 percent) (refer to table 1 for a summary of these responses).
Gary Allen, CIA, CISA, IT audit manager for Berkshire Life Insurance Company of America, in Pittsfield, Mass.,
is one of the respondents using a risk-based, integrated planning approach that incorporates IT audit
components into the annual audit plan. The entire internal audit staff participates in system development
projects as a way to help the organization mitigate risks in addition to performing transactional and operational
audits. "If the sales department is designing and building a new system, for instance, our team would devote
audit resources to the project to give advice on designing controls in the new system," he explains. "This way,
our auditors help get the process right to begin with and it is less expensive than coming in later and pointing out
all the controls that got left out of the new process or system."[4]

Process Used to Incorporate IT Audit Activities as Part of the Internal Audit Plan

• The internal audit activity takes an integrated IT audit planning approach in which potential IT audit areas are
  determined as part of the risk assessment process or annual audit planning process performed to determine all
  audit universe components. Once an IT audit universe is determined based on areas of high risk, a schedule is
  created to monitor or review IT audit universe components on a specific timeframe. These IT audit universe
  components are either incorporated into the annual audit plan or kept as a separate IT audit plan. For example:
    ◦ A universe of IT audits is created as part of the normal audit planning process, in which IT audit areas are
      risk-ranked.
    ◦ The highest risk-ranked audits are included in the overall audit plan to the extent that the internal audit
      department has the IT resources to allocate to them.
    ◦ Risk assessment interviews are also performed, including interviews with IT management.
    ◦ IT components that are ranked for risk include system applications, and operations, access, and change
      management controls (73 responses).
• The internal audit activity performs a separate IT audit risk assessment to identify the IT audit areas to be audited
  throughout the year. These areas are added to the overall annual audit plan (15 responses).
• IT audits are determined based on core business functions and processes (8 responses).

Table 1: Process used to incorporate IT audit activities into the internal audit planning process

[3] These percentages represent the choices with the highest number of responses.
[4] According to The IIA's International Standards for the Professional Practice of Internal Auditing (refer to all Standards with the letter
"C" for those pertaining to consulting activities), internal auditors can act in a consulting capacity as long as doing so does not hinder the
internal auditor's independence and objectivity to later assess the effectiveness of the same activity. For instance, as long as auditors only
provide advice regarding the design of controls and no help is given in the actual development of the detailed controls, this consulting
activity should not breach any independence issue. If, however, the internal auditor were to develop the controls that form part of the
system, then as stated by the Standards, he or she could not audit that particular area for a period of at least 12 months.

Respondents indicating they did not incorporate IT audit activities as part of the internal audit plan were also
asked to elaborate on their response. Reasons why IT audit activities are not incorporated as part of the internal
audit plan include:
• The internal audit activity does not have the skills or financial resources necessary to perform IT audits.
• IT management does not provide the information necessary for the internal audit group to review IT activities
  and processes.
• IT audits are outsourced.
Study questions also asked respondents to specify whether their organization co-sources, outsources,
or both co-sources and outsources any of its IT audit activities. More than half of study participants
(52.2 percent) stated they performed none of these three activities; that is, IT audit activities are performed
solely by the audit group. Of the remaining responses, 23.9 percent both co-source and outsource their IT audit
activities, followed by 17.4 percent that co-source IT audit efforts only and 6.5 percent that outsource them.
Again, a cross-tabulation of the data was performed to determine whether IT audit and internal audit staff sizes
were correlated to the co-sourcing or outsourcing of IT audit activities. The assumption was made that the
smaller the size of the internal audit activity or IT audit function, the more likely the organization would be to
co-source, outsource, or both co-source and outsource their IT audit activities. This was somewhat the case:[5]
• Of the 17.4 percent of internal audit departments represented in the study that co-source their IT audit
  activities, 13.2 percent and 6.5 percent have 1–3 IT auditors and 3–6 full-time internal auditors, respectively.
• Of the 6.5 percent of audit departments that outsource their IT audit activities, 4.4 percent and 5.4 percent
  have 1–3 IT auditors and 3–6 full-time internal auditors, respectively.
• Of the 23.9 percent of audit departments that both co-source and outsource their IT audit activities,
  23.1 percent and 9.8 percent have 1–3 IT auditors and 7–15 full-time internal auditors, respectively.
• Of the 52.2 percent of audit departments that perform their own IT audits, 44 percent and 19.6 percent
  have 1–3 IT auditors and 3–6 full-time internal auditors, respectively.

[5] Percentages listed in the bulleted list represent the choices with the highest number of responses.

Leading Practices for IT Audit Planning

According to The IIA's Global Technology Audit Guide, Developing the IT Audit Plan (2008), creating an
effective IT audit plan is a four-step process. The first step is to understand the business. This means
identifying the strategies, company objectives, and business models that will enable CAEs to understand the
organization's unique business risks, as well as understanding how existing business operations and IT
service functions support the organization.
The remaining steps in the IT audit planning process are:
• Defining the IT audit universe following a top-down approach that identifies key business objectives and
  processes, significant applications supporting the business processes, the infrastructure needed for all
  business applications, the organization's service support model for IT, and the role of common supporting
  technologies such as network devices.
• Performing a risk assessment that ranks audit subjects using IT risk factors and assesses risk using business
  risk factors.
• Formalizing the IT audit plan within the constraints of the internal audit activity's operating budget and
  available resources. The IT audit plan should be integrated into the organization's overall annual audit plan.
  Levels of integration may vary depending on the organization's needs and available resources. For instance,
  CAEs may choose to have a low-integrated IT audit plan (i.e., a stand-alone plan under the responsibility of the
  IT audit team that is organized by IT subject areas, is generally isolated from non-IT audit activities, and
  includes the review of applications); a partially integrated audit plan (i.e., a plan that outlines IT audit
  engagements available by a core IT audit team, as well as provides an additional set of planned engagements
  distributed across non-IT audit teams and coordinated with other process reviews); or a highly integrated
  audit plan (i.e., a plan where IT audit activities are incorporated as part of business process engagements).

Furthermore, participants were asked to specify how much of their IT audit activities are co-sourced,
outsourced, or both. According to study results:
• 88.8 percent of the 17.4 percent of organizations that co-source IT audits, co-source anywhere from
  1 percent to 25 percent of their IT audit efforts.
• 50 percent of the 6.5 percent of organizations that outsource IT audits, outsource anywhere from
  76 percent to 100 percent of their IT audit efforts.
• 65.1 percent of the 23.9 percent of organizations that both co-source and outsource IT audits, co-source
  and outsource anywhere from 10 percent to 75 percent of their IT audit efforts (refer to figures 6–8 for a
  breakdown of these percentages by type of sourcing activity).

Figures 6–7: Percent of IT audits that are co-sourced (left) and outsourced (right)

Figure 8: Percent of IT audits that are both co-sourced and outsourced


The top five reasons why IT audit activities are either co-sourced or outsourced include having better access to
subject-matter experts (79.5 percent), internal audit staff limitations (75 percent), cost-effectiveness of the co-sourcing or outsourcing activity (43.2 percent), lack of internal audit staff knowledge on the IT systems used in
the organization (36.4 percent), and difficulty in recruiting qualified IT audit staff (22.7 percent). Respondents
also were asked to rate the ability of their in-house staff to evaluate the quality, effectiveness, and efficiency of
their IT audit activities, as well as their overall satisfaction with their organization's IT audit efforts. Overall, the
majority of study participants provided positive ratings in each category:
• 79.5 percent rated the ability of their in-house audit staff to evaluate the quality of their outsourced or
  co-sourced IT audit work as good to excellent.
• 63.1 percent rated the effectiveness of their IT audit activities as effective to highly effective.
• 51.7 percent rated the efficiency of their organization's IT audit activities as efficient to highly efficient.
• 57.6 percent were satisfied to highly satisfied with their organization's overall IT audit efforts.

Reasons provided for these ratings include:
• Ability of staff (e.g., level of experience of internal audit manager, CAE, and IT audit staff, and the
  presence of excellent lines of communication among audit staff with service providers and auditees).
• IT audit activity effectiveness (e.g., good communication among IT auditors, the IT department, and
  the board; presence of well-trained staff; and an excellent vendor and risk assessment process).
• Efficiency of IT audit activities (e.g., presence of highly qualified staff; excellent working relationships
  with management and senior auditors; and presence of a continuous improvement and review process).
• Overall satisfaction with IT audit activity (e.g., presence of trained, qualified staff with information
  systems experience and the use of technology that meets business needs).
(A detailed summary of each rating and why each rating was chosen are provided in the Appendix to this report.)

IT Audit Skills and Sources of Training


____________________________________
According to GAIN's Annual Benchmarking Study, a year-round survey that compiles the responses of more
than 600 CAEs from organizations around the world, 47 percent of general auditors are encouraged to
receive IT training by attending internal or external formal training sessions, while 47 percent of audit staff
thoroughly understand IT concepts and test IT general controls as part of their audit reviews.[6] To obtain more
in-depth information regarding these statistics, this year's IT audit study participants were asked questions
regarding the IT skills and level of training present in their respective internal audit function.
First, respondents were asked to list the top three issues that will impact IT audits the most within the next 24
months. These three issues include IT audit project limitations due to budget restrictions, lack of internal
resources or time, increasing travel costs, and lack of overall knowledge to perform an IT audit (43.5 percent);
data security and privacy (37.7 percent); and being unable to add value to the organization due to the increasing
complexity of IT systems (23.2 percent). Table 2 provides a detailed summary of each issue.

Top Three Issues That Will Impact IT Audit the Most Within the Next 24 Months

• IT audit project limitations due to budget restrictions caused by the current economic downturn or
  shifting organizational priorities; time constraints; lack of internal resources to perform the IT audit,
  such as lack of qualified staff due to turnover or budget cuts; increasing travel costs; and lack of overall
  knowledge to perform an IT audit (60 responses).
• Data security and privacy: compliance with data security and privacy laws and regulations (e.g.,
  compliance with the Payment Card Industry Data Security Standard) and information security and data
  privacy practices within the organization (e.g., user provisioning, data access, and change
  management) (52 responses).
• Being unable to add value to the organization due to the increasing complexity of IT systems, which
  prevents the internal audit activity from keeping up with technological changes and innovations, as
  well as not having the knowledge to audit and provide support during new system implementations as
  a result of out-of-date technology, replacement of legacy systems, and automation of existing controls
  (32 responses).

Table 2: Top three issues that will impact IT audits the most within the next 24 months

[6] These statistics were obtained from 569 organizations representing the gamut of industries, company types, annual revenues, and asset
sizes that participated in the Annual Benchmarking Study from June 30, 2007 until Dec. 31, 2008.

Based on these responses, study participants were asked if they had the skills and training to address the
issues that will impact IT audits the most. The vast majority of participants responded yes to both questions:
71.7 percent and 72.2 percent of internal audit activities represented in the study have the skills and training,
respectively, to address the issues that will impact IT audits the most within the next 24 months. In terms of
skills, participants stated their internal audit activity has a dedicated group of IT auditors or internal auditors with
sufficient training to perform IT audits or with IT-specific certifications, such as ISACA's Certified Information
Systems Auditor, while training criteria identified include providing staff with the continuing education needed to
perform their work and the presence of a training plan that addresses the needs of each auditor.
Furthermore, participants were asked to identify the latest three technology innovations that have eased the
performance of IT audits the most within the last three years. These include:
1. Use of CAATs, such as audit administration tools and documentation software; automated change
management applications; new audit tracking software; and help desk audit software.
2. Availability of many systems online, which enables remote audit activities.
3. Guidance on specific IT audit areas or guidance that is tailored to noncomplex IT environments.
By far the primary source of IT audit knowledge during the past 24 months is participation in seminars,
workshops, and conferences offered by a professional organization (44 percent), remotely followed by individual
research gathered from online resources (e.g., The IIA and ISACA), and books or self-study courses (refer to
figure 9 for a summary of all responses). The top organization selected as the first choice for increasing IT audit
knowledge was ISACA (47.8 percent) followed by The IIA (20 percent), the MIS Training Institute
(18.9 percent), the SANS Institute (4.4 percent), and the American Institute of Certified Public Accountants
(2.2 percent).

Figure 9: Primary source of IT audit knowledge

IT AUDIT TOOLS AND TECHNIQUES


To identify the kinds of tools in place for different internal audit processes, study participants were asked to
provide information on the primary and secondary software tools used for the following activities:
• Extraction.
• Data analysis.
• Fraud detection or investigation.
• Automated working papers.
• Control self-assessments.
• Compliance.
• Continuous auditing.
• Risk assessments for the annual audit plan.
Following is a summary of all responses for each of these software categories. (For tips on how
CAEs and other internal auditors can demonstrate the benefits of using technology-based audit
techniques to their audit committee and senior management team, read "Showing the Value of
IT Audit Tools" on this page.)

Showing the Value of IT Audit Tools

Demonstrating the value of using a particular IT audit software or tool is not easy, especially in organizations
where cost-saving initiatives are taking place. One way to show the value these tools can bring to the internal
audit function is by setting clear expectations regarding the tool's cost as well as the amount of time necessary
for setting up the tool correctly and learning how to use it.
Another way to show the value of using IT audit tools is by demonstrating how the tool can be leveraged by other
departments or teams in their day-to-day work. Not only does this allow for the tool's cost to be absorbed by more
than one business unit, but it enables the organization to use one common set of metrics for a specific activity.
Finally, CAEs can demonstrate the financial value of using a particular tool to their audit committee and senior
management team. For instance, CAEs can discuss:
• The number of work hours audit staff will save by using the tool as well as how this free time can be used
  in support of other audit and business projects.
• The amount of money the organization will save on a monthly, quarterly, or yearly basis by using the tool.
• The extra number of audits the organization will be able to perform once the tool is implemented properly
  without the need for extra staff.
• The amount of money the organization will save by standardizing key metrics and processes that cross
  several business functions through the use of the same audit tool.
Source: GAIN's The Internal Audit Activity: Current Trends, Issues, and Practices report (March 2009)

Extraction Software
____________________________________
According to study results, 63 percent of respondents use software for extraction compared to 32.6 percent who
do not and 4.3 percent who answered "not applicable." The top three primary software or tools identified by study
participants for extraction are ACL, application queries, and SAP and SQL (tied for third place). Similarly,
study respondents stated that the secondary software tools used for extraction are Excel, ACL, IDEA, Access,
and SQL.
To get a better idea of how these software tools have helped internal audit activities perform more
effectively, respondents were asked to identify how the use of the software has improved their
internal audit capabilities, a success story or best practice linked to the use of the software, and an
example of a barrier or challenge presented by the use of the software. Table 3 summarizes the responses
to these three questions.

How has the use of the software identified previously improved your internal audit capabilities?
Enables audits consisting of 100 percent of the population (20 responses).
Improves productivity and efficiency of work (i.e., better able to extract, analyze, and acquire data from corporate systems; has drill-down
capabilities; and reduces the amount of time required to identify potential problems) (18 responses).
Enables continuous monitoring of data (2 responses).
Please provide a success story or best practice linked to the use of the software identified previously:
Has enabled the use of exception reports and tests that identify fraud, misuse of expense reports, and staff who didn't charge leave
time, as well as test pricing invoices and internal controls (12 responses).
Analyzes the entire population rather than a sample and identifies true error rates (6 responses).
Identifies financial savings to the organization (1 response).
Please provide an example of a barrier or challenge presented by the use of the software identified previously:
Learning curve and training (e.g., training staff to use the system; the system is cumbersome to work with) (14 responses).
Getting data in the proper format (e.g., using the system requires the use of SQL querying) (7 responses).
The tool doesn't work or integrate well with other systems and is only used by internal audit department (5 responses).
Difficulty accessing data; takes more time to access data than it should; or difficulty in getting access from data owners (5 responses).

Table 3: Responses to questions on software improvement areas, success stories, and challenges presented

Data Analysis Software


____________________________________
Data analysis tools are the most widely used type of software among study participants: 76.1 percent of participants
use data analysis compared to 19.6 percent who do not and 4.3 percent who answered not applicable. The top
three primary software or tools identified by study participants for data analysis are ACL, Excel, and Access.
The secondary software tools used by study respondents for data analysis also include Access, ACL, and Excel.
In addition, ways the software has improved internal audit capabilities or posed a challenge are listed in table 4.
How has the use of the software identified previously improved your internal audit capabilities?
Has increased the efficiency of audits (e.g., more detailed analysis of data; helps analyze data for trends; helps to identify what data are
saying easily; and provide timely analysis of data) (11 responses).
Enables the sorting, viewing, and analysis of large amounts of data or 100 percent of all data (11 responses).
Established independence of internal audit function (e.g., internal auditors now provide data to clients or external auditors) (2 responses).
Helps internal auditors obtain frequency of errors and detect fraudulent activities (2 responses).
Helps to continuously monitor control (1 response).
Please provide a success story or best practice linked to the use of the software identified previously:
Reduced audits and testing to areas of importance by helping auditors focus fieldwork on data identified with reference to anomalies,
red flags, potential fraud, or other issues otherwise not found without the tool (6 responses).
Has enabled the review of user access, areas leading to losses of revenue, and segregation of duty conflicts (2 responses).
Able to continuously monitor 100 percent of all data (1 response).
Able to conduct inventory analysis of multiple sites (1 response).
Please provide an example of a barrier or challenge presented by the use of the software identified previously:
The tool is not user friendly and requires a high level of training (5 responses).
Accessing data (i.e., data is saved in formats that are not conducive to software analysis and it is difficult to obtain data stored in two
systems or legacy systems) (6 responses).
Older versions of Excel or Access do not have the bandwidth to analyze large volumes of data (2 responses).

Table 4: Responses to questions on software improvement areas, success stories, and challenges presented

Fraud Detection or Investigation Software


____________________________________
In terms of fraud detection or investigation software, responses are split in terms of its use: 46.7 percent of
participants use fraud detection or investigation software compared to 48.9 percent who do not and 4.3 percent
who answered not applicable. The top three primary software or tools identified by study participants for fraud
detection or investigation are ACL, Excel, and IDEA, while the secondary software tools used by study
respondents for fraud detection or investigation include Access, Crystal Reports, Excel, IDEA, and Nuix. Ways
the software has improved internal audit capabilities or posed a challenge are listed in table 5.
How has the use of the software identified previously improved your internal audit capabilities?
Enables reporting of fraudulent transactions and abnormal activities and identifies users processing transactions on an ongoing basis
(e.g., on a quarterly basis) (4 responses).
Helps auditors test the entire population in less time (3 responses).
Has the ability to manipulate data for analysis of trends or compare data within different systems or tables (2 responses).
Enables access to data more easily and network access to new IT system information (2 responses).
Is able to investigate fraud more efficiently and save time during fraud investigations (2 responses).
Auditors are able to run CAATs for external auditors (1 response).
Please provide a success story or best practice linked to the use of the software identified previously:
Found bogus vendors or addresses (e.g., matched vendor addresses with employee addresses) (2 responses).
Mapped data to users (e.g., mapping of e-mails to determine their content, who received the e-mail, and the actions taken by recipients;
mapping data to identify noncompliant cases) (2 responses).
Provides more visibility of information (1 response).
Increased number of fraud items for investigations (1 response).
Please provide an example of a barrier or challenge presented by the use of the software identified previously:
Issues with the data (e.g., obtaining data in the first place; getting files to import from IT in a timely basis; and defining data to conduct
the investigation) (3 responses).
High volume of data to analyze (1 response).
Learning curve to use software properly (1 response).
Cannot perform transactions in real time (1 response).

Table 5: Responses to questions on software improvement areas, success stories, and challenges presented

Automated Working Paper Software


____________________________________
A little more than half of study respondents (52.2 percent) use software to automate their working papers
compared to 47.8 percent who do not. The top three primary software or tools identified by study participants for
data analysis are TeamMate, AutoAudit, and Word, and the secondary software tools used by study participants
for automated working papers include Access, Excel, OpenPages, and TeamMate. In addition, ways the
software has improved internal audit capabilities or posed a challenge are listed in table 6.

How has the use of the software identified previously improved your internal audit capabilities?
Use of standard templates (e.g., standardization of templates provides high-productivity and efficiency of work and for the automation of
audit processes and consistency between projects) (14 responses).
Improves quality of review, audit program, and work papers (e.g., reduces review times for audit files and facilitates the sharing and remote
reviews of working papers) (7 responses).
Better organization and access of information (e.g., provides a centralized storage of audit working papers) (6 responses).
Enhances the follow up of audits, tracking of audits, and repeatability of audits (4 responses).
Reduces planning time and staff work (e.g., time used to ensure working paper documentation complies with IIA Standards is significantly
reduced) (4 responses).
Provides better coordination of all audits (e.g., coordination of audits with Sarbanes-Oxley audits and automated reporting of Sarbanes-Oxley work and other internal audits) (2 responses).
Increases audit penetration (1 response).
Improves data protection (1 response).
Please provide a success story or best practice linked to the use of the software identified previously:
Facilitated the automation of work (e.g., has enabled the automation of tracking issues and responses from responsible parties, as well as
the automation of draft reports generated after completion of field work) (2 responses).
Enabled auditors to review work papers from remote locations (2 responses).
Eliminated the use of hard copies (i.e., all work papers are saved electronically, which saves space and reduces waste) (2 responses).
Provided consistency of work (e.g., enables consistency of work papers by allowing auditors to choose which fields to use) (2 responses).
Increased the efficiency of compliance reviews with IIA Standards (2 responses).
Enabled more than one auditor to work on the same project (1 response).
Eased the documentation of work papers (1 response).
Please provide an example of a barrier or challenge presented by the use of the software identified previously:
Software can be cumbersome to use, replicate in the existing environment, or integrate with other software, which leads to an inefficient
use of time (5 responses).
Auditors have lost work occasionally due to bugs within the system and lack of customer service support from vendor (2 responses).
Because the software automates all work papers, too much information is kept, which can be overwhelming (2 responses).
Use of the software and review of work papers still requires human interaction, which introduces inconsistencies unless the internal audit
department has a standard infrastructure in place (2 responses).
It is difficult to access work papers in locations where bandwidth is an issue (1 response).
Cost of training (1 response).
Cannot monitor action items in an automated fashion (1 response).

Table 6: Responses to questions on software improvement areas, success stories, and challenges presented

Control Self-assessment Software


____________________________________
Unlike the other types of software, tools for control self-assessments are not used widely. In fact, 65.2 percent of
study respondents do not use them at all, compared to 21.7 percent who do and 13 percent who stated they are
not applicable to their work. The top primary software or tool identified by study participants for control self-assessment is Excel. Other primary tools listed were only identified by one respondent each and include
AutoAudit, Axentis, FCM, Lumigent Audit DB, Movaris, Option Finder, PolicyIQ, Risk Navigator, Sharpe
Decision, TeamRisk, and Word.
Reasons given by study participants for the use of Excel include its simplicity and availability within the
organization. The only secondary software tool used by respondents for control self-assessment is the Turning
Point Audience Response System. Ways control self-assessment software has improved internal audit
capabilities or posed a challenge are listed in table 7.

How has the use of the software identified previously improved your internal audit capabilities?
The tool has made the control self-assessment process more efficient and less costly (3 responses).
Results are immediately summarized and graphs produced, which has resulted in significantly reduced time in summarizing control
self-assessment results (1 response).
Please provide a success story or best practice linked to the use of the software identified previously:
Other groups in the organization are able to design their own questions, which has cut costs of external resources for management testing
to less than 10 percent (1 response).
Self-assessments are performed on a more timely basis, and it is easier to provide assessment information as needed (1 response).
Please provide an example of a barrier or challenge presented by the use of the software identified previously:
The control self-assessment tool's questionnaire design has presented problems (1 response).
Third-party software has response issues (1 response).
Vendor is not helpful in automating tasks and there are consulting fees associated with assisting in data uploads (1 response).
Not all divisions in the company are using the software (1 response).
The audit team is unable to run reports off of the information received (1 response).

Table 7: Responses to questions on software improvement areas, success stories, and challenges presented

Compliance Software
____________________________________
Similar to the use of control self-assessment software, compliance tools are not widely used: 55.4 percent of
study respondents do not use compliance software compared to 23.9 percent who do and 20.7 percent who
stated this type of software is not applicable to their work. While no single software tool was listed by more
than one study participant as the primary software used for compliance, applications identified include Access,
ACL, Compliance 300, Excel, IDEA, Implexus, Movaris, Oracle's Apex Application, Oracle GRC, PolicyIQ,
Resolver Risk, Showcase Query, and Word. The only secondary software listed by respondents for compliance
is Access.
Ways compliance software has improved internal audit capabilities or posed a challenge are listed in table 8.
How has the use of the software identified previously improved your internal audit capabilities?
Our compliance area primarily uses this software (1 response).
Identify specific transactions of possible concern (1 response).
Directs audit work (1 response).
Provides a common centralized approach to performing compliance audits (1 response).
Compliance audits are timely, easy, and effective (1 response).
Please provide a success story or best practice linked to the use of the software identified previously:
Provided a common centralized approach to performing compliance audits (1 response).
Please provide an example of a barrier or challenge presented by the use of the software identified previously:
It is not easy to update use compliance logs (1 response).

Table 8: Responses to questions on software improvement areas, success stories, and challenges presented

Continuous Audit Software


____________________________________
Continuous audit software is also not widely popular. According to study results, 59.8 percent of respondents do
not use continuous audit software compared to 25 percent who do and 15.2 percent who stated this type of
software is not applicable to their work. The top primary software or tool identified by survey participants for
continuous auditing is ACL. Other primary tools listed were only identified by one respondent each and include
Excel, IDEA, Oracle Apex Database, PeopleSoft, Proprietary Data Extraction, and Showcase Query. Reasons
given for the use of ACL by study participants include its ability to look at control weaknesses, the ease with
which users can evaluate data, and its ability to provide exception reports.
Two tools were identified as the secondary software applications used by respondents for continuous auditing.
These are ARC and Access, in order of importance. Ways compliance software has improved internal audit
capabilities or posed a challenge are listed in table 9.

How has the use of the software identified previously improved your internal audit capabilities?
Auditors are alerted of issues as they occur (i.e., there is no lag time to identify issues) and tool creates exception reports (2 responses).
Tool audits 100 percent of the population rather than a sample (1 response).
Allowed the internal audit activity to create preventive controls for process owners (1 response).
Please provide a success story or best practice linked to the use of the software identified previously:
Ability to quickly identify a number of irregularities including fraudulent transactions (1 response).
Please provide an example of a barrier or challenge presented by the use of the software identified previously:
Process takes a while to implement correctly, based on the organization's needs and system changes (2 responses).
Auditors need to have detailed knowledge of the underlying data structures to use the tool correctly (1 response).
Auditors have to determine the parameters to be used (1 response).
The organization has a hard time accepting reports generated by the tool (1 response).

Table 9: Responses to questions on software improvement areas, success stories, and challenges presented

Software Used to Assess Risks for the Annual Audit Plan


____________________________________
Finally, study participants were asked to identify the primary and secondary software tools used to assess risks
for the annual audit plan. Again, the majority of study participants do not use software to assess annual audit
plan risks: 57.6 percent of respondents do not use this kind of software compared to 39.1 percent who do and
3.3 percent who stated this type of software is not applicable to their work. The top three primary software or
tools identified by study participants to assess risks are Excel, TeamMate, and Team Risk. Other primary tools
listed were only identified by one respondent each and include ACL, AutoAudit, and Crystal Reports. In addition,
two tools were identified by study participants as the secondary software applications used for assessing risks.
These are Crystal Reports and TeamMate. Ways risk assessment software has improved internal audit
capabilities or posed a challenge are listed in table 10.
How has the use of the software identified previously improved your internal audit capabilities?
The tool enables auditors to track risks consistently and provides a standard format for all risk assessments and risk calculations, which
makes it easier to compare risks across the organization (5 responses).
Provides a central tracking location (2 responses).
Saves time when performing the risk assessment (e.g., sort for different types of risks) (2 responses).
Software illustrates risk assessment results graphically and by using standard reports (1 response).
Please provide a success story or best practice linked to the use of the software identified previously:
Helps in the audit planning process (e.g., annual audit plan is prepared promptly by the use of the risk assessment system) (2 responses).
Provides a common communication mechanism of risk assessment results (1 response).
Is enabling our internal audit activity to develop a mathematical risk assessment model (1 response).
Risk criteria are consistently updated as audits are performed, which enables auditors to determine which audit areas are considered high
risk at a glance because of the control environment or whether an audit has not been performed in a while (1 response).
Enables use of the Monte Carlo technique for risk assessments (1 response).
Please provide an example of a barrier or challenge presented by the use of the software identified previously:
Software is cumbersome to use and could use additional automation (2 responses).
It is difficult to incorporate changes to a spreadsheet (1 response).
Risk assessment process is still subjective (1 response).
Lack of adequate resources to patch or upgrade the system to eliminate problem areas and to build new features (1 response).

Table 10: Responses to questions on software improvement areas, success stories, and challenges presented

CLOSING THOUGHTS
Establishing an effective IT audit function should be a carefully thought-out process that not only incorporates
existing internal audit resources, but meets the organization's IT audit needs. Respondents to this study seem to
be moving in the right direction in terms of their IT audit activities: the vast majority of study participants
incorporate IT audits as part of the internal audit plan; the majority of internal audit groups represented in the
study have the skills and knowledge necessary to evaluate the quality, effectiveness, and efficiency of the
organization's IT audit activities; and overall satisfaction with IT audit efforts is positive. In addition, more than 70
percent of study respondents indicated their internal audit activity has the skills and training needed to address
the issues that will impact IT audits the most within the next 24 months. This is particularly important given
today's economic downturn, which is affecting many organizations' ability to provide the training needed to keep
up with today's technological innovations.
If there is one area for improvement, it is in the use of audit software. In particular, most study respondents
indicated they do not use software to detect or investigate fraud, perform control self-assessments, monitor
compliance activities, partake in continuous auditing, and assess risks for the annual audit plan. While no
reasons were given regarding the lack of software used for these activities, technology-based audit techniques
can greatly maximize internal audit efforts. This is especially true in large-size organizations, where continuous
audit software, for instance, can increase the scope of internal audit activities to cover as much as 100 percent
of all auditable universe components, and in small internal audit groups, where audit software can help internal
auditors perform faster, more effective audits.

APPENDIX: IT AUDIT BENCHMARKING STUDY RESULTS


____________________________________

IT Audit Benchmarking Study


Type: Executive Summary Report
Date: February 2009
Total number of invitations: 1,709
Total number of responses collected: 138 (8.1 percent)
1: Are you the chief audit executive or top internal audit authority of your organization?
(Respondents could only choose a single response)
Response           Frequency   Count
Yes                70.3%       97
No                 29.7%       41
Valid Responses                138
Total Responses                138

2: Does your organization incorporate IT audit activities as part of the internal audit plan?
(Respondents could only choose a single response)
Response           Frequency   Count
Yes                94.8%       92
No                 5.2%
Valid Responses                97
Total Responses                97

2a: Please explain the process used to incorporate IT audit activities as part of the internal
audit plan:
Response (Yes)
The internal audit activity takes an integrated IT audit planning approach in which potential IT audit areas
are determined as part of the risk assessment process or annual audit planning process to determine all audit
universe components. Once an IT audit universe is determined based on areas of high risk, a schedule is
created to monitor/review IT audit universe components on a specific timeframe. These IT audit universe
components are either incorporated into the annual audit plan or kept as a separate IT audit plan (e.g., a
universe of IT audits is created as part of the normal audit planning process, in which IT audit areas are risk-ranked. The highest risk-ranked audits are included in the overall audit plan to the extent that the internal
audit department has the IT resources to allocate to them. Risk assessment interviews are also performed,
including interviews with IT management. IT components that are ranked for risk include system
applications, as well as operations, access, and change management controls) (73 responses).
The internal audit activity performs a separate IT audit risk assessment to identify the IT audit areas to be
audited throughout the year. These areas are added to the overall annual audit plan (15 responses).
IT audits are determined based on core business functions and processes (8 responses).

2b: Please explain why you do not incorporate IT audit activities as part of the internal audit
plan:
Response
The internal audit activity does not have the skills or financial resources necessary to perform IT audits
(1 response).
IT management does not provide the information necessary for the internal audit activity to review IT
activities and processes (1 response).
IT audits are outsourced (1 response).

3: Please identify whether your organization co-sources or outsources any of its IT audit
activities.
(Respondents could only choose a single response)
Response                       Frequency   Count
Co-source                      17.4%       16
Outsource                      6.5%
Both co-source and outsource   23.9%       22
None                           52.2%       48
Valid Responses                            92
Total Responses                            92

3a: How much of your organization's IT audit activities are co-sourced?


(Respondents could only choose a single response)
Response           Frequency   Count
Less than 10%      44.4%
10%-25%            44.4%
26%-50%            0.0%
51%-75%            0.0%
76%-99%            0.0%
100%               11.1%
Valid Responses                18
Total Responses                18

3b: How much of your organization's IT audit activities are outsourced?


(Respondents could only choose a single response)
Response           Frequency   Count
Less than 10%      16.7%
10%-25%            16.7%
26%-50%            0.0%
51%-75%            16.7%
76%-99%            33.3%
100%               16.7%
Valid Responses
Total Responses

3c: How much of your organization's IT audit activities are both co-sourced and outsourced?
(Respondents could only choose a single response)
Response           Frequency   Count
Less than 10%      17.4%
10%-25%            21.7%
26%-50%            21.7%
51%-75%            21.7%
76%-99%            13.0%
100%               4.3%
Valid Responses                23
Total Responses                23

4: Why is the IT audit activity co-sourced or outsourced in your organization?


(Respondents were allowed to choose multiple responses)
Response                                                                                        Frequency   Count
Internal staff limitations                                                                      75.0%       33
Budget limitations                                                                              9.1%
More cost effective                                                                             43.2%       19
Better access to subject-matter experts                                                         79.5%       35
Audit committee requirement                                                                     0.0%
Regulatory requirement                                                                          4.5%
Internal auditors do not have sufficient knowledge on the IT systems used in the organization   36.4%       16
Difficulty in recruiting qualified IT audit staff                                               22.7%       10
Difficulty in retaining qualified IT audit staff                                                13.6%
Other (explained in 4.1)                                                                        0.0%
Valid Responses                                                                                             44
Total Responses                                                                                             44

4.1: Why is the IT audit activity co-sourced or outsourced in your organization?


Response - None

5: Please rate the ability of your in-house audit staff to evaluate the quality of the outsourced
or co-sourced IT audit work performed and explain why you chose the rating:
(Respondents could only choose a single response)
Response                                     Frequency   Count
Unacceptable (explained in 5.1)              2.3%
Needs major improvement (explained in 5.2)   2.3%
Needs some improvement (explained in 5.3)    4.5%
Fair (explained in 5.4)                      11.4%
Good (explained in 5.5)                      47.7%       21
Excellent (explained in 5.6)                 31.8%       14
Valid Responses                                          44
Total Responses                                          44

5.1: Please explain why you rated the ability of your in-house audit staff as unacceptable:
Response
Staff do not evaluate the IT audit work; work is 100 percent outsourced and only evaluated or reviewed by
the CAE (1 response).

5.2: Please explain why you rated the ability of your in-house audit staff as needs major
improvement:
Response
None of the in-house staff have an IT background (1 response).

5.3: Please explain why you rated the ability of your in-house audit staff as needing some
improvement:
Response
Staff have general IT knowledge and background, but are not fully technically competent (1 response).
Working with consultants is a new skill set for my staff, and we continue to work with managing their work
and their reporting activities (1 response).

5.4: Please explain why you rated the ability of your in-house audit staff as fair:
Response
Staff have limited technology knowledge (2 responses).

5.5: Please explain why you rated the ability of your in-house audit staff as good:
Response
Experienced IT auditor(s) (7 responses).
Experience of internal audit manager and CAE (4 responses).
Good contract management skills (6 responses).
Good peer references and feedback from the auditees (1 response).

5.6: Please explain why you rated the ability of your in-house audit staff as excellent:
Response
Experienced IT auditor works at the organization (9 responses).
Excellent communications with service providers (3 responses).

6: Please rate the effectiveness of your organization's IT audit activities and explain why you
chose the rating:
(Respondents could only choose a single response)
Response                                    Frequency   Count
Highly ineffective (explained in 6.1)       1.1%
Ineffective (explained in 6.2)              3.3%
Moderately ineffective (explained in 6.3)   8.7%
Moderately effective (explained in 6.4)     23.9%       22
Effective (explained in 6.5)                45.7%       42
Highly effective (explained in 6.6)         17.4%       16
Valid Responses                                         92
Total Responses                                         92

6.1: Please explain why you rated the effectiveness of your organization's IT audit activities as
highly ineffective:
Response - None

6.2: Please explain why you rated the effectiveness of your organization's IT audit activities as
ineffective:
Response
Reduced or understaffed (1 response).
Without expertise in this area, it is difficult to conduct audits other than access control audits, which
can be done by a non-IT auditor (1 response).

6.3: Please explain why you rated the effectiveness of your organization's IT audit activities as
moderately ineffective:
Response
Not enough skilled IT audit staff available (4 responses).
Inexperienced staff (2 responses).
IT general control audits have not been completed for quite some time. Other audit work was identified on
an ad hoc basis. I am new to my position and making significant changes to our processes (1 response).
Limited in-house resources and knowledge (1 response).

6.4: Please explain why you rated the effectiveness of your organization's IT audit activities as
moderately effective:
Response
Lack of solid skills (6 responses).
IT auditing is a new function, and we have had some trouble in the IT area (2 responses).
The organization's IT audit executive has acquired knowledge of the IT environment and control situations
during the audit exercise and has an established relationship with IT management personnel (1 response).
Need for better coordination with IT department for mapping the IT universe and following up on
recommendations (1 response).
Not well-led and not using current technology; we are several generations behind. This is because the
company is not heavily IT dependent, which is proven based on the frequency of outages (1 response).
Provides a level of insight to our CIO that previously did not exist (1 response).
Generally, these activities are effective but we have issues with the ISO position (1 response).
We have done a comprehensive review but have not touched on key controls (1 response).
We just expanded our staff from one to three people and we are still improving our processes
(1 response).
We need a formalized risk model that will increase the effectiveness of our IT audit activities (1 response).
We review key risks, but probably need a lot more focus around information security (1 response).

6.5: Please explain why you rated the effectiveness of your organization's IT audit activities as
effective:
Response
Good communications and response from function, IT department, and the board (16 responses).
Excellent vendor and risk assessment process (5 responses).
Solid knowledge and provides value-added recommendations (4 responses).
Changes are made to improve controls (3 responses).
All risks are covered on a risk-based cycle (1 response).
I believe we hit the high-risk areas, but we could do more if we had more audit resources (1 response).
IT reviews are operational but not technical (1 response).
Key IT general controls seem to be working; IT governance was weak but appears to be improving to
acceptable standards. Key applications are rigidly maintained as they support government-regulated
processes (1 response).
Findings are always relevant and helpful to the organization (1 response).
We are effective for control testing, but not necessarily for operational efficiencies (1 response).
We have the audit committee's and CEO's attention, and the CIO is making changes (1 response).

6.6: Please explain why you rated the effectiveness of your organization's IT audit activities as
highly effective:
Response
Excellent and well-trained staff (7 responses).
All areas are subject to audit including IT activities (2 responses).
Areas to be audited are mutually agreed upon by internal auditing and the CIO (1 response).
We get positive feedback from auditees and the audit committee (1 response).
Reduces external audit fee and IS agrees with recommendations (1 response).
Good collaboration between IS management, internal audit management, and vendors (1 response).
We look at controls; others review technical issues (1 response).

7: Please rate the efficiency of your organization's IT audit activities and explain why you chose
the rating:
(Respondents could only choose a single response)
Response | Frequency | Count
Highly inefficient (explained in 7.1) | 1.1% |
Inefficient (explained in 7.2) | 0.0% |
Moderately inefficient (explained in 7.3) | 9.9% |
Moderately efficient (explained in 7.4) | 37.4% | 34
Efficient (explained in 7.5) | 38.5% | 35
Highly efficient (explained in 7.6) | 13.2% | 12
Not Answered | | 1
Valid Responses | | 91
Total Responses | | 92

7.1: Please explain why you rated the efficiency of your organization's IT audit activities as
highly ineffective:
Response - None

7.2: Please explain why you rated the efficiency of your organization's IT audit activities as
ineffective:
Response - None

7.3: Please explain why you rated the efficiency of your organization's IT audit activities as
moderately ineffective:
Response
Inexperienced staff (4 responses).
Slow to respond; short staffed; internal cooperation (2 responses).
Sometimes too thoroughly audited (1 response).
We are efficient for our size and skill, but unable to address critical concerns due to staffing (1 response).

7.4: Please explain why you rated the efficiency of your organization's IT audit activities as
moderately effective:
Response
IT audit area and plans are new and still in development (4 responses).
Staff experience and IT background is limited (3 responses).
Experience of IA audit manager and resources (2 responses).
Access to outsource providers supplements departmental needs (2 responses).
Challenge completing audits within budgeted time and given deadlines (2 responses).
Using co-sourcing partners is inefficient without adequate management oversight (2 responses).
Legacy systems and IT silos are key issues (1 response).
Significant research is needed for in-house audit procedure development (1 response).
Implementing an ERP (1 response).
The IT audits can be bigger and more challenging (1 response).
Inefficiency is caused by physical distance between our department and the IT department (1 response).
We can get better in timely completion of audit reports (1 response).
We have standardized IT audit procedures and testing is generally consistent (1 response).
We need a formalized risk model that will increase the efficiency of our IT audit activities (1 response).

7.5: Please explain why you rated the efficiency of your organization's IT audit activities as
effective:
Response
Highly qualified staff (10 responses).
Excellent working relationship with management and external auditors (5 responses).
Continuous improvement and review (3 responses).
Excellent use of tools and methodologies (2 responses).
Use of risk ranking to guide audit performance (2 responses).
Use of rotation plan for GCC audits (1 response).

7.6: Please explain why you rated the efficiency of your organization's IT audit activities as
highly effective:
Response
Well trained, dedicated, and certified staff (4 responses).
IT audit activities are risk-based and targeted to issue risks ranked as high (3 responses).
Excellent communications with audit committee and CIO (1 response).
Excellent outsourcing partner (1 response).

8: Please rate your overall satisfaction with your organization's IT audit activity and explain why
you chose the rating:
(Respondents could only choose a single response)
Response | Frequency | Count
Highly dissatisfied (explained in 8.1) | 1.1% |
Dissatisfied (explained in 8.2) | 8.7% |
Moderately dissatisfied (explained in 8.3) | 4.3% |
Moderately satisfied (explained in 8.4) | 28.3% | 26
Satisfied (explained in 8.5) | 34.8% | 32
Highly satisfied (explained in 8.6) | 22.8% | 21
Valid Responses | | 92
Total Responses | | 92

8.1: Please explain why you rated your overall satisfaction as highly dissatisfied:
Response - None

8.2: Please explain why you rated your overall satisfaction as dissatisfied:
Response
Lack of professional staff and training (4 responses).
There are many IT security issues with limited audit staff (2 responses).
There is no chief information officer and therefore the quality is lacking (1 response).

8.3: Please explain why you rated your overall satisfaction as moderately dissatisfied:
Response
Limited and inexperienced staff (3 responses).

8.4: Please explain why you rated your overall satisfaction as moderately satisfied:
Response
Area is still in development with room for improvement (9 responses).
Excellent work but limited resources (2 responses).
Missing application audits (1 response).
Our available IT audit hours are not adequate to meet our audit plan (1 response).
Unrealistic audit committee's expectations for definitive audit opinions and ratings (1 response).
Audit recommendations have generally been accepted and implemented (1 response).
We do not have a large exposure to in-house development. Our risks are limited to third-party products.
Our IT structures are decentralized and aligned with each business unit, so we have limited exposure to
global problems (1 response).
We need a formalized risk model that will increase the quality of our IT audit activities (1 response).

8.5: Please explain why you rated your overall satisfaction as satisfied:
Response
Good work, experienced in systems, and technology that meets audit needs (6 responses).
Limited staff with excellent experience (4 responses).
Excellent communications with audit committee and executive management (1 response).
Experience of internal audit manager and resources (1 response).
Cost is a major consideration (1 response).
We have improved our efficiency by prioritizing IT risks (1 response).
Knowledge transfer is a key to learning the IT area (1 response).
Effective balance between in-house and co-sourced audits and our IT management team seeks our
assistance (1 response).
Need to incorporate technology into all of our audit activities (1 response).
Our IT audits have been improving over the past few years and are approaching highly satisfied
(1 response).
Our surveys come back from the organization with high scores (1 response).
Provide basic coverage of key controls (1 response).
Staff from outsourced firm generally not outstanding, but their associate director makes sure everything
works in the end (1 response).
We cover the management of critical applications and are able to assess ICT governance (1 response).

8.6: Please explain why you rated your overall satisfaction as highly satisfied:
Response
Highly trained qualified staff (7 responses).
We provide good coverage of all major risks (1 response).
Excellent feedback from auditees and the audit committee (1 response).
IT is taking action on IT audit reports (1 response).
Material weaknesses are identified and addressed by management (1 response).
Strong relationship with IT; high-quality audit work (1 response).
Good outsourcing partner (1 response).
Viewed as a resource by IT management (1 response).

9.1: List the top three issues that will impact IT audits the most within the next 24 months:
Response
IT audit project limitations due to budget restrictions caused by the current economic downturn or
shifting organizational priorities; time constraints; lack of internal resources to perform the IT audit, such
as lack of qualified staff due to turnover or budget cuts; increasing travel costs; and lack of overall
knowledge to perform an IT audit (60 responses).
Data security and privacy: 1) Compliance with data security and privacy laws and regulations (e.g.,
compliance with the Payment Card Industry Data Security Standard) and 2) information security and data
privacy practices within the organization (e.g., user provisioning, data access and change management)
(52 responses).
Being unable to add value to the organization due to the increasing complexity of IT systems,
which prevents the internal audit activity from being able to keep up with technological changes and
innovations, as well as not having the knowledge to audit and provide support during new system
implementations as a result of out-of-date technology, replacement of legacy systems, and automation of
existing controls (32 responses).

10: Do you have the skills to address the issues that will impact IT audits the most within the
next 24 months?
(Respondents could only choose a single response)
Response | Frequency | Count
Yes (explained in 10.1) | 71.7% | 66
No (explained in 10.2) | 28.3% | 26
Valid Responses | | 92
Total Responses | | 92

10.1: Please explain why you selected Yes:


Response
The internal audit activity has a dedicated group of IT auditors or internal auditors with sufficient training
to perform IT audits (29 responses).
The internal audit activity has internal auditors who have IT-specific certifications, such as CISA and
CISP (15 responses).
The internal audit activity outsources its IT audit activities or co-sources them with other business
functions (4 responses).
The internal audit activity has the necessary resources, other than staff, to support the organization's
IT audit needs (3 responses).

10.2: Please explain why you selected No:


Response
The internal audit activity does not include IT auditors, auditors with the necessary IT training or
knowledge (e.g., IT audits are a new area of work), or IT subject-matter experts; there is a lack of
correlation of specific IT skills to IT audit universe components (15 responses).
The internal audit activity does not have 1) the financial resources or time to allow auditors to obtain the
necessary IT audit skills, 2) enough auditors to perform IT audits, and 3) time to perform IT audits (e.g.,
due to shifting organizational priorities) (5 responses).
The internal audit activity needs to outsource or co-source IT audit activities due to lack of resources
(4 responses).

11: Do you have the training to address the issues that will impact IT audits the most within
the next 24 months?
(Respondents could only choose a single response)
Response | Frequency | Count
Yes (explained in 11.1) | 72.2% | 65
No (explained in 11.2) | 27.8% | 25
Not Answered | | 2
Valid Responses | | 90
Total Responses | | 92

11.1: Please explain why you selected Yes:


Response
Auditors are provided with the necessary training through attendance at seminars, conferences, and
other CPE earning events; self-study materials; and internal training (35 responses).
A training plan is developed that addresses the training needs of each auditor (2 responses).
IT audit activities are co-sourced or outsourced to learn from the work and methodologies of others
(2 responses).

11.2: Please explain why you selected No:


Response
There is no budget for IT audit training and training locations are too far for travel to take place
(6 responses).
IT audit training will be addressed in the future (5 responses).
IT audit activity is outsourced and, consequently, there is no need for training (4 responses).

12.1: List the latest three technology innovations that have eased the performance of IT audits
the most within the last three years:
Response
Use of CAATs, such as audit administration tools and documentation software (e.g., ACL, IDEA,
TeamMate); automated change management applications; new tracking software; and help desk audit
software (56 responses).
Availability of many systems online, which enables remote audit activities (8 responses).
Guidance on specific IT audit areas or tailored to noncomplex IT environments (7 responses).

13: Which of the following has been your primary source of IT audit knowledge during the last
24 months?
(Respondents could only choose a single response)
Response | Frequency | Count
Seminars, workshops, and/or conferences offered by professional organizations | 44.0% | 40
In-house training by company employees | 2.2% |
External training offered by consultants or training companies | 5.5% |
Books or self-study courses | 9.9% |
On-the-job training | 8.8% |
Peer-to-peer assistance | 6.6% |
Private training offered by a consultant or training company | 2.2% |
Individual research gathered from online resources (specified in 13.1) | 13.2% | 12
Other (specified in 13.2) | 7.7% |
Not Answered | | 1
Valid Responses | | 91
Total Responses | | 92

13.1: Please explain why you selected Individual research gathered from online
resources as your primary source of IT audit knowledge during the last 24 months:
Response
ISACA (4 responses)
AICPA
The IIA (4 responses)
ITIL
Software suppliers' Web sites (2 responses)
COBIT
ACUA (2 responses)

13.2: Please explain why you selected Other as your primary source of IT audit
knowledge during the last 24 months:
Response
Outsourcing provider (2 responses)
ISO
COBIT
Working with our outsourcing consultants

14: Please select which organization would be your first choice as a source for increasing
your IT audit knowledge:
(Respondents could only choose a single response)
Response | Frequency | Count
American Institute of Certified Public Accountants | 2.2% |
The Institute of Internal Auditors (IIA) | 20.0% | 18
ISACA | 47.8% | 43
MIS Training Institute | 18.9% | 17
SANS Institute | 4.4% |
Other (specified below) | 6.7% |
Not Answered | | 2
Valid Responses | | 90
Total Responses | | 92

14.1: Please select which organization would be your first choice as a source for increasing
your IT audit knowledge:
Response
SAP (2 responses)
Vendor-specific training
The IIA (Germany) (2 responses)

14a: If not The IIA, why?


Response
Courses do not meet the needs or not enough in-depth training is offered (20 responses).
ISACA better meets the needs in IT knowledge (19 responses).
IIA IT courses are too expensive, especially in comparison to others (10 responses).
The IIA seems to lack the experience, expertise, and knowledge as the IT experts (6 responses).
In comparison, MIS offers better IT technical programs (5 responses).
The IIA would be the second choice (3 responses).
COBIT provides more comprehensive information (2 responses).
Use of Local IIA chapters (1 response).

15: Does your internal audit function use software for extraction?
(Respondents could only choose a single response)
Response | Frequency | Count
Yes | 63.0% | 58
No | 32.6% | 30
Not applicable | 4.3% |
Valid Responses | | 92
Total Responses | | 92

15a: Please provide the name of the primary software used for extraction, skill level required, its usefulness to internal auditors,
and why it is useful or not:
Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful
ACL (34) | Beginner level of expertise (8) / Intermediate level of expertise (24) / Expert level (2) | Yes / Yes / Yes | Ease of sample selections and review of large amounts of data (2 responses). Can use ACL in a variety of audit activities not only IT-related. Can take huge amounts of data and summarize it and exceptions. Helps us to standardize how we review the data so we are less system dependent. Key extracts add value. Adaptable to multiple applications and easy to use (7 responses). Total monitoring of certain controls; ease of sample selection; unrestricted as to file size (4 responses). Eases audit analysis in particular of large databases. Increases efficiency and comprehensiveness of audits. We have direct access to source systems and do not depend on IT to give us files. The software helps to ease the auditor's analysis job.
Application queries (4) | Intermediate level of expertise | Yes | Easy access to populated information. Able to extract information from corporate systems for sampling or analysis. Does not require code development.
Business Objects | Beginner level of expertise | Yes | No comments provided.
Crystal Reports | Intermediate level of expertise | Yes | It is the most flexible of our accounting software.
Excel (2) | Expert Level / Intermediate level of expertise | Yes / Yes | No comments provided. / Small data extracts can be manipulated.
IDEA | Intermediate level of expertise | Yes | Awesome ability to seek anomalies.
MS Access | Expert Level | Yes | No comments provided.
Proprietary | | Yes | No comments provided.
SAP (3) | Beginner level of expertise / Intermediate level of expertise / Expert Level | Yes / Yes / Yes | Highly useful; we perform all our audits using SAP. We have also written certain exception reporting applications. / No comments provided. / No comments provided.
Showcase | Intermediate level of expertise / Beginner level of expertise | Yes / Yes | We have companywide tools with many resources to assist us in the use of this software. / AS/400 Specific.
SQL (3) | Intermediate level of expertise / Expert Level (2) | Yes / Yes | Efficient in being able to extract large volumes of data. / Direct access to data.

For questions 15-22: Only one response was provided in cells where no number is shown.

15a: Please provide the name of the secondary software used for extraction, skill level required, its usefulness to internal auditors, and why it is
useful or not:
Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful
ACL (2) | Intermediate level of expertise / Expert Level | Yes / Yes | Larger data sets can be queried. / Good for analysis of data once obtained.
BankAudit | Intermediate level of expertise | Yes | No comments provided.
Crystal Reports | Beginner level of expertise | Yes | No comments provided.
Define | Beginner level of expertise | Yes | Ability to run queries on accounting system databases.
Excel (6) | Beginner level of expertise (2) / None chosen / Intermediate level of expertise / Expert Level | Yes / Yes / Yes / Yes | Helps with smaller systems with less data content. Flexibility provided to work with live data versus the limitations of preprogrammed queries or only being able to see totals and summaries. Excel is limited to the number of records it can extract, plus the ODBC connection can overwrite live data. Easy to use. No comments provided.
Focus | Intermediate level of expertise | Yes | No comments provided.
IDEA (2) | Beginner level of expertise / Intermediate level of expertise | Yes / Yes | No comments provided. / Used to analyze or sample transactions.
Microsoft Suite | Intermediate level of expertise | Yes | No comments provided.
Monarch | Intermediate level of expertise | Yes | Can pull data from almost any report or common file format.
MS Access (2) | Intermediate level of expertise | Yes | Easy to use and flexible.
SAP | Intermediate level of expertise | No | Occasional/infrequent use; we are not totally familiar with the tool.
SQL (2) | Intermediate level of expertise / Expert Level | Yes / Yes | No comments provided. / Ability to obtain other required information.
SharePoint | Intermediate level of expertise | Yes | No comments provided.

15b. Please complete the following:

How has the use of the previously identified software improved your internal audit capabilities?

Audit 100 percent of the population rather than doing a sample-based audit (20 responses).
Improved productivity and efficiency of work (i.e., better able to extract, analyze, and acquire data from corporate systems; drill-down capabilities; and reduced the amount of time required to identify potential problems) (18 responses).
Continuous monitoring of data (2 responses).
Has enabled the use of exception reports and tests that identify fraud, misuse of expense reports, and staff who didn't charge leave time, as well as test pricing invoices and internal controls (12 responses).

Please provide a success story or best practice linked to the use of the software identified previously:

Ability to analyze the entire population rather than a sample and identify true error rates that sampling didn't (6 responses).
Ability to identify financial savings to the organization (1 response).

Please provide an example of a barrier or challenge presented by the use of the software identified previously:

Learning curve and training (e.g., training staff to use the system; the system is cumbersome to work with) (14 responses).
Getting data in the proper format (e.g., using the system requires the use of SQL querying) (7 responses).
The tool doesn't work or integrate well with other systems and is only used by internal audit department (5 responses).
Difficulty accessing data; takes more time to access data than it should; or difficulty getting access from data owners (5 responses).

15c. Please explain why you do not use software for extraction?

No answers were provided.

16: Does your internal audit function use software for data analysis?
(Respondents could only choose a single response)
Response | Frequency | Count
Yes | 76.1% | 70
No | 19.6% | 18
Not applicable | 4.3% |
Valid Responses | | 92
Total Responses | | 92

16a: Please provide the name of the primary software used for data analysis, skill level required, its usefulness to internal auditors, and why it is
useful or not:
Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful
ACL (36) | Beginner level of expertise (6) / Intermediate level of expertise (28) | Yes / Yes | Larger volume of data testing. Allows you to analyze data. Assists in reviews of full populations and brings exceptions out. Ability to quickly analyze data. Built-in analysis tools. Continuous auditing. Enhances searches and problem identification. Good functionality. Helps analyze data for trends. Poor response from IT group; we have become self-sufficient through use of ACL. Provides detailed analysis, which would be time consuming otherwise. Runs scripts to filter data for audit purposes. Scripts are reusable but can be hard to create. Since most of the management systems are automated, data are readily available in an accessible format, and the software enables auditors to perform data analysis efficiently. Allows the auditor a faster and broader analysis.
ActiveData | Intermediate level of expertise | Yes | No comments provided.
Application reporting features | Intermediate level of expertise | Yes | No comments provided.
DCMS | Intermediate level of expertise | Yes | Proprietary ERP system.
Excel (10) | Beginner level of expertise (3) / Intermediate level of expertise (6) / Expert Level | Yes / Yes / Yes | No comments provided. / Easy to use (2). Flexibility. / No comments provided.
Hyperion | Beginner level of expertise | Yes | Trends and fluctuations.
IDEA (4) | Intermediate level of expertise (3) / Expert Level | Yes / Yes | Increase efficiency of field work through up-front analysis. Measurement of expectations is easy and effective. Useful for data analysis and sampling. / No comments provided.
MS Access (6) | Intermediate level of expertise (6) | Yes | It allows us to manipulate and select only data relevant to the audit. Good tool for filtering lots of data, so comparing data from two sources. We are in the beginning phases of implementing the software.
SAP | Intermediate level of expertise | Yes | No comments provided.
SAS | Beginner level of expertise | Yes | No comments provided.

16a: Please provide the name of the secondary software used for data analysis, skill level required, its usefulness to internal auditors, and why it
is useful or not:
Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful
ACL (5) | Beginner level of expertise / Intermediate level of expertise (2) / Expert Level (2) | Yes / Yes / Yes, No | No comments provided. / No comments provided. / No comments provided. Complexity limits its usefulness.
Crystal Reports | None given | Yes | Used for smaller jobs for same purposes as ACL.
Excel (17) | Beginner level of expertise (7) / Intermediate level of expertise (9) / Expert Level | Yes / Yes / Yes | Good for nonenterprise locations. / Widespread use and knowledge. Pivot table reports can be run to filter data for audit purposes. We can easily sort the data. / Allows you to analyze data.
Focus | Intermediate level of expertise | Yes | No comments provided.
Microsoft Access (4) | Beginner level of expertise (2) / Intermediate level of expertise (2) | Yes | No comments provided. Easy to use. (2)

16b. Please complete the following:


How has the use of the previously identified software improved your
internal audit capabilities?

Has increased the efficiency of audits (e.g., more detailed analysis
of data; helps analyze data for trends; helps to identify what the
data is saying easily; and provides timely analysis of data)
(11 responses).
Enables the sorting, viewing, and analysis of large amounts of data
or 100 percent of all data (11 responses).
Established independence of internal audit function (e.g., internal
auditors now provide data to clients or external auditors)
(2 responses).
Helps internal auditors to obtain frequency of errors and detect
fraudulent activities (2 responses).
Helps to continuously monitor control (1 response).
Reduced audits and testing to areas of importance by helping
auditors to focus fieldwork on data identified with reference to
anomalies, red flags, potential fraud, or other issues otherwise not
found without the tool (6 responses).

Please provide a success story or best practice linked to the use of the
software identified previously:

Has enabled the review of user access, areas leading to losses of
revenue, and responsibility conflicts (2 responses).
Able to continuously monitor 100 percent of all data (1 response).
Able to conduct inventory analysis of multiple sites (1 response).

Please provide an example of a barrier or challenge presented by the use
of the software identified previously:

The tool is not user friendly and requires a high level of training
(5 responses).
Problems accessing data (i.e., data is saved in formats that are not
conducive to software analysis or getting data stored in two systems
or legacy systems is difficult) (6 responses).
Older versions of Excel or Access do not have the bandwidth to
analyze large volumes of data (2 responses).

16c. Please explain why you do not use software for data analysis?

No answers were provided.

17: Does your internal audit function use software to detect or investigate fraud?
(Respondents could only choose a single response)
Response | Frequency | Count
Yes | 46.7% | 43
No | 48.9% | 45
Not applicable | 4.3% |
Valid Responses | | 92
Total Responses | | 92

17a: Please provide the name of the primary software used to detect or investigate fraud, skill level required, its usefulness to internal auditors,
and why it is useful or not:
Software/ Number
of responses

Skill level and number


responding

Is this software
useful to IA

Explain why software is useful or not useful

Have the ability to do matches of two databases and highlight exceptions.


ACL (23)

Beginner level of expertise (4)

Yes
Easier to detect abnormal activity.

43

17a: (continued) Please provide the name of the primary software used to detect or investigate fraud, skill level required, its usefulness to
internal auditors, and why it is useful or not:
Software/ Number
of responses

Skill level and number


responding

Is this software
useful to IA

Explain why software is useful or not useful

Permits probability techniques not feasible with manual examination.

Helps us to detect fraud in our disbursement streams.

ACL (23)
continued

Intermediate level of expertise


(16)

Yes

Tool identifies such things as name and address matches for vendors and
employees.
Data analysis and extraction.

Good functionality.
Expert Level

Yes

Ability to search for suspected cases.

None given (2)

Yes

No comments provided.

44

17a: (continued) Please provide the name of the primary software used to detect or investigate fraud, skill level required, its usefulness to
internal auditors, and why it is useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| ActiveData | Intermediate level of expertise | Yes | Used to identify red flags and outliers. |
| Application reporting and query | Intermediate level of expertise | Yes | Used largely to investigate fraud and to a lesser degree to detect fraud. |
| Crystal Reports | Intermediate level of expertise | Yes | To sort and select data that may be indicative of fraudulent activity or to find transactions related to alleged fraudulent activity. |
| DCMS | Intermediate level of expertise | Yes | No comments provided. |
| DISSCO | Intermediate level of expertise | Yes | No comments provided. |
| Excel (2) | Intermediate level of expertise (2) | Yes | Easy to use and share information. |
| Focus | Intermediate level of expertise | Yes | No comments provided. |
| IDEA (2) | Intermediate level of expertise | Yes | No comments provided. |
| | Expert Level | Yes | No comments provided. |


17a: (continued) Please provide the name of the primary software used to detect or investigate fraud, skill level required, its usefulness to
internal auditors, and why it is useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| MS Access | Intermediate level of expertise | Yes | Allows us to analyze large data populations and create custom queries. |
| Patriot Officer | Beginner level of expertise | Yes | Identify areas we need to concentrate on. |
| PeopleSoft Queries | Intermediate level of expertise | Yes | Ability to extract transactions from corporate data to analyze and examine. |
| SAS | Beginner level of expertise | Yes | No comments provided. |

Yes

No comments provided.

Yes

Specific to our industry.

Showcase Query
VIPs

Beginner level of expertise


17a: Please provide the name of the secondary software used to detect or investigate fraud, skill level required, usefulness to internal audit, and
why it is useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| Crystal Reports | Beginner level of expertise | Yes | |
| Excel (5) | Beginner level of expertise (4) | Yes | Used to identify red flags and outliers. |
| | Intermediate level of expertise | Yes | No comments provided. |
| IDEA | Intermediate level of expertise | Yes | Useful to analyze and examine data extracted from corporate systems. |
| In-house program | Beginner level of expertise | Yes | No comments provided. |
| MS Access (2) | Beginner level of expertise; None given | Yes | No comments provided. Easy to use and share information. |
| Nuix | Intermediate level of expertise | Yes | Analysis of e-mail content. |


17b. Please complete the following:


How has the use of the previously identified software improved your internal audit capabilities?

- Report on fraudulent transactions, abnormal activities, or identify users processing transactions on an ongoing basis (e.g., quarterly basis) (4 responses).
- Avoid sampling of data and test the entire population in less time (3 responses).
- Ability to manipulate data for trending analysis or compare data within different systems or tables (2 responses).
- Have access to data more easily and have network access to new IT system information (2 responses).
- Run CAATs for external auditors (1 response).
- Able to investigate fraud more efficiently and save time during fraud investigations (2 responses).
- Used software that is focused specifically on the industry (1 response).

Please provide a success story or best practice linked to the use of the software identified previously:

- Finding bogus vendors or addresses (e.g., matched vendor addresses with employee addresses) (2 responses).
- Mapping data to users (e.g., mapping of e-mails to determine the content, who received the e-mail, and the actions taken; mapping data to identify noncompliant cases) (2 responses).
- More visibility of information (1 response).
- Increased number of fraud items for investigations (1 response).

Please provide an example of a barrier or challenge presented by the use of the software identified previously:

- Issues with the data (e.g., obtaining data in the first place; getting files to import from IT in a timely manner; and defining data to conduct the investigation) (3 responses).
- High volume of data to analyze (1 response).
- Learning curve to use software properly (1 response).
- Cannot perform transactions in real time (1 response).

17c. Please explain why you do not use software to detect or investigate fraud:

No answers were provided.


18: Does your internal audit function use software for automated working papers?
(Respondents could only choose a single response)
| Response | Frequency | Count |
| Yes | 52.2% | 48 |
| No | 47.8% | 44 |
| Not applicable | 0.0% | |
| Valid Responses | | 92 |
| Total Responses | | 92 |

18a: Please provide the name of the primary software used for automated working papers, skill level required, its usefulness to internal auditors,
and why it is useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| Adobe Acrobat | Intermediate level of expertise | Yes | No comments provided. |
| AutoAudit (7) | Beginner level of expertise; Intermediate level of expertise (4) | Yes | Saves on supply costs; provides ease in transferring information among staff for review, and helps with tracking and reporting issues. |
| | | | This software has automated our audit process and increased efficiencies. It has also ensured all of our audits follow a consistent methodology. |
| | | | We are implementing the software; the software will help us to implement a better work flow and documentation. |
| | | | Good for global teams and storage and review of working papers. |


18a: (continued) Please provide the name of the primary software used for automated working papers, skill level required, its usefulness to
internal auditors, and why it is useful or not:
Software/ Number
of responses
Crowe Horwath's
AWP

Excel (4)

In-house tool
MS Office Suite and
Server File Structure

MS Word (5)

Skill level and number


responding

Is this software
useful to IA

Explain why software is useful or not useful


This software combines financial, operations, and Sarbanes-Oxley procedures; it
is kept current with regulatory requirements.

Beginner level of expertise

Yes

Beginner level of expertise

Yes

Intermediate level of expertise

Yes

Beginner level of expertise

Yes

Improved efficiency and consistency of working paper documentation.

Beginner level of expertise

Yes

It is something readily available and most auditors are knowledgeable on the software.

Beginner level of expertise

Yes

Developed in-house; all work papers linked; all work papers are electronic

Intermediate level of expertise

Yes

No comments provided.

We use standardized templates to document testing and results.


Our Excel-based system is not fully integrated with working papers, reports,
action items, etc.
We are presently evaluating formal audit management software (e.g. TeamMate,
etc.).


18a: (continued) Please provide the name of the primary software used for automated working papers, skill level required, its usefulness to
internal auditors, and why it is useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| PAWS Pentana | Beginner level of expertise; Intermediate level of expertise | Yes | It organizes information in a useful way and supports file review. |
| | | | Provides audit and risk assessment management features. |
| Resolver Risk | Intermediate level of expertise | Yes | No comments provided. |
| SharePoint | None given | Yes | No comments provided. |
| TeamMate (22) | Beginner level of expertise (20) | Yes; No | Provides a central repository for audit working papers and great reporting capabilities. |
| | | | Efficiency in preparation and review of work papers. |
| | | | Great application, work papers are encrypted; easy to use. |
| | | | Has cut overall audit time by 30 percent. Audit review by supervisors is ongoing and has cut the elapsed time by 90 percent. Report production also has resulted in time savings, |
| | | | Reduction in paper and related storage costs, |
| | | | Efficient system, |
| | | | It is a centralized repository of documentation within our organization. Risk assessment tools have not aligned with our risk assessment methodology to date. |


18a: (continued) Please provide the name of the primary software used for automated working papers, skill level required, its usefulness to
internal auditors, and why it is useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| TeamMate (22) continued | Intermediate level of expertise (9) | Yes | Audit work and evidence are maintained in a system that provides good data protection and easy retrieval. |
| | | | Avoid many other files and documents. |
| | | | For all the obvious reasons! |
| | | | Good method of documenting audits for standardization and efficiency. |
| | | | It has enabled us to make our audit procedures more efficient. The review process is also more efficient and we require much less physical storage space. |
| | | | More efficient. |
| | | | Standardizes working papers, facilitates review, etc. |
| | | | Allows us to share data and provide remote supervision. Overall opinion of the software is that it is too complicated. |
| | Expert Level | Yes | No comments provided. |
| | None given | Yes | |


18a: Please provide the name of the secondary software used for automated working papers, skill level required, its usefulness to internal
auditors, and why it is useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| Excel | Intermediate level of expertise; Beginner level of expertise | Yes | No comments provided. |
| Microsoft Office (5) | Beginner level of expertise (4) | Yes (3) | No comments provided. |
| | Intermediate level of expertise | Yes | No comments provided. |
| MS Access | Intermediate level of expertise | Yes | We summarize the results into Access, which relates them to financial statement accounts, risks, financial statement impact, etc. |
| OpenPages | Beginner level of expertise | Yes | Central repository. |
| TeamMate | Intermediate level of expertise | No | Harder to use than Pentana and does not provide a risk and control matrix in readable form. |


18b. Please complete the following:


How has the use of the previously identified software improved your internal audit capabilities?

Please provide a success story or best practice linked to the use of the software identified previously:

- Use of standard templates (e.g., standardization of templates provides high productivity and efficiency of work; automation of audit processes and consistency between projects; and all work papers are in electronic format) (14 responses).
- Improves quality of review, audit program, and work papers (e.g., reduced review time for audit files and facilitates sharing of documents and remote review) (7 responses).
- Better organization and access of information (e.g., centralized storage of audit work papers) (6 responses).
- Enhanced follow up of audits, tracking of audits, and repeatability of audits (4 responses).
- Reduced planning time and staff work (e.g., time used to ensure working paper documentation complies with IIA Standards is significantly reduced) (4 responses).
- Enhanced follow up of audits, tracking of audits, and repeatability of audits (4 responses).
- Better coordination of audits (e.g., coordination of audits with Sarbanes-Oxley audits and automated reporting of Sarbanes-Oxley work and other internal audits) (2 responses).
- Enhanced reporting of information (1 response).
- Increased audit penetration (1 response).
- Improved data protection (1 response).
- Automation of work (e.g., automation of tracking issues and in obtaining responses from responsible parties; automation of draft reports generated after completion of field work) (2 responses).
- Enables auditors to review work papers from remote locations (2 responses).
- Elimination of all hard copies (i.e., all work papers are saved electronically, which saves space and reduces waste) (2 responses).
- Consistency of work (e.g., consistency of work papers by choosing which fields to use and where) (2 responses).
- Increase the efficiency of compliance reviews with IIA Standards (2 responses).
- Enables more than one auditor to work on the same project (1 response).
- Ease of documentation (1 response).

Please provide an example of a barrier or challenge presented by the use of the software identified previously:

- Software can be cumbersome to use, replicate in the existing environment, or integrate with other software, which leads to an inefficient use of time (5 responses).
- Auditors have lost work occasionally due to bugs within the system and lack of customer service support from vendor (2 responses).
- Because the software automates all work papers, too much information is kept, which can be overwhelming (2 responses).
- Use of the software and review of work papers still requires human interaction, which introduces inconsistencies unless the internal audit department has a standard infrastructure in place (2 responses).
- Difficult to access work papers in locations where bandwidth is an issue (1 response).
- Cost of training (1 response).
- Cannot monitor action items in an automated fashion (1 response).

18c. Please explain why you do not use software for automated working papers:

No answers were provided.


19: Does your internal audit function use software to perform control self-assessments?
(Respondents could only choose a single response)
| Response | Frequency | Count |
| Yes | 21.7% | 20 |
| No | 65.2% | 60 |
| Not applicable | 13.0% | 12 |
| Valid Responses | | 92 |
| Total Responses | | 92 |

19a: Please provide the name of the primary software used to perform control self-assessments, skill level required, its usefulness to internal
auditors, and why it is useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| Auto Audit | Beginner level of expertise | Yes | Allows easy use of templates, which provides some consistency. |
| Axentis | Beginner level of expertise | Yes | Eliminated resources to capture and report data; easy for process owners; facilitated self-assessments. |
| Excel (3) | Beginner level of expertise | Yes | It's simple and straightforward. |
| | Intermediate level of expertise | No response | No comments provided. |
| | Expert Level | No response | No comments provided. |


19a: (continued) Please provide the name of the primary software used to perform control self-assessments, skill level required, its usefulness
to internal auditors, and why it is useful or not:
Software/ Number
of responses

Skill level and number


responding

Is this software
useful to IA

Explain why software is useful or not useful


We rarely refer to it in practice as we do not regularly review the Sarbanes-Oxley
processes.

FCM

Beginner level of expertise

No

In-house developed
template

Intermediate level of expertise

Yes

Lumigent Audit DB

Intermediate level of expertise

Yes

Movaris

Intermediate level of expertise

Yes

No comments provided.
.
Allows process owners access to key controls.

E-mail using MS

Beginner level of expertise

Yes

No comments provided.

Option Finder

Beginner level of expertise

Yes

Voting is anonymous and instant result of the participant's response.

PolicyIQ

Beginner level of expertise

Yes

Automates the process of collecting and reporting data.

Risk Navigator

None chosen.

Sharpe Decision

Beginner level of expertise

Yes

Easy to use.

TeamRisk

Intermediate level of expertise

Yes

No comments provided.

Word and Excel

Beginner level of expertise

Yes

Part of standard audit work papers.

No response

Facilitates tabulation of results.

No comments provided.


19a: Please provide the name of the secondary software used to perform control self-assessments, skill level required, its usefulness to internal
auditors, and why it is useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| Turning Point Audience Response System | Intermediate level of expertise | Yes | Great for encouraging participation in the process. |

19b. Please complete the following:

How has the use of the previously identified software improved your internal audit capabilities?

Please provide a success story or best practice linked to the use of the software identified previously:

- Made process more efficient and less costly (3 responses).
- Results are immediately summarized and graphs produced, which has resulted in significantly reduced time in summarizing control self-assessment results (1 response).
- Other groups in the organization are able to design their own questions, which has cut costs of external resources for management testing to less than 10 percent (1 response).
- Self-assessments are performed on a more timely basis and it is easier to provide assessment information as needed (1 response).

Please provide an example of a barrier or challenge presented by the use of the software identified previously:

- Questionnaire design (1 response).
- Third-party software has some response issues (1 response).
- Vendor is not helpful in automating tasks and there are consulting fees associated with assisting in data uploads (1 response).
- Not all divisions in the company are using the software (1 response).
- Unable to run reports off of the information received (1 response).

19c. Please explain why you do not use software to perform control self-assessments:
As a new internal audit department, we have not yet done any control self-assessments (1 response).


20: Does your internal audit function use software for compliance?
(Respondents could only choose a single response)
| Response | Frequency | Count |
| Yes | 23.9% | 22 |
| No | 55.4% | 51 |
| Not applicable | 20.7% | 19 |
| Valid Responses | | 92 |
| Total Responses | | 92 |

20a: Please provide the name of the primary software used for compliance, skill level required, its usefulness to internal auditors, and why it is
useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| ACL | Intermediate level of expertise | Yes | Lets us examine entire population of entries. |
| Compliance 360 | Beginner level of expertise | Yes | No comments provided. |
| Excel | Intermediate level of expertise | Yes | We prepare centralized compliance logs for each company within our organization. |


20a: (continued) Please provide the name of the primary software used for compliance, skill level required, its usefulness to internal auditors,
and why it is useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| E-mail Word, Excel | Intermediate level of expertise | Yes | Timely, easy, and effective. |
| IDEA | Intermediate level of expertise | Yes | No comments provided. |
| Implexus | Beginner level of expertise | Yes | Provides a database of controls. However, other functionality is too laborious to be beneficial. |
| Microsoft Access | Intermediate level of expertise | Yes | We have a relational database that relates testing, results, control deficiencies, and conclusions to various compliance requirements. |
| Movaris | Intermediate level of expertise | Yes | Helps perform, track, and document Sarbanes-Oxley and other compliance testing. |
| Oracle Apex Application (Homegrown) | Beginner level of expertise | Yes | Enables database software to track compliance of certain laws and regulations. |
| Oracle GRC | Intermediate level of expertise | No | The lack of usefulness is simply due to the application owners decision for implementation and rollout. Currently the application is rolled out to process owners, but not internal audit department. This will be changing this year, but to date, we have not had access to this. |
| PolicyIQ | Beginner level of expertise | Yes | Automate Sarbanes-Oxley risk assessment and organize Sarbanes-Oxley documentation and testing. |


20a: Please provide the name of the primary software used for compliance, skill level required, its usefulness to internal auditors, and why it is
useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| Resolver Risk | None chosen | Yes | No comments provided. |
| RCTS | None chosen | Yes | No comments provided. |
| Showcase Query | Beginner level of expertise | Yes | No comments provided. |
| MS Access | Intermediate level of expertise | Yes | No comments provided. |

20b. Please complete the following:


How has the use of the previously identified software improved your internal audit capabilities?

- Our compliance area primarily uses this software (1 response).
- Identify specific transactions of possible concern (1 response).
- Directs audit work (1 response).
- Provides a common centralized approach to compliance auditing (1 response).
- Compliance audits are timely, easy, and effective (1 response).

Please provide a success story or best practice linked to the use of the software identified previously:

- Provides a common centralized approach to compliance auditing (1 response).

Please provide an example of a barrier or challenge presented by the use of the software identified previously:

- It is not easy to update used compliance logs (1 response).

20c. Please explain why you do not use software for compliance:

No answers were provided.


21: Does your internal audit function use software for continuous auditing?
(Respondents could only choose a single response)
| Response | Frequency | Count |
| Yes | 25.0% | 23 |
| No | 59.8% | 55 |
| Not applicable | 15.2% | 14 |
| Valid Responses | | 92 |
| Total Responses | | 92 |

21a: Please provide the name of the primary software used for continuous auditing, skill level required, its usefulness to internal auditors,
and why it is useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| ACL (15) | Beginner level of expertise (2) | Yes (15) | No comments provided. |


21a: (continued) Please provide the name of the primary software used for continuous auditing, skill level required, its usefulness to internal
auditors, and why it is useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| ACL (15) continued | Intermediate level of expertise (10) | Yes (15) continued | Easy to evaluate data. |
| | | | Replaces manual Sarbanes-Oxley control testing with continuous monitoring. |
| | | | ACL is designed to look for control weaknesses. |
| | Expert Level | | Exception reporting. |
| | None given (2) | | No comments provided. |
| Excel | Intermediate level of expertise | Yes | No comments provided. |
| IDERA | Beginner level of expertise | Yes | Reports changes that are outside the parameters. |
| In-house | Beginner level of expertise | Yes | No comments provided. |
| Oracle Apex Database (homegrown) | Beginner level of expertise | Yes | No comments provided. |


21a: (continued) Please provide the name of the primary software used for continuous auditing, skill level required, its usefulness to internal
auditors, and why it is useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| PeopleSoft | Intermediate level of expertise | Yes | Allows us to monitor all AP and AR transactions. |
| Proprietary Data Extraction | Intermediate level of expertise | Yes | It allows us to access specific data points within our larger data base. This allows for audits of targeted risk areas. |
| Showcase Query | Beginner level of expertise | Yes | No comments provided. |

21a: Please provide the name of the secondary software used for continuous auditing, skill level required, its usefulness to internal auditors,
and why it is useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| ARC | Expert Level | Yes | Uses output from ACL. |
| MS Access | Intermediate level of expertise | Yes | No comments provided. |


21b. Please complete the following:


How has the use of the previously identified software improved your internal audit capabilities?

Please provide a success story or best practice linked to the use of the software identified previously:

- Auditors are alerted of issues as they occur (i.e., there is no lag time to identify issues) and tool creates exception reports (2 responses).
- Audit 100 percent of the population rather than a sample (1 response).
- Allowed the internal audit activity to create preventive controls for process owners (1 response).
- Ability to quickly identify a number of irregularities including fraudulent transactions (1 response).

Please provide an example of a barrier or challenge presented by the use of the software identified previously:

- Process takes a while to implement correctly and is based on the organization's needs and system changes (2 responses).
- Auditors have to determine the parameters to be used (1 response).
- Auditors need to have detailed knowledge of the underlying data structures to use tool correctly (1 response).
- Organization has a hard time accepting reports (1 response).

21c. Please explain why you do not use software for continuous auditing:

No answers were provided.


22: Does your internal audit function use software to assess risks for the annual audit plan?
(Respondents could only choose a single response)
| Response | Frequency | Count |
| Yes | 39.1% | 36 |
| No | 57.6% | 53 |
| Not applicable | 3.3% | |
| Valid Responses | | 92 |
| Total Responses | | 92 |

22a: Please provide the name of the primary software used to assess risks for the annual audit plan, skill level required, its usefulness to internal
auditors, and why it is useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| ACL | Intermediate level of expertise | Yes | No comments provided. |
| AutoAudit | Beginner level of expertise (2) | Yes (2) | Consistency. |
| CCH TeamMate | Intermediate level of expertise | Yes | Automates the risk assessment process and provides helpful analytics. |


22a: (continued) Please provide the name of the primary software used to assess risks for the annual audit plan, skill level required,
its usefulness to internal auditors, and why it is useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| Excel (25) | Beginner level of expertise (11); Intermediate level of expertise (11) | Yes (25) | Simple calculations for risk rankings. |
| | | | Our risk model is fairly simple and is able to be managed with an Excel spreadsheet. With a small department, a more complicated risk analysis tool would be overkill. |
| | | | Flexible; we are not constrained by someone else's view of risk; allows us to use LEAN tools such as affinity diagrams. |
| | | | Adequate functionality. |
| | | | Easy to use and generate reports from standard templates. |
| | | | Custom-developed model. |
| | | | We are able to link and perform calculations without the cost and time associated with other software. |


22a: (continued) Please provide the name of the primary software used to assess risks for the annual audit plan, skill level required, its
usefulness to internal auditors, and why it is useful or not:
Software/ Number
of responses

Skill level and number


responding

Is this software
useful to IA

Explain why software is useful or not useful


It provides a consistent means of documenting our risk assessments.

Excel (25)
continued

We have all risk assessments in one spreadsheet so it is centrally managed


and we have consolidated reports and graphs.

Intermediate level of expertise


(11) continued

Software is not that useful because it is manual and not that user friendly.

Expert Level (3)

In-house developed
(3)

Team Risk (2)

Saves time.

Beginner level of expertise

Yes

Allows us to risk rank all processes and activities in the company.


Audit risk assessment is done by use of this software to provide a risk-rated
audit universe for audit planning.
Risk criteria within the database are consistently updated as audits are
performed.

Intermediate level of expertise (2)

Yes

No comments provided.

Intermediate level of expertise (2)

Yes (2)

22a: Please provide the name of the secondary software used to assess risks for the annual audit plan, skill level required, its usefulness to
internal auditors, and why it is useful or not:
| Software/Number of responses | Skill level and number responding | Is this software useful to IA | Explain why software is useful or not useful |
| Crystal Reports | Beginner level of expertise | Yes | No comments provided. |
| TeamMate | Expert Level | No | Still in testing stage. |


22b. Please complete the following:


How has the use of the previously identified software improved your internal audit capabilities?

- Consistent tracking and format for all risk assessments and risk calculations, which makes it easier to compare risks across the organization (5 responses).
- Provides a central tracking location (2 responses).
- Saves time when performing the risk assessment (e.g., sort for different types of views and risks) (2 responses).
- Software illustrates results of risk assessment graphically and through reports (1 response).

Please provide a success story or best practice linked to the use of the software identified previously:

- Helps in the audit planning process (e.g., annual audit plan is prepared promptly by the use of the risk assessment system) (2 responses).
- Provides a common communication mechanism of risk assessment results (1 response).
- Is enabling internal audit activity to develop a mathematical risk assessment model (1 response).
- Risk criteria are consistently updated as audits are performed, which enables auditors to determine which audit areas are considered high risk at a glance because of the control environment or an audit has not been performed in a while (1 response).
- Enables use of Monte Carlo technique for risk assessments (1 response).

Please provide an example of a barrier or challenge presented by the use of the software identified previously:

- Software is cumbersome to use and could use additional automation (2 responses).
- It is difficult to incorporate changes to spreadsheet (1 response).
- Risk assessment is still subjective (1 response).
- Lack of adequate resources to patch or upgrade the system to eliminate problem areas and to build new features (1 response).

22c. Please explain why you do not use software for the annual audit plan:

No answers were provided.


23: Are there any additional comments related to the use or nonuse of software
applications this survey has not addressed?
Response
- Too many audit tools are not intended for small audit shops and their cost is too expensive. As a result, the tool's cost and effort needed to learn how to use it and implement it correctly does not justify its acquisition (3 responses).
- Information on GRC tools - we are in the process of selecting a GRC portal for use across the internal audit activity (1 response).
- The use of software and having in-house IT audit resources depends on the size of the organization (e.g., for a smaller company, it is cost effective to co-source activities for special needs in a focused manner) (1 response).
- Much feedback received from peers is that they spend a lot of time putting information into a software and only get back the information they put into it with the addition of pretty graphs, etc. to show for the effort (1 response).


Demographics
24: How many individuals are part of your IT audit activity?
(Respondents could only choose a single response)

Response          Frequency   Count
1-3               77.2%       105
4-6               13.2%       18
7-9               3.7%
More than 10      5.9%
Not Answered                  2
Valid Responses               136
Total Responses               138

25: What is the size of your internal audit activity (calculated in total full-time equivalents)?
(Respondents could only choose a single response)

Response          Frequency   Count
1-2               11.6%       16
3-6               34.1%       47
7-15              31.2%       43
16-20             8.7%        12
21-30             5.8%
More than 30      6.5%
Not applicable    2.2%
Valid Responses               138
Total Responses               138

26: To whom does the IT audit function report?
(Respondents could only choose a single response)

Response                                            Frequency   Count
Chief audit executive or head of internal auditing  83.2%       114
Audit committee                                     8.8%        12
Chief executive officer or equivalent               0.7%
Chief information officer or equivalent             1.5%
Other (specified below)                             5.8%
Not Answered                                                    1
Valid Responses                                                 137
Total Responses                                                 138

26.1: If not listed above, to whom does the IT audit function report?
Response
Board of directors
Do not have a separate IT audit function
Elected official
Functionally to board's audit committee and administratively to the CFO
Head of corporate services
Senior audit manager
Vice president for administrative and fiscal services


27: How many years have you been a chief audit executive or equivalent?
(Respondents could only choose a single response)

Response          Frequency   Count
1-3               17.4%       24
4-6               16.7%       23
7-9               13.0%       18
10-12             8.0%        11
13-15             7.2%        10
16-18             2.9%
19 or more        9.4%        13
Not applicable    25.4%       35
Valid Responses               138
Total Responses               138

28: How many years has your audit function been performing IT audits?
(Respondents could only choose a single response)

Response          Frequency   Count
1-3               25.0%       34
4-6               19.9%       27
7-9               14.0%       19
10-12             8.8%        12
13-15             5.1%
16-18             2.9%
19 or more        19.9%       27
Not applicable    4.4%
Not Answered
Valid Responses               136
Total Responses               138

29: How many combined years of audit experience do you have?
(Respondents could only choose a single response)

Response          Frequency   Count
1-3               0.7%
4-6               4.3%
7-9               9.4%        13
10-12             15.2%       21
13-15             8.7%        12
16-18             12.3%       17
19 or more        49.3%       68
Valid Responses               138
Total Responses               138

29a: Please specify the number of years of experience you have in each area below (please use
numeric values only; e.g., 1, 1.5):
(Respondents could only choose a single response)

Experience    Internal Audit           IT Auditing              Other
              Average Years   Count    Average Years   Count    Average Years   Count
5 or less     3.9             18       2.9             39       3.3             30
5.5-10        8.4             29       8.1             31       8.6             20
11-15         12.9            27       13.5            13       13.1
16-20         18.0            13       18.4                     18.8
21-25         22.9            23       22.6                     23.0
26 or more    33.0            23       29.3                     34.7

30: In what type of organization do you work?
(Respondents could only choose a single response)

Response                  Frequency   Count
Private company           25.4%       35
Publicly listed company   44.2%       61
Nonprofit organization    13.8%       19
Government agency         13.0%       18
Other (specified below)   3.6%
Valid Responses                       138
Total Responses                       138

30: In what type of organization do you work?
Response
Community college. (2 responses)
Retired: I worked for state and federal government.
Public-funded educational institution
University

31: What is your organization's primary industry?
(Respondents could only choose a single response)

Response                                    Frequency   Count
Aerospace and defense                       0.0%
Agriculture/forestry/fisheries              0.0%
Communication/telecommunication services    1.5%
Construction/engineering/architecture       2.2%
Consulting services                         0.7%
Distribution                                1.5%
Educational services                        10.2%       14
Energy/oil and gas                          2.9%
Financial services/banking/real estate      19.7%       27
Gaming/lotteries                            2.2%
Health services                             6.6%
Hospitality/entertainment/restaurant        1.5%
Insurance carriers/agents                   8.0%        11
Local government                            0.7%
National/federal government                 0.7%
Manufacturing                               15.3%       21
Mining                                      0.7%
Nonprofit sector                            2.2%
Pharmaceuticals                             0.7%
Public accounting/accounting services       0.0%
State/provincial government                 4.4%
Technology                                  1.5%
Transportation                              0.7%
Utilities                                   7.3%        10
Wholesale/retail                            3.6%
Other                                       5.1%
Not Answered
Valid Responses                                         137
Total Responses                                         138

32: Select the annual revenue range in U.S. dollars that best describes your organization:
(Respondents could only choose a single response)

Response                                        Frequency   Count
Less than USD 10 million                        2.2%
USD 10 million to less than USD 50 million      6.0%
USD 50 million to less than USD 100 million     3.0%
USD 100 million to less than USD 500 million    16.4%       22
USD 500 million to less than USD 1 billion      13.4%       18
USD 1 billion to less than USD 10 billion       46.3%       62
USD 10 billion or more                          12.7%       17
Not Answered                                                4
Valid Responses                                             134
Total Responses                                             138

33: What title best describes your current role within your organization?
(Respondents could only choose a single response)

Response                 Frequency   Count
Audit staff              3.6%
Audit manager            12.4%       17
Audit director           15.3%       21
Chief audit executive    54.0%       74
IT audit staff           1.5%
IT audit manager         8.0%        11
IT audit director        4.4%
Retired                  0.7%
Not Answered
Valid Responses                      137
Total Responses                      138

34: Where is your organization located?
(Respondents could only choose a single response)

Response          Frequency   Count
United States     76.1%       105
Albania           1.4%
Australia         2.2%
Bahrain           0.7%
Barbados          0.7%
Canada            8.0%        11
France            0.7%
Germany           1.4%
Hong Kong         2.2%
Ireland           0.7%
Lebanon           0.7%
Mexico            0.7%
Netherlands       0.7%
Puerto Rico       0.7%
South Africa      0.7%
Switzerland       1.4%
Venezuela         0.7%
Valid Responses               138
Total Responses               138

APPENDIX A: ERM SURVEY RESULTS

