The IIARF publishes this document for information and educational purposes only.

IIARF does not provide legal or accounting advice and

makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise,
professional assistance should be sought and retained.

Copyright © 2015 by The Institute of Internal Auditors Research Foundation (IIARF).

All rights reserved. For permission to reproduce or quote, please contact research@theiia.org.
 Practitioner (All) vs. CAE Only
The CBOK 2015 Global Internal Audit
Practitioner Survey Questions
For your reference, here is an overview of the topics that are included in the survey:
1-Your Background (Q1-Q14) 9-Organizational Governance
(Q67-Q72)
2-Your Organization (Q15-Q22) 10-Reporting Lines (Q73-Q77)
3-Your Internal Audit Department (Q23-Q29) 11-Audit Committee (Q78)
4-Staffing (Q30-Q36) 12-Internal Audit Competencies
(Q79-Q88)
5-Internal Audit Department Maturity (Q37-Q47) 13-Value and Performance
Measures (Q89-Q91)
6-Audit Processes (Q48-Q57) 14-Auditing Technology Risks
(Q92-Q94)
7-Risk-General (Q58-Q63) 15-Internal Audit Use of
Information Technology (Q95-Q97)
8-Top 5 Risks (Q64-Q66) 16-Internal Audit Standards
(Q98-Q100)
Language Select a language to take your survey in:
Albanian
Arabic
Bengali
Chinese (Simplified, PRC)
Chinese (Traditional)
Croatian
Czech
English
Estonian
French

2
 German
Italian
Japanese
Korean
Latvian
Lithuanian
Polish
Portuguese
Romanian
Serbian
Spanish
Turkish
Ukrainian
1_Your Background
1_IIA Membership 1. Are you registered as a member of The Institute of Internal Auditors (IIA) Practitioner
or a national IIA organization (whether an individual membership or as an
employee of an IIA corporate member)?
Yes, I am a member
No, I am not a member
1a. How long have you been a member?
1-IIA Approximate number of years: _________ Practitioner
Membership_Years
1-IIA See Calculated Fields tab for more information.
Membership_Years
_Category_ TBD
1_Affiliation_Institut 2. Select the IIA institute with which you primarily identify. (If you are from a Practitioner
e country included in IIA–North America, select your country name.)
Not an IIA member
 Albania

3
 Algeria
 Argentina
 Armenia
 Aruba (IIA–North America)
 Australia
 Austria
 Azerbaijan
 Bahamas (IIA–North America)
 Bangladesh
 Barbados (IIA–North America)
 Belgium
 Bermuda (IIA–North America)
 Bolivia
 Bosnia & Herzegovina
 Botswana
 Brazil
 Bulgaria
 Cameroon
 Canada (IIA–North America)
 Cayman Islands (IIA–North America)
 Chile
 China
 Chinese Taiwan
 Colombia
 Congo (D.R.)
 Costa Rica
 Cote D'ivoire
 Croatia

4
 Curacao (IIA–North America)
 Cyprus
 Czech Republic
 Denmark
 Dominican Republic
 Ecuador
 Egypt (Cairo)
 El Salvador
 Estonia
 Ethiopia
 Fiji
 Finland
 Former Yugoslav Republic of Macedonia
 France
 Georgia
 Germany
 Ghana
 Greece
 Guatemala
 Guyana (IIA–North America)
 Haiti
 Honduras
 Hong Kong, China
 Hungary
 Iceland
 India
 Indonesia
 Israel

5
 Italy
 Jamaica (IIA–North America)
 Japan
 Kenya
 Korea Rep. (South)
 Latvia
 Lebanon
 Lesotho
 Lithuania
 Luxembourg
 Malawi
 Malaysia
 Mali
 Mauritius
 Mexico
 Montenegro
 Morocco
 Mozambique
 Netherlands
 New Zealand
 Nicaragua
 Nigeria
 Norway
 North America
 Oman
 Panama
 Papua New Guinea
 Paraguay

6
 Peru
 Philippines
 Poland
 Portugal
 Puerto Rico (IIA–North America)
 Qatar
 Romania
 Russia
 Rwanda
 Saudi Arabia
 Senegal
 Serbia
 Singapore
 Slovakia
 Slovenia
 South Africa
 Spain
 Sri Lanka
 Swaziland
 Sweden
 Switzerland
 Tanzania
 Thailand
 Trinidad & Tobago (IIA–North America)
 Tunisia
 Turkey
 Turks & Caicos (IIA–North America)
 Uganda

7
  Ukraine
 United Arab Emirates
 United Kingdom & Ireland
 United States (IIA–North America)
 Uruguay
 Zambia
 Zimbabwe
 Member at large — not affiliated with an Institute
 Not applicable
1_Affiliation_Chapte 2a. Please select the IIA chapter with which you primarily identify. (Chapters Practitioner
r_North America will receive Chapter Achievement Program (CAP) points from The IIA based
on participation in the survey.)
Canada
 Maritime #126
 Montreal #10
 Newfoundland & Labrador #227
 Ottawa #94
 Quebec #127
 Toronto #8
 Calgary #72
 Edmonton #92
 Saskatchewan #172
 Vancouver #26
 Vancouver Island #336
 Winnipeg #33
Central
 Central Ohio #38
 Cincinnati #28

8
  Dayton #6
 Northeast Ohio #7
 Pittsburgh #11
 Detroit #2
 Fort Wayne #83
 Lansing (MI) #163
 Michiana #95
 Northwest Ohio #507
 Western Michigan #125
 Central Illinois #73
 Central Kentucky #206
 Indianapolis #31
 Louisville #17
 Springfield #145
 Tri-State #311
 Chattanooga Area #177
 East Tennessee #85
 Memphis #106
 Mountain Empire #508
 Nashville #119
Mid-Atlantic
 Central Virginia #37
 Southwest Virginia #175
 Tidewater #93
 Charlotte #91
 Raleigh-Durham #113
 Triad #116
 Baltimore #22

9
  Northern Virginia #209
 Washington (DC) #27
 Coastal Carolina #194
 Palmetto #108
 Western Carolinas #148
Midwest
 Central Missouri #233
 Kansas City #48
 Ozarks #232
 St. Louis #15
 Topeka #242
 Chicago #3
 Chicago-West #210
 Fox Valley/Central Wisconsin #167
 Madison #189
 Milwaukee #19
 Northwest Metro Chicago #197
 Ak-Sar-Ben #53
 Central Iowa #96
 Heartland-Iowa #260
 Sioux Falls #168
 Central No Dak #237
 Lake Superior #239
 Twin Cities #16
Northeast
 Long Island #241
 New York #1
 North Jersey #43

10
  Northeastern Pennsylvania #185
 Westchester-Fairfield #86
 Central Jersey #230
 Central Penn #88
 Lehigh Valley #144
 Philadelphia #5
 Albany #87
 Central New York #58
 Green Mountain #151
 Rochester #20
 Western New York #24
 Downeast Maine #111
 Granite State (NH) #183
 Greater Boston #13
 Ocean State (RI) #160
 Southern New England #51
South
 Austin #159
 Brazos Valley #506
 Dallas #30
 Fort Worth #55
 Houston #23
 San Antonio #76
 Central Arkansas #107
 North Arkansas #234
 Oklahoma City #36
 Tulsa #18
 Wichita #142

11
  Ark-La-Tex #54
 Baton Rouge #121
 Central Mississippi #134
 Mississippi Gulf Coast #281
 Monroe #225
 New Orleans #35
 Albuquerque #135
 El Paso #152
 Las Vegas #122
 Phoenix #80
 Tucson #112
Southeast
 Birmingham #56
 Mobile #207
 Montgomery #202
 North Alabama #114
 Northwest Florida #156
 Atlanta #29
 Central Savannah River Area (CSRA) #505
 Coastal Georgia #236
 Columbus #161
 Middle Georgia #504
 Central Florida #90
 Florida East Coast #328
 North Central Florida #315
 Northeast Florida #99
 Tallahassee #103
 Florida West Coast (#89)

12
  Miami (#12)
 Palm Beach County (#217)
 Southwest Florida (#226)
West
 Mid-Columbia #255
 Nisqually #176
 Portland #49
 Puget Sound #34
 Salem #291
 Spokane #138
 Alaska #147
 Boise #102
 Colorado Springs #339
 Denver #70
 Salt Lake City #45
 Hawaii #98
 Northern California - East Bay #216
 Northern Nevada #157
 Sacramento #66
 San Francisco #9
 San Jose #79
 Beach Cities #188
 Inland Empire #257
 Los Angeles #4
 Orange County #82
 San Diego #52
 San Fernando Valley #181
 San Gabriel Valley #208

13
1_NA Chapter See Calculated Fields tab for more information.
Regions_
1_Age 3. What is your age? (optional) Practitioner
1_Age_Categories_T
BD
Age: ___
1_Gender 4. What is your gender: Practitioner
 Female
 Male
 Unspecified/I prefer not to answer
1_Education Level 5. What is your highest level of formal education (not certification) Practitioner
completed?
 Secondary/high school education
 Undergraduate diploma or associate degree (less than four years)
 Bachelor's degree/diploma

 Master's degree/graduate degree/diploma

 Doctorate degree (PhD or higher)

 None of the above
1_Region_Individual 6. In which region are you based or primarily work? (If you are retired or Practitioner
Work currently not in the field, refer to your most recent internal audit situation.)
 Africa
 Asia and Pacific
 Europe
 Middle East
 North America
 South and Central America and the Caribbean

14
 The data analyst will collapse reponses to questions 6a to 6h into the
primary CBOK regions, as defined on the global regions tab, DP 9-22-14.
1_Region_Individual 6a. Africa Practitioner
Work_Africa
 Algeria Practitioner
 Angola Practitioner
 Benin Practitioner
 Botswana Practitioner
 Burkina Faso Practitioner
 Burundi Practitioner
 Cameroon Practitioner
 Cape Verde Practitioner
 Central African Republic Practitioner
 Chad Practitioner
 Comoros Practitioner
 Congo, Democratic Republic of the Practitioner
 Cote d'Ivoire (Ivory Coast) Practitioner
 Djibouti Practitioner
 Eastern Africa Practitioner
 Egypt Practitioner
 Equatorial Guinea Practitioner
 Eritrea Practitioner
 Ethiopia Practitioner
 Gabon Practitioner
 Gambia Practitioner
 Ghana Practitioner
 Guinea Practitioner
 Guinea-Bissau Practitioner

15
 Kenya Practitioner
 Lesotho Practitioner
 Liberia Practitioner
 Libyan Arab Jamahiriya Practitioner
 Madagascar Practitioner
 Malawi Practitioner
 Mali Practitioner
 Mauritania Practitioner
 Mauritius Practitioner
 Mayotte Practitioner
 Morocco Practitioner
 Mozambique Practitioner
 Namibia Practitioner
 Niger Practitioner
 Nigeria Practitioner
 Reunion Practitioner
 Rwanda Practitioner
 Saint Helena Practitioner
 Sao Tome and Principe Practitioner
 Senegal Practitioner
 Seychelles Practitioner
 Sierra Leone Practitioner
 Somalia Practitioner
 South Africa Practitioner
 South Sudan Practitioner
 Swaziland Practitioner
 Tanzania, United Republic of Practitioner
 Togo Practitioner

16
  Tunisia Practitioner
 Uganda Practitioner
 Western Sahara Practitioner
 Zambia Practitioner
 Zimbabwe Practitioner
1_Region_Individual 6b. Asia Practitioner
Work_Asia
 Afghanistan Practitioner
 Armenia Practitioner
 Azerbaijan Practitioner
 Bangladesh Practitioner
 Bhutan Practitioner
 Brunei Darussalam Practitioner
 Cambodia Practitioner
 China Practitioner
 Georgia Practitioner
 Hong Kong Practitioner
 India Practitioner
 Indonesia Practitioner
 Japan Practitioner
 Kazakhstan Practitioner
 Korea, South Practitioner
 Kyrgyzstan Practitioner
 Laos Practitioner
 Macao Practitioner
 Malaysia Practitioner
 Maldives Practitioner
 Mongolia Practitioner

17
  Myanmar (ex-Burma) Practitioner
 Nepal Practitioner
 Pakistan Practitioner
 Phillippines Practitioner
 Singapore Practitioner
 Sri Lanka (ex-Ceilan) Practitioner
 Taiwan Practitioner
 Tajikistan Practitioner
 Thailand Practitioner
1_Region_Individual 6c. Pacific Practitioner
Work_Pacific
 Australia Practitioner
 Fiji Practitioner
 French Polynesia Practitioner
 Guam Practitioner
 Kiribati Practitioner
 Marshall Islands Practitioner
 Micronesia Practitioner
 New Caledonia Practitioner
 New Zealand Practitioner
 Papua New Guinea Practitioner
 Samoa Practitioner
 Samoa, American Practitioner
 Solomon, Islands Practitioner
 Tonga Practitioner
1_Region_Individual 6d. Europe Practitioner
Work_Europe
 Albania Practitioner

18
 Andorra Practitioner
 Austria Practitioner
 Belarus Practitioner
 Belgium Practitioner
 Bosnia Practitioner
 Bulgaria Practitioner
 Croatia Practitioner
 Cyprus Practitioner
 Czech Republic Practitioner
 Denmark Practitioner
 Estonia Practitioner
 European Union Practitioner
 Faroe Islands Practitioner
 Finland Practitioner
 France Practitioner
 Germany Practitioner
 Gibraltar Practitioner
 Greece Practitioner
 Guerney and Alderney Practitioner
 Hungary Practitioner
 Iceland Practitioner
 Ireland Practitioner
 Italy Practitioner
 Jersey Practitioner
 Kosovo Practitioner
 Latvia Practitioner
 Liechtenstein Practitioner
 Lithuania Practitioner

19
  Luxembourg Practitioner
 Macedonia Practitioner
 Malta Practitioner
 Man, Island of Practitioner
 Moldova Practitioner
 Monaco Practitioner
 Montenegro Practitioner
 Netherlands Practitioner
 Norway Practitioner
 Poland Practitioner
 Portugal Practitioner
 Romania Practitioner
 Russia Practitioner
 San Marino Practitioner
 Serbia Practitioner
 Slovakia Practitioner
 Slovenia Practitioner
 Spain Practitioner
 Svalbard and Jan Mayen Islands Practitioner
 Sweden Practitioner
 Switzerland Practitioner
 Turkey Practitioner
 Ukraine Practitioner
 United Kingdom Practitioner
 Vatican (Holy See) Practitioner
1_Region_Individual 6e. Middle East Practitioner
Work_Middle East
 Bahrain Practitioner

20
  Iraq Practitioner
 Israel Practitioner
 Jordan Practitioner
 Kuwait Practitioner
 Lebanon Practitioner
 Oman Practitioner
 Palestine Practitioner
 Qatar Practitioner
 Saudi Arabia Practitioner
 United Arab Emirates Practitioner
 Yemen Practitioner
1_Region_Individual 6f. North America Practitioner
Work_North
America
 Bermuda Practitioner
 Canada Practitioner
 Greenland Practitioner
 Saint Pierre and Miquelon Practitioner
 United States Practitioner
1_Region_Individual 6g. South and Central America Practitioner
Work_S and Central
America
 Argentina Practitioner
 Belize Practitioner
 Bolivia Practitioner
 Brazil Practitioner
 Chile Practitioner
 Colombia Practitioner
 Costa Rica Practitioner

21
  Ecuador Practitioner
 El Salvador Practitioner
 Falkland Islands (Malvinas) Practitioner
 French Guiana Practitioner
 Guatemala Practitioner
 Guyana Practitioner
 Honduras Practitioner
 Mexico Practitioner
 Nicaragua Practitioner
 Panama Practitioner
 Paraguay Practitioner
 Peru Practitioner
 Suriname Practitioner
 Uruguay Practitioner
 Venezuela Practitioner
1_Region_Individual 6h. The Caribbean Practitioner
Work_Caribbean
 Anguilla
 Antigua and Barbuda
 Aruba
 Bahamas
 Barbados
 Bonaire, Saint Eustatius and Saba
 British Virgin Islands
 Cayman Islands
 Curaçao
 Dominica
 Dominican Republic

22
  Grenada
 Guadeloupe
 Haiti
 Jamaica
 Martinique
 Monserrat
 Puerto Rico
 Saint-Barthélemy
1_Global See Calculated Fields tab for more information.
Region_Categories
Sub-Saharan Africa
Middle East & North Africa
South Asia
East Asia & Pacific
Europe & Central Asia
Latin America & Caribbean
North America
1_Majors Academic 5a. What were your academic major(s) or your most significant fields of Practitioner
study. (Choose all that apply.)
1_Major_Auditing  Auditing (internal)
Internal
1_Major_Auditing  Auditing (external)
External
1_Major_Accounting  Accounting
1_Major_Finance  Finance
1_Major_Business  Business
1_Major_Economics  Economics
1_Major_Law  Law

23
1_Major_Business  Business management
Management
1_Major_Informatio  Computer science or information technology (IT)
n Technology
1_Major_Math  Mathematics/statistics
1_Major_Engineerin  Engineering
g
1_Major_Other  Other science or technical field (such as physics, chemistry, biology)
Science
1_Major_Humanities  Arts or humanities (such as languages, literature, history, psychology)
1_Major_Other  Other
1_Certificate in 7. Did you earn a certificate (or concentration within your major) in internal Practitioner
Internal Audit auditing from a college or university?
 Yes
 No
1_Profession 8. Choose the one option that best describes your current profession. Practitioner
 I work as an internal auditor within the organization where I am
employed.
 I am self-employed as a provider of internal audit services.
 I provide internal audit services through a professional firm.
 I teach internal auditing at an institution of higher learning.
 I am a student.
 I am retired.
 None of the above.
The data analyst will create a new data column that combines the responses
to 9a, 9b, 9d, 9h, 9i. See notes in "Added Data Points."
1_Staff 9a. What is your position as an internal auditor in the organization? Practitioner
Level_Internal Audit

24
  Chief audit executive (CAE) or head of internal audit (highest ranking
member of the internal audit department)
 Director or senior manager (level below the CAE who manages audit
professionals)
 Manager (level reporting to director who manages staff who perform
audits)
 Audit staff (those who perform audits)
 Other
1_Staff Level_Service 9b. What is your position in the organization? (Answer this question based Practitioner
Provider on your primary, or typical, client.)
 Partner or acting chief audit executive (CAE) (I act as the highest
ranking member of the internal audit department.)
 Director or senior manager (I report to a CAE who manages audits.)
 Manager (I report to a director who manages staff who perform audits.)
 Staff (I perform audits.)
 Other
1_Staff 9c. What is your position at the institution of higher learning? Practitioner
Level_Academic
 Administrator
 Professor (tenured)
 Assistant professor (not tenured)
 Adjunct instructor
 Other
1_Staff 9d. What was your position in the organization immediately before you Practitioner
Level_Retired retired?
 Chief audit executive (CAE) or head of internal audit (highest ranking
member of the internal audit department)
 Director or senior manager (level below the CAE who manages audit
professionals)

25
  Manager (level reporting to director who manages staff who perform
audits)
 Audit staff (those who perform audits)
 Other
1_Retired_Years 9e. How many years ago did you retire? Practitioner
Years: ____
1_Staff 9f. Before you became a student, were you employed as an internal audit Practitioner
Level_Student professional?
 Yes, I worked as an internal auditor within the organization where I was
employed.
 Yes, I provided internal audit services through a professional firm.
 No, I did not have previous employment as an internal audit
professional.
1_Profession_Not 9g. If you do not consider internal audit as your primary profession, choose Practitioner
Internal Auditor one option below that best describes your current profession.
 Compliance professional
 Risk professional
 Public accountant
 External auditor
 Financial analyst
 Legal professional
 None of the above
1_Staff 9h. What was your position as an internal auditor in the organization? Practitioner
Level_Former
Internal Auditor
 Chief audit executive (CAE) or head of internal audit (highest ranking
member of the internal audit department)
 Director or senior manager (level below the CAE who manages audit
professionals)

26
  Manager (level reporting to director who manages staff who perform
audits)
 Audit staff (those who perform audits)
 Other
1_Staff 9i. What was your position in the organization? (Answer this question based Practitioner
Level_Former on your primary, or typical, client.)
Service Provider
 Partner or acting chief audit executive (CAE) (I act as the highest
ranking member of the internal audit department.)
 Director or senior manager (I report to a CAE who manages audits.)
 Manager (I reported to a director who manages staff who perform
audits.)
 Staff (I performed audits.)
 Other
10. Approximately how many years of professional experience do you have Practitioner
as an internal auditor in the following positions:
1_Experience_Intern Chief audit executive or head of internal audit (CAE or highest ranking
al Audit_CAE member of the internal audit department) ________
1_Experience_Intern Director or senior manager (level below the CAE who manages audit
al Audit_Director professionals) __________
1_Experience_Intern Manager (level reporting to director who manages staff who perform audits)
al Audit_Manager __________
1_Experience_Intern Audit staff (those who perform audits) _________
al Audit_Staff
1_Experience_Intern See Calculated Fields tab for more information.
al Audit_Total
Specialization 11. In addition to performing general internal audit activities, do you have an Practitioner
area of technical specialization for which you have had formal training AND
in which you spend a majority of your time working?

27
1_Specialization_Non  I do not have a technical specialization for my internal audit work.
e
1_Specialization_Acc  Accounting
ounting
1_Specialization_Fina  Financial reporting
ncial Reporting
1_Specialization_Fra  Fraud
ud
1_Specialization_Info  Information technology (IT)
rmation Technology
(IT)
1_Specialization_Ethi  Ethics
cs
1_Specialization_Co  Compliance
mpliance
1_Specialization_Leg  Legal
al
1_Specialization_Risk  Risk management
Management
1_Specialization_Ope  Operations
rations
1_Specialization_Ma  Management
nagement
1_Specialization_Engi  Engineering
neering
1_Specialization_Con  Construction
struction
1_Specialization_Envi  Environmental auditing
ronmental Auditing
1_Specialization_Perf  Performance auditing
ormance Auditing

28
1_Specialization_Oth  Other
er
1_Certification_Inter 12. Which professional certifications and/or qualifications do you have related Practitioner
nal Audit to internal auditing? (Choose all that apply.)
1_Certification_CIA  CIA (Certified Internal Auditor)
1_Certification_CMII  CMIIA (Chartered Member of The IIA–United Kingdom and Ireland)
A
1_Certification_PIIA  PIIA (Practitioner of The IIA–United Kingdom and Ireland)

1_Certification_CGAP  CGAP (Certified Government Auditing Professional)

1_Certification_CCSA  CCSA (Certification in Control Self-Assessment)
1_Certification_CFSA  CFSA (Certified Financial Services Auditor)
1_Certification_CRM  CRMA (Certification in Risk Management Assurance)
A
1_Certification_Natio  Other national internal audit certification
nal Internal Audit
1_Certification_Inter  None
nal Audit Other
1_Certification_Inter  QIAL (Qualification in Internal Audit Leadership)
nal Audit None
1_Certification_Not 13. Which professional certifications do you have in areas other than internal Practitioner
Internal Audit auditing? (Choose all that apply.)
1_Certification_Acco  Accounting, technician level (such as CAT, AAT)
unting Technician
1_Certification_Publi  Public accounting and chartered accountancy (such as CA, CPA, ACCA,
c Accounting ACA)
1_Certification_Finan  Financial analyst (such as CFA)
cial Analyst

29
1_Certification_Finan  Financial auditing (such as CIDA, CBA, CSFA, CSCP)
cial Auditing
1_Certification_Frau  Fraud examination (such as CFE)
d Examination
1_Certification_Gove  Government auditing and finance (such as CIPFA, CGFM)
rnment
1_Certification_Infor  Information systems auditing (such as CISA, QiCA, CRISC)
mation Systems
1_Certification_Man  Management and general accounting (such as CMA, CIMA, CGA)
agement
1_Certification_Senio  Advanced or senior professional status (such as FCA, FCCA, FCMA)
r Professional
1_Certification_Risk  Risk management and control self-assessment (such as CRM, CCP,
and Control CCS, CERA, CFRM, CICA, CRCMP, EOCP, PRM)
1_Certification_IT  Security for information technology (IT) (such as CISM, CISSP, CSP,
Security CDP, CISRCP)
1_Certification_Not  Other
Internal Audit Other
1_Certification_Not  None
Internal Audit None
1_Certification_Not  Not applicable
Applicable
14. How many hours of formal training* related to the internal audit Practitioner
profession do you receive per year?
1_Training Hours Hours of training per year: ____
*Formal training meets The IIA criteria for continuing professional education
(CPE), including, but not limited to, seminars, conferences, workshops,
online, or web-based training. Note that you do not need to be certified to
receive formal training.

30
1_Training See Calculated Fields tab for more information.
Hours_Categories_T
BD
2_Your Organization
2_Organization 15. What is the type of organization for which you currently work? Practitioner
Type_General
 Privately held (non-listed) organization
 Publicly traded (listed) organization
 Public sector (including federal, regional, and local government,
government agencies, and government-owned organizations)
 Not-for-profit organization (not related to government)
 Other
2_Organization 15a. In which part of the public sector do you work or provide audit services? Practitioner
Type_Public Sector
 Core government at federal, state, or local level (for example, governing
entities or government departments/agencies)
 Government-operated services (for example, schools, hospitals or mail
delivery)
 Government-owned market enterprise or public sector corporation (for
example, casino, railway, power, or utilities)
 Other
2_Region_Organizati 16. In what region is your organization headquartered? Practitioner
on Headquarters
 Africa
 Asia
 Europe
 Latin America
 United States, Canada, or the Caribbean
 Oceania

31
2_Geographic 17. What is the geographic scope of your organization or government entity? Practitioner
Scope_Organization
 Local (operating in one municipal level body such as a city or county)
 Regional (operating in a province or state within an independent
country)
 National (operating throughout an independent country)
 International or multinational (operating in more than one independent
country)
 Other
2_Industry 18. What is the primary industry classification(s) of the organization for which you Practitioner
work (or your primary client if you are a service provider)?
2_Industry_Agricultu Agriculture, Forestry, Fishing and Hunting
re
2_Industry_Mining Mining, Quarrying, and Oil and Gas Extraction
2_Industry_Utilities Utilities
2_Industry_Construc Construction
tion
2_Industry_Manufac Manufacturing
turing
2_Industry_Wholesal Wholesale Trade
e Trade
2_Industry_Retail Retail Trade
Trade

2_Industry_Transpor Transportation and Warehousing

tation, Warehousing
2_Industry_Informati Information
on
2_Industry_Finance, Finance and Insurance
Insurance

32
2_Industry_Real Real Estate and Rental and Leasing
Estate
2_Industry_Science, Professional, Scientific, and Technical Services
Technical
2_Industry_Manage Management of Companies and Enterprises
ment
2_Industry_Administ Administrative and Support and Waste Management and Remediation Services
ration, Waste
Management
2_Industry_Educatio Educational Services
n
2_Industry_Health Health Care and Social Assistance
Care, Social
Assistance
2_Industry_Arts, Arts, Entertainment, and Recreation
Entertainment,
Recreation
2_Industry_Accomm Accommodation and Food Services
odation, Food
2_Industry_Other Other Services (except Public Administration)
Services
2_Industry_Public Public Administration
Administration
2_Employees_Organi 19. For the entire organization in which you work, what was the approximate Practitioner
zation total number of fulltime equivalent* employees as of the end of the last fiscal
year?
2_Employees_Organi See Calculated Fields tab for more information.
zation_Category
Fulltime equivalent employees: ______

33
 *One fulltime equivalent employee is defined as an individual who works at
the equivalent of the normal working hours expected of an in-house
employee, generally between 1,700 and 2,000 hours per year. Multiple part-
time employees can be combined to equal one full-time equivalent employee.
Revenue, Assets, Expenses
2_Assets 20. What are the approximate total assets* of your organization in U.S. Practitioner
dollars? (Click here for a currency converter.)
(Input whole numbers only, for example, $1 billion would be 1,000,000,000.)
2_Assets_Dollars  Approximate assets in US dollars: _______________________ Practitioner
 Not applicable
 I don't know
*Total assets means the sum of all cash, investments, furniture, fixtures,
equipment, receivables, intangibles, and any other items of value owned by
the organization.
2_Assets_Dollars_Ca See Calculated Fields tab for more information.
tegories
2_Revenue 21. What was the approximate total revenue* of your organization in U.S. Practitioner
dollars for the previous fiscal year? (Click here for a currency converter.)
(Input whole numbers only, for example, $1 billion would be 1,000,000,000.)
2_Revenue_Dollars  Approximate revenue in U.S. dollars: _______________________ Practitioner
 Not applicable
 I don't know
*Total revenue means all the money the organization takes in from its
activities for one year. Public sector or nonprofit organizations, should
answer the question based on their total annual budget.
2_Revenues_Dollars See Calculated Fields tab for more information.
_Categories
2_External Audit Use 22. Does your organization use external auditors to support or perform Practitioner
internal audit work?
 Yes

34
  No
 I don't know
2_External Audit 22a. What were last year's approximate fees paid to external auditors to CAE only
Fees support or perform internal audit work? (Click here for a currency
converter.)
2_External Audit  External audit fees in U.S. dollars: ________ CAE only
Fees_Dollars
 I don't know
2_External Audit See Calculated Fields tab for more information.
Fees_Dollars_Catego
ry
3_Your Internal Audit Department
Internal audit service providers are requested to answer questions based on
their primary, or typical, clients. (Message appeared only to internal audit
service providers.)
Retirees are requested to answer questions based on their most recent
professional employment. (Message appeared only to retirees.)
3_Age of Internal 23. Approximately how many years has the internal audit department been in CAE only
Audit place at your organization?
3_Age of Internal  Number of years: ____ CAE only
Audit_Years
 I don't know
3_Age of Internal See Calculated Fields tab for more information.
Audit_Years_Categor
y
3_Employees_Intern 24. Approximately how many fulltime equivalent* employees make up your Practitioner
al Audit internal audit department?
3_Employees_Intern  Number of fulltime equivalent employees: ______ Practitioner
al Audit_Number
 I don't know

35
 *One full-time equivalent employee is defined as an individual who works at
the equivalent of the normal working hours expected of an in-house
employee, generally between 1,700 and 2,000 hours per year. Multiple part-
time employees can be combined to equal one fulltime equivalent employee.
3_Employees_Intern See Calculated Fields tab for more information.
al
Audit_Number_Cate
gory
3_Employee 25. From last year to this year, how did your permanent staff levels change? CAE only
Change_Internal
Audit_Past
 Increased
 Decreased
 Remained the same
 Not applicable/I don't know
3_Employee 26. In the next calendar year, how do you anticipate that your permanent CAE only
Change_Internal staff levels will change?
Audit_Future
 Increase
 Decrease
 Remain the same
 Not applicable/I don't know
3_Budget 27. From last year to this year, how did your internal audit department budget CAE only
Change_Internal change?
Audit_Past
 Increased
 Decrease
 Remained the same
 Not applicable/I don't know

36
3_Budget Sufficiency 28. In your opinion, how sufficient is the funding for your internal audit CAE only
department relative to the extent of its audit responsibilities?
 Not at all sufficient
 Somewhat sufficient
 Completely sufficient
 Not applicable/I don't know
3_Audit Policy 29. Which of the following internal audit policies or documents exist in your Practitioner
Documents organization? (Choose all that apply.)
3_Audit Policy  Internal audit charter
Documents_Charter
3_Audit Policy  Mission statement for the internal audit department
Documents_Mission
3_Audit Policy  Internal audit operating manual
Documents_Manual
3_Audit Policy  Internal audit strategy description
Documents_Strategy
3_Audit Policy  Code of conduct/ethics
Documents_Ethics
3_Audit Policy  Description of key process indicators (KPIs)
Documents_Key
Process Indicators
 None
 Not applicable/I don't know
4_Staffing
4_Skills Recruiting 30. What skills are you recruiting or building the most in your internal audit CAE only
Top 5 department? (Choose up to five.)
4_Skills Recruiting  Accounting
Top 5_Accounting

37
4_Skills Recruiting  Analytical/critical thinking
Top 5_Analytical
4_Skills Recruiting  Business acumen
Top 5_Business
Acumen
4_Skills Recruiting  Communication skills
Top
5_Communication
4_Skills Recruiting  Cybersecurity and privacy
Top 5_Cybersecurity
4_Skills Recruiting  Data mining and analytics
Top 5_Data Analytics
4_Skills Recruiting  Finance
Top 5_Finance
4_Skills Recruiting  Forensics and investigations
Top 5_Investigation
4_Skills Recruiting  Fraud auditing
Top 5_Fraud
Auditing
4_Skills Recruiting  Industry-specific knowledge
Top 5_Industry
Knowledge
4_Skills Recruiting  Information technology (general)
Top 5_Information
Technology (IT)
4_Skills Recruiting  Legal knowledge
Top 5_Legal
4_Skills Recruiting  Quality controls (Six Sigma; ISO)
Top 5_Quality
Controls

38
4_Skills Recruiting  Risk management assurance
Top 5_Risk
 Other
4_Third Party 31. In the previous calendar year, were some of your organizations' internal CAE only
Internal Audit audit activities provided by a third party (either internal or external to your
Services organization)?
 Yes
 No
 I don't know
 Not applicable
4_Third Party 31a. What percentage of your organizations' internal audit activities were CAE only
Internal Audit performed by a third party in the past calendar year?
Services_Follow-Up
4_Third Party  Percent of internal audit activities: _______ CAE only
Internal Audit
Services_Percentage
 I don't know
4_Third Party See Calculated Fields tab for more information.
Internal Audit
Services_Percentage
_Category
4_Third Party 32. How do you anticipate that your budget for third-party internal audit CAE only
Internal Audit resources (either internal or external to your organization) will change in the
Services_Future next year?
 Increase
 Decrease
 Remain the same
 Not applicable
4_Evaluation_Staff_ 33. What method of evaluation do you use for individual staff members? CAE only
Methods (Choose all that apply.)

39
4_Evaluation_Staff_B  By supervisor periodically
y Supervisor
Periodically
4_Evaluation_Staff_B  By supervisor immediately after the activity is complete
y Supervisor
Immediately
4_Evaluation_Staff_B  Feedback from those who were audited
y Auditee
4_Evaluation_Staff_B  Assessment by peers or subordinates
y Peers
4_Evaluation_Staff_S  Self-assessment
elf-Assessment
4_Evaluation_Staff_  Other
Other
 Not applicable
Retirees are requested to answer questions based on their most recent
professional employment. (Message appeared only to retirees.)
4_Bonus 34. Do you have the opportunity to receive a bonus from your employer? Practitioner
 Yes
 No
 Not applicable
4_Bonus_Criteria 34a. What criteria are used to determine the bonus you could receive from Practitioner
your employer? (Choose all that apply.)
4_Bonus_Criteria_Co  Company performance
mpany Performance
4_Bonus_Criteria_Pe  Personal performance
rsonal Performance
4_Bonus_Criteria_Bu  Achieving the budget
dget

40
4_Bonus_Criteria_Au  Completing the audit plan
dit Plan
4_Bonus_Criteria_Ot  Other
her
4_Training for 35. Does your organization have a process in place to rotate staff through the Practitioner
Management_Rotati internal audit department as part of training them for management in other
on parts of the organization?
 No
 Yes, an informal process
 Yes, a formal process
 Not applicable
 I don't know
4_Career Plans 36. In the next five years, what are your career plans related to internal Practitioner
auditing?
 Stay in the internal audit profession (either with my current employer or
with another employer)
 Leave the internal audit profession
 Retire
 Not applicable
 I don't know
5_Internal Audit Department Maturity
The following questions will help to measure the maturity of internal audit
activity in your organization.
Internal audit service providers are requested to answer questions based on
their primary, or typical, clients. (Message appeared only to internal audit
service providers.)
Retirees are requested to answer questions based on their most recent
professional employment. (Message appeared only to retirees.)

41
5_Maturity 37. How are internal audit resources at your organization divided between CAE only
1_Assurance assurance and consulting*?
Consulting Balance
 All resources are spent on assurance.
 Almost all resources are spent on assurance, and few resources are
spent on consulting.
 Resources are equally divided between assurance and consulting.
 Almost all resources are spent on consulting, and few resources are
spent on assurance.
 All resources are spent on consulting.
 I don't know
*Assurance refers to assessments of governance, risk management, and
control processes.
Consulting refers to counsel, advice, facilitation, and training at the request
of the client.
5_Maturity 2_Audit 38. How would you describe the development of the audit plan at your CAE only
Plan Development organization?
 Developed once each year and not changed during the year
 Developed once each year and updated 1 or 2 times per year
 Developed once each year and updated 3 or more times per year as
risks change
 Highly flexible plan matched to the organisation’s changing risk profile
 Other
 Not applicable
5_Maturity 39. How would you describe internal audit operating procedures at your CAE only
3_Operating organization?
Procedures
 Audit procedures are adhoc and not clearly documented.
 Audit procedures are documented in an internal audit manual.

42
  Audit procedures are documented in an internal audit manual and
monitored with manual checks and controls.
 Audit procedures are documented in an internal audit manual and
monitored manually and with software that conducts automated checks and
controls.
 Not applicable
5_Maturity 4_Skill 40. Which skill background is most dominant within the internal audit staff of CAE only
Mix your organization?
 Traditional accounting and auditing skills
 Knowledge of the business and industry of the organization
 An equal mix of traditional auditing skills and industry knowledge
 Not applicable
5_Maturity 5_Risk 41. What kind of risk assessment does internal audit rely upon at your CAE only
Assessment Scope organization?
 A comprehensive risk assessment done by management
 A comprehensive risk assessment done by internal audit
 Focused risk assessments (e.g., only certain risks, such as financial and
compliance) done by internal audit
 Focused risk assessments done by management
 Other
 Not applicable
5_Maturity 6_Risk 42. How frequently does internal audit conduct a risk assessment? CAE only
Assessment
Frequency
 Annual assessment without formal updates
 Annual assessment with periodic formal updates
 Continuous assessment
 Never (Internal audit does not conduct a risk assessment.)
 Other

43
5_Maturity 7_Risk 43. How is your risk assessment maintained? CAE only
Assessment
Maintenance
 Part of a broader governance, risk, and compliance package
 Stand-alone risk package
 Part of an audit management system
 In spreadsheet or database software
 Other
 Not applicable
5_Maturity 8_Use of 44. How would you describe the use of technology to support internal audit CAE only
Information processes at your organization?
Technology
 Primary reliance on manual systems and processes
 Some use of electronic workpapers or other office information
technology tools
 Audit methodology supported by appropriate technology
 Extensive use of technology across the entire audit process, including
data mining and analysis
 Other
 Not applicable
5_Maturity 45. What is the level of formalization for the training program for internal audit CAE only
9_Training for at your organization?
Internal Audit
 Not developed or ad hoc
 Structured and documented
 Not applicable
5_Maturity 46. What is included in the training program for internal audit? (Choose all CAE only
10_Training for that apply.)
Internal Audit Topics
 Onboarding and orientation for new employees

44
  General business competencies (for example, writing skills)
 Internal audit skills (for example, writing audit reports)
 Business knowledge related to the industry and organization
 Critical thinking skills
 Leadership skills
 Other
 Not applicable
5_Maturity 47. How developed is the quality assurance and improvement program CAE only
11_Quality (QAIP) at your organization?
Assurance
 Nonexistent or ad hoc
 In the process of development
 Well-defined, including external quality review
 Well-defined, including external quality review and a formal link to
continuous improvement and staff training activities
 Not applicable
6_Audit Processes
6_Audit 48. What resources do you use to establish your audit plan? (Choose all that CAE only
Planning_Resources apply.)
6_Audit  A risk-based methodology
Planning_Risk-Based
Method
6_Audit  The previous year's audit plan
Planning_Past Year
Plan
6_Audit  Consultations with divisional or business heads
Planning_Business
Head Meetings

45
6_Audit  Analysis of the organization's strategy or business objectives
Planning_Business
Strategy Analysis
6_Audit  Compliance/regulatory requirements
Planning_Regulatory
Compliance
6_Audit  Requests from management
Planning_Manageme
nt Requests
6_Audit  Requests from the audit committee
Planning_Audit
Committee Requests
6_Audit  Requests from external auditors
Planning_External
Auditor Requests
6_Audit  Consultations with external auditors
Planning_External
Auditor Meetings
6_Audit  Other
Planning_Other
6_Audit 49. What percentage of your 2015 audit plan is made up of the following CAE only
Plan_Categories general categories of risk? (Percentages must add to 100%.)
6_Audit Strategic business risks _____
Plan_Categories_Stra
tegic Risks
6_Audit Risk management assurance/effectiveness _____
Plan_Categories_Risk
Management
6_Audit Corporate governance _____
Plan_Categories_Gov
ernance

46
6_Audit Operational _____
Plan_Categories_Ope
rational
6_Audit Compliance/regulatory _____
Plan_Categories_Reg
ulatory Compliance
6_Audit Information technology (IT), not covered in other audits _____
Plan_Categories_Info
rmation Technology
6_Audit Third-party relationships _____
Plan_Categories_Thir
d Parties
6_Audit Crisis management _____
Plan_Categories_Cris
is Management
6_Audit Fraud not covered in other audits _____
Plan_Categories_Fra
ud
6_Audit Cost/expense reduction or containment _____
Plan_Categories_Cos
t Containment
6_Audit General financial _____
Plan_Categories_Fina
ncial
6_Audit Sarbanes-Oxley testing or support (United States only) _____
Plan_Categories_Sar
banes-Oxley (U.S.)
6_Audit Other (in particular, requests, training, etc.) _____
Plan_Categories_Oth
er Requests

47
6_Audit Focus_Next 50. Compared to 2014, indicate whether audit focus on each of the following CAE only
Year areas will increase, not change, or decrease in 2015.
Response Options: Increase; No change; Decrease; Not applicable/I
don't know
6_Audit Focus_Next 1. Strategic business risks
Year_Strategic Risks
6_Audit Focus_Next 2. Risk management assurance/effectiveness
Year_Risk
Management
6_Audit Focus_Next 3. Corporate governance
Year_Governance
6_Audit Focus_Next 4. Operational
Year_Operational
6_Audit Focus_Next 5. Compliance/regulatory
Year_Regulatory
Compliance
6_Audit Focus_Next 6. Information technology (IT), not covered in other audits
Year_Information
Technology
6_Audit Focus_Next 7. Third-party relationships
Year_Third Parties
6_Audit Focus_Next 8. Crisis management
Year_Crisis
Management
6_Audit Focus_Next 9. Fraud, not covered in other audits
Year_Fraud
6_Audit Focus_Next 10. Cost/expense reduction or containment
Year_Cost
Containment

48
6_Audit Focus_Next 11. General financial
Year_Financial
6_Audit Focus_Next 12. Sarbanes-Oxley testing or support (United States only)
Year_Sarbanes-Oxley
(U.S.)
6_External 51. Approximately how many work weeks did the internal audit department at CAE only
Audit_Support your organization spend last year on activities that supported external
Provided audit?
 Up to 1 week
 1 to 4 weeks
 Between 4 weeks and 8 weeks
 More than 8 weeks
 None
 Not applicable
 I don't know
Internal audit service providers are requested to answer questions based on
their primary, or typical, clients. (Message appeared only to internal audit
service providers.)
Retirees are requested to answer questions based on their most recent
professional employment. (Message appeared only to retirees.)
6_Follow Up_Audit 52. If an audit report has findings that need corrective action, who has the Practitioner
Findings primary responsibility to monitor that corrective action has been taken?
 The audited entity/process owner
 The internal audit department
 Both internal audit and the audited entity/process owner
 Other
 Not applicable (There is no formal follow up.)
 I don't know

49
6_Access for 53. In your opinion, to what extent does the internal audit department at your Practitioner
Auditing organization have complete and unrestricted access to employees' property
and records as appropriate for the performance of audit activities?
 All of the time
 Most of the time
 Some of the time
 None of the time
 Not applicable/I don't know
6_Performance 54. In the past calendar year, did your internal audit department conduct Practitioner
Auditing_General performance audits (or value-for-money audits)?
 Yes
 No
 Not applicable/I don't know
54a. What percentage of internal audit resources were used to conduct Practitioner
performance audits (or value-for-money audits) in the past calendar year?
6_Performance  Percentage of resources: _____ Practitioner
Auditing_Percentage
6_Performance  I don't know
Auditing_Don't
Know
6_Performance See Calculated Fields tab for more information.
Auditing_Category
6_Fraud Detection 55. What degree of responsibility does internal audit have for detecting fraud Practitioner
in your organization?
 All of the responsibility
 Most of the responsibility
 Some of the responsibility
 None of the responsibility
 Not applicable/I don't know

50
6_Fraud Prevention 56. What degree of responsibility does internal audit have for preventing Practitioner
fraud in your organization?
 All of the responsibility
 Most of the responsibility
 Some of the responsibility
 None of the responsibility
 Not applicable/I don't know
6_Strategic 57. To what extent do you believe your internal audit department is aligned CAE only
Alignment with with the strategic plan of your organization?
Organization
 Fully aligned
 Almost fully aligned
 Somewhat aligned
 Minimally aligned
 Not aligned
 My organization's strategic plan is not clearly defined.
 I don't know
7_Risk — General
7_Risk 58. What is your organization's level of development for its risk management CAE only
Management_Organ processes?
ization Wide
 No risk management processes are in place.
 Risk management processes are informal or just developing.
 Formal risk management processes and procedures are in place.
 The organization has a formal enterprise risk management (ERM)
process with a chief risk officer or equivalent.
 Not applicable
 I don't know

51
7_ERM and Internal 59. What is the relationship between internal audit and enterprise risk Practitioner
Audit Relationship management (ERM) at your organization?
 Internal audit and ERM are separate functions, and they do not interact.
 Internal audit and ERM are separate functions, but they coordinate and
share knowledge.
 Internal audit is responsible for the current ERM function, but
responsibility will be transferred to another department in the future.
 Internal audit is responsible for the organization’s ERM function.
 Not applicable
 I don’t know
7_Risk 60. What areas of responsibility does internal audit have related to risk at Practitioner
Responsibilities your organization? (Choose all that apply.)
7_Risk  Provide assurance on individual risks
Responsibilities_Indi
vidual Assurance
7_Risk  Provide assurance on risk management as a whole
Responsibilities_Over
all Assurance
7_Risk  Provide advice and consulting on risk management activities
Responsibilities_Cons
ulting
7_Risk  My organization doesn't follow a risk-based approach.
Responsibilities_Not
applicable
7_Risk  Other
Responsibilities_Oth
er
Internal audit service providers are requested to answer questions based on
their primary, or typical, clients. (Message appeared only to internal audit
service providers.)

52
 Retirees are requested to answer questions based on their most recent
professional employment. (Message appeared only to retirees.)
7_Combined 61. Has your organization implemented a formal combined assurance* Practitioner
Assurance_Impleme model?
ntation
 Yes, implemented now
 Yes, but not yet approved by the board or audit committee
 No, but plan to adopt one in the next 2 to 3 years
 No, and do not have plans to adopt one in the next 2 to 3 years
 Not applicable
 I don't know. I am not familiar with the combined assurance model.
*Combined assurance can be defined as “integrating and aligning assurance
processes in a company to maximise risk and governance oversight and
control efficiencies, and optimise overall assurance to the audit and risk
committee, considering the company’s risk appetite” —From the King Report
on Governance for South Africa and the King Code of Governance Principles
(commonly known as King III)
7_Combined 62. Does internal audit at your organization issue a written combined Practitioner
Assurance_Report assurance assessment as part of the combined assurance initiative?
 Yes
 No
 Not applicable
 I don't know
7_Three Lines of 63. Does your organization follow the three lines of defense model* as Practitioner
Defense_Recognitio articulated by The IIA?
n
 Yes, and internal audit is considered the third line of defense.
 Yes, but internal audit is considered the second line of defense in our
organization.
 Yes, but the distinction between the second and third line of defense is
not clear.

53
  No, my organization does not follow this model.
 No, this model is not applicable for my organization.
 I am not familiar with the three lines of defense model.
 Other
*This model is decribed in The IIA position paper titled "The Three Lines of
Defense in Effective Risk Management and Control" (released January
2013).
8_Top Five Risks
8_Risk_Top 5_Audit 64. Please identify the top five risks on which your audit committee (or CAE Only
Committee equivalent) is focusing the greatest level of attention in 2015.
8_Risk_Top 5_Audit  Strategic business risks
Committee_Strategic
Risks
8_Risk_Top 5_Audit  Risk management assurance/effectiveness
Committee_Risk
Management
8_Risk_Top 5_Audit  Corporate governance
Committee_Governa
nce
8_Risk_Top 5_Audit  Operational
Committee_Operatio
nal
8_Risk_Top 5_Audit  Compliance/regulatory
Committee_Regulato
ry Compliance
8_Risk_Top 5_Audit  Information technology (IT), not covered in other audits
Committee_Informat
ion Technology

54
8_Risk_Top 5_Audit  Third-party relationships
Committee_Third
Parties
8_Risk_Top 5_Audit  Crisis management
Committee_Crisis
Management
8_Risk_Top 5_Audit  Fraud, not covered in other audits
Committee_Fraud
8_Risk_Top 5_Audit  Cost/expense reduction or containment
Committee_Cost
Containment
8_Risk_Top 5_Audit  General financial
Committee_Financial
8_Risk_Top 5_Audit  Sarbanes-Oxley testing or support (United States only)
Committee_Sarbane
s-Oxley (U.S.)
8_Risk_Top 5_Audit  Other
Committee_Other
8_Risk_Top 5_Audit  I'm not sure
Committee_Not Sure
8_Risk_Top 65. Please identify the top five risks on which your executive management is CAE Only
5_Management focusing the greatest level of attention in 2015.
8_Risk_Top  Strategic business risks
5_Management_Stra
tegic Risks
8_Risk_Top  Risk management assurance/effectiveness
5_Management_Risk
Management

55
8_Risk_Top  Corporate governance
5_Management_Gov
ernance
8_Risk_Top  Operational
5_Management_Ope
rational
8_Risk_Top  Compliance/regulatory
5_Management_Reg
ulatory Compliance
8_Risk_Top  Information technology (IT), not covered in other audits
5_Management_Info
rmation Technology
8_Risk_Top  Third-party relationships
5_Management_Thir
d Parties
8_Risk_Top  Crisis management
5_Management_Crisi
s Management
8_Risk_Top  Fraud, not covered in other audits
5_Management_Frau
d
8_Risk_Top  Cost/expense reduction or containment
5_Management_Cost
Containment
8_Risk_Top  General financial
5_Management_Fina
ncial
8_Risk_Top  Sarbanes-Oxley testing or support (United States only)
5_Management_Sar
banes-Oxley (U.S.)

56
8_Risk_Top  Other
5_Management_Oth
er
8_Risk_Top  I'm not sure
5_Management_Not
Sure
8_Risk_Top 66. Please identify the top five risks on which your internal audit department CAE Only
5_Internal Audit is focusing the greatest level of attention in 2015.
8_Risk_Top  Strategic business risks
5_Internal
Audit_Strategic Risks
8_Risk_Top  Risk management assurance/effectiveness
5_Internal Audit_Risk
Management
8_Risk_Top  Corporate governance
5_Internal
Audit_Governance
8_Risk_Top  Operational
5_Internal
Audit_Operational
8_Risk_Top  Compliance/regulatory
5_Internal
Audit_Regulatory
Compliance
8_Risk_Top  Information technology (IT), not covered in other audits
5_Internal
Audit_Information
Technology
8_Risk_Top  Third-party relationships
5_Internal
Audit_Third Parties

57
8_Risk_Top  Crisis management
5_Internal
Audit_Crisis
Management
8_Risk_Top  Fraud, not covered in other audits
5_Internal
Audit_Fraud
8_Risk_Top  Cost/expense reduction or containment
5_Internal
Audit_Cost
Containment
8_Risk_Top  General financial
5_Internal
Audit_Financial
8_Risk_Top  Sarbanes-Oxley testing or support (United States only)
5_Internal
Audit_Sarbanes-
Oxley (U.S.)
8_Risk_Top  Other
5_Internal
Audit_Other
8_Risk_Top  I'm not sure
5_Internal Audit_Not
Sure
9_Organizational Governance
Internal audit service providers are requested to answer questions based on
their primary, or typical, clients. (Message appeared only to internal audit
service providers.)
Retirees are requested to answer questions based on their most recent
professional employment. (Message appeared only to retirees.)

58
9_Governance 67. In your opinion, how much support does internal audit have from the CAE Only
Review_Board board of directors (or equivalent) to review the organization's governance
Support policies and procedures?
 Complete support
 Some support
 No support
 Not applicable
 I don't know
9_Legal Mandate for 68. Is the existence of an internal audit department mandated by law for your Practitioner
Internal Audit organization?
 Yes
 No
 I don't know
9_Integrated 69. Does your organization plan to create an annual integrated report based Practitioner
Reporting_Status on the International Integrated Reporting (< IR >) Framework?*
 Yes, this year
 Yes, at some point in the next 2 to 3 years
 Yes, at an unspecified point in the future
 No
 I am not familiar with the Integrated Reporting (< IR >) Framework.
 I don't know
*The < IR > Framework (2013) identifies information to be included in an
integrated report.
9_Sustainability 70. Does your organization plan to release a report on sustainability*? Practitioner
Reporting_Status
 Yes, this year
 Yes, at some point in the next 2 to 3 years
 Yes, at an unspecified point in the future
 No

59
  I don't know
*Sustainability is defined as the ability of the organization and its environment
(social, economic, and natural) to survive in the long-term.
9_Governance 71. Which organizational governance documents exist in your organization? Practitioner
Documents (Choose all that apply.)
9_Governance  Organizational ethics policy, code of ethics, or code of conduct
Documents_Ethics
9_Governance  Audit committee charter
Documents_Audit
Committee Charter
9_Governance  Board or supervisory committee charter
Documents_Board
Charter
9_Governance  Organizational governance code
Documents_Governa
nce Code
9_Governance  Long-term strategic plan for the organization
Documents_Strategic
Plan
9_Governance  Other
Documents_Other
9_Governance  None
Documents_None
9_Governance  Not applicable/I don't know
Documents_Not
applicable
9_Governance 72. What is the extent of activity for your internal audit department related to CAE Only
Reviews_ Activity governance reviews?
Level
Response Options: 1-None, 2-Minimal, 3-Moderate, 4-Extensive, Not
applicable/I don't know

60
9_Governance 1. Reviews of governance policies and procedures in general
Reviews_Policies_Ge
neral
9_Governance 2. Reviews of governance policies and procedures related to the
Reviews_Policies_IT organization's use of information technology (IT) in particular
9_Governance 3. Due diligence audits for acquisition and/or divestiture
Reviews_Acquisition,
Divestiture
9_Governance 4. Audits of the internal operations of external providers of major services
Reviews_External
Providers
9_Governance 5. Ethics-related audits
Reviews_Ethics
9_Governance 6. Reviews addressing linkage of strategy and performance
Reviews_Strategy,
Performance
9_Governance 7. Executive compensation assessments
Reviews_Executive
Compensation
9_Governance 8. Environmental sustainability audits
Reviews_Sustainabili
ty
10_Reporting Lines
10_Reporting 73. What is the primary ADMINISTRATIVE* reporting line for the chief audit CAE Only
Line_Administrative executive (CAE) or equivalent in your organization?
 Audit committee, or equivalent
 Board of directors
 General or legal counsel
 Chief executive officer (CEO), president, head of government agency

61
  Chief financial offier (CFO), vice president of finance
 Chief risk officer (CRO), or equivalent
 Chief compliance officer (CCO), or equivalent
 Chief operating officer (COO)
 Controller or financial director
 Other
 Not applicable
 I don't know
*Administrative reporting refers to oversight of day-to-day matters, including
budgeting, human resource administration, communication, internal policies
and procedures.
10_Reporting 74. What is the primary FUNCTIONAL* reporting line for the chief audit CAE Only
Line_Functional executive (CAE) or equivalent in your organization?
 Audit committee, or equivalent
 Board of directors
 General or legal counsel
 Chief executive officer (CEO), president, head of government agency
 Chief financial offier (CFO), vice president of finance
 Chief risk officer (CRO), or equivalent
 Chief compliance officer (CCO), or equivalent
 Chief operating officer (COO)
 Controller or financial director
 Other
 Not applicable
 I don't know
*Functional reporting refers to oversight of the responsibilities of the internal
audit function, including approval of the internal audit charter, the audit plan,
evaluation of the CAE, compensation for the CAE.

62
10_CAE 75. Who makes the final decision for the appointment of the chief audit CAE Only
Appointment_Gener executive (CAE) or equivalent?
al
 Board, or supervisory committee
 Chair of the board or supervisory committee
 Chief executive officer (CEO), president, or head of government agency
 Audit committee
 Chair of the audit committee
 Chief operating officer (COO)
 Chief financial officer (CFO), or vice president of finance
 Other
 Not applicable
 I don't know
10_CAE 76. Who is ultimately responsible for the performance evaluation of the chief CAE Only
Evaluation_General audit executive (CAE), or head of internal audit, at your organization?
 Board, or supervisory committee
 Chair of the board or supervisory committee
 Chief executive officer (CEO), president, or head of government agency
 Audit committee
 Chair of the audit committee
 Chief operating officer (COO)
 Chief financial officer (CFO), or vice president of finance
 Senior management
 The CAE is not evaluated.
 Other
 Not applicable/I don't know
10_CAE 75a. Who makes the final decision for the appointment of the internal audit CAE Only
Appointment_Servic service provider at your organization?
e Provider

63
  Board or supervisory committee
 Chair of the board or supervisory committee
 Chief executive officer (CEO), president, or head of government agency
 Audit committee
 Chair of the audit committee
 Chief operating officer (COO)
 Chief financial officer (CFO), or vice president of finance
 Chief audit executive (CAE), or equivalent
 Other
 I don't know.
10_CAE 76a. Who is ultimately responsible for the performance evaluation of the CAE Only
Evaluation_Service internal audit service provider at your organization?
Provider
 Board, or supervisory committee
 Chair of the board or supervisory committee
 Chief executive officer (CEO), president, or head of government agency
 Audit committee
 Chair of the audit committee
 Chief operating officer (COO)
 Chief financial officer (CFO), or vice president of finance
 Chief audit executive (CAE), or equivalent
 Senior management
 The CAE is not evaluated.
 Other
 Not applicable/I don't know
10_Pressure to 77. During your internal audit career, have you experienced a situation where Practitioner
Change you were directed to suppress, or significantly modify, a valid internal audit
Findings_Incidents finding or report?
 Never

64
  1 to 2 times
 3 to 5 times
 More than 5 times
 Not applicable
 I would prefer not to answer.
10_Pressure to 77a. Would you say you have been directed to suppress, or significantly Practitioner
Change modify, a valid internal audit finding or report on a regular basis (at least once
Findings_Frequency a year)?
 Yes
 No
 I would prefer not to answer
10_Pressure to 77b. What was the source of the pressure when you were directed to Practitioner
Change suppress, or significantly modify, a valid internal audit finding or report?
Report_Source (Choose all that apply.)
10_Pressure to  Audit committee
Change
Report_Source_Audi
t Committee
10_Pressure to  Board of directors
Change
Report_Source_Boar
d
10_Pressure to  Chief compliance officer (CCO)
Change
Report_Source_Com
pliance Officer
10_Pressure to  Chief executive office (CEO)
Change
Report_Source_CEO

65
10_Pressure to  Chief financial officer (CFO)
Change
Report_Source_Fina
ncial Officer
10_Pressure to  Chief risk officer (CRO)
Change
Report_Source_Risk
Officer
10_Pressure to  Legal or general counsel
Change
Report_Source_Legal
10_Pressure to  Operations management
Change
Report_Source_Man
agement
10_Pressure to  Internal audit department
Change
Report_Source_Inter
nal Audit
10_Pressure to  Other internal source
Change
Report_Source_Othe
r Internal
10_Pressure to  Source external to the organization
Change
Report_Source_Othe
r External
10_Pressure to  I prefer not to answer
Change
Report_Source_No
Answer
11_Audit Committee
66
 Internal audit service providers are requested to answer questions based on
their primary, or typical, clients. (Message appeared only to internal audit
service providers.)
Retirees are requested to answer questions based on their most recent
professional employment. (Message appeared only to retirees.)
11_Audit 78. Is there an audit committee or equivalent in your organization? Practitioner
Committee_Existenc
e
 Yes
 No
 I don't know
11_Audit Committee 78a. Approximately how many formal audit committee meetings were held in CAE Only
Meetings_Follow Up the last fiscal year (including in-person meetings, telephone meetings, online
meetings, and so on)?
 Number of meetings:
11_Audit Committee _________ [input field for number of meetings] CAE Only
Meetings_Number
 I don't know
11_Audit Committee See Calculated Fields tab for more information.
Meetings_Number_C
ategory
11_Audit Committee 78b. Approximately how many formal audit committee meetings was the CAE Only
Meetings with CAE chief audit executive (CAE), or director, invited to attend (entirely or in part)
during the last fiscal year?
11_Audit Committee  Number of meetings: ____ CAE Only
Meetings with
CAE_Number
 I don't know
11_Audit Committee See Calculated Fields tab for more information.
Meetings with

67
CAE_Number_Categ
ory
11_Audit Committee 78c. Does the chief audit executive (CAE), or director, meet at least once per CAE Only
Meetings with CAE, year with the audit committee in executive sessions with no member of
No Management management present?
 Yes
 No
 Not applicable
 I don't know
12_Internal Audit Competencies
This section of the survey has questions about the key competencies of
internal auditing. Estimate your proficiency for each competency using the
following scale:
1- Novice — Can perform routine tasks with direct supervision
2- Trained — Can perform routine tasks with limited supervision
3- Competent — Can perform routine tasks independently
4- Advanced — Can perform advanced tasks independently
5- Expert — Can perform complex advanced tasks independently
Not applicable — This skill is not applicable in my role.
79. Internal Audit Management Competencies:
12_Resource 79-1. Manage internal audit resources (individually or as a manager) Practitioner
Management
12_Advocating 79-2. Advocate the value of the internal audit activity Practitioner
Internal Audit Value
12_Staff 79-3. Foster the professional development of internal audit staff Practitioner
Development
12_Workforce Plan 79-4. Develop and implement an effective workforce plan for the internal Practitioner
audit department
80. The IIA's International Professional Practices Framework:

68
12_Internal Audit 80-1. Maintain knowledge of The IIA's International Professional Practices Practitioner
Standards Framework (IPPF)
Knowledge
12_Internal Audit 80-2. Apply The IIA's International Professional Practices Framework (IPPF) Practitioner
Standards Applied to activities
12_Quality Program 80-3. Maintain a Quality Assurance and Improvement Program (QAIP) for Practitioner
Implemented internal audit
81. Governance, Risk, and Compliance:
12_Governance 81-1. Apply the organization’s governance framework in audit engagements Practitioner
Framework Applied
in Audits
12_Risk Framework 81-2. Apply the organization’s risk framework in audit engagements Practitioner
Applied in Audits
12_Compliance 81-3. Apply the organization’s compliance framework in audit engagements Practitioner
Framework Applied
in Audits
12_Fraud Awareness 81-4. Support fraud risk awareness Practitioner
Supported
12_Regulary 81-5. Maintain knowledge of regulatory standards related to the organization Practitioner
Standards
Knowledge
82. Business Judgment:
12_Internal Control 82-1. Apply understanding of the organization’s internal control risks Practitioner
Risks Applied
12_Strategic Risks 82-2. Apply understanding of the organization’s strategic risks Practitioner
Applied
12_Governance 82-3. Apply understanding of the organization’s governance risks Practitioner
Risks Applied
12_Industry 82-4. Apply understanding of the organization’s industry and economic Practitioner
Knowledge Applied factors affecting it

69
12_Business 82-5. Apply understanding of the organization’s business objectives Practitioner
Objectives Applied
83. Ethics:
12_Ethics Code 83-1. Comply with The IIA’s Code of Ethics Practitioner
Compliance
12_Ethics, Fraud 83-2. Incorporate ethics and fraud considerations in audit engagements Practitioner
Applied in Audits
12_Confidentiality 83-3. Maintain confidentiality Practitioner
Maintained
12_Objectivity 83-4. Maintain objectivity Practitioner
Maintained
84. Communication:
12_Verbal 84-1. Use verbal communication skills effectively Practitioner
Communication
12_Written 84-2. Use written communication skills effectively Practitioner
Communication
12_Listening Skills 84-3. Use listening communication skills effectively Practitioner
85. Persuasion and Collaboration:
12_Collaboration 85-1. Collaborate with others Practitioner
12_Building 85-2. Persuade and build consensus Practitioner
Consensus
12_Demonstrating 85-3. Demonstrate leadership Practitioner
Leadership
12_Building 85-4. Build relationships Practitioner
Relationships
86. Critical Thinking:
12_Data Collection 86-1. Use appropriate data collection tools to create audit efficiency Practitioner
12_Data Analysis 86-2. Use data analysis to reach meaningful conclusions Practitioner
12_Problem-Solving 86-3. Apply problem-solving techniques to address issues Practitioner

70
12_Business Strategy 86-4. Apply understanding of the organization's business objectives and Practitioner
Applied to Issues strategy
87. Internal Audit Delivery:
12_Risk 87-1. Identify and prioritize key risks to prepare for a quality audit Practitioner
Identification, engagement
Prioritization
12_Planning Audit 87-2. Plan the audit work program and timeline Practitioner
12_Collecting 87-3. Collect evidence to effectively meet audit objectives Practitioner
Evidence
12_Using Evidence 87-4. Document and organize audit evidence to support audit engagement Practitioner
to Support Results results
12_Identifying Root 87-5. Identify root causes of issues in the audit engagement Practitioner
Causes
12_Expressing Audit 87-6. Express audit findings effectively Practitioner
Findings
12_Monitoring 87-7. Establish process to monitor completion of management actions Practitioner
Management
Actions
88. Improvement and Innovation:
12_Adapting Audit 88-1. Adapt audit plans to support organizational change Practitioner
Plan to Change
12_Innovation for 88-2. Develop innovative approaches to enhance internal audit activity Practitioner
Internal Audit
12_Personal 88-3. Pursue personal and professional development goals Practitioner
Professional
Development
13_Value and Performance Measures
13_Value_Top 89. In your opinion, which are the five internal audit activities that bring the CAE Only
5_Activities most value to your organization. (Choose up to five.)

71
13_Value_Top 89-1.  Assuring the adequacy and effectiveness of the internal control
5_Internal Control system
Assurance
13_Value_Top 5_Risk 89-2.  Assuring the organization's risk management processes
Management
Assurance
13_Value_Top 89-3.  Assuring the organization's governance processes
5_Governance
Assurance
13_Value_Top 89-4.  Assuring regulatory compliance
5_Regulatory
Compliance
Assurance
13_Value_Top 89-5.  Identifying emerging risks
5_Emerging Risks
13_Value_Top 89-6.  Leading the enterprise risk management process
5_Leading ERM
Value_Top 89-7.  Testing management's assessment of controls
5_Management's
Assessment
13_Value_Top 89-8.  Mining and analyzing data for management
5_Data Analysis
13_Value_Top 89-9.  Investigating or deterring fraud
5_Fraud
13_Value_Top 89-10.  Recommending business improvement
5_Business
Improvement
13_Value_Top 89-11.  Informing and advising management
5_Advising
Management

72
13_Value_Top 89-12.  Informing and advising the audit committee
5_Advising Audit
Committee
13_Value_Top 89-13.  Informing key stakeholders
5_Informing
Stakeholders
13_Value_Top 89-14.  Supporting external auditors
5_Supporting
External Audit
13_Value_Top 89-15.  Other
5_Other
13_Value_Top 5_Not 89-16.  Not applicable
Applicable
13_Performance 90. What specific measures does your organization use to evaluate the CAE Only
Measures Used performance of its internal audit activity? (Choose all that apply.)
13_Performance  Percentage of audit plan complete
Measures_Audit Plan
Complete
13_Performance  Budget to actual audit hours
Measures_Hours
Budgeted
13_Performance  Completion of mandated coverage
Measures_Completio
n of Mandate
13_Performance  Timely closure of audit issues
Measures_Closure
Time for Issues
13_Performance  Cycle time from entrance conference to draft report
Measures_Time to
Create Draft Report

73
13_Performance  Cycle time from end of fieldwork to final report
Measures_Time to
Create Final Report
13_Performance  Client satisfaction goals
Measures_Client
Satisfaction
13_Performance  The fulfillment of specific expectations set and agreed to with key
Measures_Stakehold stakeholders
er Expectations
13_Performance  Performance against the internal audit financial budget
Measures_Financial
Budget
13_Performance  Other
Measures_Other
13_Performance  I don't know
Measures_I don't
know
13_Performance  We have not established formal performance measures.
Measures_None
13_Performance 91. Which of the following methodologies and tools do you use to support CAE Only
Support Methods your quality and performance processes? (Choose all that apply.)
13_Performance  Balanced scorecard
Support_Balanced
Scorecard
13_Performance  Surveys of audit clients
Support_Audit Client
Surveys
13_Performance  Surveys of key stakeholders
Support_Stakeholder
Surveys

74
13_Performance  Internal quality assessments initiated by internal audit
Support_Internal
Quality Assessment
13_Performance  External quality assessments initiated by internal audit
Support_External
Quality Assessment
13_Performance  Peer reviews
Support_Peer
Review
13_Performance  Reviews from external regulators
Support_External
Regulator Review
13_Performance  Reviews by your organization's internal quality assurance function
Support_Quality
Review_General
13_Performance  Other
Support_Other
13_Performance  Not applicable
Support_Not
applicable
14_Auditing Technology Risks
Internal audit service providers are requested to answer questions based on
their primary, or typical, clients. (Message appeared only to internal audit
service providers.)
Retirees are requested to answer questions based on their most recent
professional employment. (Message appeared only to retirees.)
14_IT (Information 92. For information technology (IT) security in particular, what is the extent of Practitioner
Technology) the activity for your internal audit department related to the following areas?
Security_Activity_Ac
tivity

75
 Response Options: 1-None, 2-Minimal, 3-Moderate, 4-Extensive, Not
applicable/I don't know
14_IT 92-1. Audits of general information technology (IT) risks
Security_Activity_Ge
neral
14_IT 92-2. Audits of the cybersecurity of your organization's electronically held
Security_Activity_Ele information
ctronic
14_IT 92-3. Audits of the physical security of your organization's major data centers
Security_Activity_Ph
ysical
14_IT 92-4. Audits of the management, use, and access of mobile devices owned
Security_Activity_Mo by individuals or your organization
bile Devices
14_IT 92-5. Audits of the organization's procedures for how employees use social
Security_Activity_Soc media
ial Media
14_IT 92-6. Audits of the security of your organization's internal intranet
Security_Activity_Intr
anet
14_IT 92-7. Audits of the security of your organization's external websites
Security_Activity_We
bsites
14_IT (Information 93. In your opinion, what is the level of inherent risk at your organization for Practitioner
Technology)_Emergi the following emerging information technology (IT) areas?
ng Risk Level
Response Options: 1-None, 2-Minimal, 3-Moderate, 4-Extensive, Not
applicable/I don't know
14_IT_Emerging Risk 93-1. Big data reliability
Level_Big Data

76
14_IT_Emerging Risk 93-2. Virtual server reliability
Level_Virtual Server
14_IT_Emerging Risk 93-3. Detection of imbedded malware in hardware
Level_Malware
14_IT_Emerging Risk 93-4. Firewall reliability
Level_Firewall
14_IT_Emerging Risk 93-5. Use of secure coding
Level_Secure Coding
14_IT_Emerging Risk 93-6. Data breaches that can damage organization’s brand
Level_Data Breaches
14_IT_Emerging Risk 93-7. Online disruptions that can damage the organization’s brand
Level_Online
Disruption
14_IT_Emerging Risk 93-8. Service-oriented architecture reliability
Level_Architecture
14_IT (Information 94. In the next two to three years, do you think the internal audit activity Practitioner
Technology) related to these technology areas will increase, decrease, or stay the same?
Audits_Future
Response Options: Increase; Decrease, Stay the same
14_IT 94-1. Audits of the cybersecurity of your organization's electronically held
Audits_Future_Electr information
onic Security
14_IT 94-2. Audits of the physical security of your organization's major data centers
Audits_Future_Physi
cal Security
14_IT 94-3. Audits of disaster recovery, contingency planning, or crisis
Audits_Future_Disast management
er Recovery

77
14_IT 94-4. Audits/project management assurance of major projects
Audits_Future_Proje
ct Assurance
14_IT 94-5. Audits of the organization's procedures for how employees use social
Audits_Future_Social media related to the organization
Media
14_IT 94-6. Audits of the control over the quality of the organization's data
Audits_Future_Data
Quality
14_IT 94-7. Audits of the security of your organization's external websites
Audits_Future_Webs
ites
14_IT 94-8. Audits of IT procurement, including third parties or outsourced services
Audits_Future_IT
Procurement
15_Internal Audit Use of Information Technology
Internal audit service providers are requested to answer questions based on
their primary, or typical, clients. (Message appeared only to internal audit
service providers.)
Retirees are requested to answer questions based on their most recent
professional employment. (Message appeared only to retirees.)
15_Internal Audit 95. What is the extent of activity for your internal audit department related to Practitioner
Use of IT the use of the following information technology (IT) tools and techniques?
(Information
Technology)
Response Options: 1-None, 2-Minimal, 3-Moderate, 4-Extensive, Not
applicable/I don't know
15_Internal Audit 95-1. A software or a tool for internal audit risk assessment
Use of IT_Risk
Assessment

78
15_Internal Audit 95-2. An automated tool for internal audit planning and scheduling
Use of IT_Audit
Planning
15_Internal Audit 95-3. A software or tool for data mining
Use of IT_Data
Mining
15_Internal Audit 95-4. An automated tool for data analytics
Use of IT_Data
Analytics
15_Internal Audit 95-5. Computer-assisted audit technique (CAAT)
Use of IT_CAAT
15_Internal Audit 95-6. Continous/real-time auditing
Use of IT_Continuous
Auditing
15_Internal Audit 95-7. Electronic workpapers
Use of
IT_Workpapers
15_Internal Audit 95-8. Flowchart or process mapping software
Use of
IT_Flowcharting
15_Internal Audit 95-9. Internal quality assessments using an automated tool
Use of IT_Quality
Assessment
15_Internal Audit 95-10. An automated tool to monitor and track audit remediation and follow
Use of IT_Audit up
Remediation
15_Internal Audit 95-11. An automated tool to manage the information collected by internal
Use of audit
IT_Information
Management

79
15_Data Usage 96. Does your internal audit department use data mining or data analytics for Practitioner
the following activities? (Choose all that apply.)
15_Data  Tests of entire populations rather than sampling
Usage_Population
Tests
15_Data  Tests for regulatory compliance
Usage_Regulatory
Compliance
15_Data  Identification of possible frauds
Usage_Fraud
Identification
15_Data Usage_Risk,  Potential issues discovered through risk or control monitoring
Control Monitoring
15_Data  Business improvement opportunities
Usage_Business
Improvement
15_Data  Other
Usage_Other
15_Outsourced Data 97. What percentage of the data analysis activities for internal audit is Practitioner
Analysis performed outside of your internal audit department?
15_Outsourced Data  Percentage: _______ Practitioner
Analysis_Percentage
 Not applicable
 I don't know
15_Outsourced Data See Calculated Fields tab for more information.
Analysis_Percentage
_Category
16_Internal Audit Standards
16_Standards Usage 98. Does your organization use the International Standards for the Practitioner
Professional Practice of Internal Auditing (Standards)?

80
  Yes, all of the Standards
 Partial yes, some of the Standards
 No
 I don't know
16_Standards 99. Is your organization in conformance with the Standards? Practitioner
Conformance
Response options: Yes, full conformance; Yes, partial conformance;
No, not in conformance; I don't know
16_Standards 1000 – Purpose, Authority, and Responsibility
Conformance_1000
16_Standards 1100 – Independence and Objectivity
Conformance_1100
16_Standards 1130 – Impairment to Independence or Objectivity
Conformance_1130
16_Standards 1200 – Proficiency and Due Professional Care
Conformance_1200
16_Standards 1300 – Quality Assurance and Improvement Program
Conformance_1300
16_Standards 2000 – Managing the Internal Audit Activity
Conformance_2000
16_Standards 2100 – Nature of Work
Conformance_2200
16_Standards 2200 – Engagement Planning
Conformance_2200
16_Standards 2300 – Performing the Engagement
Conformance_2300
16_Standards 2400 – Communicating Results
Conformance_2400

81
16_Standards 2500 – Monitoring Progress
Conformance_2500
16_Standards 2600 – Communicating the Acceptance of Risks
Conformance_2600
16_Standards 99a. What are the reasons for not conforming with all of the Standards? Practitioner
Nonconformance_Re (Choose all that apply.)
asons
16_Standards  Standards are too complex
Nonconformance_To
o Complex
16_Standards  Not appropriate for small organizations
Nonconformance_Or
ganization Smallness
16_Standards  Lack of perceived benefit compared to cost
Nonconformance_La
ck of Benefit
16_Standards  Too time-consuming
Nonconformance_Ti
me-Consuming
16_Standards  Superseded by local/government regulations or standards
Nonconformance_Lo
cal Standards
Supercede
16_Standards  Not appropriate for my industry
Nonconformance_No
t Right for Industry
16_Standards  Compliance not supported by management/board
Nonconformance_La
cked Support

82
16_Standards  Inadequate internal audit staff
Nonconformance_St
aff Size
16_Standards  Conformance not expected in my country
Nonconformance_Na
tional Expectations
16_Standards  Not available in my local language
Nonconformance_La
nguage Barrier
16_Standards  Not aware of the Standards
Nonconformance_No
t Aware of Standards
16_Standards  Other
Nonconformance_Ot
her
16_Standards  I don't know
Nonconformance_Do
n't Know
16_Quality Program 100. What components of a Quality Assurance and Improvement Program Practitioner
Components (QAIP) have been implemented in your internal audit department? (Choose
Implemented all that apply.)
16_Quality  Ongoing internal assessment (Standard 1311)
Component_Ongoing
Internal Assessment
16_Quality  Periodic internal assessment (Standard 1311)
Component_Periodic
Internal Assessment
16_Quality  External assessment at least once every five years (Standard 1312)
Component_External
Assessment

83
16_Quality  Reporting on the program to the board at least annually (Standard 1320)
Component_Reporti
ng Quality to Board
16_Quality  Disclosure of nonconformance (Standard 1322)
Component_Disclosi
ng Nonconformance
16_Quality  None
Component_None
16_Quality  Not applicable
Component_Not
Applicable
16_Quality  I don't know
Component_Don't
Know

84
About The IIA Research Foundation
CBOK is administered through The IIA Research Foundation (IIARF), which has provided groundbreaking research for the internal audit
profession for the past four decades. Through initiatives that explore current issues, emerging trends, and future needs, The IIARF has been a
driving force behind the evolution and advancement of the profession.

The IIARF publishes this document for information and educational purposes only. IIARF does not provide legal or accounting advice and
makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise,
professional assistance should be sought and retained.

Copyright © 2015 by The Institute of Internal Auditors Research Foundation (IIARF). All rights reserved. For permission to reproduce or
quote, please contact research@theiia.org.

For more information, visit:

www.theiia.org/Research.

85