Chapter 2-3-4


Figure 2-8: A Six-step Guide to Process Reengineering

Step #1: Identify the Process's Customer-driven Objectives
•Reduce cost.
•Minimize cycle time.
•Eliminate defects.

Step #2: Map and Measure the Existing Process
•What is the process?
•How much does it cost?
•How long does it take?
•What type of results are we experiencing?

Step #3: Analyze & Modify the Existing Process

Step #4: Benchmark for Innovative, Proven

Internal External

Step #5: Reengineer the Process

Step #6: Roll Out the New Process
•Train employees.
•Pilot the process.
•Implement full-scale.
•Monitor the results.

Source: Furey, Timothy R., "A Six-step Guide to Process Reengineering," Planning Review (March/April 1993): 20-23. Reprinted with Permission.


The Institute of Internal Auditors Research Foundation

Internal Audit Reengineering: Survey, Model, and Best Practices

Without alignment of these projects, a series of problems may appear. The shift to reengineering can be facilitated by efforts to
align multiple, discrete operating macro improvement projects with broader programs, plans, and visions. Each specific project can
be assessed and modified to ensure compatibility with other infrastructure standards, and long-term business plans. Figure 2-9
highlights some of the differences in focus between micro-level and macro-level reengineering.

Figure 2-9: Micro vs Macro Reengineering

Parameter            Micro             Macro
Objective            Optimization      Transformation
Timeframe            Short             Long
Leadership           Local             Senior
Infrastructure       Diverse           Integrated
Performance focus    Financial         Multiple Benefit Paths
Focus                Single Process    Enterprise
Scale                Small             Massive
Projects             Multiple          Single Focus

Source: Davidson, W.H., "Beyond Reengineering: The Three Phases of Business Transformation." Copyright 1993. International
Business Machines Corporation. Reprinted with Permission from IBM Systems Journal, Vol. 32, No. 1.

As is evident from Figure 2-9, the scope of a reengineering project expands as we move from a process to the organizational
renewal orientation, and the goals, expected outcomes, focus and leadership style change. No matter what methodology, framework
or orientation is used by the potential organizations or business units in implementing reengineering, based on the world's
experience up to this point it is clear that reengineering is not a fad.

Preconditions for a Successful Reengineering


It is commonly said in business circles that the effort associated with the deployment of a new business
philosophy or technique is 10 percent while the effort that is invested in change management activities to
make the philosophy and the techniques work is 90 percent. This statement indicates the critical importance
of change management practices while initiating reengineering in an organization. Therefore, before
embarking on any reengineering initiative it is recommended that as many of the following preconditions as
possible be put in place if the reengineering initiative is to have a successful outcome. A number of these
preconditions were identified by Bashein, Markus, and Riley in a 1994 study of 60 leading consultants in the
area of business process reengineering.13 These are summarized below:

 Senior management's commitment and strong support of the reengineering initiative. This
commitment and strong support should not only exist at the initiation of the project, but should
continue and be visibly demonstrated throughout its duration. The project sponsor should be either
the CEO of the corporation or a member of the senior management team who is ultimately
responsible for the success of the process.

 Reengineering projects should be initiated in the context of a clear and shared vision about the
goals and objectives of the organization going forward. This implies that vision should not only be
clearly articulated, but there should also be four-way communication of its elements and strategies
to be put in place to achieve it. According to Hammer and Stanton (1995, p. 151), the top principles
of communication on a reengineering project are: segment the audience, use multiple channels and
multiple voices, be clear, communicate, communicate, communicate, honesty is the only policy, use
emotions — not just logic, heal, console, and encourage, make the message tangible, and listen,
listen, listen.
 Reengineering projects should be initiated in the strategic context of growth and expansion. In other
words, organizational members are more enthusiastic and less resistant to reengineering projects
when they are meant to increase market share, grow revenues, become more competitive, or
expand into the new lines of business rather than when they are designed to result in cost cutting,
downsizing, or outsourcing. At times, the outcome of a reengineering initiative might be just that and
it is perfectly fine, but to frame the project in terms of such emotionally negative goals would not
bring the best out of the reengineering team participants.

13 Barbara J. Bashein, M. Lynne Markus, and Patricia Riley, "Preconditions for BPR Success and
How to Prevent Failures," Information Systems Management, Spring 1994, pp. 7-13.


 The sponsor of the reengineering project should set realistic expectations or goals for the
reengineering team. In order to achieve this, the sponsor should have a deeper understanding of
the diseased process and the time and effort required to fix it. Agreeing to realistic expectations
does not mean that the reengineering team should be absolved from radically redesigning the
business process to achieve the dramatic improvements but rather the team should be accorded
realistic time and resources to successfully complete the task at hand.
 Collectively, the members of the reengineering team must have a process-orientation, holistic
perspective, creative mind-set, enthusiasm and restlessness, optimism, persistence,
team spirit, excellent communication skills, and tactfulness.
 A reengineering team should be sufficiently empowered along with proper accountability and
responsibility to deliver the best-suited solution to the diseased process. As the reengineering
project gets underway, there is a growing tendency among the project sponsors to either completely
forget about the reengineering project or to micro-manage each and every aspect, thereby killing
the opportunity to develop a well-thought-out business process. Both extremes are unproductive
and detrimental to the business process reengineering. The appropriate approach lies somewhere
between the two extremes.
 The cross-functional reengineering team should be comprised of adequately trained, full time
personnel from the various parts of the organization. It is important that the reengineering project
have the undivided attention of the reengineering team during its entire duration. The real-life
experience indicates that all too often reengineering projects are add-ons to team members' regular
job responsibilities. Such an approach, for whatever reasons, sends conflicting signals to the other
organizational participants that indicate lack of commitment, resources, or direction on the part of
the senior management to the reengineering initiatives in the organization.
 Senior management (along with the reengineering team) must understand that they will encounter resistance
during the implementation stage. Resistance is only natural, and everyone concerned with the success of
reengineering must find and confront the disguised resistance, understand it, and have a plan in place to
manage it by employing one or all of the following mechanisms: incentives, information, intervention,
indoctrination, and involvement.
 Overall, Hammer and Champy (1993, p. 80) view a business system in terms of four components: business
processes, jobs and structure, management and measurement systems, and values and beliefs. Since
all of these components of a business system are …, they all should be simultaneously managed and
changed to be successful at reengineering the entire organization.


Chapter 2: Reengineering: Theory and Practice

By no means is the above list of preconditions or enablers comprehensive, but it does capture the ones that are deemed to be of
critical importance by the practitioners in this field. Just like one needs to be aware of "positive preconditions" for a successful
reengineering initiative, Bashein, Markus, and Riley (1994) also highlight a number of negative preconditions that can derail a
reengineering effort. Some of these are as follows:

 The Wrong Sponsor: A well-intentioned reengineering project will fail if sponsored by the wrong
person or team in the organization. All of us are well aware of the political ramifications of any
change in an organization, and when change is initiated by the wrong sponsor, our experience
suggests that the project is doomed for failure from the very beginning. According to Bashein,
Markus, and Riley (1994, p. 11), “The wrong sponsor could be too low in the management ranks,
too technically focused, getting ready to retire or change jobs, lacking in credibility or leadership
abilities, unable to develop a good working relationship with internal or external BPR consultants,
and insistent on going ahead with reengineering when major change is unnecessary or excessively
risky."
 A "Do It To Me" Attitude: A reengineering project will fail if the sponsor in the organization is not
willing to get involved and is interested only in hiring consultants to do the reengineering for him or
her.
 Cost-Cutting Focus: If a reengineering initiative is presented to the people in the organization with
the cost-cutting focus, the effort is not going to succeed because "cost-cutting focus usually restricts
the creativity of redesign team...they may not seek out the opportunities for growth...and may avoid
radical changes that threaten to eliminate their own and others' jobs." (p. 11)
 Narrow Technical Focus: If a reengineering project is driven by the goal of incorporating technology
in the process rather than by any strategic thrust, the project would be more likely to fail because
mere automation translates into the computerization of the existing inefficient process rather than
starting from a clean slate to create a value-added process.
 Unsound Financial Condition: Since reengineering projects can be time-consuming and all
encompassing, it is not a good idea to undertake an organizational renewal type of reengineering
perspective and focus in times of financial difficulty. Inasmuch as organizational renewal may seem
to be the appropriate strategy during such times, the more immediate needs are generally focused
on turning the organization around as quickly as possible.


 Consensus Management: "Although a collaborative work style among workers is a positive precondition, a culture of
consensus decision making at the top of the organization can delay reengineering efforts and even make completing them
impossible" (p. 11)

 Too Many Improvement Projects Underway: In an organization where too many improvement projects are underway at any
given time, a reengineering initiative may just be considered another flavor of the month program. According to Bashein,
Markus, and Riley (1994, p. 11), "Diverse improvement projects may be poorly planned, badly integrated, and even mutually
self-defeating. When multiple projects are taken on at the same time their effectiveness may be diluted, making significant
improvements a remote possibility and breakthrough improvements an impossibility."

 Fear and Lack of Optimism: If an organization is suffering through a period of fear and lack of optimism due to the failure
of previous total quality improvement or other organizational renewal efforts, it is not a good time to start a reengineering
project. Rather, senior management should first work on reestablishing employee morale and confidence by building a culture
of trust and hope in the organization. "A certain amount of optimism is essential for creativity in redesign efforts and
successful implementation." (p. 12)

To assist in evaluating whether an organization is ready for reengineering, Hammer and Stanton (1995, pp. 86-88) provide
a self-diagnostic instrument which is presented in Figure 2-10. This diagnostic can be easily adapted to evaluate the
readiness of an internal audit function for reengineering. There are three basic dimensions of this diagnostic:
Reengineering Leadership, Organizational Readiness, and Style of Implementation.14

Commonly Encountered Obstacles in Implementing Reengineering

As mentioned above, even though reengineering methodology is usually context-specific, the implementation experience
of the last decade has taught us the potential obstacles that one might face in implementing business process
reengineering. In a field study of the members of the Planning Forum, an international business organization focusing on
strategic management and planning, Grover, Jeong, and Teng (1998, pp. 53-59) found that a majority of the obstacles in
business process reengineering implementation fall into the following six categories:15

Category 1: Management Support Problems: Problems associated with the top management's commitment and
leadership for reengineering.

14 Refer to source mentioned in Exhibit 2-10 to view the complete set of instructions and scoring guidelines to complete
the self-assessment diagnostic.

15 For a full-length discussion of these problems, see "Survey of Reengineering Challenges" by Varun Grover, Seung R.
Jeong, and James T. Teng, published in Information Systems Management, Spring 1998, pp. 53-59.


Figure 2-10: The Self-Assessment Diagnostic

REENGINEERING LEADERSHIP

1. The leader of reengineering is a senior executive who is strongly committed to reengineering and who possesses the title and authority necessary to institute fundamental change. Score:

2. The reengineering leader truly understands the nature of reengineering and the magnitude of the change - organizational change in particular - that it entails. Score:

3. The reengineering leader has a vision of the kind of organization he or she wishes to create and is able to express that vision clearly and simply in operational terms. Score:

4. The reengineering leader is ready and able to exercise leadership - through communications, personal behavior, and systems of measurement and reward - in order to make reengineering succeed. Score:

5. The reengineering leader is prepared to commit both the organizational resources and personal attention that reengineering requires. Score:

6. The entire senior management team shares the leader's enthusiasm for reengineering. Score:

ORGANIZATIONAL READINESS

7. The organization as a whole recognizes the need for reengineering and fundamental change. Score:

8. The organization understands the nature of reengineering, including the fact that it results in multidimensional change that impacts processes, jobs, organizational structure, management responsibilities, etc. Score:

9. The organization believes that the reengineering leader and the senior management team are truly committed to reengineering, and that this commitment will be long lasting. Score:

10. The organization has none of the complacency and arrogance that often follow a sustained period of success. Score:

11. The organization is free of the skepticism, mistrust, and ambivalence that often follow a program of downsizing or restructuring. Score:

12. The organization has the financial and human resources needed to implement reengineering. Score:

13. Key staff organizations - human resources, finance, and information systems - are positive about the prospect of reengineering and capable of innovative responses to its demands. Score:

14. The organization's experience with total quality management (TQM) has created an environment that is receptive to reengineering. Score:

15. The organization places a high value on serving customers and has a solid understanding of customer needs. Score:

STYLE OF IMPLEMENTATION

16. The organization is comfortable with the way in which reengineering proceeds through risk taking, learning, and ambiguity. Score:

17. The members of reengineering teams will feel empowered to "break the rules" and to challenge long-standing assumptions. Score:

18. The reengineering effort is directed at key business processes rather than organizational units. Score:

19. Managers have been given end-to-end responsibility for the processes to be reengineered and are motivated to assure that the processes are successfully reengineered. Score:

20. Measurement systems and performance goals have been established to chart the progress of reengineering. Score:

Score each one of the above statements on a scale of 1 to 5: 1 representing strong disagreement
and 5 representing strong agreement. Minimum suggested scores are printed against each
statement. If you score lower than these scores, you need to take remedial steps before proceeding
on to reengineering.

Source: Hammer, Michael, and Steven A. Stanton, The Reengineering Revolution: A Handbook

(New York: Harper Collins), 1995, pp. 86-88. Reprinted with Permission.

 Category 2: Technological Competence Problems: Problems related to their technology expertise
and infrastructure.
 Category 3: Process Delineation Problems: Problems in defining attributes and requirements of
process reengineering.
 Category 4: Project Planning Problems: Problems in planning for reengineering.
 Category 5: Change Management Problems: Problems in getting people to respond positively to
change.
 Category 6: Project Management Problems: Problems related to managing the reengineering team
and project.

All in all, these researchers identified a total of 64 commonly encountered problems. These problems are
listed in Figure 2-11 under each of the six major categories.

Since a number of these obstacles are self-explanatory, we will discuss here only the major conclusions of
this research. According to this research (p. 55), the five most severe problems were:

1. Need for managing change is not recognized.

2. Top management's short-term view and quick-fix mentality.

3. Rigid hierarchical structures in the organization.

4. Line managers in the organization unreceptive to innovation.

5. Failure to anticipate and plan for the organizational resistance to change.

A review of Figure 2-11 points to the fact that out of the five most severe problems, all except #2 fall in
Category 5 that clusters all the change management related problems. Obstacle #2 falls in Category 4,
Project Planning Problems. These findings confirm the observations made in the previous section that
deployment of a new business philosophy and techniques is 10 percent of the effort in any organization,
while orchestration of the related change management activities is the remaining 90 percent of the work.
On the potential causes and reasons of these obstacles, Grover, Jeong, and Teng (1998) observe that:

Often reengineering implementation is considered a highly political process where stakeholders are more
concerned about furthering their own self-interests than about contributing to their organization. This could
be partly attributed to the rigid hierarchical structure (the third most severe problem) since organizations
with this structure tend to be functional and hence parochial. Even with a high level of awareness of change
issues, careful change management is needed to handle issues of turf and politics. In many cases,
presenting employees with a prototype of how the reengineered organization will work and conveying a
sense of project's urgency to employees may prove useful in overcoming resistance (p. 56).

Figure 2-11: Commonly Encountered Problems in Implementing Reengineering

Category 1: Management Support Problems


1. Manager's failure to support the new values and beliefs d
redesigned process.
2. Insufficient understanding about the goals of top manager reengineering.
3. Lack of senior management leadership for reengineering efforts
4. Top management's insufficient understanding about business reengineering.
5. Lack of top management support in business reengineering efforts.
6. Lack of reengineering project champion.
Category 2: Technological Competence Problems
1. Insufficient understanding about existing data, applications, and IT across the organization
2. Limited database infrastructure.
3. Lack of expertise in IT in the organization.
4. Limited IS application portfolio.
5. Failure to aggressively use IT enablers.
6. Failure to continually assess emerging IT capabilities.
7. Lack of IS participation and assistance in the reengineering project.
8. Limited telecommunication infrastructure.
Category 3: Process Delineation Problems
1. Difficulty in establishing performance improvement goals for the redesigned process.
2. Failure to identify process owners who are responsible for the entire business process.
3. Difficult to forecast human resources, financial, and other resource requirements.
4. Focusing only on evaluation criteria that are easily measured and quantifiable.
5. Failure to include process owners throughout the reengineering efforts.
6. Scope of the reengineered process was defined inappropriately.
7. Proposed changes to the process were too incremental, not radical enough.
8. The approach to reengineering was too radical.

Category 4: Project Planning Problems

1. Top management's short-term view and quick-fix mentality.
2. Lack of alignment between corporate planning and IT planning.
3. Lack of strategic vision.
4. Lack of experience in business reengineering.
5. Failure to commit the required resources (financial, human resources, etc.) to reengineering efforts.
6. Lack of authority given to reengineering team.
7. Difficulty in financially justifying benefits of reengineering.
8. Identification of candidate process for reengineering not based on strategic planning.
9. Difficulty in finding business reengineering team members who have the required skills and knowledge.
10. Lack of appropriate planning.
11. Absence of appropriate training for reengineering team members.
12. Failure to understand customers' viewpoints in the reengineering efforts.
13. Lack of external consultant support for reengineering efforts.

Category 5: Change Management Problems

1. Need for managing change is not recognized.
2. Rigid hierarchical structures in the organization.
3. Line managers in the organization unreceptive to innovation.
4. Failure to anticipate and plan for the organizational resistance to change.
5. Failure to consider politics of the business reengineering efforts.
6. Failure to build support from line managers.
7. Unreasonable expectations attributed to business reengineering as a solution to all organizational problems.
8. Absence of management systems (e.g., incentive, training system) to cultivate required values.
9. Difficulty in gaining cross-functional cooperation.
10. Senior management's failure to commit to new values.
11. Lack of appropriate employee compensation incentives in the new process.
12. Failure to communicate reasons for change to members of the organization.
13. Inadequate training for personnel affected by the redesigned process.
14. Necessary changes in human resource policies for reengineering implementation were not made.
15. Failure to consider existing organizational culture.
16. Not enough time to develop new skills for the redesigned process.


Category 6: Project Management Problems

1. The reengineering effort took too much time.
2. Uncertainty about reengineering project time-frame.
3. Difficulty in measuring reengineering project performance.
4. Reengineering team members' conflict between team responsibilities and functional responsibilities.
5. Poor communication between reengineering team members and other organizational members.
6. Ambiguity in job expectations for team members.
7. Failure to effectively monitor progress of project according to the schedule.
8. Difficulty in gaining control of reengineering efforts.
9. Difficulty in modeling and simulating the proposed changes to the business process.
10. Failure to assess project performance in the early stage of reengineering efforts to provide feedback.
11. Too much emphasis on analyzing the existing process.
12. Lack of appropriate reengineering methodology.
13. Poor communication among reengineering team members.

Source: Grover, Varun, Seung Ryul Jeong, and James T.C. Teng, "Survey of

Reengineering Challenges," Information Systems Management (Spring 1998): 53-59.


Reprinted with Permission from CRC Press.

On the problem of top management's short-term view and quick-fix mentality, Grover, Jeong, and
Teng (1998, p. 57) observe that, "In the absence of a broad long-term vision, it is difficult to
conceptualize a reengineering program aimed at radical improvements in productivity, service, and
quality. The resulting reengineering efforts may become fragmented and stunted." The
researchers further observe the prominent absence of information technology as a major problem,
which reinforces the concept of technology audit as espoused by Bennis and Mische (1995).
Relatively lower rankings of the IT-related obstacles is contrary to the popular belief held by the
practitioners of reengineering that IT is a major and critical variable in the reengineering equation.
These findings should not be interpreted to belittle the importance of IT to any reengineering efforts, but
should be construed to mean that mere existence of strong IT will not successful reengineering
project if the other important preconditions are missing.

16 As mentioned early in this chapter, a great deal of material has been published on reengineering in as
practitioner-oriented journals. The above discussion only attempts to summarize the broad issues contextual background for
someone just starting in this area. Readers who are interested in le of the areas discussed in this chapter are
encouraged to read various references listed at the end of this chapter


Summary
Undoubtedly, there is much more to reengineering than has been summarized in this chapter.
Many authors have written extensively on this topic, and a number of academic and practitioner-oriented
journals have published and continue to publish case study experiences on this
management phenomenon of the 21st century. Although, unfortunately, there is not much written
in this area yet for internal auditing, the internal auditor practitioners can learn extensively from this
generic and non-internal auditing related literature base. A study of this literature can serve as a
strong foundation from which one can confidently embark on internal audit reengineering. It would
certainly be a fatal mistake for an internal audit practitioner to undertake internal audit
reengineering without first learning important lessons from the existing literature. Absence of such
an action would only increase the probability of failure in this arena.

References
Adams, J.D., Transforming Work (Alexandria, VA: Miles River Press) 1984.
Bashein, Barbara J., M. Lynne Markus, and Patricia Riley, "Preconditions for BPR Success and
How to Prevent Failures," Information Systems Management (Spring 1994): 7-13.
Bennis, Warren, and Michael Mische, The 21st Century Organization: Reinventing Through
Reengineering (San Francisco, California: Jossey-Bass Publishers) 1995.
Camp, Robert C., Benchmarking: The Search for Industry Best Practices That Lead To Superior
Performance (Milwaukee, Wisconsin: ASQC Quality Press) 1989.
Carr, David K., and Henry J. Johansson, Best Practices in Reengineering (New York: McGraw-Hill)
1995.
Chandler, G. Donald, "The Restructuring of Corporate America: Are Banks Next?" The McKinsey
Quarterly (Spring 1990): 119-125.
Davenport, Thomas H., and Donna B. Stoddard, "Reengineering: Business Change of Mythic
Proportions?" MIS Quarterly (June 1994): 121-127.
Davidson, W.H., "Beyond Reengineering: The Three Phases of Business Transformation," IBM
Systems Journal (Vol. 32, No. 1) (1993): 65-79.

Grover, Varun, Seung Ryul Jeong, and James T.C. Teng, "Survey of Reengineering Challenges,"
Information Systems Management (Spring 1998): 53-59.
Hammer, Michael, and James Champy, Reengineering the Corporation (New York: Harper Collins)
1993.
Hammer, Michael, and Steven A. Stanton, The Reengineering Revolution: A Handbook (New York: Harper
Collins) 1995.
Hammer, Michael, "Reengineering Work: Don't Automate, Obliterate," Harvard Business Review
(July/August 1990): 104-112.
Klein, Mark M., "Reengineering Methodologies and Tools: A Prescription for Enhancing Success,"
Information Systems Management (Spring 1994): 30-35.
Klein, Mark M., "Tips for Aspiring Reengineers," Planning Review (January/February 1996): 40-41.

Mische, Michael A., and Warren Bennis, "Reinventing Through Reengineering: A Methodology for
Enterprisewide Transformation," Information Systems Management (Summer 1996): 58-65.

Rigby, Darrel, "The Secret History of Process Reengineering," Planning Review (March/April
1993): 24-27.

Stone, Romuald A., "Mission Statements Revisited," SAM Advanced Management Journal (Winter
1996): 31-37.

Teng, James T.C., Varun Grover, and Kirk D. Fiedler, "Business Process Reengineering: Charting
a Strategic Path for the Information Age," California Management Review (Spring 1994): 9-30.

Teng, J.T.C., V. Grover, and K.D. Fiedler, "Developing Strategic Perspectives on Business
Process Reengineering: From Process Reconfiguration to Organizational Change," Omega,
International Journal of Management Science (Vol. 24, No. 3) (1996): 271-294.
CHAPTER 3 REENGINEERING AND INTERNAL AUDITING
Introduction

In this chapter we specifically deal with the issue of internal audit reengineering. After developing
the definition of internal audit reengineering and its elements, we identify its major drivers. Building
upon the generic reengineering literature as summarized in the previous chapter, we then identify
the critical elements of successful internal audit reengineering. We propose that for any internal
audit function to embark on internal audit reengineering, it is necessary to adopt a process-oriented
mind-set and organize around a set of core and support internal audit business
processes. In other words, the internal audit function must operate like a business. To accomplish
this transition, an internal audit change integration framework is proposed.

Internal Audit Reengineering: A Definition

Hammer and Champy (1993, p. 32) defined reengineering as:

Fundamental rethinking and radical redesign of business processes to achieve dramatic
improvements in critical contemporary measures of performance such as cost, quality of service,
and speed. [emphasis added]

In spite of the myths surrounding it, as discussed in Chapter 2, this definition has served well and
has guided a great deal of action in a large number of business enterprises. In the same spirit,
internal audit reengineering can be defined as:

Optimal restructuring of the internal audit function to re-relevance its core and support business
processes to help organizations achieve their business objectives in risk intelligent ways.

"...in helping the organization achieve its business objectives" should not be construed to imply the
exclusion of traditional "controls monitoring" by the internal auditing function because "compliance
with and maintenance of effective organizational controls" is also considered an important
business objective by "world-class" corporations.

In other words, reengineering within the context of an internal audit function

following:

• Fundamental rethinking of internal audit's role in the organization role or a value-added
"strategic partner with management).
• Reestablishment of the internal audit function's audit focus and approach in light of its new
role.
• Adoption of a process-oriented approach to managing the internal identification and
establishment or redesign of the internal audit fun support business processes rightfully
aligned with its new role and the new focus
• Redesign of the internal auditing department's organizational structure to promote
innovation and agility.
• Operating the internal audit function like a business in itself.

If we compare and contrast Hammer and Champy's (1993) definition of reengineering proposed
definition of internal audit reengineering, not a single phrase overlaps. Ho some differences, the
basic intent and purpose of the two "reengineerings" remain

Implicit in Hammer and Champy's (1993) definition is the notion of starting all over again. They
propose to abandon the old and adopt the new; rightfully so, given the objectives of reengineering
in transforming "Taylorian-based" organizations. This is neither recommended nor is in the case of
internal auditing. The purpose of reengineering internal auditing is to sufficient discontinuity in its
history and experience to enable it to think outside the box and perceive itself in a much broader
role. Therefore, the intended objective of internal audit reengineering is to transform the traditional
internal auditing function from a mere protector of shareholder value to one which would carefully
balance its dual role of protecting and enhancing the shareholder value. Figure 3-1 illustrates the
conceptual model of the "reengineered" state of internal auditing.

It is important to note that in Figure 3-1, the emphasis is on the balance between the shareholder
value protection and shareholder value enhancement rather than have the internal audit function
camp on any one side. There is no way that a reengineered internal audit function can (or should)
totally abandon its oversight role and thereby jeopardize the entire corporate governance structure
of the modern-day business corporation. Neither can it afford to completely lose sight of the value-
added demands being placed on it by the senior management of the business organization. In
discussing the findings from a recent survey of internal audit directors and the CFOs of 60 leading
companies, Deloitte & Touche (1998), a leading provider of internal audit co-sourcing services,
observed that:

Figure 3-1: Reengineered Internal Audit Function: A Conceptual Model

Protect Shareholder Value: Control; Monitor; Identify; Report
Center: Shareholder Value and Internal Audit Function
Enhance Shareholder Value: Teaming for joint objectives; Best practices transference; Facilitate
knowledge transfer; Proactive solutions; Create operational efficiencies
Optimal Balance: Protect/Enhance

Source: Deloitte & Touche Enterprise Risk Services, Internal Audit: The Nature of Transition (New
York: Deloitte & Touche), 1998. Reprinted with Permission.

While providing value-added consultation is beneficial to any organization, and can greatly support
the internal audit function's primary charter of enterprise value protection, the original risk
mitigation and organizational protection charter cannot be assigned any lesser importance (p. 3).

In other words, a reengineered internal audit function would have duality of roles. At times there
may even be conflict in these two roles because the audit committee of the board of directors often
emphasizes shareholder value protection with a great deal of attention to the control structure of
the business organization, while senior management may exclusively focus on the enhancement
of the shareholder value role. It is up to the reengineered internal audit function how best it can
discharge the two seemingly conflicting roles and still be perceived as an ally as opposed to an
adversary by both equally important customers. The findings discussed in the survey chapter as
well as the case study described in the later chapters also lend strong support to this role of the
reengineered internal audit function.

Drivers of Internal Audit Reengineering

It is quite evident from the earlier discussion in this chapter that an increasing number of companies
are either going through a massive organizational transformation process or are frantically
reengineering their core and support business processes. Their goal is to create house
organizations that are able to quickly adapt and deliver cheaper, better, and faster products and
services to their customers in a globally competitive economy. All of this change is for single
segment of these organizations to rethink their role, place, and value-add. organization of the 21st
century. What should an internal auditing function do in light of these changes? Some of the
questions follow:

1. Should internal auditing continue to be a "policeman" or should it completely abandon
this role and proactively seek and deliver new services and products that suit customers' changing
business demands?

2. Should internal auditing learn from the organizational transformation experience of its
own organization and reengineer its own processes and activities to deliver what is demanded by
its customers — cheaper, better, and faster?

3. Should internal auditing maintain its independence as it always has or should it align
itself with the business unit managers to help them achieve their goals and objectives?

4. Should internal auditing align its mission and vision to its organization's strategic plans
or should it remain an outsider without a voice as it has in the past?

5. Should internal auditing work to become a core competency of the broader organization
just like other core functions or should it continue to operate like a support or a shadow function as
it has done in the past?

These and many other related questions are being asked by an increasing number of internal
auditing functions around the globe. As found in a 1995 IIA Research Foundation (IIA RF) study by
Gupta and Ray, a large number of internal auditors responded to some of these challenges by
applying total quality management (TQM) principles, tools, and techniques to improve the
functioning of their internal auditing departments. There is ample evidence in the that a
project-based quality improvement program can redeem an "old" organization limited time before
it slips back into the Dark Ages. However, to meet the market test so often employed today by the
senior management of most business organizations, internal auditors learn from the reengineering
experience of their own organizations. They must reengineer internal auditing to add value at an
unprecedented rate to the business of their customers, while at the same time preserving
independence and objectivity.

At the fundamental level there are three major factors that are driving internal auditing organizations
to reengineer their core and support business processes:

• Changing business risk profiles and the related control structure of business organizations.
• Threat of outsourcing due to increased competition from alternative service providers, such
as public accounting and other internal audit consulting firms.
• Continuously being asked to deliver more and more with less and less resources (i.e., staff
downsizing, budget cuts, lack of experienced internal auditors, etc.).

Each one of these drivers is discussed below.

Changing Organizational Business Risk Profiles and Related Control Structure

Business process reengineering and organizational transformation have thrust risk and control
issues to the forefront as never before. Consider the following three excerpts from various
publications:

1. In the 1993 editorial "Control without Command" published in CA Magazine, Nelson
Luscombe observes:

[The changing business environment] has accelerated downsizing and the introduction of new
methods such as "empowerment" and "total quality management." Layers of middle management
have been removed and the hierarchical, bureaucratic approach abandoned... Where does that
leave the directors, management, and auditors who have to satisfy themselves and others that an
organization continues to be under control. [We are] in need of a fundamental rethinking of what
control is and how it can be achieved?

2. Gibbs and Keating, in their 1995 Internal Auditor article titled "Reengineering
Controls," observe that:

Control environments have been shaken and shifted (in a majority of the business organizations)
as a result of downsizing, flattening, and decentralization... Many of the controls on which auditors
have traditionally relied, such as separation of duties and authorizations, actually tend to work at
cross-purposes to the goals of the reengineered, virtual corporation (p. 46).

3. Robert Simon, in a 1995 Harvard Business Review article titled "Control in an Age of
Empowerment," observes that:

A fundamental problem facing managers in the 1990s is how to ere. control in organizations that
demand flexibility, innovation, and creativity businesses with demanding and informed customers
must rely on emplo seek out opportunities and respond to customer needs. But pursuing some
opportunities can expose businesses to excessive risk or invite behaviors that can damage a
company's integrity (p. 80).

The above observations are valid because hardly a day goes by when we de the popular business
press about an organization that has been either slapped on the heavily by one or more
governmental oversight agencies for failing to protect the int stakeholders. At a larger level, the
control breakdown issues and concerns are often raised under the banner of "corporate
governance" with a "goal to tighten control over wayward managers" (Pound, 1995, p. 89).

All of such control breakdowns, whether intentional or unintentional, occur either because there
are no controls in place or employees are able to bypass or circumvent the existing control
mechanisms put in place by the organization. The cost of these control breakdowns is enormous
to the companies in terms of "damaged reputations, fines, business losses, missed opportunities,
and diversion of management attention to deal with the crisis" (Simon, p. 80).2 In other words, the
reengineering of business processes at every level has increased organizations' risk exposure
enormously. Organizations now face a whole host of new risks, such as information technology
risks, customer information privacy risks, risks related to all aspects of e-commerce, and so forth.

Traditionally, risk was always thought of as financial and compliance. However, in today's
changing business environment, the concept of "risk" has assumed a larger framework. Risk is
now perceived in terms of "business risk" rather than only "financial and compliance" risk.
Business risk implies any threat or obstacle that would stop an organization from achieving its
business objectives. Therefore, if this increased risk exposure is not managed effectively with an
integrated risk management process, all the gains that have accrued to business organizations to
the "business process reengineering" could not only potentially disappear, but could also
jeopardize the very survival of an organization. Similarly, even though COSO (1994, P internal
control as a process designed to provide reasonable assurance that an organization's objectives
are being achieved in the areas of effectiveness and efficiency of operations, reliability of financial
reporting, and compliance with applicable laws and regulations, controls historically have been
thought to relate only to the "financial and compliance" transactions of a business.

2 In support of his comments, Simon (1995) points our attention to the well-publicized
control breakdown decade such as fictitious booking of profits by a trader in Kidder,
Peabody and Company, an admittance Roebuck and Company that its automobile service
business recommended unnecessary repairs banning of Standard Chartered Bank from
trading on the Hong Kong stock scheme, and recent improper booking of revenues by a
number of Internet and dot com companies.

Financial and compliance controls have been traditionally under the jurisdiction of internal auditors
who primarily worked as "policemen" to protect shareholder value. Proactively speaking, me
to their historical involvement in the financial and compliance risks and controls, who bene When
the internal auditors to help organizations manage these new and unfamiliar business risks. To
discharge this broadened function and increased responsibility diligently, internal auditors
need to change their "mental models" as espoused by Peter M. Senge in his seminal book The Fifth
Discipline: The Art & Practice of the Learning Organization (1990, p. 8). He describes at length the
importance of organizational learning to survive and compete in today's business environment.
And this mind-set change about the role of internal auditing in this new economy will come only by
radically reengineering the traditional internal audit processes and other related activities of the
traditionally focused internal audit function. Bojan, a partner with Arthur Andersen's world-class
internal audit practice, describes the progression of internal auditing from a pure "control-based"
perspective to the "risk-based" perspective in Figure 3-2.

According to Bojan, there are four distinct phases that capture the progression of internal auditing
from a mere "control-based" activity to a "risk-based" activity. During Phase I, the internal auditing
profession was primarily engaged in control-based auditing with an emphasis on auditing
operational effectiveness and compliance. Phase II saw internal auditing profession's involvement
with the financial and compliance risk-based auditing with the goal of controlling only financial and
compliance risks in an organization. For the so-called "world-class" internal auditing organizations,
Phase III of this journey saw a shift from emphasis on financial and compliance risks to business
risks. In this phase, internal auditing starts with an understanding of the various business risks and
focuses on controls that should be in place, auditing for design, operational effectiveness, and
compliance with these controls. In Phase IV, the internal auditor does the same thing, but rather
than focusing on controls, he or she determines what business risk management process should
be in place to "block and tackle" the business risks. The auditor then proceeds to audit for design,
operational effectiveness, and compliance within each of the components of the business risk
management process.

According to Bojan, realizing the importance of effectively managing business risks in this volatile
environment, the innovative business organizations of the 21st century will proactively lead the
integration of internal auditing into their business risk management process. In turn, the business
risk management process-based internal auditing functions will contribute more than ever before
in helping their organizations balance the shareholder value protection and shareholder value
enhancement concerns.

According to Senge (1994, p. 8), "Mental models are deeply ingrained assumptions,
generalizations, or even pictures or images that influence how we understand the world and how
we take action. Very often, we are not consciously aware of our mental models or the effects they
have on our behavior."

The Evolution of Internal Auditing

Control-Based Auditing
- Start with existing processes, procedures, and control activities.
- Audit operational effectiveness/compliance.

Financial/Compliance Risk-Based Auditing
- Start with financial/compliance risks.
- Determine controls that should be in place.
- Audit for design, operational effectiveness, and compliance.

Business Risk-Based Auditing
- Start with a thorough understanding of the business and the various business risks.
- Determine controls that should be in place.
- Audit for design, operational effectiveness, and compliance.

Business Risk Management Process Based Auditing
- Start with an understanding of the business and the various business risks.
- Determine the BRMP that should be in place to effectively manage the key risks.
- Audit for design, operational effectiveness, and compliance within each of the BRMP
components.

Risk assessment labels, left to right: Phase I: Stand-Alone Risk Assessment; Phase I: Stand-Alone
Risk Assessment; Phase II: Integrated Risk Assessment; Phase II: Integrated Risk Assessment.

Source: Bojan, William, presentation slides at Risk-Based Auditing: Enterprise-Wide Risk Mapping
and Management Strategies Conference (Minneapolis: Arthur Andersen), 1998. Reprinted with
Permission.

The Outsourcing Threat

According to a 1997 IIA RF study by Rittenberg and Covaleski, internal audit outsourcing is a broad
term which can mean anything from total elimination of the services of the internal audit department
and the performance of the similar services at a lower cost by an outside provider (i.e., public
accounting firm), to "utilizing the services of an outsourcing provider to meet temporary needs of the
internal audit department or to maintain flexibility in staffing" (p. 3). According to Rittenberg and
Covaleski (1997):

By all estimates the amount of outsourced internal audit work to date has barely scratched the
surface. There are not sufficient data points to establish a defined trend, but given that the term
"outsourcing internal auditing" was a nonexistent term just a few years ago, the extent to which
organizations have had some experience with the outsourcing of internal auditing is astounding.
Our review of The IIA's GAIN 1995 database indicated that 305 of the internal auditing
departments in that database had some experience with outsourcing. However, our survey of
organizations in 1996 indicates that the experience with outsourcing has risen to approximately
39% (p. 4).

This was four long years ago. Today, outsourcing is sweeping corporate America like
reengineering did in the 1990s. It would not be an understatement to say that there is a very real
threat of outsourcing to many internal auditing functions in large and small organizations alike.
Rose E. Wescott (1995), an internal auditor with the Portland General Electric Company, is quite
up front in declaring to his cohorts that "reengineering the internal auditing will save your job."
Wescott (1995) strongly recommends that internal auditing departments consider reengineering
either just their internal audit process or better yet the entire internal auditing function. According
to Wescott:

Reengineering the audit department will be the first step in saving your job. Audit managers must
rethink their strategic value to the organization. To compete today, audit departments must be as
productive as the operating areas. Managers must change the way they do business in a way that
does not put them out of business. They must organize their structure and performance in a way
that responds effectively and quickly to the business changes without loss of effective control (p.
43-44).

In spite of the increasing trend toward outsourcing the internal auditing function, many
nonbelievers argue against the merits of doing so. According to Rittenberg and Covaleski (1997),
some of the arguments by this group revolve around issues such as:

• The individual employee's allegiance is to the outsourcing provider and not to the client.
• Corporate governance is a management function that cannot be outsourced.
• Since internal audit outsourcing services are generally provided by the external
serious impairment of the independence of the external auditor that detrimental to the
welfare of the entire organization
• Institutional knowledge is lost and the best practices are stolen.
• There is a potential loss of confidentiality as in some cases the internal audit work by a CPA
can be subpoenaed in a lawsuit.
• Management and the audit committee lose an objective source of information if the same
auditor discharges both the external and the internal auditor's role and responsibilities.

Some of these arguments may very well have merit, but rather than fighting the inevitable and
trying to stop the tide with arguments, the internal auditing function should concentrate on
becoming a value-added partner with the organization's management. Rittenberg and Covaleski
(1997) quote the feelings of an internal auditor who participated in their survey:

If you truly add value to your company, by improving productivity, cutting costs, increasing
profitability, and training the next round of company management, everybody will tell you about it.
There are a lot of good companies who miss the opportunity to add a strong internal audit function.
It is one of the essential tools in management's kit when trying to go from a good company to a
great company. The trick to avoiding the outsourcing dilemma for me is to always provide cheaper,
faster, and more insightful services than my company could get elsewhere, at any price. If I can't
do this, I should be outsourced.

Commenting on adding value, Wescott (1995) observes that "value" or "value-added," at least in
the case of internal auditing, is extremely subjective because what is considered valuable today
may be useless tomorrow. He challenges the internal auditing departments to continually define
the value-added of the internal auditing function to endure it in the minds of its customers. He
pronounces that:

The valued history of the audit department is not enough to sustain it in the turbulent future.
Business thinking is fickle and with a change in organizational leadership, the subjective value of
the audit department may be lost. That is why we must redefine, reshape, and retool value to
prove ourselves. We can no longer rely upon our rich history to fortify the future. We cannot rely
on past performance for security and must repeatedly prove our value. Proper reengineering will,
at a minimum, show good faith that the audit department is willing and able to become a valued
business partner. A valued business partner is more difficult to eliminate when push comes to
shove in a reorganization or outsourcing situation (p. 44).

In other words, reengineer internal auditing to change not only its name but also its orientation
from problem finders to solution providers.

Do More with Less

Even if you become a value-added partner or a change agent with management to assist in
managing business risks effectively and offering innovative state-of-the-art services, you will not
be given a great deal of liberty with the budget. In other words, inasmuch as senior management
and boards of directors would appreciate your contribution toward protecting and enhancing
shareholder value, you still have to do your job with less budget dollars than you did the previous
year. As we discussed earlier in this chapter, due to the globalization of the capital as well as
producer and consumer markets, barring a monopoly, every corporation is learning to operate in
an environment of ever declining profit margins. In all the core competencies that an organization
needs to succeed in today's markets, cost management is also an important competency that
every organization must possess. Whether it is the engineering department engaged in designing
new products, a manufacturing function engaged in mass customization, a shared services unit, or
an internal audit function, each segment of the organization has an unspoken directive to get the
biggest bang for the buck.

Such pressures for internal auditors are similar to the pressures facing their organizations, which
have responded by reengineering their core and support business processes. Internal auditing
should learn lessons from its environment and set out to reengineer its various core and support
internal audit processes. Wescott (1995) confidently declares that "If reengineering effort is
successful and you become a valued business ally, the demand for the audit department's new
products and methods will increase. Why shouldn't it?" His observation is empirically valid as the
survey results and the Allstate Case Study presented in the later chapters unequivocally point to
the same conclusion. Further, it is true that the new demands for internal auditing services will not
be in the traditional areas of financial and compliance auditing; rather they will be in new and
challenging areas, such as supply chain audits, participation in quality improvement projects,
integrated risk management, control and risk self-assessment, process improvement consulting,
and so forth.

In addition to the three major forces leading internal auditing into reengineering, a recent Deloitte &
Touche survey (1998, p. 2) of CFOs and internal audit directors of 60 leading organizations
found the following important drivers of change in internal auditing:

• Stronger board interest in corporate governance and control.
• Business partnering creating virtual organizational structures.
• Ubiquity of information technology and networking.
• Commonized business processes and enterprise application solutions.
• Access to virtually boundless sources of information.
• Emergence of the Internet, electronic commerce, and the digital economy.
• Reengineering business processes and control structures.
• Increasing management complexity; breakdown in control structures.
• Increasing software-based information services.

This reengineering or re-relevancing of internal auditing would require a number of changes within
the internal auditing function. These changes could be in internal audit's focus, its response to
organizational needs and demands, its approach to risk assessment and risk management,
internal audit tests and methodology, type and quality of its recommendations and audit reports,
and its overall role in the organization (McNamee and Selim, 1998, p. 5). Figure 3-3 compares and
contrasts the characteristics of internal auditing in this paradigm shift.

According to McNamee and Selim (1998):

The implications of this paradigm shift are enormous. It turns the focus of audit away from the past
and toward the present and future. Focusing on controls over transactions buried the internal
auditor in the details of the past, limiting the value of any information derived. By focusing on risks
to present and future transactions, the auditor is working at a level above the details and dealing
with the obstacles for organization success. The information derived from such exploration has
great value to the management governance team.

There are different success factors in this new environment. The detailed checker may not have
the experience to adequately stimulate the imagination to identify all material risks. The new
auditor may need more strategic skills in visioning, planning, and communications. Definitely the
new internal auditor must move from the accounting and finance bias to more of a general
management bias (with a thorough understanding of the finance and accounting processes) (p. 5).

Overall, these drivers of change are real and should be taken seriously by the internal auditing
functions, which are still considerably behind the curve in reinventing themselves. Any further
delays in this direction will only make it harder for such internal audit functions to regain
relevance lost.

Critical Elements of Successful Internal Audit Reengineering

Whenever we talk about change of any kind, such as reengineering, implementation of the TQM
process, or supply chain optimization, a common question arises in the mind of a practitioner:

Figure 3-3: Changing the Internal Auditor's Paradigm

Internal Audit Focus
  Old Paradigm: Internal Control
  New Paradigm: Business Risk

Internal Audit Response
  Old Paradigm: Reactive, after-the-fact, discontinuous, observers of strategic planning initiatives
  New Paradigm: Coactive, real-time, continuous monitoring, participants in strategic plans

Risk Assessment
  Old Paradigm: Risk Factors
  New Paradigm: Scenario Planning

Internal Audit Tests
  Old Paradigm: Important Controls
  New Paradigm: Important Risks

Internal Audit Methods
  Old Paradigm: Emphasis on the Completeness of Detail Controls Testing
  New Paradigm: Emphasis on the Significance of Broad Business Risks Covered

Internal Audit Recommendations
  Old Paradigm: Internal Control: Strengthened; Cost benefit; Efficient/Effective
  New Paradigm: Risk Management: Avoid/Diversify Risk; Share/Transfer Risk; Control/Accept Risk

Internal Audit Reports
  Old Paradigm: Addressing the Functional Controls
  New Paradigm: Addressing the Process Risks

Internal Audit Role in the Organization
  Old Paradigm: Independent Appraisal Function
  New Paradigm: Integrated Risk Management and Corporate Governance

Source: McNamee, David, and Georges M. Selim, Risk Management: Changing the Internal
Auditor's Paradigm (Altamonte Springs, Florida: The Institute of Internal Auditors Research
Foundation), 1998. Reprinted with Permission.


How do I do that? There is nothing worrisome about the question itself because in the end we are
interested in the implementation of change. However, it becomes worrisome when someone asking
the question implies that there is one "canned" or "structured" methodology that he or she can buy
and deploy quickly to effect change in the desired unit of the organization and be ready to coast
again.

Similarly, there are internal audit practitioners who recognize that they need to change to meet the
new demands of their organizations but are not ready to accept the challenges that come along
with the implementation of change. They keep on searching, albeit in the name of "best practices,"
for a canned solution to their problem. It is important to recognize that just like any other
reengineering effort, successful internal audit reengineering methodology is also context specific.
Its success to a great extent depends upon creating an alignment between the internal audit
function and the overall mission, goals, objectives, strategy, and competencies of the business
organization. However, this should not be implied to mean that there is no way to draw generic
conclusions or identify any best practices that can sufficiently guide an aspiring internal audit
function to reengineer itself. Therefore, rather than concentrating on a sequential set of micro-
steps, presented below are some of the critical elements (or steps) of any successful internal audit
reengineering effort. Figure 3-4 presents these critical elements.

Critical Element 1: Assess the Inherent Level of Complexity in Your Organization

The first critical element of a successful internal audit reengineering initiative is to assess the
inherent level of complexity in an organization. It is the nature and change propensity of an
organization, besides its strategy and mission, that dictates the ultimate vision and goals of an
internal auditing function and thereby its role as a reengineered internal audit function. In other
words, internal audit reengineering must be a function of the inherent complexity of its business
organization. In this regard, a recent Deloitte & Touche study (1998, p. 6) suggested that business
organizations can be placed on a continuum with two extremes being "contained" and "complex."
A contained business organization is typically characterized by:

• Centralized business structure.
• Domestically driven business focus on supply and demand.
• Fewer external relationships.
• Operating in stable industry(ies).
• Revenue streams that do not extensively rely on technologically driven sourcing, such as
Internet, e-commerce based sales and systems, etc.
• Fewer core businesses.

On the contrary, a complex business organization is typically characterized by:

• Decentralized and empowered organizational structure.
• Increasingly global network of operations and sales, etc.
• Multiple external relationships that have an ongoing impact on core business
operations.
• Operating in industry(ies) with high growth focus.
• Increasingly technologically driven revenue streams.
• Multiple core businesses.

Deloitte & Touche, 1998, "Internal Audit: The Nature of Transition." Research conducted by
Deloitte & Touche Cosourcing Practice.

Figure 3-4: Critical Elements of Successful Internal Audit Reengineering

[Diagram: nine critical elements leading to the Reengineered Internal Audit Function]

• Assess the Inherent Level of Complexity in Your Organization
• Identify Internal Audit Customers and their Needs
• Develop a Mission and Vision for the Internal Audit Function
• Take a Process View of the Internal Audit Function
• Develop Internal Audit Business Model
• Develop Internal Audit's Strategic Plan
• Make Continuous Improvement a Habit
• Utilize Information Technology as an Enabler
• Learn How to Market the Internal Audit Function


The management of a contained organization, a priori, might expect internal auditing to assume a more
traditional role, while in a complex business organization internal auditing may not only be asked to
protect shareholder value, but also to involve itself in enhancing and maximizing shareholder value.

Before proceeding with internal audit reengineering, each internal audit function must conduct an analysis
of the "containment" vs. "complexity" of its organization by analyzing its external environment and
industry in terms of the degree of rivalry among industry participants, threat of new entrants and
substitutes, and bargaining power of customers and suppliers (Porter, 1985, 1996). This analysis
would help the internal auditing function determine the place of its business organization along this
continuum, which in turn would help it understand the extent to which the internal auditing
conducted by it should emphasize the shareholder value "protection" vs. shareholder value
"enhancement." In other words, should internal auditing be the "policeman" to protect the
shareholder value or should it also be a "partner" with management and a "consultant," helping
them enhance shareholder value? The growing trend in internal audit organizations is no longer an
either/or decision, but rather how to balance the two roles while maintaining objectivity and
independence. There is no easy answer in creating this balance because to a great extent it
depends upon not what the internal audit function can deliver, but what is needed by its
customers. The framework that creates an alignment between the role of the internal auditing
function and the complexity level of its business organization is presented in Figure 3-5.

According to this figure, organizations are becoming more complex. Therefore, internal auditing in
general needs to put more emphasis on enhancing shareholder value by assuming more of a
consultative management partnering role in the new organization.

Critical Element 2: Identify Internal Audit Customers and Their Needs

The second critical element in any successful internal audit reengineering is the clear identification
of internal audit's customers and an accurate mapping of their needs and wants. There is a lot of
help available in this area. The proliferation of TQM in the early 1990s made us extensively
familiar with the notion of an internal customer as opposed to an all-too-familiar end customer.
Typically, internal auditing may have three primary customers: audit committee of the board of
directors, corporate senior management, and auditee senior or operating management. In some
cases there may be other customers (primary or secondary), such as regulatory agencies and
external auditors. However, on the critical importance of the audit committee and senior
management as internal audit customers, Wescott (1995) observes:

Without executive management support the audit department loses touch with the needs of its
most valued "customer." Without customer support, the audit "product" loses perceived value.
When there is a loss of perceived value, the customer looks elsewhere for service. When the
customer looks elsewhere for service, you look for another job (p. 44).


[Figure 3-5: diagram with an axis running from "Contained" to "Complex"]

• Traditional Audit Roles & Responsibilities ("Protect" Shareholder Value): Control; Monitor; Identify; Report
• Trend: Consultative Management Partnering ("Enhance" Shareholder Value): Teaming for joint objectives; Best practices transference; Facilitate knowledge transfer; Proactive solutions; Create operational efficiencies
• Contained: organizations characterized by stable growth; more centralized structures; single or few core businesses; limited geographical focus; few, if any, external partners

Source: Deloitte & Touche Enterprise Risk Services, Internal Audit: The Nature of Transition
(New York: Deloitte & Touche), 1998.


Therefore, it is extremely important that the internal auditing department makes every effort to
clearly understand who its customers are and cluster them in appropriate groups to understand
their needs and demands. During such an exercise it may not come as any surprise if the needs
and demands of two of the most important customers may be at cross-purposes or in direct
conflict. For example, senior management usually wants internal auditors to assume a consultant's
role to enhance shareholder value, while the audit committee of the board of directors may
emphasize shareholder value protection to save itself from any serious control breakdowns and
public embarrassment. However, this does not imply that in the minds of these two important
customers the goals of shareholder value protection and shareholder value maximization are
mutually exclusive. Rather, it is more likely that the relative weights assigned by these two
customers to the two objectives may be considerably different for obvious reasons. Further,
understanding customer needs is not a one-time process. Since these needs and demands
continuously change, an internal audit director must maintain regular contact with internal audit's
customers to continuously refocus its audit department.

Critical Element 3: Develop a Mission and a Vision for the Internal Audit Function

The third critical element of any successful internal audit reengineering is the creation of a mission
and a vision for the internal audit function. However, prior to creating its own mission, the internal
audit function should expend a sufficient amount of time understanding the mission and vision of
its business organization. Successful internal audit reengineering not only requires an alignment
between the mission of the internal audit function and its business organization, but demands that
the internal audit mission support its larger organization's mission to demonstrate value-added.
According to Stone (1996, p. 32):

A mission statement is the starting point for an (internal auditing function's) entire planning
process. Establishing the mission requires (internal audit's) top management to sit down and
seriously consider where (the internal audit function) is now and where it should be in the future. A
mission statement provides a sense of direction, focus, and unity and in Chester Barnard's words,
"a spirit that overcomes the centrifugal forces of individual interests or motives" (Barnard, 1968, p.
283). It contains both a strategic and a cultural perspective. Strategically, the mission statement is
a tool that defines the (internal audit function's) business and target (customers). Culturally, the
mission statement serves as the "glue" that binds the (internal audit organization) together through
shared values and standards of behavior (Campbell and Nash, 1992). (parentheses added)

Stone (1996, p. 32) further comments on the importance of mission statements as the motivational
tool by quoting from Bennis and Nanus (1985) as follows:

When (the internal auditing function) has a clear sense of purpose, direction, and desired future
state, and when this image is widely shared, individuals are able to find
their own roles... This empowers individuals and confers status upon them because they see
themselves as part of a worthwhile enterprise. They gain a sense of importance, as they are
transformed from robots blindly (executing canned audit programs) to human beings engaged in a
creative and purposeful venture (p. 90). (parentheses added)

Similarly, Moore and Diamond (1995, p. 31) view a mission as "a statement of shared purpose and
shared values." According to them:

Shared purposes provide a focus that integrates the services provided by the organization with the
needs of its external stakeholders. Shared values convey the spirit that permeates the
relationships between the organization and its external stakeholders and within the service-
providing team itself.

It is erroneous to think that mission statements are only appropriate at the overall organizational
level and shared service units such as internal auditing do not benefit from having a clear vision,
mission, or a sense of purpose. The participatory exercise undertaken to develop a mission and
vision would force the internal audit group to confront such basic questions as "Why do we exist in
this organization in the first place? How are we creating value ourselves or helping others create
value? Are we contributing to the overall goal and purpose of this organization? Why would
someone want to use the output of internal auditing? What does our output help others
accomplish? And, above all, would our users be willing to pay for our output, etc.?"⁶ Our experience
suggests that such an exercise inevitably starts a healthy dialog among the internal auditing staff
members — the first step to overcoming the internal resistance to change.

Critical Element 4: Take a Process View of the Internal Audit Function

The fourth critical element of internal audit reengineering is the process orientation. The internal
audit function in a majority of the business organizations resides as part of the finance function
because it often reports to the CFO in an administrative arrangement. Functionally, it may report to
the audit committee of the board of directors, but for day-to-day management, it is treated as a
department within the larger finance function. That structure may fit the needs of the finance
organization, but internally, a reengineered internal audit function should be nothing more than a
conglomeration of various core and support internal audit business processes. Barring any empirical
validation (which is presented in the survey results chapter), the following core and
support business processes may exist in a reengineered internal audit function:


Core Internal Audit Processes

• Overall annual audit planning and company-wide risk assessment process.
• Process to conduct individual internal audit engagements.

Support Internal Audit Processes

• Internal audit human resource process (i.e., hire to rotate, promote, or fire).
• Internal audit staff performance evaluation process.
• Process to assess the overall performance of the internal audit function in light of its vision,
mission, goals, and objectives.
• Internal audit continuous improvement process (i.e., customer feedback, benchmark with
peer internal audit functions, etc.).
• Process to coordinate and interact with the external auditors.
• Process to continuously interact with the audit committee as well as corporate senior
management to ensure that these key customers are getting what they need from the
internal audit function.

By no means is it meant to be a boilerplate process classification for all of the internal auditing
functions aspiring to reengineer. The intention is that to move from a traditional "policeman" type
of role to a "consultative" type of role, internal auditing should also follow some of the principles
that it would use while conducting internal audits in this capacity. Therefore, in the spirit of
establishing a process-oriented internal audit function, each process should have a process owner
at the audit manager level or higher, and each process should be clearly mapped and flowcharted.

This process orientation can be of tremendous help in making internal audit reengineering
successful. Citing some micro-level examples of internal audit reengineering outcomes, Wescott
(1995, p. 44) observes that:

There is nothing sacred about how auditors do their jobs. Professional standards are broad
enough to allow for ordinary, notable, or even radical means of accomplishing audits. Review how
the audit engagement might be streamlined and simplified. Should auditors handle some entrance
meetings with e-mail instead of face-to-face? Should scopes of audits move beyond company-specific
tradition to target high-risk areas? Should final reports include management
recommendations and still make a two-week post-audit deadline... Think about the comparative
value of a recommendation on the need for increased management sign-off versus that of a
retooled business process. The value goes toward process. Your organization is thinking this way.
Are you? Often overlooked are the internal processes that the audit customers do not see: time
tracking, scheduling, planning, training, and record management to name a few. How might you
modify these to best use technology advances, increase productivity, and enhance auditor job
satisfaction?

The newly approved definition of internal auditing from The IIA, which proves Wescott's view,
reads as follows: Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of
risk management, control, and governance processes.

Further, it is also important to note that to be effective, the relevant processes within internal auditing,
such as human resources and performance evaluation, be properly cascaded with the finance
function's related processes as well as with those of the larger organization. Synergies with the
larger organization's processes will lend longevity and legitimacy to the internal audit's processes,
which is always desirable while implementing change.

Critical Element 5: Develop Internal Audit Business Model

The internal audit function should develop a business model for itself, based on its understanding
of internal audit's customer needs and wants, the various core and support internal audit
processes, and the external environment and the change drivers leading it to reengineer. A
sample business model template is proposed in Figure 3-6.⁸

As part of developing this business model, the reengineered internal auditing function would
develop an understanding of the following:

• Who are its suppliers? For example, the finance function is a supplier of internal auditing in
the sense that it approves the internal auditing function's budget. The human resource
function is a supplier because it supplies it with trained internal auditors to execute its vision
and mission. The external auditors are suppliers because they provide "canned" audit
programs or other assistance. And other outsourcing service providers are suppliers
because they supply temporary staff during peak periods of activity.

Identifying and understanding suppliers and their role in the success of the
internal auditing function will enable the internal audit function to understand the degree of
dependence it has on these constituencies. This understanding will help it ascertain the
extent to which these suppliers can enable or disable internal auditing in achieving its
business objectives and what it can do to control these risks.

• What kind of core and support services and products will internal audit offer? For example, while
trying to balance its shareholder value "protection" vs. shareholder value "enhancement" role,
what percentage of its time or audits would focus on traditional areas of financial and compliance
controls and audits? What percentage of its time will be spent teaming with business units for joint
objectives, best practices transference, and creating operational efficiencies in the business
processes? According to the 1998 Deloitte & Touche survey (p. 9), the following are some
examples of the shareholder value protection vs. shareholder value enhancement activities that a
reengineered internal audit function can engage in:

Protective Activities

• Managing audit committee expectations.
• Control over increased organizational relationships (i.e., extended enterprise).
• Control self-assessment.
• Early warning methods/data mining.
• Exception-based auditing.
• Quality assurance of the internal audit function.
• Monitoring corporate governance compliance.
• Internal audit efficiencies through automated applications.

Enhancing Activities

• Solutions-driven audits, reports, recommendations.
• HR configuration: optimal skill craft for consultative role.
• Proactive control over organizational relationships (i.e., extended enterprise).
• Positioning internal audit for proactive risk management.
• Internal audit and management partnering: virtual teaming and varying levels of joint
accountability.

• What kind of alliances or partnerships can it develop with its customers to better execute its
mission and goals and develop new opportunities for internal auditing to add value? For
example, internal audit may consider joint audits, joint control and risk self-assessments,
control and risk-oriented training and development, and internal audit staff rotation to the
business units.


The existence of such a business model ensures that every member of the internal audit function
operates from the "level-playing-field" understanding of the role and responsibilities of the internal
audit function. It also helps internal audit staff become sensitive to the external forces that might call for
change in any one dimension of the internal audit business model.¹⁰

Critical Element 6: Develop Internal Audit's Strategic Plan

Thompson and Strickland (1993, p. 18) define a strategic plan as the "statement outlining an
organization's mission and future direction, near-term and long-term performance targets, and
strategy in light of the organization's external and internal situation." Consequently, strategic
management tasks must involve environmental analysis, goal formulation, internal resource
analysis, strategy formulation, strategy implementation, performance evaluation, and continuous
strategy monitoring and control (Shrivastava, 1994). Generally, when one hears the word
"strategy" or "strategic planning," one normally tends to focus on the entire organizational level.
But there is no reason, except for our own tunnel vision, why the internal auditors cannot apply
these concepts or thoughts to their activities to unleash the power of the internal auditing function
in today's organizations. As a starting point, Figure 3-7 provides a "generic" change integration
framework that can be utilized to develop an internal audit strategic plan (Moore and Diamond,
1995).¹¹

Its centerpiece is the mission of an internal audit function as discussed in Critical Element 3. Other
elements of this strategic plan are:

• Distinctive capabilities, which are core competencies or special attributes that add value to
internal audit customers. These are capabilities that would underlie the future performance
of the internal auditing function, enabling it to deliver value on a sustainable basis. For
example, in the case of internal auditing being a service organization at a collective level,
the audit staff can be viewed as a distinctive capability that must be TMAclass" in terms of
its experience, maturity, business savvy, and skills. In its absence, the value-added of the
reengineered internal auditing would be highly questionable.

Figure 3-7: Internal Auditing Change Integration Framework

[Diagram: the Mission at the center, linked to Distinctive Capabilities, Measures, and Strategies]

• Mission
  - Shared Purposes: shared purposes provide focus by driving strategy
  - Shared Values: shared values provide control by guiding execution
  - Measures of Success: indicators of success in fulfilling our mission
• Distinctive Capabilities: core competencies required to fulfill Internal Audit's mission
• Measures: indicators for achieving Internal Audit's distinctive capabilities
• Strategies: critical things Internal Audit must do to achieve its distinctive capabilities
• Worksheet column labels, under the headings "measurement" and "strategies and actions": goal area; measurement category; strategy; operational specifics; action step/result; data; responsibility

• Measures are quantitative and qualitative indicators that are continuously measured and tracked by
the internal audit function to determine whether it is successful in achieving its mission, goals,
and objectives. It is important that these measures be co-developed by the internal auditing
function in complete transparency and continuous consultation with its customers. If the
customers of the internal auditing function do not find the measures credible, then it
becomes an exercise in self-padding with no real impact. A great deal of literature is available
in this area to help internal audit practitioners develop the needed measures.¹²
• Strategies are critical initiatives that a reengineered internal auditing function needs to
undertake to achieve its mission. At this stage in the reengineering process, it is important
that the broad mission and vision be broken down into actionable items because strategies
incorporate a number of coordinated actions to accomplish these specific goals and
objectives. The establishment of strategies implies committing resources to achieve a
specific end. Implicit in developing strategies is the assumption of identifying potential
obstacles and estimating their impact on the achievement of the internal auditing function's
mission, goals, and objectives and developing appropriate "tackle" plans.

Critical Element 7: Make Continuous Improvement a Habit

It is all too common to see participants in the reengineering initiative proclaim victory at the end of
a long and arduous reengineering project only to see new problems arise or a misalignment to
occur to disturb their recently achieved equilibrium. Unfortunately, that is the irony of the real world
with which we all are too familiar. As mentioned earlier, since internal auditors now operate in a
continually changing business environment, they cannot afford to rest on their laurels. Rather, a
major internal audit reengineering initiative should be supported with an ongoing continuous
improvement process. Emphasizing the importance of following internal audit reengineering with a
continuous improvement mind-set, Wescott (1995) observes:

Revisit everything periodically and look for changes that will improve those things already done.
Continuous evaluation will bring moderate improvements until the next radical reengineering
effort. The audit department cannot afford to become secure and content. That is, after all, what
caused the whole reengineering effort in the first place (p. 46).



review any recommended incremental changes and a plan should be quickly developed to deploy
the agreed-upon changes. Implied in the continuous improvement effort is the presumption that
reengineering has also resulted in creating an agile internal auditing function that is capable of
responding to the changes in its environment on a real-time basis. Simultaneously, the internal
auditing function should also guard against the mind-set that might stall any continuous
improvement efforts based on the feeling that it is too soon to change anything anymore.

Critical Element 8: Utilize Information Technology as an Enabler

Internal audit reengineering can be greatly facilitated by utilizing state-of-the-art information
technology (IT). It is not the objective of this study to support or endorse any particular IT tool, but
there are numerous IT-based tools available that can help an internal audit function all the way
from identifying and prioritizing an audit universe to audit follow-up - and everything in between.
Virtually all Big 5 public accounting firms (as well as a number of other IT consulting firms) have
technology that can make it easier to perform many of the activities that were once hurdles in
transforming an internal audit organization to make it faster, better, and cheaper. However,
Wescott (1995) offers the following caveat on information technology usage:

Whether you are using computer-assisted audit techniques, specialized audit software,
mainframe, workgroup, or local area networks, each member of the audit staff should have access
to and be proficient in some aspects of its use. Notice that this is a three-part "how." The
availability of technology (hardware and software), training for its use, and the opportunities to
apply it, is critical. The three are highly integrated and one cannot go without the other two.
Training without application is shallow. Access without training is frustrating. An application
without access or training collects dust (p. 46).

It is important that information technology be used to support and enhance the reengineered
internal audit processes rather than drive them. Improvements in various internal audit processes
should not be made to fit the processes to the available technology, rather the available IT tools
should be altered to fit the processes. Therefore, the IT vendor for audit tools and systems should
be selected systematically and methodically.

Critical Element 9: Learn how to "Market" the Internal Auditing Function

Although marketing the internal auditing function, per se, may not be considered a critical element
of internal audit reengineering, it is perhaps the most important activity that a reengineered internal
auditing function ought to undertake. Based on the field study interviews conducted as part of this
research, marketing of the internal audit function's activities and "value-added" must go hand-in-hand
along with internal audit reengineering. As ironic as it may sound, in today's environment of
"faster, better, cheaper," "do more with less," and "outsourcing," internal auditors, just like all other
functional areas, have no choice but to be proactive in marketing
the value-added of the internal audit function to their organizational constituents. The notion of the
internal customer dictates that if your output is somebody else's input, you had better demonstrate
the value of the output; otherwise the big guy at the top might think of your activity as
non-value-added and recommend that scarce organizational resources be deployed elsewhere to
increase the "top as well as the bottom line." It is well known that the auditing profession in general
and internal auditors in particular suffer from an image stereotype. Traditionally, auditing was
nothing but a mere attestation function and shadow of an external auditor. Given the emergence of
management philosophies, such as activity-based management, total quality improvement,
reengineering, process-oriented organizations, and employee empowerment, it is not surprising that
organizations tend to perceive "mere attestation" as a totally non-value-added activity. For example,
consider The IIA's recently issued definition of internal auditing:

Internal auditing is an independent, objective assurance and consulting activity designed to add
value and improve an organization's operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes. [emphasis added]

A close examination of this definition will reveal that the profession of internal auditing is clearly
repositioning itself as a value-added partner with management as opposed to being perceived as just
an overhead. Given these perceptions and stereotypes, it is imperative that as the internal audit
function reengineers itself, it should also engage in a proactive way to educate its organization's
members about its new focus and mission and how it can help organizational members and
business units achieve their goals and objectives in a "risk intelligent" way. Without an explicit
marketing effort, you may not be able to realize the full potential of the internal audit reengineering
effort, that is, to add value to the larger organization.

Summary

As one can see, in more ways than one, the above-mentioned nine critical elements are all building
blocks of internal audit reengineering. These critical elements should not be interpreted as sequential
steps in the internal audit reengineering road map because some of them can be acted upon
concurrently. In the end, Wescott (1995) appropriately comments:

(Internal audit) reengineering is neither easy, free, a quick fix, nor always successful. It is
realistically quite difficult, will come at a cost, and must be a a long-term perspective. Short-term
results are fleeting and can discourage even the best of the intentions. However, (internal audit)
reengineering can succeed and p superior results. The radical approach may not be entirely
necessary, but its elements are worth thinking about... Reengineering your own thinking is the first essential element in
leading change. Reengineering how your staff thinks about their profession and job is the second
element in meeting the competitive challenge... With all these in place, internal auditing can
secure for itself a vital place in the brave new world of globalization, the information superhighway,
business consolidations, deregulation, and competition for resources. Try it!

And if you are still not convinced, here is what Charles Darwin had to say: "It is not the strongest of
the species that survive, nor the most intelligent, but the one most responsive to change." So, here
is a message to internal auditors: Do not become extinct!

References

Barnard, C.L., The Functions of the Executive (Cambridge, MA: Harvard University Press) 1968.

Bell, Timothy, Frank Marrs, Ira Solomon, and Howard Thomas, Auditing Organizations Through a
Strategic-Systems Lens (Montvale, NJ: KPMG Peat Marwick) 1997.

Bennis, W., and B. Nanus, Leaders: The Strategies for Taking Charge (New York: Harper & Row)
1985.

Campbell, A., and L.L. Nash, A Sense of Mission (Reading, MA: Addison-Wesley Publishing
Company) 1992.

Committee of Sponsoring Organizations of the Treadway Commission, Integrated Control
Framework (Jersey City, NJ: AICPA) 1994.

Deloitte & Touche, Internal Audit: The Nature of Transition, (New York: Deloitte & Touche) 1998.

Gibbs, Jeff, and Patrick Keating, "Reengineering Controls," Internal Auditor (October 1995): 46-49.

Gupta, Parveen P., and Manash R. Ray, Total Quality Improvement Process and the Internal
Auditing Function (Altamonte Springs, Florida: The Institute of Internal Auditors Research
Foundation) 1995.

Hammer, Michael, and James Champy, Reengineering the Corporation (New York: Harper
Collins) 1993.

Luscombe, Nelson, "Control without Command," CA Magazine (May 1993): 3.

McNamee, David, and Georges M. Selim, Risk Management: Changing the Internal Auditor's
Paradigm (Altamonte Springs, Florida: The Institute of Internal Auditors Research Foundation)
1998.

Moore, Michael R., and Michael A. Diamond, The Challenge of Change in Business Education
(New York: Ernst & Young Foundation) 1995.

Porter, Michael E., Competitive Advantage (New York: The Free Press) 1985.

Porter, Michael E., "What Is Strategy?" Harvard Business Review, (November-December 1996):
61-78.

Pound, John, "The Promise of the Governed Corporation," Harvard Business Review (March/April
1995): 89-98.

Rittenberg, Larry E., and Mark A. Covaleski, The Outsourcing Dilemma: What's Best for Internal
Auditing (Altamonte Springs, Florida: The Institute of Internal Auditors Research Foundation)
1997.

Senge, Peter M., The Fifth Discipline: The Art and Practice of the Learning Organization (New
York: Currency Doubleday) 1990.

Shrivastava, Paul, Strategic Management (Cincinnati, Ohio: South-Western Publishing) 1994.

Simons, Robert, "Control in an Age of Empowerment," Harvard Business Review (March/April
1995): 80-88.

Stone, Romuald A., "Mission Statements Revisited," SAM Advanced Management Journal (Winter
1996): 31-37.

Thompson, Arthur A. Jr., and A.J. Strickland, Strategic Management: Concepts and Cases
(Homewood, IL: Irwin) 1993.

Wescott, Ross E., "Radical Reengineering for Internal Audit," IS Audit and Control Journal (Vol.
III) (1995).

CHAPTER 4 SAMPLE PROFILE ANALYSIS
Introduction

Consistent with the overall objectives of this exploratory research, the data for this project was
collected using a number of research methods, including extensive literature review, a survey
questionnaire, in-depth on-site interviews with key members of several world-class and
reengineered internal auditing departments, and analysis of company-specific archival information.
This chapter discusses the sample profile in terms of the participating firms as well as individual
internal auditors (of course, in aggregate and on an anonymous basis). The purpose of presenting
this background information is to define the proper context for the readers within the confines of
which they should interpret these research findings.

Analysis of Respondents and Firm Characteristics

This section evaluates and analyzes the characteristics of the respondents in terms of their level of
overall experience, the specific accounting and auditing experience, and the level of their
educational background and professional qualifications. Background information on the
organizations included in the sample and on the characteristics of the internal auditing function is
also provided. This background information is provided to help the readers of this study develop
an overall sense of the context within which to interpret the results and arrive at conclusions best
suited to their organizations. Further, where appropriate, respondent and firm demographics are
also compared with the findings of The Institute of Internal Auditors Research Foundation (IIA RF)
1995 research study by Gupta and Ray.

Analysis and Comparison of Survey Respondent Characteristics

A total of 382 surveys were mailed to current and former members of The IIA. Of these, 112
surveys2 were completed and returned, yielding a response rate of about 32.4%. Table 4-1
provides information on the titles of the respondents who completed the survey. As can be seen,
out of the 112 surveys, 82 (73%) were completed by senior members of the internal audit
function. Of these 82 surveys, 34% were completed by the managing director, senior director, or
director of internal or corporate auditing, 16% were completed by the senior vice president or
vice president of internal or corporate auditing, and 23% were completed by the general auditor
alone or by the senior vice president or vice president and general auditor. The remaining 70 were
completed by respondents holding a variety of titles. Viewed differently, of the 112 responses,
88% were from the ranks of senior audit management and the remaining 12% were from the
ranks of the senior manager or manager of internal auditing. For the entire sample,
approximately 88% of the respondents were males and the remaining 12 percent were females.

Table 4-1: Title of Respondents Who Completed the Survey

Professional Title                                                                  Number of Respondents Holding the Title
Managing Director or Senior Director or Director of Internal or Corporate Auditing  38
Sr. Vice President or Vice President of Internal or Corporate Auditing              18
General Auditor                                                                     13
Sr. Vice President or Vice President and General Auditor                            13
Sr. Internal Audit Manager or Audit Manager or Audit Supervisor                     12
Assistant Vice President or 2nd Vice President of Auditing                          6
Vice President Internal Audit and Process Review                                    1
Vice President Audit Services and Chief Ethics Officer                              1
Vice President and Corporate Auditor                                                1
Vice President Corporate Financial Auditor                                          1
Vice President and Auditor                                                          1
Vice President and Controller                                                       1
Executive Director Audit Services                                                   1
Director of Business Risk                                                           1
Director of Internal Auditing and Compliance                                        1
Assistant Director of Internal Auditing                                             1
Deputy Auditor                                                                      1
Manager of Global Internal Controls                                                 1
Total                                                                               112

A further review of Table 4-1 and its comparison with the 1995 IIA RF study (pp. 79-81) reveals
some interesting developments. First, an increasing number of senior internal auditing executives
hold a dual title, such as vice president and general auditor. Second, a number of new titles are
emerging, such as vice president internal audit and process review, vice president and chief ethics
officer, director of business risk, and manager of global internal controls. Some of these titles
reflect the emerging orientation or value-added repositioning of the internal audit function into the
areas of process improvements, risk management, and control assessment. Third, even though
insignificant, it is encouraging to see that since the 1995 IIA RF study there is an increase from
10% to 12% in the number of females employed as senior audit executives.

The average age of the respondents was 46, with a range from 31 to 64. On average, the
respondents had an overall work experience of about 24 years, of which about half of their
experience came from being an internal auditor. Further, on average, the respondents had been
working with their present company for the last 14 years, which includes an average of five years
in their current position in the present company. Based on this information, we can observe that,
on average, the respondent pool represents internal promotions from within the internal auditing
department. Given the dynamic changes in the current internal auditing environment, it is expected
that within the next five to 10 years an increasing number of non-traditional internal auditors
will occupy the positions of senior internal audit executives, whether
they were appointed from within or outside their present organizations. From a research
methodology viewpoint, since we have an experienced pool of respondents, there is considerable
legitimacy and real-life value in the findings of this study.

Similarly, the respondent pool is also a well-educated group. This is evident from the fact that more
than half the respondents (51%) had master's degrees, predominately MBAs with a concentration
in accounting or finance. It is interesting to note that of the remaining respondents who held only
bachelor's degrees, a little less than half (45%) had degrees in non-accounting areas such as
finance, marketing, economics, mathematics, industrial engineering, computer science,
psychology, and literature. This compares impressively well with the 1995 IIA RF study (p. 80) in
which about 65% of the respondents had only bachelor's degrees and only 35% of the
respondents had master's level education. These data suggest that an increasingly large number
of Fortune 500 firms are recognizing the importance of master's level education for their internal
audit executives.

Also, when compared with the 1995 IIA RF study, a similar upward trend is evident with respect
to the number of respondents having a formal certification. Of the 112 respondents, only 12
(about 15%) had no formal certification. Of the remaining 95 respondents (85% of the sample),
08 (80%) were CPAs and 25 (29%) were CIAs. Further, 27 respondents (more than 30%) held dual
certification (i.e., CPA, CIA, CMA, CISA, CA, etc.). In contrast, the 1995 study reported 83% of
the respondents having a formal certification: 26% CIAs, 75% CPAs, and 25% holding more than
one certification.

The above discussion and analysis clearly point to the fact that the respondent pool for this study
is well qualified and more than adequately experienced. This provides a strong backdrop for
analyzing the findings of Section II of the survey, which are discussed in the next chapter. The
next section presents the findings and discussions on firm characteristics.

Analysis and Comparison of Survey Respondent Firm Characteristics

As discussed earlier, 112 respondents completed the survey. Out of these 112 respondents, 102
were from Fortune 500 companies and 10 were from non-Fortune 500 companies. Since the
financial metrics data (i.e., assets, revenue, profits, stockholder's equity, market capitalization,
etc.) were not available for the non-Fortune 500 entities, this information is presented only with
respect to the 102 respondents to provide additional context for interpreting the results and
assessing the applicability of various practices to firms of various sizes.

On an average, the 102 responding firms had total assets of $26,615 million and sales of about
$12,760. For the same year, these firms had an average profit of $782 million on an average
stockholder's equity of $5,115. These firms employed an average of 50,000 employees and had
an average market capitalization of $20,721 million. This profile is a fair representation of the
Fortune 500 when compared with its overall average assets of $25,763 million, average revenue
of $11,037 million, average profits of $648 million, average stockholder's equity of $4,152 million,
and average market capitalization of $16,221 million. In other words, our sample more than
adequately represents the Fortune 500 firms on the frequently reported financial metrics.

Panel A and Panel B of Table 4-2 provide information on the annual budget of the responding
internal audit functions. In such studies, respondents are usually not willing to disclose the exact
information on their budgets, etc.; therefore, intervals starting with $0 to more than $20 million
were used to collect data on this sensitive variable. According to Panel A, of the 109 respondents
who provided information on this question, more than 65% had internal audit budgets ranging from
$0 to $4 million, and the remaining 35% had internal audit budgets ranging from $4 million
to more than $20 million. Panel B of Table 4-2 reveals some interesting information: about 52% of
the responding internal audit functions experienced an increase in their internal audit budgets
during the last five years, and approximately the same percentage (54%) of internal audit
functions expect their internal audit budgets to increase over the next five years. The range
of expected increase is anywhere from as low as 1% to as high as 125%, with an overall average
of about 20%. Similarly, those expecting a decrease in their internal audit budget over the next five
years expect it to decline an average of 7%, with a low of 2% to a high of 20%.

The percentages would not add up to 100% due to double counting.

Table 4-2: Internal Audit Annual Budget Excluding Outside CPA Fees

PANEL A: Internal Audit Budget of Survey Respondents

Range of Internal Audit Budget    Percentage of Times Mentioned
1. $0-$500,000                    6%
2. $500,001-$1,000,000            6%
3. $1,000,001-$2,000,000          25%
4. $2,000,001-$4,000,000          28%
5. $4,000,001-$6,000,000          11%
6. $6,000,001-$8,000,000          8%
7. $8,000,001-$10,000,000         6%
8. $10,000,001-$15,000,000        5%
9. $15,000,001-$20,000,000        3%
10. More than $20,000,000         2%

PANEL B: Change in the Internal Audit Budget

              Percentage of Respondents    Percentage of Respondents Expecting
              Experienced Change           Change During the Next 5 Years
Increase      52%                          54%
Decrease      34%                          14%
No Change     14%                          33%

Average Expected % Increase in Internal Audit Budget during the next 5 years: 20%
Average Expected % Decrease in Internal Audit Budget during the next 5 years: 7%

However, there appears to be an interesting flip occurring when we compare the percentage of
internal audit functions that experienced either a decrease (34%) or no change (14%) in their
internal audit budgets with the percentage of internal audit functions expecting either a decrease
(14%) or no change (33%) over the next five years. Overall, these statistics point to the fact that for
about half the sample, the internal audit budget is trending upwards, while for the other half of the
sample the trend toward decreasing the internal audit budget is either slowing down or the trend
toward "staying put" or not changing the internal audit budget is accelerating. Based on this
finding, one can speculate that an increasing number of senior management within the Fortune
500 firms are allocating more resources to their internal audit functions because they perceive
them as value-added partners more than ever before. If this were not the case, in the current world
of outsourcing one would expect to find across the board an overall declining trend in the budgets
of internal audit functions.

Table 4-3 provides information on the average number of hours that are spent on continuing
professional education or training by the various internal auditing departments. Panel A of Table 4-3
provides mean, median, mode, standard deviation, and range for the entire sample, while Panel
B of Table 4-3 further analyzes the disaggregated data as it relates to the budget of the internal
auditing department.

According to Panel A of Table 4-3, on an average about 65 hours are spent by a typical member
of the internal audit staff on continuing professional education or training during a year. For the
entire sample the range of training hours varied from a low of eight hours per auditor per year to a
high of 200 hours per auditor per year. When compared with the 1995 IIA RF study, it appears that
the time spent on training by internal audit professionals has essentially remained unchanged:
from an average of 63 hours in 1995 to an average of 65 hours in the current study.7 This is a
perplexing finding given the fact that during the same period, the internal auditor's responsibilities
expanded into a number of new areas (i.e., increased involvement in the total quality and business
process improvement initiatives, business risk and control-related audits, etc.). Further
examination of Panel B of Table 4-3 suggests that about 78% of the respondents provide
anywhere from 20 to 80 hours of training per auditor per year. It is not clearly evident from the
results presented in Table 4-3, but further analysis of the segmented results for various budget
groups reveals the expected: there is an increase in the number of hours of training available to
the internal audit staff as the budget of the internal audit departments increases.8

Table 4-3: Internal Auditing Budget and Hours Spent on Continuing
Professional Education

PANEL A: Hours Spent on Continuing Professional Education

Average Number of Hours Spent on CPE    65
Median Hours                            60
Mode                                    40
Standard Deviation                      44
Range                                   Minimum 8 hours, Maximum 200 hours

PANEL B: Does Internal Audit Budget Influence CPE Hours

Internal Audit               Less than  20-40  41-60  61-80  80-100  More than
Department Budget            20 Hours   Hours  Hours  Hours  Hours   100 Hours  Total
1. $0-$500,000               1          3      1      1      0       1          7
2. $500,001-$1,000,000       1          2      2      0      2       0          7
3. $1,000,001-$2,000,000     2          14     3      7      0       0          26
4. $2,000,001-$4,000,000     0          5      8      10     2       5          30
5. $4,000,001-$6,000,000     0          6      2      2      2       0          12
6. $6,000,001-$8,000,000     0          3      2      1      1       1          8
7. $8,000,001-$10,000,000    0          1      1      3      2       0          7
8. $10,000,001-$15,000,000   0          0      1      2      0       1          4
9. $15,000,001-$20,000,000   1          1      0      1      0       0          3
10. More than $20,000,000    0          0      0      1      1       0          2
Total                        5          35     20     28     10      8          N=106


Table 4-4 provides information on the various types of information technology tools utilized by the
responding internal audit departments. In descending order, the noteworthy tools are Microsoft Office
Suite (92%), Microsoft Power Point (84%), ACL, SIMS, IDEA, SAS, or other CAATS (77%), Web-Based
Query Tools, Web-Based Intrusion Detection Tools, World Wide Web, Internet, and Intranets (74%),
Microsoft Access (72%), and Flowcharting or Process Mapping Software (70%). It is also encouraging
to note that more than 50% of the respondents are using some kind of automated audit tool or
automated workpaper system. Additionally, about one-third of the responding internal auditing
departments have some kind of in-house developed software to help them conduct their business
effectively and efficiently. Besides the above-mentioned information technology tools, a few
respondents reported using a number of other tools: Microsoft Project, Microsoft Exchange,
FOCUS, Groupwise, Culprit, Kane LAN Security Analyst, Workforce, etc.

Table 4-4: Information Technology Tools Utilized by Internal Auditing Departments

Information Technology Tool                                                           Percentage of Respondents Using the IT Tool
Microsoft Office Suite                                                                92%
Microsoft Power Point                                                                 84%
ACL, SIMS, IDEA, SAS or other CAATS                                                   77%
WWW, Web-Based Query Tools, Web-Based Intrusion Detection Tools, Intranet, Internet   74%
Microsoft Access                                                                      72%
Flowcharting/Process Mapping Software                                                 70%
Automated Audit or Automated Workpaper System                                         55%
Lotus Notes                                                                           50%
In-House Developed Software                                                           33%
Audit Decision Support System                                                         10%
Corel Word Perfect                                                                    7%
Audit Expert System                                                                   6%


Just as many new information technology tools have gained widespread acceptance and use,
there appears to be a noteworthy decline in the use of audit expert systems and audit decision
support systems (a mere 16% use these two tools). However, given the changes in the role of the
internal auditor (a shift from pure controls-oriented auditing to business and risk-focused auditing)
and the methodology of internal auditing (a shift from selecting an appropriate sample size based
on some expert decision model to reviewing the entire population quickly and
efficiently to determine the control weaknesses), it is not at all surprising to find this decline. As
expected, all of the responding internal auditing departments reported that 100% of their internal
auditors have individual personal computers or laptops for use in their audit work. Overall, these
findings indicate that a larger percentage of internal auditing departments are utilizing various
types of information technology tools in completing their audit and non-audit related work.

Table 4-5 provides information on the reporting relationship of the sample internal audit functions.
Panel A of Table 4-5 provides information on the percentage of respondents experiencing each
type of reporting relationship. A review of these results points to two major groups to whom the
internal audit function typically reports: chief financial officer and the audit committee of the board
of directors.

Further analysis of internal audit's reporting relationship as reported in Panel B of Table 4-5
provides additional insights. Panel B of Table 4-5 develops the clusters from the frequency count
underlying Panel A in Table 4-5. Primarily three clusters emerge: single reporting relationship, dual
reporting relationship, and more than dual reporting relationship. These clusters were further
classified according to whether the internal auditing function had a solid-line or a dotted-line
relationship. What emerges from this clustering is the fact that about 74% of the responding
internal auditing departments have one or the other kind of dual reporting relationship, while the
remaining 26% either have a single or more than dual reporting relationship with the various
members of the senior management team and audit committee of the board of directors.

Overall, upon comparing the detailed findings of this study with the 1995 IIA RF study and the
1978 Conference Board study (Macchiaverna 1987), one can observe the following trends in the
internal auditing function's reporting relationship within the organization's hierarchy:

• Over the years the internal auditing function's reporting relationship with the corporate
controller has consistently declined.
• The internal auditing function's reporting relationship with the corporate treasurer has
virtually disappeared.
• There is a substantial decline in the internal auditing function's reporting relationship to any
single reporting authority in the organization, such as only the CFO or an equivalent senior
financial executive, or only the CEO or an equivalent senior corporate executive.


Table 4-5: Reporting Relationship of the Internal Auditing Function

Panel A: Solid vs. Dotted-Line Reporting Relationship

1. Solid-Line Reporting                                                               Percentage of Times Mentioned
• Solid-line reporting to corporate CFO or an equivalent senior financial executive   59%
• Solid-line reporting to company CEO or equivalent senior corporate officer          9%
• Solid-line reporting to corporate controller                                        12%
• Solid-line reporting to audit committee of the BOD                                  32%
• Solid-line reporting to other corporate executives                                  11%

2. Dotted-Line Reporting
• Dotted-line reporting to audit committee of the BOD                                 56%
• Dotted-line reporting to corporate controller                                       20%
• Dotted-line reporting to other corporate executives                                 23%
• Other                                                                               3%

Panel B: Single vs. Dual Reporting Relationship

                                        Percentage of Times Mentioned
1. Single Solid-Line Reporting          10%
2. Dual Reporting                       74%
• Dual Solid Line                       17%
• One Solid Line - One Dotted Line      57%
3. More than Dual Reporting             16%
• One Solid Line - Two Dotted Lines     12%
• Two Solid Lines - One Dotted Line     2%
• Three Solid Lines                     2%

• There is a significant increase in the internal auditing function's dual reporting relationship
with any two reporting authorities in the organization, such as CFO and the audit committee
of the board of directors, CEO and the audit committee of the board of directors, and audit
committee and any one of the following: chief administrative officer, general counsel, chief
risk officer, senior control officer, and legal and risk management executive, etc.
• Within the dual reporting responsibility of the internal auditing function, the combination of
CFO with the audit committee of the board of directors is the most prevalent combination.
• Interestingly, there appears to be an increase in the internal auditing function's reporting
relationship from dual reporting to more than dual reporting. There were none reported by
the 1978 Conference Board study, and only eight such relationships were reported in the
1995 IIA RF study. In the current study the number of respondents having more than dual-
reporting relationships has increased to 18 (16%). Of these 18 responses, eight report a
solid-line relationship to the CFO with a dotted-line relationship to the corporate controller
and CEO; five report a solid-line relationship to the corporate controller with a dotted-line
relationship to the audit committee of the board of directors and the CEO. In a rare case,
the internal auditing function also reports to the chief operating officer.
• There appears to be a dramatic upward shift in the internal auditing function's reporting
relationship with the audit committee of the board of directors. While in the 1978
Conference Board study only 4% of the respondents reported having any reporting
relationship to the audit committee of the board of directors, in the 1995 IIA RF study the
same percentage increased to 62%, and in the current study it is now 80%. Based on this,
one can conclude that during the last two decades an increasing number of companies are
placing a higher emphasis on the independence of their internal auditing function, perhaps
as part of the overall increased emphasis on various aspects of corporate governance and
risk management.
• The last but not the least important trend is that more and more CEOs are involving
themselves either in a solid-line or a dotted-line relationship with their internal auditing
function. Although the CEO involvement is still relatively low, it has increased from no
involvement in the 1978 Conference Board study, to about 12% involvement as reported in
the 1995 IIA RF study, to 20% as found in the current study. One can only speculate that
this upward trend will continue, as an increasing number of internal auditing functions
reengineer themselves to become value-added partners with the CEOs of their respective
organizations.

The newly issued Competency Framework for Internal Auditors (IIA RF, 1998) provides detailed
guidelines on the skills and competencies needed for the emerging and changing role of the
internal auditor as the profession enters [...]. Table 4-6, which is organized in three panels, rank
orders the skill set by the extent to which these skills are found in the professional internal audit
staff of the participating internal auditing departments.

Panel A of Table 4-6 provides ranking of the skills that exist to a great or sufficient extent in the
audit staff of more than 50% of the participating internal audit functions, which are listed below.

• Strong interpersonal skills (71%)
• Analytical skills (70%)
• Understanding of business processes (64%)
• Client or customer focus (62%)
• Ability to work in the interdisciplinary teams (61%)
• Objectivity without rigidity (56%)
• Good oral and written communication skills (55%)
• Knowledge of alternate internal controls (54%)
• Value-added orientation (52%)
• Continuous improvement mind-set (52%)

Panel B of Table 4-6 provides ranking of the skills that exist only to a moderate extent in the audit
staff of more than 50% of the participating internal audit functions, which are listed below:

• Knowledge of the alternate risk management strategies (65%)
• Understanding of information technology enablers (64%)
• Strong facilitation skills (64%)
• Leadership ability (60%)
• TQM/reengineering knowledge (57%)

Interestingly, when we examine Panel C of Table 4-6, which again provides a ranking of the skills
that exist only to some extent in the audit staff of the participating internal audit functions, almost
the same set of skills emerges again. They are listed below:

• TQM/reengineering knowledge (35%)
• Knowledge of alternate risk management strategies (20%)
• Understanding of information technology enablers (14%)
• Strong facilitation skills (13%)

Comparison of the results presented in Panel A with Panel B and Panel C of Table 4-6 points to
three observations and conclusions. First, since the rankings of the skills highlighted in Panel A

The Institute of Internal Auditors Research Foundation


Table 4-6: Skill Set of the Internal Audit Staff

PANEL A: Rank Ordered Skills that Exist to a Great or Sufficient Degree in the Internal
Audit Staff

Skill Sets Percentage of Times Mentioned

1. Strong interpersonal skills  71%

2. Analytical skills 70%

3. Understanding of business processes 64% 

4. Client or customer focus 62% 

5. Ability to work in interdisciplinary teams 61% 

6. Objectivity without rigid independence  56%

7. Good oral and written communication skills 55%

8. Knowledge of alternative internal controls 54% 

9. Value-added orientation 52% 

10. Continuous improvement mind-set 52% 

11. Creativity and open-mindedness 49% 

12. Leadership ability 38% 

13. Strong facilitation skills 22%

14. Understanding of information technology enablers  21% 

15. Knowledge of alternate risk management strategies 13% 

16. TOMreengineering knowledge 8%

PANEL B: Rank Ordered Skills that Exist to a Moderate Extent in the Internal Audit Staff  

  Percentage of Times Mentioned

 1. Knowledge of alternate risk management strategies 65%

 2. Understanding of information technology enablers 64%

3. Strong facilitation skills 64% 

4. Leadership ability 60%

5. TOM/reengineering knowledge 56% 

6. Creativity and open-mindedness 46%

7. Value-added orientation 42%

8. Good oral and written communication skills 42% 

9. Objectivity without rigid independence 42% 

10. Knowledge of Alternative Internal Controls 40%

11. Continuous improvement mind-set 37%

12. Ability to work in interdisciplinary teams 34% 

13. Client or customer focus 34% 

14. Understand of business process 34%

15. Analytical skills 29% 

16. Strong interpersonal skills 26%


Table 4-6: Skill Set of the Internal Audit Staff (Cont.)

PANEL C: Rank Ordered Skills That Exist To No Or Some Extent In The Internal Audit State

Percentage of Times
  Mentioned
1. TQM/Reengineering knowledge 35%

2. Knowledge of alternate risk management strategies 20%

3. Understanding of information technology enablers 14%

4. Strong facilitation skills 13%

5. Continuous improvement mind-set 11% 

6. Value-added orientation 5%

7. Knowledge of alternative internal controls 4%

8. Ability to work in interdisciplinary teams 4%

9. Creativity and open-mindedness 4%

10. Client or customer focus 3%

11. Leadership ability 2%

12. Good oral and written communication skills 2%

13. Strong interpersonal skills 2%

14. Understand of business process 1%

15. Analytical skills  1% 

16. Objectivity without rigid independence 1%

vs. Panel B and Panel C are mutually exclusive, there appears to be consensus among the
respondents on the existing strengths and weaknesses of the skills possessed by their internal
audit professionals. Second, when we combine the results presented in Panel B and Panel C, a
worrisome picture emerges: 91% of the internal audit functions feel that their internal audit staff
lacks sufficient skills in the area of TQM/reengineering; 85% report lack of sufficient knowledge
of the alternate risk management strategies; 78% report lack of sufficient understanding of
information technology enablers; and 77% report lack of sufficient preparation in facilitation skills.

These findings are worrisome because these are the very basic skills that the internal auditing
profession as a whole will need to deal with the emerging opportunities, such as integrated risk
management, risk assessment, control self-assessment, business process reengineering, and total
quality improvements in the next millennium. Third, an examination of rankings in Panel A points
to the fact that over the years internal auditors have succeeded in acquiring some of the soft
skills, such as interpersonal skills, the ability to work in interdisciplinary teams, good oral
and written communication skills, client or customer focus, value-added orientation, and a
continuous improvement mind-set.

Overall, as a profession, we are moving in the right direction by developing a portfolio of skills that
contains the hard and soft skills. However, due to the rapidly changing business environment and
the speed-of-light infusion of information technology in the business, we need to leapfrog in
acquiring the emerging skills that we lack as a profession as a whole. In the absence of these skills,
internal auditors could very well lose on the value-added proposition that is so often espoused by
the senior management of almost all the organizations. Further, in the future, these are the skills
(among others) that will differentiate a world-class internal audit function from a not-so-world-class
internal audit function.

Table 4-7: Customers of Internal Auditing

Customer Type Percentage of Times Mentioned

Corporate Senior Management 98%

Audit Committee of BOD 97%

Auditee Management and Staff 85%

External Auditors 74%

Internal Audit Employees 37%

Regulatory Agencies 32%

Vendors or Suppliers 20%

Others 9%

Table 4-7 presents a ranking of the internal audit customer base as reported by the participating
internal audit functions. The top four internal audit customers are corporate senior management,
the audit committee of the board of directors, auditee management and staff, and the external
auditor. Other less noteworthy internal audit customers are internal audit employees, regulatory
agencies, and vendors or suppliers. Rarely, business partners or joint venture management,
company shareholders, and external customers are also perceived as customers by some internal
audit departments.

Two observations can be made from the data presented in Table 4-7. First, there appears to be an
equal emphasis by the internal audit functions on serving the needs of corporate senior
management as well as the audit committee of the board of directors in spite of each group's
unique needs and demands (senior management's emphasis on business-focused auditing vs. the
audit committee's emphasis on controls). Second, even though external auditors rank as the fourth
largest customer of the internal auditors, various case study interviews indicate mixed results.

While many internal auditing departments are trying to distance themselves from the external auditors and
establish themselves as independent and creditable entities within their organizations, at the same
time others are forging partnerships with them to ensure that the new roles adopted by internal
auditing are not sabotaged by external auditors by auditing the deserted areas and increasing their
external audit fees. Overall, it is very comforting to note that the notion of
"customer" is quite deeply ingrained in almost all of the responding internal auditing functions. No
matter where these internal auditing functions may be today in their journey to TQM/reengineering,
having a customer focus indicates that they are certainly on the right course and catering to the real
thing in their organizations.

Summary

Overall, the findings presented in this chapter provide sufficient evidence that there have been a lot
of structural changes in the way the internal auditing functions are organized across corporate
America today as opposed to three decades ago. Some of the major conclusions emerging from
this chapter are as follows:

• An increasing number of senior internal audit executives are holding dual titles. Some of
these dual titles reflect the emerging orientation of internal auditing on value-added
consulting type activities.
• There are significant changes in the reporting relationship of internal auditing with the
corporate controller, corporate treasurer, CEO, CFO, and the audit committee of the board
of directors.
• Although slight, it is encouraging to see an increase in the number of female senior internal
audit executives.
• A majority of the senior internal audit executives still come from within the rank and file of
the internal audit function, indicating that professionals with traditional accounting and
auditing backgrounds are still the preferred choice for these positions within the companies.
• Increasing numbers of internal auditors are holding master's degrees, more so than ever
before.
• For half the sample, the internal audit budget has trended upwards during the last five
years, while for the other half the trend is either toward not decreasing the internal audit
budget or at best slowing the pace of reductions in the budget. This indicates that, at least
within the Fortune 500 group, more and more senior corporate managers are beginning to
see the value-added of the internal audit function.
• Even though over the years internal auditors have taken on new responsibilities (i.e.,
process improvements, total quality management, etc.) and adopted new audit approaches
(i.e., risk-based internal auditing), there has not been a significant change in number of
hours spent on annual training or continuing professional education.
• In spite of the increased responsibilities of internal auditors in general in many new areas,
there is widespread perception that internal auditors lack sufficient skills or knowledge in
areas of total quality management, integrated risk management, information technology,
leadership, and facilitation skills.
• More than ever a larger number of internal auditors are now using extensive information
technology-based tools, from Microsoft Office Suite, to automated audit tools and
workpaper systems, to Web-based query and intrusion detection tools.
• The top four internal audit customers are corporate senior management, audit committee of
the board of directors, auditee management and staff, and the external auditors.

Overall, it is clear from many of the above findings that since internal auditing is primarily a people-
oriented function, its success greatly depends upon the kind of people it is able to attract, train,
and retain within the ranks. With the expansion of internal auditing into many new areas, it has
now become extremely important to think outside the box in developing human resource strategies
for the internal auditing function (i.e., attracting employees with more business background,
understanding of the business processes and technology, etc.). The progressive internal auditing
functions are doing exactly that.

