Moving Internal Audit Back into Balance




Moving Internal Audit Back into Balance A Post-Sarbanes-Oxley Survey Fourth Edition

Table of Contents

Introduction
Executive Summary
Overview of Rebalancing Initiatives
Current Status of Sarbanes-Oxley Compliance
State of Rebalancing
Making Progress
Primary Benefits
Key Activities by Organizations Seeking to Rebalance
Addressing IT Audits
Sarbanes-Oxley Compliance Strategies as Part of Rebalancing Efforts
Addressing IT Audits
Primary Ownership
Impact of SEC's Interpretive Guidance and PCAOB AS5
Rebalancing Efforts
Changes in Efforts/Hours
Quantity and Scope of Processes and Controls
Impact of Rebalancing Initiatives
Internal Audit Responsibilities in Sarbanes-Oxley Compliance
Allocating Internal Audit Efforts for COSO Internal Control Objectives
Rebalancing the Skills Gap
Internal Audit Staffing, Hours and Budget Allocations
Impact of SEC's and PCAOB's Guidance
Outsourcing Sarbanes-Oxley Compliance Activities
External Quality Assessments
Changing Landscape Demands Ongoing Rebalancing
Methodology
Survey Demographics
About Protiviti Inc.

Introduction

Unless commitment is made, there are only promises and hopes... but no plans.
Peter Drucker

Without question, much has changed in the seven years since the U.S. Sarbanes-Oxley Act became law. We conducted our first Internal Audit Rebalancing study in 2005 to assess how organizations were relying on their internal audit departments for Sarbanes-Oxley compliance-related activities while seeking to rebalance these functions to also address more traditional internal auditing responsibilities. (For the purposes of this survey, rebalancing is defined as the process of moving activities away from Sarbanes-Oxley compliance to a broader coverage of business objectives as defined by the COSO framework.)

In subsequent years of the study, we noted how the landscape continued to change, with organizations becoming more familiar with the Sarbanes-Oxley compliance process and thus streamlining their efforts. Perhaps most notably, in 2007, a potential paradigm shift was introduced with the U.S. Securities and Exchange Commission's (SEC) interpretive guidance to management on implementing Section 404 of Sarbanes-Oxley, along with a new standard, Auditing Standard No. 5 (AS5), from the Public Company Accounting Oversight Board (PCAOB). Both of these were intended, in part, to alleviate some of the time and cost burdens associated with the compliance process. The results of our 2008 Rebalancing survey suggested that both the SEC's interpretive guidance and PCAOB AS5 were having their intended effect.

In our 2009 Rebalancing survey, one of the more interesting trends emerging from our analysis of the data is an apparent drop among organizations in activities and perceived benefits relating to these regulatory pronouncements. Both were designed to ease compliance burdens among companies and facilitate a more efficient and streamlined attestation by external auditors of internal control over financial reporting. There could be several reasons behind this trend. Certainly there is a heightened regulatory environment in the wake of the many well-publicized bank and corporate failures worldwide. There also could be a general aura of compliance conservatism because of the global financial crisis that is impacting virtually every organization around the world. It also could be that the rate of changes being implemented by companies has slowed since it has now been two years since the SEC's and PCAOB's announcements. We explore these and other themes further throughout this report.

This year's survey, which was modified slightly from previous years, consisted of questions grouped into two divisions: Rebalancing Strategy and Internal Audit Organization and Focus. More than 600 respondents, a majority of whom are chief audit executives, audit directors and audit managers, took part by completing the survey in person or online.

We would like to extend our appreciation to all of the chief audit executives and internal audit professionals who participated in our 2009 Rebalancing survey. We also want to recognize The Institute of Internal Auditors for its continued leadership and guidance for the profession.

We are very appreciative of the continued positive feedback on this study that we receive from chief executive officers, chief financial officers, board members and other executives, as well as internal audit leaders. We are certain our 2009 report will again be of interest to any organization assessing how to balance ongoing Sarbanes-Oxley compliance with traditional internal auditing responsibilities.

Protiviti
June 2009

Executive Summary

Impact of the SEC's Interpretive Guidance and PCAOB Auditing Standard No. 5

While approximately half of survey participants reported the SEC's guidance and PCAOB AS5 are enabling them to increase rebalancing efforts significantly or moderately, the response was down from 2008. Hours for external audit, internal company and other external resources have decreased, but not as much as reported last year. A majority of respondents reported decreases in the number of key controls and total controls documented and tested.

One of the more notable trends in this year's results is an apparent lessening in the positive effects of the SEC's interpretive guidance and PCAOB AS5, with a general across-the-board decrease in their respective impact. This could be a result of many factors, including the global economic crisis, heightened regulatory environment, continued significant reliance on manual processes and controls, growing conservatism among companies in order to maintain the status quo, or a belief among organizations that they already have implemented changes in response to these regulatory rulings and are not planning further adjustments.

Primary Benefits of Rebalancing

"Internal audit being able to perform more traditional audits" and "more appropriate coverage of risk" rank as the top benefits. "Reduced Section 404 and 302 compliance costs" is the third-highest ranked benefit, yet the response was down 7 percent from 2008.

After 2005 (the first year of the survey), there is a clear trend showing more traditional audits to be a top benefit of rebalancing, which is understandable given the interest in shifting internal audit away from a Sarbanes-Oxley-only emphasis. Such a shift enables organizations to achieve more appropriate coverage of their risks.

Sarbanes-Oxley Compliance: Current Status

Most respondents are in or beyond their fourth year of Sarbanes-Oxley compliance, generally mirroring the compliance timeline since the act went into effect for large accelerated filers.

These results are similar to those from the 2008 Rebalancing study. Of note, there was a year-over-year increase in the number of organizations identifying themselves as in either the first year or pre-first year of compliance. This is the result of the pending deadline for smaller companies to comply with the auditor attestation requirement of Section 404 (beginning for fiscal years ending on or after December 15, 2009).

Rebalancing Status: One Year Ago Versus Today

Nearly three out of four organizations have achieved or moved beyond rebalancing, or have rebalancing underway or in the planning stages.

This is very consistent with results from the 2008 and 2007 Rebalancing surveys. These results clearly show that even with the ongoing requirements for Sarbanes-Oxley compliance, most companies view rebalancing the internal audit department as a key priority to ensure the long-term effectiveness of the internal audit function in helping management and the board identify, manage, mitigate and monitor key risks.

Strategies: Current Versus Planned

As in 2008, reducing the number of key controls and using a risk-based testing approach were the top two strategies, but percentages for both were down year-over-year.

"Reduction in number of key controls" leads the strategies that organizations are currently employing, followed by "use of a risk-based testing approach," "greater reliance on internal auditors by external auditors" and "reduction in total population of controls." However, when comparing this year's results to those from 2008, there was a consistent decrease in the percentage of responses for each category. This may be a signal that some companies believe they have completed making adjustments in response to the SEC's and PCAOB's pronouncements, or be further indication of an apparent hesitancy among organizations to fully implement practices based on the SEC's interpretive guidance and PCAOB AS5. It also could mean that some organizations believe they have applied a top-down, risk-based approach, consistent with the SEC's guidance. Based on our experience, we believe many organizations with this point of view continue to rely heavily on manual financial reporting processes and controls.

Activities as Part of Rebalancing

Risk-based testing and rescoping workloads are the top rebalancing activities.

"Implement risk-based testing," added to the Rebalancing survey this year, ranked as the top activity, with two out of three organizations including this as part of their rebalancing efforts. "Rescope workloads" has ranked first or second in the past three studies. Also of note, just one in five respondents cited "add additional resources" this year, continuing a downward trend from 2005 (62 percent).

Overview of Rebalancing Initiatives

Current Status of Sarbanes-Oxley Compliance: Most in their Fourth Year or Beyond

A majority of respondents are in or beyond their fourth year of Sarbanes-Oxley compliance, generally mirroring the compliance timeline since the act went into effect for large accelerated filers.

Similar to the results from the 2008 Rebalancing study, among all respondents, a majority are at least in their fourth year of Sarbanes-Oxley compliance, and 40 percent are beyond the fourth year. Of note, there was a year-over-year increase in the number of organizations identifying themselves as in either the first year or pre-first year of compliance (22 percent this year versus 16 percent in 2008). This could be the result of the pending deadline that smaller companies (or nonaccelerated filers, as defined by the SEC) must comply with the auditor attestation requirement of Section 404 beginning in fiscal years ending on or after December 15, 2009. This group of companies includes those that underwent initial public offerings in 2007.

[Figure: Year of Sarbanes-Oxley Compliance. Categories: pre-1st year, 1st year, 2nd year, 3rd year, 4th year and beyond 4th year of compliance.]

State of Rebalancing

Most organizations recognize the importance of rebalancing their internal audit departments to focus more on traditional responsibilities.

Respondents were asked the following two questions:

One year ago, how would you have described your organization's efforts to rebalance internal audit priorities away from Sarbanes-Oxley compliance projects?

Today, how would you describe your organization's efforts to rebalance internal audit priorities away from Sarbanes-Oxley compliance projects?

Nearly three out of four organizations today (73 percent) have achieved or moved beyond rebalancing, or have rebalancing underway or in the planning stages. This is very consistent with results from the 2008 and 2007 Rebalancing surveys. These results clearly show that even with the ongoing requirements for Sarbanes-Oxley compliance, most companies view rebalancing the internal audit department as a key priority to ensure the long-term effectiveness of the internal audit function in helping management and the board identify, manage, mitigate and monitor key risks.

[Figure: State of Rebalancing, one year ago versus today. Categories: beyond rebalancing; rebalancing achieved; rebalancing underway; rebalancing planned; haven't started planning, but intend to rebalance; doesn't apply, not yet under first year of S-O Act compliance; not intending to rebalance.]

Making Progress

Most organizations consistently report moderate progress in their rebalancing efforts.

Over the past three years of the Rebalancing study, results on the progress of rebalancing efforts have been very consistent, with 71 percent to 73 percent of respondents reporting their rebalancing projects are making significant or moderate progress. Results related to expectations also have been consistent, with a growing number of respondents noting progress has met or exceeded them. These trends show that once an organization initiates rebalancing efforts, it is likely to achieve significant or moderate progress toward its goals; in other words, there is a strong chance of success.

[Figure: Rebalancing Progress Made So Far: Three-Year Comparison (Base: Rebalancing Underway). Series: 2009, 2008, 2007. Categories: significant, moderate, minimal, none.]

[Figure: Expectations of Rebalancing Progress to Date: Three-Year Comparison (Base: Rebalancing Underway). Series: 2009, 2008, 2007. Categories: much less than expected, somewhat less than expected, about the same as expected, somewhat more than expected, much more than expected.]

Primary Benefits

Consistent with previous years' results, the top two benefits of rebalancing are having internal audit perform more traditional audits and achieving more appropriate coverage of risk.

The top responses for 2009, "internal audit being able to perform more traditional audits" and "more appropriate coverage of risk," have been relatively consistent over the four years of the Rebalancing study. However, one notable change this year was a drop in the benefit of having "reduced Section 404 and 302 compliance costs." While this may be unexpected to some given that the SEC's interpretive guidance and PCAOB AS5 were intended to facilitate a reduction in efforts and costs for reporting companies, some organizations were of the view that they were already applying a top-down, risk-based approach when the 2007 guidance was issued, while other companies may have the view that they have completed their implementation of the new guidance and standard. Again, significant reliance on manual financial reporting processes and controls can limit the potential benefits from implementing the SEC interpretive guidance and PCAOB AS5.

[Figure: Primary Benefit of Rebalancing: Four-Year Comparison (Base: All respondents except those not engaged in or planning rebalancing). Series: 2009, 2008, 2007, 2005. Categories: internal audit able to perform more traditional (operational and nonfinancial reporting-related) audits; more appropriate coverage of risk; reduced Section 404 and 302 compliance costs; increased reliance by external auditors on work of internal audit (PCAOB AS5); increased effectiveness and efficiency of operations; increased objectivity of the internal audit department; other; no benefit.]

Key Activities by Organizations Seeking to Rebalance

Risk-based testing and rescoping workloads stand out as the top rebalancing activities.

"Implement risk-based testing" was added to the Rebalancing survey this year and ranked as the top activity, with two out of three organizations including it as part of their rebalancing efforts. "Rescope workloads" has ranked first or second in the past three studies. Both "application of (PCAOB) AS5 by the company's external auditors" and "increase testing and reliance on monitoring controls" were cited by half of respondents. Of note, the latter activity coincides with the recent release of the new COSO Monitoring Guidance, which further indicates the higher priority being placed on the monitoring of controls.

Notable four-year trends in the findings for this category include the following:

Nearly two out of three respondents (62 percent) cited "add additional resources" in 2005, but just 22 percent did so in 2009, continuing a four-year decline for this rebalancing activity.

"Reallocate existing resources" received approximately half of the response in 2005 and 2007, but just 32 percent in 2009.

"Rescope workload" has increased over the past four years as a rebalancing activity, from 41 percent in 2005 to 65 percent this year.

[Figure: Key Rebalancing Activities (Base: All respondents except those not engaged in or planning rebalancing). Categories: implement risk-based testing***; rescope workload; increase testing and reliance on monitoring controls***; application of AS5 (vs. AS2) by the company's external auditors*; conduct an enterprisewide risk assessment; automating more controls (moving more controls from manual to automated)***; increased ownership by process owners**; utilize more self-assessment and self-audits by process owners and executives; reallocate existing resources; company's effort in applying the SEC's interpretive guidance*; add additional resources; use third parties to complete certain work to assist in the rebalancing effort; create a separate risk and controls function to focus primarily on Section 404; other. * Not applicable in 2005 and 2007 surveys. ** Not included in 2005 survey. *** Not included in previous surveys.]

Addressing IT Audits

Respondents specifically were asked how IT audits not related to Sarbanes-Oxley compliance were being addressed as part of their rebalancing efforts. Consistent with last year, the most common response was "no change." However, collectively over half of all respondents reported they are increasing IT audits when it comes to rebalancing efforts.

This year's results show that technology remains an important part of the rebalancing process. Now that organizations have more experience with Sarbanes-Oxley, IT audit efforts might be shifting toward maintaining compliance efforts while also working to lower compliance costs and improve the balance of audit coverage for other areas of risk.

Protiviti's 2009 Internal Audit Capabilities and Needs Survey supports the continued importance of technology as a critical enabler of virtually all business processes and helping organizations achieve objectives and address risks. [1] In this study, technology skills hold a prominent place in the "need to improve" category of general technical knowledge.

The recent changes to The IIA Standards also corroborate the importance of technology audits. For example, IIA Standard 2110.A2 now includes the word "must" when providing guidance to internal audit in its role related to assessing IT governance. As organizations adopt the new and revised Standards as of January 1, 2009, we will monitor whether IT audits continue to hold an important role in rebalancing efforts, and it is quite possible the survey results for this category will change next year.

[Figure: IT (IT audits not related to Sarbanes-Oxley) Assessed as Part of Rebalancing: Four-Year Comparison (Base: All respondents except those not engaged in or planning rebalancing). Series: 2009, 2008, 2007, 2005. Categories: increase(d) IT audits >25%; increase(d) IT audits 10-25%; increase(d) IT audits <; no change; decrease(d) IT audits.]

[1] For more information, read Protiviti's 2009 Internal Audit Capabilities and Needs Survey, available at www.protiviti.com.

Sarbanes-Oxley Compliance Strategies as Part of Rebalancing Efforts

As in 2008, reducing the number of key controls and using a risk-based testing approach were the top two strategies, but percentages for both were down year-over-year.

Similar to last year, "reduction in number of key controls" leads the strategies organizations are currently employing, followed by "use of a risk-based testing approach," "greater reliance on internal auditors by external auditors" and "reduction in total population of controls." For each of these strategies, there also was a significant increase compared to the percentage of respondents who reported in 2008 that they were planning to employ it in the coming year. This shows that, in one sense, the SEC's interpretive guidance and PCAOB AS5 are having their intended effect.

However, when comparing the current results with the prior year, there was a consistent decrease in the percentage of responses for each category in 2009. In last year's survey, for example, 47 percent of respondents reported they were currently reducing the number of key controls, versus 33 percent this year. For "use of a risk-based testing approach," the 2008 "currently" response was 45 percent versus 30 percent this year, and for "reduction in total population of controls" the numbers were 43 percent versus 26 percent.

These findings could be a further indication that some organizations have already taken steps to reduce their control populations, and thus no longer see a need to incorporate these specific strategies as part of their rebalancing efforts. However, it is also possible that some organizations have an apparent hesitancy in 2009 to implement practices based on the SEC's interpretive guidance as well as PCAOB AS5. This could be attributed to a more conservative approach in order to preserve the status quo.

Also of note, "increase in number of automated controls" leads the strategies organizations are planning to employ in 2009, followed by "use of data mining and analytics to better understand process performance," "reduction in manual controls," "increase in number of monitoring controls" and "consolidation of redundant IT platforms and systems." These strategies are key because, for many organizations, they represent the "last frontier" for improving the cost-effectiveness of financial reporting controls, reducing financial reporting risks and streamlining Sarbanes-Oxley compliance. The notable increase in focus on these strategies indicates that some organizations understand their importance in this regard.

[Figure: Strategies: Current vs. Planned. Series: Currently Employing 2009, Planning to Employ 2009, Planning to Employ 2008. Categories: reduction in number of key controls; use of a risk-based testing approach*; greater reliance on internal auditing by external auditors; reduction in total population of controls; tightening of overall scope; centralization of common processes and functions; increase in testing within key risk areas; reduction in number of in-scope locations**; consolidation of redundant IT platforms and systems; increase in number of monitoring controls; accelerate timing of selected control tests**; increase in number of automated controls; reduction in manual controls; use of self-assessment techniques; improvement in quality and compression of time in business processes affecting financial reporting; reduction of independent tests of controls; use of data mining and analytics to increase understanding of process performance; other**; no specific strategies considered or employed**; don't know**. * Not included in 2007 survey. ** Not included in 2007 and 2008 surveys.]

Overview of Rebalancing Initiatives (cont.) Addressing IT Audits When asked what percentage of IT audits were related to Sarbanes-Oxley for each year of compliance, respondents reported that most IT auditing activity occurs in Years Two and Four. Organizations continue to express that these audits do not have a prominent role in the first year of Sarbanes-Oxley compliance, even though their importance increases significantly in Year One when compared to the precompliance period. As organizations become more experienced with Sarbanes-Oxley, they come to realize the important role IT plays in managing related risks and processes. More than 60 percent of respondents whose organizations are beyond Year Four reported that they spend at least 20 percent of their time on IT audits. This is consistent with the 2008 study. Over the years, organizations have acknowledged the benefits of automating internal controls: increased reliability, lower error rates, and less time and effort required to test compared to manual controls. The bottom line is that technology, when used appropriately, improves risk coverage and test results, leading to an improved internal control environment and effective compliance strategy. This is in line with the intention of the SEC s interpretive guidance and PCAOB AS5. As noted earlier (see page 9), changes this year to IIA Standard 2110.A2, which states that internal audit functions must assess IT governance, reinforce the importance of technology audits. In next year s Rebalancing survey, there may be notable changes in the results for this category. 
[Figure: Percentage of IT Audits Related to Sarbanes-Oxley Compliance. Chart showing, for each compliance stage (pre-1st year, 1st year, 2nd year, 3rd year, 4th year and beyond 4th year of compliance), the share of respondents in each response band: Don't know; None; <10%; 10-19%; 20-49%; 50-75%; >75%.]

Primary Ownership

Internal audit owns the rebalancing process in most organizations.

A review of Rebalancing survey results over the past three years shows that internal audit departments consistently have primary ownership of rebalancing activities in their organizations. This year, in fact, there was an even larger gap between internal audit and other business owners in the organization.

Respondents also were asked to indicate, in terms of rebalancing efforts, the level of involvement of different groups and individuals in the organization. More than half reported that executive management, the audit committee, management and/or process owners, and the external auditor are involved to a significant or moderate extent.

[Figure: Primary Ownership for Rebalancing: Three-Year Comparison (2009, 2008, 2007). Base: Beyond Rebalancing, Rebalancing Achieved, Underway, Planned and Intended. Categories: Internal audit staff; Executive management; Management; Audit committee; Other; No one primary owner; Don't know.]

Impact of SEC's Interpretive Guidance and PCAOB AS5

Similar to results from the 2008 Rebalancing study, this year's response shows a continued positive impact as a result of PCAOB AS5 and the SEC's interpretive guidance for Section 404. However, across all sections in this category of the study, there is a noticeable decrease in the positive impact responses compared to 2008. These findings are interesting given that guidance from both organizations was intended to increase the emphasis on applying a top-down, risk-based approach and enable organizations to reduce the time and costs required for compliance. It also would be expected that rebalancing efforts would be sustained.

Rebalancing Efforts

Efforts have decreased, but less so than in 2008.

While nearly 40 percent of respondents reported that the impact of the SEC's interpretive guidance is enabling them to increase rebalancing efforts significantly or moderately, the cumulative increase figures dropped from 60 percent in 2008. Similarly, while 56 percent of respondents last year said that, as a result of PCAOB AS5, they were increasing rebalancing activities significantly or moderately, the response dropped to 44 percent this year.

[Figure: Impact of SEC's Interpretive Guidance on Rebalancing: Two-Year Comparison (2009, 2008). Categories: Significantly increased rebalancing efforts; Moderately increased rebalancing efforts; No change; Moderately decreased rebalancing efforts.]

[Figure: Impact of PCAOB AS5 (vs. AS2) on Rebalancing: Two-Year Comparison (2009, 2008). Categories: Significantly increased rebalancing efforts; Moderately increased rebalancing efforts; No change; Moderately decreased rebalancing efforts.]

Changes in Efforts/Hours

Organizations are being more conservative in reducing hours and activities.

A large percentage of respondents reported that as a result of the SEC's interpretive guidance and PCAOB AS5, external audit hours have decreased, as have the hours required of other external and internal resources. However, these charts do illustrate slight drops in the percentages of decrease in all three categories. For example, this year a combined 40 percent of respondents reported a decrease in external audit hours as a result of the SEC's guidance, whereas 50 percent reported such a decrease in 2008. Similar changes are evident in the other two categories. We will continue to monitor these trends and determine why these changes might be occurring.

[Figure: SEC's Interpretive Guidance: Change in External Audit Efforts (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison (2009, 2008). Categories: Decreased >25%; Decreased 10-25%; Decreased <10%; No change; Increased.]

[Figure: SEC's Interpretive Guidance: Change in Internal Company Efforts (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison (2009, 2008). Categories: Decreased >25%; Decreased 10-25%; Decreased <10%; No change; Increased.]

[Figure: SEC's Interpretive Guidance: Change in Use of External Resources (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison (2009, 2008). Categories: Decreased >25%; Decreased 10-25%; Decreased <10%; No change; Increased.]

Are Companies Failing to Take Full Advantage of Revised Regulations?

This year's findings that suggest a diminished positive impact of PCAOB AS5 and the SEC's interpretive guidance on Section 404 are worth further commentary. Both of these standards relaxed previously stringent guidelines for companies and external auditors with regard to establishing and attesting to internal control over financial reporting, as mandated by Section 404. Among the new guidance from each of these regulatory bodies were opportunities to rely more heavily on the work of others, such as the internal audit function. For example, as detailed in Protiviti's Guide to Internal Audit: Frequently Asked Questions About Developing an Effective Internal Audit Function:

The PCAOB encourages greater use of the work of others in AS5 by requiring auditors to (1) understand the relevant activities of others and determine how the results of that work may affect his or her audit, and (2) evaluate whether and how to use their work to reduce audit testing. There is no reason why the external auditor should not do this, particularly if an effectively functioning internal audit function is in place.

AS5 emphasizes the importance of assessing the competency and objectivity of the persons who the (external) auditor plans to use to determine the extent to which the (external) auditor may use their work. The higher degree of competence and objectivity, the greater use the (external) auditor may make of the work. The guidance included in AS5 applies the principles in AU 322 to focus the auditor's use of the work of others more specifically on altering the nature, timing and extent of the external auditor's work than otherwise would have been performed to test the operating effectiveness of controls as part of an integrated audit of the financial statements and internal control over financial reporting (ICFR).

The basic premise of AS5 is that the external auditor may use work performed by, or receive assistance from, internal auditors, other company personnel (in addition to internal auditors) and third parties working under the direction of management or the audit committee that provides evidence about ICFR effectiveness.

In assessing the results from this year's Rebalancing study, it is possible that some companies are being too conservative. There could be a variety of reasons at play to explain why, among them:

- "If it isn't broken, don't fix it": Without question, achieving Sarbanes-Oxley compliance was an engrossing and time-consuming process for most reporting companies. Many failed to plan properly or begin their compliance efforts early enough, resulting in organizational "fire drills." It is possible that as a result of these trials and tribulations, some companies may have little appetite to rescope workloads or otherwise change processes that currently have them in compliance. This, of course, defeats the purpose of the SEC's guidance and AS5. We have also seen circumstances where managers responsible for Sarbanes-Oxley compliance are rewarded for compliance and not for cost-effectiveness; therefore, there is little incentive for them to alter the status quo.

- Law of diminishing returns: We see many companies continuing to rely heavily on manual processes and controls. The SEC interpretive guidance and PCAOB AS5 can only take a company and its auditors so far until the process reaches the point where there is a declining impact from applying the SEC guidance and the PCAOB standard. There is a strong linkage between (a) improving process quality, time and cost performance, and (b) strengthening the effectiveness of ICFR. A simple, more streamlined and automated process is easier to control than a complex, cumbersome and manual one. Many companies continue to have opportunities to improve their process performance by building in (versus inspecting in) quality, reducing costs and compressing time within their processes, and all of this while simultaneously reducing financial reporting risks and the costs of Sarbanes-Oxley compliance.

- Still figuring it out: The difference between this year's results and last year's could be a reflection of companies still determining exactly where and how to achieve time and cost savings by rescoping workloads, reducing controls (key and total number) and increasing their rebalancing efforts. If this year's results indicate a swing back as companies, through trial and error, continue to define how to accomplish these objectives, we might expect higher positive impact responses in the 2010 Rebalancing survey.

[Figure: PCAOB AS5: Change in External Audit Efforts (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison (2009, 2008). Categories: Decreased >25%; Decreased 10-25%; Decreased <10%; No change; Increased.]

Are Companies Failing to Take Full Advantage of Revised Regulations? (cont.)

- More small companies beginning the compliance process: Beginning for fiscal years ending on or after December 15, 2009, nonaccelerated filers must comply with the auditor attestation requirement of Section 404. It is possible that this year's results reflect the fact that 7 percent of respondents are in the smaller public company category and would not be initiating rebalancing or other cost- and time-saving activities as of yet.

- Lack of knowledge: Despite the SEC's and PCAOB's well-publicized announcements of their respective actions in 2007, it could be that many companies are not fully aware of these new guidelines and the potential opportunities to reduce time and costs involved with compliance. It could be expected in most cases that the external auditor would provide such knowledge; however, there could be some hesitancy among the auditors to leverage the revised guidelines, which could be attributable to custom and habit, the perceived reporting risks, or lack of support for certain AS5 principles such as the use of the work of others to ascertain the effectiveness of an organization's ICFR.

Regardless of the reasons, the bottom line is that it behooves any company to acquire a full understanding of the SEC's interpretive guidance and PCAOB AS5, and to talk to its external auditor about activities internal audit and other departments can perform to assist in the ICFR attestation process.

[Figure: PCAOB AS5: Change in Internal Company Efforts (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison (2009, 2008). Categories: Decreased >25%; Decreased 10-25%; Decreased <10%; No change; Increased.]

[Figure: PCAOB AS5: Change in Use of External Resources (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison (2009, 2008). Categories: Decreased >25%; Decreased 10-25%; Decreased <10%; No change; Increased.]

Quantity and Scope of Processes and Controls

Decreases were reported, but not as much as in 2008.

Respondents were asked about the impact of the SEC's guidance on numerous compliance-related processes and controls in the organization. They also were asked about the impact of the application of PCAOB AS5 by their external auditors on these same processes and controls. Similar to 2008, there are several positive trends, including a majority of respondents reporting decreases in key controls and total controls documented and tested. However, in most compliance-related process and control categories, the percentage of "decreased" responses dropped compared to 2008, while the "increased" response percentages rose year-over-year.

[Figure: Impact of SEC's Interpretive Guidance: Two-Year Comparison (Base: all respondents). Chart showing Decreased / No Change / Increased responses for 2009 and 2008 across: Number of key controls documented and tested; Number of total controls documented and tested; Number of key in-scope processes; Number of total risks identified; Number of in-scope locations; Use of a risk-based testing approach; Increased reliance on monitoring and/or entity-level controls; Reliance on the work of others by the external auditor; Increased reliance on self-assessment techniques* (2009 only). * Not included in 2008 survey.]

The Importance of Understanding Risk

The real key in Year Four and beyond of Sarbanes-Oxley compliance is how to keep things fresh and keep people vigilant. The recent financial collapse of so many companies shows that Sarbanes-Oxley was not the be all and end all to prevent loss of shareholder wealth. While companies were spending significant time and money ensuring things were recorded properly, they lost sight of the business risks that could bring down a company or an industry, wiping out billions of dollars in shareholder wealth in the process.

The real key for investors (and employees) is around understanding risk: What are the risks? Are they independent or dependent? If they are dependent, what are they dependent on? How can they impact the company? What is the magnitude and likelihood? Are they being monitored properly? This is where internal audit can best assist the audit committee and management, and where we must strengthen our skill set as a profession, hence the importance to rebalance resources. Without understanding risk, we can be auditing the wrong areas at the wrong time.

The bottom line is that businesses face far greater risks today than Sarbanes-Oxley, and internal audit must not only rebalance but also retool to meet the current requirements. There is going to be a sea change in internal audit, and each of us has a choice: be ready, willing and able, or become obsolete.

Larry Harrington, Vice President, Internal Audit, Raytheon Company

[Figure: Impact of PCAOB AS5: Two-Year Comparison (Base: all respondents). Chart showing Decreased / No Change / Increased responses for 2009 and 2008 across: Number of key controls documented and tested; Number of total controls documented and tested; Number of total risks identified; Number of key in-scope processes; Number of in-scope locations; Use of a risk-based testing approach; Increased reliance on monitoring and/or entity-level controls; Reliance on the work of others by the external auditor; Increased reliance on self-assessment techniques* (2009 only). * Not included in 2008 survey.]

Impact of Rebalancing Initiatives

Internal Audit Responsibilities in Sarbanes-Oxley Compliance

Lead responsibility remains the most common role for internal audit.

Findings regarding internal audit's role in Sarbanes-Oxley compliance have been consistent over the course of the Rebalancing studies. Of note, control design evaluation and testing of operational effectiveness decreases with each year of compliance, as do serving as members of compliance teams and steering committees, and developer of documentation. This could indicate that process owners are taking more direct ownership and responsibility for their processes and controls, as permitted under PCAOB AS5. (Please note that in the interest of simplicity, the chart below illustrates internal audit's primary roles in the first year of Sarbanes-Oxley compliance and beyond the fourth year of compliance. Percentages of responses for Years Two to Four consistently fall in the gap between these two trend lines.)

[Figure: Internal Audit Primary Roles. Chart comparing two series (1st year of compliance, Beyond 4th year of compliance) across: Control design evaluation and testing of operational effectiveness; Lead responsibility; Member of compliance team/steering committee; Developer of documentation; Advisor to compliance team/steering committee; Limited to testing of operational effectiveness; Limited to control design evaluation; None; Don't know; Other.]

Allocating Internal Audit Efforts for COSO Internal Control Objectives

Consistent with the past three surveys, reliability of financial reporting remains the top COSO objective of focus for internal audit activities.

The continued concentration on reliability of financial reporting is an interesting trend given that one in three respondents reported that they had achieved rebalancing or were beyond rebalancing. Remember, the purpose of rebalancing is to move internal audit activities away from Sarbanes-Oxley compliance toward broader coverage of the COSO framework. We would expect these rebalanced, or soon to be rebalanced, internal audit organizations to have established a better balance among all aspects of the COSO model by now.

Organizations also should be aware that the internal audit landscape is changing. According to The IIA, financial reporting is only part of the internal control picture. As of January 1, 2009, the internal audit activity must evaluate and contribute to the improvement of governance, risk management and control processes using a systematic and disciplined approach (Standard 2100). Another Standard (2120.A1) notes that internal audit must evaluate risk exposures regarding reliability and integrity of financial and operational information; effectiveness and efficiency of operations; safeguarding of assets; and compliance with laws, regulations and contracts.

[Figure: Internal Audit Efforts Allocated Against COSO Objectives of Internal Control. Chart comparing five series (1st year, 2nd year, 3rd year, 4th year and beyond 4th year of compliance) across: Effectiveness and efficiency of operations; Reliability of financial reporting (including Sarbanes-Oxley compliance); Compliance with applicable laws and regulations; Safeguarding of assets. Note: Chart does not include "Other" and "Don't know" responses.]

Rebalancing the Skills Gap

While down slightly from the 2008 results, a substantial percentage of this year's respondents perceive a significant or moderate skills gap among Sarbanes-Oxley-experienced auditors for other internal audit projects.

Survey participants were asked to what extent there is a skills gap in their organizations among Sarbanes-Oxley-experienced auditors for other internal audit projects, such as operational and nonfinancial reporting audits. Four out of 10 respondents perceive either a significant or moderate gap. This is consistent with Protiviti's Internal Audit Capabilities and Needs Survey [2]. Over the past three years, this study has identified traditional internal audit skills such as enterprise risk management and fraud risk management as competencies most in need of improvement.

One troubling finding in this category is the 17 percent "Don't know" response. The revised IIA Standards (which became effective in January 2009) require the CAE to report any resource constraints to management and the board of directors. More definitive results in this category of the survey would be expected in light of this Standard, as there should not be a lack of knowledge about skills within the internal audit function.

Also of note, 43 percent of respondents reported there is no skills gap in their departments with regard to Sarbanes-Oxley auditors performing other types of internal audit activities.

[Figure: Perceived or Real Skills Gap: Sarbanes-Oxley-Experienced Auditors for Other Internal Audit Projects: Two-Year Comparison (Base: All respondents). No skills gap: 43% (2009), 49% (2008). Moderate skills gap: 31% (2009), 36% (2008). Significant skills gap: 9% (2009), 8% (2008). Don't know: 17% (2009), 7% (2008).]

[2] For more information, read Protiviti's 2009 Internal Audit Capabilities and Needs Survey, available at www.protiviti.com.

Changes to The IIA Standards

On January 1, 2009, The IIA formally released its revised International Professional Practices Framework, which includes revisions to the organization's International Standards for the Professional Practice of Internal Auditing. Key changes to the Standards include the following:

- Six new Standards have been added.
- In virtually all of the Standards, The IIA has revised its wording, replacing "should" with "must."
- Additional requirements have been added to existing Standards.
- Interpretations have been added, incorporating components that previously were part of The IIA's practice advisories.

With the change from "should" to "must" in most of the Standards and the addition of six new Standards, internal audit functions must take action to achieve or remain in compliance. For some, only minimal adjustments may be necessary. For others, however, there may be a need for substantial changes to their internal audit plans and structures.

Without question, the internal audit rebalancing activities of organizations could be among the many areas affected by the new and revised Standards. Of particular note, IT governance and fraud risk management are key areas The IIA addresses in all-new Standards. We plan to monitor and report on key trends related to the Standards in next year's Rebalancing survey report.

Internal Audit Staffing, Hours and Budget Allocations

During Year One of Sarbanes-Oxley, most internal audit departments spend a majority of their time on compliance-related activities.

This year's results are consistent with previous Rebalancing surveys. After Year Two, there is a relative level of consistency in internal audit hours dedicated to Sarbanes-Oxley compliance, indicating that internal audit departments are planning or implementing rebalancing efforts to address more traditional responsibilities.
[Figure: Internal Audit Hours Dedicated to Each Year of Sarbanes-Oxley Compliance. Chart comparing five series (1st year, 2nd year, 3rd year, 4th year and beyond 4th year of compliance) across response bands: >75%; 50-75%; 20-49%; 10-19%; <10%; None; Don't know.]

Impact of SEC's and PCAOB's Guidance

These regulations continue to have a positive impact on internal audit hours dedicated to Sarbanes-Oxley compliance. However, as indicated in many of the findings from this year's Rebalancing survey, respondents noted less of a decrease compared to what was reported in 2008.

[Figure: Internal Audit Hours, SEC's Interpretive Guidance: Two-Year Comparison (2009, 2008). Categories: Significantly increased; Moderately increased; No change; Moderately decreased; Significantly decreased.]

[Figure: Internal Audit Hours, PCAOB AS5: Two-Year Comparison (2009, 2008). Categories: Significantly increased; Moderately increased; No change; Moderately decreased; Significantly decreased.]

Outsourcing Sarbanes-Oxley Compliance Activities

Most outsourcing takes place in Year One and gradually decreases in subsequent compliance years.

For Year One, approximately four out of 10 organizations outsource half of their Sarbanes-Oxley compliance activities to external service providers. While this is down slightly from previous years, overall these findings have been very consistent over the course of the Rebalancing study.

[Figure: Sarbanes-Oxley Work Outsourced. Chart comparing five series (1st year, 2nd year, 3rd year, 4th year and beyond 4th year of compliance) across response bands: >75%; 50-75%; 20-49%; 10-19%; <10%; None; Don't know.]

External Quality Assessments

Approximately one in three organizations has conducted an external quality assessment of the internal audit function as mandated by The IIA.

Respondents were asked whether they had completed an external quality assessment of their internal audit function since the effective date of IIA Standard 1312. Consistent with last year, most internal audit organizations (71 percent) had not accomplished this at the time of the 2009 Rebalancing survey.

It will be interesting to see if the recent changes to The IIA Standards will impact this trend. Standard 1312 now includes the word "must" when it comes to having an external quality assessment conducted every five years. It also emphasizes the importance of CAE and board communications focused on the external assessment process. Standard 1320 continues to support this type of communication by requiring the CAE to report on the quality assurance and improvement program results (internal and external) to senior management and the board.

[Figure: Impact of Degree of Reliance Placed on Internal Audit by Organization's External Auditors: Two-Year Comparison (2009, 2008). Base: Completed External Quality Assessment. Categories: Significantly increased reliance; Moderately increased reliance; No change; Moderately decreased reliance.]

Among the survey results for organizations that have conducted an external quality assessment review:

- Respondents were split on the method used for the assessment: just over half said their organizations conducted a full-scope review, while just under half self-assessed with independent validation.
- Consistent with the 2008 study, 90 percent reported their internal audit functions generally conform to The IIA Standards.
- With regard to how the results of external quality assessment reviews impact the degree of reliance placed on internal audit by the organization's external auditors in connection with an assessment of internal control over financial reporting, nearly 80 percent of respondents indicated there was no change. Compared to last year's survey results, there was a slight improvement in the number of respondents who reported such reliance had increased moderately or significantly (20 percent in 2009).

Despite this improving trend, why are major accounting firms still hesitant to consider the value of an external quality assessment in determining whether to increase their reliance on the work of the internal audit department? PCAOB AS5 is clear in encouraging external auditors to rely on the work of qualified internal audit functions. Leading internal audit activities have studied, evaluated and honed their processes to near-perfection to ensure they are efficient and highly productive. The best functions measure themselves relentlessly in areas such as cycle time, recommendation status, customer feedback and individual productivity. These groups adhere to The IIA Standards, including having an independent external quality assessment review at least every five years. Clearly, leveraging the work of these top performers is an opportunity to increase the efficiency of the Sarbanes-Oxley compliance process.

Given the changes effective in 2009 to IIA Standard 1312 (which now states that an external assessment must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization), there is a good possibility that the results for this category of the Rebalancing survey will change next year.

Changing Landscape Demands Ongoing Rebalancing The Sarbanes-Oxley Act continues to become further ingrained in corporate America, with more and more companies moving beyond Year Four of compliance and, in one sense, nearing completion of their rebalancing activities. In this year s survey, two out of three companies reported that rebalancing has been achieved or is underway, or that they have moved beyond rebalancing. However, most organizations likely would agree that their rebalancing efforts will not end completely any time soon. In fact, numerous factors are coming into play that could make this an ongoing process for organizations. In the short term, thousands of smaller companies or nonaccelerated filers, as defined by the SEC must begin to comply with the auditor attestation requirement of Section 404 beginning for fiscal years ending on or after December 15, 2009. 3 As our Rebalancing survey has proven over the past four years, this will result in their internal audit functions if they have them devoting significant time and effort to the compliance process. Provided that the SEC does not issue another extension of the deadline for small companies to comply with the Section 404 auditor attestation requirement, we can expect many more organizations to begin the rebalancing process over the next few years. Other longer-term factors in the marketplace that are likely to fuel ongoing rebalancing efforts in the years to come include: The global economic crisis Not surprisingly, the crisis is impacting virtually every company worldwide. Most are reassessing a broad range of financial and operational processes in their organizations in order to become more efficient and achieve cost savings. Internal audit is playing a key role in these efforts, the priority of which is compelling internal audit leaders to take a renewed look at their efforts to rebalance further away from Sarbanes-Oxley activities. 
Changes to The IIA Standards: On January 1, 2009, The IIA released its revised International Professional Practices Framework, including revisions to the International Standards for the Professional Practice of Internal Auditing. Changes include the addition of six new Standards and, more notably, replacing the word "should" with "must" in virtually all of the Standards. These revisions, which are an effective complement to the COSO internal control model, could have many implications for internal audit functions. From a rebalancing perspective, the new and revised Standards very likely will compel companies to adopt a more balanced approach to their audit plans, which could require them to revisit or reignite their rebalancing efforts.

More changes to Section 404 compliance requirements: On the other side of the rebalancing spectrum, the SEC and PCAOB may introduce new guidance or requirements that could increase or decrease the effort required for compliance with Section 404. Companies will need to monitor any regulatory pronouncements and respond accordingly.

These and many other variables create an environment in which rebalancing is not a project that can be completed with certainty. Rather, it should be viewed as an ongoing process that, once its initial stages are completed, should be monitored by management, the board of directors and internal audit leaders to ensure the function is properly balanced and addressing the needs and priorities of the organization. As the global landscape continues to change and evolve, we look forward to monitoring developments and ascertaining how they are impacting the internal audit rebalancing efforts of organizations.

[3] For more information, read Protiviti's white paper, Auditor Attestation of Internal Control Over Financial Reporting: What You Can Expect, available at www.protiviti.com.

Methodology

More than 600 executives and professionals participated in Protiviti's Moving Internal Audit Back into Balance: A Post-Sarbanes-Oxley Survey, which was conducted from October 2008 through December 2008. Total responses for individual questions varied. Survey participants also were asked to provide demographic information about the nature, size and location of their businesses, and their titles or positions within the internal audit department. These details were used to help determine whether there were distinct trends based on an organization's progress with rebalancing. All demographic information was provided voluntarily by respondents.

Sources of Respondents

The IIA All-Star Conference in Las Vegas, Nevada (October 20-22, 2008): This event featured speakers rated highest by attendees of select IIA headquarters-sponsored conferences throughout the year. Survey forms were distributed to the attendees at the conference. Completed forms were returned to the Protiviti booth at the conference.

Web-based survey at KnowledgeLeader℠: Electronic surveys were made available online to KnowledgeLeader subscribers, including those with trial subscriptions. KnowledgeLeader is a subscription-based Protiviti website designed to assist internal audit professionals with finding information, tools and best practices they can use to improve the efficiency and quality of their work.

Electronic surveys: Surveys were forwarded to other internal audit professionals who expressed an interest in participating.

Survey Demographics

More than 600 respondents participated in the survey. All demographic information was provided voluntarily and not all participants provided data for every demographic question.

Position

Chief Audit Executives, Audit Directors and Audit Managers represented a majority of the respondents.

Chief Audit Executive: 19%
Audit Director: 18%
Audit Manager: 27%
General Auditor: 18%
Other: 18%

Industry

Manufacturing was the most-represented industry group in the study.

Manufacturing: 16%
Financial Services: 14%
Healthcare: 9%
Insurance: 7%
Distribution: 6%
Technology: 6%
Energy: 5%
Utilities: 5%
Retail: 5%
Government/Education/Not-for-profit: 4%
Telecommunications: 3%
Hospitality: 2%
Real Estate: 2%
Life Sciences/Bio-tech: 2%
CPA/Public Accounting/Consulting Firm: 1%
Media: 1%
Other: 12%

Type of Organization

A vast majority of participants were from publicly held companies.

Public: 73%
Private: 16%
Not-for-profit: 6%
Government: 5%
Other

Size of Organization (by gross annual revenue)

Overall, the greatest representation was by organizations with gross annual revenues of $1 billion to $4.99 billion, with more than 60 percent of organizations at $1 billion or higher.

$20 billion and above: 9%
$10 billion - $19.99 billion: 8%
$5 billion - $9.99 billion: 11%
$1 billion - $4.99 billion: 33%
$500 million - $999.99 million: 17%
$100 million - $499.99 million: 15%
Less than $100 million: 7%

Full-Time Equivalent Personnel in Internal Audit Department

Most organizations represented in the study have 10 or fewer full-time internal audit personnel.

More than 50: 8%
21-50: 9%
11-20: 16%
1-10: 67%

Formation Date of Internal Audit Department

More than 10 years ago: 4
6-10 years ago: 15%
1-5 years ago: 39%
Less than 1 year ago: 6%

Engaged in Co-Sourcing

Yes: 35%
No: 65%

Fiscal Year-End

Most respondents (68 percent) reported a fiscal year-end in December for their organizations.

January: 3%
February
March: 6%
April: 2%
May: 1%
June: 8%
July: 1%
August: 1%
September: 9%
October: 1%
November
December: 68%

About Protiviti Inc.

Protiviti (www.protiviti.com) is a global business consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. We help solve problems in finance and transactions, operations, technology, litigation, governance, risk, and compliance. Our highly trained, results-oriented professionals provide a unique perspective on a wide range of critical business issues for our clients in the Americas, Asia-Pacific, Europe and the Middle East.

Protiviti is proud to be a Principal Partner of The IIA. More than 1,000 Protiviti professionals are members of The IIA and actively involved with local, national and international IIA leaders to provide thought leadership, speakers, best practices, training and other resources that develop and promote the internal audit profession.

Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

Internal Audit and Financial Controls

We work with audit executives, management and audit committees at companies of virtually any size, public or private, to assist them with their internal audit activities. This can include starting and running the activity for them on a fully outsourced basis or working with an existing internal audit function to supplement their team when they lack adequate staff or skills.

Protiviti professionals have assisted hundreds of companies in establishing first-year Sarbanes-Oxley compliance programs as well as ongoing compliance. We help organizations transition to a process-based approach for financial control compliance, identifying effective ways to appropriately reduce effort through better risk assessment, scoping and use of technology, thus reducing the cost of compliance.
Reporting directly to the board, audit committee or management, as desired, we have completed hundreds of discrete, focused financial and internal control reviews and control investigations, either as part of a formal internal audit activity or apart from it.

One of the key features about Protiviti is that we are not an audit/accounting firm, thus there is never an independence issue in the work we do for clients. Protiviti is able to use all of our consultants to work on internal audit projects; this allows us at any time to bring in our best experts in various functional and process areas. In addition, Protiviti can conduct an independent review of a company's internal audit function; such a review is called for every five years under standards from The Institute of Internal Auditors.

Among the services we provide are:

Internal Audit Outsourcing and Co-Sourcing
Financial Control and Sarbanes-Oxley Compliance
Internal Audit Quality Assurance Reviews

For more information about Protiviti's Internal Audit and Financial Controls solutions, please contact:

Robert B. Hirth Jr.
Executive Vice President, Global Internal Audit
Protiviti Inc.
+1.415.402.3621 (direct)
robert.hirth@protiviti.com

Other Relevant Publications and Resources from Protiviti

Guide to Internal Audit: Frequently Asked Questions About Developing and Maintaining an Effective Internal Audit Function (Second Edition)
Internal Audit Capabilities and Needs Survey (conducted and published in 2006, 2008 and 2009)
Internal Auditing Around the World series
Internal Auditing in Higher Education: Profiles of Top Performers
Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements (Fourth Edition)
Performance/Risk Integration Management Model (PRIM²): The Convergence of Enterprise Performance Management and Risk Management
Guide to Enterprise Risk Management: Frequently Asked Questions
Enterprise Risk Management in Practice: Profiles of Companies Building Effective ERM Programs
Enterprise Risk Management: Practical Implementation Ideas
Partnering with the Rest of the Board
Guide to U.S. Anti-Money Laundering Requirements: Frequently Asked Questions (Third Edition)
Spreadsheet Risk Management: Frequently Asked Questions

In addition, Protiviti publishes The Bulletin, a periodic newsletter covering key corporate governance and risk management topics of interest to internal auditors, board members and C-level executives; and the Global Financial Crisis Bulletin, an ongoing newsletter series addressing current trends and developments in the global economic crisis. To obtain a complimentary copy of any of our publications, please visit www.protiviti.com.

Protiviti's Governance Portal for Internal Audit

Protiviti's Internal Audit Portal is a web-based audit management system designed to improve the efficiency and effectiveness of your audit department. The Internal Audit Portal is an electronic work paper package that facilitates the audit process from risk assessment through issue tracking. Our advanced reporting engine will provide transparency, real-time status updates and a streamlined audit reporting experience. Our clients are able to configure the solution to fit their approach and methodology, positioning both small and large internal audit functions to meet their objectives. With our Internal Audit Portal combined with our professionals and content, Protiviti will help you create a personalized response to your audit tool needs.

The Internal Audit Portal is an integrated module within the Protiviti Governance Portal that can be used independently or in conjunction with other modules to create a true governance, risk and compliance (GRC) platform. This enterprise solution allows you to leverage frameworks and build a common language and repository that brings internal audit information into a GRC context.

Additional modules of the Governance Portal include:

Controls Management: A framework that supports control documentation (e.g., Sarbanes-Oxley), evaluation, documentation and testing.
Risk Management: A framework for assessing inherent, tolerable and residual risk across defined enterprise categories.
Assessment Management: An integrated survey engine that supports a sustainable self-assessment process across multiple GRC programs and modules of the Governance Portal.
Incident Management: A system that captures actual, near-miss and potential events that can result in operational and financial losses.

For more information about Protiviti's Governance Portal for Internal Audit, please contact:

Scott Gracyalny
Managing Director, Risk Technology Solutions
Protiviti Inc.
+1.312.476.6381 (direct)

KnowledgeLeader℠ is a subscription-based website that provides information, tools, templates and resources to help internal auditors, risk managers and compliance professionals save time, stay up-to-date and manage business risk more effectively. The content is focused on business risk, technology risk and internal audit, and is updated weekly. The tools and resources available on KnowledgeLeader include:

Audit Programs: A wide variety of sample internal auditing work programs and IT functional audit work programs are available on KnowledgeLeader. These programs, along with the other tools listed below, are provided in downloadable versions so they can be repurposed for use in your organization.

Checklists, Guides and Other Tools: There are more than 600 checklists, guides and other tools available on KnowledgeLeader. They include questionnaires, best practices, templates, charters and more for managing risk, conducting internal audits and leading an internal audit department.

Policies and Procedures: KnowledgeLeader provides hundreds of sample policies to help you in reviewing, updating or creating your company policies and procedures.

Articles and Other Publications: KnowledgeLeader features informative articles, survey reports, newsletters and booklets produced by the KnowledgeLeader team, Protiviti professionals and other content providers (including Compliance Week, Auerbach, Taylor & Francis and The IIA). The content is focused on business and technology risks, internal auditing and finance.

Performer Profiles: Numerous interviews with internal audit executives and chief risk officers from corporations around the world are featured on the site. These leaders share their tips, techniques and best practices for managing risk and running their internal audit functions, or developing and managing their enterprise risk management initiatives.
Key topics covered by KnowledgeLeader:

Business Continuity Management
Control Self-Assessment
Corporate Governance
COSO
Enterprise Risk Management
Financial and Credit Risk
Fraud and Ethics
Internal Audit
Sarbanes-Oxley Act
Security Risk
Technology Risk

KnowledgeLeader has an expanding library of methodologies and models including the robust Protiviti Risk Model℠, a process-oriented version of the Capability Maturity Model, the Six Elements of Infrastructure Model and the Sarbanes-Oxley 404 Service Delivery Model.

With a KnowledgeLeader membership, subscribers have access to AuditNet Premium Content; discounted certification exam preparation material from ExamMatrix; discounted MicroMash CPE Courses to maintain professional certification requirements; audit, accounting and technology standards and organizations; and certification and training organizations, among other information.

To learn more, sign up for a complimentary 30-day trial by visiting www.knowledgeleader.com. Protiviti clients and alumni, and members of The IIA, ISACA and AHIA, are eligible for a subscription discount. Additional discounts are provided to groups of five or more.

KnowledgeLeader members have the option of upgrading to KLplus℠ (KL+). KL+ provides all of the benefits of KnowledgeLeader, plus full access to Protiviti's suite of online CPE courses and risk briefs.

Protiviti Internal Audit and Financial Controls Practice Contact Information

Robert B. Hirth Jr., Executive Vice President, Global Internal Audit, +1.415.402.3621, robert.hirth@protiviti.com

AUSTRALIA: Garran Duncan, +61.3.9948.1205, garran.duncan@protiviti.com.au
BELGIUM: Carl Messemaeckers van de Graaff, +31.20.346.04.00, carl.messemaeckers@protiviti.nl
BRAZIL: Waldemir Bulla, +55.11.5503.2020, waldemir.bulla@protiviti.com.br
CANADA: Carmen Rossiter, +1.647.288.4917, carmen.rossiter@protiviti.com
CHINA: Philip Yau, +86.755.2598.2086, ext. 888, philip.yau@protiviti.com
FRANCE: Francis Miard, +33.1.42.96.22.77, f.miard@protiviti.fr
GERMANY: Michael Klinger, +49.69.963.768.155, michael.klinger@protiviti.de
INDIA: Adithya Bhat, +91.22.6626.3310, adithya.bhat@protiviti.co.in
ITALY: Giacomo Galli, +39.02.6550.6303, giacomo.galli@protiviti.it
JAPAN: Yasumi Taniguchi, +81.3.5219.6600, yasumi.taniguchi@protiviti.jp
MEXICO: Roberto Abad, +52.55.5342.9100, roberto.abad@protiviti.com.mx
THE NETHERLANDS: Carl Messemaeckers van de Graaff, +31.20.346.04.00, carl.messemaeckers@protiviti.nl
SINGAPORE: Philip Moulton, +65.6220.6066, philip.moulton@protiviti.com
SOUTH KOREA: Sang Wook Chun, +82.2.3483.8200, sangwook.chun@protiviti.co.kr
SPAIN: Diego Rodriguez Roldan, +34.91.206.2000, diego.rodriguezroldan@protiviti.es
UNITED KINGDOM: Andrew Clinton, +44.20.7024.7570, andrew.clinton@protiviti.co.uk
UNITED STATES: Robert B. Hirth Jr., +1.415.402.3621, robert.hirth@protiviti.com

The Americas

United States: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, Seattle, Silicon Valley/Santa Clara, Stamford, St. Louis, Tampa, Vienna, Woodbridge
Brazil: São Paulo
Canada: Kitchener-Waterloo, Toronto
Mexico: Mexico City
Peru: Lima*
Venezuela: Caracas*

Europe

Belgium: Brussels
France: Paris
Germany: Düsseldorf, Frankfurt, Munich
Italy: Milan, Rome, Turin
Spain: Madrid
The Netherlands: Amsterdam
United Kingdom: London

Middle East

Bahrain: Bahrain*
Kuwait: Kuwait City*
Oman: Muscat*
United Arab Emirates: Abu Dhabi*, Dubai*

Asia-Pacific

Australia: Brisbane, Canberra, Melbourne, Sydney
China: Beijing, Hong Kong, Shanghai, Shenzhen
India: Bangalore, Mumbai, New Delhi
Indonesia: Jakarta**
Japan: Osaka, Tokyo
Singapore: Singapore
South Korea: Seoul

* Protiviti Member Firm
** Protiviti Alliance Member

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

protiviti.com
© 2009 Protiviti Inc. An Equal Opportunity Employer. PRO-0609-101022.