Institute of Internal Auditors - Audit and Internal Controls Survey - March 2010

The U.S.
Foreign Corrupt Practices Act:

Current internal audit and compliance practices
Type: Executive Summary Report
Date: 3/22/2010
Number of Responses Analyzed: 129
Total number of invitations: 1802 (7.2% response rate)
1: Does your organization perform business transactions outside the United States?
(Respondents could only choose a single response)
Response Chart Frequency Count
Yes 63.6% 82
No 36.4% 47
Valid Responses 129
Total Responses 129
2: How does your organization approach compliance with the FCPA?

We have a robust, formal
program including policies,
46.3% 38
procedures, monitoring, and
training
We have an informal program
including some of the elements noted
18.3% 15
above, but no plans to move to a
formal program
We have an informal program and
are planning on, or in the process of, 24.4% 20
implementing a more formal program
We do not have a companywide
program for FCPA compliance; please 11.0% 9
explain why not (below):
Valid Responses 82
Total Responses 82
1
GAIN – The IIA’s Premier Benchmarking Program
Copyright © 2010 The Institute of Internal Auditors
2-1: Why does your organization not have a companywide program for FCPA compliance?
Response
We are a Canadian company.
Does not apply as we are a German company.

FCPA is covered in our Code of Conduct and discussed occasionally. We are planning a more formal
approach.
We have minimal international presence; provide services not financial transactions.
No foreign locations; transactions with entities outside the U.S. are highly structured when they do
occur.
Our activity is only outside the U.S.; non-U.S. company.
Senior management has never seen it as a priority.
Very limited exposure.
We never thought about it.
Responses 9
2
3: Please state what you believe to be the top three organizational practices to ensure
compliance with the FCPA as stated in your organization’s policies and procedures:
Response Count
Employee, vendor, and stakeholder awareness activities and training (e.g., annual training on FCPA
compliance, mandatory training, communication of policy, direct communication from the legal 57
department, code of conduct training)
Implementation of internal processes and controls to ensure compliance in addition to the organization’s
code of conduct or ethics (e.g., the department, officer, employee, or agent acting on behalf of the
company are responsible for maintaining accurate, detailed records of foreign transactions for three
years; segregation of duties; properly recording facilitation payments in books and records; procedures’
documentation, implementation of an FCPA policy; implementation of a conflict of interest policy; legal
policy, approval processes and cash controls; due diligence processes, discouraging and/or requiring 40
legal oversight for higher risk disbursements to government officials and related parties; contractual
safeguards, due diligence on any government interaction activity; ensuring authority for foreign
expenditures resides with the business unit leader after a review by the legal department; increased
oversight and approvals required before entering into business relationships with foreign government
officials and related parties; legal division's continuous interaction with business development function)
Compliance audits and monitoring (e.g., testing of controls; scrutiny of gifts and payments; reviews of
books and records to ensure no issues appear to have occurred; quarterly certifications attesting to
compliance; periodic/ongoing reviews of established protocols; independent monitoring on internal
controls; follow-up monitoring and internal audit verification; including FCPA audit steps in every foreign 37
audit; audit reviews of vendor master records and disbursements at foreign offices; performing audits on
antitrust and corruption activities and insider trading, monitoring of disbursements by foreign subsidiaries,
monitoring via surveys)
Implementation of and annual certification of compliance with business conduct policies (e.g., third-party
certification of compliance employee and third-party compliance certification with the organization’s code 33
of conduct or ethics policies and procedures)
Implementing formal guidelines pertaining to the use of third-party (e.g., written agreements with
business partners; third-party certification of compliance; proper due diligence when hiring agents and
other third parties; using sales intermediaries such as distributors, having formal agent and distributor
guidelines, implementing contractual safeguards and payment and documentation requirements when
12
contracting with third parties who have interactions with foreign government officials; ensuring FCPA
compliance is part of all contractual agreements, such as drafting FCPA compliance wording in select
contracts with suppliers and/or independent contractors; no facilitation or grease payments without
approval by the compliance function)
Tone at the Top and management involvement/support (e.g., oversight, executive-level emphasis on
11
compliance)
Implementing a confidential reporting mechanism for compliance breaches 6
Stating and enforcing clear penalties under the organization’s code of conduct for not complying with the
4
FCPA policy
Audits of accounts payable activities 2
Performing a risk assessment that detects areas of compliance concerns (e.g., risk definition) 2
Performing a background check on key players 1
Use of IT controls (e.g., use of an automated system to run data through) 1
Dealing exclusively with publicly traded foreign companies 1
Ensuring a fair market value for fees and services 1
Implementing an FCPA oversight body (e.g., FCPA steering committee) 1
Translation of policies into all languages the company operates in 1
Organization incentives 1
Not applicable 1
3
4: Over the past three years, has the level of attention that the organization pays to FCPA:
Increased, see 4-1 for
70.7% 58
reason(s):
Decreased, see 4-2 for
2.4% 2
reason(s):
Stayed the same 26.8% 22
Valid Responses 82
Total Responses 82
4-1: For what reasons has the level of attention that the organization pays to FCPA increased?
Response Count
The organization’s international/global growth, existing international operations, or plans to
expand in a foreign or high-risk market has led to an increased focus in FCPA compliance (e.g.,
20
Asian acquisition, business activities are expanding in new countries; more operations in
companies with a high corruption index)
Increased regulatory attention and enforcement (e.g., increased Department of Justice/SEC
12
attention has led to heightened FCPA focus)
Previous incidents have led to a heightened focus on FCPA compliance (e.g., recent and fairly
recent federal research contractor requirements, FCPA violation identified in Latin America 6
operation, a previous agreement may have overlooked the related risks)
Increased media coverage (e.g., increased news coverage for offenders) 4
Overall increased attention to policies and training on FCPA 4
Compliance with the FCPA is mandatory due to the organization’s operations 3
Due to a heightened awareness of the requirements by management, the board, or audit
2
committee
FCPA is now a compliance concerns as the organization is publicly traded 2
The economic slowdown has led to heightened focus on FCPA compliance. 2
To mitigate risks identified in the risk assessment 1
Put an automated system into place 1
We started with zero attention 1
4-2: For what reasons has the level of attention that the organization pays to FCPA decreased?
Response
Lack of time and prioritization by management
Not applicable
Responses 2
4
5: Board-level responsibility for FCPA is executed: (Choose all that apply)
(Respondents were allowed to choose multiple responses)
By the full board 26.8% 22
By the audit committee 59.8% 49
By another board-level committee 7.3% 6

Through receiving regular reports on the state
20.7% 17
of the FCPA program and results
Through receiving reports of any alleged FCPA
26.8% 22
violations
Through internal audit reports on FCPA 26.8% 22
Through receiving reports only of identified
18.3% 15
FCPA violations
Other, explained below: 9.8% 8
Valid Responses 82
Total Responses 82
5-1: How else is board-level responsibility for FCPA executed?

Response
Audits and law reports on subject
Code of Conduct
Not at all
Not reported (2 responses)
Not yet that formalized
Presentation to the audit committee of controls and monitoring
Reporting of known issues
Responses 10
5
6: What role does the internal audit activity have in investigating alleged violations of the FCPA?
Internal auditing is primarily responsible for
24.4% 20
conducting or managing FCPA investigations
Another area of the company is primarily
responsible for investigations; internal
auditing participates with that area in 45.1% 37
investigations or providing support as
needed or requested
Another area of the company is primarily
responsible for investigations; internal auditing
2.4% 2
does not actively participate in the
investigations
Third parties are hired by internal auditing to
2.4% 2
conduct the investigations
Third parties are hired by the area responsible
6.1% 5
for FCPA to conduct investigations
Other, specify below: 19.5% 16
Valid Responses 82
Total Responses 82
6-1: If not listed above, what role does the internal audit activity have in investigating alleged
violations of the FCPA?
Response
Audit or outside audit (language reasons)/law or outside counsel

Audit's involvement is determined by documented protocol for all investigations
CAE leads FCPA steering committee for the audit committee
Combination of internal auditing and third parties hired by internal auditing
Communicating policy
Compliance to Canadian criminal code infraction, not FCPA
Internal auditing audits FCPA compliance; the fraud investigations group performs any investigations.
Issues are investigated by the legal function.
No instances to investigate (6 responses)
Planning on formalizing activities among internal auditing, in-house general counsel, and president on
all international operations.
Third parties hired by audit committee to conduct FCPA investigations.
Would be decided on a case by case basis
Responses 17
6
7: Compared to 2008 and 2009, have FCPA internal audit efforts increased, decreased, or
stayed the same in your organization for 2010?
Increased 45.1% 37
Decreased 2.4% 2
Stayed the same 46.3% 38
Don’t know 6.1% 5
Valid Responses 82
Total Responses 82
7a: Please indicate the percentage by which FCPA internal audit efforts have increased since
2008:
1% to 11% to 26% to 51% to 76% to More than
Total
10% 25% 50% 75% 100% 100%
From 2008 Count 14 3 1 3 4 1 26

to 2009 % by Row 53.8% 11.5% 3.8% 11.5% 15.4% 3.8% 100.0%
From 2009 Count 13 12 0 5 1 3 34

to 2010 % by Row 38.2% 35.3% 0.0% 14.7% 2.9% 8.8% 100.0%
Total Count 27 15 1 8 5 4 60
% by Row 45.0% 25.0% 1.7% 13.3% 8.3% 6.7% 100.0%
7b: Please indicate the percentage by which FCPA internal audit efforts have decreased since
2008:
11% to 26% to 51% to 76% to
1% to 10% Total
25% 50% 75% 100%
From 2008 Count 1 1 0 0 0 2

to 2009 % by Row 50.0% 50.0% 0.0% 0.0% 0.0% 100.0%
From 2009 Count 1 1 0 0 0 2

to 2010 % by Row 50.0% 50.0% 0.0% 0.0% 0.0% 100.0%
Total Count 2 2 0 0 0 4
% by Row 50.0% 50.0% 0.0% 0.0% 0.0% 100.0%
7
8: As part of its planning process, does the internal audit activity complete a risk assessment
that identifies risks pertaining to FCPA compliance?
Yes, please explain how FCPA compliance
74.4% 61
risks are identified (see 8-1):
No, explained below in 8-2: 25.6% 21
Valid Responses 82
Total Responses 82
8-1: Please explain how FCPA compliance risks are identified:

Response Count
By performing a risk assessment that includes FCPA risks (e.g., during the annual audit plan risk assessment or by
assessing risks for each relevant process, assessing risk of fraud) 15
Corruption perception index from Transparency International (e.g., company locations are rated based on the
corruption perception index) 11
Based on the business unit, process, or activity (e.g., based on the business unit to be audited or business activities
associated with agents, reviewing travel activity) 10
Based on geographical location (e.g., of the organization or the activity or process being audited, high-risk country) 10
Based on discussions with senior or executive management (e.g., country risk is evaluated through discussions with
management, risk interviews with leaders of finance team and business unit leaders directing global activities) 9
Based on previous experience (e.g., past FCPA issues, previous allegations, prior knowledge of FCPA issues) 6
Based on questionnaire/checklist responses (e.g., agent questionnaire responses) 4

Compliance testing and monitoring (e.g., entity-level internal control testing, compliance reviews of business conduct
policy, monitoring of contracts and payments, compliance with policies) 3
Based on the audit type (e.g., , FCPA compliance risks are discussed with internal audit stakeholders during the
audit’s planning phase; have FCPA scope incorporated into an audit in the event there is an area with exposure to 2
FCPA risk)
Data mining and interview 2
Financial statement analysis (e.g., reviewing finance general ledgers) 2
Pre-audit planning activities (e.g., research) 2
Working with legal, compliance, and/or international business units 2
List of potential transactions that could result in FCPA issues 1
Country transparency rating 1
CSA approach 1
Discussions with buyers 1
Overall discussions/interviews on FCPA topics 1
By using an external risk list 1
Based on the level of interaction with government officials 1

Process mapping 1
8
8-2: Please explain why the internal audit activity does not complete a risk assessment that
identifies risks pertaining to FCPA compliance as part of its planning process.
Response
Not specifically (2 responses)
1-man shop; no time
Does not apply to German company
Done outside of normal planning process with legal department
Hard to evaluate; inferences are indirect.
Never considered it.
Ongoing program vs. annual risk assessment
Only communicate policy
Probably will, don't know yet.
Risk is considered minimal.

The risk is perceived to be inherent in certain locations of operation. No other specific risk indicator has
been identified.
There is a risk assessment, but no specific consideration of FCPA during that process. There will be for
2011.
Responses 13
9: Does your internal audit activity perform audits surrounding FCPA compliance?
Yes 61.0% 50
No, explained below: 39.0% 32
Valid Responses 82
Total Responses 82
9
9-1: Please explain why your internal audit activity does not perform audits surrounding FCPA
compliance:
Response
No audits are focused solely on FCPA. Specific audits, however, may contain scope including FCPA if
that is a significant risk for the area being audited or for international review. (9 responses)
Has not made it to the high-risk category (3 responses)
Planned for 2011 (3 responses)
1-man shop; no time
Does not apply to German company
Never thought about it
Not formal
Only communicate policy
Only reviews, awareness training, and investigations of potential incidents
Our company's program is not robust, therefore there is little to audit.
Very small component of business, leverage compliance office reviews
We don’t
Responses 24
9a: Please select the response that best describes your internal audit activity’s FCPA compliance
efforts: (Choose all that apply)
FCPA audits are incorporated into other
70.0% 35
internal audits of operating units or processes
Operating units or processes are subject to regular,
32.0% 16
separate audits for FCPA compliance
Operating units or processes are audited for FCPA
compliance if there is some indication of FCPA 28.0% 14
compliance problems
An enterprise wide audit of the FCPA program is
26.0% 13
executed
A continuous monitoring program is conducted to
14.0% 7
assess FCPA compliance
Valid Responses 50
Total Responses 50
9a: If not listed above, how does your internal audit activity comply with the FCPA?
Response
N/A
Quarterly questionnaires
Responses 2
10
10: Please select from the following list the steps necessary to achieve the success of FCPA
internal audit programs: (Choose all that apply)
There is joint coordination between the
internal audit activity and legal department
76.8% 63
on matters pertaining to FCPA compliance
and testing
We use dedicated and properly trained internal
auditors to focus on FCPA compliance and audits;
please specify the number of internal auditors 6.1% 5
dedicated to FCPA compliance: (none of the 5
respondents specified how many)
We perform regular, stand-alone FCPA assessments
22.0% 18
that are solely focused on foreign transactions
We perform FCPA-specific risk assessments for
31.7% 26
proactive location and scope selection
We use third-party expertise to supplement
29.3% 24
resources, knowledge, and tools
We use data analytic tools to identify high risk
29.3% 24
transactions
We execute the documented approach and
methodology under the company’s overarching 30.5% 25
FCPA policy
Other, specified below: 15.9% 13
Valid Responses 82
Total Responses 82
10-1: Please select from the following list the steps necessary to achieve the success of FCPA
internal audit programs:
Response
We do not have FCPA audit programs (4 responses)

Agree with all but will not happen until such work is performed
Audit preparation is 6-8 weeks; onsite execution is 3 weeks
FCPA may be scoped into individual audits on a case-by-case basis depending on assessment of the FCPA
risk in the area being audited.
FCPA testing is performed as part of the operational and financial audits.
Policies, training, etc. are monitored for compliance, including of FCPA.
We build FCPA audit procedures into process audits, for example expense report audits.
We closely review the A/P ledger and look into finder's fee and other transactions that could disguise a
bribe.
Responses 11
11
11: Please select which of the following elements are part of the internal audit activity’s FCPA
compliance responsibilities: (Choose all that apply)
Conducting broad FCPA risk assessments
that identify potential high-risk areas based 47.6% 39
on analysis
Assessing management’s FCPA knowledge
43.9% 36
and compliance activities
Testing policies and procedures for
74.4% 61
awareness and effectiveness
Accumulating electronic data and conducting
37.8% 31
interviews
Applying automated controls and proactive
13.4% 11
data anomaly detection tools
Selecting samples of high-risk transactions
54.9% 45
for further analysis
Testing transactions to determine whether
52.4% 43
FCPA controls are working as intended
Reporting findings to compliance officers,
68.3% 56
audit committees, and legal counsel
Driving policy and procedural change using
37.8% 31
identified risks and gaps
Training foreign employees 23.2% 19
Obtaining or reviewing annual employee
39.0% 32
compliance declarations
Testing employees for FCPA policies and
25.6% 21
requirements
Sharing with employees lessons learned
23.2% 19
from prior FCPA matters
Valid Responses 82
Total Responses 82
11-1: What other elements are part of the internal audit activity’s FCPA compliance
responsibilities?
Response
Internal auditing works closely with the compliance director for anti-corruption matters in all aspects of
the compliance program for anti-corruption.
No FCPA audit programs are in place.
Reviewing at international locations the knowledge and training of individuals.
Will be decided when the time comes.

Responses 4
12
12: Which risks factors are considered during the risk assessment process? (Choose all that
apply)
The history of FCPA violations in the
54.9% 45
industry and company
The company’s geographic location
and its corruption rating from 67.1% 55
Transparency International
The country’s anti-corruption
enforcement level and ongoing 36.6% 30
investigations or schemes
Business unit susceptibility to FCPA
violations related to the use of third 64.6% 53
parties
Employee, vendor, and agent knowledge
and awareness of FCPA rules from
51.2% 42
efforts such as training, surveys, and
certification
Findings from previous transactions
56.1% 46
tests, audits, surveys, and hotlines
Previous internal control deficiencies and
59.8% 49
vulnerabilities
Recent business unit changes in
47.6% 39
management or business composition
Compensation standards for employees
14.6% 12
and executives
International business unit revenues 25.6% 21
The dollar amount and percentage of
37.8% 31
government business activities
The number and dollar amount of
18.3% 15
accounts payable transactions
Payments to third parties including sales
54.9% 45
agents and commercial agents
Payments for professional services 42.7% 35
Discretionary, noninventory spending 20.7% 17
Growth rates 12.2% 10
Budget to actual variances 18.3% 15

The nature of time and expense
19.5% 16
reporting
Valid Responses 82
Total Responses 82
13
12-1: What other risks factors are considered during the risk assessment process?
Response
We do not perform FCPA risk assessments (4 responses)
Commissions paid
Contributions, marketing expense, and accounts payable
Responses 6
13: Which testing procedures are used to confirm whether controls and processes over illegal
payments are working as intended? (Choose all that apply)
Selected general ledger accounts 52.4% 43

Accounts payable data for high-risk
63.4% 52
transactions
Accounts receivable data for US $0
24.4% 20
invoices or credits to customers
Anti-bribery provisions in agreements
50.0% 41
with agents
Activities and payments related to sales
45.1% 37
to government customers
Purchases from partially or wholly
32.9% 27
government-owned entities
Payments to government entities for
goods, services, and other regulatory
59.8% 49
matters such as fines, penalties, licenses,
and permits
Employee expense reports 72.0% 59
Bank statement reconciliations and
36.6% 30
details
Petty cash activities 43.9% 36
Valid Responses 82
Total Responses 82
14
13-1: What other testing procedures are used to confirm whether controls and processes over
illegal payments are working as intended?
Response
Have never done an audit for FCPA violations or have an audit FCPA program (3 responses)
To be determined when applicable.
Quarterly questionnaires
Logs of gifts given on behalf of the company to government officials
Valid Responses 6
DEMOGRAPHICS
14: What is the size of your internal audit activity (calculated in total full-time equivalents)?
1–2 14.0% 18
3–6 39.5% 51
7–15 30.2% 39
16–20 4.7% 6
21–30 3.9% 5
More than 30 7.8% 10
Valid Responses 129
Total Responses 129
15: Select the annual revenue range that best fits your organization:
Less than USD 10 million 2.3% 3

USD 10 million to less than USD 50 million 1.6% 2
USD 500 million to less than USD 1 billion 24.8% 32
USD 1 billion to less than USD 10 billion 41.1% 53
USD 10 billion or more 8.5% 11
Valid Responses 129
Total Responses 129
15
16: What best describes your title or is equivalent to your current position or role within your
organization?
Chief audit executive (CAE) 75.8% 97
Internal audit director or direct report to CAE 11.7% 15
Manager or supervisor 8.6% 11

Internal audit professional with 3 or more
2.3% 3
years of internal audit experience
Internal audit professional with less than 3
0.0% 0
years of internal audit experience
Not Answered 1
Valid Responses 128
Total Responses 129
16-1: If not listed above, what best describes your title or is equivalent to your current position
or role within your organization?
Response
director erm
Responses 1
16
17: Which category best describes your organization's primary industry?
Aerospace and defense 0.8% 1

Agriculture / forestry / fisheries 0.0% 0
Communication / telecommunication
1.6% 2
services
Construction / engineering /
1.6% 2
architecture
Consulting services 0.0% 0
Consumer packaged goods 0.8% 1
Distribution 0.0% 0
Educational services 5.6% 7
Energy / oil and gas 2.4% 3
Financial services / banking / real
10.4% 13
estate
Gaming / lotteries 0.0% 0
Health services 6.4% 8
Hospitality / entertainment /
3.2% 4
restaurant
Insurance carriers / agents 9.6% 12
Local government 1.6% 2
National / federal government 0.0% 0
Manufacturing 26.4% 33
Mining 0.8% 1
Nonprofit sector 1.6% 2
Pharmaceuticals 4.0% 5
Public accounting / accounting
0.8% 1
services
State / provincial government 3.2% 4
Technology 4.8% 6
Transportation 1.6% 2
Utilities 4.0% 5
Wholesale / retail 5.6% 7
Other 3.2% 4
Not Answered 4
Valid Responses 125
Total Responses 129
17
18: Is your organization listed in the:
Fortune 100 3.7% 4
Fortune 250 3.7% 4
Fortune 500 8.3% 9
Fortune 1000 22.2% 24
Global 2000 2.8% 3
Other 59.3% 64
Not Answered 21
Valid Responses 108
Total Responses 129
19: In approximately how many countries does your organization do business outside of your
own? (Respondents could only choose a single response)
1–10 47.0% 47
11–20 23.0% 23
21–30 9.0% 9
More than 30 21.0% 21
Not Answered 29
Valid Responses 100
Total Responses 129
18

Institute of Internal Auditors - Audit and Internal Controls Survey - March 2010

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Institute of Internal Auditors - Audit and Internal Controls Survey - March 2010

Hochgeladen von

Copyright:

Verfügbare Formate

The U.S.

Foreign Corrupt Practices Act:

Valid Responses 129

Total Responses 129

2: How does your organization approach compliance with the FCPA?

We are a Canadian company.

Does not apply as we are a German company.

Senior management has never seen it as a priority.

Very limited exposure.

We never thought about it.

Lack of time and prioritization by management

By the full board 26.8% 22

By the audit committee 59.8% 49

By another board-level committee 7.3% 6

5-1: How else is board-level responsibility for FCPA executed?

Audits and law reports on subject

Not reported (2 responses)

Not yet that formalized

Presentation to the audit committee of controls and monitoring

Reporting of known issues

Audit or outside audit (language reasons)/law or outside counsel

Stayed the same 46.3% 38

Don’t know 6.1% 5

From 2008 Count 14 3 1 3 4 1 26

From 2009 Count 13 12 0 5 1 3 34

% by Row 45.0% 25.0% 1.7% 13.3% 8.3% 6.7% 100.0%

From 2008 Count 1 1 0 0 0 2

From 2009 Count 1 1 0 0 0 2

% by Row 50.0% 50.0% 0.0% 0.0% 0.0% 100.0%

8-1: Please explain how FCPA compliance risks are identified:

Based on questionnaire/checklist responses (e.g., agent questionnaire responses) 4

Financial statement analysis (e.g., reviewing finance general ledgers) 2

Pre-audit planning activities (e.g., research) 2

Working with legal, compliance, and/or international business units 2

List of potential transactions that could result in FCPA issues 1

Country transparency rating 1

Discussions with buyers 1

Overall discussions/interviews on FCPA topics 1

By using an external risk list 1

Based on the level of interaction with government officials 1

Not specifically (2 responses)

1-man shop; no time

Does not apply to German company

Done outside of normal planning process with legal department

Hard to evaluate; inferences are indirect.

Never considered it.

Ongoing program vs. annual risk assessment

Only communicate policy

Probably will, don't know yet.

Risk is considered minimal.

No, explained below: 39.0% 32

We do not have FCPA audit programs (4 responses)

Reviewing at international locations the knowledge and training of individuals.

Will be decided when the time comes.

Discretionary, noninventory spending 20.7% 17

Growth rates 12.2% 10

Budget to actual variances 18.3% 15

We do not perform FCPA risk assessments (4 responses)

Contributions, marketing expense, and accounts payable

Selected general ledger accounts 52.4% 43

Total Responses 129

Less than USD 10 million 2.3% 3

Chief audit executive (CAE) 75.8% 97

Internal audit director or direct report to CAE 11.7% 15