Heads of Internal Audit Service Benchmarking Report

Document Control

Introduction

This report contains an analysis of results for the survey entitled: Document Control. The survey asks heads of internal audit to comment on the way their organisations identify, structure, approve, issue and coordinate controlled documents.

The results include answers from all respondents who took the survey in the 14 day period from Wednesday, 2 to Tuesday 16. A total of 23 completed responses were received to the survey during this time.

The majority of responses have come from organisations based in the UK and Ireland with a 2:1 split between the private and public sectors. Many of the private sector companies operate on an international basis with operations in the European Union (65%), North America (57%) and Asia (52%).

The size and turnover of participating organisations is broad. The largest groupings are organisations with 2,500 to 5,000 staff and organisations with annual turnover between 1bn and 5bn, both of which represent 26% of respondents.

Organisation wide policies and procedures

Most organisations (91%) have a controlled set of policies and procedures that people must adhere to. While Finance and Human Resources are the most likely areas to have detailed policies and procedures, there is a wide range of other categories as shown in the chart below.

[Chart: In which categories of risk does your organisation have policies? Categories shown: Finance; Human resources; Health and safety; Compliance; Procurement; Corporate affairs; Sales and marketing; Public relations; Commercial development; Clinical research; Pharmacovigilance; Other.]
Programme and project management, customer information, contracts approval and grants make up the other category.

We have not discerned any association between the size, structure and type of organisation and the total number of policies per organisation. Nor is there a particular pattern between the type of organisation and specific policies. Organisations appear to create policies according to their specific needs and circumstances.

Identification, scope and approval of controlled documents

There are mixed results regarding who has responsibility for identifying the need for controlled policies and procedures. For 22% this is done centrally. Most of these organisations are within the public sector. A further 35% rely on subsidiaries and departments to identify the need. Most of these are private sector organisations. The majority, 43%, apply a combination of the two methods.

A similar mixed pattern has emerged with regard to who determines the scope and content of controlled documents and who approves controlled documents, as shown in the table below.

Designation; Determination of the scope and content of controlled documents; Approval of controlled documents
Board of directors or executive committee; Named individuals e.g. Chief executive, Company secretary; Head of entity subsidiary or department: 11% 11% 11% 23% 11% 0%
Combination of the above: 61% 50%
Not clearly stated: 6% 16%

It is noticeable that none of the organisations surveyed have specifically indicated that a Head of Entity is allowed to approve a controlled document. Unfortunately, it is not possible to tell from the results whether or not this happens as part of the combination of methods.

The approach to updating controlled documents is equally split between periodic reviews and ad-hoc reviews as and when required.

Management and communication of controlled documents

About one-third (35%) of organisations use some form of software system to manage controlled documents.
All of these are private sector organisations, most of which have an annual turnover greater than 500m and more than 1000 staff. There is an equal split between purchased software packages (13%) and tailored software packages (13%) with a slightly smaller number using in-house designed software (9%). Most of the organisations are reasonably satisfied with the approach they have adopted. Organisations tend to use a combination of specific notifications that controlled documents have changed and periodic reminders about the existence of controlled documents to keep people informed. August 2009 Page 2
Compliance with policies and procedures

The final section of the survey is concerned with the way organisations gain assurance that controlled documents are being applied. The following chart shows the various methods and the extent of their application:

[Chart: Who provides assurance that entities comply with policies? Categories shown: Internal audit; Other internal assurance reviewers; Annual sign-off required by line management; Other external assurance reviewers; On-line testing/self assessment of employee understanding; Annual sign-off required by all employees; Other. Values shown: 22%, 13%, 4%, 34%, 96%, 56%, 56%.]

All of the organisations, bar one, use internal audit to verify compliance. However, this organisation in the other category pointed out that it uses a three lines of defence model that requires internal audit to provide independent assurance.

The other noteworthy aspect is that more than half of all organisations place some responsibility on line managers to provide assurance there is adherence to policies and procedures.

Some organisations also highlighted that controlled documents fall within the remit of their quality system and are subject to assurance checks by internal and/or external assurance providers.

Conclusions

Most organisations have a controlled set of policies and procedures to specify how operations should be conducted. The activities this applies to vary between organisations but as a minimum there is likely to be controlled documentation in the areas of Finance and Human Resources.

Approval of the policies and procedures tends to take place at a high level such as board of directors, executive committee, chief executive, other senior executive or some combination of this group.

Internal audit is the main source of assurance that controlled documents are being applied but most organisations have other forms of assurance and there may be need for internal auditors to develop a working relationship with these providers.
In the first instance this may be a simple case of coordination but for some organisations internal auditors may be required to review the reliability of the other assurance providers.

Copy of survey issued to Service members

Document Control

A member of the Heads of Internal Audit Service (HIAS) is currently reviewing his company's Document Control process. He is particularly interested to learn how other organisations identify, structure, approve, issue and coordinate controlled documents.

1) What is your industry sector (choose one from this list):
   Banks and building societies; Insurance; Other financial services; Food and drink; Manufacturing and engineering; Media and leisure; Retail; Telecommunications; Utilities; High technology; Pharmaceutical/Life Sciences; Other private sector; Voluntary/charity; Education; Central government; Local government; Health; Other public sector; None of the above

2) Where is your organisation's headquarters?
   UK; Ireland; Outside the UK and Ireland

3) What countries/continents do you operate in?
   UK; Ireland; Rest of Europe (EU); Rest of Europe (non EU); North America; Central America; South America; Africa; Asia; Australia/New Zealand; Pacific

4) What is the turnover or gross revenue spend of your organisation? (provide the worldwide total for multi-national organisations)
   up to 50 million or 57 million; 51m - 100m or 58m - 115m; 101m - 200m or 116m - 230m; 201m - 350m or 231m - 402m; 351m - 500m or 403m - 575m; 501m - 1bn or 576m - 1.15bn; 1bn - 5bn or 1.15bn - 5.75bn; 5bn - 10bn or 5.75bn - 11.5bn; Over 10bn or 11.5bn

5) What is the total number of employees in your organisation? (if your organisation is international or has multiple divisions, your answer should cover only that part of the organisation which your internal audit services cover)
   less than 101; 101 to 200; 201 to 500; 501 to 1,000; 1,001 to 2,500; 2,501 to 5,000; 5,001 to 10,000; 10,001 to 25,000; 25,001 to 50,000; over 50,000

6) How many entities does your organisation have? (typically a subsidiary for a private company or a department for a public sector organisation)
   Less than 10; 10-50; 51-100; 101-300; 301-500; 501-1000; More than 1000

7) Do you have a controlled set of organisation wide/global policies and procedures that all entities must adhere to (Controlled Documents)?
   Yes; No; Don't know

8) In which categories of risk does your organisation have policies?
   Finance; Sales and marketing; Information technology; Compliance (legal, code of ethics, policies); Health and safety; Clinical research; Human resources; Business development; Commercial development; Procurement; Pharmacovigilance; Corporate affairs; Public relations; None

9) Are entities responsible for identifying the need for local Controlled Documents (Policy or Standard Operating Procedure)?
   Yes, entities identify the need for local controlled documents; No, the need for controlled documents is established at the global level; A combination of the above

10) Who is responsible for determining the scope and content of Controlled Documents in the organisation?
   Board of directors or executive committee; Named individuals e.g. Chief executive, Company secretary; Head of the entity - subsidiary or departmental head; Combination of the above; Not clearly stated

11) Who approves the issue of Controlled Documents in the organisation?
   Board of directors or executive committee; Named individuals e.g. Chief executive, Company secretary; Head of the entity - subsidiary or departmental head; Combination of the above; Not clearly stated

12) What is the approach for updating Controlled Documents?
   Ad-hoc, based on identified need for update and development; Periodic review of policies; None

13) How are people informed about Controlled Documents?
   Periodic reminders about the existence and location of policies; A notification when changes are made to policies; Through the induction process for new employees; A combination of the above; No specific communication

14) Does your organisation use software to manage Controlled Documents?
   Yes: developed in-house; Yes: off the shelf package; Yes: tailored package; No

15) Please indicate how satisfied you are with the software product
   very dissatisfied; dissatisfied; reasonably satisfied; satisfied; very satisfied; highly satisfied

16) Please specify the software product you use

17) Who provides assurance that entities are complying with the requirements of Controlled Documents (please tick all that apply)?
   Annual sign-off required by line management; Annual sign-off required by all employees; On-line testing/self assessment of employee understanding; Internal audit; Other internal assurance reviewers; Other external assurance reviewers

18) Please provide any further comments about Document Control in your organisation or Document Control in general that may be relevant.

19) If you are willing to be contacted on this subject by the author please include your telephone number or email address below - thank you

Data Protection Notice

Thank you for completing the survey, your views and opinions are very important. Your response will be treated in total confidence. Completed questionnaires will be processed only by the Institute of Internal Auditors - UK and Ireland (IIA) using Vovici EFM Continuum software and will not be disclosed to any other third parties. By submitting this questionnaire you consent to our processing of your sensitive personal data for these purposes.

The Institute of Internal Auditors UK and Ireland

The IIA is the only body focused exclusively on internal auditing and we are passionate about supporting, promoting and training the professionals who work in it. We have been leading the profession of internal auditing for over 60 years. The IIA plays an active role in the public arena, building awareness of internal auditing, promoting members' interests and challenging organisations to reach the highest standards of corporate governance. Our International Standards and Code of Ethics unite a global community of 160,000 internal auditors in 165 countries.

We are committed to enhancing the recognition and professionalism of internal audit in the UK and Ireland, through:

   Dynamic leadership of the profession which maximises the reputation and influence of our members, both individually and collectively
   Setting performance benchmarks and promoting professional integrity through our International Standards and Code of Ethics
   Continually developing our qualifications so that their high quality and reputation is maintained
   Providing technical resources, networking opportunities and support to our members throughout their careers
   Maintaining our position as the market leader in internal audit training

Informing. Inspiring. Assuring.

About Heads of Internal Audit Service benchmarking reports

The IIA recognises that heads of internal audit need specialist information and support to help them respond to the demands of a competitive and increasingly regulated business climate. The Heads of Internal Audit Service is an exclusive service designed specifically for the leaders of the profession to keep them up to date, provide networking opportunities with like-minded professionals and to discuss successes and concerns in confidence with their peers. Other services include access to technical updates, a monthly e-bulletin, a programme of forum meetings and specifically commissioned research.
The benchmarking reports are designed to help members make the most of the Service's networking opportunities. Service members can pose a question to other members to help them identify best practice on a particular issue. Questions for consideration can be emailed to chris.baker@iia.org.uk or technical@iia.org.uk

Disclaimer

This material is not intended to provide a definitive answer to addressing specific individual circumstances and as such is intended to be used only as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

www.iia.org.uk

The Institute of Internal Auditors UK and Ireland Ltd
13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX
Tel 020 7498 0101
Fax 020 7978 2492
Email technical@iia.org.uk
Registered in England and Wales, no. 1474735

Information can be made available in other formats