Table of Contents

Managing the Audit Function—A Corporate Audit Department Procedures Guide, Third Edition .... 1

Foreword .... 1
Preface .... 1
Standing at the Rubicon! .... 1

Part I: Fundamentals of the Internal Auditing Function .... 1
Chapter List .... 1

Chapter 1: Background .... 1
  1.1 Introduction .... 1
  1.2 History of Auditing [1] .... 1
  1.3 History of Internal Auditing .... 4
  1.4 Auditing Government Agencies .... 8
  1.5 History of Information Systems Auditing .... 8
    a. Birth of Information Systems Auditing .... 9
    b. Commercialization of Computers .... 9
    c. AUDITAPE: Breakthrough for Information Systems Auditors .... 10
    d. Equity Funding Scandal: Abuse of Information Technology .... 11
    e. Systems, Auditability, and Control Research Study—Institute of Internal Auditors .... 12
    f. Electronic Data Processing Auditors Association .... 13
    g. Emerging Technologies .... 14
  1.6 History of Federal Regulations Related to Auditing .... 19
    a. Income Tax Law (Sixteenth Amendment): 1913 .... 19
    b. Securities and Exchange Commission Acts: 1933, 1934 .... 20
    c. Foreign Corrupt Practices Act: 1977 .... 20
    d. Copyright Laws: 1976 et al. .... 21
    e. Sarbanes-Oxley Act: 2002 .... 21
  1.7 Professional Organizations Related to Internal Auditing .... 21
    a. Institute of Internal Auditors .... 22
    b. Information Systems Audit and Control Association .... 22
    c. American Institute of Certified Public Accountants .... 23
    d. American Accounting Association .... 24
    e. Financial Executives International .... 24
    f. Association of Government Accountants .... 25
    g. Association of Certified Fraud Examiners .... 25
  Endnotes .... 26

Chapter 2: Auditing Standards and Responsibilities .... 1
  Overview .... 1
  2.1 Introduction .... 1
  2.2 Ethics .... 1
    a. Institute of Internal Auditors (IIA) [2] .... 2
    b. Information Systems Audit and Control Association (ISACA) [3] .... 3
  2.3 Professional Auditing Standards .... 4
    a. Institute of Internal Auditors .... 4
    b. Information Systems Audit and Control Association [5] .... 6
    c. American Institute of Certified Public Accountants .... 8
  2.4 Systems Development Life Cycle Standards .... 9
  2.5 Professional Development .... 12
  2.6 Responsibilities of a Corporate Auditor .... 12
    a. Nature .... 13
    b. Objective and Scope .... 13
    c. Responsibility and Authority .... 13
    d. Independence .... 13
    e. Regulatory Issues .... 14
  Endnotes .... 15

Chapter 3: Internal Control System .... 1
  Overview .... 1
  3.1 Definition .... 1
  3.2 Fundamental Assumptions in Establishing an Internal Control System .... 2
    a. Business Reasons for a Strong Internal Control System .... 3
    b. Legal Reasons for a Strong Internal Control System .... 3
    c. Basic Assumptions for the Internal Control System .... 4
    d. Evolution of Attacks and Intruders' Technical Knowledge .... 4
    e. Cost-Benefit Analysis of Controls .... 5
  3.3 Effective Internal Control Models .... 5
    a. The COSO Model (AICPA, AAA, FEI, IIA, and IMA) .... 5
    b. The CobiT Model (ISACA) .... 7
    c. The SAC and eSAC Reports (IIA) .... 8
    d. SysTrust (AICPA and CICA) .... 9
    e. Conclusion: Comparing and Contrasting the Models .... 13
  3.4 Regulations .... 15
    a. Securities and Exchange Commission (1933, 1934) .... 15
    b. Foreign Corrupt Practices Act (1977) .... 16
    c. Copyright Laws (1976 et al.) .... 16
    d. Environmental Laws (Various) .... 16
    e. Sarbanes-Oxley Act (2002) .... 17
  3.5 Policies [7] .... 17
    a. Systems Development Life Cycle Policy .... 18
    b. Systems Usage Policy (End Users) .... 19
    c. Security Policy .... 19
    d. Password Policy .... 19
    e. E-Mail Policy .... 20
    f. Business Recovery Policy .... 20
    g. Privacy Policy .... 21
  3.6 Risk Assessment .... 22
    a. Risk Assessment: Internal Perspective .... 23
    b. Risk Assessment: External Perspective .... 24
  3.7 Control Strategies .... 28
    a. Fourfold Perspective of Controls Model .... 28
    b. Information Systems and Controls Model .... 30
    c. An Internal Audit Function .... 34
    d. Corporate Governance .... 34
    e. Logs and Auditability .... 38
    f. Segregation of Duties .... 38
    g. Investigation Procedures .... 38
  3.8 Malicious Activities .... 39
    a. Crime and Misappropriation of Assets .... 39
    b. Unauthorized Access and Authentication .... 41
Table of
of Contents
Controll System
Chapter 3: Internal Contro
3.9 Specific Controls/Caatts......................................
Controls/Caatts..................................................................................................................43
............................................................................43
a. Monitoring Systems
Systems.......................................
..................................................
.............................................................................43
..................................................................43
b. Firewalls..................
Firewalls........................................................
............................................................................
.............................................................................
.......................................43
43
c. Generalized
Generalized Audit Software......
Software.............................................
..............................................................................
..........................................................43
...................43
d. Other Potential Controls/CAATTs
Controls/CAATTs...................................
..........................................................................
..........................................................44
...................44
References.......................................
References ...................................................................
.......................................................................................................45
...........................................................................45
Endnotess.......
Endnote ............
.........................
........................................................
..........................................................................
.............................................................................
.......................................45
45

Part II: Management and Administration..................................................................................


Administration.......................................................................................................1
.....................1
Chapter List..........................................................
..............................................................................................................................................1
....................................................................................1
....................................
...........................................................................
.............................................................................
.............................................................................
.........................................1
..1

Chapter 4: Department Organizat


Organization ion.......
..............
.............
.................................................................................................1
...........................................................................................1
Overview....................................................................
Overview................. ................................................................................................................................1
.............................................................................1
4.1 Introduction
Introdu ction.......
......................................................................................
................................................................................................................................1
...................................................1
a. Strategic Objectives
Objectives.......................................
.......................................................................................................................1
b. Essence of Internal
Internal Auditing
Auditing....................
........................................................................................................2
....................................................................................2
c. Quality Assurance
Assurance Reviews of Internal Audit..............................................................................3
Audit...... ........................................................................3
d. Outsourcing
Outsourcing Internal Audits................
Audits.........................................................................................................3
.........................................................................................3

e. Control Self-Assessment...................
f. IntegratingSelf-Assessment..............................................................................................................5
...........................................................................................5
the Auditing Process...........................
the ...................................................................................................6
........................................................................6
4.2 Corporate Audit Charter .......... 6
4.3 Company Organization .......... 8
  a. Audit Department Organization .......... 9
  b. Job Classifications and Descriptions .......... 10
4.4 Audit Department Policies .......... 24
  a. Confidentiality .......... 24
  b. Orientation (Training) .......... 25
  c. Days Off for Extensive Travel Policy .......... 26
  d. Professional Certification Policy .......... 26
Endnote .......... 26

Chapter 5: Personnel, Administration, and Recruiting .......... 1
Overview .......... 1
5.1 Introduction .......... 1
  a. Sources of Personnel .......... 1
  b. Recruitment Aids .......... 3
  c. Management Development Programs .......... 5
  d. Certifications .......... 6
5.2 Personal Development .......... 6
  a. Introduction .......... 6
  b. Objectives .......... 7
  c. Coordinator of Education .......... 7
  d. Corporate Audit Training Model .......... 7
  e. Core Program .......... 8
  f. Advanced Program .......... 9
  g. Record-Keeping .......... 9
5.3 Personnel Files .......... 11
  a. Corporate Audit Department Background Information Form .......... 13
  b. Corporate Audit Department Interest Questionnaire .......... 13
5.4 Periodic Performance Evaluation Review .......... 13

  a. Performance Evaluation Review Guidelines for Preparation of Report .......... 16
5.5 Annual Staff Meeting/Conference .......... 19
  a. Group Discussions .......... 19
5.6 New Staff Orientation .......... 21
Endnotes .......... 24

Part III: Technical Procedures .......... 1
Chapter List .......... 1

Chapter 6: Audit Planning .......... 1
Overview .......... 1
6.1 Corporate Audit Planning, Scheduling, and Staffing .......... 1
  a. Three-Year Operating Plan .......... 2
  b. Risk Analysis .......... 3
  c. Annual Budget and Plan .......... 4
  d. Six-Month Audit Plan .......... 5
  e. Three-Month Audit Schedule .......... 5
  f. Two-Month Staff Schedule .......... 5

6.2 Internal Controls .......... 5
6.3 Materiality .......... 6
6.4 Types of Audits .......... 8
  a. High-Level Review of Procedures .......... 8
  b. Financial Audit .......... 8
  c. Operational/Managerial Audit .......... 9
  d. Compliance Audit .......... 10
  e. Contract Audit .......... 10
  f. Desk Review .......... 11
  g. Follow-Up Audits .......... 11
  h. Information Systems Audits [3] .......... 11
  i. E-Commerce Audits .......... 15
  j. International Audits .......... 15
6.5 Time Reporting .......... 16
  a. Form: Corporate Audit Time Report .......... 16
  b. Report for the Period Ending .......... 16
  c. Auditor's Name/Employee Number .......... 16
  d. Job Number .......... 17
  e. Audit Codes .......... 17
  f. Task Codes .......... 18
  g. Hours .......... 18
  h. Productive Time .......... 18
  i. Nonproductive Time .......... 18
  j. Summarizing Time .......... 19
6.6 Expense Reporting .......... 19
  a. Travel Expenses .......... 20
Endnotes .......... 20

Chapter 7: Audit Performance .......... 1
Overview .......... 1
7.1 Corporate Audit Performance Process Matrix .......... 1
  a. Assignment Log and Checklist .......... 2

  b. Description of Notice to Auditee .......... 3
  c. Preliminary Survey .......... 4
  d. Planning Memo .......... 7
  e. Audit Status Report .......... 11
  f. Developing Audit Recommendations .......... 11
7.2 Workpapers .......... 17
  a. Control .......... 17
  b. Retention .......... 18
  c. Headings .......... 18
  d. Permanent Files: Contents and Format .......... 19
  e. Current Files: Contents and Format .......... 20
  f. General Organization .......... 20
  g. Detailed Workpaper Section Organization .......... 20
  h. Indexing and Cross Referencing .......... 21
  i. Referencing .......... 23
  j. Standard Tick Marks .......... 23
7.3 Audit Objectives .......... 24
  Cash .......... 24
Endnote .......... 26

Chapter 8: Audit Reporting .......... 1
Overview .......... 1
8.1 Corporate Audit Report Process .......... 1
  a. Draft Reports .......... 2
  b. Draft to Auditee .......... 3
  c. Inclusion of Auditee Comments .......... 4
  d. Issue Final Report to Management .......... 7
  e. Open Audit Results and Comments .......... 14
8.2 Report to Management .......... 15
8.3 Report to Audit Committee .......... 18

Part IV: Long-Term Effectiveness .......... 1
Chapter List .......... 1

Chapter 9: Managing the Effectiveness of the Audit Department .......... 1
Overview .......... 1
9.1 Introduction .......... 1
9.2 Corporate Governance [1] .......... 1
9.3 Quality Assurance .......... 4
  a. Objective .......... 5
  b. Responsibility .......... 5
  c. Method .......... 5
  d. Reports .......... 9
  e. Summary of Review .......... 9
  f. Quality Assurance Checklist .......... 10
9.4 Continuous Improvement Systems for Internal Auditors .......... 10
  a. Balanced Scorecard [5] .......... 10
  b. Value-Based Metrics .......... 12
  c. Activity-Based Costing .......... 12
  d. Total Quality Management .......... 13
e. ISO 9000 Family [7] ... 13
f. Baldrige National Quality Program/Baldrige Award [8] ... 14
g. Conclusions ... 14
9.5 Marketing the Audit Function ... 15
a. What Is Marketing? ... 15
b. Understanding the Customers ... 16
c. Getting the Audit Message Out ... 16
d. Human Resources ... 16
e. Summary ... 17
Endnotes ... 17

Index ... 1
A ... 1
C ... 1
E ... 1
F ... 1
G ... 1
I ... 1
S ... 1

List of Tables ... 1
Chapter 6: Audit Planning ... 1
Chapter 7: Audit Performance ... 1

List of Exhibits ... 1
Chapter 2: Auditing Standards and Responsibilities ... 1
Chapter 3: Internal Control System ... 1
Chapter 4: Department Organization ... 1
Chapter 5: Personnel, Administration, and Recruiting ... 1
Chapter 6: Audit Planning ... 1
Chapter 7: Audit Performance ... 2
Chapter 8: Audit Reporting ... 2

Managing the Audit Function—A Corporate Audit Department Procedures Guide, Third Edition

Michael P. Cangemi
Tommie Singleton

John Wiley & Sons, Inc.


This text is printed on acid-free paper.

Copyright © 2003 by John Wiley & Sons, Inc.

All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under
Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the
Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance
Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-750-4470, or on the web at
www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions
Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax
201-748-6008, e-mail: <permcoordinator@wiley.com>.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in
preparing this book, they make no representations or warranties with respect to the accuracy or completeness
of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a
particular purpose. No warranty may be created or extended by sales representatives or written sales materials.
The advice and strategies contained herein may not be suitable for your situation. You should consult with a
professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any
other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer
Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993, or fax
317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not
be available in electronic books.

For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Cangemi, Michael P., 1948-


Managing the audit function : a corporate audit department procedures guide / by Michael P. Cangemi, Tommie Singleton.
ISBN 0-471-28119-0 (pbk. : alk. paper)

1. Auditing, Internal—Handbooks, manuals, etc. 2. Corporations—Auditing—Handbooks, manuals, etc. I. Si

HF5668.25 .C37 2003


657' .458—dc21 2002153133
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
Dedicated to our mutual friend Belden Menkus for always providing encouragement and confidence in us.

ABOUT THE AUTHORS


Michael P. Cangemi is President and Chief Executive Officer and Director of Etienne Aigner Group Inc., a leading designer
Mr. Cangemi has served as Director of the New York Region Computer Audit Program at Ernst & Young. He is currently serv
Mr. Cangemi is a Certified Public Accountant and a Certified Information Systems Auditor. He is a member of the Financial E
Mr. Cangemi has published many articles that have appeared in publications including Internal Auditing, Datamation, New Ac
Mr. Cangemi received his Bachelor of Business Administration in Accountancy Practice degree from Pace University. In 2000
Mr. Cangemi and his wife, Maria, and two children, Michael Jason and Marc Ignatius, have residences in both Edison, New Je
Tommie Singleton is professor of Accounting and Computer Information Systems (CIS) at the University of North Alabama
Since becoming an academic in 1994 at UNA, Dr. Singleton has been eminent scholar (1996–1997), Chair—Department of CI
Dr. Singleton has earned several accounting certifications: Certified Public Accountant (CPA), Certified Information Systems
Dr. Singleton has published numerous articles related to auditing and systems in publications such as EDP Auditor Journal, In
Over the last few years, Dr. Singleton has led several seminar sessions on systems and auditing subjects, many for CPE credit.
Dr. Singleton received his Bachelor of Science in Accounting (1977) and MBA (1979) from the University of North Alabama.
Tommie and his wife Rebecca reside in Muscle Shoals, AL. They have three grown children: Shayne, Krissie, and AJ.


Foreword
At the turn of the century, copper mining companies such as Phelps Dodge Corporation were the darlings of 
Wall Street. They were growth plays at the dawn of the new age of electricity and communications. The
demand for wiring throughout the country seemed endless. By the early 1900s, Phelps Dodge Corporation had
already achieved a proud heritage. Formed in the early 1800s as a trading company, it wisely invested its
profits in the copper mining business.

By the late 1970s when I joined Phelps Dodge Corporation as Chief Financial Officer, much had changed. I
was asked by my good friend, then Chairman and CEO, George B. Munroe, to assist him and the Company in
meeting the challenges ahead. The Management Information Systems (MIS) operating areas and the Internal
Audit function were to receive special attention.

George and I found that the audit resource should be more consistently applied across company operations,
and that the reputation of the audit function and the results of its efforts could be improved.

Michael Cangemi joined Phelps Dodge as Director of Internal Audit. My background as a Public Accountant
and Chairman of BDO Seidman CPAs helped me to recognize the need for a strong internal audit function.
Internal auditing is a difficult function to develop in a company. To allow it to contribute to the company, the
internal audit management must be empowered with wide-ranging authority. The director of audit must
possess integrity, initiative, and excellent communication skills.

Michael Cangemi had the personal traits we were looking for. In addition, he had a program to ensure that all
audit personnel would be trained in the areas of information technology and the application of the technology
to the audit function. Based on his work as Director, Computer Audit at the New York Office of Arthur
Young & Company (now Ernst & Young LLP), Michael decided to integrate EDP audit and financial audit.
His audit personnel team was designed to be capable of advancing with the Company into the information
age.

Over the next two years, Michael proceeded, with the help of his audit team, to produce an audit methodology
that resulted in a most successful audit function at Phelps Dodge Corporation. This book outlines the
methodology that was implemented, and much more.

After those two years, Michael was promoted to General Auditor of Phelps Dodge Corporation. This was a
high honor in a company that had a very lean corporate management structure. At the age of 33, he was one of 
the youngest officers in the history of the company. More importantly, he had gained the respect of the senior
management team and the board of directors.


Procedures properly implemented produce the guideposts necessary to ensure that a function such as audit
stays on course. Developing budgets for each audit assignment, preparing status reports, and planning
documents are essential to efficient audit performance. Audit reports containing a summary report limited to
two pages that give the scope of the report, key background information, and a conclusion and summary of 
findings in a concise bulleted format were created for directors. Detailed reports were prepared for use by
those responsible for implementation.

Michael was fond of saying that "good people using good procedures will produce an audit product with a
reliable, high-quality level." This was the result at Phelps Dodge Corporation.

Personnel development was a very high priority of the new audit program. Audit conferences were serious
training and key team-building events.

The audit group was also assigned to activities such as contract, acquisition, and disposition audits. Contract
audits alone have saved the company millions of dollars a year in contracting fees.


Once Michael had the audit function organized and had built a team that was capable of proper succession, he
moved on to become a successful corporate vice president with responsibility for all of the company's
information systems and benefit plans as well as internal audit.

You can take the methodology outlined in this book and improve your own company's audit program or use it
as a basis for forming a new, modern audit program. Any chapter in this book provides ideas that are worth
the price of the entire publication.

L. WILLIAM SEIDMAN, CPA

November 1995
Washington, DC


Preface
Standing at the Rubicon!
The Emperor Julius Caesar had to cross a river to launch a civil war against General Pompey in the year 49
B.C. The description of that act has become a metaphor meaning standing at a point at which there is no
turning back or new beginnings. The world of internal auditing is now at the Rubicon!

The first edition of this book was published in 1991. At that point, internal auditing outsourcing was on the
rise. Could this trend have been a symptom of the decline in corporate governance and the rise of aggressive
accounting to boost earnings? Enron Corp., at times, outsourced their internal audit functions. WorldCom,
Inc.'s accounting issues were discovered by an internal auditor.

The theme of this book is very simple. Quality internal auditors utilizing tested and proven procedures in a
proactive way will produce beneficial tangible results.

Auditing is as exciting as the world in which we audit. In fact, anticipating and preparing for the changes that
constantly take place in the business world makes auditing even more challenging. Coexisting with other
management and partnering in the company's mission, while maintaining a healthy dose of skepticism,
provides a significant interpersonal and intellectual challenge. However, many auditors have attempted to live
in a slow-paced, reactive world.

As a profession, internal auditing has been evolving for less than one hundred years. The profession continued
to grow steadily through the 1950s and into the 1960s. The business community was changing dramatically,
with technological leaps and global expansion leading the way. Internal control, as it was known, was
destined to change to address the issues and complexities of the modern day.

The first wake-up call came in 1977 with the passage of the Foreign Corrupt Practices Act. Passed to address
the practices of paying bribes in foreign countries, the law had requirements that adequate systems of internal
control be maintained. Internal audit's role in management rose to new heights. The internal auditing
professionals reacted swiftly and implemented new programs to strengthen internal controls and checks and
balances. Those internal audit departments that were capable and proactive produced solid returns on
investments for their organizations. Many branched out into operational audit areas that were heretofore only
discussed. All audit functions addressed information technology in one way or another. Auditors met at
conferences and shared information and best practices in a way that should be the envy of all professional
groups.

In the 1990s, internal control was redefined. The Committee of Sponsoring Organizations (COSO) issued its
landmark definitional study of internal control. The product amounted to a five-volume publication which has,
for the first time ever, attempted to define all of the intricacies and the subtleties of internal control and
achieve agreement among leading professional organizations.

The 1990s also saw the profession of internal auditing as a candidate function for outsourcing. Is internal
auditing a core capability? Can professionals from outside the organization perform studies of internal control
without a thorough understanding of the personality of the organization? The debate on outsourcing is an
interesting challenge for the profession of internal auditing.

During these decades, internal auditing groups that were proactive and worked hard to create excellent
internal audit programs, have continued to satisfy their management. They searched for new requirements,
responsibilities, and ways to contribute to their organization. The first thing that all successful audit
organizations have done is to organize themselves. It has always been my hope that this book would help
audit departments improve their organization and operations so that they can improve their overall
performance.


As noted above, internal auditing is a very challenging profession, and once the fundamentals of an audit
organization are established through the development of a policies and procedures manual, the audit
department can focus more of its energies on the delivery of internal audit services.

This third edition of Managing the Audit Function greatly expands on the prior edition. In addition to a
general update, a new chapter on internal controls has been added. This chapter defines internal control, risk 
assessment, control strategies and malicious activities. The subject should be studied and understood not just
by internal auditors but all managers and board members as well. The recent developments with accounting
irregularities demonstrate a clear need for an education on the complex subject of internal control! In
addition, a section on the history of audit was greatly expanded and integrated into the background materials.

As the finishing touches were being made to this edition of Managing the Audit Function, the U.S. Congress
passed the Sarbanes-Oxley Act of 2002. This act makes reporting on internal control a requirement for public
companies registered with the Securities and Exchange Commission (SEC). The law requires annual reports
to contain an assessment of the effectiveness of internal control over financial reporting. In addition, it
requires the adoption of standards for independent auditors to attest to management's report on internal
control. Separately, the act requires a company's CEO and CFO to certify quarterly and annual reports. These
developments will focus senior management's attention on ensuring the adequacy and effectiveness of their
internal audit department to assist management with these requirements. Senior management can use this
book as a primer on the elements of a modern internal audit function.

As the original author, there is little doubt that I am fascinated with auditing in general, and specifically the
internal auditing profession! I first observed internal and external auditing as a member of the operations staff 
of a brokerage house in my college years. I then spent a number of years in public practice at Ernst & Young
before joining a large corporation as Director, Internal Audit. After rising to General Auditor, I moved out of 
internal auditing and into a financial officer position. Internal auditing continued to report to me during this
period, and I attended all audit committee meetings. I then rejoined the public practice at BDO Seidman as
National Director of EDP Auditing and Internal Audit Services. I joined Aigner Group, Inc. in a senior
management position and after eight years as CFO, I am currently the President and Chief Executive Officer
of the company.

I have seen internal control and auditing from a number of interesting vantage points. My current position
affords me one of the best views from the standpoint of how internal auditing should fit into and contribute to
an organization. All corporate managers have a desire to run a well-controlled operation. We need to be able
to rely on the integrity of the data and results of our operations. However, I am now further convinced of the
need for the audit department to be proactive and seek out ways to contribute positively to the corporate
mission.

As pointed out in this book, the audit function does not have the same performance measurements available to
them as do other line functions within the organization. I am also now more aware than ever of the need for
cost justification for every dollar spent, especially dollars that are not spent in the direct pursuit of revenue.
Internal audit departments must have the disciplines and measurements proposed in this book. These issues
have come more clearly into view, and as a result of my current position, I am certain that the methodologies
suggested in this book are essential principles of internal audit management.

To add new dimensions and perspective to this methodology, I asked Tommie Singleton to join with me on
this third edition. After a career in industry, Tommie Singleton went back to school and devoted himself to
accounting and auditing all the way to the PhD level. We met while working on publishing segments of his
dissertation on the history of IS auditing in the IS Control Journal, where I am to this day the Editor-in-Chief.

Dr. Singleton is Professor of Accounting and Computer Information Systems at the University of North
Alabama. He added tremendously to this book as co-author, giving his insights and knowledge on the
complex subject of internal control and sharing his vast acumen on our profession's history.


We are both very active with professional associations, which keeps us at the forefront of developments
affecting internal auditing. We owe a debt of gratitude to our colleagues at the IIA and ISACA who keep us
connected to this interesting world of auditing. We are also very busy with our "real" jobs and rely heavily on
our co-workers. We would especially like to thank Deb Urquhart, my Executive Assistant, for her untiring
efforts and dedication to this book project.

I would also like to thank my associates at ISACA, Susan Caldwell, Jennifer Blader and Jane Seago, who care
so much about the profession's response to technological developments and who work to make IS Control
Journal a significant contributor to the expansion of the professional literature. Finally, last but certainly not
least, I'd like to thank Sheck Cho, our editor, who guided me through editions one, two, and now three and is
always there for support and encouragement.

MICHAEL P. CANGEMI

November 2002
Edison, New Jersey

 

Part I: Fundamentals of the Internal Auditing Function

Chapter List
Chapter 1: Background
Chapter 2: Auditing Standards and Responsibilities
Chapter 3: Internal Control System

 

Chapter 1: Background

1.1 Introduction
The goal of this manual is to provide a broad scope of information to assist you in developing your
auditing function into a well-respected contributor to the company's mission and a world-class audit
department.

This manual will serve to document approved departmental procedures. It will be the basis for establishing
methods to ensure the highest level of performance and quality in the department. These procedures should be
evaluated and updated on an ongoing basis to keep pace with changing conditions.

This book has been set up in the format of a procedures manual. Beginning with Chapter 2, each page has a
heading consisting of the company name, the title of the manual (Corporate Audit Department Procedures
Manual, if appropriate), the section number, the revision number (if you choose to keep track of the number of 
changes made in a particular section), and the date of the revision. Much of the text has been written so that it
can be considered boilerplate and be used with your modifications to easily create your own manual.

The manual is based on a methodology employed very successfully at Phelps Dodge Corporation.
Subsequently, the methodology was used as a basis for audit management workshops and consulting projects.
Through these processes, the material contained in the methodology was analyzed and improved over a
10-year period. The methodology is broken down into four main components: Part One: Fundamentals of the
Internal Auditing Function (Chapter 1, "Background"; Chapter 2, "Auditing Standards and Responsibilities";
Chapter 3, "Internal Control System"), Part Two: Management and Administration (Chapter 4, "Department
Organization"; Chapter 5, "Personnel Administration and Recruiting"), Part Three: Technical Procedures
(Chapter 6, "Audit Planning"; Chapter 7, "Audit Performance"; Chapter 8, "Audit Reporting"), and Part Four:
Long-Term Effectiveness (Chapter 9, "Managing the Effectiveness of the Audit Department"). Other
programs can be added to your manual. The technical chapters all begin with a matrix that outlines the various
tasks or functions addressed in that chapter.

In order to achieve the above goals, a brief overview of historical events affecting auditing is beneficial. Thus
this chapter is written to familiarize auditors with historical events that directly relate to audits, audit planning,
and in particular the management of a world-class audit function. This section will review the history of
auditing before information systems (IS), the history of IS auditing, the history of federal regulations related
to auditing, and professional organizations related to auditing. An understanding of these events and
organizations should provide substantial benefits in managing your auditing function.

1.2 History of Auditing [1]

The ancient history of accounting and auditing left sparse documentation, but possibly did predate the
invention of writing, circa 8,500 B.C. The earliest surviving records in double-entry form are those of the
Medici family of Florence, Italy, from 1397.

The "modern" era of accounting dates from the year 1494, when a monk named Luca Pacioli published the
first book on accounting. He became known as the "Father of Accounting" because of the widespread
dissemination of his book and its information. However, Pacioli was a typical monk of the fifteenth
century—educated in a wide variety of disciplines, and served as tutor and mentor to the wealthy. In fact, the
book itself contains more than accounting, including arithmetic. All Pacioli really did was to explain existing
accounting principles.

Auditing, too, is one of the oldest professions. Writing was invented in part to satisfy the need for audits.
Zenon papyri record the application of audits on the Egyptian estate of the Greek ruler Ptolemy Philadelphus
II as early as 2,500 years ago. Early Greek and Roman writers such as Aristophanes, Caesar, and Cicero make
mention of accountants, auditors, and auditing accounts and audit rooms. As early as the Middle Ages, a form
of internal auditing existed among the manor houses of England where the lord served as manager of the audit
function.

The earliest external audit by an independent public accountant was in 1720 by Charles Snell as a result of the
South Sea Bubble scandal in England. The total market value of the South Sea Company, chartered in 1710,
eventually exceeded the value of all money in England. Thus when the company crashed, it was an extremely
significant public event in the English economy. Fictitious entries were discovered in the books. This event
set a precedent in the history of auditing. In fact, many, if not most, major auditing events, improvements, and
standards tend to follow public exposure of scandals and/or fraud.

Later, the industrial revolution in England resulted in factory systems that were financed by stockholders. This
situation created a need for auditors, both internal and external. To protect the public, the British
Companies Act of 1844 provided for mandatory audits. Soon afterward, in 1853, organizations of chartered
accountants were formed in Scotland. Then in 1880, five organizations were melded into the unified Institute
of Chartered Accountants in England and Wales. By 1881, it had a membership of more than 1,000 members.

The same industrial revolution was occurring across the Atlantic in the United States. By the late nineteenth
century, British auditors were being sent to audit American companies. For example, the British firm Price
Waterhouse was sending over auditors as early as 1873. Soon, New York offices existed for British firms
Price Waterhouse, Peat Marwick & Company, and Arthur Young & Company. Thus it was the British who
built the infrastructure for professional auditing in the United States.

One of the first key events in the history of the U.S. audit profession was the establishment of what was the
forerunner of the American Institute of Certified Public Accountants (AICPA) in 1887. In 1896, New York 
law provided for the issuance of CPA certificates to those who could pass a qualifying examination. Initially,
experienced practitioners were "grandfathered" in by being granted CPA certificates without having to take
the examination. Eventually, all states passed CPA laws. At first, each state prepared its own CPA
examination, but in 1917 the American Institute of Accountants began preparing a uniform CPA examination
that could be used by all states.

Another early event of note is the 1913 passage of the Sixteenth Amendment legalizing income taxes. [2] One
provision of the law required all companies to maintain adequate accounting records. Thus, even small firms
that did not need accounting for management control purposes suddenly had to have accounting records.

The audits of the late 1800s and early 1900s were largely devoted to the accuracy of bookkeeping detail. In
most cases, all vouchers were examined and all footings verified. Hence, items omitted from the records were
overlooked by the auditors, and the result was an auditing profession that was viewed by outsiders as more
clerical than professional.

This view was to change between 1900 and 1917, because bankers became more important as sources of
financing and because practice began to catch up with the auditing literature. The change in philosophy
mirrored the recommendations in the leading auditing book of the time, which was written by Robert
Montgomery. Bankers were less concerned with clerical accuracy than with balance-sheet quality. Thus, as
bankers became major users of audited financial statements, the objective of the audit became more concerned
with the valuation of assets on the balance sheet.

This new direction culminated in the 1917 issuance of Uniform Accounting, a joint publication of the
American Institute and the Federal Trade Commission, which also had the endorsement of the Federal
Reserve Board. This publication was reissued, with minor changes, in 1918 under the title Approved Methods
for the Preparation of Balance-Sheet Statements. This document was the first formal declaration of generally
accepted accounting principles and auditing standards. It outlined a complete audit program, instructions for
auditing specific account balances, and a standardized audit report. In 1929, another revision included more
emphasis on the income statement and internal controls. Still another revision in 1936 placed equal emphasis
on the balance sheet and income statement. The 1917 document and its revisions became the bible of the
auditing profession for more than two decades.

The recent history of external auditing is more events-oriented. In other words, little has occurred in recent
years that was not brought about by some catastrophic event such as a lawsuit, financial disaster, or a major
fraud case. One of the earliest important auditing cases was that of Ultramares Corporation v. Touche, Niven
& Company (1931). Ultramares had loaned money to Fred Stern and Company in 1924 on the basis of
financial statements prepared by Touche. On those statements, accounts receivable had been overstated.
Subsequently, in 1925, Fred Stern and Company filed for bankruptcy. A lower court found Touche guilty of
negligence, but the firm was declared not liable to Ultramares because there was no privity of contract
between the auditor and Ultramares. The New York Court of Appeals agreed that third parties could not hold
an auditor liable for ordinary negligence, only for fraud. However, gross negligence could be construed as
fraud, which opened up the auditor to lawsuits even though there was no way of knowing who was going to
rely on the misleading financial statements. Thus, the auditor became subject to almost infinite third-party
liability. This liability was further expanded at the federal level in the securities acts of 1933 and 1934.

By the time of the 1929 stock market crash, external auditing had become a somewhat standardized
profession, but not a particularly large profession. Since bankers were the primary users of financial
statements, the only companies needing audits were those that depended on banks for capital. Companies that
depended on stockholder financing were not required to have audits. Consequently, even companies listed on
the New York Stock Exchange often did not issue audited financial statements. That was to change because of 
Ivar Kreuger—one of the greatest swindlers the world has ever seen.

The most widely held securities in the United States—and the world—during the 1920s were the stocks and
bonds of Kreuger & Toll, Inc., a Swedish match conglomerate. The company was founded and headed by Ivar
Kreuger, supposedly the richest man in the world. Kreuger's securities were popular because they sold in
small denominations and paid high dividends and interest (often 20% annually). Financial reporting as we
know it today was in its infancy; stockholders based their investment decisions solely on dividend payments.
Kreuger's dividends were paid, however, out of capital, not profits. Kreuger was essentially operating a giant
pyramid scheme, which was hidden from the investing public by Kreuger's insistence that financial statements
not be audited. He advocated that financial secrecy was paramount to corporate success. In Kreuger's defense,
some amount of secrecy was needed because he was often dealing with foreign kings and dictators about
government monopolies and taxes on wooden matches. Subsequently, it was discovered that many of his
companies' assets were in the form of intangible monopolies.

The stock market crash of 1929 made it more difficult for Kreuger to sell new securities to fuel his pyramid
scheme. Thus, he committed suicide in March 1932. Within three weeks, his companies were in bankruptcy as
it became apparent that there were few assets to support the unaudited financial statements that had been
issued over the years. The bankruptcy was the largest on record up to that time and resulted in numerous
changes in financial reporting.

Newspaper articles kept U.S. citizens aware of the extent of Kreuger's fraud at the same time that Congress
was considering passage of the federal securities laws. Thus, the timing of the bankruptcy and the
corresponding media coverage made it politically expedient to pass laws that would make similar schemes
difficult in the future. A single event, the corruption of Ivar Kreuger, had shaken investors' confidence and
provided the media event of the decade.
As a result, the Securities Act of 1933 was passed, and the New York Stock Exchange issued rules mandating
audits of listed companies. Even a movement toward uniformity in accounting principles can be laid at the
feet of Kreuger. Auditors thus owe much of their livelihood to the fraud perpetrated by Ivar Kreuger. In fact,
some might say that because of the resulting improvements to financial reporting, Kreuger did more good than
harm for the financial community. A person of his ilk was needed to show the world that auditors are
necessary and can make a contribution to a regulated securities market.

The 1936 version of the American Institute's 1917 joint pronouncement with the Federal Trade Commission
on auditing standards suggested that auditors might want to observe inventories and confirm receivables, but
there was no requirement for these procedures. Many auditors had long opposed observing inventories under
the theory that CPAs were not skilled appraisers and that a statement that they had physically inspected
inventories might be construed as a guarantee of the inventory valuation. This lack of a requirement for
inventory observations and receivable confirmations proved to be an embarrassment to the profession when
the McKesson & Robbins scandal surfaced in 1938. The senior management of McKesson & Robbins had
used a facade of false documents to conceal the fact that $19 million in inventory and receivables were
nonexistent. A Securities and Exchange Commission (SEC) investigation concluded that Price Waterhouse &
Company had adhered to generally accepted auditing procedures as recommended in the 1936 Institute
pronouncement. The auditors had obtained management assurances as to the value of the inventories and had
test-checked the inventories to purchase orders (which were fabricated to conceal the fraud). But the SEC
concluded that although generally accepted procedures had been followed, those procedures were inadequate.

As a result, in 1939 the American Institute issued Statement on Auditing Procedure (SAP) No. 1 that required
auditors to observe inventories and confirm receivables. The McKesson & Robbins case was a turning point
in auditing history. No longer was the auditor responsible only for auditing the accounts of management;
responsibility was extended to an audit of the business itself. And the profession began to issue promulgated
statements and standards related to the specific procedures and standards of audits.

Other cases have influenced auditors in recent years, but none to the extent of the frauds associated with
Ultramares, Kreuger, and McKesson & Robbins. Continental Vending Machine Corporation (1968) was
unusual in that it marked the first instance of an external auditor being criminally convicted for fraud. The
overriding conclusion of all of this activity is that the (external) auditing profession has long been reactive
rather than proactive. On the whole, the recent history of auditing has been centered on reacting to adverse
events affecting the profession.

[1] Special thanks to Dr. Dale Flesher for the use of his article, "A History of Accounting and Auditing Before
EDP," The EDP Auditor Journal, Vol. III, 1993, pp. 38–47. Most of this section came from this article.

[2] Interestingly enough, a similar law was passed during the Civil War but was later ruled to be
unconstitutional by the U.S. Supreme Court.

1.3 History of Internal Auditing

Some types of internal audits date back thousands of years. As mentioned earlier, the Greeks, Romans, and
Egyptians were conducting audits before the birth of Christ. Interestingly, the scope of these early audits was
in many ways akin to that of modern internal audits; both included an examination of the correctness of 
accounting records and an evaluation of the propriety of activities reflected in the accounts. Emphasis was on
improving management control over the activities of the organization. Such broad emphasis was not to
reappear on a wide scale until after World War II. [3]


In the United States, there was little need for internal auditing in the colonial period because there was little in
the way of large industry. In fact, accounting textbooks of the period never referred to the subjects of internal
auditing or internal control. In government, however, the need for an audit function was recognized. The first
U.S. Congress in 1789 approved an act that included a provision for the appointment of a secretary of the
treasury, a comptroller, and an auditor. The auditor's job, basically a clerical function, was to receive all
public accounts, examine them, and certify the balances.

Despite the aforementioned early references, railroad companies are usually credited with being the first
modern employers of internal auditors. It was during the latter part of the nineteenth century that these first
real internal auditors became commonplace. The title applied to these employees was traveling auditors, and
their duty was to visit the railroads' ticket agents and determine that all the accounting for all monies was
properly handled.

Other early industries to use internal auditors included the large Krupp Company in Germany. Krupp
apparently employed some type of internal audit staff at least as early as 1875 since there is a company audit
manual dated January 17, 1875, which includes the following provisions:

• The auditors are to determine whether laws, contracts, policies and procedures have been properly
observed and if all business transactions were conducted in accordance with established policies and
with success. In this connection, the auditors are to make suggestions for the improvement of existing
facilities and procedures, criticisms of contracts with suggestions for improvement, etc.

Although the roots of internal auditing do date back into the nineteenth century, real expansion did not occur
until the early part of the twentieth century with the growth of the large corporate form of business. The major
factor in the emergence of internal auditing was the extended span of control faced by management in
business employing thousands of people and conducting operations in many locations. Defalcations and
improperly maintained accounting records were major problems, and the growth in the volume of transactions
resulted in a substantial bill for public accounting services for the organization that tried to maintain control
by continuing the traditional form of audit by the public accountant.

The objectives of early internal auditors were primarily built around the protection of assets. The National
Industrial Conference Board's study of internal auditing explained the early motives as follows:

• Protection of company assets and detection of fraud were the principal objectives. Consequently, the
auditors concentrated most of their attention on examinations of financial records and on the
verification of assets that were most easily misappropriated. A popular idea among management
people a generation ago was that the main purpose of an auditing program was to serve as a
psychological deterrent against wrongdoing by other employees.

That same study recognized the internal auditor of yesteryear did not perform the same duties as the
modern-day internal auditor. In addition, there was no need for the pioneer internal auditor to perform all of 
the functions that are handled by today's internal auditors.

• In less complicated times, of course, management frequently maintained control over company
operations by personal supervision. There were not so many levels of authority separating policy
makers from production workers, and demands on senior executives' time were neither so numerous
nor so urgent.

Prior to 1941, internal auditing (IA) was essentially a clerical function with no organization and no standards
of conduct. Because of the nature of accounting record keeping at the time (i.e., manual), auditors were
needed to check the records after they were created for accuracy—for errors in postings or footings. Auditors
were also concerned with the possibility of fraud. Thus, the internal auditor was a verifier, or a "cop," to
protect organizational assets.


The old concept of internal auditing can be compared to a form of insurance: The major objective was to
discover fraud more quickly than it could be discovered by a public accountant during an annual audit. That
is, the internal auditor was performing a function similar to a police officer or detective. The modern concept
of internal auditing is that of an arm of management. Today, internal auditors are an integral link in the
management process and are just as concerned with waste and inefficiency as with fraud. Part of the
development probably can be attributed to the change in technology. As accounting became mechanized and
computerized, records became subject to automatic checking procedures. Thus, the need to check every
transaction declined, giving internal auditors time to reach beyond the historical clerical limits.

The year 1941 marked a turning point in the development of internal auditing as two significant events
occurred. One of those events was the publication of the first major book on the subject—Victor Z. Brink's
Internal Auditing. Also in 1941, 24 individuals joined together to form The Institute of Internal Auditors
(IIA).

During the 1940s, internal auditors began to expand their audits to encompass more than the traditional
financial audit. The shift to a war economy in the early 1940s was the primary cause for the expansion of 
internal audit scope. Management became more concerned with production scheduling, shortages of materials
and laborers, and compliance with regulations. Also, cost reporting became more important than external
reporting. As a result, internal auditors began directing their efforts toward assisting management in whatever
way possible. Following the war, the benefit of the auditor's assistance was so obvious to management that
there was no consideration of reducing the auditor's scope to prewar levels.

The term operations or operational auditing was adopted to describe the expanded activity. In March 1948,
Arthur H. Kent's work, "Audits of Operations," published in The Internal Auditor, was the first article to
describe the expanded-scope audit. In that piece, Kent made frequent mention of an operations audit. Other
authors had discussed the subject, but had referred to non-accounting matters, instead of operational subjects.
The first technical paper to use the phrase operational auditing in the title was published in The Internal
Auditor in June 1954 and written by Frederic E. Mints.

By the mid-1950s, others were using the term in speeches, articles, and technical publications. At about the
same time, accounting became more mechanized and computerized, and records became subject to automatic
checking procedures once performed by internal auditors. That trend was reflected in the 1957 Statement of
Responsibilities of Internal Auditing, published by the IIA.

The growth in the internal auditor's scope of responsibility can be observed through a comparison of the 1947
Statement of Responsibilities of the Internal Auditor and the 1957 revision of the same document. The 1947
version stated that internal auditing dealt primarily with accounting and financial matters but may also
properly deal with matters of an operational nature. That emphasis was to change in just one decade. The IIA
described the broad role of internal auditing with its 1957 Statement of Responsibilities of the Internal
Auditor. Whereas the 1947 Statement said that an auditor might also deal with operating matters, the 1957
Statement stated that the auditor should be concerned with any phase of business activity. The 1957 Statement
included these internal auditor (IA) duties:

• Reviewing and appraising the soundness, adequacy, and application of accounting, financial, and
operating controls
• Ascertaining the extent of compliance with established policies, plans, and procedures
• Ascertaining the extent to which organizational assets are accounted for, and safeguarded from, losses
of all kinds
• Ascertaining the reliability of accounting and other data developed within the organization
• Appraising the quality of performance in carrying out assigned responsibilities

As previously mentioned, there were two significant events in 1941—the publication of the first major book 
on internal auditing and the founding of the IIA. Interestingly, the latter event was related to the former.
Victor Z. Brink's doctoral dissertation was published in January 1941 by Ronald Press. At the same time, John
B. Thurston, internal auditor for the North American Company in New York, had been contemplating
establishing an organization for internal auditors. Thurston and Robert B. Milne had served together on an
internal auditing subcommittee formed jointly by the Edison Electric Institute and the American Gas
Association. These two had decided that further progress in bringing internal auditing to its proper level of 
recognition would be difficult in the two organizations. Instead, what was needed was an independent
organization for internal auditors. When Brink's book came to the attention of Thurston, the two men got
together and found they had a mutual interest in furthering the role of internal auditing.

Only 11 members were present at the first annual meeting of the IIA. Thurston was elected as its first
president. Membership grew quickly. The original 24 increased to 104 by the end of the first year, to 1,018 at
the end of five years, and to 3,700 by 1957, with 20% of the latter figure located outside the United States.

The new group was quick to begin its activities to further the development of its members. A director of
research approved in January 1942 the first book published under the IIA auspices, and it was issued in March
1943. A journal, The Internal Auditor, was begun in September 1944. Membership was divided into local
chapters beginning in December 1942, when the New York chapter was formed. The Detroit, Chicago, Los
Angeles, and Philadelphia chapters followed in 1943. Additional chapters were formed the following year in
Dayton, Cleveland, and Toronto, the first outside the United States. By the end of 1947, 19 chapters operated
throughout North America. The first chapters outside North America were formed in London and Manila in
1948 to begin the trend toward true internationalization.

Other developments would further focus IA on operational audits. In 1963, the National Industrial Conference
Board studied 177 organizations' objectives for their internal auditing programs. The Board concluded with
five primary objectives:

1. Determine the adequacy of the system of internal control
2. Investigate compliance with organizational policies and procedures
3. Verify the existence of assets, ensure that proper safeguards for assets are maintained, and prevent or
discover fraud
4. Check on the reliability of the accounting and reporting system
5. Report findings to management and recommend corrective action where necessary

In 1975, the IIA found that 95% of all respondents to a survey conducted operational audits for purposes of
judging efficiency, effectiveness, and economy. The same study found that 51% of the total audit time was
spent on operational auditing activities. Thus the shift from financial to operational had become profound and
permanent. The modern work of the internal auditor had become auditing for efficiency and effectiveness
more than financial propriety. The internal auditor had also become an integral part of the management team.
Another dramatic change in the IA function in the United States occurred in 1987 with the Treadway
Commission report. The Commission was organized by five accounting organizations—IIA, AICPA,
American Accounting Association (AAA), Institute of Management Accountants (IMA), and Financial
Executives International (FEI)—known as the Committee of Sponsoring Organizations (COSO). The
commission was formed to study the cause of fraudulent financial reporting. The committee concluded: (1) an
internal audit function should exist in every public corporation, and (2) there should be a corporate audit
committee composed of non-management directors of the corporation. These conclusions not only enhanced
the IA profession but also brought fraud to the forefront of IA functions, as it had been before 1941.

Also in the 1990s, one trend caused a change in the way the IA function was carried out. Outsourcing became
a popular way for organizations to employ the IA function. The role of the IA function was served by public
accounting and other providers. The IIA Standards and Statement have evolved further and now have risk
assessment as their cornerstone.


The internal auditing function has undergone significant changes in the last century. The main objective of the
IA function has moved from that of fraud detection to assisting management in making decisions beginning
with a risk assessment. The IA staff of today is considered a good training ground for management-level
personnel, but many organizations have outsourced the entire IA function.

[3] Some of the material from this section was taken from The Institute of Internal Auditors: 50 Years of
Progress, by Dale L. Flesher, IIA. Copyright 1991 by The Institute of Internal Auditors, Inc., 247 Maitland
Avenue, Altamonte Springs, FL 32701-4201. Reprinted with permission.

1.4 Auditing Government Agencies

Various governmental audit agencies throughout the world have played a role in the movement toward the
modernization of internal audit procedures. In the United States, the General Accounting Office (GAO) has
played a major part in broadening the role of the auditor. The GAO's publication, Standards for Audit of 
Governmental Organizations, Programs, Activities and Functions (commonly called the "Yellow Book"
because of the color of its cover) explains the metamorphosis in the following manner:

• This demand for information has widened the scope of governmental auditing so that such auditing no
longer is a function concerned primarily with financial operations. Instead, governmental auditing
now is also concerned with whether governmental organizations are achieving the purposes for which
programs are authorized and funds are made available, are doing so economically and efficiently,
and are complying with applicable laws and regulations.

Basically, the recommended standards encompass those standards that have been adopted by the AICPA for
use in audits to express an opinion on the fairness of financial statements. Governmental audits, however, go a
step beyond those standards that are applicable to audits of financial statements. The scope of a governmental
audit (e.g., an audit of or for a government agency) is composed of three elements:

1. Financial compliance,
2. Economy and efficiency, and
3. Program results.

The typical definition of a financial audit would not include elements 2 and 3. These are operational auditing
techniques.

1.5 History of Information Systems Auditing

The technology revolution in accounting and auditing began in the summer of 1954 with the first operational
business computer. Information technology (IT) changed the way accounting data was stored, retrieved, and
handled. These new systems led to radically different audit trails, if one at all. The revolution became a
dynamic evolution as the computer industry sustained continuous, rapid technical innovations.

In addition to the introduction of computers to the business world, other IT-related events have also had a
profound effect on the auditing profession and the way audits are conducted. These events included: (1) the
commercialization of computers; (2) the introduction of AUDI-TAPE; (3) the Equity Funding scandal; (4) the
emergence of Information Systems Audit and Control Association (ISACA); (5) the Systems, Auditability,
and Control (SAC) studies by the Institute of Internal Auditors (IIA); and (6) constant emerging technologies.

Information technology affected, and continues to affect, auditing. It became necessary to add new standards,
affecting the body of auditing standards. The audit process itself has become different from traditional audits
prior to 1954 (e.g., audit tools and techniques). It was possible for an auditor to retire in the 1950s having used
similar audit programs throughout one's career. That will never happen again! The effects of IT on auditing
have culminated in a set of knowledge, skills, and standards necessary to conduct the contemporary audit that
were nonexistent in 1954.

a. Birth of Information Systems Auditing


The introduction of computer technology into accounting systems disrupted the routine auditors had been able
to establish to properly audit accounting systems. General Electric is attributed with the first operational
electronic accounting system, a UNIVAC computer, in the summer of 1954. Because of the new knowledge
necessary to understand computers and electronic data processing (EDP), the auditing profession struggled to
develop a new set of tools, techniques, and systems knowledge—and the training and standards to accompany
them.

A seminal event occurred very early in the history of business computers. This notable example of early
innovation was an article, "Using a Computer to Reconcile Inventory Counts to Books," published in N.A.C.A.
Bulletin (National Association of Cost Accountants) in June 1956. In the article, the author, Frank Howell,
member of the Auditor General's staff for the United States Air Force (USAF) in Washington, D.C., described
how an organization used the computer to reconcile inventory counts to books. The computer was
programmed to print out major differences between counts and inventory records while automatically
adjusting the books to the count for minor differences. The program even evaluated the effectiveness of 
inventory operations in various departments and determined which supervisors were doing the best job of 
counting inventory. Taking into account the length of publication cycles, this technique was being used as
early as 1955, that is, at the beginning of IT history. Some nascent articles and discussions deliberated the
possibility of using information technology (i.e., the computer) as an audit tool, but Howell at the USAF was
actually using technology as an audit tool. At the time, this idea was radical and innovative. Thus, one early
effect of information technology was to provide the very tools auditors would need to adequately audit
accounting data. This effect became perpetual as future technologies would also be used as tools in audits of 
EDP systems.
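The reconciliation Howell described (flag major count-to-book differences, book the minor ones automatically, and rate departments by counting accuracy) is essentially the first generalized audit routine. The following Python is an added illustration written for this edition, not Howell's 1956 program: the records, the tolerance (5 units or 5% of book quantity) and the supervisor scoring rule are assumptions. One addition a modern auditor would insist on is that every automatic adjustment is logged, so the program's own changes to the books leave an audit trail.

```python
"""Count-to-book inventory reconciliation of the kind described above.

Added illustration, not Howell's 1956 program. The records, the tolerance
(5 units or 5% of book quantity) and the accuracy score used to rank
supervisors are all assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CountRecord:
    sku: str
    department: str
    supervisor: str
    book_qty: int      # quantity per the perpetual inventory records
    counted_qty: int   # quantity found by the physical count


# Constructed sample records (not real inventory data).
SAMPLE = [
    CountRecord("A100", "D01", "Jones", 100, 99),
    CountRecord("A101", "D01", "Jones", 250, 250),
    CountRecord("A102", "D01", "Jones", 40, 41),
    CountRecord("B200", "D02", "Smith", 500, 350),
    CountRecord("B201", "D02", "Smith", 80, 80),
    CountRecord("B202", "D02", "Smith", 20, 32),
]

MINOR_UNITS = 5     # assumed absolute tolerance
MINOR_PCT = 0.05    # assumed relative tolerance


def is_minor(rec, minor_units=MINOR_UNITS, minor_pct=MINOR_PCT):
    """A difference is minor if it is within the absolute OR the relative tolerance."""
    diff = abs(rec.counted_qty - rec.book_qty)
    return diff <= minor_units or diff <= minor_pct * rec.book_qty


def reconcile(records, minor_units=MINOR_UNITS, minor_pct=MINOR_PCT):
    """Return (adjusted_books, exceptions, adjustment_log).

    Minor differences are booked to the counted quantity automatically, but
    every automatic adjustment is logged so the auditor keeps a trail of what
    the program changed. Major differences are left unadjusted and reported
    as exceptions for follow-up.
    """
    books, exceptions, log = {}, [], []
    for rec in records:
        diff = rec.counted_qty - rec.book_qty
        if is_minor(rec, minor_units, minor_pct):
            books[rec.sku] = rec.counted_qty
            if diff != 0:
                log.append((rec.sku, rec.book_qty, rec.counted_qty))
        else:
            books[rec.sku] = rec.book_qty
            exceptions.append((rec.sku, rec.department, rec.supervisor,
                               rec.book_qty, rec.counted_qty, diff))
    return books, exceptions, log


def accuracy_by_supervisor(records):
    """Share of book quantity counted exactly, per supervisor (1.0 = perfect).

    This is the assumed scoring rule for the example, not one from the article.
    """
    abs_diff, book_total = defaultdict(int), defaultdict(int)
    for rec in records:
        abs_diff[rec.supervisor] += abs(rec.counted_qty - rec.book_qty)
        book_total[rec.supervisor] += rec.book_qty
    return {s: 1.0 - abs_diff[s] / book_total[s]
            for s in book_total if book_total[s] > 0}


def rank_supervisors(records):
    """Supervisors ordered from most to least accurate counting."""
    scores = accuracy_by_supervisor(records)
    return sorted(scores, key=scores.get, reverse=True)


if __name__ == "__main__":
    books, exceptions, log = reconcile(SAMPLE)
    for e in exceptions:
        print("MAJOR DIFFERENCE", e)
    for a in log:
        print("auto-adjusted", a)
    print("ranking:", rank_supervisors(SAMPLE))
```

Running the block on the constructed records reports the two major differences in department D02 for follow-up, silently books the two one-unit differences in D01 while logging them, and ranks Jones ahead of Smith.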

Not all creative tools and techniques were delivered using emerging technologies. As early as 1961, the U.S.
Air Force adapted traditional separation of duties between programmers, systems designers, and keypunch
operators. Other traditional auditing principles would be similarly altered to accommodate the effects of IT on
auditing.

In the beginning, IT itself provided an inherent protection. From 1955 to the mid-1960s, the computer world
included only mainframes. During this time, few people had the knowledge and expertise to program a
computer. This situation prevented most accountants from preparing programs to audit through the system. It
also provided its own form of security, because few people knew enough to violate the systems.

b. Commercialization of Computers
Beginning in 1963, the escalation of computer usage in accounting systems caused auditors to think about
how they were going to deal with this new technology. Several organizations had begun to manufacture
computers to be used in business during the late 1950s and early 1960s. Some manufacturers, such as Singer
and General Electric, soon exited the computer market. Others, such as Burroughs and IBM, became major
suppliers of business computers. Up until then, all of the computers were mainframes. The cost of these
machines made it prohibitive for most companies to purchase one.

The use of computers in accounting began to escalate in 1963 with the introduction of a new, lower-cost
computer by IBM—the IBM 360. The plan at IBM was to introduce smaller machines at more affordable
costs to businesses. The IBM 360 accomplished this objective, and a rapid increase in sales of commercial-use
computers ensued. This increase in computer sales was instrumental in creating a greater need for EDP
auditing concepts in businesses and a need for auditors skilled and knowledgeable about EDP. And the spiral
of better IT, cheaper IT, and smaller-size IT was off and running.

c. AUDITAPE: Breakthrough for Information Systems Auditors


From the beginning, external auditors had a difficult time in auditing through the computer. First, the majority
of auditors audited around the computer ignoring, for the most part, the effect of EDP on the audit. In the
1960s, those auditors who audited through the system had to rely on expensive, time-consuming, and
continuously changing custom audit programs. For example, Keagle Davis undertook a study at Touche Ross
that showed that their programmers had written 150 to 250 customized audit programs in 1967 alone. While
75% of these were effective, 80% required major programming changes the next year because of changes in
the computer system or changes in audit needs.

Meanwhile, the number and variety of financial accounting systems and clients with computers greatly
increased in the last half of the 1960s. The need for skills required to handle the audit of computerized data
significantly increased beyond those of an EDP technician. Together, these needs drove the development of 
generalized audit software (GAS).

A series of events and projects at Haskins & Sells (H&S) led to the initial GAS package. In the late 1950s,
Kenneth Stringer began to develop a statistical sampling plan. In 1962, H&S formally adopted the plan,
Probability Proportional to Size Sampling (PPS). PPS was a precursor to AUDITAPE, but it was not the only
motivation, or even the primary motivation, in developing AUDITAPE. Stringer and the management at H&S
were also motivated by the fact that the more clients computerized their accounting, the more dependent
auditors would become on computer expertise. The growth of computerized accounting systems would create
an environment in which auditors would be unable to perform the audit steps once done manually. That is,
access to data was gradually slipping away from auditors.

The introduction of AUDITAPE in October 1967 by Haskins & Sells at the American Accounting Association
(AAA) annual meeting in Portland, Oregon, was a key event for external auditors in particular (at that time),
and internal auditors (later). Practitioners were excited when they saw the potential of AUDITAPE because
external auditors who were not highly technical could now run the computer and use it as an audit tool. Very
few auditors had yet acquired a high level of technical skills in 1967.

As a direct response to the introduction of AUDITAPE, several GAS packages were developed from 1968 to
the early 1970s. Every Big Eight public accounting firm developed its own proprietary GAS package during
this time. Independent organizations, such as Computer Audit Systems, Inc. (Joseph Wasserman, CARS
software) and, in the late 1970s, P.J. Corum (later Pansophic, Panaudit software), also developed GAS
packages.

The development and use of GAS was a breakthrough in audit tools. In 1967, very few audit tools existed, and
there was a meager use of the tools that did exist. AUDITAPE was the impetus that led to the development
and use of audit tools, specifically GAS, in EDP audits. AUDITAPE also affected other aspects of auditing.
Although statistical sampling preceded AUDITAPE by several years, AUDITAPE affected the use of 
statistical sampling as much as it affected anything. Thus, AUDITAPE was born from a need to audit through
the computers (information technology) in a simple, efficient, and effective manner. Information technology's
effect on access to data by external auditors (i.e., difficult to examine) drove the need for better audit tools. To
this day, GAS is perhaps the most valuable tool an auditor has to audit data embedded in IT.

The AICPA added its contribution to EDP audits, even though it was without official standards or guidance.
In 1968, Robert Trueblood of Touche Ross, president of the AICPA, pursued the theme of computers in
accounting during his term. Trueblood used his influence to have the AICPA hire Gordon Davis to both assist
CPAs in the use of computers and codify EDP auditing. Dr. Davis, a professor at the University of Minnesota,
accepted the responsibility and took a leave of absence to be de facto chairman of the committee appointed by
the AICPA. Each of the Big Eight firms was invited by the AICPA to participate on the committee in the
development of this project, and seven firms provided representatives. The major result of the project was a
book entitled Auditing & EDP. This popular book went through many printings and a revision in 1983. It
included examples of how to document an EDP audit and a sample questionnaire for processing internal
control review.

The Auditing & EDP project led to several changes in the auditing profession. Although the book itself did
not present the official position of the AICPA (i.e., it was not promulgated standards), it did present a number
of audit and control concepts and procedures as an unofficial document. Perhaps the most important chapter
was one dedicated to explaining when and how to audit around the computer. In the 1960s, auditors could
officially audit input and output and still be in compliance with AICPA standards. If auditors did choose to
audit around the computer, the chapter recommended that an evaluation of internal control be made to both
review and test the system. Auditors could not simply ignore the presence of EDP in the accounting system.
This recommendation was essentially the context of Statement on Auditing Standards (SAS) No. 3: The
Effects of EDP on the Auditor's Study and Evaluation of Internal Control, promulgated six years later in
December 1974.

Another result of the Auditing and EDP Task Force was the establishment of a permanent EDP auditing
committee within the AICPA. The committee's efforts eventually led to the issuance of several audit guides
and SAS No. 3.

d. Equity Funding Scandal: Abuse of Information Technology


Oddly enough, the abuse of information technology—to falsify accounting data and hide a fraud—was one of 
information technology's most significant influences on auditing. The Equity Funding financial fraud scandal
jolted both the accounting profession and management—including audit management—from a stodgy,
traditional audit ideology. Managers who believed that the computer was a black box and it did not really
matter what went on inside began to change their minds. Audit managers who believed the computer was a
fad or a fancy calculator began to take more seriously the implications of using EDP in accounting. The
atmosphere, in general, was ripe for change.

Managers at Equity Funding Corporation of America used a series of frauds beginning in 1964 to show false
profits, thus increasing the company's stock price. The primary fraud was the use of phony insurance policies.
Equity Funding used several tactics to perpetrate the fraud. One was to use different external auditors in order
to confound the audit process and prevent detection of the fraud. The company used another deceptive tactic
during confirmation of receivables. When the external auditing firm tried to confirm receivables (policies) by
phone, the Equity Funding switchboard operator simply patched them through to Equity Funding employees
in the building. That is, EF employees were in on the fraud and actually provided external auditors with false
information. The most amazing fact of the case is that it went undetected for so long. Many people inside the
company knew about the fraud, and yet the fraud was a better-kept secret than some of our military secrets of 
the time. The fraud was exposed when a disgruntled ex-employee blew the whistle. In March 1973, the SEC
suspended trading of Equity Funding stock.

The subsequent audit by Touche Ross was definitely not traditional. First, the auditors were trying to prove
that the insurance policies did not exist. Second, it was a fraud audit, not a financial audit. Touche Ross
auditors used the opportunity to apply a variety of new techniques to satisfy audit requirements in terms of 
information and how the system reports and files data. The audit took two years to complete. Touche Ross
found about $2 billion of phony insurance policies—two-thirds of the policies Equity Funding claimed to
have in force.

For the most part, the external auditors before Touche Ross failed to follow up on numerous clues that
indicated something was wrong. The use of audit software could have detected the fact that the policy file was
fraudulent. For example, all bogus policies were coded to department "99." The auditors also did not review
system flowcharts or program code but treated the computer as a black box. Not only did the external auditors
overlook the clues, but the SEC could be accused of the same thing. An SEC staff member wrote memos 15
months prior to Equity Funding's collapse reporting rumors of irregularities. The SEC, however, dropped the
investigation shortly after receiving the memos.
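The department "99" clue is a textbook case for audit software: a frequency distribution of a coded field, compared against the department master, would have surfaced the bogus policies without reading a line of program code. The following Python is an added illustration for this edition, not the Touche Ross procedures; the CSV layout, the set of valid department codes and the 40% concentration threshold are assumptions, and the policy file is constructed so that one code carries most of the face amount, as the page describes.

```python
"""Audit-software style tests over a constructed policy master file.

Added illustration, not the Touche Ross procedures. The CSV layout, the
valid department codes and the concentration threshold are assumptions;
the data are constructed so that one code carries most of the face amount.
"""
import csv
import io
from collections import defaultdict

# Constructed sample policy master file (not real data).
POLICY_FILE = """policy_id,department,face_amount,annual_premium
P0001,12,50000,600
P0002,14,75000,900
P0003,12,20000,300
P0004,99,100000,1200
P0005,99,100000,1200
P0006,99,150000,1800
P0007,14,30000,400
P0008,99,100000,1200
"""

# Assumed department master: the codes that actually exist in the organization.
VALID_DEPARTMENTS = {"12", "14", "21"}


def parse_policy_file(text):
    """Parse the CSV into dicts with numeric fields converted."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "policy_id": row["policy_id"],
            "department": row["department"].strip(),
            "face_amount": int(row["face_amount"]),
            "annual_premium": int(row["annual_premium"]),
        })
    return rows


def department_profile(policies):
    """Frequency distribution: policy count and total face amount per department code."""
    profile = defaultdict(lambda: {"count": 0, "face_amount": 0})
    for p in policies:
        profile[p["department"]]["count"] += 1
        profile[p["department"]]["face_amount"] += p["face_amount"]
    return dict(profile)


def flag_unknown_departments(policies, valid=VALID_DEPARTMENTS):
    """Policies whose department code does not appear in the department master."""
    return sorted(p["policy_id"] for p in policies if p["department"] not in valid)


def concentrated_departments(policies, max_share=0.40):
    """Department codes carrying more than max_share of total face amount."""
    profile = department_profile(policies)
    total = sum(d["face_amount"] for d in profile.values())
    if total == 0:
        return []
    return sorted(code for code, d in profile.items()
                  if d["face_amount"] / total > max_share)


def run_tests(text=POLICY_FILE, valid=VALID_DEPARTMENTS, max_share=0.40):
    """Run both tests and return the exceptions for the auditor's work papers."""
    policies = parse_policy_file(text)
    return {
        "unknown_department": flag_unknown_departments(policies, valid),
        "concentrated": concentrated_departments(policies, max_share),
    }


if __name__ == "__main__":
    for test, hits in run_tests().items():
        print(f"{test}: {hits}")
```

Both tests are deliberately independent: the master-file comparison catches a code that should not exist at all, while the concentration test catches a code that is valid but carries an implausible share of the portfolio, which is the more general pattern an auditor would look for.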

The popular press treated the fraud as a computer fraud, but it really was not—it was a management fraud.
Still, the fact is that Equity Funding management probably could not have perpetrated the fraud without the
use of computers. The public's perception of the part that the computer played in the fraud caused a new wave
of interest in audit procedures where computers were a component of the accounting system. The prevailing
belief at this time was that traditional audits (those that audited around the computer) were sufficient to detect
the existence of material and significant frauds, such as the Equity Funding fraud. Others, primarily EDP
auditors, had espoused the need for auditing through the computer. These people were now receiving attention
from accountants, auditors, and management.

This financial fraud affected a wide range of constituencies. These included insurance regulators, bank 
regulators, postal inspectors, the FBI, and the U.S. Attorney's office. At least 12 different federal and state
agencies were involved in the aftermath of exposure of the scandal. Equity Funding did more for the rise of 
EDP auditing (i.e., more EDP auditor jobs) than any other single event. For example, Harold Weiss was
credited with providing the only major EDP auditing training during the late 1960s and early 1970s. He said
that his activity increased so significantly after Equity Funding that he had trouble filling all of the requests.
He also said most of the managers that had previously told him "no" to his requests of EDP audits or the use
of EDP audit techniques were now calling and asking for his help to institute computer controls and EDP
audit techniques.

The Equity Funding scandal had a domino effect in the auditing community. The attitude of isolating the
computer system from the EDP auditors, held by some corporate management, changed after Equity Funding.
In addition, auditing procedures were being challenged; some of the customary policies and procedures that
had been acceptable began to be questioned. Equity Funding highlighted the need for audit standards that
apply directly to EDP auditing (these were non-existent at the time). Security became an increasingly
significant issue for all auditors—up until Equity Funding, auditors were absorbed with accounting-related
issues in EDP.

Auditing literature was also affected. An analysis of citations prior to 1973 shows an insignificant amount of
research and publications on EDP auditing issues by such organizations as the AICPA, Big Eight firms, and
IIA. From 1955 through 1970 (16 years), the AICPA published only 21 articles, two chapters in a book, and
Auditing & EDP, according to Accountants' Index published by the American Institute of Accountants. The
IIA published 10 articles and no books in the same period. State societies published 25 articles. None of these
institutions averaged two articles per year. The more active Big Eight published about 40 articles (some
overlap with the AICPA publications in The Journal of Accountancy and state society publications).

Between 1973 and 1977, however, numerous activities followed Equity Funding: publications, standards,
research, and seminars. Even IBM changed; management at IBM decided to make a substantive effort to
change the image of the computer from a villain to a hero. A comparison of the EDP auditing profession prior
to 1973 and immediately thereafter leads to the conclusion that the Equity Funding scandal was the single
most important event in EDP audit history.

e. Systems, Auditability, and Control Research Study—Institute of Internal Auditors

By 1973, IBM had established a close working relationship with the public accounting community. In 1965,
IBM helped establish a users group, Accountant Computer Users Technical Exchange (ACUTE), in New
York City. After Equity Funding, IBM established a liaison position to cooperate with the public accounting
community.

As a result of these relationships, IBM instituted auditability and security programs for its computers and for
auditors, a two-way communication line intended to benefit both parties. For example, every IBM computer
had a technical guide on the security and auditability features of that particular computer. Auditors benefited
from these guides when conducting their audits. Also, IBM invited accountants to training, even if they did
not own an IBM computer (IBM normally required training attendees to be owners of IBM equipment). While
other computer manufacturers were offering only technically oriented training, IBM offered training that was
less technical, and thus more useful to accountants. In return, feedback from auditors led to improvements in
the security and auditability features of IBM computers, and the referrals from accountants led to sales.
Auditors were assisting IBM, to some degree, in becoming the leading manufacturer of computers.

Members of the IIA staff had been planning a large-scale research project into information systems and
auditing called Systems, Auditability, and Control (SAC). In 1973, the IIA formally approached the IBM
liaison, Sam Albert, about the possibility of IBM's financial support for the SAC research. Albert eagerly
agreed to pursue possible financial support from IBM and was able to convince IBM management to invest in
the project. Albert unilaterally decided it was in the best interests of IBM to be the sole sponsor of the project,
and he secured a financial commitment of $500,000 from IBM.

In 1975, no entity had been able to define EDP auditing precisely and communicate that definition nationally.
State-of-the-art tools, techniques, and procedures also suffered from a lack of exposure and codification. The
SAC study had the ambitious goal of making a definitive evaluation of EDP auditing. In 1977, SAC was
published. Through this effort, SAC managed to define EDP auditing by prescribing how to approach it. In
addition, SAC codified tools and techniques into a benchmark or standard; that is, SAC established what
effective EDP audit shops were doing, especially best practices.
Others believed SAC legitimized the need for an EDP auditing staff and function. SAC's contributions made
an impact, moving EDP auditing forward significantly.

SAC was a landmark study in changing the audit profession and controlling computer systems. The IIA and
IBM gave away hundreds and thousands of copies for free. The prestige of IBM, the notoriety of the
individual members of the Advisory Committee, and the IIA lent credibility to SAC. At least up until the
mid-1980s, SAC was probably the most widely publicized, read, accepted, and applied publication that
encapsulated a comprehensive set of principles for EDP auditing. SAC has been updated several times since
its initial publication (in 1991, 1994, and eSAC 2001). It is currently referred to as eSAC (Electronic Systems
Assurance and Control), and available online from the IIA.

f. Electronic Data Processing Auditors Association


By the late 1960s, many EDP auditors were ready for an organization dedicated to EDP auditing. At that time,
there was no authoritative source for EDP audits that would provide information, standards, tools, and
techniques. From the efforts of a handful of interested auditors in Southern California, the Electronic Data
Processing Auditors Association (EDPAA) was organized in 1969. Its first conference was held in January
1973, just before the exposure of the Equity Funding scandal, and its first regular publication, The EDP
Auditor, began in May of the same year.

In 1977, the EDPAA's Foundation (EDPAF) published its first edition of Control Objectives, a compilation of
guidelines, procedures, best practices, and standards for conducting EDP audits. It was intended to provide a
normative model for EDP auditors in performing their duties. The publication was revised and updated
frequently in the subsequent years (1980, 1983, 1990, and 1992). Between 1992 and 1996, Control Objectives
underwent a major revision. Since 1996, the document goes by the title CobiT (Control Objectives for
Information and Related Technology). CobiT was revised in 1998 and 2000 (third edition), and is available on
CD-ROM and online. CobiT has become an authoritative, up-to-date, international set of generally accepted
IT control objectives for day-to-day use by business managers, users of IT, and IS auditors.

In June 1978, the EDP Auditors Foundation (EDPAF) introduced its certification program—Certified
Information Systems Auditor (CISA). Because of information technology, some internal and external auditors
wanted a separate certification for auditors of Information Technology; the CISA provided the vehicle. The
first CISA exam was given in 1981 and offered in two languages. In 2002, more than 10,000 candidates
around the world took the CISA exam in their choice of nine languages: English, Dutch, French, German,
Italian, Japanese, Spanish, Chinese, or Korean. The introduction of the CISA certification program brought a
standard for IS auditors that came to be respected throughout the auditing profession. Today, more than
27,000 professionals in dozens of countries have become certified through the CISA program.

By 1984, the international growth of the EDPAA began to accelerate. Many international chapters were
chartered beginning about this time. For example, in 1985, Region 10—encompassing Japan, Hong Kong,
Singapore, Malaysia, India, and the Philippines—was activated. The EDPAA began to translate key
documents into foreign languages. When Control Objectives was translated into Japanese in 1986, it soon
became a best seller—selling more than 10,000 copies. By 1988, the CISA exam and other documents were
also translated into foreign languages. In 1989, the EDPAF issued its 10 worldwide General Standards for IS
Auditing, and its first two worldwide Statements on IS Auditing Standards. In 1991, the EDPAA elected its
first international president living outside North America—Deepak Sarup. The Information Systems Audit and
Control Association (ISACA) has become the only true international professional auditing organization, with
international members, international chapters, and international standards (applicable on an international
scale)—all within a single entity.

In June 1994, the EDPAA formally changed its name to Information Systems Audit and Control Association
(ISACA). Over the years, EDPAA/ISACA has held training seminars, sponsored technical journals, and
assumed sponsorship of Computer Audit, Control and Security conferences (CACS) begun by Harold Weiss
in the 1960s. The activities of EDPAA/ISACA have contributed to the emergence of the large number of IS
auditing experts today.

ISACA is known today for its CobiT project, its services, CISA certification, training, information—topics
such as corporate governance and Global Knowledge Network (Global Information Repository)—and it
continues to publish its technical journal, Information Systems Control Journal. ISACA has more than 26,000
members internationally in more than 100 countries.

g. Emerging Technologies
Technology continued to change at a rapid pace until the introduction of the microcomputer in the late 1970s.
At that time, information technology became portable and distributed, carrying with it new control problems.
While the pioneers did blaze a trail for others to follow (in the mainframe area), all the trails seemed to change
by 1979, and the walls around the data center were no longer secure. In addition, EDP auditing had even
evolved into a separate function in many organizations, or at least a separate position in IA: audit manager/IS
audit.

The breadth of IT also began to compound the knowledge and expertise needed to perform audits and audit
projects. The 1980s saw many new technologies incorporated into accounting systems. Some had been in the
process of developing, but the proliferation of IT in the 1980s and 1990s drove the need for better IS products
as well as new technology. The emerging technologies included microcomputers or personal computers (PCs),
database management systems, electronic data interchange (EDI), bar coding, artificial neural systems (ANS)
or neural networks, expert systems (ES), decision support systems (DSS) and group decision support systems
(GDSS), executive information systems (EIS), online analytical processing (OLAP), enterprise resource
planning (ERP), and—most important of all—the Internet and World Wide Web (WWW). In addition,
changes in telecommunication technologies affected nearly all accounting information systems.

i. Microcomputers and Networks

Microcomputers date back to 1975 with a group of young experts (e.g., Bill Gates) who built the first
microcomputer called the Altair. Several attempts to mass market microcomputers followed from
then-maverick companies such as Apple and Commodore, and traditional companies like Radio Shack. In
1977, Apple introduced its Apple II, followed in 1979 with Radio Shack's TRS-80. Also in 1977, Xerox
developed a microcomputer with a mouse, graphical display, and other "windows"-like features. It was not
until 1979 when VisiCalc (an electronic spreadsheet) hit the market, however, that micros really began to sell.
In the fall of 1981, IBM began to sell its version of the microcomputer—the personal computer (PC).

Early in the 1980s, IS auditors were becoming concerned about the controls in microcomputer systems (e.g.,
spreadsheets used in accounting and financial accounting packages). Microcomputer software advances
(financial accounting) had led to many installations on PCs. The widespread use of PCs dispersed the IS
function within organizations. One result of micros was a loss of control of the security of computing
activities. That is, computer processing, which had once at least been centralized at the mainframe computer
in a single room, was now distributed throughout much of the organization.

Information system auditors quickly determined the need for new tools to audit the data that were resident on
microcomputer systems. Yet the micro also provided IS auditors with the opportunity to develop new tools to
take advantage of the power of micros for audit purposes. This potential led to the birth of the need for
micro-based computer-assisted audit tools (CAATs), a major turning point because these tools enabled IS
auditors to start doing their own micro work, instead of needing an IS expert as a go-between. Thus, the
growth of PC-based CAATs was, in fact, driven by IS auditors. The PC was a greater tool for auditors than for
just spreadsheets and word processing. The automation of work papers and micro-driven analytical tools were
major innovations.

The 1980s also saw the growth of networked PCs. With networks, several applications and numerous users
have access to the same data and resources. During transmission along network lines, data often were exposed
to loss or theft (e.g., sniffers, hackers). Maintaining the security of the users connected to the network and
their physical location (nodes) was also difficult because users could be frequently added or moved on a
network. That is, the network a manager brings up in the morning may not be the same one brought up
yesterday. This volatility creates havoc for the network manager and can be a nightmare for IS auditors—it is
virtually impossible to audit an environment when the environment keeps changing, and doing it so often.

These two developments (PCs and networks) have resulted in information systems that have become more
difficult to audit. Technology continues to change and expand rapidly. Meanwhile, the structure of the
organizational system has drastically changed (exactly where are the data and controls?), and the locus of 
control for data processing continues to expand. However, microcomputers (and CAATs developed for them)
have also provided a powerful tool that IS auditors can use to improve or facilitate the audit process.

ii. Database Management Systems

Use of relational databases grew in the early 1980s. The expanding base of PCs created a new market for
application software, such as databases. Data integrity problems existed because several different applications
(and users) had access to the same information. Databases (and PCs) eliminated much of the traditional
separation of duties that had been established for mainframe systems. Information System auditing had to
address these issues.

The introduction of products such as the dBASE series, Access, FoxBase, and so on, gave end
users the ability to perform tasks previously restricted to the IS group: that is, they could develop their own
applications. With much of IS programming suffering from large backlogs, end users saw a way to achieve
their goals much quicker. Because of this situation, databases were popular with users. This phenomenon
drove end-user computing (EUC). EUC, too, expanded the scope and exposures of information systems, again
leading to changes in IS auditing.

The proliferation of databases as the foundation of Accounting Information Systems (AIS) caused both
problems and a simplification. Systems such as DB2 (from IBM) and Oracle began to dominate the market in
the 1990s. The good news is that if an IS auditor understands database management systems concepts and
technical issues, there is a good chance the organizational data resides within one. The basic concepts among
database systems are fairly common. Also, the two most popular packages dominate IS in the larger
businesses.

iii. Electronic Data Interchange and Electronic Commerce


EDI technology provided users with many benefits in the delivery and production of products and services.
The use of EDI, however, exposes data during telecommunications between the two systems. Because of 
incompatible EDI systems, some organizations use a third party to provide EDI services and introduce another
source of exposure. Therefore, EDI (computerized) audit trails have become even more difficult to follow.

Universal product code (UPC) bar coding was first used in 1973 in grocery stores. Bar coding increased input
accuracy and permitted fast data capture. Bar coding and scanning had advantages to management beyond
inventory control. For example, Toys 'R Us uses bar coding and scanning for sales analysis: to know the hot
toy first and order the entire supply!

Quick response systems integrate EDI, bar coding, and just-in-time (JIT) inventory management. The basic
element of the JIT philosophy is to carry only enough inventory to meet customers' orders for a short time
frame (ideally one day). Wal-Mart has fine-tuned its quick response system so well that its system has become
one of its major competitive advantages. For example, the elimination of local warehouse storage at branch
locations reduced costs enough to pay for the quick response system in about six months.

The security of data has not only escaped the confines of the IS central location within an organization, but it
is now virtually open to exposure to anyone in the external environment who has enough knowledge and
criminal intent to disrupt the information traveling over phone lines and networks. The increase in users of 
EDI has expanded the risks to transmission of data. Encryption and virtual private networks (VPN) became
some of the controls used for these risks and exposures.

iv. Artificial Intelligence and Decision Support Systems

Other major innovations in information technology provide additional opportunities for its use, sometimes as
a competitive edge, by management in the area of artificial intelligence (AI), decision support systems (DSS),
and group decision support systems (GDSS). Artificial neural systems (ANS) are a special type of AI systems.
ANS emulate the functioning of the human brain in model building and decision-making. Neural nets appear
to be well suited to problems of pattern recognition, classification, nonlinear feature detection, and nonlinear
forecasting.

One good example of an emerging technology and how it affects IS auditing is executive information systems
(EIS). EIS are computerized systems that support top management in their strategic decision-making. An EIS
must be easy to use by relatively unskilled users. Because internal auditing is supposed to review the
reliability and integrity of financial and operating information, the emergence of new EIS has had an impact
on internal auditors. Information system auditors should define the control risks and internal controls of 
EIS—as well as all other information technologies. Internal controls should be "seamless" to ensure the
flexibility necessary. Thus, IS auditors can contribute to the development of EIS in a variety of ways—but
especially in defining controls, auditability, and security for the systems.

All of these emerging technologies led to constantly changing systems, with new information technologies
being implemented frequently. Many times, systems are changed with input from IS auditors regarding audit,
control, and security. Management and staff are often so enthralled with the features of the new IT that it can
be easy to overlook important control and auditing attributes. But if IS auditors do participate in the systems
development, the controls, auditability, and security probably will be adequate. CISA guidelines suggest that a
CISA be involved in every systems development life cycle (SDLC) project.

v. Telecommunications

In the mid-1960s, modems and acoustical couplers began to appear. Again, it was the growth of the PC that
propelled the use of this technology. The 1980s saw global competition begin to affect many more
organizations, driving a need for telecommunications. With this expansion of telecommunications came risks
and exposures. One problem that arose with telecommunications was computer crime. For example,
vandals—hackers and crackers—began to steal or corrupt data from long distance. With the legal system not
ready to handle these types of crimes, many organizations could do nothing even if they caught the criminal.
The nature of telecommunications and information technology makes it difficult, if not impossible, to identify
computer criminals. Using viruses, hackers also vandalized information systems.

During the last decade, the impact of viruses has grown and is now considered dramatic. [4] Viruses entered
the public limelight in the fall of 1987. But the military had been aware of viruses since 1978 (according to
the head of information security at SRI International, Donn Parker). Modern accounting systems, especially
due to the expansion of telecommunications, are vulnerable to the detrimental effects of viruses. Most auditors
are convinced viruses present a real threat to IS security and control that must be addressed by IS auditors. It
is estimated that viruses cost companies $12.3 billion in 2001.

vi. Expanded Interfacing/Scope of Accounting Systems

Other advances caused significant changes in existing accounting information systems (AIS). One major
change was enterprise resource planning (ERP), in which AIS was interfaced with all, or most, of the other
systems in the organization. For example, in common ERP systems, human resource systems are interfaced
with the payroll system, and sales systems are interfaced with the accounts receivable system. In recent years,
ERP is being expanded to include customer relationship management (CRM), supply chain management
(SCM), and other functions. In addition, data needs resulted in software such as online analytical processing
(OLAP), data warehousing, data mining, and a host of extraction software to create value and draw benefits
from AIS and operational data captured over time in systems.

vii. The Internet and the World Wide Web

The most dramatic of advances has been the proliferation of the Internet and the World Wide Web (WWW).
With it have come new security problems, new risks, and new challenges for auditing. Suddenly, data is
exposed to the entire world! Organizations want to use the 24/7 access to increase sales, improve customer
relations, and achieve other business objectives. The increased risk of fraud and damage is considerable.

The growth of commerce over the Internet has been phenomenal. It has been estimated that between 2002 and
2005, the number of consumers using online account management will more than double, reaching 45% of the
U.S. adult population. On the retail sales side business-to-consumer (B2C), electronic commerce, or
e-commerce, sales grew 92% from 1999 to 2000, with a total of $29 billion. On the wholesale side
business-to-business (B2B), e-commerce transactions increased 17% from 1999 to 2000, with a total of $213
billion. In the service sector, sales increased 48% from 1999 to 2000, with a total of $37 billion. Retail sales
for 4Q 2001 were up 13% over 2000 at $10 billion. It is estimated that sales for the year of 2001 were $32.6
billion, an increase of 19% from 2001.

The Internet and WWW have changed commerce worldwide in both the nature of transactions and AIS.
Electronic commerce makes it possible to better compete on a global scale and find the best suppliers without
regard to geographic location. It also facilitates more efficient and flexible internal operations, better (closer)
relationships with suppliers, and improved customer service, with better response to customer needs and
expectations. Indeed, e-commerce has become a critical success factor for modern business, strategic needs,
and economical development. Firms are changing their organizational and commercial processes to take full
advantage of the opportunities that e-commerce offers.

Yet the electronic systems and infrastructure commensurate with effective e-commerce present significant
exposures and risks related to abuse, misuse, and failure. Risks extend to all connected parties: merchants,
customers, finance entities, and service providers. Risks from attacks range from hackers who are on a
cyberspace joy ride to crackers who are out to kill, steal, and destroy. The risks also include viruses and
intelligent agents (e.g., distributed denial of service (dDoS) agents). To a lesser extent, they include those
objects whose intent is to clog bandwidth: urban legends, hoax viruses, and chain letters. Those responsible
for information security (InfoSec), operational audits, and internal controls have a very difficult task 
managing the risks associated with the Internet. In general, the most common adverse consequences include
the following types of exposures:

• Financial loss as a result of a fraud
• Destruction of important financial records
• Compromise of valuable confidential information to an unauthorized party
• Loss of business opportunities through a disruption of service
• Unauthorized use of resources
• Loss of confidentiality or customer relationship

Some of these consequences can be minimized through appropriate practices of internal control within the
organization. For example, in order to minimize possible losses because of disruption of service, contingency
planning and physical security measures could be taken. However, the risks may not always be minimized
through the traditional security and/or preventative methods.

In addition, security threats have become a ubiquitous problem and an ever-evolving challenge for those
responsible for information systems. There is a seemingly endless barrage of attacks from computer criminals
with the intent to destroy systems, data, and information assets. Mailing lists such as those from BugTraq,
CERT, and SANS Institute put out a continuous stream of warnings about emerging risks, from new viruses to
vulnerabilities in operating systems and browsers. The costs of these security problems appear to outweigh
even those of Internet fraud. The Computer Security Institute and FBI conducted a study of organizations that
experienced security breaches. Respondents who could put a dollar amount on the cost of a security breach
averaged more than $2 million in financial losses.

The rate of the growth of the Internet and e-commerce may have slowed, but the scope of this exposure is
approaching 100% because it affects both suppliers (hosts/servers) and users (clients). Whether it is web
servers (hosts), e-commerce systems, extranets, or just access to the Internet (clients/browsers), firms are
exposed to a plethora of possible attacks if they are connected in any way to the Internet. Obviously, those
firms with servers (hosts) have a much greater risk. Theoretically, data can be accessed by anyone.

In order to respond to these and other critical factors within the implementation strategy of electronic
commerce, the role and responsibility of the IA is crucial in establishing auditing procedures and IS
specifications that will, at least, minimize risks.

viii. Paradoxical Evolution of Information Technology

The effects of emerging technologies have been paradoxical. On one hand, emerging technologies have
created a more difficult system to audit effectively. On the other hand, auditors have managed to use emerging
technologies as audit tools and thus become more effective and efficient. The microcomputer innovation in
the early 1980s epitomizes this phenomenon.

An example of hindrances caused by emerging technologies is distributed data. Emerging technologies,
especially the Internet, decentralized the control points. No longer could an auditor go to a single location and
audit the major control points of an EDP system—usually a mainframe in a single, glass-enclosed room. This
distribution and multiplication of control points complicated the audit process. Coupled with the scope change
was new technology. Not only did the control points move away from a central location and expand in
numbers, but they became different because the technology changed. Thus general controls and application
controls were significantly different.

One current, actual example of using emerging technologies is the use of laptops and customized generalized
audit software to audit credit unions long distance using telecommunications, never interrupting daily
operations (Weber, 1994). One developing example is embedded audit modules: For example, an artificial
neural system (ANS) could be developed to "sit" in the IS and warn auditors of transactions or events that are
"outliers"—that is, fraud or irregularity is suspected. This type of warning system is possible because ANS
can "learn" to recognize errors and possible fraud by exposing the system to actual errors and frauds. This tool
would amount to 100%, real-time, on-line verification. Today several computer-assisted audit tools (CAATs)
already exist that perform a 100% verification.
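As an added illustration (not from the book), a simplified embedded audit module in Python. In place of the artificial neural system the text describes, it uses per-vendor statistical baselines learned from history plus a separation-of-duties rule, and runs over constructed sample transactions; all vendor names, amounts and user IDs are made up.

```python
from collections import defaultdict
from statistics import mean, stdev
from typing import Dict, List, Tuple

HistoryRow = Tuple[str, float, int]                  # (vendor, amount, hour_of_day)
LiveRow = Tuple[str, str, float, int, str, str]      # (txn_id, vendor, amount, hour, approved_by, entered_by)

# Constructed sample data (not from the book): approved historical payments used to
# "teach" the module what normal looks like for each vendor.
HISTORY: List[HistoryRow] = [
    ("ACME", 1200.0, 10), ("ACME", 1150.0, 11), ("ACME", 1300.0, 9),
    ("ACME", 1250.0, 14), ("ACME", 1180.0, 15), ("ACME", 1220.0, 10),
    ("GLOBEX", 400.0, 9), ("GLOBEX", 420.0, 13), ("GLOBEX", 390.0, 11),
    ("GLOBEX", 410.0, 16), ("GLOBEX", 405.0, 10), ("GLOBEX", 395.0, 12),
]

# Constructed live batch the module inspects as transactions are posted.
LIVE: List[LiveRow] = [
    ("T1", "ACME", 1210.0, 10, "mgr1", "clerk1"),    # normal
    ("T2", "ACME", 9800.0, 11, "mgr1", "clerk1"),    # amount far outside baseline
    ("T3", "GLOBEX", 400.0, 2, "mgr2", "clerk2"),    # posted at 2 a.m.
    ("T4", "GLOBEX", 410.0, 12, "clerk2", "clerk2"), # approver is also preparer
    ("T5", "NEWCO", 50.0, 10, "mgr2", "clerk1"),     # vendor never seen before
]


def fit_baseline(history: List[HistoryRow]) -> Dict[str, Dict[str, float]]:
    """Learn, per vendor, the amount distribution and the observed posting-hour window."""
    by_vendor: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
    for vendor, amount, hour in history:
        by_vendor[vendor].append((amount, hour))
    baseline: Dict[str, Dict[str, float]] = {}
    for vendor, rows in by_vendor.items():
        amounts = [a for a, _ in rows]
        hours = [h for _, h in rows]
        baseline[vendor] = {
            "mean": mean(amounts),
            # stdev needs at least two samples; one observation carries no spread
            "stdev": stdev(amounts) if len(amounts) > 1 else 0.0,
            "hour_min": min(hours),
            "hour_max": max(hours),
        }
    return baseline


def review_batch(history: List[HistoryRow], live: List[LiveRow],
                 z_threshold: float = 3.0) -> Dict[str, List[str]]:
    """Return {txn_id: [reasons]} for every live transaction that trips an audit rule."""
    baseline = fit_baseline(history)
    flagged: Dict[str, List[str]] = {}
    for txn_id, vendor, amount, hour, approved_by, entered_by in live:
        reasons: List[str] = []
        stats = baseline.get(vendor)
        if stats is None:
            reasons.append("unknown vendor")
        else:
            if stats["stdev"] > 0:
                z = abs(amount - stats["mean"]) / stats["stdev"]
                if z > z_threshold:
                    reasons.append(f"amount z-score {z:.1f} exceeds {z_threshold}")
            elif amount != stats["mean"]:
                # constant history: any deviation at all is worth a look
                reasons.append("amount differs from constant history")
            if not stats["hour_min"] <= hour <= stats["hour_max"]:
                reasons.append(
                    f"posted at hour {hour}, outside {stats['hour_min']}-{stats['hour_max']}")
        # Separation-of-duties check is independent of the learned baseline.
        if approved_by == entered_by:
            reasons.append("approver is also preparer (separation of duties)")
        if reasons:
            flagged[txn_id] = reasons
    return flagged


if __name__ == "__main__":
    for txn_id, reasons in review_batch(HISTORY, LIVE).items():
        print(txn_id, "->", "; ".join(reasons))
```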

Despite the existence of IDEA, ACL, Panaudit Plus and other micro-based CAATs, these tools are apparently
greatly underutilized at present. This situation is attributed to serious cost constraints within audits, the
expertise to use them effectively, combined with a misconception that CAATs are cost effective only for large
audits.

One thing the future holds for certain is more rapid change in information technology. One source says:

• The task will require ingenuity, special training, and, of course, experience to be efficiently
accomplished. Unlike the auditors of the early 1900s, today's auditor is faced with a dynamic
situation in which time is of the essence. The increased volume of data being handled, the speed with
which these data are processed and the centralization of accounting functions have by no means
reached their zenith, nor will the pace in technology diminish. The modern-day auditor must not only
meet the challenge quickly, but parallel its future growth. To do otherwise will render the role he
 plays ineffective, if not futile.

Sound familiar? This statement was written decades ago (USAF, 1966)! The challenge is to use the lessons of 
the past to solve problems of the present and future.

[4] See "Stop Fraud Cold With Powerful Internal Controls" by Tommie Singleton, Journal of Corporate
Accounting & Finance, Vol. 13, Issue 4, 2002, pp. 29–39, for more on viruses.

1.6 History of Federal Regulations Related to Auditing

A review of relevant federal regulations follows to provide the IA department and its members a general
understanding of these laws. Each regulation has had an impact on audits.

a. Income Tax Law (Sixteenth Amendment): 1913


One of the first major regulations that was passed by the U.S. Congress was the Sixteenth Amendment in
1913. This law legalized income taxes and had a direct impact on internal auditing. One provision of the law
required all companies to maintain adequate accounting records. Thus, even small firms that did not need
accounting for management or financing purposes suddenly had to maintain accounting records for income
tax purposes. This change meant a need for more accountants and internal auditors—who had to review travel
and business expenses for their income tax returns and who would respond if the Internal Revenue Service
solicited audit reports during examinations.


b. Securities and Exchange Commission Acts: 1933, 1934


The main impact of the Securities Act of 1933 and the Securities Exchange Act of 1934 was on public
accounting. In fact, some have referred to this legislation as the "full employment acts for external auditors."
The purpose of the acts was to make accountants liable for purchases of securities containing material
misstatements in the portions of the registration statement for which the CPA is responsible. The registration
had to include audited financial statements. Essentially, plaintiffs must only establish that they suffered
investment losses and that the relevant financial statements contain material errors or omissions. If a plaintiff
establishes those elements of proof, the defendant auditor assumes the burden of proving that its employees
used "due diligence" in performing the audit. This purpose was a result of the Ivar Kreuger scandal mentioned
previously.

The Supreme Court has made it clear that the plaintiff must prove more than mere negligence to impose
liability on the CPA. Plaintiffs must prove scienter [5] ("a mental state embracing intent to deceive,
manipulate, or defraud")—Section 10(b), Rule 10(b)-5 of the 1934 SEC Act. Most criminal cases brought
against CPAs involve this section.

Perhaps the most significant fact about the SEC acts is the legal authority they give the SEC for setting
accounting standards. The SEC has in effect delegated that authority to the Financial Accounting
Standards Board (FASB). Because of its membership makeup and the influence the AICPA tends to have in
the rule-making process, the SEC has basically delegated rule making to the accounting profession, allowing
it to monitor and police itself generally. The SEC does issue Staff Accounting Bulletins that are authoritative
for publicly traded companies.

For IA, the SEC acts provide impetus for financial accounting responsibilities for publicly traded companies.
The acts also require all corporations that report to the SEC to maintain a system of internal control that is
evaluated as part of the annual external audit. The responsibility for this system of internal control generally
falls on the IA function.

c. Foreign Corrupt Practices Act: 1977


Although the primary purpose of the Foreign Corrupt Practices Act (FCPA) in 1977 was supposedly to
eliminate payments by U.S. corporations to foreign officials, the secondary purpose of enhanced internal
controls is more important to internal auditors. Organizations were required to have sufficient internal controls
so that any illegal payments would be uncovered by the accounting system or internal controls. Thus, if a

corporation
by claiming was guilty
a lack of making If
of knowledge. anaillegal payment,
corporation triedmanagement could
that approach, thennot (supposedly)
it would escape
be guilty conviction
of having a
system of internal controls that could not uncover illegal payments; that is, the organization would be out of 
compliance with a federal law.

FCPA required two things that affect auditing and IA:

1. SEC registrants must establish and maintain adequate books, records, and accounts.
2. SEC registrants must maintain an internal control system that provides reasonable assurance the
organization's objectives are being met:

a. Transactions are executed in accordance with management's general or specific authorization.
b. Transactions are recorded as necessary to prepare financial statements (i.e., GAAP), and to
maintain accountability.
c. Access to assets is permitted only in accordance with management authorization.
d. Recorded assets are compared with existing assets at reasonable intervals.
e. Internal controls are capable of detecting illegal foreign payments.


Penalties for violations include fines (up to $2 million), imprisonment (up to five years), and, in some cases,
both. [6]

d. Copyright Laws: 1976 et al.


Also affecting internal auditing is the series of copyright laws beginning in 1976, relating to intellectual
property. The acts have the following implications for IA:


• U.S. intellectual property is protected.
• The acts have been amended numerous times.
• Management is legally responsible for violations of the organization, even if executives did not know
of any illegal activities.
• The U.S. government has continually sought international agreement on terms for protection of 
intellectual property globally, but without complete success (especially in areas of the Far East and
Middle East).

e. Sarbanes-Oxley Act: 2002


The Sarbanes-Oxley Act passed by the U.S. Congress in the summer of 2002 will have a dramatic effect on
both external and internal auditing. Section 301 (Public Company Audit Committee) requires an audit
committee for listed companies and describes the functions and oversight the audit committee should have
over the audit processes. The new law requires the committee to have a great deal of interaction with major
facets of audit, including IA auditors. It also requires members of the committee to be independent. Section
302 (Corporate Responsibility for Financial Reports) calls for the certification of financial reports submitted
to the SEC by the principal executive officer and principal financial officer. Section 406 (Code of Ethics for
Senior Financial Officers) requires a code of ethics for certain executive officers and requires disclosures
when a code does not exist. Section 407 (Disclosure of Audit Committee Financial Expert) adds further
requirements of the audit committee, specifically that at least one member should have financial accounting
expertise.

But it is Section 404 (Management Assessment of Internal Controls) that will have the greatest impact on
internal auditing. This section requires an annual report to management of the internal controls and their
effectiveness. Internal audit is clearly in the optimum position to deliver this required service, and the law is
therefore good news for the IA profession. Fulfilling this regulation is an excellent motivation to have an IA
department in house. The scope of this section was amplified by the NYSE when it actually required, for the
first time, an internal audit function for all NYSE-listed companies (Section 303A.7(c)). (See also Sections
3.4(e) and 9.2 for more on the Sarbanes-Oxley Act.)


[5] Per the case Ernst & Ernst v. Hochfelder (First Securities Co. of Chicago), 1976.

[6] See the full text of the FCPA at www.usdoj.gov/criminal/fraud/fepa/fepastat.htm.

1.7 Professional Organizations Related to Internal Auditing

Several organizations furnish professional services, certification, and continuing education that relate to IA.
The following list summarizes some of these major organizations. A summary of each organization—mostly
derived from information at their web site—follows.

Organization                                                 Certification          Web Site
Institute of Internal Auditors (IIA)                         CIA, CGAP, CFSA, CCSA  www.theiia.org
Information Systems Audit and Control Association (ISACA)    CISA                   www.isaca.org
American Institute of Certified Public Accountants (AICPA)   CPA, CITP              www.aicpa.org
American Accounting Association (AAA)                        n.a.                   www.aaa-edu.org
Financial Executives International (FEI)                     n.a.                   www.fei.org
Association of Government Accountants (AGA)                  CGFM                   www.agacgfm.org
Association of Certified Fraud Examiners (ACFE)              CFE                    www.cfenet.com


a. Institute of Internal Auditors

The Institute of Internal Auditors


247 Maitland Avenue
Altamonte Springs, FL 32701-4201
Phone: (407) 830-7600
Fax: (407) 831-5171
E-mail: <iia@theiia.org>
Web: www.theiia.org

The IIA focuses on the internal audit function. Its certification is the Certified Internal Auditor (CIA).

Established in 1941, the IIA serves more than 75,000 members in internal auditing, governance and internal
control, IT audit, education, and security from more than 100 countries. The world's leader in certification,
education, research, and technological guidance for the profession, the IIA serves as the profession's watchdog
and resource on significant internal auditing issues around the globe.

Presenting important conferences and seminars for professional development, producing leading-edge
educational products, certifying qualified auditing professionals, providing quality assurance reviews and
benchmarking, and conducting valuable research projects through the IIA Research Foundation are just a few
of the Institute's many activities.

The IIA also provides internal audit practitioners, executive management, boards of directors and audit
committees with standards, guidance, and information on best practices in internal auditing. It is a dynamic
international organization that meets the needs of a worldwide body of internal auditors. The history of 
internal auditing has been synonymous with that of the IIA and its motto, "Progress Through Sharing."

In December 2000, the IIA's Internal Auditing Standards Board approved the issuance of new standards, in
the first major revision to the "Red Book" since it was introduced a quarter century ago (i.e., Standards for the
Professional Practice of Internal Auditing (SPPIA)).

b. Information Systems Audit and Control Association

Information Systems Audit and Control Association


3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
Phone: (847) 253-1545
Fax: (847) 253-1443
Web: www.isaca.org

The Electronic Data Processing Auditing Association (EDPAA) was formed in 1969 and later changed its
name to Information Systems Audit and Control Association (ISACA). It is dedicated to the profession of IS
auditing. Its certification is CISA (Certified Information Systems Auditor).

With more than 26,000 members in over 100 countries, ISACA is a recognized global leader in IT
governance, control and assurance. The organization sponsors international conferences, administers the
globally respected CISA designation earned by more than 27,000 professionals worldwide, and develops
globally applicable information systems auditing and control standards. An affiliated foundation undertakes
leading-edge research in support of the profession. The IT Governance Institute, established by the association
and foundation in 1998, offers symposia, original research, presentations at both ISACA and non-ISACA
conferences, and electronic resources to assist enterprise leaders in their responsibility to make IT successful
in supporting the enterprise's mission and goals.

ISACA's vision is to be the recognized global leader in IT governance, control, and assurance.

ISACA's mission is to support enterprise objectives through the development, provision, and promotion of 
research, standards, competencies, and practices for the effective governance, control, and assurance of 
information, systems, and technology.

ISACA members residing in more than 160 chapters throughout more than 100 countries around the world
unite through:

• One set of standards used as guidance for IS audit and control activities worldwide
• A respected certification program that is recognized internationally in the IS audit, control, and
security fields
• A professional development program on critical managerial and technical topics
• Award-winning technical publications providing the latest research, case studies, and how-to
information, and
• A code of professional ethics to guide members' professional activities and conduct

c. American Institute of Certified Public Accountants

American Institute of Certified Public Accountants


1211 Avenue of the Americas
New York, NY 10036-8775
Phone: (212) 596-6200
Fax: (212) 596-6213
Web: www.aicpa.org

The AICPA is the professional organization that represents external auditors. The AICPA oversees the
Certified Public Accountant (CPA) designation that is actually administered and awarded by individual states
(the examination is common to all states).

It has a strict code of ethics that it enforces. Internal auditors must be familiar with their duties, Generally
Accepted Accounting Principles (GAAP), and other financial reporting criteria in order to perform their duties
effectively.

The AICPA and its predecessors have a history dating back to 1887, when the American Association of Public
Accountants was formed. In 1916, the American Association was succeeded by the Institute of Public
Accountants, whose membership numbered 1,150. The name was changed to the American Institute of 
Accountants in 1917 and remained so until 1957, when the name was again changed to the American Institute
of Certified Public Accountants. Separately, the American Society of Certified Public Accountants was
formed in 1921 and acted as a federation of state societies. The Society was merged into the Institute in 1936
and, at that time, the Institute agreed to restrict its future members to CPAs.

d. American Accounting Association

American Accounting Association


5717 Bessie Drive
Sarasota, FL 34233-2399
Phone: (941) 921-7747
Fax: (941) 923-4093
E-mail: <office@aaahq.org>
Web: www.aaa-edu.org

The American Accounting Association is dedicated to accounting education, and most of its membership
consists of accounting academics; in fact, practitioners have made up a shrinking share of its membership
over time. There is no separate certification associated with the AAA.

The AAA promotes worldwide excellence in accounting education, research, and practice. Founded in 1916
as the American Association of University Instructors in Accounting, its present name was adopted in 1936.

The AAA provides a wealth of resources for IA in doing research and in communicating education needs back 
to the classrooms. Interaction between IA and AAA should lead to a synergistic relationship.

e. Financial Executives International

Financial Executives International


10 Madison Avenue
P.O. Box 1938
Morristown, NJ 07962-1938
Phone: (973) 898-4600
Fax: (973) 898-4649
Web: www.fei.org

FEI represents the financial profession and community. It has no separate certification.

FEI was founded in 1931. Over time the role of the financial executive expanded and it adopted its broader
present name in 1962. On November 6, 2000, the Financial Executives Institute became what is now Financial
Executives International.

FEI is the preeminent professional association for senior financial executives representing 15,000 individuals.
Membership driven, FEI provides peer networking opportunities, emerging issues alerts, personal and
professional development, and advocacy services to chief financial officers, controllers, treasurers, tax
executives, finance and accounting professors in academia. FEI does this principally through its strong
Internet community, its 85 chapters and its 9 technical committees. Membership is limited to individuals
holding senior management positions, but the organization allows many other finance professionals to join if 
they meet certain criteria. Other typical titles held by FEI members include assistant controller, subsidiary
CFO or controller, assistant treasurer, and director of tax. FEI also has a special rate and status for academics.

As the global economy developed, FEI was the driving force in forming the International Association of 
Financial Executives Institutes in 1969. FEI proactively helped design the CFO Act and has a history of
supporting legislation that enhances the business climate. Its largest chapters are in Boston, Santa Clara
Valley, New York, and Chicago. In total, FEI has 85 chapters across the United States and Canada. FEI
Canada was established in 1973 to serve the needs of its Canadian members and consists of 11 chapters.


Vision:

FEI will continue to be the association for the corporate finance profession.

f. Association of Government Accountants

Association of Government Accountants

2208 Mount Vernon Avenue
Alexandria, VA 22301
Phone: (703) 684-6931
(800) AGA-7211
Fax: (703) 548-9367
Web: www.agacgfm.org

The Association of Government Accountants specializes in public financial management. AGA sponsors the
CGFM (Certified Government Financial Manager) certification.

Since 1950, the AGA has been instrumental in developing accounting and auditing
standards and in generating new concepts for the effective organization and administration of financial
management functions, including the passage of the Inspector General Act of 1978 and the Chief Financial
Officer's Act of 1990. AGA conducts independent research and analysis of all aspects of government financial
management. These studies have led AGA to be recognized as a leading advocate for improving the quality
and effectiveness of government fiscal administration.

Since its inception in 1994, the CGFM has become the standard by which government financial management
professionals are measured. Its education, experience and ethics requirements have served to elevate the most
seasoned financial professionals. More than 13,000 individuals have received the designation so far.

g. Association of Certified Fraud Examiners

Association of Certified Fraud Examiners


The Gregor Building
716 West Avenue
Austin, Texas 78701
Phone: (512) 478-9070
(800) 245-3321 (USA & Canada only)
Fax: (512) 478-9297
Web: www.cfenet.com

The Association of Certified Fraud Examiners (ACFE) specializes in anti-fraud activities and white-collar
crime detection, and sponsors the CFE (Certified Fraud Examiner) certification.

ACFE, established in 1988, is based in Austin, Texas. The 26,000-member professional organization is
dedicated to educating qualified individuals (Certified Fraud Examiners), who are trained in the highly
specialized aspects of detecting, investigating, and deterring fraud and white-collar crime. Each member of 
the association designated a Certified Fraud Examiner has earned certification after an extensive application
process and upon passing the uniform CFE examination.

Certified Fraud Examiners come from various professions, including auditors, accountants, fraud
investigators, loss prevention specialists, attorneys, educators, and criminologists. CFEs gather evidence, take
statements, write reports, and assist in investigating fraud in its varied forms. CFEs are employed by most
major corporations and government agencies, and others provide consulting and investigative services.

The association sponsors approximately 100 local chapters worldwide. CFEs in more than 100 countries on
four continents have investigated more than 1 million suspected cases of civil and criminal fraud.

Endnotes
1. Special thanks to Dr. Dale Flesher for the use of his article, "A History of Accounting and Auditing Before
EDP," The EDP Auditor Journal, Vol. III, 1993, pp. 38–47. Most of this section came from this article.

2. Interestingly enough, a similar law was passed during the Civil War but was later ruled to be
unconstitutional by the U.S. Supreme Court.

3. Some of the material from this section was taken from The Institute of Internal Auditors: 50 Years of 
Progress, by Dale L. Flesher, IIA. Copyright 1991 by The Institute of Internal Auditors, Inc., 247 Maitland
Avenue, Altamonte Springs, FL 32701-4201. Reprinted with permission.

4. See "Stop Fraud Cold With Powerful Internal Controls" by Tommie Singleton, Journal of Corporate
Accounting & Finance, Vol. 13, Issue 4, 2002, pp. 29–39, for more on viruses.

5. Per case: Ernst & Ernst v. Hochfelder (First Securities Co. of Chicago) 1976.

6. See full text of FCPA at www.usdoj.gov/criminal/fraud/fepa/fepastat.htm.


Chapter 2: Auditing Standards and Responsibilities

Overview

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 2.1 REV NO: DATE:
TITLE: Introduction PAGES:

2.1 Introduction
The internal audit function is guided by auditing standards, guidelines, principles, and the responsibilities for
auditors both individually and professionally. Individually, internal auditors have an ethical responsibility to
perform their duties with integrity. Professionally, there are standards that must be considered.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 2.2 REV NO: DATE:
TITLE: Ethics PAGES:

2.2 Ethics
Every company should have its own ethics officer, who answers to the chief executive officer (CEO) or, better
yet, chairman of the board. Companies should consider ethics training and an ethics system for reporting
suspicious activities or events (e.g., a toll-free phone line that goes to a special group responsible for corporate
ethics). Companies may even hire ethics consultants when necessary (e.g., for developing international

Managers and business professionals alike should use ethical principles to evaluate their activities, behaviors,
and decisions. One area of concern for organizations today is the potential harm or risks from the use of 
information technologies. Because the work of auditors is inexorably melded with technology, ethics related
to information technology (IT) should at least be considered while conducting reviews and audits. Ethical
principles for responsible use of IT include:

• Proportionality. The good achieved by technology must outweigh any harm or risk in its use.
• Informed Consent. Those affected by the technology should understand and accept the risks
associated with that use.
• Justice. The benefits and burdens of the technology should be distributed fairly.
• Minimized Risk. To the extent that any risk is judged acceptable by the preceding three guidelines,
technology should be implemented to eliminate all unnecessary risk.

The Association of Information Technology Professionals (AITP) provides the following guidelines for
becoming a responsible end user [1]:

• Act with integrity, avoid conflicts of interest, and ensure your employer is aware of any potential
conflicts.
• Protect the privacy and confidentiality of any information you are entrusted with.
• Do not misrepresent or withhold information that is germane to a situation.
• Do not attempt to use the resources of an employer for personal gain or for any purpose without
proper approval.
• Do not exploit the weakness of a computer system for personal gain or personal satisfaction.
• Set high standards for your work. Accept responsibility for your work.
• Advance the health, privacy, and general welfare of the public.

The above ethics principles can be used to govern ethical conduct by managers and users. However, more
specific standards of conduct are needed to govern ethical use of information technology. One of the
hallmarks of any profession is having and following a basic set of ethical standards. For auditors, it matters
how "doing what is right" is defined and by whom. What exactly constitutes the ethical standards for internal
auditing as a profession? A code of ethics is necessary and appropriate for the profession of internal auditing,
founded as it is on the trust placed in its objective assurance about risk management, control, and governance.

a. Institute of Internal Auditors (IIA) [2]


The Institute of Internal Auditors has a Code of Ethics that applies to its members and Certified Internal
Auditors (CIA). It extends beyond the definition of internal auditing to include two essential components:

1. Principles that are relevant to the profession and practice of internal auditing.
2. Rules of conduct that describe behavior norms expected of internal auditors. These rules are an aid to
interpreting the principles into practical applications and are intended to guide the ethical conduct of 
internal auditors.

i. Purpose

The purpose of this Code is to promote an ethical culture in the profession of internal auditing.

ii. Applicability

This Code of Ethics applies to both individuals and entities that provide internal auditing services. For the IIA,
"internal auditors" refer to IIA members, recipients of IIA professional certification (CIA, CGAP, CCSA, and
CFSA), and candidates for those certifications. For internal auditors, breaches of the Code will be evaluated,
and enforcement administered according to the IIA's bylaws and administrative guidelines.

iii. Principles of the IIA Code of Ethics

Internal auditors are expected to apply and uphold these principles:

• Integrity. The integrity of internal auditors establishes trust and thus provides the basis for reliance on
their judgment.
• Objectivity. Internal auditors exhibit the highest level of professional objectivity in gathering,
evaluating, and communicating information about the activity or process being examined. Internal
auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced
by their own interests or by others in forming judgments.
• Confidentiality. Internal auditors respect the value and ownership of information they receive and do
not disclose information without appropriate authority, unless there is a legal or professional
obligation to do so.
• Competency. Internal auditors apply the knowledge, skills, and experience needed in the performance
of internal auditing services.


iv. Rules of Conduct

The rules of conduct include:

• Integrity. Internal auditors (a) shall perform their work with honesty, diligence, and responsibility, (b)
shall observe the law and make disclosures expected by the law and the profession, (c) shall not
knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession
of internal auditing or the organization, and (d) shall respect and contribute to the legitimate and
ethical objectives of the organization.
• Objectivity. Internal auditors (a) shall not participate in any activity or relationship that may impair or
be presumed to impair their unbiased assessment; this participation includes those activities or
relationships that may be in conflict with the interests of the organization, (b) shall not accept
anything that may impair or be presumed to impair their professional judgment, and (c) shall disclose
all material facts known to them that, if not disclosed, may distort the reporting of activities under
review.
• Confidentiality. Internal auditors (a) shall be prudent in the use and protection of information
acquired in the course of their duties, and (b) shall not use information for any personal gain or in any
manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the
organization.
• Competency. Internal auditors (a) shall engage only in those services for which they have the
necessary knowledge, skills, and experience, (b) shall perform internal auditing services in
accordance with the Standards for the Professional Practice of Internal Auditing , and (c) shall
continually improve their proficiency and the effectiveness and quality of their services.

b. Information Systems Audit and Control Association (ISACA) [3]


The Information Systems Audit and Control Association (ISACA) also has a Code of Professional Ethics.

i. Purpose

The purpose of the ISACA Code is to guide the professional and personal conduct of members of the
association and/or holders of the professional certifications from ISACA.

ii. Applicability

The Code applies to members of ISACA and/or holders of Certified Information Systems Auditor (CISA)
and/or the Certified Information Security Manager (CISM) certifications. Failure to comply with the Code can
result in an investigation into one's conduct and, ultimately, in disciplinary measures.

iii. Rules of Conduct

This Code says members and CISAs [4] shall:

• Support the implementation of, and encourage compliance with, appropriate standards, procedures,
and controls for information systems.
• Serve in the interest of relevant parties in a diligent, loyal and honest manner, and shall not knowingly
be a party to any illegal or improper activities.
• Maintain the privacy and confidentiality of information obtained in the course of their duties unless
disclosure is required by legal authority. Such information shall not be used for personal benefit or
released to inappropriate parties.
• Perform their duties in an independent and objective manner and avoid activities that impair, or may
appear to impair, their independence or objectivity.


• Maintain competency in their respective fields of auditing and information systems control.
• Agree to undertake only those activities that they can reasonably expect to complete with professional
competence.
• Perform their duties with due professional care.
• Inform the appropriate parties of the results of information systems audits and/or control work 
performed, revealing all material facts known to them, which if not revealed could either distort
reports of operations or conceal unlawful practices.
• Support the education of clients, colleagues, the general public, management, and boards of directors
in enhancing their understanding of information systems auditing and control.
• Maintain high standards of conduct and character and not engage in acts discreditable to the
profession.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 2.3 REV NO: DATE:
TITLE: Professional Auditing Standards PAGES:

[1] According to the Code of Ethics and Standards of Conduct by AITP from its web site at www.aitp.org.

[2] The majority of this section comes from the IIA's Code of Ethics web page at
www.theiia.org/ecm/guidance.cfm?doc_id=92 (or www.theiia.org and search for "ethics"). Please check the
web page for any changes. The document used in this manual was adopted by the IIA Board of Directors on
June 17, 2000.

[3] The majority of this section comes from the ISACA's Code of Professional Ethics web page at
www.isaca.org/codeofethics.htm (or www.isaca.org and search for "ethics"). Check the web page for any
changes. The document used in this manual was adopted by ISACA on July 1, 2001. It also is under review at
the time this chapter was written for changes related to the CISM certification.

[4] At the time of this writing, ISACA is revising the Code of Professional Ethics to accommodate its new
certification—CISM. Please visit the web page, www.isaca.org/codeofethics.htm, for possible changes
effective since this writing.

2.3 Professional Auditing Standards


Like ethics, standards exist from authoritative sources that impose certain requirements and/or structures on
the tasks and duties of the internal auditor. These standards come from professional accounting organizations
and proven systems theory. There is a great deal of overlap among accounting organizations regarding auditing
standards; for example, independence, planning, and competence.

a. Institute of Internal Auditors


The IIA's authoritative standards document that is applicable to IA is known as the Standards for the
Professional Practice of Internal Auditing (SPPIA). The purpose of SPPIA is to:

• Delineate basic principles that represent the practice of internal auditing as it should be
• Provide a framework for performing and promoting a broad range of value-added internal audit
activities
• Establish the basis for the measurement of internal audit performance

• Foster improved organizational processes and operations

In December 2000, the IIA's Internal Auditing Standards Board approved the issuance of new standards in the
first major revision of the so-called "Red Book" since it was introduced a quarter century earlier. Mandatory
implementation date for these Standards was January 1, 2002. The Standards consist of Attribute Standards
(the 1000 series), Performance Standards (the 2000 series), and Implementation Standards (nnnn.Xn). While
there is one set of each of the two former standards, the latter may be multiple sets—a set for each of the major types
of internal audit activity. Implementation Standards related to assurance include an "A" in the number (e.g.,
1130.A1), and standards related to consulting include a "C" in the number (e.g., 1130.C1).

The following is a brief summary of the main categories of the Attribute Standards and Performance
Standards from the most recent version of the SPPIA:

 Attribute Standards

• 1000—Purpose, Authority, and Responsibility
• The purpose, authority, and responsibility of the internal audit activity should be formally defined in a
charter, consistent with the Standards, and approved by the board.
• 1100—Independence and Objectivity
• The internal audit activity should be independent, and internal auditors should be objective in
performing their work.
• 1200—Proficiency and Due Professional Care
• Engagements should be performed with proficiency and due professional care.
• 1300—Quality Assurance and Improvement Program
• The chief audit executive should develop and maintain a quality assurance and improvement program
that covers all aspects of the internal audit activity and continuously monitor its effectiveness. The
program should be designed to help the internal auditing activity add value and improve the
organization's operations and to provide assurance that the internal audit activity is in conformity with
the Standards and the Code of Ethics.

 Performance Standards

• 2000—Managing the Internal Audit Activity
• The chief audit executive should effectively manage the internal audit activity to ensure it adds value
to the organization.
• 2100—Nature of Work
• The internal audit activity evaluates and contributes to the improvement of risk management, control,
and governance systems.
• 2200—Engagement Planning
• Internal auditors should develop and record a plan for each engagement.
• 2300—Performing the Engagement
• Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the
engagement's objectives.
• 2400—Communicating Results
• Internal auditors should communicate the engagement results promptly.
• 2500—Monitoring Progress
• The chief audit executive should establish and maintain a system to monitor the disposition of results
communicated to management.
• 2600—Management's Acceptance of Risks
• When the chief audit executive believes that senior management has accepted a level of residual risk
that is unacceptable to the organization, the chief audit executive should discuss the matter with senior
management. If the decision regarding residual risk is not resolved, the chief audit executive and
senior management should report the matter to the board for resolution.

b. Information Systems Audit and Control Association [5]


The concept of a professional association of computer auditors originated in Los Angeles, California, in the
late 1960s with a small group of auditors who were working in the area of computerized systems. The entity
was named the Electronic Data Processing Auditors Association, and the name changed later to Information
Systems Audit and Control Association (See Section 1.5(f) for a detailed history of EDPAA/ISACA).

Computer-based systems are pervasive tools used by management in almost all organizations. Such systems
affect control over many of the assets—including the very valuable corporate data—and operations of an
organization. Development and support of such systems may require a significant portion of an organization's
total resources. When these conditions exist, the auditor's mission may include auditing the development,
maintenance, and operation of the systems. The work of auditors, both internal and external, is governed by
standards developed by a number of professional organizations, each of which seeks to assure the quality of 
auditing work being performed.

The Information Systems Audit and Control Foundation (ISACF) has determined that the specialized nature
of information systems (IS) auditing work, and the skills necessary to perform such audits, require the
development and promulgation of auditing standards that apply specifically to IS auditing.

For the purposes of these standards, IS auditing is defined as any audit that encompasses the review and
evaluation of all aspects (or any portion) of automated information processing systems, including related
non-automated processes, and the interfaces between them. IS auditors review and evaluate the development,
maintenance, and operation of components of automated systems (or such systems as a whole) and their
interfaces with the non-automated areas of the organization's operations. The objectives of such auditing
generally are to assess the extent to which such systems or components produce reliable and accurate
information and to determine if such information is in conformity with management's requirements and any
applicable statutory provisions.

ISACF has developed its Standards in order to inform (1) IS auditors of the minimum level of acceptable
performance required to meet the professional responsibilities set out in the ISACA Code of Professional
Ethics, and (2) management and other interested parties of the profession's expectations concerning the work
of practitioners. The framework for the IS Standards, Guidelines, and Procedures for IS Auditing (Standards)
provides multiple levels of guidance. First, Standards define mandatory requirements for IS auditing and
reporting. Second, Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should
consider them in determining how to achieve implementation of the Standards, use professional judgment in
their application, and be prepared to justify any departure. Last, Procedures provide examples of procedures
an IS auditor might follow in an audit engagement. Procedures should not be considered inclusive of any
proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtain
the same results. In determining the appropriateness of any specific procedure, group of procedures or test, IS
auditors should apply their own professional judgment to the specific circumstances presented by the
particular information systems or technology environment. The procedure documents provide information on
how to meet the standards when performing IS auditing work, but do not set requirements.

The Standards, and their concomitant number, are divided into three areas: Standard Category, the Standard,
and Guideline (see Exhibit 2.1). There are eight Standard Categories and 12 overall IS Auditing Standards. IS
Auditing Standards are brief mandatory requirements for CISA holders' reports on the audit and its findings.
IS Auditing Guidelines and Procedures are detailed guidance on how to follow those Standards in most
situations. There will be times however, when the auditor will not follow that guidance. In such a case, it will
be the auditor's responsibility to justify the way in which the work is done. The Procedure examples show the
steps performed by an IS auditor and are more informative than IS Auditing Guidelines. The examples are
constructed to follow the IS Auditing Standards and the IS Auditing Guidelines and provide information on
following the IS Auditing Standards. To some extent, they also establish best practices for procedures to be
followed. For ISACA, these Standards are effective for all information systems audits with periods of
coverage beginning July 25, 1997.

Exhibit 2.1: ISACA Auditing Standards Guidelines [6]

(Columns of the original exhibit: Standard Category; Standard; Guideline)

010—Audit Charter
    Standard: .010—Responsibility, Authority, and Accountability
    Guidelines: .010—Audit Charter; .020—Outsourcing
020—Independence
    Standards: .010—Professional Independence; .020—Organizational Relationship
    Guideline: .010—Nonaudit Role Impact
030—Professional Ethics and Standards
    Standards: .010—Code of Professional Ethics; .020—Due Professional Care
    Guidelines: .010—Irregularities and Illegal Acts; .010—Audit Considerations for Irregularities;
    .020—Due Professional Care
040—Competence
    Standards: .010—Skills and Knowledge; .020—Continuing Professional Education
050—Planning
    Standard: .010—Audit Planning
    Guidelines: .010—Materiality; .020—Planning; .030—Risk Assessment; .040—Effect of Third Parties
060—Performance of Audit Work
    Standards: .010—Supervision; .020—Evidence
    Guidelines: .010—Audit Documentation; .020—Application Systems Review; .030—Audit Evidence;
    .040—Audit Sampling; .050—IT Governance; .060—Pervasive IS Controls; .070—Use of CAATs;
    .080—Use of Experts; .NNN—etc.
070—Reporting
    Standard: .010—Report Content and Form
    Guideline: .010—Reporting
080—Follow-Up Activities
    Standard: .010—Follow-Up

Source: ISACA, from web site www.isaca.org/stand1.htm. Reprinted with permission.



The eight categories and a brief summary description of each follow:

• 010—Audit Charter
• The responsibility, authority, and accountability of the information systems audit function are to be
appropriately documented in an audit charter or engagement letter.
• 020—Independence
• In all matters related to auditing, the information systems auditor is to be independent of the auditee in
attitude and appearance. The information systems audit function is to be sufficiently independent of 
the area being audited to permit objective completion of the audit.
• 030—Professional Ethics and Standards
• The information systems auditor is to adhere to the Code of Professional Ethics of the Information
Systems Audit and Control Association.
• 040—Competence
• The information systems auditor is to be technically competent, having the skills and knowledge
necessary to perform the auditor's work. The information systems auditor is to maintain technical
competence through appropriate continuing professional education.
• 050—Planning
• The information systems auditor is to plan the information systems audit work to address the audit
objectives and to comply with applicable professional auditing standards.
• 060—Performance of Audit Work
• Information systems audit staff are to be appropriately supervised to provide assurance that audit
objectives are accomplished and applicable professional auditing standards are met. During the course
of the audit, the information systems auditor is to obtain sufficient, reliable, relevant, and useful
evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be
supported by appropriate analysis and interpretation of this evidence.
• 070—Reporting
• The information systems auditor is to provide a report, in an appropriate form, to intended recipients
upon the completion of audit work. The audit report is to state the scope, objectives, period of 
coverage, and the nature and extent of the audit work performed. The report is to identify the
organization, the intended recipients, and any restrictions on circulation. Audit findings, conclusions,
and recommendations and any reservations or qualifications that the auditor has with respect to the
audit are to be stated in the report.
• 080—Follow-Up Activities
• The information systems auditor is to request and evaluate appropriate information on previous
relevant findings, conclusions, and recommendations to determine whether appropriate actions have
been implemented in a timely manner.

The first three digits in a document number represent one of the eight standards categories. IS Auditing
Standards begin with "0" and Standards for IS Control Professionals begin with "5." The standards numbers are
the second three numbers in the document (12 standards to date). The third set of three digits in a document
number is the number of the guideline. Procedures are listed separately and numbered consecutively by issue
date. For example, document 050.010.030 is a guideline (see Exhibit 2.1). It provides guidance in the fifth
standard category (050), Planning. The Guidance applies to the first standard in that category (010), Audit
Planning. It is the third guideline listed under Audit Planning (030). Procedures are numbered consecutively
as they are issued, beginning with "1." Refer to the latest index of IS auditing standards, guidelines, and
procedures for a complete listing of those documents available online from ISACA's web site.
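The numbering scheme just described, decoded in an added Python example (not ISACA's own code): it splits a ddd.ddd.ddd document number into series, category, standard and guideline, names the category from Exhibit 2.1, and rejects malformed or unknown numbers so that cross-references in audit workpapers can be checked. The function names and the sample reference list are constructed for this example.

```python
"""Decoder for ISACA IS Auditing Standards document numbers (ddd.ddd.ddd).

Added example, not ISACA's own code. Category names are taken from
Exhibit 2.1; function names and sample references are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The eight standard categories of the "0" series, as listed in Exhibit 2.1.
CATEGORIES: Dict[str, str] = {
    "010": "Audit Charter",
    "020": "Independence",
    "030": "Professional Ethics and Standards",
    "040": "Competence",
    "050": "Planning",
    "060": "Performance of Audit Work",
    "070": "Reporting",
    "080": "Follow-Up Activities",
}

# The leading digit of the category selects the series.
SERIES: Dict[str, str] = {
    "0": "IS Auditing Standards",
    "5": "Standards for IS Control Professionals",
}

# Up to three dotted groups of exactly three digits. A guideline number can
# only follow a standard number, so a form like "050..030" cannot match.
_NUMBER_RE = re.compile(r"^(\d{3})(?:\.(\d{3})(?:\.(\d{3}))?)?$")


@dataclass(frozen=True)
class IsacaDocument:
    number: str
    series: str
    category: str
    category_name: Optional[str]  # None for the "5" series (not tabulated on this page)
    standard: Optional[str]
    guideline: Optional[str]

    @property
    def level(self) -> str:
        """Which kind of document the number identifies."""
        if self.guideline is not None:
            return "guideline"
        if self.standard is not None:
            return "standard"
        return "category"

    def describe(self) -> str:
        """Human-readable breakdown, e.g. for a workpaper index."""
        name = f" ({self.category_name})" if self.category_name else ""
        parts = [f"{self.level} {self.number}: {self.series}", f"category {self.category}{name}"]
        if self.standard is not None:
            parts.append(f"standard .{self.standard}")
        if self.guideline is not None:
            parts.append(f"guideline .{self.guideline}")
        return ", ".join(parts)


def parse_isaca_number(number: str) -> IsacaDocument:
    """Split a document number into series, category, standard and guideline.

    Raises ValueError for anything that is not a well-formed number in a
    known series, so callers can flag bad cross-references.
    """
    text = number.strip()
    match = _NUMBER_RE.match(text)
    if not match:
        raise ValueError(f"{number!r}: expected ddd, ddd.ddd or ddd.ddd.ddd")
    category, standard, guideline = match.groups()
    series = SERIES.get(category[0])
    if series is None:
        raise ValueError(f"{number!r}: unknown series prefix {category[0]!r}")
    if category[0] == "0" and category not in CATEGORIES:
        raise ValueError(f"{number!r}: IS Auditing Standards has no category {category}")
    for label, group in (("standard", standard), ("guideline", guideline)):
        if group == "000":
            raise ValueError(f"{number!r}: {label} number must not be 000")
    return IsacaDocument(
        number=text,
        series=series,
        category=category,
        category_name=CATEGORIES.get(category) if category[0] == "0" else None,
        standard=standard,
        guideline=guideline,
    )


def check_references(refs: List[str]) -> Tuple[Dict[str, int], List[str]]:
    """Validate a list of cited document numbers.

    Returns a count of valid references per level and the error messages
    for references that could not be decoded.
    """
    counts: Dict[str, int] = {"category": 0, "standard": 0, "guideline": 0}
    errors: List[str] = []
    for ref in refs:
        try:
            counts[parse_isaca_number(ref).level] += 1
        except ValueError as exc:
            errors.append(str(exc))
    return counts, errors


if __name__ == "__main__":
    # Constructed sample: references as they might appear in a workpaper.
    sample = ["050.010.030", "060.020", "010", "510.010", "090.010", "50.10"]
    print(parse_isaca_number(sample[0]).describe())
    totals, problems = check_references(sample)
    print(totals)
    for problem in problems:
        print("bad reference:", problem)
```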

c. American Institute of Certified Public Accountants

The AICPA has long-established Generally Accepted Auditing Standards (GAAS) that are related to internal
auditing; they are at least tangentially relevant when external auditors come to the IA's firm to conduct
financial audits. The basic Standards fall into three categories: General Standards, Standards of Field Work,
and Reporting Standards. The first two groups are similar to many of the standards from the IIA and ISACA.
The AICPA also issues Statements on Auditing Standards from time to time.

General Standards

1. The auditor must have adequate technical training and proficiency.
2. The auditor must have independence of mental attitude.
3. The auditor must exercise due professional care in the performance of the audit and the preparation of 
the report.

Standards of Field Work

1. Audit work must be adequately planned.
2. The auditor must gain a sufficient understanding of the internal control structure.
3. The auditor must obtain sufficient, competent evidence.

Reporting Standards

1. The auditor must state in the report whether financial statements were prepared in accordance with
generally accepted accounting principles (GAAP).
2. The report must identify those circumstances in which GAAP were not applied.
3. The report must identify any items that do not have adequate informative disclosures.
4. The report shall contain an expression of the auditor's opinion on the financial statements as a whole.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 2.4 REV NO: DATE:
TITLE: Systems Development Life Cycle Standards PAGES:

[5] Much of this section was taken from ISACA's web page on Standards located at:
www.isaca.org/stand1.htm.

[6] The list illustrates the Standards for Information Systems Auditing issued by ISACA, and is not
comprehensive. For the complete list, see www.isaca.org/stand1.htm.

2.4 Systems Development Life Cycle Standards


While the standards from the IIA, ISACA, and AICPA are obviously relevant to the IA function, it is also true
that proven systems development life cycle (SDLC) standards are relevant. For instance, the ISACA standard
060.020.020 (IS Auditing Guideline: Applications Systems Review) states in section 2.1.1 "Planning
Considerations" in part:

• The IS auditor should gain an understanding of ... the risks and exposures associated with the
organization's objectives and its information systems.

Further, section 2.1.3 states in part:

• Application level risks at the system and data level include such things as: system integrity risks
relating to the incomplete, inaccurate, untimely, or unauthorized processing of data, and system
maintainability risks relating to the inability to update the system when required in a manner that
continues to provide for system availability, security, and integrity.

All of the above portions of the Standards are directly related to the proper use of SDLC techniques. For
example, if system updates are done online (LAN or Internet) rather than taken offline, updated, tested, then
restored to live access, risks are greater according to SDLC standards. Many a system has been updated online
only to cause extra costs or other loss due to the extra or unnecessary problems this process created. The same
is true for the phrase from section 2.1.3 "integrity risks relating to incomplete . . . ." By not following SDLC
procedures in systems changes or purchases, the result can be these very risks.

The SDLC procedures for new systems include these steps: Identify the process, understand what needs to be
done, consider alternative solutions, select the best solution, test the solution, activate or implement the
solution, and maintain the solution.

Another key SDLC standard is the use of a cross-functional team in developing any major system, whether
new or a major change. The team should include: systems professionals (analysts, programmers, etc.), end
users, management, and auditors or accountants (limited to design functions, focusing on application
controls). Another effective technique is to include different levels of the organization within the different
functions. That is, consider using a manager from IS, a mid-level person, and someone from the operational
level of IS. The same would be true for users/operations, and audit/accounting (see Exhibit 2.2 for a matrix
view of this technique). Part of the responsibility of this team or steering committee is to ensure an
appropriate linkage between the project and the strategic objectives of the firm.

Exhibit 2.2: SDLC Steering Committee/Cross-Functional Team Matrix

Departments =>          IA    IS    Dept. 1    Dept. 2
Executive Management     1     1       1          1
Middle Management        1     1       1          1
Operations Personnel     1     1       1          1

(Each cell gives the number of representatives from that level and department.)

The SDLC has two pre-requisite documents and steps: a preliminary feasibility study and project
authorization. The specific phases of the SDLC cycle are described in the following, and pictured in Exhibit
2.3, which includes a list of the documents or reports that are involved with the phases:

• Phase 1—Systems Planning
• Systems planning has proven to be cost effective, although it is tempting for the IS technicians to
skip—usually due to time pressures. It includes both strategic systems planning (long-term planning) and
project planning (short-term planning). A dynamic strategic systems plan is certainly better than no plan at
all. Project planning includes identifying users' needs, preparing proposals, evaluating proposals,
prioritizing individual projects, and scheduling work. It includes a project proposal and project schedule
document. One proven effective approach to systems planning is to use a steering committee to manage the
process. The members of this group follow a similar makeup as the "matrix" view of cross-functional teams
depicted in Exhibit 2.2.
• Phase 2—Systems Analysis
• This phase includes surveys, if necessary, and other fact-gathering steps. The step is documented by
the system analysis report.

• Phase 3—Conceptual Design


• In this phase, the team will develop alternative systems that satisfy the system requirements identified
during system analysis. This phase includes a data flow diagram (DFD), in general terms.
• Phase 4—Systems Evaluation and Selection
• This process seeks to identify the optimal solution from among the alternatives. It includes a
feasibility study, cost-benefit analysis, and the system selection report (documentation).
• Phase 5—Detailed Design


• This phase will produce a detailed description of the proposed system that satisfies system
requirements identified during systems analysis and is in accordance with conceptual design. It will
include some sort of testing, such as a simulation or walkthrough. It involves numerous reports and
some of the most important documentation of the processes and system. Examples include: detailed
design report, DFD (detail), entity-relationship (ER) diagram, relational model, normalized data, data
dictionary, and other documentation.
• Phase 6—Systems Implementation
• At this point, the database structures are created and populated with data, applications are coded and
tested (prior to going live), equipment is purchased and installed, employees are trained, the system is
documented, and the new system is installed. Once the final tests have been conducted, the system is
placed in active use. This phase then would provide a post-implementation review, program
flowcharts, program documentation, and the user acceptance report. It also should include a budget
variance analysis. The post-implementation review and budget analysis are critical follow-up
processes that will be valuable to management decisions and future projects.
• Phase 7—Maintenance
• The maintenance phase is the longest in time, and therefore the efficiency and effectiveness of this
phase are highly dependent on the documentation of the previous steps. Because about 80% of the
total cost of the system will occur during this phase, there is plenty of opportunity for cost savings
based on activities such as the data dictionary [7] developed in the detailed design phase. During this
phase, the system is changed to accommodate changes in user needs. A minimum of four controls are
needed in maintenance: formal authorization for changes, technical specifications (documentation),
retesting (offline first), and updating of the documentation (especially the data dictionary).

Exhibit 2.3: SDLC Guidelines

A materially flawed financial application will eventually misstate the financial data, which will then be
incorrectly, and materially, reported in the financial statements. Therefore, the accuracy and integrity of these
information systems directly affects the accuracy of the client's financial data. Some of the questions internal
auditors should ask include:

• How can audit verify that SDLC activities are being applied consistently?
• How can audit verify that systems are free from material errors and fraud using SDLC principles?

• How can audit verify that the purchase or development of a system is justified?
• How can audit verify that system documentation is adequate and complete?
• How can audit verify that a library control is effective for original source code (or original copies and
licenses of commercial software) and data (backups)? That is, what controls exist to protect original
software and backup data? (See page 109 for a description of library control.)
SAM POLE COMPANY  Corporate Audit Department Procedures Manual
NO: 2.5  REV NO:  DATE:
TITLE: Professional Development  PAGES:
[7] A data dictionary will include all of the fields in all of the files used by the system with details on the
characteristics of the field and places it is used in the applications.

2.5 Professional Development


One of the critical success factors in internal audit (IA) is professional development. Not only do accounting
and auditing rules change, but other relevant matters also change. For instance, technology and systems are
constantly evolving at a rapid pace; they not only house the accounting information, but are also excellent
tools to use in audits. Management issues, such as conflict resolution and leadership, are vital to IA. Life-long
learning, professional development, is a necessity. (See Section 5.2 on personal development for details on
professional development.)

Certification is an important element in a successful, effective internal audit department. Major benefits are
that certification is a sign of professionalism, an adequate level of knowledge (for the area under certification),
and a willingness to submit to a professional code of ethics. Another benefit of certification is the mandatory
Continuing Professional Education (CPE) credits that must be earned each year in order to maintain one's
certification. (See Section 5.1(c) i for more on certification.)

This manual also recommends an annual staff meeting or conference for training and education of the staff 
auditors, in addition to other educational options. (See Section 5.5 for details.)

Most of all, the ISACF Standards state that IS auditors are to be technically competent, having the skills and
knowledge necessary to perform the auditor's work (040.010—Competence/Skills and Knowledge), and also
specify that IS auditors are to maintain their technical competence through appropriate CPE
(040.020—Continuing Professional Education). The IIA Code of Ethics states the same requirement for
competence in its "Principles" and "Rules of Conduct" sections. Therefore, professional development is a key
to quality audits and an effective IA function.

SAM POLE COMPANY  Corporate Audit Department Procedures Manual
NO: 2.6  REV NO:  DATE:
TITLE: Responsibilities of a Corporate Auditor  PAGES:

2.6 Responsibilities of a Corporate Auditor


In addition to the various standards to be followed, the corporate auditor and the IA function have
responsibilities that must be fulfilled for IA to have successful results.
a. Nature
Internal auditing is an independent appraisal activity within an organization for the review of operations as a
service to management. It improves managerial control by measuring and evaluating the effectiveness of other
controls, and by maintaining a vigilant watch over risks.

b. Objective and Scope

The objective of internal auditing is to assist all members of the organization in the effective discharge of 
responsibilities by furnishing them with analyses, appraisals, recommendations, and pertinent comments
concerning the activities reviewed. The internal auditor is concerned with any phase of business activity
where he/she may provide service to the organization. This scope involves going beyond the accounting and
financial records to obtain a full understanding of the operations under review. The attainment of this overall
objective involves such activities as:

• Reviewing and appraising the correctness, adequacy, and application of accounting, financial, and
other operating controls and promoting effective control at reasonable cost
• Ascertaining the extent of compliance with established policies, plans, and procedures
• Ascertaining the extent to which company assets are accounted for and safeguarded from losses of all
kinds
• Ascertaining the reliability of management data developed within the organization
• Ascertaining the quality of performance in carrying out assigned responsibilities

• Recommending operational improvements

c. Responsibility and Authority


The responsibilities of corporate auditing within Sam Pole Company are clearly established by management
policy. The related authority provides the corporate auditor full access to all of the organization's records,
properties, and personnel relevant to the subject under review. The corporate auditor should be free to review
and appraise policies, plans, procedures, and records. The internal auditor's responsibilities should be:

• To inform and advise management and to discharge this responsibility in a manner that is consistent
with the codes of ethics of the IIA and the ISACA (IS audits)
• To coordinate his/her activities with others so as to best achieve audit objectives and the objectives of 
the organization

Corporate auditors have neither direct responsibility for, nor authority over, any of the activities that they
review. Therefore, the corporate audit review and appraisal do not in any way relieve other persons in the
organization of the responsibilities assigned to them.

d. Independence
Independence is essential to the effectiveness of corporate auditing. This independence is obtained primarily
through organizational status and objectivity:

• The organizational status of the corporate auditing function and the support accorded to it by
management are major determinants of its range and value. The head of the corporate auditing
function should be responsible to an officer whose authority is sufficient to assure both a broad range
of audit coverage and the adequate consideration of and effective action on the audit findings and
recommendations.

Objectivity is essential to the audit function. Therefore, corporate auditors should not develop and install
procedures, prepare records, or engage in any other activity that would normally be the subject of a review
and could reasonably be construed to compromise one's independence. Auditors' objectivity need not be
adversely affected by their determination and recommendation of standards or controls to be applied in the
development of the systems and procedures under review.

It is common to read in the financial section of a newspaper or other publication that a public accounting firm
has been sued or censured. Why? Usually because the firm allegedly did not follow Generally Accepted
Auditing Standards (GAAS), or the firm did not issue an accurate audit report on the financial statements, or
the firm did not ensure adequate disclosures (e.g., certain information required by the Securities and Exchange
Commission (SEC) or another regulatory body that could influence shareholders and/or the general public in
financial planning decisions).

Although similar situations specifically addressed to the internal audit profession are rare, the possibility does
exist. The SEC and other regulatory entities are looking in that direction due to the improved image of the
profession and the greater reliance upon internal auditors' work by management and the public accountants.

Don't be alarmed! Unlike the public accountants, internal auditors do not have the same contractual or
fiduciary obligations. We do have similar responsibilities. Therefore, we must perform our audits with the
same extreme care as the external auditors, and in accordance with GAAS.

The Director of Auditing reports directly to the Audit Committee of the Board of Directors of Sam Pole
Company for the purposes of audit scope. The Director's responsibility to the Committee, the entire Board of 
Directors, and management is to inform them promptly of significant situations disclosed by audits so that
they can meet their obligations to the shareholders, regulatory bodies, and the general public.

e. Regulatory Issues
Due care is required in reporting comments related to regulatory bodies and federal laws. Relevant laws
include income tax, SEC, copyright laws and the Foreign Corrupt Practices Act.

In 1913, the federal income tax was enacted (following ratification of the Sixteenth Amendment), and it
affects internal auditors. For example, the Internal Revenue Service can and does request copies of audit
reports during its examinations of tax returns. The company's reporting should be objective and factual to
reduce further extensive tests of expense reports. If improved controls for reporting of travel and other
business expenses are recommended, it is essential that the situations are clearly described and the number of
instances noted be reflected in the detailed section of the audit report. Also, any corrective action taken should
be indicated. Otherwise, the auditee will normally do so in the response to the audit report.

The Securities Act of 1933 and Securities Exchange Act of 1934 require all corporations that report to the
SEC, which was created by the acts, to maintain a system of internal control that is evaluated as part of the
annual external audit. The Foreign Corrupt Practices Act, passed in 1977, requires, under penalty of law, that
managements ensure good systems of internal control in their companies. Copyright laws (1977 et al.) protect
intellectual property, which usually affects audit programs—that is, audit steps need to be included to audit for
unlicensed software and other potential violations of this law. (See Section 1.6 for a history of federal
regulations related to auditing.)

The company's legal responsibilities can be attained if due care is used, GAAS are followed, situations are
promptly and carefully reported, and confidentiality is maintained.
Endnotes

1. According to the Code of Ethics and Standards of Conduct by AITP from its web site at www.aitp.org.

2. The majority of this section comes from the IIA's Code of Ethics web page at
www.theiia.org/ecm/guidance.cfm?doc_id=92 (or www.theiia.org and search for "ethics"). Please check the
web page for any changes. The document used in this manual was adopted by the IIA Board of Directors on
June 17, 2000.

3. The majority of this section comes from the ISACA's Code of Professional Ethics web page at
www.isaca.org/codeofethics.htm (or www.isaca.org and search for "ethics"). Check the web page for any
changes. The document used in this manual was adopted by ISACA on July 1, 2001. It also is under review at
the time this chapter was written for changes related to the CISM certification.

4. At the time of this writing, ISACA is revising the Code of Professional Ethics to accommodate its new
certification—CISM. Please visit the web page, www.isaca.org/codeofethics.htm, for possible changes
effective since this
this writing.

5. Much of this section was taken from ISACA's web page on Standards located at:
www.isaca.org/stand1.htm.

6. A data dictionary will include all of the fields in all of the files used by the system with details on the
characteristics of the field and places it is used in the applications.
Chapter 3: Internal Control System


Overview

SAM POLE COMPANY  Corporate Audit Department Procedures Manual
NO: 3.1  REV NO:  DATE:
TITLE: Definition  PAGES:

3.1 Definition
Executives and auditors alike understand the importance of a strong internal control system in relation to
financial audits and reliable financial reports. But a sound internal control system also has the potential to
enhance corporate strategies and thus provides internal auditors with the opportunity to express their value as
business partners. Corporate objectives generally include the provision for reliable, timely information in
effective decision-making. There is a need to protect assets, to communicate internally, and to analyze events
and transactions. A strong internal control system can enhance all of these strategic objectives and assist in
operational control.

Exactly what is an internal control system? The Information Systems Audit and Control Association (ISACA)
defines it as:

• The policies, procedures, practices and organizational structures, designed to provide reasonable
assurance that business objectives will be achieved and that undesired events will be prevented, or 
detected and corrected.

This definition demonstrates the link between the internal control system and business objectives. According
to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal control is:

• A process, effected by an entity's board of directors, management and other personnel, designed to
provide reasonable assurance regarding the achievement of objectives in (1) the effectiveness and
efficiency of operations, (2) the reliability of financial reporting and (3) compliance with applicable
laws and regulations.

According to the Institute of Internal Auditors (IIA), the control environment, the foundation of the control
system, is:

• The attitude and actions of management and the board regarding the significance of control within
the organization. The control environment provides the discipline and structure for the achievement
of the primary objectives of the system of internal control. The control environment includes the
following elements: integrity and ethical values, management's philosophy and operating style,
organizational structure, assignment of authority and responsibility, human resource policies and
practices, and competence of personnel.

The bottom line is that an effective internal control system is a critical success factor for any organization in
the long term, and that internal auditors should ensure controls are inextricably linked with corporate strategies.

Internal controls have become more than accounting guidelines. They are indispensable tools for the
ever-increasing risks, exposures, and threats to accounting systems, data, and assets. Therefore, this manual
will use the following definition for internal control system, and it provides the basis for the discussion in this
chapter:
• Internal control system is the policies, practices, procedures, and tools designed to: (1) safeguard
corporate assets, (2) ensure accuracy and reliability of data captured and information products, (3)
promote efficiency, (4) measure compliance with corporate policies, (5) measure compliance with
regulations, and (6) manage the negative events and effects from fraud, crime, and deleterious
activities.

It goes without saying that corporate data, and the files that contain them, are an asset and do have value. The
same is true for systems and the value is proportionate to the degree the organization is dependent on
information systems (IS) or information technologies (IT) in delivering products or services. Thus the
safeguarding of corporate assets includes the data and systems of the organization—even system availability.

This chapter will attempt to provide information to strengthen the internal control system. There is a
discussion of related management policies, related regulations, risk assessment, some control activities, the
employment of proven resources (i.e., computer-assisted audit tools and techniques), related fraud and crime,
various applicable models, and some specific examples of tools and documents for internal auditors.

SAM POLE COMPANY  Corporate Audit Department Procedures Manual
NO: 3.2  REV NO:  DATE:
TITLE: Assumptions in Establishing an Internal Control System  PAGES:

3.2 Fundamental Assumptions in Establishing an Internal Control System
Federal law and business wisdom require management to exert a conscientious effort to maintain an effective
system of internal controls and to build a strong internal control system. Management, with the aid of the
internal audit (IA) function, should identify what needs protecting (i.e., assets), what risks exist to compromise
those assets, and the extent of those risks (probability and impact cost). With those factors in mind,
management, along with the assistance of the IA function, should then see that appropriate policies and
strategies are developed concerning organizational structure (i.e., segregation of duties); physical, general, and
application controls; and transaction processes. One key to safeguarding assets is personal accountability,
whether it is enforcing policy against violations by employees or tracking down and prosecuting crackers and
hackers. It also extends to management making sure controls are operating effectively as designed. That
accountability means management must make sure error logs, monitoring reports, and so on are being read
and responded to in a timely manner.

Management should employ the skills and abilities of professionals in designing internal controls and auditing
their effectiveness. That includes technicians in the IS function and audit professionals in the IA function. If 
the company is conducting business over the Internet, that would include IS professionals such as Certified
Information System Security Professional (CISSP), Certified Information Technology Professional (CITP), or
Certified Information Systems Auditor (CISA) who understand both computer technologies and security. For
the IA function it would include Certified Internal Auditor (CIA) or CISA. Internal control professionals
should also be involved in all new systems development—CIA, CISA, or CITP. The specific tools and
techniques used to develop specific controls should be used in conjunction with the expertise of IA personnel.
Management should also encourage the use of proven resources, such as the Internal controls models
identified herein. Most of all, management should pursue an effective audit committee in which members are
qualified and independent (i.e., effective corporate governance).
An important step in building an effective internal control system is to make sure the organization has
adequate relevant policies, accompanied by an effective monitoring and reporting system to make sure
management's objectives are being met. Another step, sometimes chronologically preceding policy
development, is for the organization to identify the risks to which it is subject and the corresponding loss if
that risk came to pass; that is, a thorough risk assessment. Also, the organization should use proven resources
to determine and implement the actual controls necessary to manage the risks. Exhibit 3.1 depicts a model of
an effective internal control system to illustrate these elements, and most of the detail processes described in
this chapter. Some basic assumptions constrain the implementation and effectiveness of any internal control
system, no matter how well it may be designed. It is also important to think about the evolution of intruders in
order to design effective controls. Controls are affected by laws and regulations.

Exhibit 3.1: Internal Control Environment Model

But first, reasons will be given for a strong internal control system. There are business reasons, legal reasons,
and audit reasons.

a. Business Reasons for a Strong Internal Control System


The business reasons have to do with management objectives. Sound internal controls enhance corporate
strategies by maximizing the reliability and timeliness of information in making effective decisions.
Management, in general, desires to safeguard assets thoroughly, to communicate efficiently and effectively
internally, to analyze events and transactions timely, and to promote operational efficiencies universally.
Strong internal controls have the potential to help meet these objectives. For example, the Committee of
Sponsoring Organizations (COSO) says this about internal controls:

• ... a process, effected by an entity's board of directors, management and other personnel, designed to
provide reasonable assurance regarding the achievement of objectives in (1) the effectiveness and
efficiency of operations, (2) the reliability of financial reporting and (3) compliance with applicable
laws and regulations.

b. Legal Reasons for a Strong Internal Control System


The last statement brings up the second point about compliance with applicable laws and regulations. Controls
help to assure such compliance, especially for laws regarding the system and intellectual property. (See
"Regulations" in this chapter for more details.)
c. Basic Assumptions for the Internal Control System


The first basic assumption is that of management responsibility. The responsibility for an effective internal
control system is not that of internal auditors, external auditors, management accountants, or any other group
except management.

The second assumption is that of reasonable assurance. There is no such thing as a perfect internal control
system. Controls can generally be compromised under the right conditions. No computer system is impervious
to attacks or malicious activities. In addition, controls have a cost, and the cost-benefit concept used in
accounting applies to controls as well. After all, if it costs $1 million to implement a control and the risk
assessment shows a risk of loss of $200,000, then the control does not pass the cost-benefit test. The result is
an exposure—a weakness in the control system. Internal control does not guarantee that an entity will meet
management objectives, or even that the firm will survive. Rather, internal controls are designed to provide
management with reasonable assurance regarding the achievement of these objectives.

The third assumption is independence from the method of data processing. That is, the control objectives
should be designed without regard for the specific type of data processing. Certain control objectives may be
peculiar to information systems or information technologies, but generally, a strong control objective should
be just as applicable to a paper-based system as a computer-based system. The specific controls will vary with
different technologies, but the objectives should be process independent.

The fourth assumption deals with limitations, of which there are several. First, there will always be a
possibility of error in any accounting system. There will always be the possibility of circumvention of controls
by a determined and talented attacker. There is certainly always the possibility of management override of
controls. Last, there is the simple passing of time—conditions change. With changing conditions, effective
controls may become obsolete or ineffective and thus need constant re-evaluation (raison d'être for the
internal audit function!).

d. Evolution of Attacks and Intruders' Technical Knowledge


Attacks have grown from simplistic to complicated, while simultaneously the technical knowledge needed by
intruders has gone from a high level to a very low level. For example, in the 1980s, attacks were mostly
password guessing, war dialing (scanning telephone numbers for answering modems), password cracking,
some self-replicating code, and exploiting known vulnerabilities—all of which required a high level of
technical skill at the time. Then, there was not the widespread communication of vulnerabilities and hacker
tools that we have in the twenty-first century—making it much easier today to do these kinds of attacks.

Then attacks became a little more sophisticated, such as hijacking sessions, back doors, sweepers, sniffers,
and stealth diagnostics. The technical knowledge became moderate instead of the high level of technical skills
needed earlier. In fact, the term "hacker" really evolves from a complimentary term applied to those who had
a lot of technical knowledge, knowing the administrative types of functions, commands, and intricacies of 
operating systems.

By 1995, attacks became even more sophisticated. They included packet spoofing, use of intelligent agents,
denial of service, and a combination of the two—distributed denial of service. Yet the level of knowledge
needed diminished. In fact, there is such an abundance of malicious code, and it is so easy to obtain, that by
the end of the twentieth century many intruders were called "script kiddies"—so named because young
teenagers were downloading script files and conducting attacks, all without a high level of technical knowledge.

Therefore, the level of risk today is much higher than 20 years ago. It is necessary for the IA function and
other security personnel to understand the profiles of intruders and the types of popular tools being employed,
in order to be best prepared to defend the corporate assets. (See Section 3.8 for more details.)
e. Cost-Benefit Analysis of Controls


An important constraint in developing internal controls is the use of cost-benefit analysis on controls. Control
activities are subject to the same cost-benefit analysis as other management activities. But a 2 × 2 model of
risk probability and cost provides additional guidance in decision-making related to security and controls (see
Exhibit 3.2). For example, those risks that have a low probability and low cost can simply be accepted, with
no control implemented. But for those with high probability and high cost, control activities need to be
implemented to prevent the risk from occurring. A disaster, for example, may have a low probability but a
high cost (see Exhibit 3.2); therefore management should employ insurance and/or a backup plan as the
appropriate control activity. This model requires management to identify what needs protecting, what the
risks are for those assets, and the cost impact and probability of each risk. Input from internal auditors and IS
professionals will most likely be necessary to perform these steps appropriately.

Exhibit 3.2: Controls Decision Making Overview

SAM POLE COMPANY  Corporate Audit Department Procedures Manual
NO: 3.3  REV NO:  DATE:
TITLE: Effective Internal Control Models  PAGES:

3.3 Effective Internal Control Models


There are numerous proven internal controls models that internal auditors can rely on in developing and
maintaining an effective internal control system. These come from reliable professional organizations such as
COSO, ISACA, IIA, AICPA, and the Canadian Institute of Chartered Accountants (CICA).

a. The COSO Model (AICPA, AAA, FEI, IIA, and IMA)


The COSO Model was developed by the Committee of Sponsoring Organizations (COSO), [1] originally
known as the Treadway Commission. Organizations in COSO include American Institute of Certified Public
Accountants (AICPA), American Accounting Association (AAA), Financial Executives International (FEI),
Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA). The final
promulgated model on internal controls was published in 1992. The model contains five elements: the control
environment, risk assessment, control activities, monitoring, and information and communication (see Exhibit
3.3). This particular model has been widely accepted and used by internal auditors and financial executives
with equal success, and provides an effective model for designing, implementing, evaluating, and managing
an effective internal control system.

Exhibit 3.3: COSO Model


The COSO report defines internal control as "a process, effected by an entity's board of directors,
management, and other personnel, designed to provide reasonable assurance regarding the achievement of
objectives in the following categories: effectiveness and efficiency of operations, reliability of financial
reporting, and compliance with applicable laws and regulations." The report emphasizes that the internal
control system is a tool of, but not a substitute for, management and that controls should be built into, rather
than built onto, operating activities. Although the report defines internal control as a process, it recommends
evaluating the effectiveness of internal control as of a point in time.

COSO recognizes that people are involved with internal control as members of the board of directors
(especially the audit committee), management, and other entity personnel such as internal auditors. Objectives
are categorized by COSO as operational, financial reporting, and compliance (see Exhibit 3.3).

COSO's "Internal Control Environment" covers factors such as integrity and ethical values of management,
competence of personnel, management philosophy and operating style, how authority and responsibilities are
assigned, and the guidance provided by the board of directors.

Under "Risk Assessment," COSO addresses the risk of failing to meet financial reporting objectives, failing to
meet compliance, and failing to meet operational objectives. COSO suggests the identification of external and
internal risks to the entity and to individual activities. The cost-benefit consideration is a part of the COSO
Model, as well as the dynamic nature of risk assessment. The COSO Model considers management's analysis
of risk and their ability to override and adjust the internal control system.

Information systems are covered in the "Information and Communication" segment of the COSO Model. This
area covers the need to capture pertinent internal and external information, the potential of strategic and
integrated systems, and the need for data quality. The Communication subsection discusses conveying internal
control matters, and gathering competitive, economic, and legislative information.

COSO discusses the "Monitoring" aspect by recognizing the need for management to monitor the entire
internal control system through the internal control system itself and through special evaluations directed at
specific areas or activities. It uses an internal perspective for monitoring, and covers them in broad terms.

"Control Activities" and procedures are discussed throughout the entity in the COSO Model. This model uses
only one classification scheme for IS control procedures (by contrast, SAC uses five different schemes).
COSO emphasizes the desirability of integrating control activities with risk assessment.

The AICPA has adopted the COSO Model officially by incorporating it into Statement on Auditing Standards
(SAS) No. 78. SAS 78 revised SAS No. 55: Consideration of Internal Control in a Financial Statement Audit,
and makes the COSO model part of external audit standards.

b. The CobiT Model (ISACA)

The CobiT Model [2] is the culmination of the evolution of ISACA's Control Objectives. In 1977, the
Electronic Data Processing Auditors Foundation (forerunner of ISAC Foundation) published the first Control
Objectives. It was a compilation of techniques and procedures for conducting IS audits covering various
information technologies. This book provided a normative model for IS auditors in performing their duties.
Control Objectives included not only objectives related to controls, but also audit procedures. The publication
matched a particular IT with certain controls that ought to be addressed when conducting IS audits in that area
or technology. Thus, Control Objectives provided IS auditors a benchmark to measure audit effectiveness and
emphasized best practices. The guidelines underwent revisions in 1980 and 1983 (second edition). The 1983
version was intended to be a complete overhaul of delineating the discharge of IS auditors' responsibilities.
Other revisions would occur in 1990 and 1992 (the fifth version of the document).

Then, in 1996, the ISAC Foundation revised the tools in Control Objectives into a new guidance publication
known as Control Objectives for Information Technology—CobiT. CobiT helps bridge the gaps between
business risks, control needs, and technical issues. It is a control model, or framework, to meet the needs of IT
governance and ensure the integrity of information and information systems applied on an international basis,
from international input.

Research for the first (1996) and second (1998) editions included the collection and analysis of identified
international sources and was carried out by teams in Europe (Free University of Amsterdam), the United
States (California Polytechnic University) and Australia (University of New South Wales). The researchers
were charged with the compilation, review, assessment and appropriate incorporation of international
technical standards, codes of conduct, quality standards, professional standards in auditing, and industry
practices and requirements, as they relate to the Framework and to individual control objectives. After
collection and analysis, the researchers were challenged to examine each domain and process in depth and
suggest new or modified control objectives applicable to that particular IT process. Consolidation of the
results was performed by the CobiT Steering Committee and the Director of Research of ISACF. [3]

The current edition is the third (2000) and is available on CD-ROM and online from ISACA. [4] CobiT
provides an Executive Summary, a Framework for control of IT, a list of Control Objectives, and a set of
Audit Guidelines. The latter two are reference works for the Framework.

CobiT adapted its definition of control from COSO: The policies, procedures, practices, and organizational
structures are designed to provide reasonable assurance that business objectives will be achieved and that 
undesired events will be prevented or detected and corrected. CobiT adapts its definition of an IT control
from SAC: a statement of the desired result or purpose to be achieved by implementing control procedures in
a particular IT activity. The role and impact of IT controls as they relate to business processes are emphasized
in CobiT. The document outlines platform and application independent IT control objectives that can be
applied internationally.

CobiT combines the principles embedded in existing reference models in three broad categories: quality,
fiduciary responsibility, and security. From these broad requirements, the report extracts seven overlapping
categories of criteria for evaluating how well IT resources are meeting business requirements for information.
These criteria are effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability
of information. CobiT also classifies IT processes into four domains: planning and organization, acquisition
and implementation, delivery and support, and monitoring. These processes follow the system development
life cycle applicable to IT processes in any IT environment. CobiT includes definitions of both internal control
and IT control objectives, four domains of processes and 32 high-level control statements for those processes,
271 control objectives references to those 32 processes, and audit guidelines linked to the control objectives.

c. The SAC and eSAC Reports (IIA)


The SAC report also has a long history of development and evolution. In 1977, the International EDP Audit
Committee (later known as the Advanced Technology Committee) codified and published best practices
among IT shops related to EDP audits in a document entitled Systems Auditability and Control (SAC). Based
on empirical evidence from around the world and from a committee of experts, SAC was published in three
separate documents: Control Practices, Audit Practices, and Executive Report. SAC enjoyed a high degree of 
dissemination, mostly because of the numbers of copies distributed by the IIA to members, and by IBM, the
financial sponsor of the project. After 11 printings of the original document, SAC was revised in 1991, and
again in 1994 by the IIA Research Foundation.

In order to emphasize both e-business impact and electronic delivery of the new material, in 2001 the IIA
Research Foundation issued a completely revised set of guidance, Electronic Systems Assurance and Control
(eSAC). It brings executive management, corporate governance entities, and auditors new information to
understand, monitor, assess, and mitigate technology risks. These guidelines examine and assess risks that
accompany each organizational component, including customers, competitors, regulators, communities, and
owners (see Exhibit 3.4).

Exhibit 3.4: eSAC Model

The eSAC report defines the system of internal control, describes its components, provides several
classifications of controls, describes control objectives and risks, and defines the internal auditor's role. The
report provides guidance on using, managing, and protecting IT resources and discusses the effects of 
end-user computing, telecommunications, and emerging technologies.

The eSAC report defines a system of internal control as: "a set of processes, functions, activities, subsystems,
and people who are grouped together or consciously segregated to ensure the effective achievement of 
objectives and goals." The report emphasizes the role and impact of computer-based information systems on
the system of internal controls. It stresses the need to assess risks, to weigh costs and benefits, and to build
controls into systems rather than add them after implementation.

The system of internal controls consists of three components: the control environment, manual and automated
systems, and control procedures. The control environment includes organization structure, control framework,
policies and procedures, and external influences. Automated systems consist of systems and application
software. The eSAC report discusses the control risks associated with end-user and departmental systems, but
neither describes nor defines manual systems. Control procedures consist of general, application, and
compensating controls.

The eSAC report provides five classification schemes for internal controls in information systems: (1)
preventive, detective, and corrective, (2) discretionary and non-discretionary, (3) voluntary and mandated, (4)
manual and automated, and (5) application and general controls. These schemes focus on when the control is
applied, whether the control can be bypassed, who imposes the need for the control, how the control is
implemented, and where in the software the control is implemented.

Risks in eSAC are defined as fraud, errors, business interruptions, and inefficient and ineffective use of
resources. Control objectives reduce these risks and assure information integrity, security, and compliance.
Information integrity is guarded by input, processing, output, and software quality controls. Security measures
include data, physical, and program security controls. Compliance controls ensure conformance with laws and
regulations, accounting and auditing standards, and internal policies and procedures.

The role of internal auditors is also defined in eSAC. Their responsibilities include ensuring the adequacy of 
the internal control system, the reliability of data, and the efficient use of the organization's resources. Internal
auditors are also to be concerned with preventing and detecting fraud, and coordinating activities with external
auditors. The integration of audit and IS skills and an understanding of the impact of IT on the audit process
are necessary for internal auditors. Internal audit professionals now perform financial, operational, and IS
audits.

d. SysTrust (AICPA and CICA)


In response to the increased dependence on IS, the AICPA and Chartered Accountants of Canada (CICA)
developed SysTrust and introduced it in December 1999. SysTrust focuses on providing assurance of the
reliability of the controls of a system. To evaluate the reliability of a system objectively, the CPA evaluates
SysTrust's four essential principles [5]—availability, security, integrity, and maintainability—individually
against four categories of criteria—policies, communication, procedures, and monitoring. In a SysTrust
engagement, the CPA reports on the availability, security, integrity, and maintainability of a system. The
system must meet all of SysTrust's four principles and 58 criteria to earn an unqualified SysTrust report (see
Exhibit 3.5 for a list of the criteria). The SysTrust model is another potential model to use in designing,
implementing, and especially evaluating an internal control system—in particular, where there is a high
reliance on IS and IT for business operations.

Exhibit 3.5: SysTrust Model[6]

SysTrust Principles and Criteria


Availability. The system is available for operation and use at times set forth in service-level statements or
agreements.

A1 The entity has defined and communicated performance objectives, policies, and standards for system
availability.
A1.1 The system availability requirements of authorized users—and system availability objectives, policies,
and standards—are identified and documented.
A1.2 The documented system availability objectives, policies, and standards have been communicated to
authorized users.
A1.3 The documented system availability objectives, policies, and standards are consistent with the system
availability requirements specified in contractual, legal, and other service-level agreements and
applicable laws and regulations.
A1.4 Responsibility and accountability for system availability have been assigned.
A1.5 Documented system availability objectives, policies, and standards are communicated to entity
personnel responsible for implementing them.
A2 The entity utilizes procedures, people, software, data, and infrastructure to achieve system availability
objectives in accordance with established policies and standards.
A2.1 Acquisition, implementation, configuration, and management of system components related to system
availability are consistent with documented system availability objectives, policies, and standards.
A2.2 There are procedures to protect the system against potential risks that might disrupt system operations
and impair system availability.
A2.3 Continuity provisions address minor processing errors, minor destruction of records, and major
disruptions of system processing that might impair system availability.
A2.4 There are procedures to ensure that personnel responsible for the design, development, implementation,
and operation of system availability features are qualified to fulfill their responsibilities.
A3 The entity monitors the system and takes action to achieve compliance with system availability
objectives, policies, and standards.
A3.1 System availability is periodically reviewed and compared with documented system availability
objectives, policies, and standards.
A3.2 There is a process to identify potential impairments to the system's ongoing ability to address the
documented system availability objectives, policies, and standards and to take appropriate action.
A3.3 Environmental and technological changes are monitored and their impact on system availability is
assessed on a timely basis.

Security. The system is protected against unauthorized physical and logical access.

S1 The entity has defined and communicated performance objectives, policies, and standards for system
security.
S1.1 The system security requirements of authorized users and the system security objectives, policies, and
standards are identified and documented.
S1.2 The documented system security objectives, policies, and standards have been communicated to
authorized users.
S1.3 Documented system security objectives, policies, and standards are consistent with system security
requirements defined in contractual, legal, and other service-level agreements and applicable laws and
regulations.
S1.4 Responsibility and accountability for system security have been assigned.
S1.5 Documented system security objectives, policies, and standards are communicated to entity personnel
responsible for implementing them.

S2 The entity utilizes procedures, people, software, data, and infrastructure to achieve system security
objectives in accordance with established policies and standards.

S2.1 Acquisition, implementation, configuration, and management of system components related to system
security are consistent with documented system security objectives, policies, and standards.
S2.2 There are procedures to identify and authenticate users authorized to access the system.
S2.3 There are procedures to grant system access privileges to users in accordance with the policies and
standards for granting such privileges.
S2.4 There are procedures to restrict access to computer processing output to authorized users.
S2.5 There are procedures to restrict access to files on off-line storage media to authorized users.
S2.6 There are procedures to protect external access points against unauthorized logical access.
S2.7 There are procedures to protect the system against infection by computer viruses, malicious codes, and
unauthorized software.
S2.8 Threats of sabotage, terrorism, vandalism, and other physical attacks have been considered when
locating the system.
S2.9 There are procedures to segregate incompatible functions within the system through security
authorizations.
S2.10 There are procedures to protect the system against unauthorized physical access.
S2.11 There are procedures to ensure that personnel responsible for the design, development,
implementation, and operation of system security are qualified to fulfill their responsibilities.
S3 The entity monitors the system and takes action to achieve compliance with system security objectives,
policies, and standards.

S3.1 System security performance is periodically reviewed and compared with documented system security
requirements of authorized users and contractual, legal, and other service-level agreements.
S3.2 There is a process to identify potential impairments to the system's ongoing ability to address the
documented security objectives, policies, and standards and to take appropriate action.
S3.3 Environmental and technological changes are monitored and their impact on system security is
periodically assessed on a timely basis.
Integrity. System processing is complete, accurate, timely, and authorized.

I1 The entity has defined and communicated performance objectives, policies, and standards for system
processing integrity.
I1.1 The system processing integrity requirements of authorized users and the system processing integrity
objectives, policies, and standards are identified and documented.
I1.2 Documented system processing integrity objectives, policies, and standards have been communicated to
authorized users.
I1.3 Documented system processing integrity objectives, policies, and standards are consistent with system
processing integrity requirements defined in contractual, legal, and other service-level agreements and
applicable laws and regulations.
I1.4 Responsibility and accountability for system processing integrity have been assigned.
I1.5 Documented system processing integrity objectives, policies, and standards are communicated to entity
personnel responsible for implementing them.
I2 The entity utilizes procedures, people, software, data, and infrastructure to achieve system processing
integrity objectives in accordance with established policies and standards.
I2.1 Acquisition, implementation, configuration, and management of system components related to system
processing integrity are consistent with documented system processing integrity objectives, policies, and
standards.
I2.2 The information processing integrity procedures related to information inputs are consistent with the
documented system processing integrity requirements.
I2.3 There are procedures to ensure that system processing is complete, accurate, timely, and authorized.
I2.4 The information processing integrity procedures related to information outputs are consistent with the
documented system processing integrity requirements.
I2.5 There are procedures to ensure that personnel responsible for the design, development, implementation,
and operation of the system are qualified to fulfill their responsibilities.
I2.6 There are procedures to enable tracing of information inputs from their source to their final disposition
and vice versa.
I3 The entity monitors the system and takes action to achieve compliance with system processing integrity
objectives, policies, and standards.
I3.1 System processing integrity performance is periodically reviewed and compared to the documented
system processing integrity requirements of authorized users and contractual, legal, and other
service-level agreements.
I3.2 There is a process to identify potential impairments to the system's ongoing ability to address the
documented processing integrity objectives, policies, and standards and take appropriate action.
I3.3 Environmental and technological changes are monitored and their impact on system processing integrity
is periodically assessed on a timely basis.
Maintainability. The system can be updated when required in a manner that continues to provide for system
availability, security, and integrity.

M1 The entity has defined and communicated performance objectives, policies, and standards for system
maintainability.

M1.1 Documented system maintainability objectives, policies, and standards address all areas affected by
system changes.
M1.2 Documented system maintainability objectives, policies, and standards are communicated to authorized
users.
M1.3 Documented system maintainability objectives, policies, and standards are consistent with the
requirements defined in contractual, legal, and other service-level agreements and applicable laws and
regulations.
M1.4 Responsibility and accountability for system maintainability have been assigned.
M1.5 Documented system maintainability performance objectives, policies, and standards are communicated
to entity personnel responsible for implementing them.
M2 The entity utilizes procedures, people, software, data, and infrastructure to achieve system
maintainability objectives in accordance with established policies and standards.
M2.1 Resources available to maintain the system are consistent with the documented requirements of
authorized users and documented objectives, policies, and standards.
M2.2 Procedures to manage, schedule, and document all planned changes to the system are applied to
modifications of system components to maintain documented system availability, security, and
integrity consistent with documented objectives, policies, and standards.
M2.3 There are procedures to ensure that only authorized, tested, and documented changes are made to the
system and related data.
M2.4 There are procedures to communicate planned and completed system changes to information systems
management and to authorized users.
M2.5 There are procedures to allow for and to control emergency changes.
M3 The entity monitors the system and takes action to achieve compliance with maintainability objectives,
policies, and standards.
M3.1 System maintainability performance is periodically reviewed and compared with the documented
system maintainability requirements of authorized users and contractual, legal, and other service-level
agreements.
M3.2 There is a process to identify potential impairments to the system's ongoing ability to address the
documented system maintainability objectives, policies, and standards and to take appropriate action.
M3.3 Environmental and technological changes are monitored and their impact on system processing
integrity is periodically assessed on a timely basis.

The evaluation of a system's reliability begins by understanding the basic components of the system. A system
is defined as a set of procedures used to accomplish specific results, and an information system consists of 
five basic components organized to transform data inputs (raw facts) into information outputs. These five
basic components of a system are: (1) infrastructure, (2) software, (3) personnel, (4) procedures, and (5) data.
A reliable system is capable of operating without material error, fault, or failure during a specified period in a
specified environment.

Availability is defined by the system being available for operations. Security is the protection of the system
against unauthorized physical or logical access—including both the physical components and the data.
Integrity refers to system processing being complete, accurate, timely, and authorized. Maintainability refers
to the required updates of the system, and whether such updates will continue to provide for the other three
aspects above.

For each of these aspects, the CPA practitioner uses four categories of criteria: Policies, Communication,
Procedures, and Monitoring. For Policies, the CPA evaluates whether the entity had defined and documented
its policies relevant to the particular principle. Communication refers to the fact that the entity has defined and
communicated performance objectives, policies, and standards for the essential principle being evaluated
(availability, security, integrity, or maintainability). Procedures refer to the entity using procedures that are in
accordance with its established policies and standards. Monitoring is defined as the monitoring of the entity's
activities and the surrounding environment of the system to identify potential impairments to the system's
reliability and to achieve compliance with objectives, policies, and standards for the essential principle being
evaluated. To further assist the practitioner in the evaluation of these criteria, the Systems Reliability Task
Force developed a list of illustrative controls. This list is not intended to be comprehensive, so the practitioner
must tailor the list to the circumstances of the particular engagement. See Exhibit 3.5 for a list of the
illustrative controls.

e. Conclusion: Comparing and Contrasting the Models

Although the different control definitions contain similar concepts, the emphases are somewhat different (see
Exhibit 3.6 for a comparison table). The CobiT Model views internal control as a process that includes
policies, procedures, practices, and organizational structures that support business processes and objectives.
The eSAC report emphasizes that internal control is a system—a set of functions, subsystems, people, and
their interrelationships. The COSO Model accentuates internal control as a process—an integrated part of 
ongoing business activities. SysTrust emphasizes the reliability of IS in financial reporting and business
activities.

Exhibit 3.6: Comparison of Internal Control Models

Primary Audience
    COSO: Management
    CobiT: Management, users, process owners, auditors
    eSAC: Internal auditors
    SysTrust: External auditors

IC Viewed as a ...
    COSO: Process
    CobiT: Set of processes, including policies, procedures, practices, and organizational structures
    eSAC: Set of processes, subsystems, and people
    SysTrust: Not explicitly defined; viewed similar to an assertion to which a CPA does an attestation

Organizational IC Objectives
    COSO: Effective and efficient operations; reliable financial reporting; compliance with laws and regulations
    CobiT: Effective and efficient operations; confidentiality, integrity, and availability of information; reliable financial reporting; compliance with laws and regulations
    eSAC: Effective and efficient operations; reliable financial reporting; compliance with laws and regulations
    SysTrust: Effectiveness of business purposes and management's objectives; reliable financial reporting

Components or Domains
    COSO: Control environment; risk management; control activities; information and communication; monitoring
    CobiT: Planning and organization; acquisition and implementation; delivery and support; monitoring
    eSAC: Control environment; manual and automated systems; control procedures
    SysTrust: Availability; security; integrity; maintainability

Focus
    COSO: Overall entity
    CobiT: Information technology and overall entity
    eSAC: Information technology
    SysTrust: Information systems

IC Effectiveness Evaluated
    COSO: At a point in time
    CobiT: For a period of time
    eSAC: For a period of time
    SysTrust: At a point in time

Responsibility for IC System
    COSO, CobiT, eSAC, SysTrust: Management

Size
    COSO: 353 pages in four volumes
    CobiT: 664 pages in five volumes
    eSAC: 1,193 pages in 12 modules
    SysTrust: A few online pages

Source: ISACA, from web site www.isaca.org/bkr_cbt3.htm. Reprinted with permission.

The use of the COSO Model components is one way to compare and contrast the four models. The following
analysis, therefore, is based on these five components.

1. Control Environment. The eSAC report describes three components of internal control. COSO
discusses five components. CobiT incorporates the five components of the COSO report and focuses
them within the IT internal control system. CobiT further bridges the gap between the broader
business control models such as COSO and highly technical IS control models—worldwide. SysTrust
describes four principles measured by four categories.
2. Information and Communication Systems. CobiT's focus is the establishment of a reference
framework for security and control in IT. It defines a clear linkage between IS controls and business
objectives. In addition, it provides globally validated control objectives for each IT process that gives
pragmatic control guidance to all interested parties. CobiT also provides a vehicle to facilitate
communications among management, users, and auditors regarding IS controls. The eSAC report,
however, focuses on automated IS. The document examines the interrelationships among internal
control and systems software, application systems, and end-user and department systems. The
volumes of eSAC provide guidance on internal controls in these areas. COSO discusses both
information and communication, emphasizing the need to capture internal and external information,
the potential of strategic and integrated systems, and the need for data quality. Communication
focuses on conveying matters related to the internal control system.
3. Control Objectives. CobiT, eSAC, and SysTrust examine control procedures relative to an entity's
automated IS. COSO discusses the control procedures and activities used throughout the entity. CobiT
classifies controls into 32 processes naturally grouped into four domains. SAC uses five different
classification schemes for IS control procedures. COSO only has one classification scheme, and
emphasizes the desirability of integrating control activities with risk assessment. SysTrust classifies
58 controls into four classifications.

4. Risk Assessment. COSO identifies risk assessment as an important component of internal control.
CobiT identifies a process within the IT environment as assessing risks, falling in the planning and
organization domain and with six specific control objectives associated with it. CobiT addresses, in
depth, several components of risk assessment in an IT environment. These include business risk 
assessment, the risk assessment approach, risk identification, risk measurement, risk action plan, and
risk acceptance. It also deals directly with IT types of risk such as technology, security, continuity,
and regulatory risks. Lastly, CobiT addresses risk from both a global and systems-specific
perspective. Risk assessment is an explicit component of eSAC's system of internal control, and the
document contains extensive discussions of the importance of risk assessment as foundational to
internal controls. COSO and eSAC address risk concepts in a similar fashion. For example, both
address the risks of failing to meet compliance and operational objectives. SysTrust stresses the entire
attestation is to identify weak controls or other risks in the internal control system. Only one of the
controls, however, specifically addresses risk.
5. Monitoring. In contrast to COSO, CobiT, and SysTrust, eSAC does not explicitly include monitoring
as a component of the internal control system. SysTrust uses monitoring as one of the four categories
that must be addressed in each of the four principal areas of investigation. COSO discusses
monitoring activities in broad terms, and eSAC discusses specific monitoring activities that should be
performed. CobiT, in an in-depth manner, defines specific monitoring requirements and
responsibilities within the IT function. All the documents assign management the responsibility of 
ensuring the adequacy of the internal control system and its continued effectiveness.

All of the models provide tools, usually explicit tools or controls, as guidance in managing the
internal control system. There are some differences, but altogether, there are more similarities
between the models. The more technology an entity uses, or the more reliance an entity has on
technology, the more it needs CobiT, eSAC, or SysTrust. If the entity conducts e-commerce and is
publicly traded, SysTrust makes a good choice. If an entity has only a modicum of technology and a
low-to-medium reliance upon IT, COSO is probably the best choice. The final choice is up to the IA
function, in matching the entity with the strengths of these individual models, or it may choose to
develop its own unique model.

SAM POLE COMPANY  Corporate Audit Department Procedures Manual
NO: 3.4    REV NO:    DATE:
TITLE: Regulations    PAGES:
[1]See www.coso.org.

[2]See www.isaca.org/cobit.htm.

[3]This paragraph is from the ISACA web page on CobiT at www.isaca.org.

[4]See www.isaca.org.

[5]An exposure draft exists that will change the principles to: (1) security, (2) availability, (3) processing
integrity, (4) online privacy, and (5) confidentiality.

[6]An exposure draft exists that will change the principles to: (1) security, (2) availability, (3) processing
integrity, (4) online privacy, and (5) confidentiality. These new principles will cause this chart to change
accordingly.

3.4 Regulations
Internal auditors know the importance of adhering to federal and state regulations. Some of them apply to
internal controls. (See Section 1.6, "History of Federal Regulations Related to Auditing.")

a. Securities and Exchange Commission (1933, 1934)


The Securities Act of 1933 and the Securities Exchange Act of 1934 require all corporations that report to the
Securities and Exchange Commission (SEC) to maintain a system of internal control that is evaluated as part
of the annual external audit. The acts give the SEC authority to oversee the setting of Generally Accepted
Accounting Principles (GAAP) for publicly traded companies. They also convey the authority to investigate
cases of suspected financial fraud and to censure companies from trading (i.e., prevent the stock from being
traded publicly). The SEC laws have a direct impact on companies that have publicly traded stock, especially
regarding the need for a system of internal control and its evaluation.

b. Foreign Corrupt Practices Act (1977)


The Foreign Corrupt Practices Act of 1977 also requires SEC companies to maintain an internal control
system with reasonable assurance that the organization's objectives are being met, and even providing
penalties for violations.

c. Copyright Laws (1976 et al.)


The Copyright Laws of 1976 (and other years) protect intellectual property. One aspect of intellectual
property crucial to internal controls is software. Illegal copies of software on organizational computers can
lead to severe penalties and bad publicity. In addition, management will be held responsible by federal
officials even if software piracy went on contrary to policy and without management awareness. Other
intellectual property includes books, music, and copyrighted graphical images (e.g., logos). Therefore,
management must first develop a policy against violations of copyright laws, such as software piracy, and
make sure the internal audit function ensures compliance with the policy.

A study of 121 Certified Information Systems Auditors (CISAs) showed that software piracy is a problem in
relatively large firms—those with about 3,000 microcomputers. Although almost all (91%) indicated an
organizational policy governing unauthorized duplication of software, they estimated that more than 20% of 
their firms' employees had illegally copied software in the previous 12 months. Sixty percent of the auditors
reported that their typical audit program included a specific procedure that was designed to detect pirated
software. In spite of this fact, the auditors indicated that less than one-fourth of the audits that were conducted
in the previous 12 months actually included such a test. Surprisingly, over one-third of the sample indicated
that none of their audits included a test for unauthorized software.

Unauthorized software poses a legal and financial risk to firms. Risks (or exposures, as the case may be), such
as civil and criminal penalties, exist for those who use unauthorized or pirated computer software. These risks
also include significant monetary fines. Information systems auditors, in general, and CISAs, in particular,
should be especially concerned with these risks. However, it has been reported that many managers and
auditors are unaware of the potential legal liability from software piracy. According to ISACA, IS auditors
have a responsibility regarding the risks of software piracy to: (1) be aware of such risks, (2) communicate
these risks to management, (3) review software implementation, (4) develop adequate control procedures, and
(5) incorporate appropriate techniques or tools in audit programs to detect unauthorized use of software.

ISACA Standards (Section 030.010.010, Irregularities and Illegal Acts, paragraph 2.1.1) define irregularities
and illegal acts as "Other acts that involve noncompliance with laws and regulations, including the failure of
IT systems to meet applicable laws and regulations." The Standard further clarifies that ISACA believes it is
management's responsibility to prevent and detect irregularities and illegal acts, and not the IS auditor's,
unless evidence exists that would indicate an irregularity or illegal act has occurred. ISACA Standards assert
that IS auditors should be familiar with irregularities and illegal acts that are common to a particular industry
or have occurred in similar organizations (paragraph 4.1.5).

d. Environmental Laws (Various)


In addition, there are federal laws regarding environmental issues that affect many organizations. Due to stiff 
penalties and negative public image that result from violations, internal auditors must be cognizant of any
applicable environmental laws.
e. Sarbanes-Oxley Act (2002)


Several public frauds carried out in the years prior to 2002 focused attention on all aspects of financial
reporting. Enron collapsed after what amounted to financial fraud by some of its executive managers.
WorldCom also filed for bankruptcy when an internal auditor, Cynthia Cooper, Vice President of Internal
Audit, uncovered $3.8 billion in fraud, the largest accounting fraud at the time. She boldly identified the fraud
and fraudsters to the board of WorldCom in June 2002; as much as $9 billion of fraud has since been
uncovered. She later was recognized as Person of the Year by Time magazine—along with Sherron Watkins
of Enron and Coleen Rowley of the FBI. Sherron Watkins, a former accountant, tried to blow the whistle at
Enron, but the principal executive officers dismissed her claims of fraud. Other frauds were uncovered at
Adelphia and Tyco, to mention just a few from this time.

As a result of these frauds and related pressures brought on the U.S. Congress, the Sarbanes-Oxley Act was
passed in the summer of 2002. The subsequent rules and regulations by the Securities and Exchange
Commission (SEC) and New York Stock Exchange (NYSE) will have a dramatic effect on internal controls
for publicly traded companies. According to Section 404 (Management Assessment Of Internal Controls),
affected companies are required to: (1) state the responsibility of management for establishing and
maintaining an adequate internal control structure and procedures for financial reporting, and (2) contain an
assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and
procedures of the issuer for financial reporting. For the first time, the NYSE now requires an IA function in all
listed companies.

Because the law requires CEOs and CFOs to report on their internal control systems and sign off on—and
therefore certify—their financial statements filed with the SEC, this law will force top executives to assure the
adequacy of their internal control systems. The role of internal controls and the system of internal controls has
become more critical. Therefore, the material in this chapter is an important resource for IA in performing this
critical and required function. (See also Sections 1.6(e) and 9.2 for more on the Sarbanes-Oxley Act.)

SAM POLE COMPANY  Corporate Audit Department Procedures Manual
NO: 3.5    REV NO:    DATE:
TITLE: Policies    PAGES:

3.5 Policies [7]


Internal controls should have objectives related to assets, security, and auditability—ideally, objectives shared
with executive management. These objectives should be methodically developed into cogent policies that
protect the assets identified as important (see Exhibit 3.7). Internal auditors will need to consider the
following areas (and maybe others) related to internal controls, with the goal of providing valuable input into
management's development of policies: computer system development, computer system usage, security,
passwords, e-mail, business recovery (also disaster recovery), and privacy of both employee and customer
data. For all policies, management should provide oversight for enforcement to hold employees accountable
for them in order to increase the effectiveness of policies. While policies in and of themselves are not
preventive measures, they are the foundation for building appropriate preventive techniques or tools, they set
the tone for the internal control environment, and they provide the benchmark for evaluating controls (i.e.,
measure compliance with the specifics of the policies). Where applicable, employees should sign a copy of
policies to indicate their commitment (e.g., e-mail, computer usage).


Exhibit 3.7: Internal Control System Model

Management Policy
    System Development; System Usage; Security (especially passwords); Privacy; E-Mail; Business Recovery Plans

Regulations
    SEC; FCPA; Environmental; Copyright (e.g., software piracy)

Risk Assessment
    Internal Threats: Malicious Activities; Accidents; Disgruntled Employees; Ineffective Accountability; Financial Fraud/Theft of Assets
    External Threats: Remote Access; Intruders: Hackers/Crackers/Script Kiddies; Viruses; Computer Crime

Control Strategies
    Prediction (e.g., monitoring systems); Prevention (e.g., multi-layered firewall); Detection (e.g., intrusion detection system); Correction (e.g., DRP/IRP)

Computer—General Controls
    Physical Controls (e.g., locked doors)
    Human Resource Procedures (e.g., background checks)
    IA Function
    Segregation of Duties (IS, et al.)
    Specific Controls
    Authorization: LAN, Applications, Data (password systems)
    Business Recovery Plans: Disaster Recovery Plan (DRP), Incident Response Plan (IRP), Backups
    System Development Life Cycle Concepts

Computer—Application Controls
    Computer Logs/Electronic Audit Trail
    Corporate Governance: Audit Committee and IT Governance
    CAATTs
    Fraud and Crime-Related Activities (e.g., encryption)
    Data Integrity (e.g., validation procedures in applications)
    Firewalls (multi-layered)
    Intrusion Detection Systems/Monitoring

Policies may be developed before a risk assessment is formally conducted, but if so, they are definitely
affected by an appropriate risk assessment. Therefore policies, to some degree, will need to be flexible and
dynamic in order to accommodate evolving issues. A well-written policy, however, should state in broad
terms the organization's objectives regarding areas such as those discussed and allow the details and specifics
to evolve based on the expertise and knowledge of the internal auditors and maybe IS personnel.

a. Systems Development Life Cycle Policy


A key policy consideration is information systems, especially systems development and implementation.
There should be a written policy that segregates processes of systems development, usage (operations), and
maintenance (see "Segregation of Duties" in this chapter for more information). There are many stories of
programmers and systems people who operated without proper segregation and were able to build fraudulent
codes into programs unnoticed. At least one case involved millions of dollars stolen from ATM machines, and
many others involved large sums stolen using techniques such as salami slicing. A review of the
organizational chart should indicate proper segregation of duties in the IS group.

One systems development life cycle (SDLC) concept that is often overlooked in actual practice is that of 
taking systems off-line for upgrades, updates, and so on, and bringing them back online only after testing the
new system thoroughly. It is recommended that this concept be included as corporate policy.

b. Systems Usage Policy (End Users)


A second related area is computer usage. In order to effectively manage distributed computer resources, a
thorough written computer usage policy must be developed and communicated. The computer system usage
policy should focus on identifying the authorized uses of company computer resources. One recent survey
showed that a majority of employees use company computers for personal business while at work. A good
method of developing this policy is to specifically identify all of the approved uses of systems and to state all
other uses are prohibited, unless permission is secured in writing from management. The policy should also
stipulate repercussions for violations.

c. Security Policy
Another critical policy is the security (or information security—InfoSec) policy. Internal auditors need to
assist management in establishing fundamental security objectives tied to business objectives and assets that
need protection from identified risks. One goal of the security policy is to emphasize to all
stakeholders—employees in particular—that information and data are not just computer files—they are assets
that have a value. A security policy will remind employees of the importance and value of information they
handle, and the risks or exposures that exist. Such a policy will help create a corporate culture that is security
conscious. For a good overview of why to have an InfoSec policy, and how to develop it, view Computer
Emergency Response Team's (CERT's) presentation. [8]

d. Password Policy
A significant part of the security policy is a password policy. An effective password policy is a strategic
advantage in maintaining strong internal controls and helps to minimize adverse events such as computer
crime, fraud, and other unauthorized activities. It has been shown that an effective password system in
operation prevents the majority of potential unauthorized activities. In one recent study, a researcher stated
that 80% of the fraud and malicious activities he found could have been prevented with an adequate password
system.

For example, a former AT&T employee stole thousands of dollars of materials after being terminated. He
used his password to get into the system, then cracked the purchasing agent's password, then ordered materials
and had them shipped to him at a remote location. In a similar case, a former network administrator for a
medium-size firm was terminated. He later logged onto the system with his regular password and proceeded
to destroy live data and online backup data. The company almost went bankrupt. Obviously, in both
circumstances, the passwords for the terminated employees should have been disabled immediately upon
dismissal. That simple procedure would have prevented both tragedies.

Therefore, the password policy needs to include a strong statement about authentication and authorization via
access to systems using appropriate password schemes and structures, including the immediate removal of 
passwords when an employee is dismissed. (See Section 3.8(b) for more details on passwords; see Exhibit 3.8
for additional guidance in developing an effective password policy.)

Exhibit 3.8: Password Policy

Communication — Promote it, use it during employee training or orientation, and find ways to continue to
raise awareness within the organization.
Multi-faceted — For example, use multiple levels of access requiring multiple passwords; use a password
matrix of data to grant read-only, read/write, or no access per data field per user; use biometrics (such as
fingerprints, voice prints), smart cards, or beeper personal identification numbers (PINs) in conjunction with
remote logins; and user-defined procedures.
>= 6 characters — The more characters, the more difficult to guess or crack. Eight characters provide an
effective length to prevent guessing, if combined with below.
Mix numbers, special characters with alphabet — The more non-alpha, the harder to guess or crack. Make
them case-sensitive, and mix upper and lower case.
Regular forced changes — At regular intervals, make employees change their passwords.
Protection of individual passwords — Prohibit the sharing of passwords or "post-its" with passwords
located near one's computer.

Limited trials — Limit the number of attempts to access the system with invalid data to about three. Lock
the account after 1-3 false attempts to prevent hacking.
Notification of significant employee changes — Make sure the IS department is notified immediately when
an employee is terminated or reassigned where responsibilities require a change in system access. This
process prevents a disgruntled employee from perpetrating malicious activities.
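The elements of Exhibit 3.8, carried into code as an added example that is not part of the manual: a small Python evaluator for password complexity, limited trials with lockout, forced changes, and the disable-on-termination check an auditor would test for. The numeric settings (8 characters, three character classes, 90 days, three attempts) and the sample accounts are assumptions for illustration.

```python
"""Added example, not from the manual: checks account data against the
Exhibit 3.8 elements (length and mix, forced changes, limited trials,
removal at termination). Numeric settings are assumed, not the book's."""
from dataclasses import dataclass
from datetime import date, timedelta
import string


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8            # ">= 6 characters"; eight gives an effective length
    min_classes: int = 3           # "mix numbers, special characters with alphabet"
    max_age_days: int = 90         # "regular forced changes" (interval assumed)
    max_failed_attempts: int = 3   # "limited trials": lock after about three


def complexity_findings(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the policy rules a candidate password fails (empty list = compliant)."""
    findings = []
    if len(password) < policy.min_length:
        findings.append(f"length {len(password)} < {policy.min_length}")
    classes = sum(
        any(ch in group for ch in password)
        for group in (string.ascii_uppercase, string.ascii_lowercase,
                      string.digits, string.punctuation)
    )
    if classes < policy.min_classes:
        findings.append(f"only {classes} character classes, need {policy.min_classes}")
    return findings


@dataclass
class Account:
    user: str
    last_changed: date       # date of the last password change
    employed: bool = True    # HR status
    enabled: bool = True     # IS access status; should follow HR status at once
    failed_attempts: int = 0
    locked: bool = False


def attempt_login(account: Account, password_ok: bool, today: date,
                  policy: PasswordPolicy) -> str:
    """Apply the lockout and expiry rules; returns one of
    'disabled', 'locked', 'failed', 'expired', 'ok'."""
    if not account.enabled:
        return "disabled"
    if account.locked:
        return "locked"
    if not password_ok:
        account.failed_attempts += 1
        if account.failed_attempts >= policy.max_failed_attempts:
            account.locked = True        # lock after the limited trials are used up
            return "locked"
        return "failed"
    account.failed_attempts = 0          # a good login resets the counter
    if today - account.last_changed > timedelta(days=policy.max_age_days):
        return "expired"                 # forced change before access continues
    return "ok"


def audit_accounts(accounts: list[Account], today: date,
                   policy: PasswordPolicy) -> dict[str, list[str]]:
    """Auditor's view: accounts that violate the policy, with the reason."""
    report: dict[str, list[str]] = {}
    for acct in accounts:
        issues = []
        if not acct.employed and acct.enabled:
            issues.append("terminated employee still has an enabled account")
        if today - acct.last_changed > timedelta(days=policy.max_age_days):
            issues.append(f"password older than {policy.max_age_days} days")
        if issues:
            report[acct.user] = issues
    return report


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    policy = PasswordPolicy()
    today = date(2024, 3, 1)
    accounts = [
        Account("alice", date(2024, 1, 15)),
        Account("bob", date(2023, 6, 1)),
        Account("carol", date(2024, 2, 1), employed=False),
    ]
    print(complexity_findings("password", policy))
    print(audit_accounts(accounts, today, policy))
```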

e. E-Mail Policy
Internal auditors should also assist management in developing an e-mail policy that describes appropriate use
of corporate e-mail resources. In order to enforce the policy, management will likely need to audit e-mail
messages from time to time. If there is ever a need to access an employee's e-mail messages, management
should make sure that such access is stated in the e-mail policy and that all employees are aware that their
e-mail could be read by management or staff. Otherwise employees rightfully could complain, maybe even
sue successfully, for violation of privacy. The policy should address the unethical activities discussed later in
this chapter and procedures for opening attachments—because they could be viruses or other malicious codes.
It should also be signed by every employee using corporate e-mail resources.

See Exhibit 3.9 for a checklist or questionnaire about e-mail controls. Also see Section 3.6(b) for discussion
on a variety of e-mail issues that are unethical or detrimental, all of which need to be considered in the e-mail
policy.

Exhibit 3.9: E-Mail Questionnaire

1. Are there effective procedures and controls in place to prevent viruses from penetrating the IS of the
enterprise via e-mail attachments (a thorough anti-virus system—see Exhibit 3.11)?

2. Are there effective procedures and controls in place to prevent employees from broadcasting hoax
virus warnings to the employees of the enterprise?

3. Are there effective procedures and controls in place to prevent flaming by employees?

4. Are there effective procedures and controls in place to prevent spamming? Has the enterprise
determined which states have laws regarding spamming, and have the details of applicable laws been
incorporated into policy and controls?

5. Are there effective procedures and controls in place to prevent spoofing?

f. Business Recovery Policy


An indispensable policy is business recovery plans (a.k.a. enterprise availability, business continuity). Those
plans include adequate planning for business recovery of systems (e.g., after systems become unavailable,
minor disruptions), disaster recovery (natural or man-made cataclysmic events that wipe out systems),
incident response plans (to deal with the effects of a deleterious event such as theft of credit cards, including
bad press), and even ordinary backups of data. Because disastrous events are so rare, many organizations
(most organizations, according to statistics) do not plan adequately for any of the recovery procedures.
However, the simple truth is every organization will deal with business recovery in some form or the other, to
some extent or scope. Not only can natural or man-made disasters disrupt the commercial affairs of an
organization, but system errors, system failures, hacking, or other computer attacks can also cause disruption.

For disaster recovery, the policy should include some basics of the disaster recovery plan. For example, the
ability to recover critical operations with minimal downtime should be the objective of the plan and the
foundation of the policy. The plan itself should cover backup measures for a site, hardware, system software,
application software, data, supplies, and documentation (see Exhibit 3.10). In addition, the plan should
include a means to develop a ranking of critical applications and to test for effectiveness.

Exhibit 3.10: Disaster Recovery Plan

Site — A backup site facility, including appropriate furniture, housing, computers, and telecommunications.
Another valid option is a mutual aid pact where a similar business or a branch of the same company swaps
availability when needed.
Hardware — Some vendors provide computers with their site, known as a "hot site" or recovery operations
center. Some do not provide hardware - known as a "cold site." When not available, make sure plan
accommodates compatible hardware (e.g., ability to lease computers).
System Software — Some hot sites provide the operating system. If not included in the site plan, make sure
copies are available at the backup site.
Application Software — Make sure copies of critical applications are available at the backup site.
Data Backups — One key strategy in backups is to store copies of data backups away from the business
campus, preferably several miles away or at the backup site. Another key is to test the restore function of data
backups before a crisis.
Critical Applications — Rank critical applications so an orderly and effective restoration of computer
systems is possible.
Team — The specific team members and their roles should be written, understood, and rehearsed. The team
leader is a critical success factor of the plan.
Supplies — A modicum inventory of supplies should be at the backup site or be able to be delivered quickly.
Documentation — An adequate set of copies of user and system documentation. Also, the steps and
elements of the plan itself should be documented with adequate detailed information.
TEST! — The most important element of an effective Disaster Recovery Plan is to test it before a crisis
occurs, and to test it periodically (e.g., once a year).

Results from one survey show data losses were due to hardware or system malfunctions (44%), human error
(32%), software malfunctions (14%), viruses (7%), and natural disasters (3%). To survive such events with
minimal losses, a business needs to formalize recovery procedures into a business recovery plan. It serves this
purpose and provides protection against other undesirable events, and usually goes beyond such ordinary
business decisions as insurance. Obviously, it is critical when disasters actually occur (e.g., hurricanes, floods,
or the attacks on the World Trade Center on September 11, 2001). A cost-benefit analysis will also raise
eyebrows to the necessity of having an appropriate set of business recovery plans. Therefore, internal auditors
should encourage management to have written policies about restoring or recovering systems and/or data
before a detrimental event occurs.

g. Privacy Policy
Information about individuals, either personal data or data about actions, is generally considered private
information. If an entity observes an employee secretively, it can be taken as intrusive; in some cases, the
legal system considers it an invasion of privacy. To protect the company from either of these injurious events,
the company should protect the private information of employees wherever possible. When data is captured to
ensure compliance with policies, employees should be asked to sign the pertinent policy to ensure their
knowledge of this type of observation, the type of data about the employee being captured, and the
ramifications for violations.

For entities that have interactions with customers or clients over the Internet, a privacy policy should be
developed for them regarding information collected by the entity (e.g., cookies). Then, this policy should be
easily found on the web site home page and accessible to all customers or prospects. It is important for
customers or potential customers to know how the entity will use their information, what the cookies will
contain, and how they will function in order to make them comfortable in conducting business online.

SAM POLE COMPANY  Corporate Audit Department Procedures Manual
NO: 3.6   REV NO:   DATE:   TITLE: Risk Assessment   PAGES:

[7]See Exhibit 3.1 for a full diagram of Sections 3.5 through 3.9.

[8]www.cert.org/present/cert-overview-trends/module-6.pdf.

3.6 Risk Assessment


Risk assessment is a critical step in building an effective internal control system that has the ability to manage
undesirable events, primarily because it strategically focuses attention on the most likely trouble spots with
the highest costs rather than general protection. The IIA focuses on risk assessment in IA activities and
standards. Under the Performance Standards of the IIA's Standards for the Professional Practice of Internal
Auditing, the first topic is Planning (section 2010): "The chief audit executive should establish risk-based
plans to determine the priorities of the internal audit activity, consistent with the organization's goals." Risk
analysis, or assessment, has become the preeminent method of guiding audits. External auditors have long
begun their process of financial audits with the audit formula—assessing inherent risk, control risk, detection
risk, audit risk, and business risk. In SAS No. 78: Consideration of Internal Control in a Financial Statement
Audit, [9] the AICPA institutionalized as guidelines the Committee of Sponsoring Organizations (COSO)
model of internal control. The five major areas of internal control include (1) Control Environment, (2) Risk
Assessment, (3) Information and Communication, (4) Monitoring, and (5) Control Activities. Lately, internal
auditing has also put more focus on risk assessment. The current definition of internal auditing by the
IIA states:

• Internal auditing is an independent, objective assurance and consulting activity to add value and 
improve an organization's operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.

In 2000, the IIA basically adapted risk assessment as the cornerstone of audits in its Standards. In the Nature
of Work section (SPPIA 2100), the first standard relates to Risk Management (SPPIA 2110). It states: "The
internal audit activity should assist the organization by identifying and evaluating significant exposures to
risk and contributing to the improvement of risk management and control systems." In order to develop
effective audit planning, some type of risk analysis is necessary because it provides strategic direction for
limited resources.

One model for investigating risks is to view them as internal risks and external risks. This manual uses this
simple model for discussing some of the more common risks that exist in the average organization. See
Section 6.1(b) of this manual for more about risk assessment, especially as it relates to audit planning.

a. Risk Assessment: Internal Perspective


An effective risk assessment must emphasize a good understanding of the internal risks (i.e., risks from within
the organization). Despite the high-profile stories of hackers in the public press, research shows that about 75
to 80% of frauds and malicious activities actually originate from within the organization. An appropriate risk 
assessment would not only identify the specific risks associated with malicious activities, accidents, and other
activities for the specific organization but perhaps put more emphasis on it than external threats—depending
on the specific system, risks, and threats.

There are several groups to think about in assessing risk from internal sources. Disgruntled employees as a
group probably present the highest risk—even more than hackers external to the firm. These people can be
motivated to cause extensive harm to the organization and, depending on their knowledge and access to
systems, data, and assets, may cause very costly damage.

Second, management itself is a risky group. Because of their unique position to override controls, they can
more easily commit fraud, especially financial fraud. If management is subjected to monetary pressures (e.g.,
they have stock options, but declining profits are driving stock prices down, or their bonuses are based on
profits, etc.), they may be tempted to "cook the books." Even the normal aggressive nature of driven managers
can become a risk if not mitigated by strong personal and corporate ethics, and an effective internal control
system (e.g., audit committee). One management accountant reported his dilemma when his boss wanted him
to reverse a correct accounting transaction because it caused a department to miss its profit goals (budget
variances) for the first time in months. Such actions are indicative of ethical soft spots that can lead to fraud,
theft, or material misstatements. Because of the nature of internal audit, it is difficult to assess this risk, but it
should be analyzed thoroughly by external auditors during financial audits.

Another dangerous group is the one of employees with personal problems. These conditions can motivate
fraud, theft, or misuse of assets. For example, a person who has a severe deficit cash flow, for whatever reason
(e.g., gambling, excessive lifestyle, etc.), coupled with weak controls or opportunity, may be tempted to steal
assets to cover personal losses; often with the intent to "pay back" the organization shortly. Numerous
reported frauds give credence to this particular set of risky circumstances internally. It is also possible
someone in the firm will become an industrial spy.

Malicious activities include destructive activities directed at the data or information system, communications
to outsiders that would be detrimental to the organization, theft or fraudulent activities related to assets, and
other similar activities.

A sample of accidents using the internal view would include the following: inadvertent data destruction (e.g.,
erasing a hard drive), unintentional IS interruptions (e.g., infesting it with a virus or worm), errors in systems
development, and errors in accounting data.

Another area of concern is ineffective accountability. It is possible to create a strong set of appropriate internal
controls only to have them fail to operate effectively. For example, well-designed systems provide error
reports or logs where errors have been detected but not corrected. Failure to review such reports on a timely
basis and provide corrective action quickly not only fails to correct an existing error but may likely lead to
further errors. First, if the error is systematic, then obviously it will occur again when the circumstances are
duplicated. Second, if the error report has actually identified a fraudulent event, this oversight can
inadvertently allow the fraud to be perpetrated without discovery. A similar result can happen if management
fails to enforce policies when violations occur. Such neglect could encourage further violations or even extend
the scope of violations, since employees would know that repercussions are not forthcoming.

One other observation must be made concerning internal controls, fraud, and management. COSO made a
study of 200 randomly selected cases of alleged financial fraud investigated by the Securities and Exchange
Commission—about two-thirds of the 300 SEC probes into fraud between 1987 and 1997. In that decade,
most of the financial frauds among public companies were committed by small corporations—well below
$100 million in assets. Top senior executives were involved in most of the cases (CEO and/or CFO in 83% of 
the cases). The average misstatement or misappropriation of assets was $25 million, with a median of $4.1
million. The size of the fraud relative to the size of the company is quite large. Some companies committing
fraud were experiencing net losses or were at close to break-even positions in periods before the fraud.

Pressures of financial strain or distress may have provided incentives for fraud for some companies. For
internal auditors of firms of this size, these findings provide valuable input to a risk assessment.

b. Risk Assessment: External Perspective


An effective risk assessment must also emphasize a good understanding of the external risks (i.e., risks from
without the organization), especially if the firm has a web server connected to its internal systems, or has
remote access to networks. If the company has remote access to its computer systems, it should be concerned
about unauthorized access by users external to the organization. Unauthorized access would most likely
eventually lead to some detrimental activities.

If the company has employed electronic commerce, there are a number of risks to consider. Because these
risks are unique, they require some special expertise regarding internal controls. It begins with security of data.

While online, there is a risk that the data used in an e-commerce transaction might be stolen. However, secure
sockets layer (SSL) and secure electronic transaction (SET) have proven to be nearly invincible, using
encryption combined with public keys to protect data while exposed online. Both serve as effective tools in
preventing theft of data while online. It is after the online transaction is consummated that credit card data has
been stolen. For example, one online storefront selling compact discs (CDs) took down its firewall to upgrade
the system. Once the upgrade was completed, the connection was restored but IS employees forgot to
reactivate the firewall. Crackers broke through the system and stole files containing thousands of credit cards,
and then held the firm hostage—threatening to post the credit card data on the Internet unless the firm paid the
ransom. The episode was devastating to the CD company, causing its financial collapse. This also
demonstrates the combination of risks: an accident (firewall not restarted) and crackers (stolen credit card
data). There are other reports of "crackers" (see "Types of Criminals" in this chapter for definition and
description of cracker) stealing credit card data but always from files on the back office computers or web
servers after the transactions were completed online.

Some adverse activities have the objective of disrupting service (availability). For instance, denial of service
(DoS) and/or distributed denial of service (DDoS) attacks are examples of crimes other than theft, in which
crackers bring down an e-commerce server with technically devised computer attacks. One series of attacks
brought down eBay and Yahoo, among others, in early 2000. Yet even here, there were early warnings from
certain groups that a DDoS attack was pending.

The likelihood of these kinds of attacks depends on whether they occur because of personal reasons (e.g.,
vengeance from disgruntled former employee or a computer whiz out to get your business) or because the
organization is high-profile (e.g., government entity, eBay, Yahoo, amazon.com, etc.). For internal auditors,
that means the level of risk is lower if the company has a low profile, is not a government entity, or has a low
level of online transactions. Nevertheless, there is a serious threat to anyone connected to the Internet today,
including desktop computers of a firm.

The highest risk associated with the Internet is neither hackers or crackers but viruses or worms. It is
relatively easy to spread malicious code as attachments to e-mail. And while it is virtually impossible to
activate a virus by simply opening an e-mail message, Microsoft complicated that by allowing the automatic
opening of attachments in Outlook. Almost all widespread viruses depend on the features of Outlook (e.g.,
automatically open attachments) and the address book on each computer. One relatively easy and cheap way
to stop the spreading from a single infected computer is to add an e-mail address that will sort to the top with
a bogus e-mail address. The costs of damages created by viruses and worms in 2001 ran $12 billion—each of
the several successful ones perpetrated costing millions. Therefore, it is very important for internal auditors
and the internal control system to address this risk specifically and conscientiously. Anti-virus software alone
is insufficient as a control. For instance, new viruses would not be included in the database/definitions of an
anti-virus system. Thus, some sort of dynamic, daily warning system is necessary. Several mailing lists offer
this service, including CERT, [10] SANS, [11] and Zdnet, [12] and IA should ensure the responsible party is
subscribed to this kind of mailing list. Exhibit 3.11 provides a model for an effective anti-virus system.

Exhibit 3.11: Anti-Virus System/Model

1. Anti-virus software installed on all PCs (with online updates available).

2. Require regular desktop and laptop updates of virus definitions and databases (use e-mail reminders
and/or policy).

3. Responsible person or group subscribes to a credible virus alert mailing list (Cnet, Zdnet, Norton
Anti-Virus Center, CERT, and others — to identify emerging viruses that cannot be detected using
existing anti-virus databases, and to be able to get the newest anti-virus definitions when a new virus
is released on the Internet).

4. Regular virus scans of hard drives on desktops and laptops (part of regular anti-virus maintenance).

5. Filter e-mail servers (using routers, firewalls, or software) for potential viruses.

6. Other measures as appropriate in particular enterprise (e.g., removal of floppy drives).

7. Training of all employees (e.g., during orientation).

8. Measures to prohibit propagation of hoax viruses (e.g., policy to not forward virus warnings except
by executive designate).

There are several other problem areas or risks associated with e-mail. One is the fact that some virus warnings
via e-mail are simply hoaxes. They are a problem, but much less costly than real viruses. Yet it only takes a
minute to access one of the several hoax centers (e.g., computer incident advisory capability (CIAC), [13]
Norton Anti-Virus Center [14]) to authenticate the message before forwarding it to everyone you know—the
hidden purpose of the perpetrator. One suggestion regarding policy is to forbid broadcasting virus warnings
from anyone other than a designated person or group. If a person receives a message and he/she thinks it is
legitimate, that person would be required to forward the message to the enterprise anti-virus person or group.
This person or group can then authenticate any virus warnings and broadcast appropriate messages. By
centralizing broadcast warnings, the enterprise can eliminate the waste of resources associated with hoax
viruses (time to delete, clogging bandwidth with numerous bogus messages, etc.).

Another e-mail risk to consider is flaming (electronic smash mouth, trash talking, derogatory messages, and
even biased remarks). Such use of corporate e-mail should be prohibited, whether the target of the attack is
another employee or the company. It can be a serious problem, even leading to litigation, if it involves sexual
harassment or racial slurs.

Spamming (junk e-mail) is a risk because it can clog bandwidth much like hoax viruses. Many states have
laws against spamming. But as long as the message has some mechanism to disable future messages, it is not
considered spamming, although often such mechanisms do not work. Internal auditors should investigate
spamming legislation in the states where the enterprise has servers and promote an appropriate policy
regarding the handling of spamming—received or sent. America Online (AOL) has a strict policy regarding
spam and enforces it—as such AOL serves as a good model to follow. Anti-spam software packages are
available but some have problems making a consistent distinction between spam and legitimate e-mail.

Spoofing (impersonating) can also be a risk. Spoofing refers to e-mail messages that pretend to be sent
(authorized) by someone who has no knowledge of the message. For example, an e-mail message could be
broadcast to the enterprise's employees informing them of a day off, or some other message, and give the
appearance of being authentic (such as the signature of an executive), yet be a bogus message. Exhibit 3.9
provides a questionnaire for internal auditors that could be used to audit the e-mail services of an entity.

There are objects or code agents that pose threats similar to viruses or worms—be it applets, scripts, ActiveX
elements, or other objects. Be sure the IS department has made the necessary precautions to prevent these
objects from carrying out destructive code. Crackers and script kiddies also take advantage of security holes in
systems. These holes allow outsiders to gain unauthorized access to systems and then they can do a wide
variety of malicious activities, all unnoticed. Controls and procedures need to be developed to effectively
protect against such attacks and risks. See Exhibit 3.12 for a set of basic vulnerability controls, Exhibit 3.13
for a questionnaire related to vulnerabilities, and Exhibit 3.14 for a list of the Top 20 vulnerabilities. The
latter, developed by SysAdmin, Audit, Network, Security (SANS) and the FBI, documents the most often
used vulnerabilities by attackers and intruders.

Exhibit 3.12: A Basic Vulnerability Plan

1. List of probable vulnerabilities (broad scope of input).

2. Use list as checklist to plug applicable vulnerabilities.

3. Subscribe to security-related mailing list (security alerts).

4. Regularly use the alerts to plug emerging leaks.

5. ALWAYS test all changes, fixes, plugs OFFLINE before putting the system back online.

Exhibit 3.13: Sample Questionnaire/Inquiry


□ There is a reputable source or list of applicable vulnerabilities to our information systems.
□ The list is reviewed on a regular basis to see that all applicable vulnerabilities have been corrected.
□ There is a credible source to update the list for emerging vulnerabilities.
□ The updates are reviewed daily (weekly) for applicable ones, and corrections made.
□ Both processes are reported or checked off by a responsible party in InfoSec.
□ The system is tested on a regular basis for known vulnerabilities or potential exposures.
□ Fixes and changes are first thoroughly tested on systems OFFLINE before being allowed online.
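Exhibits 3.12 and 3.13 describe a process (keep a list of vulnerabilities, work it against the systems in use, test fixes offline, have a responsible party in InfoSec check each item off) rather than a tool. As an added example, not code from this book or from SANS, the following Python turns that questionnaire into a check an auditor could run against the records an IS department keeps. The record layout, the platform labels, the advisory identifiers (VULN-001 and so on), the host names and the dates are invented for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    """One entry on the vulnerability list (Exhibit 3.12, steps 1 and 3)."""
    advisory_id: str      # placeholder ids in the sample; a real list carries the source's ids
    affects: str          # platform label the advisory applies to
    published: date


@dataclass(frozen=True)
class Fix:
    """One correction record for one advisory on one host (Exhibit 3.12, steps 2, 4 and 5)."""
    advisory_id: str
    host: str
    tested_offline: bool
    deployed_online: bool
    signed_off_by: Optional[str]   # InfoSec person who checked it off, if anyone


def review(advisories, inventory, fixes, today, review_interval_days=7):
    """Walk the checklist of Exhibit 3.13 against the records and return the exceptions:
    outstanding    - an applicable advisory with a host that has no deployed fix
    overdue        - outstanding for longer than the review interval (the list is not being worked)
    untested       - a fix put online without the OFFLINE test the plan requires
    unsigned       - a deployed fix nobody in InfoSec has checked off
    not_applicable - advisories for platforms not in the inventory (noise to prune from the list)"""
    by_key = {(f.advisory_id, f.host): f for f in fixes}
    findings = {"outstanding": [], "overdue": [], "untested": [], "unsigned": [], "not_applicable": []}
    for adv in advisories:
        hosts = sorted(h for h, platform in inventory.items() if platform == adv.affects)
        if not hosts:
            findings["not_applicable"].append(adv.advisory_id)
            continue
        for host in hosts:
            key = (adv.advisory_id, host)
            fix = by_key.get(key)
            if fix is None or not fix.deployed_online:
                findings["outstanding"].append(key)
                if (today - adv.published).days > review_interval_days:
                    findings["overdue"].append(key)
                continue
            if not fix.tested_offline:
                findings["untested"].append(key)
            if not fix.signed_off_by:
                findings["unsigned"].append(key)
    return findings


def constructed_records():
    """Constructed sample records for the illustration (ids, hosts and dates are invented)."""
    advisories = [
        Advisory("VULN-001", "bind", date(2001, 3, 1)),
        Advisory("VULN-002", "iis", date(2001, 3, 10)),
        Advisory("VULN-003", "sadmind", date(2001, 3, 25)),
    ]
    inventory = {"ns1": "bind", "ns2": "bind", "web1": "iis", "mail1": "sendmail"}
    fixes = [
        Fix("VULN-001", "ns1", tested_offline=True, deployed_online=True, signed_off_by="infosec-lead"),
        Fix("VULN-001", "ns2", tested_offline=False, deployed_online=True, signed_off_by=None),
        Fix("VULN-002", "web1", tested_offline=True, deployed_online=False, signed_off_by=None),
    ]
    return advisories, inventory, fixes, date(2001, 3, 30)


if __name__ == "__main__":
    advs, inv, fx, today = constructed_records()
    for category, items in review(advs, inv, fx, today).items():
        print(f"{category}: {items}")
```

Run against the constructed records, the check reports one outstanding and overdue item (the web server fix that was tested but never deployed), one fix that went online without the offline test and without a sign-off, and one advisory that does not apply to anything in the inventory; each line maps directly onto a checkbox in Exhibit 3.13.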

Exhibit 3.14: SANS Institute: Top 20 Most Critical Internet Security Vulnerabilities (ver. 2.502) [15]

G1—Default installs of operating systems and applications

G2—Accounts with no passwords or weak passwords

G3—Non-existent or incomplete backups


G4—Large number of open ports

G5—Not filtering packets for correct incoming and outgoing addresses

G6—Non-existent or incomplete logging

G7—Vulnerable CGI programs

W1—Unicode vulnerability (web server folder traversal)

W2—ISAPI extension buffer overflows

W3—IIS RDS exploit (Microsoft Remote Data Services)

W4—NETBIOS—unprotected Windows networking shares

W5—Information leakage via null session connections

W6—Weak hashing in SAM (LM hash)

U1—Buffer overflows in RPC services

U2—Send mail vulnerabilities


U3—Bind weaknesses

U4—R commands

U5—LPD (remote print protocol daemon)

U6—sadmind and mountd

U7—Default SNMP strings

SAM POLE COMPANY  Corporate Audit Department Procedures Manual
NO: 3.7   REV NO:   DATE:   TITLE: Control Strategies   PAGES:

[9]SAS No. 78 revised SAS No. 55—the same topic.

[10]See www.cert.org.

[11]See www.sans.org.

[12]See www.securityresponse.symantec.com/avcenter or www.norton.com.

[13]See www.ciac.org/ciac by U.S. Department of Energy.

[14]See www.securityresponse.symantec.com/avcenter/ or www.norton.com.

[15]G = General Vulnerabilities, W = Windows Vulnerabilities, U = UNIX Vulnerabilities. See
www.sans.org/top20.htm.

3.7 Control Strategies


Effective control activities can help to mitigate the risks identified in the risk assessment. Control activities
are developed at least in part from proven control strategies. Specific controls, such as CAATTs, are identified
in "Specific Controls/CAATTS" in this chapter. Control activities will be presented in two models and some
other general areas of control activities, with specific illustrations. The two models are discussed to provide a
way for internal auditors to think about developing general control activities and objectives.

a. Fourfold Perspective of Controls Model


Before developing management policies, management needs to have a general understanding of how to design
effective internal controls. The management of undesirable events is one aspect, which is divided into four
perspectives. The first is prediction. The second is preventive controls that will minimize the possibility of a
risk occurring. The third and fourth are detective and corrective, where controls are able to detect undesirable
events after they have occurred and in some cases automatically correct it—in others it provides the means to
correct it. Obviously, predictive and preventive measures are more efficient and less harmful and therefore
should be premier in building the internal control system.

i. Prediction

The first area, prediction, is the most difficult. Profiling and background checks are specific activities that
serve to predict malicious behavior or actions. Others include systems that are capable of generating accurate
warnings regarding malicious activities. Two examples are certain mailing lists and Internet warning systems.
One good example is the early warning system of a mailing list for malicious activities such as viruses and
security vulnerabilities. When a new virus is released on the Internet, several organizations watch for them
and publish early warnings via a mailing list. These organizations include non-profit or government ones such
as CERT, some of the anti-virus manufacturers such as Norton, and technical publications such as ZDnet.
Since anti-virus software is vulnerable to a new virus, such a system is both "predictive" and preventive, and
as such is critical to protecting assets (see Exhibit 3.11 to illustrate the inclusion of a predictive step in an
anti-virus set of controls). Another type of predictive control is an Internet-wide monitoring system such as
those employed by CERT, [16] BUGTRAQ, [17] and the Internet Storm Center (ISC). [18] The latter uses a
similar approach as the virus warning systems—to monitor the Internet in a broad manner to determine if any
malicious activity is emerging. The infamous Berkeley Internet Name Domain (BIND) attack is an example of
how access to the ISC serves as a predictive control.

On March 22, 2001, intrusion detection sensors around the globe logged an increase in the number of probes
to port 53—the port that supports the domain name service. Attacks on port 53 are significant only because
the software program called BIND [19] uses that port, and versions of BIND that had not been recently updated
had a vulnerability that attackers could use to take over the systems. [20] Thousands of organizations that had
not updated their version of BIND were being infected with a worm called Lion. Lion stole password files
from infected machines and sent them to a site in China, and it installed a distributed denial of service (DDoS)
tool so that the infected machines could be used in denial of service attacks. But hundreds of intrusion
detection sensors that were logging attacks had become part of regional and industry-specific security
monitoring networks. They sent their logs to analysis sites. There the data was aggregated and charted
automatically, and posted for analysis at SANS. Analysts immediately saw a spike in the number of attacks on
DNS Port 53. Some kind of man-made, "electronic storm" (actually an electronic packet storm) was sweeping
through the Internet. The analysts determined what damage the worm did and how it was able to do it, and
then they developed a computer program to determine which computers had been infected. They tested the
program in multiple sites and they also let the FBI know of the attack. Just 14 hours after the spike in port 53
traffic was first noticed, the analysts were able to send an alert to 200,000 people warning them of the attack
in progress, telling them where to get the program to check their machines, and advising what to do to avoid
the worm. This episode demonstrates the value of sharing intrusion detection logs in real time. Only in the
regional and global aggregates was the attack obvious, which allowed the expeditious response to slow and
then stop the attacks—and serve as a predictive control for many organizations.

The technology, people, and networks that found the Lion worm were all part of the SANS Institute's
Consensus Incident Database (CID) project that had been monitoring global Internet traffic since November
2000. CID's contribution the night of March 22 was sufficient to earn it a new title: Internet Storm Center.
Today Internet Storm Center gathers more than 3 million intrusion detection log entries every day. It is
rapidly expanding in a quest to do a better job of finding new storms faster, isolating the sites that are used for
attacks, and providing authoritative data on the types of attacks that are being mounted against computers in
various industries and regions around the globe. Internet Storm Center is a free service to the Internet
community. The work is supported by the SANS Institute from tuition paid by students attending SANS
security education programs. [21]

Another source that can serve as a predictive control is CERT. The CERT Coordination Center (CERT/CC) is
located at the Software Engineering Institute (SEI), a federally funded research and development center at
Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the Morris worm incident, which brought
10% of Internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency
(DARPA) charged the SEI with setting up a center to coordinate communication among experts during
security emergencies and to help prevent future incidents. Since then, the CERT/CC has helped to establish
other response teams, and their incident handling practices have been adapted by more than 200 response
teams around the world. CERT focuses on protecting systems against potential problems, reacting to current
problems, and predicting future problems. The organization's work involves handling computer security
incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems,
and developing information and training to help entities improve security at their site. The security alerts and
mailing lists are excellent sources for predictive controls.

It could be argued that the internal auditor's experience and professional judgment have predictive powers of 
sorts. If the company is experiencing a high degree of pressure in the stock market (e.g., declining stock 
prices, earnings per share below street predictions), and there is a weakening or soft profitability (e.g.,
declining profits, declining revenues, economic woes of some sort), and personal weaknesses in executives
(e.g., lifestyle is high or beyond means, weak personal ethics), then there is a high risk of financial fraud; that
is, it could be predicted. Most major financial frauds of the past have these factors in common. For employees,
it is opportunity (exposure) combined with personal weaknesses; and the possible result is theft. Many past
employee thefts have these traits in common. Therefore, the professional judgment of auditors should be
viewed as and used as a predictive control. For financial fraud, this "control" is effective if, and only if, the
internal auditors report directly to the audit committee.

Some emerging technologies are being used to build predictive models with a relatively high degree of 
accuracy. Technologies such as artificial neural networks (ANN) have been shown to be more accurate than
other modeling tools at making predictions where the data is extensive or complicated. Studies have shown
the ability of ANN to predict with a relatively high degree of accuracy such events as financial distress of a
firm (e.g., bankruptcy). Therefore it is not beyond the realm of possibility to use an ANN to build a predictive
model for control breaches, "training" it by using actual past data. However, it does take special skills to
properly build such a system.

ii. Prevention

Secondly, activities should be implemented where the objective is to prevent malicious activities. For InfoSec
and Internet resources, a multi-layered firewall is a good control. That is, a single firewall control, such as a
router with filters, is a weak control (i.e., becomes an exposure). A better control is a firewall that has multiple
layers: a combination of routers, filters, proxy servers, software, and so on, used to provide a shield that could
be compared to an onion, with all its layers of skin. Preventive controls are also necessary in software
applications to prevent errors in data. System access likewise needs preventive controls to prohibit
unauthorized access of systems and data.

iii. Detection

It is much easier to develop controls for detection, the third perspective. For InfoSec, there are some
developing, effective means of detecting general Internet attacks. For example, The Internet Storm Watcher
[22] gathers information real-time from logs all over the Internet. When a general attack is made, the Storm
Watcher is able to spot it much like a weather system predicts a physical storm. Monitoring systems that
measure traffic on specific ports of the Internet and then graph it can produce an outcome that can detect an
intruder hacking into a system. There are more sophisticated intrusion detection systems, but any enterprise
with risks associated with the Internet needs a detection system commensurate with its level of risk.
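The Lion worm episode in the Prediction section and the port-monitoring systems just described rest on the same mechanism: pool the log entries of many intrusion detection sensors, count probes per destination port over time, and look for a port whose count in the latest period jumps far above its own baseline. The point the text makes about aggregates (the attack was obvious only once logs from many sites were combined) is captured by requiring that several distinct sensors report the surge. As an added example, not code from this book or from SANS or the Internet Storm Center, the following Python builds that check over a constructed set of sensor log lines; the line format, the sensor names, the hourly bucket and the alert thresholds are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format for this example (not any real sensor's format):
#   <sensor> <ISO-8601 timestamp> <src_ip> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<sensor>\S+)\s+(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<port>\d+)$"
)


def parse_line(line):
    """Parse one log line into (sensor, hour bucket, dst_port); None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    hour = datetime.fromisoformat(m.group("ts")).replace(minute=0, second=0, microsecond=0)
    return m.group("sensor"), hour, int(m.group("port"))


def aggregate(lines):
    """Build {hour: {port: {sensor: count}}} from the lines all sensors submitted."""
    agg = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            sensor, hour, port = rec
            agg[hour][port][sensor] += 1
    return agg


def find_spikes(lines, factor=5.0, min_sensors=3):
    """Flag ports whose count in the most recent hour is at least `factor` times the
    average of the earlier hours and was reported by at least `min_sensors` sensors.
    The sensor condition is what separates an Internet-wide storm from one site's
    local noise, and it is only visible once the logs are pooled."""
    agg = aggregate(lines)
    hours = sorted(agg)
    if len(hours) < 2:
        return []
    latest, earlier = hours[-1], hours[:-1]
    alerts = []
    for port, per_sensor in agg[latest].items():
        count = sum(per_sensor.values())
        baseline = sum(sum(agg[h].get(port, {}).values()) for h in earlier) / len(earlier)
        if len(per_sensor) >= min_sensors and count >= max(baseline, 1.0) * factor:
            alerts.append({"port": port, "count": count, "baseline": baseline,
                           "sensors": len(per_sensor), "hour": latest.isoformat()})
    return sorted(alerts, key=lambda a: a["count"], reverse=True)


def constructed_log():
    """Constructed sample (not real traffic): three quiet hours, then a port 53 surge
    that every sensor sees, plus one malformed line to show that it is skipped."""
    sensors = ["sensor-east", "sensor-west", "sensor-eu", "sensor-asia"]
    start = datetime(2001, 3, 22, 15, 0, 0)
    lines = []
    for h in range(4):
        hour = start + timedelta(hours=h)
        for i, s in enumerate(sensors):
            for j in range(2):  # steady web traffic: two port 80 hits per sensor per hour
                t = (hour + timedelta(minutes=5 * j)).isoformat()
                lines.append(f"{s} {t} 203.0.113.{i + 1} -> 198.51.100.{i + 1}:80")
        # background DNS: one port 53 probe per hour, seen by a single sensor
        t = (hour + timedelta(minutes=30)).isoformat()
        lines.append(f"{sensors[h % 4]} {t} 203.0.113.9 -> 198.51.100.9:53")
    surge = start + timedelta(hours=3)
    for i, s in enumerate(sensors):
        for j in range(5):  # 20 extra port 53 probes in the last hour across all sensors
            t = (surge + timedelta(minutes=40 + j)).isoformat()
            lines.append(f"{s} {t} 203.0.113.{20 + j} -> 198.51.100.{i + 1}:53")
    lines.append("this line is not in the expected format")
    return lines


if __name__ == "__main__":
    for a in find_spikes(constructed_log()):
        print(f"ALERT port {a['port']}: {a['count']} probes in hour {a['hour']} "
              f"(baseline {a['baseline']:.1f}/hour, reported by {a['sensors']} sensors)")
```

On the constructed log the steady port 80 traffic stays within its baseline and is ignored, while port 53 goes from one probe an hour to 21 probes reported by all four sensors and is flagged. Raising `min_sensors` above the number of sensors that saw the surge suppresses the alert, which is the trade-off a monitoring network makes between catching a storm early and reacting to one site's noise.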

Artificial neural networks (ANNs), mentioned above, have also been shown to be able to detect fraudulent events or
transactions. Studies have shown that a detective model can be built to recognize potentially fraudulent
transactions after having been trained using actual past data (i.e., actual valid transactions and actual fraudulent
transactions). Such a system could potentially then "sit" on top of the processing systems and filter
transactions looking for potentially fraudulent ones. Once a suspicious transaction is detected, the ANN would
warn someone in IA directly, giving IA and the firm a chance to detect a fraudulent or irregular transaction as
it is being conducted, rather than detecting it weeks or months later in an audit. There is a need to make sure
such a system does not seriously impede the processing of transactions in the corporate system (i.e., IS
performance). Again, it does take special skills and knowledge, as well as a set of transactions to do the
training.

iv. Correction

The last perspective, correction, is another fruitful source of controls. For instance, logs that generate a list of 
detected errors and the procedures to correct them are a critical component of applications and systems. Other
types of correction controls include disaster recovery plans, business recovery plans, and incident response
plans—all intended to correct the damage from major catastrophes.

b. Information Systems and Controls Model

A second model applies to controls in general: physical and computer. Computer control is subdivided into
general and application controls (see Exhibit 3.15).

Exhibit 3.15: IS Model of Controls

Computer Controls
  General Controls: passwords, locked doors
  Application Controls: input controls, processing controls, output controls, batch controls

Physical Controls: transaction authorization, segregation of duties, supervision, accounting records,
access control, independent verification

i. Physical Controls

Physical controls involve controls of a manual nature (see Exhibit 3.16). Some examples follow for
illustrative purposes and are not exhaustive.

Exhibit 3.16: Physical Controls

1. Transaction authorization (manual procedures)

2. Segregation of duties (IS processes, accounting processes, etc.) (authorization versus processing,
custody versus recordkeeping, and such that fraud requires collusion)

3. Supervision (compensating control when unable to use segregation of duties)

4. Accounting records

5. Access controls (direct, indirect)

6. Independent verification (performance, system integrity, data integrity)

Transaction authorization needs physical controls (i.e., manual controls) to ensure all material transactions are
processed by the accounting system with integrity and in compliance with management policies and
objectives. Using management decision rules, certain recurring transactions become a programmed procedure,
or operate under general authority. Other decisions of a non-routine nature need specific authority.

Segregation of duties is another important type of physical control. Three good rules of thumb for developing
controls using segregation of duties are: (1) separate authorization of transactions from processing
them, (2) separate custody of assets from record keeping, and (3) create controls such that a successful fraud
can only be perpetrated through collusion. The latter generally can be accomplished by separating steps of the
process between different individuals. Also, make sure segregation of duties extends beyond the typical area
of basic accounting functions. For example, segregation of duties has many applications in IS processes and
database management.

Some of the controls that illustrate proper segregation of duties in IS are:

• Separate systems development from computer operations. This control should both deter fraud and
increase the quality of documentation.

• Separate new systems development from maintenance, which also should increase the quality of 
documentation. If this separation is not possible, systems analysis can be separated from
programming. This alternate organizational structure could lead to weaker documentation and creates
an exposure for programming, leaving it open to possible malicious code (e.g., back doors, salami
slicing).
• Separate the database administrator (DBA) from other database and systems functions, computer
operations, development, and maintenance.
• Separate data library function from computer operations, development, and maintenance. If the
enterprise stores data tapes, backups, or other centralized storage, then a data librarian serves as
custodian of the data asset. Some enterprises include original software and their licenses in the
"library" as well. Documentation of in-house software, including original source code, should also be
housed in the library. Software and data assets should be treated much like inventory assets when it
comes to controls. That is, they need to have a custodian, strict procedures for checking assets in and
out, and an adequate audit trail of transactions (where the assets go, why, and in this case, their safe
return). If a permanent librarian is not feasible, the rotation of a person on an ad hoc basis should
suffice as an adequate control.
• Use of a data control group. This group (or person) serves as a control between operations and end
users—including management. They perform tasks such as: review and test computer procedures,
monitor data processing, review and distribute computer output, serve as liaison with end users, and
review control logs from data processing. Therefore, this group, if employed, should be separated
from operations and systems development.

Other segregations may be necessary depending on the circumstances, size, and other issues pertinent to the
enterprise. (See Section 3.7(f) for more on segregation of duties.)

Supervision is a vital part of physical controls. When segregation of duties becomes impractical, supervision
is the default compensating control. This control includes formal reporting and procedures as well as
physically supervising a person or process.

Accounting records should be kept in such a way as to prevent unauthorized physical access. That is,
safeguard documents (e.g., checks) and physical accounting records (ledger cards).

Access controls (direct and indirect) are addressed in Section 3.8(b), and are a part of physical controls. Direct
controls involve physical access to assets such as inventory or cash. Indirect controls relate to documents and
processes that control such assets (e.g., credit memos, purchase orders, etc.).

Management also will assess the integrity of the computer system and data on an ongoing basis as a part of 
independent verification. Internal controls should also be implemented for independent verification of data. A
classic control in this category is the comparison of physical assets with accounting records, but it also
includes controls such as reviewing management reports.

ii. Computer Controls: General


Computer controls are subdivided into general and application. This section addresses general computer
controls.

They would include controls such as locked doors for sensitive areas (e.g., data storage, mainframe room).
They should also include controls regarding the development of new systems. These controls might include:

• Requiring a written request with justification from user(s)
• Requiring a written evaluation and authorization of this request by IS staff
• Requiring the design of the application by a cross-functional team that includes a CISA or CIA (to
ensure the inclusion of adequate controls during development)
• Requiring adequate documentation procedures
• Requiring a written report on the testing (probably re-introduce CISA or CIA to the process at this
point)
• Requiring full off-line testing for new applications, hardware, or systems before activation online, and
• Requiring training on new applications before implementation

Major changes to existing software systems should generally follow the same set of controls.

There should also be controls regarding computer operations. For example, the system should build a log of
activities including application used, data used, and manipulations made, how long the user used the data or
application, and the identification of users. Some operating systems have the ability to build this kind of log
(see "Logs and Auditability" in this chapter for more information). There should be some kind of controls for
the receipt of data for keying (if feasible) and for the distribution of output (e.g., data control group). Data
backups (tapes or disks) should have controls for labeling (either internal or external labels). Other
library-related controls may be needed for data backups.

Access to programs and data is critical and needs controls, which have already been discussed. Segregation of
duties should be used to build independence (cannot alter programs or data), and to limit opportunities for
concealment of fraud.

iii. Computer Controls: Application

The next aspect of the IS controls model is application controls, which are more specific. They include input
controls, processing controls, and output controls. Examples of input controls include:

• (A) Authorization. Proper authorization procedures and controls are essential to an effective internal
control system. The fact that the accounting system is a computer-based one does have some effect on
these controls. Two basic control guidelines for authorization are:

♦ Controls should make sure transactions are properly authorized in accordance with
management objectives and policies
♦ Embed controls where the computer performs the authorization

An example of the latter would be credit limits. The software should have built-in controls that verify
a customer has sufficient credit to issue an invoice without going over the credit limit, and that require
special authorization (preferably from the credit department) to allow the invoice to be processed
when the amount would put the customer over the credit limit.

• (B) Converting data into computer files. Controls should be developed to ensure the validity of data
entry from the point of data capture and/or input.

♦ Use of batch control methodology, where applicable
♦ Record counts, batch totals, hash totals, computer editing controls, verification programs and
controls

• (C) Subsequent accountability. Subsequent to data entry, application controls should be employed to
make sure data has not changed and data maintenance is validated, where applicable. Examples
include:

♦ Transmittal controls
♦ Routing slips
♦ Control totals (hash, amount totals, etc.)

Examples of processing controls include the following:

♦ Batch control where applicable (not likely to apply in real-time systems)—control totals,
batch totals, hash totals, record counts
♦ Validity check test (e.g., valid data for the particular field, complementary master record(s)
exist, etc.)
♦ Limit test (data is within the range of valid entries for the particular field, data is reasonable)
♦ Self-checking digit, where applicable (telecommunications)

Examples of output controls include the following:

♦ Controls to ensure reliability of computer output (e.g., error reports, printed reports, printed
checks, etc.)
♦ Controls to ensure outputs are distributed with appropriate custody to authorized personnel
only
♦ If batch methodology is employed, reconcile output control totals with processing and input
control totals
♦ Develop controls using error reports for data that does not meet certain validity checks,
including control procedures for follow-up of error reports for corrections
♦ Develop effective controls such as data control group, the computer itself, and users to
perform these control tasks (from most effective to least)

c. An Internal Audit Function


The most important general control activity is an internal audit function. Each enterprise must have an
independent source for developing and verifying controls, above and beyond what the external auditors might
do in a financial audit. Internal audit is much broader and more flexible in the tasks it performs. A qualified
group of people and an adequate staff are indispensable to effective control activities and a successful
internal control system. Major bankruptcies such as Enron have brought criticism of the possible lack of
independence when the internal audit function has been outsourced to the external auditors responsible for the
financial audit. Therefore, if it is outsourced, management should be careful to maintain a maximum degree of
independence. The best situation is to have an IA department within the firm. In fact, the New York Stock
Exchange and the IIA have asked the SEC to require an IA function for all companies with publicly traded
stock. [23]

This manual stresses the activities, qualifications, and duties that make the IA shop successful and productive.
The IIA argues that an internal IA shop is a critical success factor in effective corporate governance,
especially regarding security, auditability, and controls.

d. Corporate Governance

A key control strategy is an effective corporate governance structure. This strategy begins with the IA
function and includes an effective audit committee and IT governance.

i. Audit Committee

Another key major control activity is an adequate audit committee. But having an audit committee is not the
same as having an effective audit committee. For publicly traded companies, the SEC issued a ruling that took
effect January 31, 2000, related to audit committees. The ruling [24] says in part:

• The Securities and Exchange Commission is adopting new rules and amendments to its current rules
to require that companies include in their proxy statements certain disclosures about their audit 
committees and reports from their audit committees containing certain disclosures. The rules are
designed to improve disclosure related to the functioning of corporate audit committees and to
enhance the reliability and credibility of financial statements of public companies.

The SEC basically requires publicly traded companies to not only have an audit committee but to include
information on its activities in SEC reports. Companies that are not publicly traded but have a large number of 
stockholders are probably in need of an audit committee because of the fiduciary responsibility. A significant
responsibility of the audit committee is to deal with risks of the entity. Therefore, businesses that have a
relatively large risk of fraud, theft, security, or illegal activities should also have an audit committee. For
example, financial institutions and other businesses that handle large volumes of cash daily are prime
candidates for an audit committee because cash misappropriation is the highest of risks.

Companies need an audit committee for several reasons. The main reason is the fiduciary responsibility the
company has to the shareholders. Management should also expect the audit committee to assist them in
ensuring the integrity of financial reports and in deterring fraud. The public expects no surprises in the
financial health of the company, and it expects to be able to trust the financial reports. Audit committees
should be able to serve as guardians of the public interest.

The audit committee serves as an independent "check and balance" with the internal audit function—serving
as a watchdog over financial statements, risks, and management assertions—and liaison with external
auditors. They interact with both these groups with the objective of ensuring data integrity in financial
statements and the avoidance of fraud or illegal activities. They also look for ways to identify adverse events.
For instance, they might serve as a sounding board for employees who observe suspicious behaviors or
outright fraudulent activities. The audit committee should have a willingness to challenge the internal auditor
function as well as management when necessary. For those entities that employ outside auditors, the audit
committee should be best positioned to determine whether or not the provision of any particular service by the
audit firm is inappropriate. In fact, they should be responsible for deciding which external auditor to hire. In
general, they become an independent source of protection of the entity's assets from a variety of risks, in
whatever fashion is appropriate. See Exhibit 3.17 for a list of audit committee oversight areas, based on a
study by the Financial Executives International (FEI).

Exhibit 3.17: Audit Committee Oversight Areas—In Order of Importance

1. Key areas of business and financial risk 

2. Tone at the top/code of ethics

3. Internal controls and systems

4. External audit activity and relationships

5. Periodic financial reporting, including financial and accounting policies

6. Internal audit activity

7. Key personnel selection for critical financial/control positions

Certain historical events remind managers, board members, auditors, and other stakeholders of the risks that
exist even for those businesses that seem to be immune to fraud. These events also show the need for effective
audit committees. Enron proved that large companies with billions of dollars in assets can go bankrupt under
the noses of well-intended board members. Enron had $10 billion book value, $60 billion market value, and
$1 billion in profits in its latest financial reports that were "not materially misstated," according to its external
auditor, Arthur Andersen. Enron had an audit committee made up of distinguished members with financial
accounting pedigrees. Yet this large firm went bankrupt once it booked a $600 million entry to revise its
earnings in late 2001.

In 1998, COSO issued a report, "Landmark Study on Fraud in Financial Reporting," covering 10 years and
200 randomly selected cases of alleged financial fraud investigated by the SEC from 1987 to 1997. The 200
randomly selected cases make up about two-thirds of all the SEC probes into fraud during the time period.
The results of the study provide valuable information for any organization in protecting against fraud, but it is
especially valuable in developing audit committees because of its applicability. The study develops several
common factors about the companies (see Exhibit 3.18).

Exhibit 3.18: Commonalities of Fraud Entities from COSO Study

Smaller firms
Lack of experience in board members
Lack of independence of audit committee/board members
Absence of audit committee or infrequent audit committee meetings
Likelihood of involvement of executive managers in financial fraud
Most of the auditors explicitly named in SEC enforcement releases were non-Big Five auditors
Audit firms of all sizes were associated with companies committing financial statement fraud (i.e., you
cannot depend on your external auditors to detect fraud based on their size)
Cumulative amounts of frauds were relatively large in light of the relatively small sizes of the companies
involved — the average misstatement or misappropriation was $25 million

A model of attributes is presented based on the existing standards, SEC rules, and the COSO fraud report (see
Exhibit 3.19). The model attributes include independence, competence, organizational structure, leadership,
and a proactive approach.

Exhibit 3.19: Model of Attributes for Effective Audit Committee

Independence (outside directors)


Competence (knowledge and understanding of accounting, auditing, and internal controls; critical thinkers)
Organizational Structure (reporting channels direct from internal audit function, external auditors, whistle
blowers)
Leadership (active, strong, decisive chair)
Proactive Approach

Audit committees need to be independent of management and even other board members in order to
effectively assess events, accusations, and risks. The main ingredient for an effective independence is
skepticism. Outside directors make it easier to provide both an appropriate degree of skepticism and
independence.

Members should also be competent. The entity should consider looking for outside directors, and locate
people who are well qualified in the area of financial accounting, auditing, internal controls, and risk 
assessment/management. But competence should also include critical thinking skills. Audit committee
members need to be able to sort through facts, exhibits, and circumstances to ascertain possible questionable
areas. They also need to ask tough questions and foresee situations that contain high risk. Lastly, competence
also includes experience; that is, experience being a board member for other organizations. Preferably
experience also means experience as either a member of an audit committee or similar experience in auditing,
security, risk, or internal controls. Thus a member of the audit committee should probably be the most
seasoned of the members of the board. However, one recent study [25] revealed just the opposite:

• Unlike their counterparts, audit committee directors, for the most part, had served on significantly
fewer other committees and for a shorter period of time on the corporate board, which implied they
were mere "babes in the woods."

The organizational structure of the committee is also important. Some firms allow any employee to contact
the audit committee anonymously to report suspicious behaviors, fraud, or illegal financial activities. Such a
committee therefore serves as an ethics committee for financial reporting, fraud, and security (see item 2 in
Exhibit 3.17). Whatever management can do to encourage reporting of these events and behaviors should be
done. The audit committee will then have the opportunity to possibly identify fraudulent activities before they
adversely affect the firm.

Leadership refers to the chair of the audit committee. As in most committees, the chair sets the tone for the
activities, approach (proactive vs. reactive), and behaviors of the group. The chair needs to be active
(proactive), strong (a capable leader and competent audit committee member), and decisive. These attributes
identify any good leader, but are essential for the audit committee to be effective.

Lastly, the audit committee needs to be proactive. The recent study by the FEI mentioned earlier shows that
more than half of the respondents polled—chief financial officers and corporate controllers—felt that the audit
committee needed to be more proactive. The same report suggests that audit committees need to challenge
management assumptions and ask tough questions. Coca-Cola Company has a good set of such questions [26]
that illustrate a proactive approach, questions the company's board asks the IA function each year:

• Are there any significant accounting judgments made by management in preparing the financial
statements that would have been made differently had the auditors themselves prepared and been
responsible for the financial statements?
• Based on the auditors' experience, and their knowledge of the Company, do the Company's financial
statements fairly present to investors, with clarity and completeness, the Company's financial position
and performance for the reporting period in accordance with GAAP and SEC disclosure
requirements?

• Based on the auditors' experience, and their knowledge of the Company, has the Company
implemented internal controls and internal audit procedures that are appropriate for the Company?

The model of attributes should empower the audit committee to serve its entity effectively in protecting the
assets, inspecting suspicious behaviors or activities, ensuring the integrity of financial reports, and generally
managing risks. There is also a list of attributes or situations to avoid—those that were common to the cases
of financial fraud in the COSO study. The study mentioned that one consistent factor with the fraud cases was
the absence of an effective audit committee. Often board members were neither independent (e.g., related to
executives or owners) nor capable of dealing with audits and internal controls. Together, these two lists
(Exhibits 3.18 and 3.19) will hopefully assist internal auditors in providing input into the board's decision
about its audit committee, and in providing information on how to effectively interact with the audit
committee.

One of the most effective techniques against fraud or crime is an internal audit function with a direct
connection to an audit committee on the board, where such committee members are able to understand and
respond to audit evidence, reports, or internal control weaknesses. (See Section 9.2 for additional information
on audit committees.)

ii. Information Technology Governance

Information technology governance is similar to corporate governance in its objectives and is a prime service
of ISACA. That organization defines IT governance as:

• the responsibility of the board of directors and consists of the leadership, organizational structures
and processes that ensure that the organization's IT sustains and extends the organization's strategies
and objectives.

The more an organization relies on IT, the more IT governance is necessary; or put another way, IT
governance becomes an integral part of corporate governance.


The objectives of IT governance are to (1) understand the issues and the strategic importance of IT, (2) ensure
that the enterprise can sustain its operations, and (3) ascertain it can implement the strategies required to
extend its activities into the future. The primary goal is to ensure that expectations for IT are met and IT risks
are mitigated. IT governance should address the following:

• Appropriate and adequate business and IT performance measures
• Appropriate and adequate business and IT outcome drivers
• IT strategic and alignment issues
• Best practices in IT governance
• Questions boards and management should ask

Questions such as "Is IT doing the right things?" "Are they doing them the right way?" "Are they being done
well?" and "Is the enterprise actualizing benefits from IT activities?" should be answered by IT governance
processes. IT governance should also lead to a structure through which the entity's overall objectives are set,
the method of attaining those objectives is outlined, and the manner in which performance will be monitored
is described. One performance measurement system being used is Balanced Scorecard (see Chapter 9).

Evidence of the need for IT governance is the number of chief executives who have criticized the benefits of
IT. [27] To promote IT governance, ISACA sponsors the IT Governance Institute and provides various support
documents and services. [28] This organization also promotes CobiT as another tool that assists management in
IT governance.

e. Logs and Auditability


The last control activities area is that of logs. The more an enterprise is dependent on systems, automation,
and computers, the more invisible audit trails tend to become. Therefore, it is imperative that the internal
control system has an adequate degree of controls related to electronic audit trails. One effective control is the
implementation of computer logs. Detailed computer logs should be evaluated (i.e., are they necessary, how
detailed the data should be) for access and log-in to the system, access and use of applications, access and use
of data, changes to data, changes to applications, and changes to the operating system. When electronic logs
cannot be generated, paper ones should be considered (e.g., changes in an application).

If the entity is connected to the Internet, logs become even more important. Logs should be used to track data
such as sites visited, files downloaded or uploaded, time spent on the Internet, etc. Sites visited could reveal
access to illegal sites, and have in the past (i.e., child pornography). Files downloaded could reveal viruses,
hacking tools, illegal software, or other types of files that are contrary to organizational policy or federal
regulations. Hacking tools might be an indication of an employee preparing to hack into the organization's
system.

Logs should be developed and implemented that will assist in safeguarding assets and ensuring compliance
with policy (e.g., computer usage). Logs are the enforcement control for policy, but the entity needs to make
sure employees are told such actions are being recorded and even have employees sign policies that have this
form of enforcement (e.g., e-mail policy).
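The kind of activity log called for above (who used which application and data, what they changed, and for how long), reviewed for audit-trail gaps and for changes made by someone whose duties should not include them, as an added example that is not from the book or from any real logging system. The log line format and the role table are constructed assumptions.

```python
"""Review of a constructed computer activity log: who used which application
and data, what they changed, how long each session lasted, and whether the
person's role permitted that change. Added illustration; not code from the
book or from any real logging system."""
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed role table (segregation of duties): operators may alter neither
# programs nor production data, developers may alter programs only, and
# application users may alter data only.
ROLES = {"clerk1": "user", "ops1": "operations", "dev1": "development"}
MAY_CHANGE = {"user": {"DATA"}, "operations": set(), "development": {"PROGRAM"}}

# Constructed log lines: timestamp user application action [kind target]
LOG_LINES = """\
2024-03-04T08:55:00 clerk1 AP LOGIN
2024-03-04T08:57:30 clerk1 AP CHANGE DATA vendor_master
2024-03-04T09:20:00 clerk1 AP LOGOUT
2024-03-04T10:02:00 ops1 AP LOGIN
2024-03-04T10:05:12 ops1 AP CHANGE PROGRAM ap_post.cbl
2024-03-04T10:06:00 ops1 AP LOGOUT
2024-03-04T11:30:00 dev1 AP CHANGE DATA vendor_master
""".splitlines()


def parse(line: str) -> dict:
    """Split one log line into its fields."""
    parts = line.split()
    rec = {"ts": datetime.fromisoformat(parts[0]), "user": parts[1],
           "app": parts[2], "action": parts[3]}
    if rec["action"] == "CHANGE":
        rec["kind"], rec["target"] = parts[4], parts[5]
    return rec


def review(lines: List[str]) -> Tuple[List[str], Dict[Tuple[str, str], List[int]]]:
    """Return audit findings and, per (user, application), session lengths in seconds."""
    findings: List[str] = []
    sessions: Dict[Tuple[str, str], List[int]] = {}
    open_since: Dict[Tuple[str, str], datetime] = {}
    for rec in map(parse, lines):
        key = (rec["user"], rec["app"])
        if rec["action"] == "LOGIN":
            open_since[key] = rec["ts"]
        elif rec["action"] == "LOGOUT":
            start = open_since.pop(key, None)
            if start is not None:  # how long the user used the application
                sessions.setdefault(key, []).append(int((rec["ts"] - start).total_seconds()))
        elif rec["action"] == "CHANGE":
            who = f"{rec['ts'].isoformat()} {rec['user']}"
            if key not in open_since:  # a change with no logged log-in is an audit-trail gap
                findings.append(f"{who} changed {rec['kind']} {rec['target']} outside a logged session")
            role = ROLES.get(rec["user"], "unknown")
            if rec["kind"] not in MAY_CHANGE.get(role, set()):
                findings.append(f"{who} ({role}) changed {rec['kind']} {rec['target']}: not permitted for role")
    for key, start in open_since.items():  # log-ins never closed are worth a look too
        findings.append(f"{key[0]} session on {key[1]} opened {start.isoformat()} and never logged out")
    return findings, sessions


if __name__ == "__main__":
    found, sess = review(LOG_LINES)
    for f in found:
        print("FINDING:", f)
    for (user, app), secs in sess.items():
        print(f"{user} used {app} for {sum(secs)} seconds in {len(secs)} session(s)")
```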

f. Segregation of Duties

Another primary objective of internal controls is the effective use of segregation of incompatible duties. This
proven technique for designing internal controls, policies, and especially organizational structures was
developed by accountants and auditors. Three rules to observe are to separate transaction authorization from
transaction processing, record-keeping from asset custody, and any series of transaction processing steps such
that a collusion of individuals would be necessary to commit fraud. Where segregation of duties is not
feasible, management should compensate by adding adequate supervision.

For example, one large tire reseller did not segregate duties. Because the firm had several locations, it made
use of a central tire warehouse. There was no security at the warehouse, and all salespersons had a key to it.
One salesman stole tires, drove to a nearby city, sold them to an acquaintance, and covered his tracks with
credit memos and phony invoices. No one suspected him, even though 75% of all credit memos came from
one individual (proof that management must review reports). The custody of the tires should have been
segregated from record-keeping of tire transactions (i.e., the sales force), and authorization of the credit
memos should have been separated from the processing. (See "Physical Controls" in this chapter for more
information.)
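The two review tests the tire reseller case points to, a concentration check on who issues credit memos and a check that the person processing a memo is not the one authorising it, run over a constructed credit memo file as an added example (not from the book or from any real system). The record layout and the 50% reporting threshold are assumptions.

```python
"""Analytical review of a constructed credit memo file for the two conditions in
the tire reseller case: concentration of credit memos in one person, and credit
memos processed by the same person who authorised them. Added illustration;
not code from the book or from any real system."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CreditMemo:
    memo_no: str
    invoice_no: str
    issued_by: str    # who processed (entered) the memo
    approved_by: str  # who authorised it
    amount: float


# Constructed credit memo file for one quarter.
CREDIT_MEMOS = [
    CreditMemo("CM-101", "INV-5001", "rsmith", "rsmith", 420.00),
    CreditMemo("CM-102", "INV-5004", "rsmith", "rsmith", 380.00),
    CreditMemo("CM-103", "INV-5010", "jdoe", "mgr1", 95.00),
    CreditMemo("CM-104", "INV-5012", "rsmith", "rsmith", 610.00),
    CreditMemo("CM-105", "INV-5015", "rsmith", "mgr1", 150.00),
    CreditMemo("CM-106", "INV-5019", "tkim", "mgr1", 60.00),
    CreditMemo("CM-107", "INV-5021", "rsmith", "rsmith", 505.00),
    CreditMemo("CM-108", "INV-5024", "rsmith", "rsmith", 330.00),
]


def concentration(memos: List[CreditMemo]) -> Dict[str, Tuple[float, float]]:
    """Share of credit memos by issuer, as (share of count, share of amount)."""
    counts = Counter(m.issued_by for m in memos)
    amounts: Counter = Counter()
    for m in memos:
        amounts[m.issued_by] += m.amount
    n, total = len(memos), sum(amounts.values())
    return {u: (counts[u] / n, amounts[u] / total) for u in counts}


def review_credit_memos(memos: List[CreditMemo],
                        share_threshold: float = 0.5) -> List[Tuple[str, str, str]]:
    """Findings as (type, reference, detail). The threshold is a constructed
    reporting line: any one issuer with at least that share of memos or value."""
    findings: List[Tuple[str, str, str]] = []
    for user, (count_share, amount_share) in sorted(concentration(memos).items()):
        if max(count_share, amount_share) >= share_threshold:
            findings.append(("concentration", user,
                             f"{count_share:.0%} of credit memos, {amount_share:.0%} of credit value"))
    for m in memos:
        if m.issued_by == m.approved_by:  # authorisation not separated from processing
            findings.append(("self-approved", m.memo_no,
                             f"issued and approved by {m.issued_by} for {m.amount:.2f}"))
    return findings


if __name__ == "__main__":
    for kind, ref, detail in review_credit_memos(CREDIT_MEMOS):
        print(f"{kind:14} {ref:8} {detail}")
```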

g. Investigation Procedures

Management must also consider what specific procedures should be employed to protect against internal
threats. Key positions, including executives, may require a background search.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 3.8  REV NO:  DATE:  TITLE: Malicious Activities  PAGES:

[16] See www.cert.org.

[17] See www.securityfocus.com.

[18] See www.incidents.org.

[19] BIND is one of the name services on the Internet—typically on Unix, Linux, etc.-based systems, though
Windows XP does support BIND now.

[20] See Internet Vulnerability U3 on the Top 20 List (see Exhibit 3.12).

[21] The information for this paragraph came from a web page at The Internet Storm Center's web site. The
page is located at www.incidents.org/isw/iswp.php.

[22] See www.incidents.org.

[23] Obviously, the SEC may or may not have adopted this ruling. Visit the IIA site www.theiia.org or the SEC
site www.sec.gov for clarification.

[24] SEC Release No. 34-42266, File No. S7-22-99. See URL www.sec.gov/rules/final/34-42266.htm.

[25] Nikos Vafeas, "On Audit Committee Appointment," Auditing: A Journal of Practice and Theory, Vol. 20,
No. 1 (March 2001).

[26] Connie McDaniel, vice president and controller of Coca-Cola Company, from a speech presented to the
AAA, August 13, 2001.

[27] For example, Jack Welch, former chairman of General Electric, said, "IT has been the longest running
disappointment in business in the last 30 years." World Economic Forum, 1997.

[28] See www.itgi.org.

3.8 Malicious Activities

A brief description of aspects of malicious activities will assist in the development of effective specific
controls. Areas to consider are computer crime, theft/financial fraud, and unauthorized access.

a. Crime and Misappropriation of Assets

Computer crime is becoming popular among those with a criminal mind. The average dollar value of a
computer crime is far greater than the average dollar amount taken in a bank robbery. But just as important,
internal auditors need to understand the subtle differences between various attackers and thieves as well as
typical profiles of these perpetrators. Almost all of these crimes are driven by (1) opportunity (control
weakness), (2) pressure (e.g., cash flow problems), and (3) rationalization.

i. Types of Crimes

Crimes associated with the theft of assets typically are carried out by employees. These frauds are conducted
by employees who have some pressure to steal (personal cash flow problems), accompanied by weak personal
ethics. If a weakness exists in the controls, the temptation can become too great for the employee to resist
stealing from the organization. The rationalization is often that either the employee works hard and deserves
the extra money, or he/she is "borrowing" the money and plans to repay it. One typical area for fraud and theft
is performance bonuses. Bonus targets can supply both the pressure and the rationalization mentioned earlier;
combined with weak personal ethics and an exposure (a control weakness), the result can be fraud and theft.

Another crime is financial fraud. By its very nature, it is virtually limited to executive management.
Management can come under pressure from such circumstances as economic problems in the firm (poor
performance of its stock on the open market). Because of their position, managers always have opportunity;
that is, they can override controls. The pressure to perform can be rationalized as "perform at any cost" and
lead to financial fraud.

Lastly, there are those who break in from the outside (see below). Some of these attackers come to steal, kill,
and destroy. Others come to play—possibly bringing a system down and making it unavailable. But all cause
damages and bring about costs. As such they are considered computer crimes (e.g., the laws against
spamming).

ii. Types of Criminals

Criminals can be broken down into different groups with specific profiles. The description of crimes above
includes a profile of the employee or manager who might commit a crime. The following describes the outside
criminals.

According to President Bush's Commission on Critical Infrastructure Protection, an estimated 19 million
people worldwide have the skills to engage in malicious hacking. [29] The profile of the author of the typical
DDoS (and other Internet security incidents) is a male, 13 to 15 years old, with a lot of computer intelligence
(neon hair and body piercing optional!). They usually begin malicious activities early. For example, Mixter (a
self-proclaimed "white hat") started learning computers at six and malicious activity at 14.

One way to think of the group of people who break into Internet systems is to subdivide it by the objectives
of the person. The groups are technically known as hackers, crackers, and script kiddies. The true "hacker"
(sometimes referred to as a "white hat" [30]) actually tries to do a service to the Internet community. Hackers
look for vulnerabilities and weaknesses, and then communicate the "hole" to the entity. These people enjoy
the intellectual challenge of their activities, and are technically defined as "hackers." [31] Even then, there
are rogues in this group. A contract employee at Intel went beyond the scope of his work, for which Intel
dismissed the white hat employee and had him arrested.

Traditionally, "hacker" was a term that carried a positive connotation, a badge of honor regarding one's
technical expertise. Then why is the popular press always referring to the "bad guys" as hackers? Because of
the media's ignorance of the technical definitions. These people are actually "crackers" [32] (sometimes
referred to as "black hats") whose intent is to steal or destroy. So although hacker and cracker are often used
interchangeably, they are in fact technically different sub-groups. It is the cracker who writes malicious code
such as DDoS.

The term "script kiddie" refers to young computer enthusiasts who usually download the malicious code (e.g.,
viruses, DDoS) generated by crackers, rather than author it, and conduct mischievous exploits on
unsuspecting entities, resulting in systems havoc. Most are not necessarily malicious, just bored. They are
similar to street gangs, having created a way to tag the Internet (viral code), having invented their own form of
graffiti (web site defacements), and having fought gang wars online (using thousands of remote PCs
controlled by Internet Relay Chat (IRC) bots). [33]

One example is a female (rare among script kiddies) from Belgium who authored Sharpei, one of the first .Net
viruses. She says writing these viruses and DDoS programs is "a form of art, just like other hobbies. Also, it's
a fun way to practice programming." This statement reflects the attitude, and demonstrates the problem, with
DDoS attackers. They do not see any real harm to their victims and are in it for the personal pleasure it brings.

b. Unauthorized Access and Authentication

Access control systems authenticate and verify users, usually by using one of three basic approaches to
security: (1) something you have, (2) something you know, and (3) something you are. [34] Specific controls
range from access cards/readers (something you have), to passwords or PINs (something you know), to
biometrics (something you are). The more risk that exists, the greater the need to consider a multi-faceted
access control system in order to maintain adequate security.

The most common authentication, authorization, and verification controls are password systems, firewalls, and
occasionally access cards or biometrics. The weakness of the former two methods is that they have been
compromised, and intruders have caused great harm and significant financial losses. The latter approach,
biometrics, has the potential to provide the greatest level of security because it involves something you are,
and because it can be more reliable than passwords or firewalls—especially stand-alone password or
firewall systems.

There is a difference between verification and identification. Verification is the process of confirming that the
person carrying the token (badge, card, password, etc., which is the claim of identity) is the rightful owner of
the token. Identification, on the other hand, is the recognition of a specific individual from among all the
individuals enrolled on the system. Ideally, access control systems would do both.

Passwords are the first line of defense in authenticating access to systems and data, and serve as a reasonably
effective preventive system. One strategy is to create multi-faceted passwords, especially where remote access
is frequent or e-commerce is employed. One current sophisticated approach is to generate password PINs over
very short time frames, sometimes less than a minute. When remote users log in, they check a beeper for the
most recent PIN and can only log in with both their password and the dynamic PIN. Another strategy is to
combine passwords with network administration such that a matrix is developed for access. The columns are
fields, files, or other data elements. The rows are users. The cells are accessibility: read-only (RO), read/write
(RW), or none. This matrix approach minimizes the exposure of data to internal users, narrowing
authorization and access. (See Exhibit 3.8 for a password model to assist in developing the access control
system.)
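The two controls just described (a password combined with a short-lived dynamic PIN, and a user-by-data-element matrix whose cells are RO, RW or none) can be sketched in code. The following is an added example written for this page, not code from the book or from any product it names; the user names, passwords, salts, token secrets, data elements and the 30-second PIN window are constructed assumptions. It shows a two-factor login followed by a default-deny matrix lookup, plus an exposure report of the kind an auditor would review when narrowing authorization.

```python
import hashlib
import hmac
import time

# Dynamic PIN lifetime, an assumed value: the text describes PINs regenerated over "very
# short time frames, sometimes less than a minute".
PIN_WINDOW_SECONDS = 30


def hash_password(password, salt):
    """Store only a salted, iterated hash of the password, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def dynamic_pin(pin_secret, now, step=0):
    """Six-digit PIN for the time window containing `now`, shifted by `step` windows.
    The user's token ("beeper") and the server share `pin_secret` and so agree on the PIN."""
    window = int(now // PIN_WINDOW_SECONDS) + step
    mac = hmac.new(pin_secret, window.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def verify_pin(pin_secret, now, presented):
    """Accept the current window or the one just before it (a PIN read off the token a few
    seconds before it rolled over still works); anything older is rejected."""
    return any(hmac.compare_digest(dynamic_pin(pin_secret, now, s), presented) for s in (0, -1))


def enrol(password, pin_secret, salt):
    return {"salt": salt, "pw_hash": hash_password(password, salt), "pin_secret": pin_secret}


# Constructed enrolment records: user names, passwords, salts and token secrets are hypothetical.
USERS = {
    "apayne": enrol("correct horse battery", b"token-secret-a", b"salt-a"),
    "jsmith": enrol("staple paperclip", b"token-secret-j", b"salt-j"),
}


def authenticate(user, password, pin, now=None):
    """Two factors: something you know (password) and something you have (the token's PIN).
    Both checks always run for an enrolled user, so a rejection does not say which factor failed."""
    now = time.time() if now is None else now
    rec = USERS.get(user)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])
    pin_ok = verify_pin(rec["pin_secret"], now, pin)
    return pw_ok and pin_ok


# Access matrix: rows are users, columns are data elements, cells are "RO", "RW" or None.
ACCESS_MATRIX = {
    "apayne": {"ar_master": "RW", "credit_memos": "RO", "payroll": None},
    "jsmith": {"ar_master": "RO", "credit_memos": "RW", "payroll": None},
    "hrlee":  {"ar_master": None, "credit_memos": None, "payroll": "RW"},
}
ALLOWED_CELLS = {"read": {"RO", "RW"}, "write": {"RW"}}


def authorize(user, element, operation):
    """Matrix lookup with default deny: an unknown user, element or empty cell grants nothing."""
    cell = ACCESS_MATRIX.get(user, {}).get(element)
    return cell in ALLOWED_CELLS[operation]


def exposure_report():
    """Every granted cell, for the auditor's periodic review of who can reach what."""
    return sorted((u, e, c) for u, row in ACCESS_MATRIX.items() for e, c in row.items() if c)


if __name__ == "__main__":
    now = time.time()
    pin = dynamic_pin(USERS["apayne"]["pin_secret"], now)  # what the token would display
    print("login:", authenticate("apayne", "correct horse battery", pin, now))
    print("apayne may write credit memos:", authorize("apayne", "credit_memos", "write"))
    for granted in exposure_report():
        print(granted)
```

The matrix is deliberately explicit: a cell that is not present is the same as none, so adding a new user or data element grants nothing until someone decides otherwise, and the exposure report is the list the auditor compares against job descriptions.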

Although they appear to be much less expensive than biometric systems, password systems might cost an
organization. This cost usually happens in two ways: passwords that are forgotten and passwords that are
stolen. The former requires time and resources to reset passwords. The latter is a security breach and can be
much more costly if the system is compromised. Since the human brain is not a perfect storage system when it
comes to complicated and long letter-number combinations, the more sophisticated passwords might be
forgotten. In such situations, the password needs to be reset and a new password must be created. According
to Mandylion Research Labs, resetting a password security system of a company with 100 workers would cost
$3,850 per year. If the company has 1,000 authorized personnel, the same process would cost up to $38,500
per year!

For remote access, one control might be the use of call-back systems. If remote access is stationary (i.e., the
same person always accesses the system from the same phone), then this technique works well. Once a user
logs in from a remote location, the system hangs up the line and calls back on a pre-determined phone number.
Where call-back systems are impractical, multi-faceted password systems should be employed—maybe
biometrics.

The most common biometric devices used for access control are fingerprint scanners, although facial and iris
scanners and voice recognition systems are increasing in use. [35] Fingerprint scanners come in a variety of
formats, from stand-alone devices to readers built into keyboards and mice. They are unobtrusive,
inexpensive, and, essentially, they work. For example, the public benefits administrators in Texas and New
York claim fingerprint identification has virtually eliminated fraud in their programs. [36]

But of all types of biometrics available, the most practical—the best solution—for access control appears to
be fingerprint recognition or keystroke recognition biometric systems. Keystroke recognition systems are
trained to recognize the unique features of a person entering his/her password. Because it is only software, it is
less expensive and easier to operate than fingerprinting and other biometrics. The fingerprint option should be
considered as part of a smart card plus fingerprint plus password method—versus a stand-alone fingerprint
system (if the risks warrant such a sophisticated access system). This system would provide a high level of
reliability with a high level of user acceptance, and a relatively low level of cost. Such systems are also readily
available in the market.

Of special importance is the emerging trend toward integration of biometrics into networks and systems. More
time is being spent on integrating biometrics into existing processes and applications, where feasible and
applicable, and into network access control systems. Biometric systems are becoming a commodity item, and
this progression leads to a potentially enhanced level of interoperability, something the biometric industry
needs. In recent months, an increasing number of devices, such as notebook computers and computer
keyboards, now come equipped with integral biometric fingerprint readers, and some with smartcard readers
as well, plus several variants of biometric mice. [37] This area provides a lot of promise for all concerned with
InfoSec.

SAM POLE COMPANY  Corporate Audit Department Procedures Manual
NO: 3.9   REV NO:   DATE:
TITLE: Specific Controls/CAATTs   PAGES:

[29] According to Computer Emergency Response Team. See "Combating Cyberthreats: Partnership Between
Public and Private Entities," E. Lee, Information Systems Control Journal, Vol. 3, 2002.

[30] They are called "white hats" because (a) they have obtained prior permission to "hack," (b) hacking is a
part of their job description and they are an employee, (c) they have a contract to conduct a pen test (specific
domain, specific time frame), and (d) they have an engagement letter to conduct the pen test.

[31] See technical definition of hacker at www.pcwebopedia.com/TERM/h/hacker.html.

[32] See technical definition of cracker at www.pcwebopedia.com/TERM/c/crack.html. Likely a reference to
safe crackers.

[33] According to ZDNet associate editor Robert Vamosi. See "Can We Stop Script Kiddies? Yes! Here's
How," ZDNet Reviews, May 15, 2002, online at www.zdnet.com.

[34] Liu & Silverman, "A Practical Guide to Biometric Security Technology," IEEE Computer Society. Online
at www.computer.org/itpro/homepage/Jan_Feb/security3.htm.

[35] "The Lowdown on Biometrics," Government Computer News, 08/12/02. Online at
www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=19567.

[36] Mark Kellner, "Digital Security," Government Computer News, 08/12/02. Online at
www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=19565.

[37] Julian Ashbourn, "Biometrics: Making the Right Impression," SC Magazine, June 2002, pp. 58–63.

3.9 Specific Controls/CAATTs

One resource for internal auditors in developing an effective internal control system is proven controls and
CAATTs, which include people, techniques, and models.

People would include the use of experts and professionals in the IA function, whether the corporation has a
separate internal audit department, outsources the function, or relies on external auditors for the function.
Regardless, management should make sure someone or some group is responsible for the internal audit
tasks—primarily the design, development, implementation, and examination of the corporate internal control
system. Management should require an appropriate certification of those to whom it entrusts its internal
controls system. Some applicable certifications include: Certified Internal Auditor (CIA from IIA), Certified
Information Systems Auditor (CISA from ISACA), Certified Information Technology Professional (CITP
from AICPA), Certified Information Systems Security Professional (CISSP from International Information
Systems Security Certification Consortium—ISC2), and Global Information Assurance Certification (GIAC
by the SANS Institute).

Proven techniques include some already mentioned, such as an audit committee made up of qualified people
who are independent of owners and executive management.

a. Monitoring Systems
One of the best detective tools is a good monitoring system. Examples are intrusion detection systems, passive
logs, and traffic monitors. Intrusion detection systems are designed to detect crackers or hackers as they try to
gain unauthorized access to the company's system. Steve Gibson reported 500,000 attempts a day detected at
his site when a 15-year-old hacker got mad at him. [38] His intrusion detection system worked better than most
because he is an elite expert, but he wrote an open letter to hackers and admitted that his system could not
withstand a direct ongoing assault by hackers. Traffic monitors provide information to techies that will
indicate adverse activity such as a denial of service attack. They simply graph certain technical aspects of
Internet activities and traffic, and visually indicate potential problem areas. The Internet storm watcher is one
example of a broader monitoring system—monitoring activity of the Internet as a whole. Passive logs can
provide data that could help detect or correct adverse attacks after the fact.

b. Firewalls
Any server connected to the Internet should also have a firewall as a preventive scheme. A firewall is one or
more elements such as software, hardware, or techniques that inhibit unauthorized activities from external
users. A variety of firewall defenses can be combined, and should be, with the level of risk in mind.
The higher the risk probability and cost, the more complex and expensive the firewall needs to be.

c. Generalized Audit Software

Using generalized audit software (GAS)—such as ACL, IDEA, PanAudit Plus, and others—has proven to be
of immense value for internal auditors in detecting irregularities and fraud in computer systems. Audit
software is also valuable in auditing operations. Using GAS and CAATTs is more than extracting data,
dumping the data into a spreadsheet, sorting the data, producing a report (information), and manually
reviewing the paper copy. CAATTs use these steps as the precursor to the real work: the critical analysis of
data. Using GAS can bring both effectiveness (quality of the audit) and efficiency (significant productivity
increases) to the IA function, and indeed has for many IA shops. One of the major benefits is the fact that
auditors are able to examine all of the records, not just a sample. To use CAATTs or GAS, the internal auditor
should follow these steps:

1. Set the audit objectives.
2. Meet with the owner of the data and a programmer.
3. Formally request the data.
4. Create or build the input file definition of the GAS.
5. Verify data integrity for the data imported.
6. Gain an understanding of the data.
7. Analyze the data.

In the fifth step, verify data integrity, it is helpful to ask for a printout of the first 100 records along with the
data. Once the data is fully imported and ready, a review of these 100 records can establish some reasonable
reliability of the data set. The use of batch controls is very useful for this purpose, especially if the auditor can
establish those controls from the live data. In the sixth step, this understanding can generally be gained by
running some standard overview commands such as COUNT, STATISTICS, CLASSIFY, STRATIFY, and so
on, on the data set.

An internal auditor might run these types of tests:

• Reasonableness
• Completeness
• Gap
• Duplication
• Period-to-period (trends)
• Regression analysis
• Statistical analysis
• Transaction matching
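Steps 5 through 7 above, together with four of the tests just listed (gap, duplication, completeness, reasonableness), carried out on a constructed invoice extract. This is an added example written in Python for this page; it is not code from the book and does not use ACL's or IDEA's own command languages, although the function names echo the overview commands the text mentions (COUNT, STATISTICS, CLASSIFY, STRATIFY). The batch controls are verified on import before any analysis is trusted. The CSV rows, field names, amounts and batch totals are constructed, and the extract deliberately contains one gap, one duplicate, one blank amount and two out-of-range amounts.

```python
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed extract as the data owner might deliver it, with the batch controls supplied alongside.
INVOICE_CSV = """\
invoice_no,customer,amount,date
1001,ACME,250.00,2002-06-03
1002,ACME,980.50,2002-06-03
1003,BOLT,75.25,2002-06-04
1005,CRANE,1200.00,2002-06-04
1006,BOLT,75.25,2002-06-05
1006,BOLT,75.25,2002-06-05
1007,ACME,,2002-06-06
1008,CRANE,-40.00,2002-06-07
1009,DELTA,15000.00,2002-06-07
"""
BATCH_CONTROLS = {"record_count": 9, "amount_total": Decimal("17616.25")}


def load(csv_text):
    """Step 4: a fixed input file definition. Amounts become Decimal (never float for money);
    a blank amount becomes None so that completeness testing can find it."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        records.append({
            "invoice_no": int(row["invoice_no"]),
            "customer": row["customer"].strip(),
            "amount": Decimal(row["amount"]) if row["amount"].strip() else None,
            "date": row["date"],
        })
    return records


def amounts(records):
    return [r["amount"] for r in records if r["amount"] is not None]


def verify_batch_controls(records, controls):
    """Step 5: recompute the record count and hash total and compare with the controls delivered."""
    return {
        "record_count": len(records) == controls["record_count"],
        "amount_total": sum(amounts(records), Decimal("0")) == controls["amount_total"],
    }


def count(records):
    return len(records)


def statistics_cmd(records, field="amount"):
    """Step 6 overview: n, min, max, total and mean of a numeric field, ignoring blanks."""
    vals = [r[field] for r in records if r[field] is not None]
    total = sum(vals, Decimal("0"))
    return {"n": len(vals), "min": min(vals), "max": max(vals), "total": total, "mean": total / len(vals)}


def classify(records, field):
    """Step 6 overview: record count per distinct value of a character field."""
    return Counter(r[field] for r in records)


def stratify(records, field, bounds):
    """Step 6 overview: record count per numeric band [bounds[i], bounds[i+1]), plus below/above."""
    bands = Counter()
    for v in (r[field] for r in records if r[field] is not None):
        if v < bounds[0]:
            bands["below"] += 1
            continue
        for lo, hi in zip(bounds, bounds[1:]):
            if lo <= v < hi:
                bands[f"{lo}-{hi}"] += 1
                break
        else:
            bands[f">={bounds[-1]}"] += 1
    return bands


def gap_test(records, key="invoice_no"):
    """Step 7: sequence numbers missing between the lowest and highest seen."""
    seen = {r[key] for r in records}
    return [k for k in range(min(seen), max(seen) + 1) if k not in seen]


def duplicate_test(records, key="invoice_no"):
    """Step 7: key values that occur more than once."""
    return sorted(k for k, n in Counter(r[key] for r in records).items() if n > 1)


def completeness_test(records, fields):
    """Step 7: invoices with a blank in any of the required fields."""
    return [r["invoice_no"] for r in records if any(r[f] in (None, "") for f in fields)]


def reasonableness_test(records, low, high, field="amount"):
    """Step 7: invoices whose amount falls outside the range the auditor considers plausible."""
    return [r["invoice_no"] for r in records if r[field] is not None and not (low <= r[field] <= high)]


if __name__ == "__main__":
    recs = load(INVOICE_CSV)
    print("batch controls:", verify_batch_controls(recs, BATCH_CONTROLS))
    print("COUNT:", count(recs), "STATISTICS:", statistics_cmd(recs))
    print("CLASSIFY:", classify(recs, "customer"), "STRATIFY:", stratify(recs, "amount", [0, 100, 1000, 10000]))
    print("gaps:", gap_test(recs), "duplicates:", duplicate_test(recs))
    print("incomplete:", completeness_test(recs, ["amount"]), "unreasonable:", reasonableness_test(recs, 0, 10000))
```

Note that the batch controls agree even though the file contains a duplicate row and a negative amount: control totals prove the extract matches what was sent, not that the data is clean, which is why the step 7 tests still run over every record rather than a sample.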

d. Other Potential Controls/CAATTs

Other CAATTs include the following, which is not an exhaustive list, and some of which have been discussed
previously in this chapter:

• Embedded audit modules
• Artificial neural networks
• System development life cycle
• Librarian
• Passwords
• Biometrics
• Intrusion detection system
• Firewalls
• Anti-virus software
• Digital certificates
• Digital signatures
• Encryption
• Proposed XBRL system
• Disaster recovery plan/business recovery plan (see Exhibit 3.10)
• Incident response plan

[38] Steve Gibson is the founder of Gibson Research Corporation, frequent writer and speaker on high-tech
topics, and is considered a pioneer in the Internet and its technologies. See Gibson's open letter to the hacker
and his report of the incident at his corporate web site: www.grc.com.

References

Colbert, Janet L. and Paul L. Bowen. "A Comparison of Internal Controls: CobiT, SAC, COSO, and SAS
55/78," ISACA, www.isaca.org/bkr_cbt3.htm.

Committee on Sponsoring Organizations, www.coso.org.

Schneider, Gary P. and James T. Perry. Electronic Commerce. Course Technology: Stamford, Conn., 2000 (2 × 2
security overview, Exhibit 3.1).

Information Systems Audit and Control Association, www.isaca.org.

Institute of Internal Auditors, www.theiia.org.

Institute of Internal Auditors, Standards for the Professional Practice of Internal Auditing (SPPIA),
www.theiia.org/ecm/guide-stand.cfm?doc_id=124.

Hall, James. Information Systems Auditing and Assurance. South-Western College Publishing, 2000.

Singleton, T. "An Empirical Investigation of IS Audits and Software Piracy," Information System Audit &
Control Journal, Vol. VI, 1997, pp. 32–41.

Singleton, T. "Stop Fraud Cold With Powerful Internal Controls" (Building an Internal Control Environment
to Enhance Corporate Strategies), Journal of Corporate Accounting and Finance (Wiley), Vol. 13, Issue 4
(May/June 2002), pp. 29–39.

Singleton, T. "Effective Audit Committees for Cooperatives: Part I—What, Why and How," The Cooperative
Accountant, Summer 2002, pp. 22–30.

Singleton, T. "Managing the Most Critical Internet Security Vulnerabilities: One Effective Approach,"
EDPACS, Vol. XXX, No. 2 (August 2002), pp. 1–11.

Singleton, T. "Managing Distributed Denial of Service Attacks," EDPACS, Vol. XXX, No. 5 (November
2002), pp. 7, 9–20.

Singleton, T. "Biometric Security Systems: The Best InfoSec Solution?," EDPACS, forthcoming (January or
February 2003).

Endnotes
1. See www.coso.org.

2. See www.isaca.org/cobit.htm.

3. This paragraph is from the ISACA web page on CobiT at www.isaca.org.

4. See www.isaca.org.

5. An exposure draft exists that will change the principles to: (1) security, (2) availability, (3) processing
integrity, (4) online privacy, and (5) confidentiality.

6. See Exhibit 3.1 for a full diagram of Sections 3.5 through 3.9.

7. www.cert.org/present/cert-overview-trends/module-6.pdf .

8. SAS No. 78 revised SAS No. 55—the same topic.

9. See www.cert.org.

10. See www.sans.org.

11. See www.securityresponse.symantec.com/avcenter or www.norton.com.

12. See www.ciac.org/ciac by U.S. Department of Energy.

13. See www.securityresponse.symantec.com/avcenter/ or www.norton.com.

14. See www.cert.org.

15. See www.securityfocus.com.


16. See www.incidents.org.

17. BIND is one of the name services on the Internet—typically on Unix, Linux, etc.-based systems, though
Windows XP does support BIND now.

18. See Internet Vulnerability U3 on the Top 20 List (see Exhibit 3.12).

19. The information for this paragraph came from a web page at The Internet Storm Center's web site. The
page is located at www.incidents.org/isw/iswp.php.

20. See www.incidents.org.

21. Obviously, the SEC may or may not have adopted this ruling. Visit the IIA site www.theiia.org or the SEC
site www.sec.gov for clarification.

22. SEC Release No. 34-42266, File No. S7-22-99. See URL www.sec.gov/rules/final/34-42266.htm.

23. Nikos Vafeas, "On Audit Committee Appointment," Auditing: A Journal of Practice and Theory, Vol. 20,
No. 1 (March 2001).

24. Connie McDaniel, vice president and controller of Coca-Cola Company, from a speech presented to the
AAA, August 13, 2001.

25. For example, Jack Welch, former chairman of General Electric, said, "IT has been the longest running
disappointment in business in the last 30 years." World Economic Forum, 1997.

26. See www.itgi.org.

27. According to Computer Emergency Response Team. See "Combating Cyberthreats: Partnership Between
Public and Private Entities," E. Lee, Information Systems Control Journal, Vol. 3, 2002.


28. They are called "white hats" because (a) they have obtained prior permission to "hack," (b) hacking is a
part of their job description and they are an employee, (c) they have a contract to conduct a pen test (specific
domain, specific time frame), and (d) they have an engagement letter to conduct the pen test.

29. See technical definition of hacker at www.pcwebopedia.com/TERM/h/hacker.html.

30. See technical definition of cracker at www.pcwebopedia.com/TERM/c/crack.html. Likely a reference to
safe crackers.

31. According to ZDNet associate editor Robert Vamosi. See "Can We Stop Script Kiddies? Yes! Here's
How," ZDNet Reviews, May 15, 2002, online at www.zdnet.com.

32. Liu & Silverman, "A Practical Guide to Biometric Security Technology," IEEE Computer Society. Online
at www.computer.org/itpro/homepage/Jan_Feb/security3.htm.

33. "The Lowdown on Biometrics," Government Computer News, 08/12/02. Online at
www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=19567.

34. Mark Kellner, "Digital Security," Government Computer News, 08/12/02. Online at
www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=19565.

35. Julian Ashbourn, "Biometrics: Making the Right Impression," SC Magazine, June 2002, pp. 58–63.

36. Steve Gibson is the founder of Gibson Research Corporation, frequent writer and speaker on high-tech
topics, and is considered a pioneer in the Internet and its technologies. See Gibson's open letter to the hacker
and his report of the incident at his corporate web site: www.grc.com.

Part II: Management and Administration

Chapter List
Chapter 4: Department Organization
Chapter 5: Personnel, Administration, and Recruiting

Chapter 4: Department Organization

Overview

SAM POLE COMPANY  Corporate Audit Department Procedures Manual
NO: 4.1   REV NO:   DATE:
TITLE: Introduction   PAGES:

4.1 Introduction
In order to achieve the goal of a world-class internal audit (IA) organization, standardized procedures must be
developed and followed by the staff.

Setting high standards will ensure that your department's work will be of sufficient quality to satisfy your
mission and enable reliance by your independent auditors. Development of each auditor's individual
professionalism can be greatly enhanced by understanding the company's expectations and being evaluated on
compliance with approved departmental procedures.

a. Strategic Objectives
Internal audit consists of people and procedures. In order to maximize the productivity of a group, the group
needs a mission and consistent procedures to attain departmental goals. This procedures manual, and this
chapter in particular, provides a place to state the department mission and document departmental procedures
to attain that mission. All organizations need a mission. They also need goals—short-term and
long-term—that can be linked directly to the mission of the organization. Other elements of management
include feedback and mentoring, resources and training, and rewards. These elements can all be documented
in a procedures manual.

i. Mission Statement

While each organization will need to personalize its own mission statement, the following is a general
statement that might apply or could be modified to apply:

• The internal audit department will enhance corporate viability and/or profitability by providing
management with expertise in developing and maintaining an effective control environment,
conducting efficient and effective audits, and building a quality IA department that will contribute to
the corporate mission.

From the mission statement, the IA department (in conjunction with management) should establish strategic
objectives to reach the mission. One example is: The department will strive to achieve world-class procedures
and quality of services by adhering to professional standards, best practices, and proven quality improvement
techniques. Another example is the actual mission statement of JPMorganChase, from the merger on
December 31, 2002:

• The General Auditor and his global team are the Corporation's independent control assessment
function, accountable for providing the Audit Committee, the Chairman, senior management, and
regulators with reasonable assurance that the system of internal control achieves its objectives.
Auditing's mission is to foster a continuous self-checking control environment in partnership with
senior management to identify opportunities to ensure the adequacy of the risk management and
internal control processes. Auditing's primary objective is to identify emerging issues, detect control
deviations, and track management's corrective actions.

Long-term and short-term goals should be linked to the mission statement. Mission statements are critical
components of most quality improvement programs (see Section 9.4). Therefore, it is obvious that the first
step in establishing the internal audit department is to develop an appropriate mission statement.

ii. Why a Procedures Manual

The mission statement, objectives, goals, and procedures of the internal audit department need to be
documented in such a way that the resulting document can be used as a reference manual. Auditor and
manager turnover is unavoidable. An appropriate manual will allow for smooth transitions. It will also
document questions about issues such as travel and other policies. But it is also a dynamic entity, and should
be updated with a conscientious approach to being current, correct, and consistent (e.g., with professional
standards, with itself, with corporate policies and goals).

iii. Major Challenges of the Department

We have said that internal auditing involves people and procedures. In most cases, the procedures involve
reviewing and evaluating controls, efficiency, effectiveness, and other aspects of the business. Efficiency
generally relates to measures of operations or delivery of services, especially as a ratio of inputs to outputs.
Effectiveness is a measure of how well the organization meets its goals. Effectiveness usually focuses on
strategy and improvements to decision making.

The review process creates at least two factors for audit management to consider. The first is the difficulty in
measuring internal audit productivity, and the second factor relates to the potentially negative nature of the
auditing business. Both of these factors must be addressed in a progressive internal audit department.

Auditor productivity requires the development of a proactive spirit, a high degree of professionalism, and
measurement techniques, including budgets and time reporting. The methodology contained in this manual
includes a conscientious attempt to address all of these areas. Budgets are important. Time
reporting—although a laborious task—is necessary to properly analyze productivity. A proactive spirit and
professionalism must be instilled in all staff members through the department's professional development
program.

Auditors can reach beyond the negative aspects of the auditing business. A modern audit department
proactively seeks positive deliverables from within the work of the organization. This effort may involve the
development of preventive control procedures, and the recommendation of these to auditees before audits. The
overreaching goal of the audit program should be to improve the control environment within the company
(refer to the mission statement). It should not be to catch company units or individuals in violation of control
procedures. It is critical that the audit department develop a "work with" attitude within the organization.

b. Essence of Internal Auditing


One of the major challenges of audit management is contributing to the organization's mission. It is often
noted that internal auditors do not create, make, find, or deliver the organization's products or services. How
does internal audit fit into the organization's mission? If audit programs were suspended, what would be the
short-term and long-term effects?

Company management will periodically examine the contribution of the internal audit program. Will your
function pass this test? Unlike functions that produce products or services, audit results may be more difficult
to measure. How is productivity of the internal audit function measured? Does your audit function have the
internal system to measure and improve internal audit productivity? Other areas of organizations, and
businesses in general, are monitored and pushed to greater limits and improvements in quality; why not
internal audit?

All too frequently, audit management becomes lax. Decisions to spread out and space out audits are all too
easy. These types of issues do not exist in other functions: shipping is measured monthly, sales sometimes
daily, accounting reports are issued monthly. With audit management comes the responsibility to push for
greater volume, efficiency, and effectiveness (see definitions of each above). Audit management needs to
employ any and all tools and procedures to measure and improve productivity. All of these procedures and
methodologies should be carefully developed, documented in your procedures manual, and built into your
audit culture.

What happens if you become lax? Management does not look at internal audit every day, month, or quarter.
Over time, an impression is recorded on the effectiveness and efficiency of the internal audit function. In
many cases, change is made in dramatic fashion by changing audit management, or by eliminating, reducing,
or outsourcing the function. The fact that all appears quiet may be only a warning for an impending storm.

Measuring efficiency in internal audit is generally a simple and feasible process. Measuring the inputs—labor
hours or some other quantitative measure—is relatively simple. But outputs need to take on relevance to the
organization rather than being reduced to a simple count of audits conducted, and they should not be ignored
in favor of quantifying inputs alone. Effectiveness is quite different. Based on the definition of effectiveness, management of internal audit
should first establish a reasonable, achievable, and relevant mission statement, with appropriate
accompanying goals and strategies (both must be measurable). This mission should be compatible with the
organization, culture, management's goals and objectives, and professional responsibilities. Then effectiveness
becomes a measure of how well internal audit accomplishes the mission, as measured by how well it is
reaching its goals associated with the mission statement. This measure is the one with which corporate
management will be most concerned.

To function effectively, internal auditors and the customers of audit services should possess a similar
understanding of what makes internal auditing a value-added activity. Failure to reach this understanding
could result in the perception that internal audit is simply an obstacle to achieving production objectives. This
perception can result in underutilized audit services and ignored audit recommendations. [1] It is imperative
that IA staff members articulate the mission of the IA function to its stakeholders effectively to avoid this
unproductive environment.

c. Quality Assurance Reviews of Internal Audit


Recently, quality assurance reviews of internal audit functions have been on the rise. This internal or external
review is a very positive development for internal auditing as a profession. To some extent, this trend is
encouraged by the very nature of internal audit and the concern on the part of management about internal
audit effectiveness and efficiency.

Every dollar spent on internal audit is a dollar not earned on the bottom line. Why not challenge the spending,
as is the case in other areas of the company? (Chapter 9 proposes a full quality assurance program
administered by audit management.)

d. Outsourcing Internal Audits


In the 1990s, a manifestation of the concern of management about the effective use of corporate resources for
internal auditing was the ever-expanding trend toward outsourcing the internal audit function.

As noted earlier, internal auditing management requires a proactive approach, good personnel, personal
development programs, structured procedures, a mission, short-term and long-term objectives, quality
assurance reviews, productivity measures, and so on. However, there is no simple measurement tool such as
units booked, units shipped, financial statements produced on time with accuracy each month,
comparable-store sales versus last year, capacity utilization, and so forth.

Audit contribution is very difficult to measure! Therefore, when management is offered a simple, perhaps less
expensive approach, it will be seriously considered. Is internal audit an organization's core competency? Can
it be more efficiently and effectively implemented by an organization dedicated to internal audit as a core
competency? These are questions currently being explored by many organizations.

Clearly, there are many factors involved in the decision to outsource all or part of an internal audit function. A
major element is size and ability to maintain various specialized skill sets, such as information systems (IS)
audit. In smaller organizations, outsourcing of general IS audit may be effective and efficient. In larger
organizations, with IS audit staffs, outsourcing certain very technical audits may be the advisable course of 
action. Outsourcing should be considered during the departmental planning process. That is, if there is a need
for technical competencies not immediately available in the staff (e.g., Internet, encryption, intrusion
detection), audit management should consider whether to outsource or develop the skill internally.

The Institute of Internal Auditors (IIA) issued a report entitled, "Perspective on Outsourcing Internal
Auditing." In it, the IIA takes the following view:

• The IIA's perspective is that internal auditing is best performed by an independent entity that is an
integral part of the management structure of an organization. The IIA states unequivocally that a
competent internal auditing department that is properly organized with trained staff can perform the
internal auditing function more efficiently and effectively than a contracted audit service.
• Internal auditing by definition should be internal and integral to the organization, and the internal
auditing department should be staffed with professional internal auditors who adhere to the Standards
for the Professional Practice of Internal Auditing and the related Code of Ethics. One of the best
evidences of internal auditing competence is the Certified Internal Auditor (CIA) designation.
• Most internal auditors are degreed professionals. In fact, many hold advanced degrees and have
acquired specialized skills related to the organization for which they work. These professionals are
aware of their responsibilities with regard to the organization and the Standards.
• The key proficiency of internal auditors is internal control in its broadest sense. Internal auditors
provide management and the board of directors with competent evaluations of an organization's
system of internal control and the quality of performance of assigned responsibilities regarding the
reliability and integrity of information, compliance with laws and regulations, the safeguarding of
assets, the economical and efficient use of resources, and accomplishment of goals and objectives.
• Several common themes recur in control models, such as the Committee of Sponsoring Organizations
(COSO) of the Treadway Commission, Criteria of Control Committee of the Canadian Institute of
Chartered Accountants (CICA), and Cadbury Committee: "Internal control is management's
responsibility; tone from the top is important; controls must be built in not on; and internal
communication and people development are critical elements of the control framework." Internal
auditors' value and effectiveness are linked not only to their attunement to management's philosophy
and direction, but to their understanding of internal control and their direct knowledge of operating
systems that are often in flux.
• Internal auditors are in touch with governance issues and are intimately acquainted with their
organization's policies, procedures, operating practices, and personnel. They are able to devote their
full attention and loyalty to the organization and to identify subtle changes and ambiguities that may
signal trouble. Internal auditors can respond immediately to the concerns of senior management
because they are familiar with their organizations' culture and processes, and their status as
employees ensures confidentiality and loyalty.
• As long as internal auditing staffs are highly skilled, efficient, and responsive to management,
organizations are best served by keeping the internal auditing function internal.
The Enron fraud and disaster (bankruptcy) of 2001 also lends credence to the IIA's stance. Enron was
questioned for its outsourcing of the internal audit function, and the possible loss of independence when its
external auditor firm, Arthur Andersen, was awarded the outsourcing of the internal audit function.

ISACA Standards provide guidance on issues related to outsourcing. Standard #010.010.020 says in
section 2.1.1: "Where any aspect of the IS function has been outsourced to a service provider, these services
should be included in the scope of the audit charter." Section 2.1.2 further states: "The Audit Charter should
explicitly include the right of the IS Auditor to (1) review the agreement between the service user and the
service provider (pre-effect or post-effect), (2) carry out such audit work as is considered necessary regarding
the outsourced function, and (3) report findings, conclusions, and recommendations to service user
management." Thus outsourcing is something to be considered during the development of the audit charter
(see "Corporate Audit Charter" in this chapter).

e. Control Self-Assessment

In the 1990s, in reaction to the ever-expanding requirements for internal audit services and the need to control
overhead costs, internal audit groups have been turning to control self-assessment (CSA) reviews, also known
as self-audits. CSA reviews are performed by line managers under the direction of the internal audit program.
Most line managers are concerned about controls over their operations and have a basic knowledge of control
issues related to their function of operation. Of course, CSA is not performed by individuals independent of 
the operations under review and, therefore, will only supplement, not replace, internal audit activities.

In the current marketplace, all organizations are affected by global competition, as well as demands for greater
accountability. Customer-focused organizations are attempting to reengineer systems and eliminate activities
that do not add value to customers. These programs are changing business processes very rapidly, and in some
cases, reducing the internal control systems. At the same time, the profession of internal auditing, through the
IIA and other professional organizations including the American Institute of Certified Public Accountants
(AICPA) and the Financial Executives International (FEI), has redefined internal control with a broader,
more detailed definition, adding to the work of internal audit.

In this period of rapid change, CSA has arisen as a means of raising control awareness and coverage. This
innovative approach provides the internal audit department with an opportunity to meet its audit customers'
(management's) needs while controlling auditing costs.

CSA, or self-auditing programs, are usually built around self-audit questionnaires or audit programs. CSA
programs are initiated by sending a letter about the program to line or operating managers explaining how the
program will work, what their responsibilities will be (completion of the self-audit appraisal questionnaire)
and how the information will be used by the internal audit department. The letter should point out that the
information will not only be reviewed, but will also be verified during subsequent audits.

A member of the audit department at the supervisor or manager level will review the CSA response and
follow up on noted significant control weaknesses immediately if deemed necessary. All less significant
issues will be followed up at the point of the next audit. The CSA reports will also be integrated into the audit
planning process. It is advisable to assign a supervisor or manager who is acquainted with the subject
operations and/or who will be assigned to subsequent audits. Over time, locations or operations subject to
CSA reviews can be considered for extended audit intervals or lower risk assessments in the three-year plan.
This process will have the effect of reducing the audit time and travel expenses. Of course, the quality of the
CSA document and the seriousness with which local management implements the CSA program will be
important factors.

CSA programs are relatively new methods of delivery of the internal audit service. Each organization will
develop a program that fits its organization. Another major benefit of this approach is that it allows the
internal audit function to continue to evolve from the policing role to the facilitator of controls and policies
role. Through CSA, line or operations managers assume more ownership and accountability for controls and
participate in the process of reviewing and improving control effectiveness.

f. Integrating the Auditing Process


The core process in an internal auditing function is the auditing process. This core process is supplemented by
tangent processes such as personal development and quality assurance. The auditing process is defined in this
manual as consisting of three major aspects:

1. The Planning Process (see Chapter 6)
2. The Auditing Process—Performance (see Chapter 7)
3. The Reporting Process (see Chapter 8)

We have learned that these processes can be linked so that work performed in one process benefits the
auditors in a subsequent process, reducing their work and thereby increasing their productivity. In addition,
the methodology involves paying a great amount of attention to planning so that proper
objectives are set and work is directed to the higher-risk areas within the organization. An example of the
leverage is the use of information from the planning process, including the scope and auditee profile, in the
resulting audit report. Good planning leads to improved effectiveness and better quality results.

This methodology has been successfully implemented in a number of audit departments, and although at first
it may appear overly structured, the implementation has resulted in a consistently high-level, quality audit
product. There are no government or professional requirements for internal audit management to be so
structured; however, it has been our experience that operating in an unstructured environment causes an
erosion of management support and credibility over time.

Audit departments do not need to implement all of these strategies; however, the strategies support the
practice and provide management with a clear understanding of the process. Without this process, management
may sometimes question the value of the contribution of internal auditing.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 4.2 REV NO: DATE:
TITLE: Corporate Audit Charter PAGES:

[1] "Information Systems Personnel Express a Desire for Change in the Functioning of Internal Auditing," Dale
L. Flesher and Jeffrey Zanzig, SOBIE conference proceeding, April 15, 2002.

4.2 Corporate Audit Charter


Audit departments should operate pursuant to a written charter indicating the purpose, authority, duties, and
responsibilities of the function. The audit department charter should be formally approved by the audit
committee and the board of directors, updated periodically, and distributed to all company management. (See
Section 9.5, "Marketing the Audit Function.")

The IIA Standards suggest the charter should (1) establish the department's position in the organization; (2)
authorize access to records, locations, and personnel; and (3) define the scope of internal activities. (See
Exhibit 4.1.)

Exhibit 4.1: Sample Corporate Audit Charter[2]


(a) Policy Statement

It is the policy of Sam Pole Company (the Corporation) to maintain an audit department as a means of 
providing the Board of Directors and all levels of management with information to assist in the control of 
operations and to assist senior management in reaching a conclusion concerning the overall control over assets
and the effectiveness of the system of internal controls in achieving its broad objectives. Additionally, the
Audit Department will review the effectiveness and efficiency of operations and organizational structures.

Complementary objectives of the corporate audit department are to develop personnel (see Chapter 5,
"Personnel, Administration, and Recruiting," and Section 9.5, "Marketing the Audit Function").

(b) Responsibility of the Director of Auditing

The Director of Auditing is responsible for properly managing the department so that (1) audit work fulfills
the purposes and responsibilities established herein; (2) resources are efficiently and effectively employed;
and (3) audit work conforms to the Standards for the Professional Practice of Internal Auditing.

(c) Reporting and Relationship of Audit Committee

The Director of Auditing will report to the Audit Committee for approval of audit scope, policy, and
administration. The Director will report in writing on all internal reviews conducted in the Corporation and
will attend the Committee meetings to report on significant recommendations and the operations of the
internal audit function.

(d) Independence

Independence is essential for effective operation of the internal audit function. It is the policy of the
Corporation, therefore, that all audit activities shall remain free of influence by any organizational elements.
This objective shall include such matters as scope of audit programs, frequency and timing of examinations,
and the content of audit reports.

(e) Scope of Audit Activities

Audit coverage will encompass, as deemed appropriate by the Director of Auditing, independent reviews and
evaluations of any and all management operations and activities to appraise:

• Measures taken to safeguard assets, including tests of existence and ownership as appropriate
• The reliability, consistency, and integrity of financial and operating information
• Compliance with policies, plans, standards, laws, and regulations that could have significant impact
on operations
• Economy and efficiency in the use of resources
• Effectiveness in the accomplishment of the mission, objectives, and goals established for the
Corporation's operations and projects

Audit activities will be coordinated, to the extent possible, with the public accountants so as to enhance audit
efficiency.

(f) Access and Confidentiality

In accomplishing activities, the Directors of Auditing and their staffs are authorized to have full, free, and
unrestricted access to all Corporation functions, activities, operations, records, data files, computer programs,
property, and personnel.

Under appropriate circumstances, the Director of Auditing is specifically authorized to communicate directly
to the Chairman, President, and/or the Board of Directors. It is expected that Directors of Auditing and their
staffs will exercise discretion in the review of records to ensure the confidentiality of all matters that come to
their attention.

(g) Responsibility for Corrective Action

The manager or head of the division, department, unit, or site audited is responsible for either planning or
taking corrective action on recommendations made or deficient conditions reported by the auditor. If the
proper corrective action is not taken, the Director of Auditing is responsible for presenting a report on
significant matters to a senior financial officer and/or the Audit Committee.

(h) Limitation of Authority and Responsibility

In performing their functions, the Director of Auditing and corporate audit staff members have neither direct
authority over, nor responsibility for, any of the activities reviewed. Internal auditors will not develop and
install procedures, prepare records, make management decisions, or engage in any other activity that could be
reasonably construed to compromise their independence. However, in connection with the complementary
objectives of this audit function, Internal Audit will recommend accounting and information systems policies
and procedures for approval and implementation by appropriate management. Therefore, internal audit review
and appraisal do not in any way substitute for other activities or relieve other persons in the organization of 
the responsibilities assigned to them.

The Information Systems Audit & Control Association (ISACA) Standards also address audit charters.
Standard #010.010.010 states in section 2.1.1:

• The IS Auditor should have a clear mandate to perform the IS audit function. This mandate is
ordinarily documented in an audit charter that should be formally accepted. Where an audit charter
exists for the audit function as a whole, wherever possible the IS audit mandate should be
incorporated.

In Section 2.2.1 it further states: "The audit charter should clearly address the three aspects of responsibility,
authority and accountability." Under responsibility, the first subtopic is mission statement. Other ISACA
Standards affect the development of the audit charter, such as outsourcing mentioned previously. Thus ISACA
Guidelines provide a lot of general guidance in developing the audit charter, mission statement, and other
organizational documents.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 4.3 REV NO: DATE:
TITLE: Company Organization PAGES:

[2] Note: Adapted from Guide to Accounting Controls, Price Waterhouse, 1981, Warren Gorham Lamont.

4.3 Company Organization


Auditors should be aware of their company structure and management organization. In order to provide this
background, a section of the audit manual should be devoted to a description of the company's activities. This
section can include a copy of the company's divisional or subsidiary organization structure. In addition to this
structure, it is common to produce management organization charts. The senior management organization
chart should be included in the internal audit manual. Exhibit 4.2, "Sam Pole Company Organization Chart,"
is an example of a high-level organization chart depicting the financial organization and the auditing
organization.

Exhibit 4.2: Sam Pole Company Organization Chart

The positioning of internal audit within a company can vary. There is a great debate in the profession that
addresses the independence of internal auditing. The Sam Pole Company organization chart depicts the
Director of Auditing reporting directly to the Board of Directors, with a dotted-line responsibility to the Chief 
Financial Officer (CFO) and Audit Committee. In some companies, the internal auditing function reports
directly to the CFO. This organization may be appropriate if the circumstances warrant this reporting
relationship. Whenever possible, the reporting relationship should be independent of the financial
organization.

a. Audit Department Organization


The audit department organization chart should be included in the manual. If practical, it is beneficial to
include the names of all the auditors in the department. This approach provides a level of personalization for
the manual. However, this approach will require more frequent revisions.

Exhibit 4.3 is the "Sam Pole Company Audit Department Organization Chart." The chart depicts an integrated
audit department approach in which staff are available to managers of each audit discipline. This approach is
unusual and was included in this version of the manual to provide a thought-provoking example. Most
departments have organization charts which can be easily included in this section of the manual. The job
classifications/descriptions that follow have been developed in a format consistent with this organization
chart.

Exhibit 4.3: Sam Pole Company Audit Department Organization Chart


Another method for improving commitment and team spirit is to include the names of all the department
members on a departmental routing slip. This routing slip can augment the organization chart.

b. Job Classifications and Descriptions


Job descriptions formally define the functions, duties, and responsibilities of a position. They also indicate the
knowledge and skills required for successful performance. As such, they provide a vehicle for defining
different levels on the audit staff and also provide criteria for performance evaluation.

The Corporate Audit Department currently has three levels of professional job classifications, in addition to
the Director of Auditing. They are: Manager/Director, Senior Auditor, and Auditor. In addition, there is one
administrative position: executive secretary. Job descriptions for the current professional positions can be
found on the following pages. These job descriptions reference responsibilities for the major procedures
contained in the processes in other sections of the manual. Therefore, they document the responsibilities of 
each staff member related to these methodologies.

POSITION: DIRECTOR OF AUDITING
NAME:
REPORTS TO: Senior Officer for Administration and the Board of Directors (usually through the Audit
Committee) for audit scope and policy.
FUNCTION: The position is responsible for properly managing the department so that (1) audit work
fulfills the purposes and responsibilities established in the department charter, (2) resources
are efficiently and effectively employed, and (3) audit work conforms to the Standards for
the Professional Practice of Internal Auditing.
DUTIES AND RESPONSIBILITIES:

To direct independent reviews and evaluations of any and all management operations and activities to
appraise:
• The reliability and integrity of financial and operational information
• Compliance with policies, plans, standards, laws, and regulations that could have significant impact
upon operations
• Measures taken to safeguard assets, including tests of existence and ownership as appropriate
• Economy and efficiency in the use of resources
• Effectiveness in the accomplishment of objectives and goals established for corporation operations
and projects

To coordinate activities to the extent possible with the public accountants to enhance audit efficiency.

To exercise discretion in the review of records to ensure confidentiality.

To present to a senior officer and/or the Audit Committee, a report on significant recommendations or
deficiencies on which audited management has not taken proper corrective action.

To ensure that the department does not develop or install procedures, prepare records, make management
decisions, or engage in any other activity that could be reasonably construed to compromise its independence.

The Director must have an in-depth knowledge of the audit profession as well as the audit function at Sam
Pole Company, from both conceptual and technical viewpoints. Therefore, the Director should maintain an
expert knowledge of auditing and the auditing profession.

The Director must have excellent written and verbal communication skills as well as excellent editing skills.
He/she is responsible for monthly activity reports to senior management and updates to the Corporate Audit
Procedures Manual. The Director will perform a final review of corporate audit reports.

The Director should have excellent interpersonal skills. These skills are critical to develop and maintain
effective working relationships with all levels of management, the external auditors, consultants, and various
industry representatives.

The Director will also need to counsel managers and audit staff members as to their performance and career
development.

International:

Sam Pole Company is a dynamic company with significant operations all over the world. The Audit Director
will be involved with audits in foreign and domestic locations. This involvement will lead to travel to foreign
and domestic locations, where in some cases English may not be the first language.

CONTACTS: Internally, the incumbent deals directly with all levels of management in the
company. The incumbent works with the corporate audit staff, managers, and senior officers of the
company.

Externally, the incumbent maintains close relationships with the Institute of Internal Auditors (IIA), the
Information Systems Audit and Control Association (ISACA), and the American Institute of Certified Public
Accountants (AICPA) in order to keep abreast of trends and developments in the auditing profession. The
incumbent has regular dealings with managers and partners of the company's external auditors to obtain
material including information that should be disseminated to the audit staff and management of the company.

The Director of Auditing develops contacts with suppliers of materials and other supplies for the functioning
of the Audit Department.


QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:

This individual will have at least a four-year college degree and possess approximately 10 to 15 years of 
experience in internal auditing and external auditing, including at least seven years at the manager or director
level.

• A CPA or CIA certification and CISA are desirable.
• Experience with financial, operational, and management auditing.
• Experience in a manufacturing and/or distribution environment.
• A good understanding of IS auditing.
• The ideal candidate will also possess foreign language skills.

POSITION: AUDIT MANAGER—INTERNATIONAL, PLANNING, AND CONTROL
NAME:
REPORTS TO: Director of Auditing
FUNCTION: The position is responsible for overall audit planning, policies and procedures, coordination
with external audit and consultants, and quality assurance.

The position is responsible for ensuring that the overall audit function of the company
monitors trends in the auditing field and applies them when appropriate to the practice of
auditing in the company. The position is also responsible for coordinating/initiating all
planning, quality assurance, and human resources-related functions for the Corporate Audit
Department. Furthermore, the position is responsible for the preparation and implementation
of a training plan for the department and the individual professionals therein and
coordinating the activities of internationally based auditors.
DUTIES AND RESPONSIBILITIES:

The individual will have direct responsibility for preparing an Audit Department multi-year plan, and:

• Coordinate input from the Director of Auditing as well as audit managers in developing the plan
• Summarize input received from managers and Director of Auditing, with international plans, and
produce a draft plan for discussion
• Update drafts based on input received until final draft is approved
• Prepare six-month and one-year plans for the three-year plan

The individual will be responsible for the coordination and administration of the Audit Department, and:

• Develop and maintain the Audit Procedures Manual of the Corporate Audit Department
• Prepare the operating budget for the department for approval by the Director of Auditing
• Monitor expenses by overseeing purchases and payment of invoices, and recommending viable
alternatives to the audit management
• Prepare annual summaries of external audit fees for the Director of Auditing
• Prepare periodic reports for senior management for the Director's review; also oversee the preparation
and production of periodic and biannual audit report summaries to the Audit Committee
• Maintain a complete file on each member of the audit staff, with job descriptions, resumes, career
actions, performance appraisals, training plans, and development records; produce and analyze reports
on various personnel statistics
• Advise Corporate Audit management on training needs and availability

The individual will be responsible for developing and implementing the department's Quality Assurance
Program, and:

• Maintain the department's policies regarding periodic reviews of entire assignments, summary
reviews of all assignments, and external peer review
• Schedule staff for reviews of entire engagements
• Schedule staff for summary reviews of each engagement on an availability basis
• Prepare reports for the Director of Auditing, discussing the areas where improvement is needed in the
audit process

 Internationally Based Auditors:

The individual will be responsible for coordinating the activities of the internationally based auditors, and:

• Coordinate the development of the international audit plans and integrate them into domestic plans
• Monitor the activities of the internationally based auditors
• Provide guidance on company developments

 Audits:

In addition to the significant administrative responsibilities discussed in the job description, the individual will
be involved in selected audits, both domestic and international.

This position is responsible for maintaining expert knowledge of the auditing profession. The incumbent must
keep abreast of new or proposed developments to the auditing function, and analyze their impact on the
company. In addition, the incumbent is an authoritative source of information to the audit group regarding the
practice of auditing.

• The incumbent must have an in-depth knowledge of the audit profession as well as the audit function
at Sam Pole Company, from both conceptual and technical viewpoints. Also the incumbent should
have a good understanding of the company's primary lines of business and organizational
structure—or if such knowledge is minimal, should be capable of quickly becoming familiar with
these activities.
• The incumbent must have excellent written and verbal communications skills as well as excellent
editing skills. In addition, the incumbent must prepare monthly activity reports to senior management
and update (as necessary) the Corporate Audit Procedures Manual. The manager must review and edit
corporate audit reports and be able to effectively communicate departmental policies and procedures
to staff.
• The incumbent must have well-developed interpersonal skills. These are critical to developing and
maintaining effective working relationships with all levels of in-house management, the company's
external auditors and consultants, and various industry representatives. The incumbent also needs to
counsel audit staff members as to selected training and career development.
• The incumbent must develop and maintain ongoing contact with peers in industry for the purpose of 
gathering information and exchanging ideas.
• The incumbent must gather information on proposed legislation, analyze impact to the company, and
draft statements for consideration by the Director of Auditing.
• The incumbent must interact with associations and institutions to keep abreast of developments and
trends in the auditing profession and ensure that both the Audit Department and business units are
kept informed.

 International:

Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and
staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for
periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS—INTERNAL AND EXTERNAL:

Internally, the incumbent deals directly with all levels of management in the audit function to the company, in
order to provide guidance when requested. The incumbent works with the Corporate Audit staff and senior
officers of the company including cross-relationships with Human Resources, Officer Services, and
Information Systems.

Externally, the incumbent maintains close relationships with the Institute of Internal Auditors (IIA), the
Information Systems Audit and Control Association (ISACA), and the American Institute of Certified Public
Accountants (AICPA) in order to keep abreast of trends and developments in the auditing profession. The
incumbent has regular dealings with managers and partners of the company's external auditors to obtain
material including information that should be disseminated to the audit staff and management of the company.

The Audit Manager develops contacts with suppliers of materials and other supplies for the functioning of the
Audit Department.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:

This individual will have a four-year college degree and possess approximately five to eight years of 
experience in internal auditing.

• A CPA, CISA, or CIA certification is desirable.
• The ideal candidate will also possess foreign language skills.

POSITION NAME: AUDIT MANAGER—FINANCIAL/OPERATIONAL AUDIT
REPORTS TO: Director of Auditing
FUNCTION: Responsible for properly maintaining the department so that (1) audit work fulfills the
purposes and responsibilities established in the department, (2) resources are efficiently and
effectively employed, and (3) audit work conforms to the Standards for the Professional
Practice of Internal Auditing, published by the Institute of Internal Auditors (IIA) and the
General Standards for Information Systems Auditing published by the Information Systems
Audit and Control Foundation (ISACA).
DUTIES AND RESPONSIBILITIES:

To direct independent reviews and evaluations of any and all management operations and activities to
appraise:

• Reliability and integrity of financial and operational information
• Compliance with policies, plans, standards, laws, and regulations that could have significant impact
upon operations
• Effectiveness in accomplishment of objectives and goals established for the corporation and projects
• Measures taken to safeguard assets, including tests of existence and ownership as appropriate
• Economy, effectiveness, and efficiency in use of resources (operational audits)
• Effectiveness of organizational structures to achieve corporate goals and ability of management to
plan, organize, direct, and control its function (management auditing)

To coordinate activities to the extent possible with the public accountants to enhance audit efficiency.

To exercise discretion in the review of records to ensure confidentiality of all matters that come to attention.

 For All Assigned Audits:

• Scope and Procedures. Implement the department procedures for audit planning, establishing scope,
and determining appropriate audit procedures.
• Document Development/Review. Develop or review the following audit documents on audits
assigned:
♦ Preliminary survey: Review planned survey; review survey results
♦ Audit time budget
♦ Planning memo
♦ Audit programs
• Pre-Audit Conference. Establish audit objectives to be discussed at the conference.
• Field Work. Perform or review field work, as appropriate.
• Workpapers. Perform a limited review, as appropriate, based on senior detail review of workpapers;
approve reviewed workpapers for filing.
• Interim Recommendations. Prepare recommendations following field work and documentation of 
auditee position.
• Status Memo. On the basis of memo contents, consider appropriateness of original audit plan and scope
or need to modify to attain audit objective.
• Closing Conference. Plan and conduct audit closing conference.
• Report Preparation/Review. Develop, review, and approve revisions before submitting reports to the
Director of Auditing and Audit Committee.
• Summary Memo. Review results of audit regarding attainment of objectives; review and approve
comparison of actual to budgeted hours and explanation for variance.
• Audit Management Letter. Review and follow up on all profit center responses to the public
accountants' Audit Management Letter, including a report to the Audit Committee.
• Performance Evaluation. Prepare evaluation of senior auditors and conduct review.
• Information Systems. Have sufficient basic IS knowledge to be able to discuss and determine
application of IS audit resources.
• Decision-Making Responsibility/Conclusions. Responsible for administrative and audit related
decision making and conclusions based upon completed audits.
• Counsel/Guide/Motivate. Provide direction to immediate assistants to enable them to counsel, guide,
and motivate staff. Empower assistants to be effective. Participate directly in these activities when
appropriate.
• Auditee Relationship. At executive management level, identify and develop audit opportunities to
provide a more effective audit service to management.


Other Matters:

• Special Investigations. Provide direction and guidance. Review results. Recommend action in
coordination with other interested company and outside parties.
• Continuing Education. Pursue regular program for continuing education for self (related to
certifications held). Pursue professional development for self, as appropriate (e.g., systems seminar in
area of emerging systems development within the company, courses to pursue certification,
management training). Review and approve suitable program for departmental staff.
• Special Projects. As assigned, may participate. Direct, review, evaluate, and report work of assistants.
• Professionalism. Demonstrate superior performance and direction in all attributes of professional
conduct of self and staff, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and
corporate ethics.

 International:

Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and
staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for
periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS—INTERNAL AND EXTERNAL:

Internally, the incumbent deals directly with all levels of management in the audit function to the company, in
order to provide guidance when requested. The incumbent works with the Corporate Audit staff and senior
officers of the company especially with the accounting functions.

Externally, the incumbent maintains close relationships with the Institute of Internal Auditors (IIA), the
Information Systems Audit and Control Association (ISACA), and the American Institute of Certified Public
Accountants (AICPA), if applicable, in order to keep abreast of trends and developments in the auditing
profession. The incumbent has regular dealings with managers and partners of the company's external auditors
to obtain material including information that should be disseminated to the audit staff and management of the
company. Contact with organizations specializing in operational and management auditing must be
maintained.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:

• A degree in accounting or other qualified discipline
• CPA, CISA, or CIA certification
• Experience in a manufacturing and/or distribution environment
• Experience in a supervisory capacity and the ability to direct and develop others
• Experience with financial, operational, and management auditing

POSITION NAME: AUDIT MANAGER—IS AUDIT
REPORTS TO: Director of Auditing
FUNCTION: Responsible for properly maintaining the department so that (1) audit work fulfills the
purposes and responsibilities established in the department, (2) resources are efficiently and
effectively employed, and (3) audit work conforms to the Standards for the Professional
Practice of Internal Auditing, published by the Institute of Internal Auditors (IIA) and the
General Standards for Information Systems Auditing published by the Information Systems
Audit and Control Foundation (ISACA).
DUTIES AND RESPONSIBILITIES:

This individual will have primary responsibility for reviews of the company's information systems (IS)
environment:

• Reliability and integrity of information systems (IS)
• Compliance with policies, plans, standards, laws, and regulations that could have significant impact
on IS or operations
• Effectiveness in accomplishment of objectives and goals established for IS
• Measures taken to safeguard IS assets, including tests of existence and ownership as appropriate
• Economy, effectiveness, and efficiency in use of IS
• Involvement in systems development audits to ensure controls are built in during the systems
development life cycle (SDLC) process

To develop an audit program to address systems in development including:

• Analyses of SDLC methodology, providing for internal audit input at key points in the process
including the use of continuous assurance techniques including embedded audit modules and
intelligent agents
• Planning of audits of development projects (or ongoing audit involvements) to provide critical input
while the project is in process

The individual will be responsible for taking a leadership position in expanding the use of computers by the
audit staff:

• Expand use of computer-assisted audit techniques (CAATs) to support audit projects
• Monitor the department's data processing requirements for microcomputer based tools including audit
software and administrative packages
• Establish and maintain an automated time and expenses reporting system

The position is responsible for maintaining an expert knowledge of the IS audit profession. The individual
must keep abreast of new and proposed developments in the IS auditing field and analyze the impact on the
company. The individual should be an authoritative source of information to the audit group as regards the
practice of auditing.

• The incumbent must have a good working knowledge of the information systems development at Sam
Pole Company. Consideration should be given to attending IS Steering Committee meetings.
• The incumbent must have excellent written and verbal communication skills as well as excellent
editing skills. The individual must prepare monthly activity reports to senior management on IS
auditing activities.

To coordinate activities to the extent possible with the public accountants to enhance audit efficiency.

To exercise discretion in the review of records to ensure confidentiality of all matters that come to attention.

The position will be responsible for working on selected financial and operational audits. These will
supplement the primary area of responsibility of IS auditing.

 For All Assigned Audits:

• Scope and Procedures. Implement the Department procedures for audit planning, establishing scope,
and determining appropriate audit procedures.
• Document Development/Review. Develop or review the following audit documents on audits
assigned:
♦ Preliminary survey: Review planned survey; review survey results
♦ Audit time budget
♦ Planning memo
♦ Audit programs
• Pre-Audit Conference. Establish audit objectives to be discussed at the conference.
• Field Work. Perform or review field work, as appropriate.
• Workpapers. Perform a limited review, as appropriate, based on senior detail review of workpapers;
approve reviewed workpapers for filing.
• Interim Recommendations. Prepare recommendations following field work and documentation of 
auditee position.
• Status Memo. On the basis of memo contents, consider appropriateness of original audit plan and scope
or need to modify to attain audit objective.
• Closing Conference. Plan and conduct audit closing conference.
• Report Preparation/Review. Develop, review, and approve revisions before submitting reports to the
Director of Auditing and Audit Committee.
• Summary Memo. Review results of audit regarding attainment of objectives; review and approve
comparison of actual to budgeted hours and explanation for variance.
• Audit Management Letter. Review and follow up on all responses to the public accountants' Audit
Management Letter, including a report to the Audit Committee.
• Performance Evaluation. Prepare evaluation of senior auditors and conduct review.
• Information Systems. Have sufficient IS knowledge to be able to discuss and determine application
of IS audit resources, to judge effectiveness of computer controls, and participate in systems
development projects.
• Decision-Making Responsibility/Conclusions. Responsible for administrative and audit-related
decision making and conclusions based upon completed audits.
• Counsel/Guide/Motivate. Provide direction to immediate assistants to enable them to counsel, guide,
and motivate staff. Empower assistants to be effective. Participate directly in these activities when
appropriate.
• Auditee Relationship. At executive management level, identify and develop audit opportunities to
provide a more effective audit service to management.

Other Matters:

• Special Investigations. Provide direction and guidance. Review results. Recommend action in
coordination with other interested company and outside parties.
• Continuing Education. Pursue regular program for continuing education for self (related to
certifications held). Pursue professional development for self, as appropriate (e.g., systems seminar in
area of emerging systems development within the company, courses to pursue certification,
management training). Review and approve suitable program for departmental staff.
• Special Projects. As assigned, may participate. Direct, review, evaluate, and report work of assistants.
• Professionalism. Demonstrate superior performance and direction in all attributes of professional
conduct of self and staff, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and
corporate ethics.
• SDLC/Systems Projects. Preferably ensure that a CISA (or staff member if a CISA is not available) is
a part of any systems development teams or projects.

 International:

Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and
staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for
periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS—INTERNAL AND EXTERNAL:

Internally, the incumbent deals directly with all levels of management in the audit function to the company, in
order to provide guidance when requested. The incumbent works with the Corporate Audit staff and senior
officers of the company, especially with Information Systems.

Externally, the incumbent maintains close relationships with the Information Systems Audit and Control
Association (ISACA), the Institute of Internal Auditors (IIA), and the American Institute of Certified Public
Accountants (AICPA), where applicable, in order to keep abreast of trends and developments in the IS
auditing profession. The individual has regular dealings with managers and partners of the company's external
auditors to obtain material including information that should be disseminated to the audit staff and
management of the company. The individual maintains contact with audit software vendors to stay abreast of 
developments in the field.
QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:

• A four-year degree in accounting and/or an IS degree
• A Certified Information Systems Auditor (CISA) certification; CPA or CIA is not essential but is an
advantage
• Experience in a manufacturing and/or distribution environment
• Experience with computers, preferably both micro-computers (PCs) and either mainframe or
mini-computers (mid-range)
• Experience with local area networks (LANs) or wide area networks (WANs)
• Experience in a supervisory capacity

POSITION NAME: SENIOR AUDITOR
REPORTS TO: Internal Audit Manager
FUNCTION: Plan, organize, conduct, supervise, and formally report on a scheduled audit.
DUTIES AND RESPONSIBILITIES:

• Planning Scope and Procedures. Develop or supervise assistants in planning the scope of audits and
selection and development of appropriate audit procedures for manager approval.
• Preliminary Survey. Direct the development and preparation of the survey approach. Participate and
oversee work by assistants, if applicable.
• Audit Time Budget. Ensure establishing a practical budget, completing work on time, and evaluating
performance and variance.
• Planning Memo. Review assistant input and document thorough and complete approved plan for
specific audits after obtaining general guidelines from manager.
• Audit Programs Development/Changes. With manager approval, develop audit programs necessary
to promote effective audit coverage.
• Pre-Audit Conference. Ensure that audit objectives have been clearly and completely set forth to the
auditee before the audit.
• Field Work. Perform all field work in a competent and professional manner. Provide evidential
support for all report recommendations.
• Identifying System Control Points. Document controls or perform expert review of work by
assistants.
• Workpapers. Prepare selected workpapers and review assistants' workpapers.
• Interim Recommendations. Prepare recommendations for auditee consideration; review and evaluate
assistants' recommendations, considering materiality, pertinence to audit and documentary evidence.
• Status Memo. Prepare or review draft and finalize status memo for presentation to manager.
• Closing Conference. Prepare or review agenda of recommendations and comments. Conduct with
support from assistants.
• Report Preparation/Review. Prepare or review detailed recommendations and comments for
materiality and relativity of items, adequacy of workpaper documentation and auditee position (if 
known). Responsible for completeness and accuracy of entire report subject to manager approval.
• Summary Memo. Prepare or review final summary memo based on review and evaluation of input by
assistants. Submit future audit planning recommendations.
• Performance Evaluation. Complete timely performance evaluations for assistant on audit and review
evaluations with them (if applicable).
• Information Systems. Apply, in appropriate circumstances, knowledge of basic IS audit techniques.
• Company Audit Procedures. Demonstrate complete comprehension and ability to (1) assess validity
of existing policies and procedures, and (2) recommend sound alternatives.
• Decision-Making Responsibility/Conclusions. Demonstrate capacity and evidence for effective
decision making and drawing sound conclusions.
• Auditee Relationships. Ensure continuing development of effective professional relationships with
auditee personnel.
• Special Investigations. Possess ability to carry out assignments discreetly, effectively, and efficiently
in sensitive, confidential circumstances.

• Awareness of the State-of-the-Art. Demonstrate clear understanding of current developments,
associating that understanding with company audit applications. Recommend adaptation, where
appropriate, in our audit approach.
• Continuing Education. Pursue departmental-approved program for continuing education for self and
recommend suitable programs for department associates. Pursue professional development (PD) for
self, as appropriate, and recommend PD for department.
• Travel. Meet requirements and recommend improvements and alternatives to ensure timely, effective
realization of the department audit plan.
• Special Projects. Participate, as assigned. Recommend special projects, based upon experience and/or
need.

• Professionalism. Demonstrate superior performance in all attributes of professional conduct,
including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics. Encourage
others toward comparable performance.

 International:

Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and
staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for
periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS—INTERNAL AND EXTERNAL:

Internally, department management and associates; most levels of auditee management. Externally, technical
and other business professionals through societies and association memberships.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:

• Have achieved or work toward certification by examination
• Have a four-year degree in accounting (or qualified discipline)
• Have achieved high academic standing
• Have special skills or knowledge and the ability to instruct, train, and develop others in those skills
• Have apparent management potential

POSITION NAME: AUDITOR
REPORTS TO: Senior Auditor
FUNCTION: Plan, organize, conduct, and formally report on a scheduled audit.
DUTIES AND RESPONSIBILITIES:

• Planning Scope and Procedures. Develop the scope for audits and selection and development of 
appropriate audit procedures for senior/manager approval.
• Preliminary Survey. Develop and prepare the survey.
• Audit Time Budget. Ensure establishing a practical budget, completing work on time, and evaluating
performance and variance.
• Planning Memo. Provide input and document plan for specific audits after obtaining general
guidelines from senior/manager.
• Audit Programs Development/Changes. With senior approval, develop audit programs necessary to
promote effective audit coverage.
• Pre-Audit Conference. Ensure that audit objectives have been clearly and completely set forth to the
auditee before the audit.
• Field Work. Perform all field work in a competent and professional manner. Provide evidential
support for all report recommendations.
• Identifying System Control Points. Document controls.
• Workpapers. Prepare selected workpapers.
• Interim Recommendations. Prepare recommendations for auditee consideration; review, considering
materiality, pertinence to audit and documentary evidence.
• Status Memo. Prepare draft status memo for presentation to manager.
• Closing Conference. Prepare preliminary agenda of recommendations and comments.
• Report Preparation/Review. Prepare detailed recommendations and comments.
• Summary Memo. Prepare preliminary summary memo. Submit future audit planning
recommendations.
• Performance Evaluation. Complete timely performance evaluations for assistants on audit and
review evaluations with them (if applicable).
• Information Systems. Apply, in appropriate circumstances, knowledge of basic IS audit techniques.
• Company Audit Procedures. Demonstrate complete comprehension and ability to (1) assess validity
of existing policies and procedures, and (2) recommend sound alternatives.
• Decision-Making Responsibility/Conclusions. Demonstrate capacity and evidence for effective
decision making and drawing sound conclusions.
• Auditee Relationships. Ensure continuing development of effective professional relationships with
auditee personnel.
• Special Investigations. Possess ability to carry out assignments discreetly, effectively, and efficiently
in sensitive, confidential circumstances.
• Awareness of the State-of-the-Art. Demonstrate clear understanding of current developments,
associating that understanding with company audit applications. Recommend adaptation, where
appropriate, in our audit approach.
• Continuing Education. Pursue departmental-approved program for continuing education for self.
Pursue professional development (PD) for self, as appropriate.
• Travel. Meet requirements and recommend improvements and alternatives to ensure timely, effective
realization of the department audit plan.
• Special Projects. Participate, as assigned. Recommend special projects, based upon experience and/or
need.
• Professionalism. Demonstrate superior performance in all attributes of professional conduct,
including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics. Encourage
others toward comparable performance.

 International:

Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and
staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for
periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.

CONTACTS—INTERNAL AND EXTERNAL:

Internally, department management and associates; most levels of auditee management. Externally, technical
and other business professionals through societies and association memberships.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:

• Have achieved or work toward certification by examination
• Have a four-year degree in accounting (or qualified discipline)
• Have achieved high academic standing
• Have ability to supervise and get along with people
• Have special skills or knowledge and the ability to instruct, train, and develop others in those skills
• Have apparent management potential

POSITION NAME: SENIOR AUDITOR—EUROPE (INTERNATIONAL LOCATION)
REPORTS TO: Audit Manager—Planning and Control
FUNCTION: This position is responsible for performing audits in Sam Pole's European operations.
Corporate audit procedures established in the United States, to the extent possible, will be
followed by the Senior Auditor—Europe.
DUTIES AND RESPONSIBILITIES:

The individual will have direct responsibility for preparing preliminary, annual, and multi-year audit plans for
approval in the United States, for all European operations.

The individual will prepare drafts of expense budgets for one-year plans as appropriate, for approval in the
United States. The individual will maintain a copy of the Corporate Audit Policies and Procedures Manual of 
the Corporate Audit Department for use in Europe.

The individual will maintain contact and develop lines of communication with auditees throughout the
European operations.

The individual will attempt to maintain knowledge of developments in the various European operations. This
process will involve monitoring periodic management reports and staying apprised of economic developments
in each country. Periodically, reports on these developments will be made to the Manager—Planning and
Control.

 For All Assigned Audits:

• Planning Scope and Procedures. Develop the scope for audits and selection and development of 
appropriate audit procedures for senior/manager approval.
• Preliminary Survey. Direct the development and preparation of the survey approach. Participate and
oversee work by assistants, if applicable.
• Audit Time Budget. Ensure establishing a practical budget, completing work on time, and evaluating
performance and variance.
• Planning Memo. Review assistant input and document a thorough and completely approved plan for
specific audits after obtaining general guidelines from manager.
• Audit Programs Development/Changes. With manager approval, develop audit programs necessary
to promote effective audit coverage.

• Pre-Audit Conference. Ensure that audit objectives have been clearly and completely set forth to the
auditee before the audit.
• Field Work. Perform all field work in a competent and professional manner. Provide evidential
support for all report recommendations.
• Identifying System Control Points. Perform expert review of work by assistants.
• Workpapers. Prepare selected workpapers and review assistants' workpapers.
• Interim Recommendations. Prepare recommendations for auditee consideration; review and evaluate
assistants' recommendations, considering materiality, pertinence to audit and documentary evidence.
• Status Memo. Prepare or review draft and finalize status memo for presentation to manager.
• Closing Conference. Prepare or review agenda of recommendations and comments. Conduct with
support from assistants.
• Report Preparation/Review. Prepare or review detailed recommendations and comments for
materiality and relativity of items, adequacy of workpaper documentation and auditee position (if 
known). Responsible for completeness and accuracy of entire report subject to manager approval.
• Summary Memo. Prepare or review final summary memo based on review and evaluation of input by
assistants. Submit future audit planning recommendations.
• Performance Evaluation. Complete timely performance evaluations for assistants on audit and
review evaluations with them (if applicable).


• Information Systems. Apply, in appropriate circumstances, knowledge of basic IS audit techniques.


• Company Audit Procedures. Demonstrate complete comprehension and ability to (1) assess validity
of existing policies and procedures, and (2) recommend sound alternatives.
• Decision-Making Responsibility/Conclusions. Demonstrate capacity and evidence for effective
decision making and drawing sound conclusions.
• Auditee Relationships. Ensure continuing development of effective professional relationships with
auditee personnel.

• Special Investigations. Possess ability to carry out assignments discreetly, effectively, and efficiently
in sensitive, confidential circumstances.
• Awareness of the State-of-the-Art. Demonstrate clear understanding of current developments,
associating that understanding with company audit applications. Recommend adaptation, where
appropriate, in our audit approach.
• Continuing Education. Pursue departmental-approved program for continuing education for self and
recommend suitable programs for the department. Pursue professional development (PD) for self, as
appropriate, and recommend programs for the department, where appropriate.
• Travel. Meet requirements and recommend improvements and alternatives to ensure timely, effective
realization of the department audit plan.
• Special Projects. Participate, as assigned. Recommend special projects, based upon experience and/or
need.
• Professionalism. Demonstrate superior performance in all attributes of professional conduct,
including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics. Encourage
others toward comparable performance.

International:

Sam Pole Company is a dynamic company with headquarters in the United States and significant operations
all over the world. All audit managers and staff are involved with audits in foreign and domestic locations.
This involvement includes travel to foreign locations, where, in some cases, language differences may be
encountered. The Senior Auditor—Europe will possess multi-language skills and/or recommend alternative
audit approaches, including use of outside accountants or other company personnel.

CONTACTS—INTERNAL AND EXTERNAL:

Internally, the incumbent deals directly with all levels of management in the European headquarters and
country operations. Requests for audit assistance by the operating units should be communicated to U.S.
headquarters and considered during the planning process. The position works closely with the Director of 
Finance for European Operations.

Externally, the incumbent should be a member of the Institute of Internal Auditors (in the United Kingdom)
and other appropriate audit institutes in Europe. The incumbent will have regular dealings with managers and
partners of the company's external auditors.

QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:

• Have achieved or work toward certification by examination
• Have a four-year degree in accounting (or qualified discipline)
• Have achieved high academic standing (i.e., honors)
• Have fluent command of English and other language skills
• Have experience in the multinational auditing environment
• Have ability to supervise and get along with people
• Have special skills or knowledge and the ability to instruct, train, and develop others in those skills
• Have apparent management potential
• Independent thinker

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 4.4   REV NO:   DATE:
TITLE: Audit Department Policies   PAGES:

4.4 Audit Department Policies


In addition to the specific department procedures and administrative programs (see Chapter 5), the department
should have various policies. The examples of these policies include those in this chapter. However, these
should not be considered all-inclusive by any means. All departments should have confidentiality, travel, and
entertainment policies. These would be the minimum policies, and every effort should be made to document
policies on a case-by-case basis as they arise. This section can be used as the area to record all department
policies:

• Confidentiality
• Orientation (Training)
• Days Off for Extensive Travel
• Professional Certification

a. Confidentiality
In accordance with the approved Corporate Audit Department Charter under subsection Access and
Confidentiality, "in accomplishing his activities, the Director of Auditing and his staff are authorized to have
full, free, and unrestricted access to all corporation functions, activities, operations, records, data files,
computer programs, property, and personnel."

This access exposes the staff to confidential corporate information either by examination or discussion. The
privileged permission to be informed of confidential information carries a responsibility for the Audit
Department staff's confidentiality.

Confidentiality is defined as to "hold secret." The only exception is to report to audit management and others
on a defensible need-to-know basis.

i. Policy

All information known to require or deemed to (by a reasonable person test) require confidentiality should be
kept so.

ii. Discussion

Corporate Audit Department management is forced to guard their responsibility for staff confidentiality to
protect the department's reputation and credibility. This protection includes present staff, transfers, and past
employees.

Breaches of confidentiality may be either intentional or accidental, such as being overheard in public places,
elevators, or restaurants.


We are involved in and knowledgeable of a number of sensitive company situations including union
agreements, company politics, different pay scales, and special investigations that require good judgment and
limited exposure of details.

Another area of which the auditor must be constantly aware is gossip. Many people on the company grapevine
feel credibility is given to their conversation if they can include, "I heard it from an auditor." So beware of
the person who asks a lot of questions.

It should be clear to current or past employees of the Corporate Audit Department that violations of
confidentiality or gossip may result in:

• Immediate termination
• Probation
• Suspension without pay
• Warning
• Lawsuit

The consequences will be at the judgment of the Director of Auditing and/or Audit Committee. A lawsuit
could result from third-party damage as defamation of character from a libelous or slanderous statement. (See
"Responsibilities of an Auditor" in this chapter.)

b. Orientation (Training)
i. Objective

Provide reasonable assurance that the new employee will become promptly productive.

ii. Responsibility

Orientation is the responsibility of the manager to whom the new employee reports.

iii. Orientation Outline (See Section 5.6)

• Information about Sam Pole Company
• Information about the Internal Audit Department of the Company
• Introduction to audit staff personnel and other employees with whom the auditor will work
• Discussion of duties and responsibilities
• Control of work:
♦ Hours of work
♦ Time reports
♦ Paycheck distribution
♦ Travel regulations
♦ Expense report preparation
♦ Supplies
• Readings:
♦ Audit manual
♦ Standards
♦ Literature on modern internal auditing
♦ Recent audit reports
♦ See recommended reading list


c. Days Off for Extensive Travel Policy


No specific corporate policy has been set forth on this subject. Therefore, the following policy for the Internal
Audit Department will apply:

• One day for each seven consecutive nights in an international location may be taken off with pay.
• One day for the first 14 consecutive days of domestic (North American) travel may be taken off with
pay. For every additional seven consecutive and contiguous days thereafter, one additional day off 
may be taken.
• Such days must be utilized by the end of the calendar year or they are automatically forfeited.

d. Professional Certification Policy


In order to encourage professional development within the Corporate Audit Department at Sam Pole
Company, the Company will support employees who wish to attain a recognized professional certification.
The programs currently being supported include the Certified Internal Auditor (CIA), the Certified
Information Systems Auditor (CISA), the Certified Public Accountant (CPA), the Certified Management
Accountant (CMA), the Certified Fraud Examiner (CFE), and the Certified Information Systems Security
Professional (CISSP). The successful completion of these written examinations will result in a demonstration
of personal achievement and enhance the professional posture for the department.

In order to encourage employees to attain professional recognition by passing an exam certification, the
Company will assist staff members by providing:

1. The cost of registration and fees for the initial sitting for the examination.
2. Fifty percent of the cost for recognized preparation (review) courses to a maximum of $750. To avoid
misunderstanding, selected courses should be approved by the Director of Auditing prior to
registration and payment of fees. Attendance at classes is to be scheduled during non-working hours
(Monday through Friday) or, preferably, on weekends. Staff assignments to projects will consider
review course attendance, but Sam Pole work must take precedence in cases where staff members are
required to fulfill Company commitments.
3. Time for sitting for examinations will be considered authorized excused leave.

It is anticipated that the Company will benefit from the attainment of certifications through increased
professional knowledge and adherence to professional standards and codes of conduct.

Endnote
1. "Information Systems Personnel Express a Desire for Change in the Functioning of Internal Auditing,"
Dale L. Flesher and Jeffrey Zanzig, SOBIE conference proceeding, April 15, 2002.

Chapter 5: Personnel, Administration, and Recruiting
Overview

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 5.1   REV NO:   DATE:
TITLE: Introduction   PAGES:

5.1 Introduction
Internal audit consists of people, information systems, and procedures. Talented people following
well-thought-out, tailored methodologies will produce consistent quality audit products. Organizations should
not lose sight of the support role of audit. Like the accounting department and other important groups in an
organization, audit does not produce the primary product or service. The audit mission (as defined in the audit
department charter), however, is crucial to the organization's success, providing independent review and
constructive advice.

In order to attract and maintain qualified staff, the corporate Audit Department has put in place a personnel
development program (see "Personal Development" in this chapter). However, the selection of the best
individuals is the first step in the process.

a. Sources of Personnel
Internal auditors are typically accountants who have an interest in auditing. In many cases, this interest is
combined with a desire to gain a good understanding of many business functions. The audit function exposes
auditors to a large number of areas in a company's operations. Therefore, it is considered an excellent training
ground. Consequently, some entry-level auditors will consider audit a stepping-stone in their career
progression. If the audit department is successful and well respected, a percentage of auditors will choose to
remain and progress to audit management positions. Because most organizations, including audit departments,
have pyramid structures, these career path issues must be managed effectively to promote audit staff
development and progression.

Staff can be obtained from a number of sources, which include:

• Direct recruitment from colleges
• Transfers from other company functions
• Outside hires

i. Direct Recruitment from Colleges

To develop a professional-level internal audit program, most functions require a college degree for new hires.
Colleges and universities develop students' basic skills and most include an auditing course in the accounting
curriculum—a requirement in most degree programs. In addition, most colleges and universities try to
accommodate the 150-hour rule for the Certified Public Accountant (CPA) exam by offering graduate courses
in accounting. A second auditing course is normally offered for those pursuing a master's degree.

Chapter 5: Personnel, Administration, and Recruiting 1


Even more importantly, many universities are forming specialty degrees in systems, public accounting, and
internal auditing. The Institute of Internal Auditors (IIA) has a "Model Curricula for Classroom Use" that was
carefully constructed considering the Certified Internal Auditor (CIA), CPA, management consulting,
computer sciences; and considering the standards of the American Assembly of Collegiate Schools of 
Business (AACSB), the International Association for Management Education, and the American Accounting
Association (AAA). The IIA maintains information on its "IIA Academic Program" online including a
120-hour model curriculum, 150-hour model curriculum, and a list of Endorsed Internal Auditing Programs
all online at their web site. [1]

The first step in recruiting from colleges and universities is to identify the schools with which you may want
to work, and review their curriculum and program for compatibility. One resource might be the IIA's list of 
Endorsed Internal Auditing Programs, especially if one is fairly close by. Students in these programs have
already expressed an interest in internal audit, and are being educated more precisely (i.e., probably better
qualified than other accounting students) for internal audit jobs. Once you identify a school, it is beneficial to
develop a relationship with the accounting department and its students. Recruiting activities could include:

• Campus job placement department
• On-campus interview
• Job fairs
• Partnering with accounting department and its faculty
• Speaking to a class or accounting student club

Most schools encourage on-campus recruitment activities and have structured means to accommodate them.
For example, most schools have a department that specializes in job placement—typically called "Career
Services" or a similar name. This group is one important contact because they can facilitate conducting
interviews, screen candidates based on the audit department's criteria, and forward applicable student resumes.
Most schools today are associated with some sort of job fair, either on campus or in the local area. Many
professors or department chairs will also work with companies one-on-one. If, for example, the university is
an endorsed IIA program and if an audit department wanted to hire regularly over time, then the department
will probably be willing to partner with the audit department (company) and provide specialized services
concerning recruitment. All universities encourage professionals, such as internal auditors, to visit campus to
speak to either classes (e.g., auditing) or student clubs in accounting. These activities are opportunities to
observe first-hand potential job candidates before getting involved with interviews, etc. Schools benefit
tremendously by bringing the "real-world" professionals and their experience and views into the course.
Accounting academics will appreciate any internal auditor who contacts them to schedule speaking
engagements. All of these resources are valuable to recruitment because each one causes some of the work of 
the recruitment process to be transferred to the school, saving the audit department time and resources. And
together, they can expose the audit department to the best and brightest students for entry-level jobs.

ii. Transfers from Other Company Functions

In some cases, candidates may be available within the company. Most companies have sophisticated human
resource (HR) programs that can assist audit management with hiring and career progression issues. For
instance, many firms are employing elaborate systems that gather individual skills, training, and abilities.
These systems allow easy retrieval of people who fit a certain profile. Such a system is extremely helpful in
locating people with the interest and abilities related to internal auditing, and thus if your organization is using
this type of system, the corporate audit department needs to ensure coding is compatible with its needs. Audit
functions should always attempt to hire the best possible candidates and never "settle" or accept an individual
as an accommodation to another department.

iii. Outside Hires


An excellent source of outside candidates is public practice. Approximately two-thirds of all entry-level
auditors will leave public accounting within three years. Public accounting firms recruit primarily accounting
graduates and, in most cases, provide them with formal hands-on training programs in the early years of the
person's employment. Some also provide industry and computer training. Of course, large internal audit
departments are capable of organizing and providing similar professional development programs. In most
cases, however, they cannot provide the diversified experience available in public practice.

b. Recruitment Aids

Forethought and planning will improve recruiting results. Candidates will be favorably impressed when
presented with company structure charts, organization charts, and a schematic of the personnel development
program similar to the one presented in the manual. Some audit departments develop brochures describing
functions, activities, and benefits (e.g., experience in many company operations, travel, and potential career
progression). The development of a summary of the current staff with qualifications may also add value.
Some departments that encourage career development in the audit department and within the company
develop career summaries on current and preceding members of the department.

An interview questionnaire for new internal auditors should be developed and used to summarize interviews
and results. Exhibit 5.1 is a sample form.

Exhibit 5.1: Interview Questionnaire for New Internal Auditors



c. Management Development Programs


People can be products too! Some audit departments develop or participate in management development
programs. These programs can involve internal audit as an initial or mid-career step. For instance, new college
graduates can be hired by internal audit and assigned to other company operations for portions of the year.
After two or three years, they transfer to another unit on completion of a successful project. This process will
add work to the audit management function, and it will also create a positive deliverable or product. Such
programs would be discussed with senior management and/or the audit committee, and added to the audit
department function directly in the audit charter.

In some notable examples, personnel development programs have greatly enhanced the reputation of the audit
function through the addition of a tangible measurable product: former audit personnel rising to higher level
positions in the organization.

d. Certifications
Certifications, including Certified Internal Auditor (CIA), Certified Public Accountant (CPA), Certified
Information Systems Auditor (CISA), and Certified Management Accountant (CMA) are significant personal
achievements, and provide evidence of basic skill levels and knowledge. In today's business environment, the
Certified Fraud Examiner (CFE) and Certified Information Systems Security Professional (CISSP) have
become both valuable and relevant. Any of these certifications also add to internal audit's image. Policies can
be developed to encourage staff members to attain certifications, which should be seriously considered in
reviewing new-hire qualifications.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 5.2   REV NO:   DATE:
TITLE: Personal Development   PAGES:

[1] See www.theiia.org/ecm/iiaap.cfm?doc_id=209 or www.theiia.org and do a search.

5.2 Personal Development


Internal auditing consists of quality people employing quality procedures and quality systems in an
independent and proactive manner. In order to sustain the implementation of the most appropriate procedures
and to provide for the continuing improvement of the auditors, a professional development program becomes
a critical component of the internal audit practice.

Consider the following quote from Future Shock, by Alvin Toffler:

If society itself were standing still, there might be little pressure on the individual to update
his own supply of images, to bring them in line with the latest knowledge available in society.
So long as the society in which he is embedded is stable or slowly changing, the images on
which he bases his behavior can also change slowly. But to function in a fast-changing
society, to cope with swift and complex change, the individual must turn over his own stock of 
images at a rate that, in some way, correlates with the pace of change. His model must be
updated. To the degree that it lags, his responses to change become inappropriate, he
becomes increasingly thwarted, ineffective. Thus, there is intense pressure on the individual
to keep up with the generalized pace. Today, change is so swift and relentless in the
techno-sciences that yesterday's truths suddenly become today's fictions, and the most highly
skilled and intelligent members of society admit difficulty in keeping up with the deluge of 
new knowledge—even in extremely narrow fields. [2]

a. Introduction
In order to ensure that the Corporate Audit Department's education plan is implemented, the responsibility for
coordination has been assigned to the Manager of Policies and Control. As Coordinator of Education, the
Manager of Policies and Control will assist in the development of the departmental education plan and
individual auditors' educational plans. He/she will work closely with the staff and managers to achieve the
objectives of the Professional Development Program and report periodically to the Director of Auditing on the
status of the program.


b. Objectives
The Corporate Audit Department Training Program has been designed to improve and maintain the
professional competence of the corporate auditors so that they can effectively perform their function to the
fullest extent. Additionally, it is intended to provide for personal professional growth and job satisfaction. The
program, combined with on-the-job experience and training, and a comprehensive evaluation process, is
intended to provide a basis for advancement in the Audit Department, or for potential placement in key
financial or general management positions within the company.


Every professional has a responsibility to maintain and advance his or her basic skills. The program is
intended to provide a vehicle for the individual to accomplish this requirement. The program will be as
successful for you as you make it. Additionally, to develop strong business acumen, daily reading of the
general financial press is essential. Auditors are generalists, to a large degree, and should always be cognizant
of current trends in business and finance, to ascertain the importance, if any, on their audit assignment.

c. Coordinator of Education
The Coordinator of Education is responsible for overseeing the educational needs of the department, and
ensuring that those needs are adequately met. The Coordinator reports to the Director of Auditing regarding
plans and resources needed to obtain and maintain an adequate level of knowledge and skills individually and
corporately in the department. Duties include:

• Assists the Director and audit managers in surveying staff and analyzing training needs.
• Recommends comprehensive, systematic training program for the Corporate Audit Department.
• Coordinates the training activities for corporate auditors and makes staff aware of all training
opportunities.
• Assists auditors in developing individual goals and training programs.
• Develops and implements evaluation programs for all training activities involving Internal Audit.
• Investigates specific training programs as requested by other members of the staff and authorized by
the Director of Auditing.
• Assists in the evaluation of training programs and reviews regular (quarterly) training reports on staff
members for the Director of Auditing.
• Develops policies and procedures for maintaining and using the staff library. Assures audit
management that the library is adequately stocked and keeps staff informed of new acquisitions
pertinent to their particular needs.

d. Corporate Audit Training Model


The Corporate Audit Training Model (Exhibit 5.2) includes a structured approach to core training critical for
first- and second-year auditors. The model goes on to suggest a training program for auditors beyond the basic
core programs. These are labeled as "advanced," for the third year and thereafter.

Exhibit 5.2: Overview of Corporate Audit Training Model



The core of the Corporate Audit Program is on-the-job training through effective supervision and constructive
evaluations covering areas of need. The program is two-fold: the Core Program covering new auditors, and
the Advanced, covering education for career-minded internal auditors for periods beyond two years of work 
experience.

On-the-job training is supplemented with the following types of formal and informal education:

• In-house seminars and self-study training through the use of audio and visual training courses, and
online courses via the web.
• Teaching or speaking engagements to help broaden one's knowledge and communications skills.
• Attendance at various outside seminars, workshops, lectures, conferences, etc.
• Availability of a library of texts and reference materials covering internal auditing, as well as specific
areas of business management, taxation, finance, purchasing, construction, contracts, etc.
• Online services: Examples include Lexis/Nexis, [3] the AICPA (Auditing Standards), [4] ISACA's
K-net and CobiT, [5] and other providers of reference materials. Lexis/Nexis provides authoritative
legal, news, public records, and business information online. K-net is a global knowledge network for
IT governance, control, and assurance. CobiT is a generally applicable and accepted standard for
information technology (IT) security and control practices, providing a framework for management,
users, and information systems (IS) audit, control, and security practitioners.
• Specialized courses, when available and/or practical, specially designed to meet the internal auditor's
needs.
• Routing of selected educational material to the Internal Audit staff to maintain current knowledge in
the field.

The Core Program requires a minimum of two weeks, or 80 hours, per year of formal education or teaching.
The Advanced Program requires a minimum of one week, or 40 hours, per year. These minimum
requirements do not include self-study courses, outside professional meetings, on-the-job training, research,
and the use of the library.

e. Core Program
First Year:

During the first year of employment, attendance at various structured courses is required. The following
schedule will be followed, interfaced with on-the-job training:


• All new hires will attend an orientation program on the company and the Corporate Audit
Department.
• All entry-level auditors will attend a one- to two-week course on Introduction to Corporate Auditing
Procedures. This subject could be administered in-house by experienced corporate auditors, or
provided by outside trainers.
• All auditors will attend at a minimum a five-day Introduction to Computer Auditing course.
• All staff members will attend audio/visual courses on audit-related topics during the year.
• There will be mandatory attendance at all staff meetings and in-house internal audit seminars on a
regional and centralized basis.

Second Year:

The training program will continue into subsequent years. By the end of the second year, the following should
have been attained:

• Continuation of Corporate Auditing procedures at the Intermediate Level as well as attendance at
courses relating to the evaluation of internal controls
• Attendance at an in-house or outside seminar on advanced computer audit techniques or software (i.e.,
Computer-Assisted Audit Tools and Techniques, or CAATTs)
• Participation in audio/visual courses on specific topics to be announced; that is, systems auditing,
statistical sampling, fraud detection, Internet security, and so on
• Attendance at in-house Corporate Audit seminars (one week) and regularly scheduled staff meetings

f. Advanced Program
The Advanced Program will involve specific tailoring to meet each individual's development needs. As the
internal auditor's career progresses, decisions need to be made regarding the individual's long-term objectives.
If those objectives lie in the Internal Audit area, provision should be made for the attendance at Internal Audit
management training and conferences. There may be a need for auditors to develop specific skills further. For
instance, operational auditing or IS auditing skills may be required by the department, and/or requested by
individuals in their career planning meetings. The professional development program can be tailored for each
individual, to help meet departmental, as well as individual, goals.

Included in the advanced stage of the program is an anticipation that the staff member will increase his or her
involvement with professional organizations such as the IIA, American Institute of Certified Public
Accountants (AICPA), American Management Association (AMA), Information Systems Audit and Control
Association (ISACA), and participate in their educational programs. Staff members, at this level, should be
strongly encouraged to develop their own expertise in specific areas and provide training courses to these
organizations. Committee assignments can, in some cases, be considered as continuing education endeavors.
These decisions must be made by audit management, and documented in the individual's professional
development plan.

g. Record-Keeping
Each auditor is responsible for maintaining a chronological record of his/her training or educational
accomplishments while on the Corporate Audit staff. This record will be forwarded quarterly to the
Coordinator of Education. (See Exhibit 5.3, "Continuing Professional Education (CPE) Record.")

Exhibit 5.3: Continuing Professional Education (CPE) Record

NAME _________________________        PERIOD ________________

                                                  |           CPE HOURS              |
DATE  ORGANIZATION  COURSE  INSTRUCTOR  CPE Provider #  | PREPARATION  TEACHING  ATTENDED |
____  ____________  ______  __________  ______________  | ___________  ________  ________ |
____  ____________  ______  __________  ______________  | ___________  ________  ________ |
____  ____________  ______  __________  ______________  | ___________  ________  ________ |
                                                 TOTAL  | ___________  ________  ________ |

The coordinator will review the forms quarterly and submit them to the Director of Auditing for inclusion in
each Auditor's personnel file. Continuing education credits needed to maintain professional certifications are
to be pursued by each individual auditor, and evidence of those credits will be retained in his or her personnel
file. Individuals should keep copies of course outlines as required by the various certifications for CPE
purposes.

Performance evaluations will be conducted after each assignment or periodically by each level of supervision,
and also placed in the file, so that needs analysis can be made to determine what additional education is
required to maintain each staff member's proficiency.

Training records will be used as a reference in scheduling staff members to various assignments. These
assignments will help reinforce the retention of course curriculum obtained from the training programs. The
Director and Audit Managers will periodically assess the auditor's training needs, using the CPE record and/or
the section on development needs as shown on the performance evaluations. After training assessments are
made, both individual and staff training goals and programs will be further developed as required.

The results of this training program should improve the professional competence of all staff members, thus
providing the knowledge to function and cope with our fast-changing, complex environment.

SAM POLE COMPANY    Corporate Audit Department Procedures Manual
NO: 5.3    REV NO:    DATE:
TITLE: Personnel Files    PAGES:
5.3 Personnel Files


In order to properly manage the Audit Department, personnel files will be maintained. Audit
Department personnel files should be multi-partition files and include, but not be limited to:

1. Employee resume and a copy of the original Company application (if appropriate)
2. Periodic performance appraisals
3. Summary of salary history and promotions
4. Corporate Audit Department Background Information Form (Exhibit 5.4)

Exhibit 5.4: Corporate Audit Department Background Information Form


5. Corporate Audit Department Interest Questionnaire (Exhibit 5.5)

Exhibit 5.5: Corporate Audit Department Interest Questionnaire Form


These files should be maintained by the Audit Department in addition to files maintained by the Human
Resources (HR) function. To facilitate the development and maintenance of these departmental files and the
gathering of the specific information needed to proactively manage the corporate audit function, two
departmental forms should be completed by all employees and updated annually. These forms are:

• Corporate Audit Department Background Information Form
• Corporate Audit Department Interest Questionnaire

a. Corporate Audit Department Background Information Form


This form (Exhibit 5.4) facilitates two-way communications and helps standardize the basic information
required for each employee. The form should be kept in the inside cover of each personnel file. The form also
serves to reinforce interest in certifications and professional activities and provides a feedback mechanism for
information related to these activities.

b. Corporate Audit Department Interest Questionnaire


The Corporate Audit Department Interest Questionnaire (Exhibit 5.5) expands on the Corporate Audit
Department Background Information Form by requesting additional information related to the audit
professional's preferences. Not all preferences can be granted, but in some cases preferences can be
considered in planning.

SAM POLE COMPANY    Corporate Audit Department Procedures Manual
NO: 5.4    REV NO:    DATE:
TITLE: Periodic Performance Evaluation Review    PAGES:

5.4 Periodic Performance Evaluation Review


Periodic performance evaluation is an essential part of our personnel development program. It is expected that
all staff members will become familiar with and understand the reporting requirements and instructive
guidelines. Staff evaluations, prepared accordingly, can then be expected to be fair and objective appraisals of
the person's performance. The importance of timely, constructive interim feedback by the supervisor cannot
be emphasized too strongly. Such feedback will help to shape the end-of-assignment evaluation and will
expedite its completion and review. The Performance Evaluation Review Form is included as Exhibit 5.6. The
report is to be prepared for staff personnel by the in-charge senior or manager promptly at the end of the
assignment.

Exhibit 5.6: Performance Evaluation Review Form


a. Performance Evaluation Review Guidelines for Preparation of Report


Continuous and timely review and evaluation of performance is essential to effective personnel development.
To provide for that continuity, the Performance Review report should be prepared promptly by the Auditor's
supervisor at the end of each assignment. The evaluation should be discussed with the Auditor in a
constructive manner to encourage continuing efforts toward improvement in performance and the elimination
of shortcomings.

The completed report, signed both by the preparer and the person evaluated, will document the following:

• Accurate, complete record of the auditor's performance
• Notification of observed strengths and weaknesses
• Basis for assessing training and development needs (correlated with the auditor's departmental
training record)
• Basis for appraisal toward promotion or for transfer, salary review, and warning or other
administrative action

The periodic, end-of-assignment review should be reinforced through effective interim oral or written
feedback by the supervisor during the assignment. Interim feedback is the continual process, an integral part
of the supervisor's functions. Failure to provide timely feedback is a weakness in the supervisor's
performance. The interim performance discussion should provide analysis of both strengths and areas for
improvement, emphasizing constructive actions for improving performance. Although interim evaluations
need not be in writing, the evaluation form can serve as a checklist for areas to be considered and for notes, as
both a basis for that evaluation and a reference point for the end-of-assignment evaluation.

i. Preparation

Report preparation is important, and ample time should be allotted to prepare the report.

(A) Assignment Responsibilities and Circumstances. The form is designed to obtain specific answers to
questions, amplified as appropriate by description, comment, or discussion.

Regarding the level at which the person was used on the assignment, indicate the level at which he or she
functioned rather than the actual level. Criteria should include the nature of the work, degree of supervision,
and prior staffing of the assignments.

The nature of the work, for the auditor's major responsibilities, should be described in sufficient detail. For
example: internal control (sales, cash receipts, payroll): documentation, audit program, walk-through;
inventory: observation, pricing finished stock; accrued liabilities: test for unrecorded liabilities. Unusually
difficult or simple situations should be identified.

(B) Manager/Director Approval. This approval is required on all evaluations prepared by staff-level
personnel, namely supervising senior, senior, and so forth. Approval should be indicative of Manager/Director
concurrence with the evaluation (see Manager/Director Comments section) and that it contains the appropriate
information. When prepared by staff-level personnel, it is recommended that the report be read by the
Manager prior to review with the individual. Manager/Director approval should occur after the report has been
discussed with the individual and finalized. Any Manager/Director comments should be included in the
evaluation at the time the individual signs off on the report.

(C) Comments Section. When completing this section, the auditor's experience level should be considered in
evaluating his or her performance. For example, the criteria for measuring a staff auditor's technical skills
would differ significantly from those used in evaluating a senior. It is expected that completion of all
categories will generally be appropriate except for the Development of Assistants category for evaluations of 
staff auditors.

The boxes at the right margin are to be used to insert the abbreviation for the effectiveness level of each listed
qualification. Effectiveness levels are defined on the last page. It is expected that everyone will become
familiar with the definitions and use them as explained. Although the ratings "OUTSTANDING" and
"UNSATISFACTORY" should be clearly explained, specific comments should also be given for other
effectiveness levels for informative reporting to the auditor and the reader.

Areas noted for improvement should include any recommendations for the individual's development. In
discussing weaknesses, the evaluation should assess the progress made in correcting those weaknesses during
the course of the engagement. In situations when mitigating circumstances may have contributed to a
weakness, appropriate details should be provided. However, it is not appropriate, for example, to discuss
budget overruns when it clearly was not within the control of the individual. When one weakness impacts
several qualification categories, the evaluation should clarify this fact so as not to mislead the reader into
concluding that several weaknesses exist.

(D) Appraisal Section. The last page of the report summarizes the results of the performance evaluations, both
interim and end-of-assignment.

When completing the sections dealing with Developmental Needs and Promotability, comments, reasons, and
recommendations should be expressed clearly and constructively to provide reliable source information to
audit management for future assignments and indicated training and development needs.

The Manager/Director Comments section is required for all evaluations where that level of approval is
necessary. The basis for approval may be discussions with the in-charge senior, review of work papers or
personal contact. The Manager or Director may also include other significant comments.

The Summary Evaluation section should be completed subsequent to the Comments section and should be
supported by the written comments. Because it represents a summary of the written comments, emphasis is
again placed on the need to rate individuals on the basis of their experience level and standards normally
expected at that level. In rating an individual's effectiveness level, supervisors should refer to the definitions
provided on the form. Ratings other than these should not be used. The most appropriate rating must be
chosen. Written comments should explain borderline decisions.

ii. Performance Appraisal Meeting

Performance appraisal meetings provide a very important opportunity to discuss and improve employee
performance. Such meetings are a major element in a personnel development program. At every opportunity,
the Audit Department culture should emphasize the importance placed on continuing personnel improvement
and development. The Audit Department is only as good as the personnel performing the work. To the extent
that employees' performance can be improved, the overall quality of the audit products will be improved.

It is important that adequate time be allowed to plan for and conduct a performance appraisal meeting. The
meeting should be scheduled with the employee to reduce the anxiety usually associated with performance
appraisal meetings. All attempts should be made to create a comfortable atmosphere and reduce or eliminate
interruptions. The performance meeting presents an opportunity to review progress and priorities, resolve any
problems with performance, discuss future development needs, and agree on how to meet them.

Conducting the performance review can be a challenging endeavor, and efforts should be made to train
supervisory staffs to better conduct performance review meetings. During the meetings, it is important
to create two-way communications. One objective of the meeting is to get the employee to open up. The
evaluator will be prepared with his or her comments. The meeting atmosphere should be informal and
unhurried. This objective can be accomplished by meeting in a conference room or away from a manager or
supervisor's desk, if possible. It is also important to emphasize the good work that the employee has
accomplished. There should be an emphasis on "praise" in the appraisal. It is important that the reviewer
probe and ask questions, and most importantly, listen to the answers. This approach will provide ample time
for the employee to discuss thoughts on his or her mind.

One of the objectives of the review process is to allow the employee to face up to any problems that might
exist. In some cases, the best approach to mentioning a problem is to use the self-appraisal approach. Under
the self-appraisal approach, the supervisor or manager will ask the employee to discuss his or her performance
from their perspective. It is very important to always discuss the performance—and not the individual's
personality. Any criticism should be made in a positive manner. For instance, talk about how the person can
make needed improvements.

There should be few surprises in the appraisal meeting. Problems should be discussed with the staff when they
are recognized. This method will allow the supervisor to correct the problem earlier and also demonstrate by
example the existence of the problem. When this method is not used, specific examples should be raised
during the appraisal review meeting. However, this method is not as good an alternative as actually having
mentioned the problems as they occurred.

Before the meeting is concluded, you should agree on a plan of action. Outline your thoughts on action points
prior to the performance meeting. Focus on facts and avoid general judgments. Set objectives and goals, and
agree upon completion dates.

SAM POLE COMPANY    Corporate Audit Department Procedures Manual
NO: 5.5    REV NO:    DATE:
TITLE: Annual Staff Meeting/Conference    PAGES:

5.5 Annual Staff Meeting/Conference


As pointed out in this manual, personnel development is critical to the development and maintenance of a
quality audit program. The Core and Advanced Personnel Development Programs are set out in Personnel
Development in this chapter. One of the key programs in any audit department is the Annual Staff 
Meeting/Conference. The meeting has many objectives, including:

• Setting aside some time for department-wide administrative updates
• Discussions of company developments
• Audit training
• Reports on results of quality assurance reviews and related changes
• Opportunity for feedback from the staff and for suggestions for improvement of department
operations

The location of the meeting is very important to the overall success of the meeting. Meetings should be
planned outside the office for a maximum impact. In addition, it may be combined with a social or sports
activity to help build morale and camaraderie among the staff.

The program can include a State of the Department Address by the Chief Auditor. Presentations by
department managers are also very important. Each functional leader should also provide an update on their
administrative activities, including the quality assurance program and the personnel development program.

a. Group Discussions
In order to provide a forum for feedback from the staff, consideration should be given to holding group
discussions. These sessions would allow staff members to discuss any topic related to their department. Plan
for a sufficient amount of time, a minimum of two hours, for group discussions. The staff should be broken
down by groups, and these sub-groups should be provided with private meeting space to hold these
discussions. In order to organize the group discussion, prepare a Group Discussions Instruction Sheet. Exhibit
5.7 illustrates this document for a fictional meeting. The groups should have a Group Leader and a Scribe.
The role of the Group Leader and the Scribe should be set out in the Group Discussion Instruction Sheet.

Exhibit 5.7: Group Discussions Instruction Sheet

Objective

• To provide a forum for the staff to discuss their concerns and hear other members' concerns
• To provide feedback to Audit Management as to what are the main concerns of the staff and what
possible solutions they project

Group Leader's Role

• Set the stage by informing the staff that this is their time to talk about anything related to the
Corporate Internal Audit Department's organization or activities. Tell them you have a list of some
items of potential interest you will use to generate conversation when there is none or to improve the
productivity of the conversation if it gets way off course.

Explain that there is a scribe to take notes on what is said, not who said it, and that we will provide
feedback later in the day.

Ask the group to begin and wait a few minutes. Give the group a good chance to start on their own.

Keep the meeting moving. If too much time is spent on a topic, ask to move on to another topic.

Scribe's Role

• Listen carefully and make notes of key concerns, suggestions, items of interest, etc. If you don't
understand what someone is trying to say, ask questions to clarify the issue.

Observer's Role

• Listen in on a portion of each meeting

Potential Topics

1. How important is audit planning? Is our approach adequate? How should we approach it?
2. Should we employ management by objectives and goal setting?
3. Should we require certification of some kind (CPA, CIA, CISA, CDP) within a given time frame?

4. How much of a factor should evaluations of performance be in determining raises and promotions?
5. Other:

♦ Annual Staff Meetings
♦ IS Audits/Training Participation in Audits
♦ Job/Career Future
♦ Audit Staff; Administrative Matters; Travel, Advances, Accommodations, etc.

The Leader's role is to set the stage by informing the staff that this meeting is their time and that they could
talk about anything related to the department's organization or activities. The Leader should be provided with
a list of some potential items of interest to generate conversation if necessary. However, there should be
sufficient time allotted before this list is introduced to ensure that the staff has an opportunity to bring their
own thoughts and ideas. The role of the Scribe is to listen carefully and make notes of key concerns,
suggestions, and items of interest. Having someone perform this role frees the Group Leader to concentrate on
the Leader's role—keeping the meeting moving. The Scribe will produce a list that should be provided to
audit management. The list should not indicate who made what recommendation—anonymity adds credibility
to comments by mitigating "groupthink" problems.

In many group discussion meetings, an Observer is also involved. The Observer could be the Chief Auditor or
Audit Management. The role is to listen in on a portion of each meeting to gain an understanding of the
temperament and direction of each meeting. The Observer should not speak at any meeting. The purpose of 
the meeting is not to provide answers but to develop questions of interest and proposed solutions.

Group discussions require feedback from Audit Management. The Scribe's individual meeting summaries
should be combined for review by Audit Management at a subsequent meeting or responded to at the
conclusion of the Annual Staff Meeting/Conference. The sooner the feedback is reviewed, the better. For
instance, if simple issues or ideas are brought up that could be acted upon immediately, these responses

should be included in the closing remarks of the Chief Auditor. Those issues and suggestions that require
more careful attention should be thought through and summarized in a memorandum to all participants in the
Annual Meeting.

Annual Meetings usually prove to be very productive, if proper attention is paid to planning and arrangements.

SAM POLE COMPANY    Corporate Audit Department Procedures Manual
NO: 5.6    REV NO:    DATE:
TITLE: New Staff Orientation    PAGES:

5.6 New Staff Orientation


Welcome to Sam Pole Audit. We hope you find your position with us beneficial and rewarding. One of the
first projects necessary to acquaint you with Sam Pole and Corporate Audit is orientation. Orientation is
designed to formally introduce you to our company and significant department policies and procedures. A
checklist has been provided to ensure your orientation is thorough and that you receive all materials. The
checklist is to be signed off by you and the person making the orientation presentation. This form will be
retained in your personnel file.

Many of these items may already have been discussed during your interview with Sam Pole. However,
orientation will give you a more detailed explanation. We encourage you to ask questions; people on the staff 
will be happy to help you, or many questions can be answered by reading the procedures manual. Please ask 
any questions you may have.

These welcoming remarks are often used when new personnel join the department. A sample orientation
checklist can be found in Exhibit 5.8. A general description is provided here for each item on the orientation
checklist.

Exhibit 5.8: Orientation Checklist

                                            DATE              INITIALS
Introduction to Staff                       _______________   _______________
Facility                                    _______________   _______________
Parking                                     _______________   _______________
Key Personnel/Organization Review           _______________   _______________
Annual Report Issued                        _______________   _______________
Employee Benefits                           _______________   _______________
Job Description                             _______________   _______________
Performance Evaluation Review               _______________   _______________
Three-Month Probation                       _______________   _______________
Working Hours/Salary/Overtime               _______________   _______________
Vacations                                   _______________   _______________
Sick Leave                                  _______________   _______________
Personal Leave                              _______________   _______________
Time Reports                                _______________   _______________
Travel                                      _______________   _______________
Cash Advances                               _______________   _______________
Air/Rail Travel                             _______________   _______________
Expenses                                    _______________   _______________
Keys (Sign Out)                             _______________   _______________
Library                                     _______________   _______________
Data Processing Security/Badges             _______________   _______________
Professionalism                             _______________   _______________
Procedures Manual                           _______________   _______________
Safety Equipment Issues                     _______________   _______________
  • Hard Hat                                _______________   _______________
  • Glasses                                 _______________   _______________

All items listed above have been explained to me, and I have no further questions at this time.

_______________________   __________      _______________________   __________
Orientation Supervisor    Date            Employee Signature        Date

• Introduction to Staff. The person presenting the orientation will introduce you to members of the
staff in the office. That person will also identify those staff members who are not present and provide
you with a list of the staff in the Audit Department.
• Facility. You will be given a guided tour of the Corporate Audit Department and other nearby
facilities.
• Parking. Parking will depend on the division where you work. Additional parking facilities are
available at a cost to you.

When you are in the field, during your initial visit to the auditee's office, identify where you have
parked and ask about their parking requirements.
• Organization. Organization charts of the Corporate Audit Department and the Corporation are in
Chapter 4 of this manual.
• Annual Report. You will receive the current annual report of Sam Pole Corporation. Key officials are
identified in the annual report, along with major components of the Sam Pole organization. You
should study this report thoroughly.
• Employee Benefits. You will be issued employee benefit authorization cards that must be filled out
and signed. You will be issued an employee benefits manual. Read it carefully, and if you have any
questions, discuss them with Audit Department management. If we do not know the answers, we will
obtain them from the Employee Benefits office or refer you to the Human Resources Department.

• Job Descriptions. Job descriptions are available in the Procedures Manual. Your job description will
be carefully discussed with you during orientation. If you have any questions, please see the Manager.
• Performance Evaluation Reviews. The form that is used for performance evaluations will be
discussed with you. It is contained in Chapter 5 of the procedures manual. Study the form; if you have
any questions, please ask them.
• Three-Month Probation. All employees hired by the Corporate Audit Department are subject to a
three-month probationary period. This procedure is for the evaluation of initial performance.
• Working Hours. Normally, the office hours are from 8:00 A.M. to 5:00 P.M. Monday through Friday.

The exception to this standard is when auditing outside of your home location. If 40 hours can be
accomplished Monday through Thursday by working 10-hour days, then at the discretion of audit
management, you may return home Thursday night.

Auditing, however, is a concerted, task-oriented profession. As professionals, when circumstances
warrant, expect to spend the necessary additional hours to accomplish our objectives in a timely
manner.
• Salaries. Professionals employed by the Corporate Audit Department are salaried personnel.
Overtime is not paid.
• Vacations. The Corporate Audit Department follows vacation schedules as set forth in the Sam Pole
personnel policy manual.
• Sick Leave. The Corporate Audit Department will follow Corporate sick pay policy. If you are sick,
you are to notify the office and the in-charge auditor as early as possible in the morning.
• Personal Leave. Personal time is provided by the Corporate Policy providing three personal days per
year. There are times when personal business, such as studying for certification exams, may be
conducted during working hours—if prior permission is obtained from the Manager of Corporate
Audit.
• Time Reports. Time reports are required on a semi-monthly basis. A form will be shown to you, and
you will be instructed on how to complete it correctly.
• Travel. With audit functions situated away from home offices, there is a need for travel to these
locations. For travel information, refer to the Corporate Audit Department procedures manual—travel
policies.

• Advances. Each division may make temporary cash advances for expenses. Advances must be shown
on expense reports and accounted for monthly. Unused advances must be remitted to the company
monthly.
• Air/Rail Travel. Tickets for air/rail travel can be obtained from the travel department (and accounted
for in the same manner as cash advances) or purchased directly by the auditor and reported on the
expense report.
• Expenses. Sam Pole has issued a pamphlet, "Reporting of Travel and Business Expenses," to be used
with the exception of those items that are specifically provided for by the Corporate Audit
Department.
• Keys. The new employee will be given certain keys where appropriate. These must be signed out on
the log maintained by the secretary at your location.
• Library. The department office library contains various Sam Pole manuals. You should become
acquainted with these manuals. Other publications available for education or research are also in the
office library. You will see these, as well as checkout procedure applicable to the local offices (see
Recommended Reading List).
• Security Badges. Where badges are required, you will be evaluated on an as-needed basis before
badges will be issued to you. Necessary security codes, computer/network passwords and log-in
access, and/or badges will be arranged through the Manager of Corporate Audit.
• Professionalism. Corporate Audit is striving to make our department a world-class department. A
friendly, courteous relationship with auditees, outside auditors, and other Sam Pole employees is
paramount in establishing and maintaining good public relations. We consider ourselves professionals
and should act and dress accordingly. Dress should be in good taste. Try not to have extremes in
either direction.
• Procedures Manual. The master manual is retained in the office; in-charge auditors have a copy to be
used at the work sites. A better option would be to keep an electronic copy of the manual on the Audit
Department Intranet site for easier access (e.g., 24/7 availability to anyone). This manual was
developed for the benefit of new employees and to document procedures to be followed. It is
important to become familiar with the manual because we follow these procedures and are evaluated
accordingly.
• Safety Requirements. There are occasions when we must work in areas that require safety equipment.
Typically, the location will provide the equipment. In the division where visits to the factories are
customary, the department issues a hard hat and safety glasses.
Chapter 5: Personnel, Administration, and Recruiting 23


Part III: Technical Procedures


Chapter List
Chapter 6: Audit Planning
Chapter 7: Audit Performance
Chapter 8: Audit Reporting
Chapter 6: Audit Planning


Overview

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 6.1 REV NO: DATE:
TITLE: Corporate Audit Planning, Scheduling, and Staffing PAGES:

6.1 Corporate Audit Planning, Scheduling, and Staffing


In January 2002, the Institute of Internal Auditors' (IIA) Standards for the Professional Practice of Internal
 Auditing (SPPIA) became effective. These standards emphasize the need for planning (see section 2010 in
particular). One Guideline states, "The chief audit executive should establish policies and procedures to guide
the internal audit activity" (IIA — SPPIA, 2040). Under the Performance Standards of the SPPIA, the first
topic is Planning (section 2010): "The chief audit executive should establish risk-based plans to determine the
priorities of the internal audit activity, consistent with the organization's goals."

The Information Systems Audit and Control Association (ISACA) also has established a similar emphasis on
planning. One guideline states, "The information systems auditor is to plan the information systems audit
work to address the audit objectives and to comply with applicable professional auditing standards"
(ISACA—IS Audit Guideline 050.010 [Audit Planning]). Additionally, another ISACA guideline addresses
planning related to day-to-day activities: "Before beginning an audit, the IS auditor's work should be planned
in a manner appropriate for meeting the audit objectives" (ISACA—IS Audit Guideline 050.010.2.1.1).

Planning is a very basic element of all business activities. The Audit Department is no exception. The
long-term departmental operating plan will demonstrate an organized approach to systematically auditing all
company operations. In this book, a three-year operating plan has been developed. The extended cycle of 
audit coverage should be discussed with management and, if appropriate, with the Audit Committee. This
process would establish the overall strategy for auditing company locations. In many companies, every aspect
of the company's operations should be audited, to some extent, on a formal rotation basis (see Section 6.3).
Even small operations should be considered for audit visits. The audit "deterrent factor" should not be
underestimated.

To accomplish the responsibility for planning for internal audit activities, a planning matrix (Exhibit 6.1) has
been developed as a tool. It illustrates the flow and relationship of the three-year plan to the annual operating
budget, six-month audit plan, three-month audit schedule, and two-month staff schedule. By beginning with
the long-term planning exercise, the work investment naturally flows down to the planning for the shorter
periods. Here is where the chief internal audit executive looks for integration of activities to save work later
on. In formulating the three-year plan, one should consider the subsequent shorter-term plans by developing
the long-term plan in six-month (or other appropriate) sub-periods that feed into the shorter-term planning process.

Exhibit 6.1: Corporate Audit Planning, Scheduling, and Staffing

Three-Year Operating Plan
Purpose: Document department operating plan for Audit Committee and Management.
Basis: Owner's request to provide total coverage of principal audit areas over a three-year cycle. Audit management decision regarding rotation.
Timing: Annually in August.
Revision: As required.
Responsibility: Primary - Manager - P&C; Secondary - Sr.

Annual Budget and Plan
Purpose: Forecast calendar-year audit plan as basis for financial budget. Coordinate audit coverage with public accountants.
Basis: Audit plans: second half current year; first half next year. Manpower, traveling, professional development, and administration costs.
Timing: Annually in August.
Responsibility: Primary - Manager - P&C; Secondary - Sr.

Six-Month Audit Plan
Purpose: Plan detail of audit assignments: nature of audit; scope; timing; manpower.
Basis: Specific implementation of each six-month period of the three-year plan. Budget constraints. Audit management discretion.
Timing: Semiannually: 60 days prior to six-month period.
Revision: As required.
Responsibility: Primary - Manager - P&C; Secondary - Sr.

Three-Month Audit Schedule
Purpose: Schedule three-month segment of six-month plan.
Basis: Attainable audit objectives for three months based upon six-month plan. Management discretion.
Timing: Beginning of first month for each three-month period.
Responsibility: Primary - Manager - P&C; Secondary - Sr.

Two-Month Staff Schedule
Purpose: Notify supervision and staff of assignment schedules.
Basis: Three-month audit schedule. Manager discretion. Audit management discretion.
Timing: Beginning of first month of each two-month period; administrative assistant to staff.
Responsibility: Primary - Manager; Secondary - Sr.

a. Three-Year Operating Plan


One of the responsibilities designated by the Corporate Audit Charter is for the Director of Auditing of the
corporation to establish a plan of audit. The three-year audit plan (Exhibit 6.2) provides long-term forecasting.
It also establishes the coverage of audits for a three-year cycle approach to total coverage of locations,
branches, or companies within the organization. The objective to audit all company operations over a period or
cycle can be difficult to achieve. Of course, the number of personnel required on the staff to achieve this
objective will need to be calculated.
Exhibit 6.2: Sample Three-Year Audit Plan

Sam Pole Company Corporate Audit Department Three-Year Audit Plan

Columns of the plan form:
Audit Unit Number
Audit Unit
Risk Factor × wt. 1
Risk Factor × wt. 2
Risk Factor × wt. 3
Risk Profile
Estimated Audit Hours: Jan.–June 20xx; July–Dec. 20xx; Jan.–June 20xx + 1; July–Dec. 20xx + 1; Jan.–June 20xx + 2; July–Dec. 20xx + 2

The three-year plan optimizes staffing requirements and the cost effectiveness of the Audit Department. The
plan is based on materiality and exposure to risk for establishing priorities of the audit entities and number of 
hours for the audits. The three-year plan may be developed in detailed increments of six-month time periods.
Circumstances that affect change to the plan are management requests and detailed monthly planning.

i. Auditable Units

In order to develop an audit plan, a company's auditable unit must be selected. An audit unit can be a
subsidiary operation, a department, a division, a system, or even an account. For instance, the XYZ Company
may be audited. Alternatively, the XYZ Company's sales cycle (sales, accounts receivable, and cash receipts
systems) can be audited or its accounts receivable balance can be subject to audit verification. A logical
approach for each company must be developed based on infrastructure, resources, system specifics, and
corporate strategies. In many cases, combinations of audit types will result. Often, various audit units at a
specific location will be combined to create a logical audit unit.

b. Risk Analysis
Risk analysis, or assessment, has become the preeminent method of guiding audits. External auditors have
long begun their process of financial audits with the audit formula—assessing inherent risk, control risk,
detection risk, and audit risk. In Statement on Auditing Standards No. 78, Consideration of Internal Control
in a Financial Statement Audit , the American Institute of Certified Public Accountants (AICPA)
institutionalized as guidelines the Committee of Sponsoring Organizations (COSO) model of internal control.
The five major areas of internal control include (1) control environment, (2) risk assessment, (3) information
and communication, (4) monitoring, and (5) control activities. The COSO model has also become a common
methodology used to design the internal control environment (see Chapter 3). Lately, internal auditing has
also put more focus on risk assessment. The current definition of internal auditing by the IIA states:

• Internal auditing is an independent, objective assurance and consulting activity to add value and 
improve an organization's operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.

In 2000, the IIA basically adopted risk assessment as the cornerstone of audits in its Standards. In the Nature
of Work section (Standard 2100), the first standard relates to risk management (Standard 2110). It states: "The
internal audit activity should assist the organization by identifying and evaluating significant exposures to risk 
and contributing to the improvement of risk management and control systems." In order to develop effective
audit planning, some type of risk analysis is necessary because it provides strategic direction for limited
resources.

For example, one published survey on best practices for audit efficiency concluded that correlating audit
efforts to the levels of risk and materiality helped increase audit efficiency. Thus auditors should try to limit
procedures in low-risk areas and focus their attention on trouble spots. [1]


Depending on your company's specific operations and management concerns, the various risk factors are
identified in the plan. Care must be taken to analyze the cost versus benefit of a complex risk-based audit
plan. Many risk analyses result in a potentially complex summary of mostly subjective criteria, such as results
of previous audits or the control concern level of management, and a restatement of obvious objective criteria,
such as materiality. However, a basic summary of risk analysis should be performed. Since all risks are not
equal, each risk factor is assigned a weighting factor. The following is an example:

Risk Factor | Weight Factor (1 = lowest, 5 = highest)
Materiality | 5
Results of Prior Audits | 3

For each audit, a score for each risk factor should be developed and multiplied by the risk factor weighting.
For instance, a scale of 1 to 5 can be used with 5 representing high risk and 1 representing low risk or a good
control environment. The following is an example:

Risk Factor | Weight Factor (1 = lowest, 5 = highest) | Risk Score
Materiality | 5 | 5
Results of Previous Audits | 3 | 1

From this type of analysis, a risk profile can be developed to support decisions of audit frequency or scope.
Finally, audit review and management judgment should be applied to the plan and risk assessment. All audit
managers should be encouraged to provide input and review.
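The weighted scoring described above, carried through to a ranked risk profile and a six-period hour layout like Exhibit 6.2, as an added example (this is illustrative code, not a tool from the manual or from Sam Pole). It keeps the page's two weights (materiality 5, prior audit results 3); the third factor "control_concern" and its weight, the frequency bands per rank tercile, the hours per visit, and the audit units are constructed assumptions so that the example runs.

```python
"""Weighted risk scoring of auditable units and a three-year coverage plan.

Added example (not from the procedures manual). It follows the scoring rule
on the page: each risk factor is scored 1 (low risk / good controls) to 5
(high risk), multiplied by the factor's weight (1 = lowest, 5 = highest),
and summed into a risk profile. The third factor, the frequency bands, the
hours per visit and the unit names are constructed assumptions.
"""
from dataclasses import dataclass
from math import ceil

# Weights as in the page's example (materiality 5, prior audits 3); the
# "control_concern" factor and its weight are hypothetical.
WEIGHTS = {"materiality": 5, "prior_audit_results": 3, "control_concern": 2}

# Six semiannual periods of a three-year plan (Exhibit 6.2 column layout).
PERIODS = ["Jan-Jun 20xx", "Jul-Dec 20xx", "Jan-Jun 20xx+1",
           "Jul-Dec 20xx+1", "Jan-Jun 20xx+2", "Jul-Dec 20xx+2"]


@dataclass
class AuditUnit:
    number: str                # audit unit number
    name: str                  # auditable unit (subsidiary, cycle, account, ...)
    scores: dict               # risk factor -> score, each 1..5
    hours_per_visit: int = 80  # estimated hours for one audit visit (assumed)


def risk_profile(unit, weights=WEIGHTS):
    """Sum of score x weight over all factors; rejects missing or out-of-range scores."""
    total = 0
    for factor, weight in weights.items():
        score = unit.scores.get(factor)
        if score is None or not 1 <= score <= 5:
            raise ValueError(f"{unit.number}: factor {factor!r} needs a score 1..5")
        total += score * weight
    return total


def rank_units(units, weights=WEIGHTS):
    """Highest risk profile first; ties broken by unit number so the plan is stable."""
    return sorted(units, key=lambda u: (-risk_profile(u, weights), u.number))


def visits_per_cycle(units, weights=WEIGHTS):
    """Map rank terciles to audit frequency over the three-year cycle.

    Hypothetical bands: top third every six-month period (6 visits), middle
    third annually (3 visits), bottom third once per cycle (1 visit), so that
    every unit is still covered, as the rotation principle requires.
    """
    ranked = rank_units(units, weights)
    n = len(ranked)
    visits = {}
    for position, unit in enumerate(ranked):
        if position < ceil(n / 3):
            visits[unit.number] = 6
        elif position < ceil(2 * n / 3):
            visits[unit.number] = 3
        else:
            visits[unit.number] = 1
    return visits


def three_year_plan(units, weights=WEIGHTS):
    """Estimated hours per unit per semiannual period, as in Exhibit 6.2.

    Units visited 6 times are scheduled every period, 3 times every other
    period, and once in a period chosen by rank so single visits are spread.
    """
    ranked = rank_units(units, weights)
    visits = visits[unit.number] if False else visits_per_cycle(units, weights)
    plan = {}
    for position, unit in enumerate(ranked):
        hours = [0] * len(PERIODS)
        v = visits[unit.number]
        if v == 6:
            periods = range(6)
        elif v == 3:
            periods = range(0, 6, 2)
        else:
            periods = [position % len(PERIODS)]
        for p in periods:
            hours[p] = unit.hours_per_visit
        plan[unit.number] = hours
    return plan


def total_hours_by_period(plan):
    """Column totals: the staffing requirement the page says must be calculated."""
    return [sum(hours[i] for hours in plan.values()) for i in range(len(PERIODS))]


# Constructed audit universe for the demonstration.
SAMPLE_UNITS = [
    AuditUnit("U1", "Treasury", {"materiality": 5, "prior_audit_results": 1, "control_concern": 2}, 120),
    AuditUnit("U2", "Plant A inventory", {"materiality": 4, "prior_audit_results": 4, "control_concern": 3}, 160),
    AuditUnit("U3", "Payroll", {"materiality": 3, "prior_audit_results": 2, "control_concern": 2}, 80),
    AuditUnit("U4", "Sales cycle (XYZ Company)", {"materiality": 5, "prior_audit_results": 3, "control_concern": 4}, 200),
    AuditUnit("U5", "Marketing expenses", {"materiality": 2, "prior_audit_results": 5, "control_concern": 3}, 80),
    AuditUnit("U6", "Small branch office", {"materiality": 1, "prior_audit_results": 1, "control_concern": 1}, 40),
]

if __name__ == "__main__":
    freq = visits_per_cycle(SAMPLE_UNITS)
    for u in rank_units(SAMPLE_UNITS):
        print(f"{u.number} {u.name:<28} profile={risk_profile(u):3d} visits={freq[u.number]}")
    print("Hours by period:", dict(zip(PERIODS, total_hours_by_period(three_year_plan(SAMPLE_UNITS)))))
```

The column totals returned by total_hours_by_period are the figure to compare against available staff hours; if a period is overloaded, the management judgment the section calls for is applied by moving single-visit units or reducing scope, not by silently dropping low-risk units from the cycle.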

c. Annual Budget and Plan


The company utilizes many budgets to operate its various companies, divisions, and so on. Local budgets
consolidate into corporate budgets, production forecasts, capital appropriations budgets, and many other
budgets. Auditing, along with all other departments within the company, must comply with these accounting
practices.

Departmental budgets and plans are the direct responsibility of the Director of Auditing. Departmental
budgets and plans include the annual departmental budget, the three-year audit plan, annual audit plan, and
monthly staff assignments. Each kind of plan is discussed in more detail in subsequent sections.

i. Annual Department Budget

The Audit Committee requests the annual departmental budget each fiscal year. The Director of Auditing
must present the departmental budget as a corporate cost center to the Chief Financial Officer (CFO) and the
corporate budget department after the Audit Committee has approved it.

The annual departmental budget covers all facets of the department's expenditures for the following calendar
year. This budget includes the number of personnel, salaries, salary raises, supplies, conferences, travel,
employment fees, benefits, and several other expenses. Once the budget is developed and approved, it
becomes difficult to substantially change the direction of the department when additional costs will be
incurred. However if circumstances warrant a scope change, discussions with the audit committee should be
scheduled.

ii. Annual Audit Plan


An annual audit plan is primarily developed from the three-year plan and becomes a determinant in preparing
the department budget. The annual audit plan is principally a summary of the next two applicable six-month
periods of the three-year plan. The annual plan is used to support the manpower and travel expense estimates
used in the annual budget.

d. Six-Month Audit Plan


Most audit departments prepare an annual audit plan. Our example is broken down into six-month modules to
provide for synchronization with external auditors (if applicable). Most external auditors plan for the next
annual audit in the spring (assuming a calendar year end). This plan may inhibit coordination if the internal
audit plan is fixed for the calendar year. Therefore, the internal audit plan is projected for the year, but fixed in
six-month modules to provide for some flexibility in the second half of the year. This flexibility is also
desirable in order to be able to plan audits consistent with changes in the company's direction.

e. Three-Month Audit Schedule


The six-month plan is used to develop the department schedule for the next three months. The schedules are
required to be in place at the beginning of each three-month period. Nevertheless, it is desirable that they be
prepared at least 15 days before the beginning of the period.

f. Two-Month Staff Schedule


For the purpose of providing as much advance notice of pending audits as possible, a Corporate Audit Staff 
Schedule form is completed two months in advance for distribution. The form is designed by listing staff 
along the left side of the form and days of the month across the top. Assignments are written for each staff 
member across this matrix. The schedule allows the staff to plan the beginning of audits and project travel
assignments for personnel purposes.

Although the best intentions and forethought go into developing the Corporate Audit staff schedule, not all
circumstances can be anticipated. Auditees may require or request different time periods for their audit than
those scheduled. Management may request an audit not previously scheduled or change the timing of others. It
means that auditors must remain flexible.

When scheduling changes affect your plans, it may be possible to make other arrangements. Contact the
Internal Audit Manager to see what can be worked out.

[1] September 2000 issue, "Best Practices for Audit Efficiency." Found at www.aicpa.org/pubs/jofa/sep2000/dennis.htm.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 6.2 REV NO: DATE:
TITLE: Internal Controls PAGES:

6.2 Internal Controls


Evaluating internal controls is such a significant part of Audit Planning that a separate chapter has been
devoted to the subject. Chapter 3 provides more information that is relevant to audit planning.
SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 6.3 REV NO: DATE:
TITLE: Materiality PAGES:

6.3 Materiality
A significant function of auditing is to express an opinion regarding the fair representation of financial
statements and the adequacy of the system of internal controls or other audited areas. In forming this opinion,
 judgment must be exercised involving the materiality of exceptions to mathematical accuracy, auditing
procedures, compliance with Generally Accepted Accounting Principles (GAAP) and consistency in the
application of those principles.

In their pronouncements, the American Institute of Certified Public Accountants (AICPA), the Securities and
Exchange Commission (SEC), and Financial Accounting Standards Board (FASB) stress materiality.
Bulletins of committees of the AICPA relating to accounting and auditing procedure remind readers that they
apply only to "items material and significant in the relative circumstances" and that "items of little or no
consequence may be dealt with as expediency may suggest." Regulations of the SEC require that the
accountant express an opinion as to "any material differences between the accounting principles and practices
reflected in the financial statements and those reflected in the accounts."

How is the auditor to determine what is material, significant, or of consequence? The courts and the SEC have
furnished a few guidelines, including:

A. Where a misrepresentation would be likely to affect the conduct of a reasonable man with reference to
a transaction with another person, the misrepresentation is material (Restatement of the Law of 
Contracts).
B. A material fact . . . (is) a fact which if it had been correctly stated or disclosed would have deterred or
tended to deter the average prudent investor from purchasing the securities in question (Securities and
Exchange Commission. In Matter of Howard et al., 1 SEC 6).
C. The term "material," when used to qualify a requirement for the furnishing of information as to any
subject, limits the information required to those matters as to which an average prudent investor ought
reasonably to be informed before purchasing the security registered (Securities and Exchange
Commission. Regulation C, Rule 405, of Securities Act Regulations).
D. The U.S. Supreme Court held that a fact is material if there is "a substantial likelihood that the . . . fact
would have been viewed by the reasonable investor as having significantly altered the 'total mix' of 
information made available" (Basic, Inc. v. Levinson, 485 U.S. 224, 1988).

The FASB defined "materiality" in Financial Accounting Concepts Statement No. 2, Qualitative
Characteristics of Accounting Information: "The magnitude of an omission or misstatement of accounting
information that, in the light of surrounding circumstances, makes it probable that the judgment of a
reasonable person relying on the information would have been changed or influenced by the omission or
misstatement." As a response to some concerns raised by Chairman Levitt, the SEC issued Staff Accounting
Bulletin (SAB) No. 99 in August 1999. The Bulletin contends that FASB's definition is similar to the
interpretation of materiality upheld by the courts under federal securities laws. [2]

From these definitions, we may conclude that materiality depends on surrounding circumstances, the setting
in which the item appears, and the setting in which it will be used. If the probable effects of the
item—whether through omission or commission—would be to give rise to misleading inferences by the
person or class of persons whom it will logically reach, it is material, significant, consequential, and
important. For this purpose, these four words are practically synonymous, although some make a distinction
between material and significant, attaching material primarily to a dollar amount.

Clearly, there are degrees of materiality and, as a consequence, there will be borderline cases. These will
require all the good judgment that the auditor can summon. Standards that would guide an auditor in
determining whether or not a deviation would require correction, disclosure, or qualification of an opinion
would be of immense help to auditors.

Research shows that the assessment of materiality differs among individual accountants and among public
accounting firms and that it varies with the size and geographical location of the practice. In arriving at these
decisions, the auditor should keep these matters in mind:

• Relative size of the item. Failure to disclose a liability of $5,000 in the balance sheet of an enterprise
with net assets of $40,000 would result in a material misstatement. In a balance sheet showing net
assets of $3 million, it would ordinarily not be material.
• Absolute size of the item. In spite of the importance of relativity, size alone may be important. Many
accountants would consider a large amount important, even though it is only 3 to 4% of net assets, or
3 to 4% of net income before taxes.
• The nature of disclosure. The fact that a company has pledged its accounts receivable as security for
a loan is significant because it discloses that the company is using a comparatively expensive form of 
financing and is therefore a material fact—even though the amount may not be material in relation to
the working capital.
• Use to be made of the report. If it is known that the report will be used for the sale of stock or for
obtaining long- or short-term credit, the effect the item might have on purchasers or long- or
short-term creditors would be considered.

• Evidence of a desire to mislead. The existence of an incentive for error would be considered. An
accidental error would have less significance than a deliberate departure from accepted procedure.
• Favorable or unfavorable effect of adjustment or disclosure. Unfavorable ones are usually given
more weight.
• Stability of income. If net pre-tax income fluctuates widely, unusual items are more important.
• Effect of future earnings. Items whose effect will continue into the future are more important than
those with only current significance.

Materiality may determine not only the need for exception or disclosure but also the extent of the audit work 
necessary to sustain an informed opinion. Inventories of a manufacturing company are of greater relative
importance than those of a personal service organization, not only in size and amount but also because of the
greater number of ways in which they may be improperly handled, both physically and in the records. Where
accounts receivable consist of relatively few, but large, balances, the percentage of accounts confirmed should
normally be much higher than if they comprise a large number of small balances, even though the total may
be the same.

In summary, sound judgment is required in determining what is or is not material. No definition of materiality
need deter you from recommending adjustments of errors or omissions on the books or financial statements.
Auditees, as mentioned earlier, generally wish to have errors or deficiencies corrected.

[2] C.T. Grant, C.M. Depree Jr., and G.H. Grant, "Earnings Management and the Abuse of Materiality," Journal of Accountancy, September 2000, pp. 41–43.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 6.4 REV NO: DATE:
TITLE: Types of Audits PAGES:

6.4 Types of Audits


The following descriptions are of the audit types performed by the Internal Audit Department. The majority of 
audits performed by the department are financial, operational (managerial), and information systems. (For a
discussion of control self assessment (CSA) or self audits, see Section 4.1(e).) The type of audit performed on
a particular auditable unit can be any combination of the types described below. The type of audit to be
performed is determined in the initial planning process.

a. High-Level Review of Procedures


A high-level review is a special type of review that measures general compliance with key corporate policies
and with sound business practices. The objectives of this review are to provide the auditor with an
understanding of an operation and to determine the nature of detailed testing that may be needed in certain
areas.

Procedures for this review follow the general guidelines for external auditors, as specified in Statement on
Auditing Standards (SAS) No. 36: Review of Interim Financial Information. These procedures consist
primarily of inquiries and analytical review concerning significant accounting matters related to financial
information being reviewed. Additionally, the internal auditor should obtain an understanding of the entity's
systems of accounting and internal controls.

Our high-level review includes other tests outlined in greater detail than in SAS No. 36. Compliance and some
substantive tests are to be performed over certain areas of an entity; including cash, accounts receivable,
credit, travel and expense, brand sales, product costing, marketing variable, fixed assets, debts, and inventory.

b. Financial Audit
A financial audit is a study of the current financial position of an operation to evaluate the fair presentation of 
the financial position as reported on the balance sheet, income statement, and the statement of cash flows. Full
financial audits of significant company operations and subsidiaries are typically performed by external,
independent auditors. In some cases, however, full financial audits may be performed by Sam Pole's internal
auditors.

The primary reason for a financial audit is to assure parties relying on financial statements that the data are
presented fairly in accordance with GAAP. A financial audit would be appropriate before tax reporting,
expansion ventures, mergers, acquisitions, disposal, economy fluctuations, and periodic presentations of 
financial position.

The approach to a financial audit would be governed by the purpose of the audit. If current liquidity were of 
prime importance, collectibility of trade receivables, short-term investments, turnover of inventory, and
liquidation of accounts payable would be considered. If expansion or acquisition were of prime importance,
both long- and short-term debt would be considered. If economic fluctuations called for entrenchment, then
purchasing practices, inventory stockpiling, overhead reductions, and other operating costs would be
considered. Regardless of the purpose of the audit, financial controls would always be of prime consideration
in evaluating audit risk.
In all financial audits, the general ledger, general and specific journals, voucher registers, bank reconciliation,
and account analyses would be reviewed. These records would tell the auditor where the operation's assets
were utilized and why. Depending on the purpose of the audit, a review of the following reports would be
considered:

• Accounts Receivable Aging
• Accounts Payable Aging
• Inventory Aging
• Discount Income versus Discount Expense
• Physical Inventory Reconciliations
• Inventory/Receivable Turnover Ratios
• Variance Analyses
• Standard Cost Revisions
• Transportation Costs
• Capital Expenditures versus Return on Investments
• Purchasing Cost Savings

These records and reports would tell the auditor where the operation was, where it is, and how it got there.
They would highlight efficiencies and inefficiencies in vital areas such as credit and collections, inventory
control, production scheduling, capital investments, and purchasing coordination.

Given all the above factors, the audit plan would then be devised, giving consideration to:

• Objective of the audit
• Time requirements
• Staff requirements
• Starting and concluding dates
• Auditor assignments

c. Operational/Managerial Audit
An operational audit can be defined as an extension of a financial audit. A financial audit tells where the entity
was and where it is; an operational audit tends to answer the questions why the entity is where it is and how it
got there. In this sense, the operational audit falls into the category of a management service by evaluating the
four functions of management: (1) planning, (2) organizing, (3) directing, and (4) controlling. The operational
audit can be broken down further as a functional review; for example, Purchasing as a department versus the
overall Procurement operation in coordination with production scheduling and market forecasting. There are
several reasons for performing an operational audit: adverse compliance with policies and procedures,
excessive customer returns, equipment down time, variances, proposed product changes, theft, or personnel
turnover. The timeliness of an operational audit is determined by the reason for the audit and the areas to be
audited.

To formulate the approach to an operational audit, an auditor must first establish the scope. This step
determines the extent of the audit. The next step is to become familiar with an auditee's operation, its purpose
in the total structure of the entity, its history, its staff, and its reporting path. The reporting path is of prime
importance because this path is the communication route along which audit results and conclusions will flow.
The auditor should advise the location's management in advance of a planned visit so that suitable working
and living accommodations may be arranged.

The prime records to be obtained in an operational audit are the organizational chart of the function/operation,
applicable policy guides, and procedures directives. These will outline each employee's responsibility and
authority. The function's/operation's performance reports for at least one year prior to the audit should be
reviewed to determine trends that have developed over the past year. These records and reports could indicate
such trouble areas as segregation of duties, imbalance in reporting path, over- or under-staffing,
noncompliance with corporate policies and procedures, weaknesses in internal controls, or inadequate job
rotations. These indications could aid the auditor in determining priorities as to depth of investigation and
areas of potential improvement. Reports must be informative and timely, and directed to the proper levels of
management.

d. Compliance Audit
A compliance audit involves two different, though closely related, types of issues:

1. The nature and scope of the transaction against which the compliance is to be ascertained
2. The degree to which it is practicable, or even desirable, to determine the compliance
Therefore, a compliance audit can be defined as a rerun of a given task over a prescribed course that is
monitored by various checkpoints to reach a desired conclusion.

Reasons for a compliance audit can vary with the size and complexity of the organization, type of product,
market involvement, quantity and locations of sites or levels of standardization. A compliance audit may be
performed due to a recent history of excess customer returns, unusual buildup of inventory, increase in scrap,
increase in bad debt write-offs, proposed realignment of responsibilities, manpower turnover, or a routine
review of procedures.

e. Contract Audit
A contract audit is defined as the review and evaluation of a contract (terms, conditions, etc.) and its related
financial transactions. The terms construction and contracts are sometimes used interchangeably in the audit
profession because a construction project requires a contract. Contracts, however, cover a wide range of areas
such as repairs, maintenance, rentals, and consulting.

Contract audit objectives are segregated into:

Corporate Audit Objectives:

• Assess the adequacy of internal accounting control systems and operating procedures.
• Monitor compliance with corporate policies and procedures, contractual provisions, budgetary
guidelines, and operating safeguards and controls.
• Highlight problem/opportunity areas and make appropriate recommendations to management for the
development of new operating and control procedures.

Contract Audit Objectives:

• The contract specifically includes the right-to-audit clause.
• Controls exist to assure that construction or other costs, which are billed by the contractor, are in
accordance with the terms of the contract.
• Contractor controls and procedures are adequate to assure that the billed costs are proper and
reasonable.
• Controls exist to assure that other charges to the project are proper and reasonable.

Contract audits are appropriate on a continuing basis when:

• Contracts are issued for significant amounts.
• Actual expenditures exceed budget.
• Control weaknesses are noted during a financial audit.
• A unit experiences management turnover.
• Integrity of personnel is questioned.
• A request is received from management (corporate or unit).

The approach to a contract audit includes the following steps:

1. Review the contract to determine that it is in accordance with established company policies (e.g.,
competitive bidding).
2. Document and evaluate the system of internal control.
3. Review pertinent data (project expenditures) to determine test criteria.
4. Perform a review to ascertain that all expenditures (included in test) are accurate, properly supported,
and in agreement with terms and conditions of contract.
5. If considered necessary, visit the contractor's office and review records to determine that charges to
the company are proper.

Ongoing contract audits require the preparation of periodic interim reports to management advising on
situations encountered so that prompt corrective action can be taken. A formal report is also required on
completion of an assignment, and status reports to audit management should also be issued from time to time.

f. Desk Review
In a desk review, the internal auditor will obtain a package of financial and other documentary information
from the auditee and perform limited procedures. In most cases, all procedures will be performed from
corporate offices and not at the auditee location.

Several benefits result from frequent desk reviews. First, the internal auditor can determine if the auditee is
currently in compliance with previous recommendations. Second, internal auditors can expand the coverage of 
their audits to nearly the entire organization without making trips to every location. A related benefit is
reduced travel time and travel expenses. Finally, the desk review is ideal for training new internal auditors,
allowing them to gain an understanding of an entity's operations prior to doing a field audit.

A desk review can be combined with a control self-assessment review; see Chapter 4.1(e).

g. Follow-Up Audits
Follow-up audits are performed 6 to 12 months after a major audit has been completed, to ensure that
previously accepted audit recommendations have been effectively implemented. These audits are typically
performed if the audit identified significant conditions.

h. Information Systems Audits [3]
Information systems (IS), or electronic data processing (EDP), audits are the examination of significant
aspects of the IS environment. The company may have several different IS environments, such as: mainframe,
mini-computer, microcomputer (PCs), local area networks (LANs), wide area networks (WANs), electronic
data interchange (EDI), and Internet hosts (servers, electronic commerce).

The nature of business systems changed dramatically in the 1990s. More and more businesses went to
real-time, online systems. The Internet expanded into the World Wide Web (WWW, web) where a geometric
growth of pure digital business transactions has occurred (i.e., electronic commerce). In general, more
accounting functions are computerized and more business transactions are now entirely in digital form.
Therefore, IS audits are becoming increasingly more important for data integrity, system availability, and
security. For those businesses that have some or all of their business transactions embedded within IS, the
availability of the system has become critical to the success of the firm. Even for external audits, the "white
box" technique [4] of financial audits is becoming more necessary and will become more and more common.

The internal auditor should have identified audit units for each of the IS environments above applicable to the
firm. The COSO model is an excellent way of identifying such units. Using both COSO and other sources, the
following is a list of major audit units to be considered for each environment, although it is not
comprehensive:

• System Control Activities: General Controls Review. Review of general control units such as
organizational structure policies and controls related to all information systems or technologies. This
review could be done in conjunction with other audits (i.e., integrated approach). An examination of
general controls might include units such as:
  ♦ Access Security
    ◊ "Top Secret," RAC-F, ACF-2
  ♦ System Availability/Continuity of Operations
  ♦ Documentation Standards
  ♦ Program Development and Change Control
    ◊ Program change control—"PanValet"
  ♦ Disaster Recovery/Business Recovery
• System Control Activities: Application Controls Review. Application controls are embedded in the
code. Hopefully, internal auditors (such as CIAs or Certified Information Systems Auditors, or
CISAs) provided guidance in developing the controls as each application was being produced.
Basically, auditors will examine software systems' controls for processing applications such as:
  ♦ Revenue cycle programs (e.g., accounts receivable, sales)
  ♦ Expenditure cycle programs (e.g., accounts payable, purchases)
  ♦ Payroll cycle programs
  ♦ Inventory cycle programs
  ♦ General ledger
  ♦ All other financial applications
• Physical Control Activities. An examination of various physical controls. They include controls such
as:
  ♦ Transaction authorization
  ♦ Segregation of duties
  ♦ Compensating controls (often necessary in IS environments)
  ♦ Accounting records (especially audit trails)
  ♦ Independent verification (management's assessment of individuals, integrity of the Accounting
Information System (AIS), and integrity of the data in the records)
• Detailed Examination of Operating System. Audit specific to the MVS operating system, AS/400, Unix,
Linux, Novell, Windows, etc. The audit should have at least these objectives for the operating system:
  ♦ Protect itself from users
  ♦ Protect users from each other
  ♦ Protect users from themselves
  ♦ Be protected from itself
  ♦ Be protected from its environment

i. General Controls: Disaster Recovery Review

A Disaster Recovery Plan (DRP) is a comprehensive statement of all actions to be taken before, during, and
after a disaster, along with documented, tested procedures that will ensure the continuity of operations. [5] The
DRP starts with a written plan that also identifies the procedures for restoring operations with the DRP
elements. The procedures should rank critical applications for the restoring process so as to minimize the loss
of critical transactions during the down time. The plan also identifies the DRP team. Every organization needs
an appropriate DRP. A review of the DRP includes at least the following items:

• Backup Site. An offsite facility equipped to restore operations (e.g., hot sites, such as a recovery
operations center; cold sites, with equipment backup separate; and a mutual-aid pact).
• Backup Data. An offsite receptacle for archived data, stored frequently and timely (e.g., online data
vaulting and data sets such as tapes, disk packs, etc., stored in a fireproof vault). This process
should have been tested for reliability.
• Backup Software. Backup copies of all relevant software and applications. These should be stored
offsite at the site backup or with the data backup.
• Backup Resources. Items such as paper supplies (e.g., continuous forms for printing invoices or
checks) and other supplies necessary for systems to function. These items should be stored at or near
the backup site.
• Backup Documentation. Any manuals or documentation that are necessary for operations. Again,
stored at or near the backup site.
• Backup Team. The identification of the DRP team, with responsibilities for each member having
been described in the written DRP. All of the DRP recovery processes should be made the
responsibility of various team members with overlap or backups for personnel in case of the greatest
tragedy—the death of a DRP team member.
• Critical Applications. A ranking of all applications to be restored. The ranking provides a way to
prioritize DRP recovery processes.
• Tested. Has the plan been tested in a realistic manner?

ii. Applications Controls Review: Further Guidance

Application controls can be tested and examined using the system model: input controls, processing controls,
and output controls.

A. Input Controls. Input controls would focus on maintaining the integrity of data entry and assertions
such as completeness and existence (occurrence). They are designed to ensure that the transactions
that bring data into the system are valid, accurate, and complete. Data input procedures can be either
source document-triggered (batch) or direct input (real-time). Source document input requires human
involvement and is prone to clerical errors. Direct input employs real-time editing techniques to
identify and correct errors immediately. The following is a list of some input control areas for which
to plan and investigate:

  ♦ Source document controls
  ♦ Data coding controls
  ♦ Batch controls (where applicable)
  ♦ Validation controls (e.g., field characteristics)
  ♦ Input error correction controls
B. Processing Controls. Processing controls are the most important and most difficult because they
involve the computer processing steps inside the system. Applications and systems need expert design
features to have adequate processing controls, which can be provided by CIAs, CISAs, or other
qualified auditors. The following is a list of some processing control areas for which to plan and
investigate:

  ♦ Run-to-run controls (during posting, etc.)
  ♦ Operator intervention controls (i.e., minimize human intervention, build audit trails when they
do)
  ♦ Audit trail controls (building an adequate digital audit trail of internal processing activities)
  ♦ Logic testing (formulas, etc.)
The latter area is a real key to most systems and is extremely valuable for reviews of new or significantly
revised applications. In order to conduct a white-box-type IS audit, an in-depth understanding of the internal
logic of the application being tested is imperative. There are several techniques for testing logic directly.
These approaches use small numbers of specially and expertly crafted test transactions used to verify aspects
of the application's logic and controls. With known variables and calculated results, auditors can then conduct
precise tests, obtain computerized results, and compare them against the objective set. The following list is
indicative of the types of tests that could be run to test application logic:

• Authenticity Tests. Verify that an individual, a programmed procedure, or a message attempting to
access a system is authentic.
• Accuracy Tests. Ensure that the system processes only data values that conform to specified
tolerances.
• Completeness Tests. Identify missing data within a single record and entire records missing from a
batch or file.
• Redundancy Tests. Determine that an application processes each record only once.
• Access Tests. Ensure that the application prevents authorized users from unauthorized access to data.
• Audit Trail Tests. Ensure that the application creates an adequate audit trail. This test should verify
that the system produces complete transaction listings, and generates error files and reports for all
exceptions.
• Rounding Error Tests. Verify the correctness of rounding procedures. Failure to properly account for
this rounding difference can result in an imbalance between the total (control) interest amount and the
sum of the individual interest calculations for each account. Rounding problems are particularly
susceptible to so-called salami slicing, a criminal technique that tends to affect a large number of
victims, but the harm to each is immaterial. Each victim only sees one of the small pieces and is
usually unaware of being defrauded. Operating system audit trails and audit software (i.e., GAS) can
detect excessive or unusual file activity. In the case of the salami fraud, there would be thousands of
entries into the computer criminal's personal account that may be detected using generalized audit
software (GAS) or computer-aided auditing tools (CAATs).
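The following Python test deck is an added example, not from the manual or any audit software; it applies the "known variables, calculated results" approach to the rounding-error test above: it recomputes each account's monthly interest independently, compares it with what the application posted, checks the control total, and flags any account that collects an unusual number of one-cent credits. All account numbers, balances, rates, postings and the detection threshold are constructed sample values, and half-up rounding to the cent is assumed as the documented rule.

```python
"""Rounding-error and salami-slicing tests over a constructed interest run.

Added example, not from the manual. The auditor recomputes each account's
monthly interest from known inputs, compares it with what the application
posted, checks the control total, and looks for the many-tiny-credits-into-
one-account pattern. Every account, balance, rate and posting is constructed.
"""
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed posting file: one line per interest credit the application made.
# ACC-001, ACC-003 and ACC-005 were each posted one cent short; ACC-999 (the
# constructed "collector" account) received three one-cent credits with no
# balance to earn them.
POSTINGS = [
    {"account": "ACC-001", "principal": "10000.00", "rate": "0.05", "posted": "41.66"},
    {"account": "ACC-002", "principal": "2500.00", "rate": "0.03", "posted": "6.25"},
    {"account": "ACC-003", "principal": "123.45", "rate": "0.04", "posted": "0.40"},
    {"account": "ACC-004", "principal": "9999.99", "rate": "0.06", "posted": "50.00"},
    {"account": "ACC-005", "principal": "500.00", "rate": "0.025", "posted": "1.03"},
    {"account": "ACC-999", "principal": "0.00", "rate": "0.00", "posted": "0.01"},
    {"account": "ACC-999", "principal": "0.00", "rate": "0.00", "posted": "0.01"},
    {"account": "ACC-999", "principal": "0.00", "rate": "0.00", "posted": "0.01"},
]


def expected_interest(principal, annual_rate):
    """Auditor's independent recomputation: one month of simple interest,
    rounded half-up to the cent (the rounding rule assumed for this example)."""
    exact = Decimal(principal) * Decimal(annual_rate) / Decimal(12)
    return exact.quantize(CENT, rounding=ROUND_HALF_UP)


def control_total_test(postings):
    """Compare the control (total) interest amount with the sum of the
    individual postings. Returns (expected_total, posted_total, difference)."""
    expected = sum((expected_interest(p["principal"], p["rate"]) for p in postings), Decimal("0.00"))
    posted = sum((Decimal(p["posted"]) for p in postings), Decimal("0.00"))
    return expected, posted, posted - expected


def recompute_test(postings):
    """Known variables, calculated results: compare every posting with the
    recomputed amount. Returns (account, expected, posted, difference) per mismatch."""
    findings = []
    for p in postings:
        exp = expected_interest(p["principal"], p["rate"])
        got = Decimal(p["posted"])
        if got != exp:
            findings.append((p["account"], exp, got, got - exp))
    return findings


def salami_test(postings, small=CENT, min_hits=3):
    """Flag accounts that receive an unusual count of credits no larger than
    `small`. min_hits is a constructed threshold; a real run would derive it
    from the population's normal activity (GAS/CAATs file-activity analysis)."""
    hits = defaultdict(int)
    for p in postings:
        amount = Decimal(p["posted"])
        if Decimal("0") < amount <= small:
            hits[p["account"]] += 1
    return sorted(acct for acct, n in hits.items() if n >= min_hits)


def run_audit(postings):
    """Run the three tests and return a summary the workpapers can record."""
    expected, posted, diff = control_total_test(postings)
    return {
        "control_total_balances": diff == 0,
        "discrepancies": recompute_test(postings),
        "suspect_accounts": salami_test(postings),
    }


if __name__ == "__main__":
    result = run_audit(POSTINGS)
    print("control total balances:", result["control_total_balances"])
    for acct, exp, got, diff in result["discrepancies"]:
        print(f"{acct}: expected {exp}, posted {got}, difference {diff:+.2f}")
    print("suspect accounts:", result["suspect_accounts"])
```

In this constructed run the control total balances (99.37 both ways) even though six postings are wrong, which is exactly why a control-total test alone is not sufficient and the per-account recomputation and the activity count are needed.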

C. Output Controls. Lastly, internal auditors should plan for an examination of output controls. Output
controls are intended to ensure that system output is not lost, misdirected, or corrupted, and that
privacy is not violated. The type of processing method in use influences the choice of controls
employed to protect system output. Batch systems are more susceptible to exposure and require a
greater degree of control than real-time systems. These controls are much easier to audit than
processing or input controls. The following is a list of some output control areas for which to plan and
investigate:

  ♦ Batch systems output controls
  ♦ Output spooling controls (print spooler)
  ♦ Print program controls
  ♦ Bursting controls (if applicable)
  ♦ Waste controls
  ♦ Data control group control
  ♦ Report distribution controls
  ♦ End user controls
  ♦ Real-time systems output controls

Another key element to IS audits is the use of computer-assisted audit tools and techniques (CAATTs). The
internal auditor should make an assessment of applicable tools and techniques for the specific unit and audit
objectives. The following is a list of possible tools and techniques, but is not fully inclusive:

• Generalized audit software (GAS)
• Embedded audit modules (EAM)
• Generalized data input systems (GDIS)

i. E-Commerce Audits
Electronic commerce (e-commerce) has some special considerations beyond those identified in the IS audits
section because the IS audit is typically conducted on the "back office" system. E-commerce is the "front end"
system. The audit of e-commerce will focus on controls, access, security, and availability. The higher risks in
e-commerce at the present are viruses, hackers and crackers, and activities intended to crash the system. Some
CAATs provide auditors the ability to probe for weaknesses—to play the devil's advocate on their own
systems (e.g., SAINT). These tools are extremely beneficial in doing e-commerce audits. A review should
include the following applicable units or areas, although this list is not exhaustive:

• Unauthorized access [6]
• Firewalls [7]
• Intrusion detection
• Data encryption [8]
• Transaction and access logs
• Challenge-response activities
• Authentication methods [9]
• E-commerce protocols [10]
• Non-repudiation controls
• System availability, fail-safe controls
• Anti-virus protection

j. International Audits
An international audit is a full-scope audit of a particular division or subsidiary. These are performed on a
regular basis or on request. The scope of this type of audit includes a financial section, an operational section,
an IS section, and a section addressing the unique characteristics of the location's customs and duties and
governmental affairs. Depending on staff levels, distance and capabilities, international audits may be a good
candidate for outsourcing.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 6.5    REV NO:    DATE:
TITLE: Time Reporting    PAGES:

6.5 Time Reporting


Planning and budgeting are important procedures that should be performed as integral elements of every audit.
Time records aid these functions because they provide cumulative data regarding the actual time spent
accomplishing specific assignments on previous or similar engagements. As a result, the senior auditor can
use this data, along with an evaluation of the procedures to be performed and the capabilities of the applicable
personnel in order to better estimate (budget) the time required for the current audit.

Other benefits of time reporting are:

• Providing the quantitative support necessary at the staff level. Accurate budgeting of all audit
activities throughout the year will summarize into a viable total from which to determine the number
of auditors required.
• Adding to job control. Prompt time reporting enables the in-charge manager to effectively analyze
how much time has been spent, how matters stand against the budget, and how much further time is
required for completion.
• Supporting productivity. Time reporting provides the ability to monitor actual time spent on audits
versus administrative and other lost productive time.

The following discussion is an explanation of a basic time reporting form as well as a listing of basic reports.
Each audit assignment should be given a number indicating the year and the audit number—beginning with
001, followed by 002, etc. Task and audit type codes should be added as described below.

a. Form: Corporate Audit Time Report


A form is to be completed semimonthly and approved by the senior, supervising senior, or manager. A sample
of this form is provided at the end of this section (Exhibit 6.4).

To use the Corporate Audit Time Summary:

1. Complete the form in detail. Be neat.
2. Account for eight hours per day and 40 hours per week.
3. Corporate Audit time reports are due semimonthly.
4. Record time accurately to within the half hour.

b. Report for the Period Ending


The form is designed to be used for either the first through the fifteenth, or the sixteenth through the
thirty-first of the month.
c. Auditor's Name/Employee Number
The auditor to whom the time report pertains should sign the time report. Each auditor should have been
assigned an employee number for time reporting purposes.

d. Job Number
Each assignment will have a specific job number. Job numbers assist in the identification and accumulation of 
time reported by several individuals on various jobs. If you are asked to perform a task, obtain the appropriate
 job number from your supervisor or get the number from the planning memo in the administrative binder for
that job.

e. Audit Codes
Audit codes relate to the type of audit. A listing of these and task codes follows. (See Exhibit 6.3.)

Exhibit 6.3: Time System Codes: Audit Type Codes and Task Codes

Audit Type Codes

01 High-Level Review                      05 Contract Audit
02 Financial Audit                        06 Other Audit
03 Operational Audit
04 IS Audit                               99 Non-audit
[a] Details to be listed on back of time report.

Task Type Codes

01 Planning/Planning Memo                 40 Pre-implementation System Review
02 Audit Program/ICEG Development         41 Post-implementation System Review
03 Technical Research                     42 Systems—Operational
04 Supervision                            50 Contract Review
05 Review Workpapers                      51 Contract Procedures/Controls
06 Write Reports/Memos                    52 Contract Billing
07 General                                53 Investigation
08 Cash                                   54 Benefit Plans
09 A/R Confirmation                       55 Projects[a]
10 Inventories/Physical Observation       60 Quality Control
11 Supplies Inventory                     61 Performance Evaluation
12 Inventories—G/L                        62 Orientation
13 Other Assets                           63 Scheduling
14 Liabilities                            64 Interviewing/Recruiting
15 Revenue/Expense                        65 Education and Training Administration
16 Payroll                                66 Administrative—Other[a]
17 Revenue System—Cycle                   70 Staff Training—Internal
18 Expenditures System—Cycle              71 Conferences/Seminars
19 Payroll System—Cycle                   72 Education Course—CPE
20 Production System—Cycle                73 Professional Organization
21 Auditee Conferences                    74 Self Study
22 Permanent Files                        75 Time Report Input
23 System Files                           80 Sick
24 Travel—Work Time                       81 Personal
25 Travel—Other                           82 Vacation
30 Data Center Review                     83 Holiday
31 Applications Review                    84 Compensation
32 Production/Maintenance                 90 Administrative—Department[a]
33 Computer Program Changes               91 Peer Review
34 Conversions                            92 Status Reports
35 IS Operating System                    99 Other
[a] Details to be listed on back of time report.

f. Task Codes
Task codes should be used to detail the specific work performed. A listing of these codes follows. (See
Exhibit 6.3.) Consult your supervisor or the job budget in the planning memo for the proper task code.

g. Hours
Only total hours for the semimonthly period need to be recorded in the "hours" column. The daily hours are
accumulated on the right side of the sheet. Hours should be reported to the half hour.

h. Productive Time
Record all time applicable to the job. This record includes time spent working at the job site, in the office at
night, in the motel, or at home. Think of reporting time as though you were going to bill your time to the
auditee. Remember, future projects will be understated if actual time spent on an audit is not recorded and
remains hidden. Record travel as work time only between the normal work hours of 8:00 A.M. and 5:00 P.M.,
or normal hours applicable to your organization. This travel time should be charged to the normal job number,
audit code, and task 24.

i. Nonproductive Time
Record travel time outside normal working hours of 8:00 A.M. to 5:00 P.M., Monday through Friday or after
a 40-hour week of flexible hours has been worked. An example is to assume you left the job at 4:00 P.M. after
you have spent seven hours on the audit at the job site. One hour should be recorded as productive time and
the remainder of the time spent traveling should be recorded as nonproductive.

Travel time is defined as the time required to commute to the airport, from departure airport to destination
airport, and the commute from destination airport to office, home, or motel. If you are traveling by
automobile, it is that time you leave the home, office, job site, etc., until you arrive at your destination. Travel
during non-work hours should be charged to the job number, audit code 99, and task 25.

Other nonproductive time—including vacation, holidays, sick leave, personal leave, training, and
seminars—has specific task codes that are self-explanatory. Time charged to the administrative category must
be explained on the back of the time report to avoid making it a catch-all task code. All nonproductive charges
go to job number 000, audit code 99, with the appropriate task.

"Administrative" is defined as work that is beneficial to all jobs, not just one. If an auditor is writing the report
for job number 01-010 in the office, it would be chargeable to job number 01-010. But, if the same person
were writing a policy statement that applies to office procedure and would affect the conduct of all jobs, then
the hours would be charged to administrative. One would normally expect very little staff time charged to the
administrative category. As a general rule, all staff time should be charged to a job. However, time spent
filling out time reports, expense reports, etc., should be considered administrative.
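As an added example (not from the manual or any time reporting application), the following Python helper applies the productive and nonproductive time rules from h. and i. above and generalizes the 4:00 P.M. illustration to any departure time, including travel that starts before 8:00 A.M. or falls on a weekend. The job number, audit code and on-site task code used in the usage are constructed, and recording after-hours travel (task 25) in addition to the eight-hour day is an assumption.

```python
"""Travel-time split and time-report coding under the Section 6.5 rules.

Added example, not from the manual. It generalizes the 4:00 P.M. illustration:
travel inside the normal workday (8:00 A.M. to 5:00 P.M.), and inside the eight
productive hours, goes to the job with task 24; the remainder goes to the same
job number, audit code 99, task 25. Job numbers and audit codes used below are
constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

WORKDAY_START = time(8, 0)
WORKDAY_END = time(17, 0)
PRODUCTIVE_DAY_HOURS = 8.0
NONPRODUCTIVE_JOB = "000"   # all nonproductive charges (vacation, sick, ...) go here
NONAUDIT_CODE = "99"        # audit type code 99: Non-audit
TASK_TRAVEL_WORK = "24"     # task 24: Travel—Work Time
TASK_TRAVEL_OTHER = "25"    # task 25: Travel—Other


@dataclass(frozen=True)
class TimeEntry:
    job: str
    audit_code: str
    task: str
    hours: float


def to_half_hour(hours):
    """Time is recorded to within the half hour."""
    return round(hours * 2) / 2


def split_travel(job, audit_code, depart, travel_hours, hours_worked_today, workday=True):
    """Split one travel leg starting at `depart` ("HH:MM") into productive and
    nonproductive entries. Weekend travel (workday=False) is all nonproductive."""
    anchor = date(2000, 1, 1)  # any date; only the clock times matter
    start = datetime.combine(anchor, time.fromisoformat(depart))
    end = start + timedelta(hours=travel_hours)
    productive = 0.0
    if workday:
        # Only the part of the trip that overlaps 8:00-17:00 can be productive,
        # and never more than what is left of the eight-hour day.
        win_start = max(start, datetime.combine(anchor, WORKDAY_START))
        win_end = min(end, datetime.combine(anchor, WORKDAY_END))
        in_workday = max((win_end - win_start).total_seconds() / 3600.0, 0.0)
        room_left = max(PRODUCTIVE_DAY_HOURS - hours_worked_today, 0.0)
        productive = to_half_hour(min(travel_hours, in_workday, room_left))
    nonproductive = to_half_hour(travel_hours - productive)
    entries = []
    if productive > 0:
        entries.append(TimeEntry(job, audit_code, TASK_TRAVEL_WORK, productive))
    if nonproductive > 0:
        entries.append(TimeEntry(job, NONAUDIT_CODE, TASK_TRAVEL_OTHER, nonproductive))
    return entries


def nonproductive_entry(task, hours):
    """Vacation, holiday, sick leave, etc.: job 000, audit code 99, plus the task."""
    return TimeEntry(NONPRODUCTIVE_JOB, NONAUDIT_CODE, task, to_half_hour(hours))


def check_day(entries):
    """Return rule violations for one day's entries: every entry in half-hour
    units, and eight hours accounted for. After-hours travel (task 25) is
    assumed here to be recorded on top of the eight-hour day."""
    problems = []
    for e in entries:
        if e.hours * 2 != int(e.hours * 2):
            problems.append(f"task {e.task}: {e.hours} h is not a half-hour multiple")
    accounted = sum(e.hours for e in entries if e.task != TASK_TRAVEL_OTHER)
    if accounted != PRODUCTIVE_DAY_HOURS:
        problems.append(f"day accounts for {accounted} h, not {PRODUCTIVE_DAY_HOURS}")
    return problems


if __name__ == "__main__":
    # The manual's own case: left the site at 4:00 P.M. after seven hours, with
    # three hours of travel home. Job 01-010, audit code 03 and task 15 are constructed.
    on_site = TimeEntry("01-010", "03", "15", 7.0)
    day = [on_site] + split_travel("01-010", "03", "16:00", 3.0, 7.0)
    for e in day:
        print(e)
    print("violations:", check_day(day))
```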

j. Summarizing Time
Each individual's time is entered into a time reporting application after it has been approved. Once all time
sheets are input, the data is compiled into various reports by the application. The following reports should be
considered:

• Report 10—Listing of employee names and numbers
• Report 20—Listing of job numbers and job names
• Report 30—Listing of audit numbers and names
• Report 40—Listing of task numbers and task names
• Report 50—Semimonthly input summarized by employee number within date
• Report 60—Listing of hours by job number, employee, and task
• Report 70—Listing of hours by employee, by job, and by task
• Report 80—Listing of hours by audit, by job, employee, and task
• Report 90—Listing of total audit and non-audit hours by employee
• Report 100—Listing of non-audit hours by employee, by task
• Report 110—Listing of budgeted versus actual hours by job, by task
• Report 120—Listing of budget to actual hours for all jobs

Exhibit 6.4: Sample Corporate Audit Time Summary Form

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 6.6    REV NO:    DATE:
TITLE: Expense Reporting    PAGES:

6.6 Expense Reporting


All approved expense reports should be submitted to the Audit Director. A copy should be retained for the
department's records. This process will provide a means for reconciling the monthly Departmental Budget
Progress Reports on a timely basis and will provide auditors with a record, if necessary.

a. Travel Expenses
General guidelines for travel arrangements and travel expenses:

• Airfare. Flight arrangements should be made through the travel department in accordance with
corporate policy.
• Lodging. Lodging arrangements are to be made through the travel department, but are first to be
approved by the manager level or above.
• Meals. Reasonable meal expenses will be reimbursed.
• Local Transportation. The decision of whether to lease a car or use cabs is to be discussed at the
manager level or above. Car rental is to be arranged through the travel department.
• Telephone. Non-excessive expenses for personal calls will be reimbursed. Personal calls, however,
should be limited to one per day.
• Advances. Expense advances are to be obtained through the accounting department and are to be
approved by the manager level or above.
• Expense Report Settlements. Individual auditors are responsible for settling their own expense
reports with the accounting department.
• Mileage. Mileage expenses will be reimbursed at the current rate acceptable by the Internal Revenue
Service.

This list serves as only a general guideline, and exceptions will occur; you will be asked, however, to explain
deviations. When in doubt, general company guidelines apply. Before leaving on a trip, any expected
exceptions must be discussed at the manager or director level.

Endnotes

1. September 2000 issue, "Best Practices for Audit Efficiency." Found at
www.aicpa.org/pubs/jofa/sep2000/dennis.htm.

2. C.T. Grant, C.M. Depree Jr., and G.H. Grant, "Earnings Management and the Abuse of Materiality,"
Journal of Accountancy, September 2000, pp. 41–43.

3. See Section 3.6 for more on IS audits. Some of the material in this section is from the following book:
James A. Hall, Information Systems Auditing and Assurance, South-Western College Publishing, 2000.

4. This term refers to the approach where the auditor audits through the computer system rather than around it
(i.e., black box).

5. James A. Hall, Information Systems Auditing and Assurance, South-Western College Publishing, 2000.

6. More than passwords, because secured access for e-commerce is usually multi-faceted. For example, a
firewall, intrusion detection system, and passwords combined for access control(s).

7. Overlaps with unauthorized access and system availability.

8. Online and offline: almost all credit card theft over the Internet has been from files on the system, not from
stealing them during transactions.

9. Digital signatures, digital certificates, call-back modems, multi-faceted access methods (e.g., a password
and a PIN generated via pager; an access ID and password, and another ID and password for access to
applications or data).

10. For example, SSL, SET, S-HTTP.


Chapter 7: Audit Performance

Overview

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 7.1    REV NO:    DATE:
TITLE: Corporate Audit Performance Process Matrix    PAGES:

7.1 Corporate Audit Performance Process Matrix


This chapter presents a number of audit tasks and documents that are necessary for effective audits. They also
are compatible with audit standards such as the Institute of Internal Auditors' (IIA's) Standards for the
Professional Practice of Internal Auditing. [1]

The audit process begins with the notification of the auditee and concludes with the performance evaluation of
each staff member on the project. The corporate audit performance matrix (Exhibit 7.1) summarizes the
activities contained within our sample audit process. This sample process places a heavy emphasis on
organization and implementation of all authorized department procedures. It is a structured program with a
great deal of attention to planning. The importance of structuring the audit process and following documented
department procedures cannot be overemphasized. It is through strict adherence to procedures performed by
competent staff that good audit reports will result.

Exhibit 7.1: Corporate Audit Performance Process Matrix

Columns: (1) Assignment Check List (Section 7.2); (2) Engagement Memo—Notice to Auditee; (3) Planning
Memo; (4) Status Memo; (5) Tentative Audit Recommendations Worksheet; (6) Audit Report Distribution
Worksheet.

PURPOSE
(1) Establish control over audit; assign number and log it.
(2) Announce audit.
(3) Establish audit objective, scope, and approach.
(4) Interim field audit report of significant findings/problems.
(5) Document significant findings.
(6) Track report preparation and issuance.

TIMING
(1) Begin two weeks before audit; complete one week after report is issued.
(2) Approximately four weeks before audit.
(3) Before or at beginning of audit.
(4) As required, based upon existing circumstances.
(5) Promptly upon audit disclosure.
(6) Upon completion of field work.

AUTHOR
(1) Senior. (2) I.A. Manager. (3) Senior. (4) Auditor. (5) Auditor. (6) Senior/Manager.

ADDRESSEE
(1) Workpapers. (2) Unit Head. (3) I.A. Manager. (4) Auditee. (5) Auditee. (6) Workpapers.

COPIES
(1) None. (2) Unit Controller, Manager, others. (3) Workpapers. (4) Workpapers. (5) Manager. (6) None.

CONTENTS
(1) Calendar of audit checkpoints.
(2) Audit entity or location, audit objectives, audit period start date, end date, request response detailed by
area, significant audit areas/audit approach (for staffing only).
(3) Audit objective, audit scope, timing, budget hours.
(4) Outline of significant audit developments, timing problems, need to alter objective or scope, high-level
budget/actual hours comparison.
(5) Findings documentation, status and disposition.
(6) Calendar of checkpoints; distribution of copies.
(A seventh column is cut off at the page edge; only fragments survive: "ID of a… transm… Audit highlig…
audited scope auditor conclu… detaile… comme… recom… (for m… only)".)

APPROVAL
(1) None. (2) None. (3) Manager. (4) None. (5) Senior Manager. (6) None.

The example included in this manual requires the audit team to formally notify the auditee and develop a
detailed audit plan and budget. The purpose of the detailed plan is to ensure that the objectives of the audit are
the most appropriate for the circumstances. Given the limitation of time for each audit, the scope and
objectives should be seriously considered not only by field staff auditors, but also by the audit management.
This process is institutionalized through the development of a proper audit planning document.

The budget will help guide the staff to put their time into the proper areas. It will also assist audit management
in explaining why audits have taken more or less time than originally planned. Budgets also help refine the
long-term planning process and provide improved credibility for the audit function. One must always keep in
mind that it is very difficult to measure audit productivity. With budgets in place, some of the management
and auditee doubts are mitigated.

a. Assignment Log and Checklist


At the commencement of an audit assignment, a number is given to the audit project. The number consists of
two digits for the year and a three-digit number designating the particular engagement.

One of the first steps in the audit performance process is to initiate an assignment checklist (see Exhibit 7.2).
The checklist is used as an overall control form and should be the first paper seen on the top of a workpaper
binder set. This checklist is a guide to ensure that all critical elements of the audit performance process are
completed.

Exhibit 7.2: Sam Pole Company Corporate Audit Department Assignment Checklist

Audit #01-nnn

Company: ______________________________________________

Location: ______________________________________________

Assignment: ___________________________________________

Date: _________________________________________________

                                                        Date
1. Notice to Auditee                                    ___/___/___
2. Planning Memo                                        ___/___/___
3. Field Work                                           ___/___/___
   • Preaudit Conference                                ___/___/___
   • Begun                                              ___/___/___
   • Status Memo                                        ___/___/___
   • Completed                                          ___/___/___
4. Closing Conference                                   ___/___/___
5. Senior Finalization of workpapers                    ___/___/___
6. Manager review (two days before outside deadlines)   ___/___/___
7. Audit Report draft                                   ___/___/___
8. Summary Memo                                         ___/___/___
9. Audit Report issued                                  ___/___/___
10. Performance Evaluations
    Name              Completed by        Date
    Supervising: __________________  ______________  ___/___/___
    In Charge:   __________________  ______________  ___/___/___
    Assistant:   __________________  ______________  ___/___/___

i. Audit Performance Process Log

In order to maintain control over all audit assignments, a log is kept by the department administrator. The log
consists of a column to the left indicating the year and audit number. These are followed by columns to the
right indicating the status of the audit and the beginning of the report initiation and completion process.

b. Description of Notice to Auditee


As discussed in Corporate Audit Performance Process Matrix in our example, we have opted to notify
auditees in advance of audits. In general, it is more appropriate to notify the auditee that an audit will take
place. This notification allows for a more orderly project. In some cases, this approach may not be
appropriate. For instance, petty cash counts are usually performed on a surprise basis.

Some audit departments do not notify auditees, because auditees could then improve or address areas that
may come under audit procedures. If the notice of audit provides the impetus for the auditee department to
improve, that result accomplishes the spirit of the audit mission. What follows in Exhibit 7.3 is a sample notice
to the auditee. The manual should contain a sample so that there is consistency within the audit function and
between all audits.

Exhibit 7.3: Sample Notice to Auditee


September 10, 200x

Mr. E.S. Jones


Sam Pole Company
2010 Main Street
Anytown, USA

Dear Mr. Jones:


In accordance with our audit plan, we have scheduled an audit during the period from September 1 through
September 9, 200x. It will be performed under the supervision of Mr. Justin Tyme, who will arrive in the
office on September 1st.

A full financial audit will be conducted, including the evaluation of internal controls and tests of transactions
supporting related account balances as well as verification of physical inventory valuations and circulation of 
customer accounts receivable balances.

Please contact me if you have any questions related to our visit or if you have areas of concern that you may
wish to have reviewed.

Very truly yours,

Newley A. Pointed
Audit Manager

c. Preliminary Survey
i. Purpose

The purpose of a preliminary survey is to

• Gain a basic understanding of the entity to be audited, especially related to risk assessment
• Begin the planning process

These purposes relate to Generally Accepted Auditing Standards and IIA Standards. The following standards
apply to the practical aspects of the audit planning process, including: adequate skills, competencies, and
knowledge; adequate resources; the underlying role of risk assessment; and the nature of the work.

• Attribute Standard No. 1210 (Proficiency). Internal auditors should possess the knowledge, skills,
and other competencies needed to perform their individual responsibilities. The internal audit activity
collectively should possess or obtain the knowledge, skills, and other competencies needed to perform
its responsibilities.

• Attribute Standard No. 1210.A1. The chief audit executive should obtain competent advice and 
assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to
 perform all or part of the engagement.

• Performance Standard No. 2010 (Planning). The chief audit executive should establish risk-based
plans to determine the priorities of the internal audit activity, consistent with the organization's goals.
(Note: Subsection A1 further states that a "risk assessment should be undertaken at least annually.")
• Performance Standard No. 2030 (Resource Management). The chief audit executive should ensure
that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the
approved plan.
• Performance Standard No. 2100 (Nature of Work). The internal audit activity evaluates and
contributes to the improvement of risk management, control and governance systems.

Auditors should obtain background information about the activities to be audited. This process is
accomplished by performing, as appropriate, an on-site survey to become familiar with the risks, activities,
and controls to be audited; to identify areas for audit emphasis; and to invite comments and suggestions. To
perform an audit in accordance with Generally Accepted Auditing Standards and the IIA's Standards, a properly
conducted preliminary survey is required.

ii. Progression of and Procedures for Preliminary Survey

Review the scope of the pending audit.

The comprehensiveness of the survey depends on the scope of audit. For example, if the audit is limited in
scope, then the survey will be limited. A memo should be prepared discussing:

• Purpose of the engagement


• Nature of the final report, if any
• Timing of the engagement
• Auditee contacts

Arrange a preliminary meeting with management.

The purposes of this meeting are to:

• Meet management and inform them of the objectives of the survey


• Arrange for working space
• Prepare preliminary time tables
• Gain the confidence of location management
• Gain an understanding of management's objectives
• Gain understanding of problems as perceived by local management
• Gain understanding to determine if a new risk assessment needs to be undertaken

Write a memo documenting the preliminary meeting with management. The following information should be
included in the memo:

• Time, date, and participation (who was there)


• Summary of topics discussed
• Potential problem areas noted
• Potential conflicts
• Office policies peculiar to that location

After a memo is prepared documenting the preliminary meeting with management, the fieldwork portion of 
the survey is ready to begin.

Complete preliminary survey field procedures.

The field survey procedures for a full scope audit are:


• Through interview, observation, and documentation, gain an understanding of the following
characteristics of the entity:


♦ Brief history of entity


♦ Size of entity
♦ Products produced

♦ Process flow
♦ Principal customers
♦ Principal supplies

♦ Current trends
The understanding should be documented in memorandum form. The purpose is to provide the reader with an
overall understanding of the entity as it relates to Sam Pole Company.

• Perform a cursory review of the accounting system by obtaining and preparing the appropriate
documents and memoranda:

♦ Obtain an organizational chart


♦ Determine the extent of information system (IS) and information technology (IT) usage
♦ Briefly describe the following systems. Note the volume of transactions and the apparent
control points and control weaknesses:

◊ Purchasing, accounts payable, and cash disbursements
◊ Order entry, sales, accounts receivable, and cash receipts
◊ Product inventory, aging and obsolescence review procedures
◊ Supply inventory system
◊ Cost accounting system
◊ Environmental accounting system (if applicable)
◊ Fixed assets and depreciation
◊ General ledger system

The following questions should be answered for each system:

• What is the job?


• Who does it?
• Why is it done?
• How is it done?

• Where is it done?
• When is it done?
• How is it monitored?
• How much does it cost?

Prepare a schedule of all significant books of original entry; for computer systems, schedule the master files
and transaction registers.

Prepare a schedule of primary management reports.

Overview systems flowcharts may be prepared for any of the accounting systems if they enhance the
understanding.

• In connection with the review of the accounting system, the following documents should be
identified, if available:

♦ Internal accounting procedures and practice manuals
♦ Governmental regulatory reports
♦ Prior audit reports, both internal and external
♦ Authoritative accounting publications related to the industry
♦ Industry standards

• Perform a risk analysis: Professional practice standards (see "Purpose") require the auditor to
exercise due professional care. Due professional care is not intended to mean that the auditor
is infallible or that extraordinary performance is to be expected. But it does require that
reasonable care be taken. In order to exercise due professional care, the auditor must be aware
of potential risks.
A risk can be defined as an exposure to loss or to less than the maximization of efficiency
resulting from the lack of internal controls.

Common risks include:

◊ Inadequate controls
◊ Inadequate planning and organizing
◊ Inadequate directing and controlling

Perhaps the easiest and most expedient means to detect common risks is a cursory internal
control review using standard internal control questionnaires. These questionnaires will
contain questions that point out unique risks for each system under review. An analysis of
answers to the forms will aid the auditor in determining: (1) if the nature of the weakness is
confined to a single system, and (2) if the nature of the weakness is pervasive throughout the
entire organization.

For example, if auditors note a lack of segregation of duties of cash, they should determine
whether it is unique to cash or pervasive throughout the whole system of internal control. If 
the weaknesses are pervasive throughout the whole system, then the problem would be one of 
inadequate planning and organizing. If the weaknesses are confined only to cash, then the
problem would be one of inadequate directing and controlling.

Collation of risks—To assess the effectiveness of internal controls, it is necessary to relate
risks to exposure, to controls, to planned audit effort, and then to the eventual results of the
audit procedures. A suggested format is to schedule the above on work-papers that will be
used during the actual performance of the audit.

Evaluation of risks—Evaluation of risks consists of the auditor's evaluation of the exposure
resulting from the lack of functioning of an internal control over the particular risk. It consists
of the auditor's answers to the question, "What is the maximum exposure to the corporation if
this particular internal control is not functioning effectively?" In answering the question, the
auditor must consider any compensating controls that may be in existence. To write an
effective audit plan, it will be necessary to identify, relate, and evaluate the risks.

d. Planning Memo
i. Purpose

The planning memo outlines the manner in which the department audit plan is to be implemented for a
specific audit, special assignment, or other activity. Planning represents an extremely important aspect of
auditing and is required by the IIA and the American Institute of Certified Public Accountants' (AICPA)
Statement on Auditing Standards of Field Work No. 1.

Before each assignment, a planning memo is required to establish coordination between internal audit staff
and management. This document will ensure that the objectives and scheduling of the audit are being
communicated and understood by all involved. Properly implemented, it ensures that the more experienced
auditors (management) consider scope and procedures prior to implementation.

ii. Objective

The planning memo serves several purposes; namely, to document audit objectives, auditee background
information, and financial highlights; to describe significant audit procedures, budgeted hours, engagement
timing and personnel assigned.
iii. Procedure

Planning memos are to be typed on interoffice stationery and addressed to the Director of Auditing. A copy is
also included in the workpapers.

The planning memo should be completed far enough in advance of an assignment for manager review and
approval. Prior to preparing the memo, the senior auditor, if circumstances warrant, may have to visit the audit
site to conduct a preliminary survey to obtain sufficient information to complete the planning memo. Only in
unusual circumstances will the planning memo be accepted after the audit has been started. If after the audit
begins, conditions change affecting the initial planning memo, an addendum should be written and forwarded
to the manager. The addendum should explain and document the reason for the changes, even if previous
approval has been obtained.

iv. Format

The format designed to be used consistently for a planning memo is shown in Exhibit 7.4. A brief explanation
for each section follows:

• Introduction—The first brief paragraph outlines what was stated in the "Notice to Auditee" (see
"Corporate Audit Performance Process Matrix"). It should contain the name and location of the entity
to be audited, scheduled dates to begin and complete field work, a brief description of the type of
audit, and the audit date(s).
• Objective—The deliverable product of an assignment requires a conclusion that will provide
management with either assurances or reasons for action concerning, for example, account balances,
internal controls, various functions or operational procedures, etc. Prior to the audit, we must plan for
the objective to direct our efforts toward that end result. Establishing objectives encourages an orderly
work process and concentration of the audit effort toward a predefined goal. Consideration should be
directed toward potential high-risk and material areas.

• Scope—Once the objective is documented, the planning memo then logically leads into the scope
section. If the objective is to state an opinion on the adequacy of a certain system, then the scope will
explain compliance, and the substantive testing necessary to arrive at an opinion. Areas of emphasis
should be defined along with significant audit steps and procedures.
• Background—Background information is necessary in order to give the reader a description of the
entity or area to be audited. It does not need to be long or detailed, but should contain the entity name,
location, and procedures or description of operations. Facts that are unusual or pertinent should be
identified. Examples include situations where the controller is new, the location is known to have had
internal control problems in the past, sales have fallen off heavily, or operating costs have increased
substantially.
• Financial Highlights—The financial highlights section includes a summary of major account
balances. Accounts outlined in the objective section are also included in order to bring these accounts
to the attention of the reader. Comparative figures for two corresponding periods should be included.
• Significant Audit Areas/Audit Approach—This section identifies and outlines the more significant
areas mentioned in the scope section. It also states the audit approach to be used in these areas. This
method will assist all parties in understanding the areas of concern and how these areas are to be
audited.

• Staff and Timing—This section lists the staff assigned to the audit, their job level, and the dates
assigned to the audit. Planning in this area is necessary to ensure that the fieldwork will be completed
within the audit budget.
• Budget—The audit budget is a compromise between what audit management would like to
accomplish and that for which it can effectively allow time in meeting the overall department
objectives. Normally, total hours will be estimated in a three-year plan. An appraisal is made of the
objective and scope of work to be performed and the number of hours to complete each area of the
assignments. The hours for each area should agree with total budgeted hours.

Exhibit 7.4: Sample Planning Memo

Date: October 20, 200x


From: Senior
To: Manager
Subject: Planning Memo—Sam Pole's Best Ozone Paint Manufacturing Facility
Field work for the manufacturing facility interim audit will begin on Monday, October 26, 200x, and will be
completed on Friday, November 20, 200x. The interim audit as of September 30, 200x, will include a
financial audit. A year-end audit will also be performed by the internal audit department in January 200x.

Objective

The interim audit will be conducted to determine the adequacy of internal accounting controls (through a
review of accounting systems and a test of transactions) as a basis for the formulation of year-end balances.

A year-end review will also be conducted to determine the validity of accounting data that will be included in
your company's consolidated general ledger trial balance as of December 31, 200x.

Scope—Interim

The audit will include the documentation, review, and detail compliance testing of existing key internal
accounting controls in significant financial areas as of September 30, 200x, trial balance.

Emphasis will be on inventory, sales billing, accounts payable, and payroll. A variation analysis will be
performed of all accounts with significant changes in comparison with the 200x year-end balance. A review of 
the August 31, 200x, physical inventory compilation and a follow-up of previous audit comments will also be
conducted.

Background

Sam Pole's Best Ozone Paint—located in Anytown, AZ, USA—is a key location for the company's ozone
paint manufacturing. It joined the company in 200x and experienced several startup problems.

Financial Highlights For the six months ended June 30 ($000's omitted)

Balance Sheet                        200x        200x
Inventories                       $ 4,000     $ 5,000
Other Current Assets                  100         300
Total Current Assets                4,100       5,300
Net Fixed Assets                   13,000      15,000
Total Assets                      $17,100     $20,300

Total Liabilities                  12,000      14,000
Equity                              5,100       6,300
Net Liabilities and Equity        $17,100     $20,300

Income Statement                     200x        200x
Net Sales                         $24,000     $35,000
Cost of Sales                      18,800      23,500
Gross Profit                        5,200      11,500
SG&A                                3,200       7,500
Net Income Before Taxes           $ 2,000     $ 4,000

Significant Audit Areas/Audit Approach

Inventory—Inventory is considered to be the most significant area at Sam Pole's Best Ozone Paint
manufacturing facility. Our audit procedures will include observation of the physical inventory, testing of the
system of internal controls, testing of the inventory compilation, review, and testing of the roll forward from
the physical to September 30, 200x.

Payables—Payables are significant because of the volume of transactions and their interrelationship with
inventory. Our procedures will include flowcharting and testing of the system, testing of cutoff, vouching of
selected accounts, reviewing and preparing reconciliations of vendor statements, and examining subsequent
payments.

Other Balance Sheet Accounts—Our approach to auditing these accounts will be to perform an analytical
review to compare current-year balances to prior-year and accounting for all significant changes. Substantive
audit procedures will be used on all material balances.

Other Areas

Other areas that will be given emphasis in the current audit include:

• Analysis of repair and maintenance accounts


• Analysis of all outside service accounts

• Review of controls over customer returns


Staff and Timing

The audit will be conducted by both the Internal Audit Manager and J. Smith, a new audit senior. Field work 
will begin on October 26 and will last for two weeks.

Budget (in Hours)

Planning                                        6
Supervision                                     2
General                                         4
Meetings, tours, etc.                           4
Analytical review                               4
Flowcharting and review of systems controls:
  • Inventory ledger                           12
  • Purchasing/Accounts Payable                 8
  • Payroll                                     8
  • Sales/Billing                               8
Cycle Tests                                    10
Trial Balance                                   3
Cash                                            2
Accounts Receivable                             4
Inventory                                      20
Fixed Assets                                    6
Other Assets                                    3
Accounts Payable                                6
Accruals                                        4
Income and Expense                              6
Internal Control:
  • Questionnaire Review                        4
Travel                                          4
Finalization of W/P                             8
Report                                         16
TOTAL:                                        152

e. Audit Status Report


The purpose of a status report is to provide audit management with a progress report of the assignment. On
assignments scheduled for more than four weeks, a status report is required. A typical report would outline
significant findings, audit scope changes and rationale, work completed, and an estimate of time to complete
the assignment. This information documents and enables the manager to make a decision on additional scope
changes, staffing (increase or decrease), and staff schedule changes. The in-charge auditor has the
responsibility for the status report. In some instances, due to the importance of the matter, the manager will
issue a memo to the Director of Auditing.

A formal status report is not usually required for a short period assignment. However, an informal report can
be phoned into the manager, describing significant findings, the status of the work completed, the estimate of 
time of completion, and other situations affecting the audit.

Communication keeps the manager aware of current situations and assists in the decision making on that
assignment as well as scheduling other audits. It also provides documentation, as required in our corporate
audit performance process, in our project control file.

f. Developing Audit Recommendations


An audit recommendation is a condition that, in the auditor's judgment, requires change or action and is of 
sufficient magnitude to warrant the attention of management. Discovery of an exception is the starting point in
developing a recommendation. When an exception is revealed during audit testing, development of a
recommendation may require a series of expanded audit tests, research, and communication. The problem or
situation as it exists must be fully defined and explained. The ability to express the results of an audit in
well-written audit recommendations is a measure of assurance that management will take appropriate action
and one of the principal bases on which audit performance will be judged. Each auditor must assume
individual responsibility for improving proficiency in this respect.

A. Basic Criteria

Some basic criteria for effective writing that should be observed in the preparation of audit
recommendations are:

1. Accuracy. Recommendations in audit reports must be verified thoroughly so that there are no
factual errors. The auditor should be careful not to use data that could be misleading.
2. Objectivity. Include all significant, relevant information, even if it indicates disagreement
with the auditor's position. Do not rely on inferences and implications. Adequate background
information should be provided so that the reader can grasp the significance of the situation
being reported.
3. Readability. In preparing an audit recommendation, the auditor should be continuously
conscious of how it will be perceived by the reader. Avoid disagreeable or inflammatory tone,
sarcasm, ridicule, or oratory. Try to foresee the reader's reactions to certain words or phrases.
Be tactful. The use of correct grammar and proper punctuation is an imperative for
well-written recommendations.
4. Clarity. To the extent possible, clarity should be interpreted as requiring that every statement
not only can be understood, but also cannot reasonably be misunderstood.

B. General Characteristics
1. Evaluate the significance of what you are reporting.
2. Write in simple, non-technical, clear language.
3. If you refer to a form number, state its name or subject somewhere in the report.
4. If you use abbreviations, spell out their meaning when they first appear.
5. Reasonable logic is important.
6. Be concise. Avoid wordiness and inclusion of extraneous matter.
7. Do not be evasive. If you have something to say and can support it, then say it.
8. Write constructively. Stress the need for improvements in the future rather than focusing on
deficiencies in the past.

9. Provide support to all information in recommendations.
10. Present relevant comments and reviews of the issues being discussed.
11. Clearly identify opinions, especially if they concern significant matters.
12. Do not generalize by simply saying that a practice "weakens controls." Specify how it
weakens controls.
C. Development Process

The following steps should be followed in order to provide for systematic development of a
recommendation after an exception is revealed:

1. The problem or situation as it exists must be fully defined and explained.


2. The criteria or standards for an activity should be re-evaluated as to applicability and
adequacy at this point in the development of the recommendation. Some criteria regarding the
performance of the activity must be established based on authority, generally accepted
principles, or reasonableness.
3. It is necessary to look at the effect and significance of the problem. Through further testing
and gathering of data, the extent of a problem and its importance must be determined. Efforts
should be made to obtain quantification in the gathering of measures of effect.
4. If the effect is minimal, this condition is the auditor's notice to discuss the problem with the
operating level of management. A recommendation is not required in an audit report when the
effect is minimal.


5. If, in the auditor's opinion, the effect is significant, the auditor should proceed with the
development of the recommendation.
6. The auditor must seek to find out, through expanded testing and gathering of data, what
caused the problem or situation. Frequently, this step is the most difficult one in the
development of an audit recommendation. However, without it, you have an incomplete
recommendation and can offer management only a correction of the existing problem. You
cannot provide a statement of action that will give assurance that a situation will not recur.

If the actual cause of the problem cannot be disclosed through expanded testing and gathering of data, the
auditor should discuss the situation with responsible management. In this discussion, the auditor should seek 
to obtain a response as to what would improve the condition or situation. Based on the outcome of this
discussion with the auditee, the auditor will be guided as to the statement of action that should be made for
correcting the condition. If an actual cause of the condition is revealed, the statement of action should be
directed at the correction of the cause. A discussion with the responsible management as to the problem, the
criteria, the effect, and the cause should be held to obtain their comments in order to further substantiate the
accuracy of the developed recommendation.

D. Developing Recommendation Data

1. Statement of Condition. In this section, the auditor should state the circumstances surrounding the recommendation. In a logical sequence, present the facts and specific illustrations describing the condition. Each statement of condition must contain sufficient qualitative and quantitative information to fully support the conclusions or main point. The statement of condition should be brief, but not to the point where completeness is sacrificed.
2. Criteria. The criteria represent the standards against which the auditor is measuring a
questionable condition or practice. The criteria applied may vary; however, the auditor should
concentrate on the criteria that are important to the objective of the audit. Some examples of 
criteria are:

a. Written requirements (laws, regulations, instructions, manuals, directives, etc.)
b. Independent opinion of experts outside the organization
c. Prudent business practice
d. Verbal instruction
e. Managerial expertise
f. Unwritten overall objectives as explained by management officials
g. Common sense

Published criteria may be directly quoted, summarized, or paraphrased. If criteria are not already set forth in writing, the auditor may have to obtain information that will serve as evidence of criteria. If common-sense subjective judgment is to be used as a criterion, it should be both logical and convincing to the reader.
3. Effect. Effect is the actual or potential adverse impact, which has resulted or can result from
the condition being questioned, in dollars or other terms. Some examples of effect are:

a. Uneconomical or inefficient use of resources (time, money, labor)
b. Loss of potential income
c. Violation of law
d. Funds spent improperly
e. Information or records that are meaningless or inaccurate
f. Ineffectiveness; the job not being accomplished as well as it could be or as intended
g. Inadequate control or loss of control over resources or actions
h. Lack of assurance that the job is being done properly
i. Lack of assurance that objectives are being met

If the auditor does not present information on the actual or potential adverse effect, the reader might assume that the apparent lack of concern means that the recommendation is not very important. If the effect is not significant, the recommendation should not be included in the report. Caution should be exercised not to create an issue larger than facts actually warrant.
4. Cause. The cause is the underlying reason why questionable behavior or condition occurs.
This sensitive, and usually highly judgmental, area requires the most penetrating efforts and
insights of the auditor. As a minimum effort, the auditor should have explored the situation
thoroughly enough to be able to generate what is termed a "first-level statement of action."
That is, one that is sufficiently detailed or specific enough to enable the recipient of the
recommendation to correct the conditions. It is necessary to get as close to the real cause of 
the problem as possible, or at least to one or more causes that will put the recommendation in
perspective; make the recommendation convincing and lead to a sensitive, specific statement
of corrective action. Simply stating that the problem or adverse condition exists because
someone did not comply with company policy is not very meaningful. Also, this approach
usually confines the auditor to the rather superficial statement of action to "comply with
company policy." Some examples of cause are:

a. Lack of training
b. Lack of communications
c. Unfamiliarity with requirements
d. Negligence or carelessness
e. Guidelines or standards (criteria) are inadequate, not provided, obsolete, or impractical
f. Conscious decision or instruction to deviate from requirements (for any of a variety of reasons)
g. Lack of resources (funds or staff)
h. Failure to use good judgment or common sense
i. Dishonesty or personal gain
j. Lack of effective or sufficient supervision, or lack of supervisory review
k. Unwillingness to change
l. Lack of planning, faulty or ineffective organizational arrangement, or delegations of authority
5. Statement of Action. Generally, each recommendation will result in one or more statements of 
action. Experience indicates a great receptivity to constructive audit statements of action.
Some basic guidelines for developing statements of action are:

a. Present statements of action as a logical sequence to the related statement of conditions.
b. Present statements of action that are as specific, realistic, and as helpful as possible
and related directly to the cause of the weakness or deficiency. State what action will
provide a meaningful solution to the problems, and not simply recommend that
"regulations be complied with," "controls be strengthened," or "procedures be
established."
c. Direct the statements of action toward the audited organization and to the specific
persons, by title, who have responsibility and authority to take corrective action.
d. Do not include statements of action on which adequate action has been taken before
the report is issued. Instead, report, in the body of the recommendation, what action
has been taken to correct the situation and only present additional statements of 
recommended action as warranted.
e. Avoid the use of extreme language in making statements of action, such as
"immediately," "expedite," "without delay," "as soon as possible," unless the nature
of the problem is so serious that such language seems particularly appropriate.

f. The expression "for consideration" should not be used in presenting statements of action. Since the Audit Department is a staff function and its service advisory, all statements of action are "for consideration."
g. Material, thoughts, or information that were not developed in the body of the
recommendation should not be introduced in the statement of action. The statement
of action should follow logically from what is presented in the recommendation.

i. Recommendation Worksheet

A form should be created for the purpose of writing up the recommendations as they are initially discovered
(see Exhibit 7.5 for an example of a worksheet format). A copy should then be given to the auditee. There are
many good reasons for following this procedure.

Exhibit 7.5: Recommendation Worksheet Example

Audit Job No.______

Recommendation No.______

Workpaper Ref.______

Auditee ____________ Audit Date ____________

Statement of Condition: (What is) _________________________________

Criteria: (What it should be) _____________________________________

Effect: (So what?) ______________________________________

Cause: (Reason for deviation) __________________________________

Statement of Action: ____________________________________________

Present Status: ________________________________________________

• Recommendation corrected during audit ____________________________
• Auditee agreed with recommendation ______________________________
• Detailed support for adjustment/correction provided to auditee ____________
• In process of implementing _____________________________________
• Auditee disagrees with recommendation/comment ______________________

Preparer signature: ____________________________

Senior Auditor signature: _______________________

Provide a copy of this completed form to auditee ASAP/Use form for the Closing Conference.

1. If recommendations are neat and well written at the time of discovery and copies given to the auditee,
valuable research and input can be obtained before the closing conference. This makes the closing
conference more productive as both sides are knowledgeable on the subject. Generally, the auditee is
blindsided at the closing conference if recommendations have not been previously presented.
2. The procedure lends itself to better written, more factual audit recommendations because the material is fresh on the auditor's mind—preferable to writing the recommendation later in time (i.e., at the end of the audit). Strengths and weaknesses can be reconciled to improve the quality of the recommendations.
3. Why take many recommendations to the closing conference when a "climate for change" can be initiated during the course of the audit? Too many recommendations presented at one time tend to make the auditee nervous and worried about how the report is going to look to others. Tentative recommendations should be provided to the auditee periodically, once a week, and not on a daily basis.
4. If the recommendation has been resolved by the auditee during the audit, it is much more agreeable to
the auditee if only mention is made summarizing items corrected during the audit.
5. The interim communication also gives the auditor a written workpaper document to use in discussing
recommendations at the closing conference.
6. Once written recommendations are resolved to the degree possible, corrections should be made and
submitted for typing the final report.

ii. Form Format

The form is designed to be as functional as possible, but it is limited in space to encourage factual, precise
write-up of recommendations.

• Recommendation/Discussion Item—A recommendation is a material exception to corporate policy or procedures, for example, that is controllable by the auditee. The auditee is required to submit a written response to the recommendations. A discussion item is also an exception that may be material, but is not controlled by the auditee. Therefore, the auditee is not required to respond to the discussion item.

• Audit—Write the name of the branch or location in the space provided to facilitate audit identification.

• Subject—Identify the subject area where the exception occurred, for example, payroll or accounts payable.

• CAJ No.—Corporate Audit Job Number

• CAR No.—Corporate Audit Recommendation Number

Corporate Audit Job Numbers will be standardized and assigned by the audit division offices. The Corporate
Audit Recommendation Number is the sequenced number of the recommendation developed as the audit work 
progresses. The Corporate Audit Recommendation Number is to be used as a control point.

• Recommendation/Facts—Remembering that a statement of action is a call for action by management and must be written on that basis, the facts follow the attributes of a recommendation:
A. Statement of condition (what is)
B. Criteria (what it should be)
C. Effect (so what?)
D. Cause (reason for deviation)

• Present Status—A space provided for comments by the auditee to elaborate on original intentions or reaction
to the audit recommendation. It may only be necessary to check one of the preprinted comments such as
"Recommendation Implemented During Audit."

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 7.2 REV NO: DATE:
TITLE: Workpapers PAGES:

[1] The Institute of Internal Auditors officially revised the "Red Book," or Standards for the Professional Practice of Internal Auditing. At the end of 2001, this new version became effective for auditors and interested parties.

7.2 Workpapers
Workpapers serve mainly to aid the auditor in conducting work and provide important support for the
auditor's opinion. Such language as "Workpapers are a record ... of tests and procedures," "Workpapers,
accordingly, may include work programs, analysis memoranda, letters of representation, confirmations,
abstracts of company documents, schedules, and commentaries prepared by the auditor," further attempt to
describe workpapers and some of their contents. Other comments, such as "Workpapers should fit the
circumstances and the auditor's needs on the engagement to which they apply," are from Statement of 
Auditing Standards (SAS) No. 1, Section 338. Although SASs are written for public accountants, these
comments are also applicable to internal auditors. For external auditors to rely on our workpapers, internal
auditors must produce documents of the same quality. It is imperative that standards of compliance be
established to help ensure quality workpapers.

Before preparation, give consideration to the objectives for creating your workpapers. Only information
supporting your objectives should be included. Envision how the workpaper will look after it is completed.
Does it appear logically organized, relevant, and neat—without half erasures, with figures and comments not
crowded together? Is it complete—without loose ends that need to be addressed?

A second thought, and one that should be seriously considered, is that the IRS can and has subpoenaed
internal auditors' workpapers into court. The question is, would you be embarrassed if your workpaper was
made a document of the court? What if the court made an enlargement of your workpaper and it was
displayed on a screen for all to see?

Other factors to consider in developing workpapers are:

• Control
• Retention
• Headings
• Permanent files: contents and format
• Current files: contents and format
• General organization
• Detailed workpaper section organization
• Indexing and cross referencing
• Referencing
• Standard tick marks

a. Control
For Corporate Audit purposes, workpapers are confidential documents used to support our conclusions. In
order to maintain our independence and protect confidentiality, audit bags containing workpapers must be
locked if left overnight at the auditee's office.

During working hours, workpapers should be retained in a controlled, orderly fashion. That is, they should not
be left lying around the work area or left out in the auditee's office where they can be seen, handled, or
misplaced by the auditee employees.

In the office, workpapers should be filed in secured cabinets. During work hours, care should be exercised to ensure that visitors do not inadvertently observe confidential information lying on desks. Prior to leaving the office, workpapers should be secured in locked cabinets or desks.

b. Retention
The retention period for both workpapers and reports is five years. If an exception arises in which the
retention period is to be extended beyond this period, a notation indicating the destruction date should be
boldly printed on the outside cover of the workpaper binder or on the face of the report.

c. Headings
In order to standardize Corporate Audit workpaper headings, the following information should be used for all
workpapers:

Description on Workpapers                          Location of Workpapers
Name of auditee—location                           Top-Center
As-of date of audit                                Top-Center
Identification of workpaper                        Top-Center
Initials of auditor performing the work            Bottom-Right (area provided)
Initials of in-charge senior manager               Bottom-Right
Workpaper index (red pencil only)                  Bottom-Right (area provided)

WORKPAPER DO'S AND DON'TS

Do

1. While the audit is in progress, prepare a to-do list of points that have not been resolved.
2. Resolve points with auditee at one time during the day.

3. For those workpapers kept by hand, be neat, write legibly, use a medium-hard lead pencil, keep
figures in proper columns. For workpapers on computer, develop a professional look with consistent
formatting.
4. If done by hand, use a ruler; single line for subtotals, double line for totals. If done by computer, use
the same guideline.
5. Avoid crowding on a single page.
6. Be accurate; be sure amounts are accurate and footings are correct. If using a computer, double-check 
all formulas. It is recommended that the auditor print out the worksheet formulas and audit them
before relying upon them.
7. Head every workpaper (see headings above).
8. Identify the source of information on each workpaper, reference books or original entry, voucher
numbers, conversations with employees, and so forth. Distinguish between fact and opinion.
9. If a workpaper is "prepared by auditee," indicate so with "PBA" on the workpaper. Indicate the name
of employee performing the task.
10. Initial and date each workpaper (printed version if using a computer).
11. Indicate analysis that requires more than one workpaper by: 1 of 5, 2 of 5, etc.
12. Adequately explain all tick marks other than the standard tick marks. Summarize explanations at the
bottom of each workpaper by using a legend.
13. Use proper grammar.
14. When referring to auditee employees, spell their names and titles completely and correctly.
15. Indicate clearly the extent of tests made.
16. Write your opinions and conclusions, using care to differentiate among facts, opinions, and
explanation.
17. If memoranda are done by hand: All memoranda should be prepared on memo pad paper. Skip every
other line and write only to the right-hand margin line. If memoranda are done by computer, set
formatting according to this guideline.

18. Write on just one side of a working paper, if done by hand.


19. Remove all items that have no value in supporting the conclusion.

20. Verify that the final figures on each workpaper agree with the lead sheets, working trial balance, and
cross-reference thereto.
21. Reference and cross-reference to other workpaper and interim recommendation worksheets.
22. Leave enough space on each workpaper to clearly identify adjusting entries and comments. If using a
spreadsheet, avoid using "comments" for substantive remarks; rather, add a column for remarks on the
worksheet.
23. Use legal size paper; set electronic document margins to the equivalent size.
24. Use red pencil; use red fonts if the workpaper is in electronic form.

Don't

1. Do not prepare workpapers without first considering the objectives.


2. Do not follow previous audit workpapers blindly, but have a logical reason for changes.
3. Do not prepare separate income and expense account analyses when the accounts can be more effectively covered in conjunction with balance sheet items.
4. Do not leave open points or questions on your workpapers.
5. Do not merely cross over points or questions, but explain disposition.
6. Do not repeat scope of work when steps are outlined in the audit program. Indicate the audit program followed.
7. Do not make workpapers available to anyone without prior approval from the manager.

d. Permanent Files: Contents and Format

Permanent files are to be used for documents that will be needed in audits for a number of years. The binder should be labeled "Permanent Folder" and contain an index showing the contents of the folder.

Permanent files should be economical in content. They should not be cluttered with documents that cannot
effectively help or provide information for future audits. Exhibit 7.6 outlines the format of the permanent file.
This outline will also act as the index for the file. For example, consider A-Corporate Audit
Reports/Responses. The first report entered into the permanent folder will be indexed in A-1, the second in
A-2, and so on. Each document entered into the permanent file must include the date and initials of the auditor. Revisions or modifications must also be initialed and dated. Use red pencil for this purpose.

Exhibit 7.6: Permanent Files Index

Sam Pole Company

Corporate Audit Department

Permanent Folder Index

A. Corporate Audit Reports/Responses
B. Reports (Other)
C. Carry Forward Comments
D. Organization Charts/Key Personnel
E. Internal Control Questionnaire/Audit Programs
F. Contracts/Lease Agreements
G. Labor Agreements
H. Historical Information/Pictures/Nature of Business Unit
I. Correspondence (Major)
J. Excerpts from Meeting (i.e., plant, branch, board)
K. Company Directives Memoranda
L. Account Analysis
M. Other

e. Current Files: Contents and Format

The criterion for determining whether information should be included either in the permanent file or the
current file is the useful life of the information. Place information into the permanent file if the usefulness of 
the information is longer than two years. The majority of information obtained during an audit usually applies
to the current year and will only be used for comparison and guidance in the subsequent year. Accordingly,
such expected useful life would be less than two years and is filed in the current file.

f. General Organization
Use the printed workpaper binder cover and back furnished by the department. Note that certain information
is to be completed on the cover of the binder: company identification, contents of the binder, the names of 
auditors who worked on sections included in the binder, review signatures, and the name of the audit office
producing the file.

Acco fasteners have 2 3/4-inch centers with 2-inch capacity. If files exceed two inches, Acco fasteners of 
greater capacity can be obtained.

All workpapers are to be 8 1/2 inches by 14 inches—legal size paper. If auditee documents are less than legal
size, attach the document to heavy-grade legal size paper and then file it. Do not waste memo or 17-column
paper for this purpose.

Create dividers by using heavy-grade paper and attaching a tab at the bottom of the sheet. A second method is
to use 14-column paper as a wraparound for the individual section. The section name and indexing letter
should be indicated in red at the bottom right-hand corner after the 14-column paper is folded in half.

g. Detailed Workpaper Section Organization

Each job will have a systems binder to be updated yearly. The following sequence will be utilized to organize the systems binder where the "S" denotes systems documentation work:

SA-1 Flowchart (manual/IS)
SA-2 Narrative description
SA-3 List of key reports (official report title and informal user name)
SA-4 Internal control questionnaire
SA-5 Summary of major strengths and weaknesses
SA-6 Audit approach memo
SA-7 Other systems information as needed

The compliance and substantive work for each account will be organized in the following sequence in a
separate current file:
A/C Overall scope and conclusion
A/P Audit program
A Lead sheets
A-1 to A-nn Account detail (substantive testing), cycle testing (compliance testing), comments for future audits and confirmation forms: detailed audit work supporting lead sheet balances

Note: The audit procedures performed and workpapers generated should be organized in a manner deemed to be logical and expedient in the senior's judgment.

• SA-1, Flowcharting. Include both the manual and data-processing flow of documents as you
flowchart the system. Graphically depict the inputs, processing, and outputs of each system.
• SA-2, Narrative system description. Narratives may be used to describe a system on a step-by-step
basis. The narrative system description can supplement flowcharts or stand alone if it best fits the
system.
• SA-3, Key reports listing. The key report listing should list important reports by their official title and
also by informal names used by the auditee. This listing will greatly assist the following year's audit.
• SA-4, Internal control evaluation guide. The internal control evaluation guide should be developed
to include only questions applicable to the section involved. "A," the cash section, should include the
internal control questionnaire evaluations guides only for cash.
• SA-5, Summary of major strengths and weaknesses. Once the flowchart and internal control
questionnaire have been prepared, a summary of the system's major strengths and weaknesses should
be prepared. This summary will aid in the development of the audit approach.
• SA-6, Audit approach memo. Based on the above procedures, the auditor should have a good idea of 
the strengths and weaknesses of the system. The logic behind the selected audit procedures should be
written up in a memorandum and included in this section.
• A/C, Overall scope and conclusion. This workpaper will be the last item completed in the section, but
it is the first in the organization sequence. Identify the work involved to support your
conclusion—procedures such as sample size, extent of testing, and compliance with audit program. In
the conclusion section, state your opinion based on the testing performed in the scope. Make
references and cross-references to adjustments and recommendations or comments that were the result
of your work.
• A/P, Audit programs. Audit programs should include all the steps necessary to test the system and
reach a logical conclusion. Such tests will include substantive tests of account balances and
compliance tests of the system.
• A, Lead sheets. The auditor should give advance thought to the preparation of lead sheets. Minimum
information includes a comparative schedule showing account balances at the prior year audit date
and the book balance for the current audit date. Also, columns are prepared for adjustments and final
balances. These schedules should reference the working trial balance.
• A-1 to A-NN, Account detail (substantive testing). The evidential matter is obtained through two general classes of auditing procedures: (1) tests of details of transactions and balances and (2) analytical reviews of significant ratios and trends, and the investigation of unusual fluctuations and questionable items.
• A-100 to A-NNN, Cycle testing (compliance testing). The purpose for tests of compliance is to
provide reasonable assurance that accounting control procedures are being applied as prescribed.

h. Indexing and Cross Referencing


Workpapers should be indexed using the prescribed standard index. Each schedule should be marked in red
pencil (or font) in the designated box at the bottom right corner. The index can then be utilized throughout the
files whenever a cross-indexing reference is made to that particular schedule or to an amount therein.

An index has been assigned to each major account classification. Single alpha letters are used for asset section
designations. Double alpha letters are used for liabilities or capital accounts. Numbers are used to indicate
accounts in the income statement. These sections will be preceded by "PL" before the number indicated later
in the index sample.

The first section of the indexing system is referred to as the administrative section. The index to reference this
section is "AD."

The workpaper sections will include subaccounts under the major account classification. For example, cash,
the major account, also includes subaccounts of Cash in Bank, Cash on Hand, and so on. The lead sheet
(indexed "A") for this section should show the applicable subaccount balances for the current period and the
prior period. These columns should be footed to show the total balance in the major account. The analysis of 
the subaccounts should be documented on supporting schedules (i.e., A-1—Analysis of Cash in Bank,
A-2—Analysis of Cash on Hand, etc.).

Occasionally, a section within a file binder may become too large to control effectively. In that instance, the
section may be extended into another binder. The indexing for the extended file binder becomes X. For
example, if section CC Accounts Payable becomes too large, part of the file can be stored in another file
binder indexed CCX. Appropriate referencing should be indicated in the working papers.

Three separate sections have been included for the work performed on confirmations, inventory observation,
and inventory compilation. The section for confirmations is to be used when the number of confirmations sent
is too large to be practically included in the applicable account classification. The other two sections are to be
used when a physical inventory observation and a review of the inventory compilation are included within the
scope of the audit. Be sure to appropriately reference these sections in the working papers.

The following is a listing of the indexes that should be used:

Index   Description

Administrative
AD1     Copy of the audit report
AD2     Assignment checklist
AD3     Copy of financial statements
AD4     Summary memo—in-charge
AD5     Manager comments—interpretive comments, major problems and their solutions
AD6     Working trial balances
AD7     Adjusting journal entries
AD8     Analytical review and interim financial statements
AD9     Audit planning memo
AD10    Time budget
AD11    Interim audit recommendations and comments summary (AUD form 1)
AD12    Prior audit reports and follow-up
AD13    Other correspondence
AD14    As needed

Assets
A       Cash
B       Securities and other negotiable assets
C       Sales, shipping, and trade receivables
D       Inter-company receivables
E       (Used for other accounts)
F       Inventory
G       Prepaid expenses and other assets
H       (Used for other accounts)
I       (Used for other accounts)
M       Other tangible assets
S       Property, plant, and equipment

Liabilities
BB      Notes payable
CC      Accounts payable
DD      Accounts payable inter-company
FF      Compensation
GG      (Used for other accounts)
HH      Other liabilities and deferred credits
WW      Capital stock and surplus
PP      Notes and inter-company debt

Income Statement and Other
PL1     Sales and revenue
PL2     Cost of goods sold
PL3     Selling, general, and administrative expenses
X       Extended file

i. Referencing
Normally, detail sub-schedules support the amounts shown on the lead schedules. Also, the lead schedules
support the amounts shown on the trial balance. These workpapers should be cross-referenced to one another.
Referencing should be done by inserting the page index next to the corresponding amount. Writing the page
index to the right of the amount indicates "going to" a certain page. Writing a page index to the left of the
amount indicates "coming from" a certain page. The referencing of final totals (double underscored) may be
done by inserting the page index directly below the applicable amount.

When referencing on the same page, either a circled number or a circled capital letter should be used. A
circled number is used when referencing a number to a number. A circled capital letter is used when
referencing a number (or any other section or symbol on the workpaper) to a note. All referencing should be
done in red pencil (or font if electronic).
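As an added illustration (not code from the manual), the following Python models the index grammar of the standard index above and the referencing convention in this section: it classifies index strings such as A-1, CCX, PL3 and AD10, and checks that a lead sheet foots, that every subaccount amount is supported by a detail schedule in the same section whose total agrees and is referenced back to the lead sheet, and that the lead total is referenced to the working trial balances (AD6). The Cash section and its amounts are constructed sample data.

```python
"""Workpaper index and cross-reference checks (added example, not from the
manual).  Index grammar follows Section 7.2 (h); reference rules follow 7.2 (i)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Index grammar from the standard index: AD<n> = administrative, PL<n> =
# income statement, one letter = asset section, two letters = liability or
# capital section, trailing X = extended file binder (e.g. CCX), "-<n>" =
# supporting schedule within a section (A-1, A-100).
INDEX_RE = re.compile(r"^(?:(AD|PL)(\d+)?|([A-Z]{1,2})(X)?)(?:-(\d+))?$")

# Page index of the working trial balances in the standard index.
WORKING_TRIAL_BALANCE = "AD6"


def parse_index(index: str) -> dict:
    """Classify a workpaper index string; raise ValueError if malformed."""
    m = INDEX_RE.match(index)
    if not m or m.group(3) in ("AD", "PL"):  # ADX / PLX are not valid indexes
        raise ValueError(f"malformed workpaper index: {index!r}")
    special, num, letters, ext, sched = m.groups()
    if special == "AD":
        kind = "administrative"
    elif special == "PL":
        kind = "income statement"
    elif len(letters) == 1:
        kind = "asset"
    else:
        kind = "liability/capital"
    return {
        "section": (special or letters) + (num or "") + (ext or ""),
        "kind": kind,
        "extended": ext == "X",
        "schedule": int(sched) if sched else None,
    }


@dataclass
class Line:
    description: str
    amount: int                      # whole dollars in this sample
    to_ref: Optional[str] = None     # index written to the RIGHT: "going to"


@dataclass
class Schedule:
    index: str
    lines: List[Line]
    total: int                       # the double-underscored footed total
    total_ref: Optional[str] = None  # index written directly below the total


def check_lead_sheet(lead: Schedule, details: Dict[str, Schedule]) -> List[str]:
    """Return review findings for a lead sheet and its supporting schedules."""
    findings = []
    lead_ix = parse_index(lead.index)
    if lead_ix["schedule"] is not None:
        findings.append(f"{lead.index} is a detail schedule, not a lead sheet")
    if sum(ln.amount for ln in lead.lines) != lead.total:
        findings.append(f"{lead.index} does not foot")
    if lead.total_ref != WORKING_TRIAL_BALANCE:
        findings.append(f"{lead.index} total is not referenced to the working "
                        f"trial balance ({WORKING_TRIAL_BALANCE})")
    for ln in lead.lines:
        if ln.to_ref is None:
            findings.append(f"{lead.index}: {ln.description!r} has no supporting "
                            "schedule reference")
            continue
        ref = parse_index(ln.to_ref)
        if ref["section"] != lead_ix["section"] or ref["schedule"] is None:
            findings.append(f"{lead.index}: {ln.to_ref} is not a detail schedule "
                            f"of section {lead.index}")
        target = details.get(ln.to_ref)
        if target is None:
            findings.append(f"{ln.to_ref} referenced from {lead.index} is missing")
            continue
        if target.total != ln.amount:
            findings.append(f"{ln.to_ref} total {target.total} disagrees with "
                            f"{lead.index} amount {ln.amount}")
        if target.total_ref != lead.index:
            findings.append(f"{ln.to_ref} total is not referenced back to {lead.index}")
    return findings


def sample_cash_section():
    """Constructed sample: Cash lead sheet "A" with two subaccount schedules."""
    lead = Schedule("A", [Line("Cash in Bank", 12500, to_ref="A-1"),
                          Line("Cash on Hand", 300, to_ref="A-2")],
                    total=12800, total_ref=WORKING_TRIAL_BALANCE)
    details = {
        "A-1": Schedule("A-1", [Line("Operating account", 9000),
                                Line("Payroll account", 3500)],
                        total=12500, total_ref="A"),
        # A-2 foots to 250 while the lead sheet carries 300, and its total
        # was never referenced back to the lead sheet.
        "A-2": Schedule("A-2", [Line("Petty cash", 250)], total=250),
    }
    return lead, details


if __name__ == "__main__":
    for finding in check_lead_sheet(*sample_cash_section()):
        print(finding)
```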

j. Standard Tick Marks


Standardizing certain tick marks will result in uniformity and time saving for the preparer and reviewer by
duplicating the tick marks and writing one explanation. Tick marks should be simple in design. Always
explain tick marks in a legend located in the workpapers. Use a "Standard Tick Mark Sheet" to explain
standard tick marks. Basic tick marks should be placed after the figure being checked. Prepare all tick marks
in red pencil (or font if electronic).

Standard tick marks are as follows:

F (under number) footed


F (to right of number) cross-footed
T/B agreed to trial balance
G/L agreed to general ledger
SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 7.3 REV NO: DATE:
TITLE: Audit Objectives PAGES:

7.3 Audit Objectives


As described in Chapter 6 of this manual, the Corporate Audit Department may be responsible for conducting
a variety of different types of audits. These types of audits may have different overall objectives that the
auditor must satisfy through the performance of audit procedures.

The most common type of audit for which auditors are responsible is the financial audit. Broadly described,
the overall objective of a financial audit is to assure that the financial statements are fairly stated, that they are
in conformity with Generally Accepted Accounting Principles (GAAP), and that the accounting principles that
were applied are consistent from year to year. In order to satisfy this overall objective, it is necessary to satisfy
specific objectives that apply to the various accounts that comprise the financial statements. The following is a
listing of objectives that apply to the various audit areas (accounts) that normally are included in a financial
audit. This listing is not all-inclusive, and all of the objectives may not apply in every circumstance. They
should be used as a guide and should be included, excluded, and/or modified as dictated by the audit
situations encountered. The list provides examples of assessing the five major management assertions in
financial statements: existence or occurrence, rights and obligations, presentation and disclosure, valuation or
allocation, and completeness.

Cash

• Cash recorded properly represents cash and cash items on hand, in transit, or in banks.
• Adequate disclosure is made of restricted or committed funds and of cash not subject to immediate
withdrawal.
• All receipts are properly identified, deposited, and recorded.
• There is a proper accounting for all inter-company and inter-bank transfers.
• All bank accounts and cash on hand are subject to effective custodial accountability procedures and
physical safeguards.

Receivables

• Recorded receivables exist and are carried at net collectible amounts.


• All collections are properly identified, control totals are developed, and collections are promptly
deposited.
• Billings and collections are properly recorded in individual customer accounts.

• Allowance for doubtful accounts is adequate.


Inventories

• Periodic physical inventories, or cycle counts, are taken and are valued in accordance with company
policies that are in accordance with GAAP.
• The quantities properly represent products, materials, and supplies on hand, in transit, in storage, or
on consignment that belong to the company.
• All receipts, transfers, and withdrawals of stock are properly and accurately recorded.
• All production activity and costs are properly and accurately reported and maintained in up-to-date
cost records.
• The items are priced in accordance with GAAP, consistently applied, at the lower of cost or market.
• Excess, slow-moving, obsolete, and defective items are reduced to net realizable values.
• Adequate provision for losses on purchase or sales commitments exists.

• The ending inventories are determined on a basis consistent with the inventories at the end of the
preceding year as to quantities, prices, computations, excess stocks, and so on.


Investments

• The physical evidence of the ownership of investments is on hand or held in custody or safekeeping
by others for account of the company.
• The basis on which the investments are stated conforms to GAAP and is consistently applied.
• All purchases or sales are initiated by authorized individuals and are properly approved.
• Income from investments is accounted for properly.

Fixed Assets

• All recorded assets exist.


• The basis upon which the property accounts are stated is proper, conforms to GAAP, and has been
consistently followed.
• All productive asset transactions are initiated by authorized individuals after advance approval has
been obtained.

• The additions during the period under audit are proper capital charges and represent actual physical
property installed or constructed.
• Adequate cost records are maintained for all in-progress and completed projects.
• Physical inventories of recorded productive assets are taken at periodic intervals.
• Depreciation charged to income during the period is adequate but not excessive, and has been
computed on an acceptable basis consistent with that used in prior periods.
• The balance in accumulated depreciation accounts is reasonable, considering the expected useful lives
of the property units and possible net salvage values.

Other Assets

• Recorded prepaid and deferred expenses represent proper charges against future operations.
• The additions during the audit period are proper charges to those accounts and represent actual cost.
• Amortization or write-offs against revenues in the current period, and to date, are reasonable under
the circumstances, and have been computed on an acceptable basis consistent with prior periods.

Purchasing, Accounts Payable, and Disbursements

• All costs are properly recorded and classified as expense, inventory, fixed assets, and other assets.
• All purchase requisitions are initiated and approved by authorized individuals.

• All material and services received agree with original purchase orders.
• All invoices processed for payment represent goods and services received and are accurate as to
terms, quantities, prices, extensions, and account distributions.
• All checks are prepared on the basis of adequate and approved documentation and are compared with
supporting data.
• All checks are properly approved, signed, and mailed.
• All disbursements are properly recorded.
• All accrued expenses relate to goods and services received as of the end of the fiscal period.

Notes and Loans Payable

• All amounts owed are properly recorded.


• Accrued interest is recorded.
• Compliance with all provisions of loan agreements has occurred.

• All debt transactions are initiated by authorized individuals and are approved by the Board of
Directors or executives to whom this authority has been delegated.


Capital Stock and Surplus

• The capital stock and surplus accounts are properly classified, described, and stated in accordance
with GAAP, and are not in conflict with the requirements of the corporate charter (or articles of 
incorporation) or with the applicable statutes of the state of incorporation.
• Transactions in the capital stock and surplus accounts during the audit period are properly authorized
or approved where necessary, and are recorded in accordance with GAAP.

Revenues, Costs, and Expenses

• Reported revenues, costs, and expenses are properly applicable to the accounting period under
examination.
• Reported revenues and applicable costs are recorded on a timely basis.
• Charges to customers are for valid claims for sales rendered in accordance with established pricing
policies.
• Costs and expenses are properly matched with revenues.
• Recognition has been given to revenues, costs, and expenses (including losses) which should be so
recognized.
• Revenues, costs, and expenses are appropriately classified and described in the statement of income.

Payroll

• Compensation costs reflect the aggregate cost of employee services during the period and are
distributed to appropriate inventory and expense accounts.

• Compensation rates are in accordance with applicable union agreements and/or approved rates.
• Additions, separations, wage rates, salaries, and other deductions are authorized and recorded on a
timely basis.
• Employee time and attendance data are properly reviewed, approved, and processed on a timely basis.
• Payroll deductions are determined in accordance with legal requirements or employee authorizations
and are paid to the government, unions, and other specified parties in a timely fashion.
• Payments for compensation and benefits are made only to bona fide employees.
• All authorized employee benefit plans and related costs are appropriately controlled and administered.

Travel and Entertainment Expense

• All expenses recorded must be "ordinary," meaning "customary and usual" within the experience of 
the particular community.
• All expenses recorded must be "necessary," meaning "appropriate and helpful" for the development of 
the entity's business.
• Sufficient documentation must exist. Specifically, the amount, time, place, business purpose, and
business relationship of the entertained party must be recorded.
• Reimbursements to employees must be fully accountable, so as not to be considered compensatory. If 
any reimbursements are compensatory, appropriate tax information must be retained.

Endnote
1. The Institute of Internal Auditors officially revised the "Red Book," or Standards for the Professional
Practice of Internal Auditing. At the end of 2001, this new version became effective for auditors and
interested parties.

Chapter 8: Audit Reporting


Overview

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 8.1 REV NO: DATE:
TITLE: Corporate Audit Report Process PAGES:

8.1 Corporate Audit Report Process


The Corporate Audit Report is perhaps the most significant product of the audit function. The procedures
contained in this section of the manual are designed to help ensure that the best possible quality product is
prepared.

The objectives of the report process include:

• To ensure the development of comprehensive and accurate reports


• To provide guidelines resulting in timely issuance of final reports
• To provide the opportunity to convey additional related information to readers of the report

Since the audit report is the most significant product issued by the Audit Department, the report format should
be carefully considered. It is the policy of Sam Pole Company to issue a summary-and-detail report for each
significant audit completed. The purpose of the summary report is to provide, in brief presentation format, the
essence of the scope and results of the audit. It also allows for a profile section to convey additional
information of interest to the Audit Committee and senior management. The thoughtful and creative use of the
profile section provides a vehicle for the Audit Department to convey information beyond the negative
reporting process that is inherent in internal auditing. To put it another way: the use of the profile section
enables us to convey information that may contribute positively to the management of the corporation. In
some instances, this information would be basic financial or operational, which helps put the audit results in
the proper context. Detailed descriptions of the summary and detailed report formats, with examples, are
contained in other sections of the manual.

The reporting process begins with the draft audit comments and follows through to the issuance of reports and
the report to the Audit Committee (if appropriate). The corporate audit reporting process matrix, Exhibit 8.1,
summarizes the activities contained in this process.

Exhibit 8.1: Corporate Audit Reporting Process Matrix

The matrix has one column per step of the reporting process (Draft Comments; Assign No. Report Distribution
Worksheet; Draft Reports; Draft to Auditee; Inclusion of Auditee Comments; Issue Final Report to Management;
and a seventh column covering the report to the Audit Committee, which is cut off at the right edge of the
source) and one row per attribute (Purpose, Timing, Prepared By, Reviewed By, Responsibility, Contents,
Documentation, Distribution). The recoverable cells are listed by column below.

Draft Comments
Purpose: Document audit findings, conclusions, comments, and recommendations for review, approval, and
resolution
Timing: As disclosed or periodically during audit
Prepared By: Staff or Senior
Reviewed By: Senior or Manager
Responsibility: Senior or Manager
Contents: Per tentative recommendations worksheet
Documentation: Audit workpapers
Distribution: Manager

Assign No. Report Distribution Worksheet
Purpose: Log/track report preparation and distribution
Timing: Regularly from completion of field work to issued report
Prepared By: Senior
Reviewed By: Manager
Responsibility: Senior
Contents: Per distribution worksheet
Documentation: Audit workpapers
Distribution: Manager

Draft Reports
Purpose: Formalize audit findings, comments, and recommendations for review, approval, and reporting
Timing: In office upon completion of field work
Prepared By: Senior
Reviewed By: Manager
Responsibility: Senior/Manager
Contents: Develop comments into summary and detailed reports (see AU/ED)
Documentation: Audit workpapers
Distribution: Manager

Draft to Auditee
Purpose: Obtain agreement on facts and circumstances, substance, and materiality of issues for audited entity
Timing: Within two weeks following exit conference
Prepared By: Senior
Reviewed By: Senior/Manager
Responsibility: Manager
Contents: Auditee comments and responses
Documentation: Audit workpapers
Distribution: Financial official at audited unit: manager of audited entity

Inclusion of Auditee Comments
Purpose: Incorporate auditee responses into draft reports
Timing: Within 30 days following receipt
Prepared By: Senior
Reviewed By: Manager
Responsibility: Manager
Contents: Revise detailed reports for auditee responses; comment in summary report on responses
Documentation: Audit workpapers
Distribution: Comptroller and Chief Accountant

Issue Final Report to Management
Purpose: [cut off in source]
Timing: Promptly upon reply and resolution of Director of Auditing consideration
Prepared By: Manager
Reviewed By: Director of Auditing
Responsibility: Manager
Contents: Audit report to: [cut off in source]
Documentation: Corporate Secretary; IA Manager, workpapers file
Distribution: (See IA Distribution Section AU/ED)

Report to Audit Committee [column cut off in source]
Purpose: Apprise Audit Committee of audit results
Timing, Prepared By, Reviewed By, Responsibility, Contents, Documentation, Distribution: [cut off in source]

a. Draft Reports
The audit report process begins with a review of the tentative audit recommendations worksheets prepared
during the audit performance process. Each individual page contains comments accumulated during the audit
process. These pages will have been preliminarily reviewed by the auditee during the audit process. The
manager will review all comments in conjunction with his review of the workpapers, ensuring that all
comments are adequately supported. Within approximately one week from the completion of the audit field
work—or the closing conference of the audit team—the audit manager or his designee will draft an audit
finding and recommendation for each of the tentative audit recommendation worksheets. These comments
will then form the basis of the detailed audit report draft.
The audit manager will begin the preparation of the summary audit report. Information regarding the scope
and highlight sections will be based on information contained within the planning, status, and summary
memos as well as the detailed finding and recommendation report. The Director of Auditing will review the
draft and provide input.

b. Draft to Auditee
Various practices regarding distribution of draft audit reports to auditees exist within the internal auditing
profession. The trade-off issues involve the interest in accuracy and fair presentation versus the issue of 
timeliness. Some audit departments believe that timeliness is not the most critical factor, and obtaining input
from auditees and incorporating it in the audit report provides for increased accuracy and a more level
"playing field." Still other audit departments believe that the function of the audit is to issue comments as
soon as possible, and they bypass or reduce the auditee review process. The auditee will then issue a response
and discussion of implementation plans.

The policy of Sam Pole Company is to review comments with the auditee as they are developed. Once the
audit draft has been developed, the draft is forwarded to the auditee for review. Auditees will have two weeks
to review the comments and prepare a paragraph detailing their actions or position on the comment.

Exhibit 8.2 provides an example of a transmittal of the report draft to audit entry, and Exhibit 8.3 is an
example of a transmittal of the report to senior financial officials.

Exhibit 8.2: Transmittal of Report Draft to Audit Entity Example

Date: [date]

To: Financial Official, Audited Entity


From: Audit Manager
Subject: Corporate Audit Report Draft
The enclosed draft of a report on the recently completed [ kind of audit ] at [audit location] is for limited
distribution to you and the Audit Director.

Please review the draft to confirm (or not) that the recommendations and comments agree with those
presented to and discussed with you at the closing audit conference. Also include your response in one or two
paragraphs for inclusion in the detailed audit report. Please reply to me or [ designate] by phone by [date], so
that we may proceed to issue the final report.

 /S/ Manager

Enclosures

cc: Audit Director

Exhibit 8.3: Transmittal of Report Draft to Senior Financial Officials Example


Date: [date]
To: J.K. Smith
From: L. Gordon
Subject: Corporate Audit Report Draft
The enclosed draft of a report on the recently completed [ kind of audit ] at [audit location] has been reviewed
with [ financial official] at [audited entity], who is in agreement with the content of the report and detailed
comments.
I would appreciate receiving your comments, if any, by [ date] on the issues discussed in the report so that we
may proceed to issue the final report at the next meeting of the Audit Committee.

 /S/ Audit Manager

Enclosures

cc: Audit Director

c. Inclusion of Auditee Comments


In the example here, the auditees' responses have been incorporated into the audit report. Upon receipt of the
auditee's comments, the Audit Manager will review their comments and integrate them into the draft audit
report. The revised draft, with the auditee comments clearly identified, will be provided to the Director of 
Auditing for review. The Director of Auditing, upon satisfaction with the foregoing steps, will approve the
final audit report for issuance. The Audit Manager will be advised of any final changes to the report and will
have the report dated, processed, and transmitted in final form for signature and reproduction.

i. Audit Report Responses

The objectives of monitoring audit report responses are:

• To provide a framework to monitor, obtain, and evaluate such responses from audited units
• To enable the Director of Auditing to report on the adequacy of responses to, as appropriate, senior
management and the Audit Committee

Each auditor will develop and implement procedures to attain the objectives outlined above and ensure that
the total audit process is completed for both this department and the public accountants.

In cases when audited units have not responded within the prescribed period of time, standard 30-day
(overdue reports) and 60-day (delinquent reports) letters are to be issued by the affected auditor and Director
of Auditing, respectively. (See Exhibits 8.4 and 8.5.)

Exhibit 8.4: Overdue Response to Audit Report—30-Day Letter Example

Date: [date]
To: Financial Official, Audited Entity
From: Audit Manager
Subject: Response to Audit Report
[The Corporate Audit Department ]/[ public accountants] issued its report, dated _____________ on the results
of its examination [covering internal accounting controls]/[of balance sheet accounts]/ of
[______________________] for the period ended _____________ [date].

This letter is to remind you that a written response to the audit report is due no later than 30 days following
the report transmittal date. Please advise when we can expect your response.

Audit Manager
cc: Audit Director

Public Accountants (if appropriate)

Exhibit 8.5: Delinquent Response to Audit Report—60-Day Letter Example


Date: [date]
To: Financial Official, Audited Entity
From: Audit Manager
Subject: Response to Audit Report
Sixty days have now passed since [ The Corporate Audit Department ]/[ public accountants ] issued its report,
dated ______________, on the results of its examination [covering internal accounting controls]/[of balance
sheet accounts]/ of [_____________________] for the period ended ______________ [date].

You will recall that ____________, our manager in _______________, reminded you one month earlier that
corporate policy requires a written response to the audit report no later than 30 days following the report
transmittal date.

In the event you have compelling reasons for not responding, please call me or _____________ immediately.
Otherwise, we expect your response within a week's time. My responsibilities to the Audit Committee and
senior management require regular reports on the adequacy and timeliness of responses to audit reports.

Audit Manager
cc: Audit Director

Public accountants (if appropriate)

In addition to monitoring and accounting for responses, each manager is responsible for evaluating them to
determine that satisfactory management action has or will be taken. Evaluation of responses is to be
documented in the workpapers or, when pertinent, advised in writing to the public accountants.
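The 30-day and 60-day escalation described above is a deadline-tracking procedure, so a small tracker makes the rules concrete. The following is an added example, not part of the manual or of Sam Pole Company's own procedures: it takes a list of issued reports with transmittal dates (the report identifiers and dates are constructed sample data), classifies each response as pending, overdue, delinquent or received on a given day, and lists which letter is due and who signs it, following the manual's statement that the 30-day letter comes from the Audit Manager and the 60-day letter from the Director of Auditing. The day thresholds and role names are taken from the text; the function and field names are this example's own.

```python
from datetime import date
from typing import Optional

# Thresholds from the manual: a written response is due within 30 days of the
# report transmittal date; the 30-day letter marks an overdue response and the
# 60-day letter marks a delinquent one.
RESPONSE_DUE_DAYS = 30
DELINQUENT_DAYS = 60


def response_status(transmitted: date, as_of: date,
                    responded: Optional[date] = None) -> str:
    """Classify one report's response status as of a given date."""
    if responded is not None and responded <= as_of:
        return "received"
    elapsed = (as_of - transmitted).days
    if elapsed < RESPONSE_DUE_DAYS:
        return "pending"
    if elapsed < DELINQUENT_DAYS:
        return "overdue"      # 30-day letter (Audit Manager)
    return "delinquent"       # 60-day letter (Director of Auditing)


def letters_due(reports, as_of: date):
    """Return (report id, letter, signer) for every report needing a letter.

    `reports` is a list of dicts with keys "id", "transmitted" and an optional
    "responded" date; this data shape is an assumption of the example.
    """
    due = []
    for report in reports:
        status = response_status(report["transmitted"], as_of,
                                 report.get("responded"))
        if status == "overdue":
            due.append((report["id"], "30-day", "Audit Manager"))
        elif status == "delinquent":
            due.append((report["id"], "60-day", "Director of Auditing"))
    return due


# Constructed sample tracking data (hypothetical report ids and dates).
SAMPLE_REPORTS = [
    {"id": "R-1", "transmitted": date(2003, 1, 10), "responded": date(2003, 2, 1)},
    {"id": "R-2", "transmitted": date(2003, 2, 20)},   # 18 days old: pending
    {"id": "R-3", "transmitted": date(2003, 1, 25)},   # 44 days old: overdue
    {"id": "R-4", "transmitted": date(2002, 12, 1)},   # 99 days old: delinquent
]

if __name__ == "__main__":
    for entry in letters_due(SAMPLE_REPORTS, date(2003, 3, 10)):
        print("%s: issue %s letter, signed by %s" % entry)
```

Evaluation of the response (whether the management action is satisfactory) is a separate judgement that the manual assigns to the manager; the tracker only answers which reports have passed which deadline, and a received response stops the escalation regardless of its content.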

Management recommendations issued by the public accountants require similar responses from appropriate
division or department management. A letter should be sent to the appropriate auditee which includes the
company policy on responding to comments by public accountants and includes the public accountants'
comments or is a transmittal for the comments. (See Exhibit 8.6.)

Exhibit 8.6: Transmittal of Policy on Reports of Public Accountants

Date: [date]
To: Division or Department Manager
From: Audit Director
Subject: Reports of Independent Public Accountants
 Purpose

This memorandum provides additional procedures implementing the policy covering the distribution of 
reports of independent accountants and, when required, management responses to them.
 Policy

The Sam Pole Company auditing policy states the following:

• Audit findings, recommendations and other matters deemed to be significant by the public
accountants are reported directly by them to the Audit Manager, Chief Financial Officer, and the
Audit Committee.

The policy further requires with respect to management responses:

• A prompt formal written response to the Audit Manager, covering internal control and management
recommendations made by both the public accountants and corporate auditors. Responses are due no
later than 30 days following the date of the auditor's report and in the format as shown on attached
Exhibit 8.7.

Insert comments here or note regarding attachment of comments from public accountants.

Subsequent audit procedures to test completed/proposed corrective action would be adequately documented
and outlined for either Corporate Audit or public accountants' performance. When responses do not deal
satisfactorily with audit recommendations, the auditor should advise the auditee and Audit Manager, in
writing, concerning additional audit requirements and resolution of the issues. Exhibit 8.7 is the standard form
on which the audited unit should reply. These should be sent to the unit along with the final report.

Exhibit 8.7: Audit Response Example

Company: ____________________
_______________________________________
____________________________________
_________________

Operating Unit: ___________________________________________________

Audited By: ___________________


_______________________________________
___________________________________
_______________

Submitted By: _________________


_____________________________________
___________________________________
_______________

NO. RECOMMENDATION IMPLEMENTATION RESPONSIBLE PERSON TARGET DATE

ii. Additional Procedures

The following amplifies the policies covering the distribution of public accountants' reports and related
responses to ensure that they are distributed properly:

• Reports of Independent (Public) Accountants


• Reports on internal control recommendations are issued to the individual with overall responsibility
for the location under audit (i.e., President, General Manager, Plant Manager) and the Chief Financial
Officer. Copies are distributed to the Vice President and Comptroller, the Secretary (for the official
company record), and the Audit Manager.
• Management Responses
• Audited entities respond in writing to internal control recommendations in accordance with the
aforementioned policy. The response is addressed to the Director of Auditing, with copies to the Vice
President and Comptroller, other key financial officials and the public accountants.

The additional procedures outlined above enable implementation of effective and consistent practices to
monitor and report on the results of audits by public accountants in the United States and other countries.

d. Issue Final Report to Management


After approval by the Director of Auditing, the final report will be distributed in accordance with the
distribution policy discussed in the following sections of the manual. It should be noted that there will be
different levels of distribution for the summary and detailed reports. However, anyone receiving the summary
report can request a copy of the detailed report.

i. Audit Report Format

The audit report and the detailed recommendations and comments section have a standard format that will be
adequate for writing most reports. There may be times when it will be appropriate to deviate from the standard
format. These instances must be discussed with the manager before proceeding. Exhibit 8.8 is an example of 
an audit report.

Exhibit 8.8: Corporate Audit Report Example

Company Location:
Audit Date: Audit Manager:
Date Completed: Audit Office:
Auditors:
Date of Report:
The Audit Committee

Sam Pole Company

This report summarizes the results of our audit of the company's accounting records and selected internal
control procedures. Detailed recommendations and comments, after review with local management, were
provided to the local accounting personnel for written responses to this office, and to other key officials, and
to the public accountants for their information.

Sam Pole Company Profile

The manufacturing plant produces approximately NNN square yards of carpet tile per month. Comparative
operating data are as follows:

2002 2003
Sales $xxx,xxx $xxx,xxx
Cost of Sales xxx,xxx xxx,xxx
Inventory xxx,xxx xxx,xxx
Sales Backlog x,xxx x,xxx
Number of Employees xxx xxx
Scope of Audit

Our examination included a review and evaluation of accounting systems, internal control procedures, and
tests of account balances.

Conclusion

In our opinion, internal controls are adequate, and account balances, as adjusted, are fairly stated in all
material respects. Quantities of inventory on hand December 31, 200x, are fairly stated. Weaknesses outlined
in the detailed recommendations and comments provided to local management did not have a material effect
on the account balances at December 31, 200x.

Summary

The significant matters discussed in the detailed report include the following:

• A Disaster Recovery Plan should be developed for the data processing operation.
• Procedures to ensure that computer program changes are properly authorized should be developed.
• Documentation for significant computer applications is weak and should be improved.

Manager

Internal Audit Department

Distribution:

Headquarters

President

Chief Financial Officer

Local President

Local Accountant

ii. Standard Format

I. Audit Report—Summary
Heading
Salutations
Lead Paragraph
Profile
Scope
Conclusion
Summary
Manager's Signature
Distribution

II. In-Depth Recommendations and Comments—Detail
Cover Page (Optional)
Heading
Lead Paragraph
Categories
Recommendations
Comments
Discussion Items
Manager's Signature
Exhibits (Optional)

I. Audit Report—Summary
 Heading. The heading is preprinted on the Corporate Audit Report preprinted form. Company/location, Audit
Date, Audit Office, and Audit Manager are all self-explanatory.

 Date Audit Completed. The date of the closing conference or last day of fieldwork, whichever is later.

 Auditors. All auditors who participated in the audit. Use the first two initials in all names.

 Date of Report. The date the report is issued for distribution.

Salutation. This item will generally be addressed as follows:

The Audit Committee

Sam Pole Company

 Lead Paragraph. The lead or introduction paragraph indicates to the Audit Committee that this report is a
summary of the results of our audit or review. It refers to the detail section, noting that recommendations and
comments have been discussed with local management and require a response. It also states that the detail has
been distributed to key officials and the public accountants.

It should not be necessary to restate the auditee's name or dates, because this information is included in the
heading.

Profile. "Profile" is generally preceded by "plant, company, or department," which refers to the auditee. The
profile section is intended to be informative to the reader. In some instances, the reader has not had the
opportunity to visit the auditee's facility. The profile section should be designed to be a "stage setter" for the
reader. It should help the reader visualize the entity, number of employees, production, or implications of
adjustments attributable to company size. The profile, as the situation warrants, may be excluded or contain a
narrative description or financial schedules.

The profile should not dominate the report. Instead, it should be limited in size to approximately one
informative paragraph. Comparative financial information, if included, should not leave the reader with
unanswered questions. Significant variations should be explained.

Keep in mind that the profile should not distract from the purposes of the report, which are the summary,
scope, and conclusion sections.

Scope. The scope section has two principal functions. One is to identify exactly what was done during the
audit and the second is to delineate in writing that which was not done.

The scope should clearly state the work that was limited to or restricted to the payroll system, as an example.
If internal controls were reviewed on certain systems, but not others, it must be clearly indicated. A general
statement such as, "we reviewed the plant's systems of internal controls," is not specific to the reader and
leaves the audit open for question later. To state "certain" systems were reviewed is better, but not as good as
indicating that specific systems such as payroll, accounts payable, and accounts receivable were not reviewed.
Clearly stating what was done in the audit leaves no doubt as to what was not done. In certain situations, it
may be necessary to clearly qualify the scope section by saying, "we did not review, test, etc."

Conclusion. The conclusions can only be written on the basis of the work performed in the scope section and
subject to the major exceptions contained in the summary section. No new or additional information can be
interjected into the conclusion that has not been specifically stated in these two areas (scope and summary).

The auditors should conclude or state their opinion on the fairness of the account balances, financial
statements, the adequacy of internal controls, or the reliability of systems.

Summary. The summary component summarizes the detailed recommendations and comments section of the
report. The detailed recommendations and comments section does not accompany the audit report issued to
the Audit Committee. Therefore, the summary never contains information not published in the detailed
recommendations and comments section.

Of the five attributes that are used as a basis for writing a recommendation, only a statement of condition and
a statement of action are used to write the points of the summary.

The summary only includes major or material exceptions resulting from the audit. Considerable thought
should be given, first, to what is included in the summary and, second, to how it is written. Problems may arise if
the auditor overreacts or improperly states the situation. Therefore, the summary may indicate that an audit
disclosed no material weaknesses. Other recommendations and comments that are not considered "material"
should be addressed in the summary by referring to them in total as one item covered by a few sentences.

Statements of action for summary items may either be included with each summary item individually or
presented in a paragraph following the last summary item.

Discussion items may be included in the summary if material. Because discussion items are written with the
same attributes as recommendations, the statement of condition and statement of action will be included.
Discussion items are generally only used when auditees object to recommendations on the grounds that they
have no control over the subject. If auditors feel strongly that the item should be included in the report, the
discussion item approach is a way around the situation. Discussion items do not require a response from the
auditee, but still communicate the problem to management and the Audit Committee.

Examples of summary items are as follows:

• Accrued payroll was understated $1 million at December 31. It was recommended that management
investigate and adjust the account. This account was adjusted January 7, 200x.
• Contract terms covering sales of real estate should be reviewed by counsel and entries properly
recorded in accordance with Generally Accepted Accounting Principles (GAAP).
• Fifty thousand dollars were lost due to weak internal controls in the data processing area. We
recommend system changes to help prevent future occurrences.

Manager's Signature. The Audit Manager is responsible for the review and signing of the audit report issued
to the Audit Committee of the Board of Directors. He may assign this responsibility to others under certain
circumstances.

Distribution. The distribution is a multi-step process. After the report is written in draft form, a copy is sent to
the Director of Auditing and the auditee simultaneously. A specifically designed cover letter is used to convey the
drafts to the auditee. This cover letter indicates the draft has been sent to the auditee first for comments and
that time is of the essence.

The second step toward distribution, after review and corrections are accomplished, is to send the draft to the
Corporate Controller and Director of Auditing, or the next level of authority over the auditee.

After the drafts clear the second step and adjustments or corrections are made, it may be necessary to send a
copy to the auditee and Director of Auditing a second time. Barring this, the report is ready for
distribution. Standard distributions for the report consist of:

Sam Pole Company
    Audit Committee
    Chief Operating Officer

Company Level
    Director of Auditing
    Chief Financial Officer

Division/Branch/Department (as applicable)
    Branch Manager/Division President
    Comptroller
    Chief Accountant, etc.

Public Accounting Firm
    Partner
    Manager

II. In-Depth Recommendations and Comments—Detail

This section is issued with the audit report, but is not distributed to everyone on the distribution list. See
distribution of the audit report in a prior section. Because this section may become separated from the audit
report, it must be written to stand alone as an independent document. Exhibit 8.9, "Corporate Audit Detail
Recommendations and Comments," presents an example of this report.

Exhibit 8.9: Corporate Audit Detail Recommendations and Comments Example

SAM POLE COMPANY

Corporate Audit

Recommendations & Comments

December 31, 200x

These detailed recommendations and comments supplement our report to the Audit Committee, in which we
concluded that account balances as adjusted were fairly stated in all material respects and controls were
adequate at December 31, 200x. These detailed recommendations and comments were reviewed with
appropriate levels of management and, in accordance with corporate policy, are subject to their written
response.

Disaster Recovery

In the event of emergency or disaster in which the AS/400 system is not available for long-term use, there are
no contingent plans in effect for the continuance of processing on the AS/400. This weakness could result in a
delay of processing transactions and have an adverse effect on business operations.

Recommendations/Comments

• We recommend that management initiate efforts to develop a Disaster Recovery Plan. In the event
that the AS/400 System is disabled, contingency plans would then be in place to allow continued
processing at an off-site facility. A Disaster Recovery Plan should meet the following criteria:

♦ To identify a location for further processing. This site could be a cold site in which a third
party has another AS/400, which the company would have access to, or an arrangement with
IBM that would permit them to be provided with another AS/400 on short notice.
♦ A list of contacts and responsibilities in the event of emergency.
♦ A list of programs and data files needed for recovery, including a ranking of critical
applications and adequate method of creating, testing, and storing data backups.
♦ Detailed instructions on execution of a Disaster Recovery Plan.

Program Change Control

Program change control is not formally addressed. Requests for changes to programs should be authorized by
user departments. To be properly controlled, a formal authorization form should be developed, indicating the
reason for the change, user approval to initiate the project, and final sign-off. Only properly authorized,
changed programs should be placed into production libraries.

Recommendation

• All program change requests should be properly authorized in writing by the manager or supervisor of
the user departments. When the program change has been made, the manager or supervisor of the user
department should sign the program change form, signifying that the program has been changed
according to the original instructions. The program change form should then be filed in numerical
sequence. A copy of the program change form should also be filed with the system's documentation
such that a record of each change made to the system is kept in chronological sequence.

Documentation

Good documentation of computerized applications is necessary to document the methods and formulas
utilized in the computer operation, to provide a tool to train new personnel, to provide operators with
instructions, and to assist programmers with systems development and program modification work.

We believe documentation is an important area and should be implemented. This process may require
management support for the development of a plan to document systems by certain key target dates. We
suggest that documentation along the following lines be considered:

• Systems documentation includes:

♦ System description
♦ System flowcharts, showing the flow of data through the system and the relationship between
processing and computer steps
♦ Input descriptions
♦ Output descriptions
♦ File descriptions
♦ Copies of authorizations and their effective dates for system changes that have been
implemented.

• Program documentation consists of:

♦ Brief narrative description
♦ Flowcharts
♦ Source statements or parameter listings
♦ Control features
♦ File formats and record layouts
♦ Record of program changes
♦ Input/output formats
♦ Operating instructions.

• Operation documentation includes:

♦ Descriptions of functions
♦ Inputs and outputs
♦ Sequence of cards, tapes, disks, and files
♦ Setup instructions and operating system requirements
♦ Operating notes listing program messages, halts, and action to signal the end of jobs
♦ Control procedures to be performed by operations
♦ Recovery and restart procedures
♦ Estimated normal and maximum run-time
♦ Instructions to the operator in the event of an emergency

• User documentation consists of:

♦ Description of the system
♦ Error correction procedures
♦ List of control procedures and an indication of who is responsible for performing those
procedures
♦ Cutoff procedures for submission of data to the data processing department
♦ Description of how the user department should check reports for accuracy
♦ Application analyst support (i.e., name of contact)
♦ Impact on operations (i.e., resources consumed, response time, turn-around time, elapsed
time, manual labor time, user training/impact)
♦ Testing plan (i.e., individuals responsible and titles, testing schedule, test results)
♦ Authorization (i.e., data center approval, programmer and project manager, quality assurance,
and user approval)
♦ A log to permit the tracing of transmittals through the change control cycle.

• Establishment of formal testing procedures to include:

♦ Identification of the person responsible
♦ When the test will take place/begin
♦ When the test will be completed
♦ Details of the test
♦ Actual results of the test
♦ Approval of test results by the data center, programmer, and user.

Manager

—Internal Audit Department
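The program change control recommendation in Exhibit 8.9 describes a control an auditor can test mechanically:
each program placed into a production library must trace to a numbered change form authorized in writing by the
user department before the change and signed off by that department after it, with the forms filed in unbroken
numerical sequence. The following Python script is an added example, not part of this manual or Sam Pole
Company's procedures; it reconciles a constructed production change log against constructed change forms (the
form layout, program names, people, and dates are all hypothetical) and lists the exceptions an auditor would
write up.

```python
"""Audit test for program change control (added example; constructed data, not the manual's).

Every program moved into production must cite a numbered change form that user-department
management authorized before the move and signed off after it; form numbers must be continuous.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class ChangeForm:
    """One numbered program change request form (hypothetical layout)."""
    number: int
    program: str
    reason: str
    authorized_by: Optional[str] = None   # user-department manager/supervisor approving initiation
    authorized_on: Optional[date] = None
    signed_off_by: Optional[str] = None   # user-department sign-off that the change matches the request
    signed_off_on: Optional[date] = None


@dataclass(frozen=True)
class ProductionMove:
    """One entry from the production library change log (hypothetical layout)."""
    program: str
    moved_on: date
    form_number: Optional[int]            # form cited when the program was moved; None if none cited


@dataclass(frozen=True)
class AuditException:
    kind: str        # category used to group the item in the recommendations and comments
    reference: str   # program and date, or form number, the item relates to
    detail: str


def sequence_gaps(forms: list[ChangeForm]) -> list[int]:
    """Form numbers missing from the numerical file; a missing form may conceal a change."""
    numbers = {f.number for f in forms}
    if not numbers:
        return []
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in numbers]


def review_change_control(forms: list[ChangeForm], log: list[ProductionMove]) -> list[AuditException]:
    """Trace each production move back to an authorized, signed-off change form."""
    on_file = {f.number: f for f in forms}
    found: list[AuditException] = []
    for move in log:
        ref = f"{move.program} ({move.moved_on.isoformat()})"
        if move.form_number is None:
            found.append(AuditException("unauthorized change", ref, "no change form cited"))
            continue
        form = on_file.get(move.form_number)
        if form is None:
            found.append(AuditException("form not on file", ref, f"cites form {move.form_number}"))
            continue
        if form.program != move.program:
            found.append(AuditException("program mismatch", ref, f"form {form.number} is for {form.program}"))
        # Authorization must exist and precede the move into production.
        if form.authorized_by is None or form.authorized_on is None:
            found.append(AuditException("no user authorization", ref, f"form {form.number} lacks manager approval"))
        elif form.authorized_on > move.moved_on:
            found.append(AuditException("authorized after the fact", ref, f"form {form.number} approved {form.authorized_on}"))
        # Sign-off must exist and follow the move, since it attests to the change as actually made.
        if form.signed_off_by is None or form.signed_off_on is None:
            found.append(AuditException("no user sign-off", ref, f"form {form.number} not signed off after change"))
        elif form.signed_off_on < move.moved_on:
            found.append(AuditException("sign-off predates change", ref, f"form {form.number} signed off {form.signed_off_on}"))
    for n in sequence_gaps(forms):
        found.append(AuditException("sequence gap", f"form {n}", "number missing from the numerical file"))
    return found


# Constructed sample data; names, programs, and dates are hypothetical.
FORMS = [
    ChangeForm(101, "PAY010", "new withholding table", "R. Lee (Payroll Mgr)", date(2002, 3, 4),
               "R. Lee (Payroll Mgr)", date(2002, 3, 12)),
    ChangeForm(102, "AP200", "longer vendor codes", "M. Cruz (AP Supervisor)", date(2002, 3, 6)),
    ChangeForm(103, "GL050", "month-end close fix", signed_off_by="T. Ng (GL Mgr)",
               signed_off_on=date(2002, 3, 15)),
    ChangeForm(105, "INV300", "reorder point report", "S. Park (Inventory Mgr)", date(2002, 3, 20),
               "S. Park (Inventory Mgr)", date(2002, 3, 18)),
]
PRODUCTION_LOG = [
    ProductionMove("PAY010", date(2002, 3, 11), 101),   # clean: authorized before, signed off after
    ProductionMove("AP200", date(2002, 3, 9), 102),     # never signed off after the change
    ProductionMove("GL050", date(2002, 3, 14), 103),    # never authorized by user management
    ProductionMove("INV300", date(2002, 3, 19), 105),   # approved after the move; sign-off predates it
    ProductionMove("AR400", date(2002, 3, 22), None),   # no form cited at all
    ProductionMove("PAY010", date(2002, 3, 25), 108),   # cites a form that is not on file
]

if __name__ == "__main__":
    for item in review_change_control(FORMS, PRODUCTION_LOG):
        print(f"{item.kind:26} {item.reference:22} {item.detail}")
```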

Cover Page. An optional cover page may be developed to separate the audit report from the detailed
recommendations and comments section. If you elect to insert this page, it could contain "Detailed
Recommendations and Comments" as a title and be centered on the page.

Heading. The heading consists of the auditee name, the name of the section, "Corporate Audit Detailed
Recommendations and Comments," and the "as of" date of the audit.

Lead Paragraph. The purpose of the lead or introduction paragraph is to convey to the reader three points.

First, this document supplements the summary audit report to the Audit Committee. Second, there is a
summarized restatement of the conclusion. Finally, a written response is required. For example:

• These detailed recommendations and comments supplement our summary audit report to the Audit
Committee of the Board of Directors in which we concluded that internal controls for the payroll and
account balances were fairly stated in all material respects as of April 30, 200x. These detailed
recommendations and comments were reviewed with appropriate levels of branch management and
are subject to their written response in accordance with corporate policy.

Categories. For purposes of organization, subtitles are used to group recommendations and comments relating
to the same subject; that is, all recommendations and comments relating to accounts payable should be
numbered under the subtitle "accounts payable." The subtitles are typed on the left margin in bold type and
underlined. To emphasize the subtitle, double spacing is used before and after the subtitle. The numbering
sequence starts with the first recommendation and is continuous to the last recommendation under that
subtitle. Numbers start over for each subtitle.

Recommendations. Use "recommendations" rather than "findings" to describe the audit exceptions because it
has a more positive connotation. Recommendations are one of the five attributes that make up a finding, as
published by the Institute of Internal Auditors. In lieu of saying, "These are our findings," implying something
wrong was found, present a more positive image by saying, "These are our recommendations for
improvement." Do not report that something was wrong, merely that the auditee can improve existing conditions.
A more positive approach implies professionalism by suggesting improvements as opposed to dwelling on or
publishing problems and failings.

Comments. Comments differ from recommendations in that the five attributes—condition, criteria, effect,
cause, and recommendation—are not present. Comments are more of a remark or brief statement of fact or
opinion. To lessen the confusion, the attribute recommendation has also been renamed statement of action.
Care should be taken, since generally anything material enough for the report should be adequately supported.

Discussion Items. Discussion items are developed and written as recommendations, but differ in that the
auditee is not required to respond to these items. Discussion items are used in instances where auditees object
to an item being included in the report because they are not directly responsible for the situation, yet the auditors
feel strongly that the situation needs exposure in a written report. A compromise is the discussion item
approach, which should be used only as a last resort.

Manager's Signature. The manager is responsible for signing the recommendation and comments section.

Exhibits. The exhibit section is optional, but should be considered if additional information will help make the
audit recommendations and comments clear to the auditee or management. Exhibits may take the form of
photographs, flowcharts, financial schedules, adjustment schedules, or other sundry schedules of supporting
information. Like pictures, exhibits are worth a thousand words. Supporting exhibits not only add clarity, but
if properly done, add a degree of professionalism to the auditor's work.

e. Open Audit Results and Comments

A task listing will be prepared containing all open audit issues and comments, with the date of implementation. This
list will be used to monitor the implementation of audit comments. Periodically, management will be queried
on the status of open issues. Follow-up compliance audits will take place one year after the date of the audit,
and these task lists will be updated and, in most instances, closed out.

SAM POLE COMPANY  Corporate Audit Department Procedures Manual
NO: 8.2    REV NO:    DATE:
TITLE: Report to Management    PAGES:

8.2 Report to Management

The report to management should summarize the activities of the department in the interim since the last
report to management. These activities should include audits performed and planned or changes made to
plans. All department administrative activities including quality assurance, personal development programs,
and participation in other company-sponsored programs should be considered. The report should be prepared
on a detailed basis prior to the next scheduled Audit Committee meeting. This process will enable auditors to
inform management of some of the items that will be included in the administrative section of the report to the
Audit Committee. It will also enable auditors to integrate the text of this material into the Audit Committee
report to save work when that report is being developed.

Communication with management is a very important element of an internal audit function. It is more
important than in some other operations because the management issues and output of the audit function are
more qualitative than quantitative. In a manufacturing or distribution operation, one can measure the output in
units and analyze it in many ways. Audit functions have a lot of control over the quantity and quality of the
work they perform. However, it is difficult for management to understand the issues involved in running a
successful audit function and producing quality audit reports. Audit management has a number of
opportunities to express their issues and report on activities. The formal process involves issuing audit reports
(see "Corporate Audit Report Process") and issuing reports to the Audit Committee (see "Report to Audit
Committee"). In this section, we deal with the opportunity to report on a somewhat more detailed basis to
management.

As noted earlier in this section, if possible, the Report to Management should be prepared prior to Audit
Committee meetings. This sequence will enable the material developed for this report to be reworked for
inclusion in the report to the Audit Committee. There are no formal guidelines for what should be included in
the Report to Management. Therefore, wide latitude should be used to help explain issues and promote
progress achieved within the audit operation. Exhibit 8.10 is an example of a Report to Management. The
format is simple and self-explanatory. However, great care should be taken to include all relevant activities on
a prospective basis, as well as activities that have already taken place. In order to demonstrate the tone and
range that a Report to Management can take, a number of sample report elements have been included in the
example. In addition, the report could be patterned after other similar reports required within the organization.
Some of the sections that should be considered include: Corporate Audit Department personnel issues;
activities related to the external accounting firm; education; internal audit reports issued, pending and in
process; and budget status.

Exhibit 8.10: Report to Management Example

SAM POLE COMPANY

INTEROFFICE CORRESPONDENCE

TO: Senior Management                     OFFICE: New York
FROM: Chief Auditor                       OFFICE: New York
SUBJECT: Internal Audit Status Report     DATE: September 10, 200x

This report summarizes the department and my activities since the status report dated July 15, 200x.

BUDGET FOR 200x


The Budget for 200x has been drafted and will be presented to you and the Audit Committee on schedule. Due
to the addition of a Director and an operational audit unit, the total budget will grow beyond normal inflation.

INTERNAL AUDITS

Audit Reports

• We continue to strive for timely report issuance. At this date, we have the following audit report
status:

♦ Issued Since July Status Report
◊ XYZ Subsidiary
◊ Tulane Contract Audit
◊ Purchasing Department Audit
♦ Pending Issuance
◊ Transportation Department
◊ ABC Subsidiary

Physical Inventories

• In cases where reports are to be issued upon completion of location audits, inventory audit findings
will also be included. In other cases, only exception reports will be issued regarding observations and
review of compilations. We observed these physical inventories since the July status report:

♦ XYZ Subsidiary
♦ ABC Subsidiary
♦ Main Supplies Inventory

ORGANIZATION/PERSONNEL

The department is currently comprised of 37 professionals and two secretaries at September 1, which reflects
the termination of John Doe and the resignation of Jane Smith in the East and the hiring of Pay Plum
(CPA-CISA) as a semi-senior in the West. We continue to attempt further East staff reduction by transfer to
other departments. To date, the West manager is pleased with the performance of his staff. He is now
recruiting another semi-senior.

                 Total   East   West   International
Professionals      35     15     14          6
Secretaries         2      1      1          0
Total              37     16     15          6

Annual performance reviews were discussed with each eligible East staff member in conjunction with salary
increases granted effective September 1. The staff generally responded receptively to constructive criticism
designed to insist on or encourage, at minimum, competent professional performance. With certain
exceptions, staff members considered salary increases equitable.

EDUCATION/TRAINING

Advance Systems, Inc.

• Jim will lead a one-day, in-house, videotape-supported orientation program on IS audit concepts for
the East staff (scheduled for August 25 at the East office). The West staff participated in a similar
program on August 15. These in-house seminars are designed to provide basic background and set the
tone for maximum benefit from the MPC Institute course.

MPC Institute

• The MPC Institute will conduct, at their New York offices, a week-long seminar beginning on
September 14, for the entire professional staff, concentrating on auditing in a contemporary computer
environment. We have also invited Sam Pole personnel from other departments/locations to join us
for some of the more technical sessions dealing with controls, to convey to them the significance of
controls and also to improve their understanding of the auditor's purpose and responsibilities in a
computer environment.

Other

• In a less formal, yet structured manner, individual staff members are involved with IIA self-study
courses dealing with internal audit theory and practice, and statistical sampling. This work is
monitored by our Personnel Development Coordinator.
• In order to enable staff members to prepare for the CPA examination and still fulfill audit schedule
responsibilities, we have arranged with XYZ to use their self-study guides, at no cost to Sam Pole.

MANAGEMENT DEVELOPMENT PROGRAM PARTICIPANTS—OFF-STAFF ASSIGNMENTS

Bill Clark, between audit assignments, will assist the CFO during October in assembling, reviewing, and
analyzing operating companies' 200x budget proposals. We have also offered to assist the Director of 
Financial Analysis on 200x budget matters, by making Peter Daily (East) or Rod Stewart (West) available for
six weeks to two months. These opportunities have a two-fold purpose: (1) to broaden participants' exposure
and experience in Sam Pole, and (2) to add another dimension in the evaluation process from sources outside
internal audit.

We do foresee a potential problem associated with these off-staff assignments. The demand for Management
Development Program participants to work outside the department is likely to conflict with our peak workload
period—the Fall—when we experience our heaviest external audit coordination commitment. We are
developing our audit plans and schedules to attempt effective attainment of both goals.

SPECIAL STAFF ASSIGNMENTS

New Jersey Mill

• John Jones continues to assist in the development of a plant cost accounting manual. We have
received favorable feedback regarding his contribution. Out-of-pocket expense and pro-rata salary is
billed to the plant, relieving department expenses.

Atlanta Foundry

• At the ADC Division's request, Jane Paul and Marc John were given a two-week assignment to
develop overview flow charts of the plant cost accounting system. With a portion of the work completed,
the assignment has been suspended pending agreement on the scope of the work.
Out-of-pocket expenses were billed to ABC.

POLICY STATEMENTS

Compliance Program

• Results of circularization for employee acknowledgment of compliance with our code of conduct are
virtually complete. Responses received at this office disclosed no conflict or other situations that
warrant reporting. We plan to issue a brief formal report on the results of our review.

Policy Statement Booklet

• The supply of booklets in New York is exhausted. We have submitted suggested changes to the text
of the booklet to the General Counsel. We also offered to assist them toward publication of the next
revision.

OTHER MATTERS

Security

• As noted in my prior status reports and memos, we have been working with the Finance Director to
assess ways to improve the corporation's focus on security. We are considering the need for
centralizing the responsibility for all aspects of security within the company. Our recommendation
was for a high-level survey of our current practices and security plans. To further our groundwork, we
have set up a meeting with the General Counsel to apprise him of our activities to date and get his
input.

Professional Activities

• As president of the New York Chapter, ISACA, John Jones presides over monthly board meetings
and plans education events for members.
• On July 24, the Chief Auditor addressed our external audit firm's seminar for internal auditors on
internal audit department practices.
• Marc John serves on the IIA Board of Governors and as Chairman of the Editorial Committee.
• Jane Paul serves on the IIA International Research Committee.

Regards,

The Report to Management should be addressed to the management reporting line of the Chief Auditor. This
report is generally not copied to the Audit Committee, but should be copied to the President or CEO, if 
appropriate.

SAM POLE COMPANY  Corporate Audit Department Procedures Manual
NO: 8.3    REV NO:    DATE:
TITLE: Report to Audit Committee    PAGES:

8.3 Report to Audit Committee


In addition to the distribution of reports as audits are completed, periodically a summary report will be made
to the Audit Committee. This report will include a report on internal controls and summary of items of
significance, the summary of the Corporate Audit Department reports, and Audit Department status reports.
This report provides the opportunity to explain the accomplishments of the department and should be viewed
as a critical Audit Department product. Exhibit 8.11 presents a sample of a report to the Audit Committee.
Also review Section 9.5, "Marketing the Audit Function."

Exhibit 8.11: Report to Audit Committee Example

SAM POLE COMPANY


101 Mapole Street East
Flagstaff, AZ 12345

February 28, 200x

Gentlemen:

I am pleased to present this report to the Audit Committee, comprising:

1. Report on internal controls and summary of items of significance
2. Summary of Corporate Audit Department reports
3. Corporate Audit Department status report

Audits in process and concluded since our report dated December xx, 200x, have not disclosed any
developments that require action by the Committee.


I look forward to meeting with you to review the contents of this report and any other matters you may wish
to discuss.

Very truly yours,

S. Jones

Internal Audit Director

SAM POLE COMPANY

Report to the Audit Committee

February 28, 200x

SECTION I

Report on Internal Controls

Sam Pole Company maintains systems of internal accounting controls and procedures designed to provide
reasonable assurance that all transactions are properly recorded in the books and records, that prescribed
policies and procedures are adhered to, and that the corporation's assets are protected from unauthorized use.

Based on continuing reviews of internal controls at company locations, nothing has come to our attention
since our prior report that would indicate that the existing systems of internal controls are not effective.
However, as commented on in our December report, the company must be continually alert, so that the
changing conditions in Sam Pole Company's operations—primarily reductions in the number of salaried
employees—are not accompanied by a weakening of existing internal controls, more specifically, the
segregation of duties. We plan to continually focus on such areas of potential weaknesses and report situations
where we believe action is required.

Summary of Items of Significance

Although we have made recommendations to management to improve internal controls, nothing of a
significant nature was disclosed that would require action by the Audit Committee. We have received full
cooperation from all levels of management and have been permitted access to all requested company records
and documents.

SECTION II

Summary of Corporate Audit Department Reports

The following audit reports, issued since the December 5, 200x, Audit Committee meeting, are enclosed for
your review:

• Corporate Data Center
• Sam Pole Antenna Company
• Payroll System
• Products Company
• Sales Company—Trading and Logistics


Recommendations relate to internal controls that can be improved; however, no material exceptions were
noted. In the event of significant findings, we would promptly advise the Committee and issue a preliminary
report.

Our comments and recommendations have involved matters significant to the organizational units audited.
Based on our evaluation of auditee responses, we believe that our recommendations have been or are being
given considerable management attention and action.

SECTION III

Audits and Related Activities

Audit Activities

Audits pertinent to annual corporate financial statement reporting centered primarily on completing interim
and year-end audits under the rotation plan with our external auditors. We also continued our reviews of 
automated systems, including customer accounts receivable, salaried payroll, and accounts payable.

Supplies Inventories

At the December meeting of the Audit Committee, we reported on our management-requested special review
of supplies inventories. Since our last report. . .

Steering Committee

The Director of Auditing, while not a member, attends by invitation the Information Resource Steering
Committee meetings. Briefly, this involvement provides input to the Committee and knowledge of company
plans to the Director. As a result of attending these meetings, we are planning special audit training in the
following areas . . .

Disposition Audits

As previously reported, we have been significantly involved in disposition audits of the various units. Most
recently, we assisted in the development of data that allowed for timely ...

Administrative and Other Matters

Professional Staff

The current field staff, meeting our authorized complement, totals 20: six in New York and fourteen in
Denver (as compared to 19 in 200x). Our current three-year plan indicates a need for approximately 21
auditors. We will adjust this plan and reevaluate staffing requirements after developing the rotation program,
based upon the company's new operating structure, with the public accountants.

High turnover has continued in Denver, due to the company's situation and increased salaries available in an
area with a high employment rate. Future recruiting, unless otherwise required, will be at the entry level.
We are pleased to report that we have promoted Mr. Sharp to manager in New York and Jane Pink to
supervising senior in Detroit. Two individuals transferred from the audit staff—one to the Controller's staff
and the other to MIS.

Quality Assurance Program


A responsibility of the Director, as described in the department's charter, is that audit work conform to the
Standards for the Professional Practice of Internal Auditing. The Standards call for an independent external
review at least once every three years, to appraise the quality of the department's operations. Accordingly, we
have tentatively agreed to reciprocal department reviews with IPL Corporation in 200x and 200x. Preliminary
discussions will be held in late February, with a review of our department planned for June 200x.

We have been planning this independent review of our total department performance for several years.
Initially, we had each audit group perform a high-level quality assurance review. In 200x, we had a more
in-depth review in New York and Detroit with a good appraisal (on a test basis) of the adequacy of each
other's performance. We are now looking forward to this independent peer review to see how we can improve
our operations.

Professional Certification

We have developed a professional certification policy for the internal audit department. We are strongly
encouraging certification (CPA, CIA, CISA, CMA, etc.) within the first five years or before promotion to
senior. We are providing partial company assistance to provide further incentive and yet ensure the
individual's own sincere interest. A copy of the policy for your review is enclosed in Appendix XX. (Not
shown here—see "Policies" section of the manual).

Part IV: Long-Term Effectiveness

Chapter List
Chapter 9: Managing the Effectiveness of the Audit Department

Chapter 9: Managing the Effectiveness of the Audit Department
Overview

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 9.1 REV NO: DATE:
TITLE: Introduction PAGES:

9.1 Introduction
The internal audit (IA) function should be more than the set of activities prescribed by management and
professional organizations. By choice, the IA department can be a "world-class" entity—achieving excellence
and maintaining it. But that will only happen with a great deal of commitment and effort. A number of
methods, techniques, programs, and tools are available to assist IA in attaining the highest level of excellence
possible. In order to achieve the status of a world-class entity, and to be as effective as possible, IA will need
to address issues such as corporate governance, quality assurance, continuous improvement systems, and
marketing the IA function.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 9.2 REV NO: DATE:
TITLE: Corporate Governance PAGES:

9.2 Corporate Governance [1]

Recent financial failures such as Enron, WorldCom, and Adelphia remind managers, board members,
auditors, and other stakeholders of the risks that exist even for those businesses that seem to be immune to
fraud. These events also show the need for effective corporate governance. Enron proved that a large company
with billions of dollars in assets can go bankrupt under the noses of well-intended board members, and
despite the presence of an internal audit function. (Note: At one time, Enron outsourced its IA to its external
auditor, Arthur Andersen.) Earlier in 2001, Enron had a $10 billion book value and a $60 billion market
value. Its latest audited financial reports showed $1 billion in profits. Enron had an audit committee made
up of distinguished members with financial accounting pedigrees. Yet this large firm went bankrupt after
booking a $600 million entry to revise its earnings in late 2001, followed by a loss of confidence in credit
markets.

In 2002, the U.S. Congress passed the Sarbanes-Oxley Act as a result of these and other financial failures. In
general, the law supports efforts to make corporate governance more effective. For example, at least one
member of the audit committee is required to be an expert in financial accounting, members are required to be
independent, and the committee is required to perform certain interactive activities and processes associated
with audits, such as being responsible for hiring external auditors and maintaining regular communications
with the IA function. (See also Sections 1.6(e) and 3.4(e) for more on the Sarbanes-Oxley Act.)

Effective corporate governance is a synergy between internal auditors, the board of directors, senior
management, and external auditors. The importance of corporate governance is illustrated by a McKinsey
report that stated that investors are willing to pay a premium on shares of companies that had a corporate
governance framework in place: 12 to 14% in North America and Western Europe, 20 to 25% in Asia and
Latin America, and 30% in Eastern Europe and Africa. [2] The IIA believes that good corporate governance
principles could prevent some of the frauds that have been investigated by the Securities and Exchange
Commission (SEC).

The National Association of Corporate Directors has recommended that the SEC require public companies to
disclose the extent to which they meet endorsed standards developed by the listing exchanges. Codes of 
governance in the United Kingdom, Canada, South Africa, and other countries already require disclosure of 
conformity to certain recommended governance practices. In the United States, governance policies and
practices vary considerably from state to state, and from company to company.

One emerging model has been proposed by the Corporate Governance Center at Kennesaw State University in
Kennesaw, Georgia [3]; it has been endorsed by the IIA. The model's principles include:

1. Interaction. Sound governance requires effective interaction among the board, management, the
external auditor, and the internal auditor.
2. Board Purpose. The board of directors should understand that its purpose is to protect the interests of 
the corporation's stockholders while considering the interests of other stakeholders (e.g., creditors,
employees, etc.).
3. Board Responsibilities. The board's major areas of responsibility should be monitoring the chief 
executive officer (CEO), overseeing the corporation's strategy, and monitoring risks and the
corporation's control system. Directors should employ healthy skepticism in meeting these
responsibilities.
4. Independence. The major stock exchanges should define an "independent" director as one who has no
professional or personal ties (either current or former) to the corporation or its management other than
service as a director. The vast majority of the directors should be independent in both fact and
appearance so as to promote arm's-length oversight.
5. Expertise. The directors should possess relevant industry, company, functional area, and governance
expertise. The directors should reflect a mix of backgrounds and perspectives. All directors should
receive detailed orientation and continuing education to assure they achieve and maintain the
necessary level of expertise.
6. Meetings and Information. The board should meet frequently for extended periods of time and
should have access to the information and personnel it needs to perform its duties.
7. Leadership. The roles of board chair and CEO should be separate.
8. Disclosure. Proxy statements and other board communications should reflect board activities and
transactions (e.g., insider trades) in a transparent and timely manner.
9. Committees. The nominating, compensation, and audit committees of the board should be composed
only of independent directors.
10. Internal Audit. All public companies should maintain an effective, full-time internal audit function
that reports directly to the audit committee.

In addition, the IIA recommends:

• Internal Controls. The board of directors of all publicly traded companies should be required to
publicly disclose an assessment of the effectiveness of internal controls within their organizations.
Such disclosures should address internal controls broadly, rather than being limited to accounting
controls over the recording and reporting of financial information. This recommendation includes the
suggested usage of the Committee of Sponsoring Organizations (COSO) model described in Chapter
3.
• Internal Audit Function. All publicly held companies should establish and maintain an independent,
adequately resourced, and competently staffed internal auditing function to provide management and
the audit committee with ongoing assessments of the organization's risk management processes and
the accompanying system of internal control. If an internal audit function is not present, the board of
directors should be required to disclose in the company's annual report why the function is not in
place. Consideration of the work of internal auditors is essential for the audit committee to gain a
complete understanding of an organization's operations.
• Internal Audit Independence. In establishing and providing oversight for an internal audit function,
audit committees should ensure that the function is structured in a manner that achieves organizational
independence and permits full and unrestricted access to top management, the audit committee, and
the board.
• Internal Audit Professionalism. In establishing and providing oversight for the internal auditing
function, audit committees should charge chief audit executives (CAE) with the responsibility of 
ensuring that internal audit work is performed in accordance with the IIA's Standards. Internal
auditors, and especially CAEs, should demonstrate their professional competency by attaining
appropriate professional certification.

Insight into the audit committee element of corporate governance can be drawn from a study by COSO. In
1999, COSO issued a study on SEC enforcement activities from 1987 to 1997. The study analyzed 200
randomly selected cases of alleged financial fraud investigated by the SEC during the decade, which is about
two-thirds of all the SEC probes into fraud during the time period. The results of the study provide valuable
information for any organization in protecting against fraud, but prove especially valuable in developing audit
committees. The "COSO Landmark Study on Fraud in Financial Reporting" points to several common factors
about the companies in the study (see Exhibit 9.1).

Exhibit 9.1: Commonalities of Fraud Entities from COSO Study

• Smaller firms vs. larger firms were investigated
• Lack of experience in board members
• Lack of independence of audit committee/board members
• Absence of audit committee or infrequent audit committee meetings
• Likelihood of involvement of executive managers in financial fraud
• Most of the auditors explicitly named in SEC enforcement releases were non-Big Five auditors
• Audit firms of all sizes were associated with companies committing financial statement fraud (i.e., you
cannot depend on your external auditors to detect fraud based on their size)
• Cumulative amounts of frauds were relatively large in light of the relatively small sizes of the companies
involved; the average misstatement or misappropriation was $25 million

First, most fraud in financial reporting among public companies was committed by smaller
corporations—well below $100 million in assets. Most were not listed on the New York or American Stock 
Exchanges.

Second, the boards of directors of the companies investigated were dominated by insiders and directors with
significant equity ownership. They also had little apparent experience in serving on the boards of other
companies.
Third, most audit committees of the firms investigated met only about once a year, or the company had no
audit committee at all. The absence of an active audit committee leaves a gap in the enterprise internal control
environment.

Last, the riskiest group of perpetrators was executive managers—83% of the cases appeared to involve either
the CEO or chief financial officer (CFO), and the CEO appeared to be involved in the financial frauds in 72%
of the cases. This statistic is particularly chilling because of the role executives play in the business, of their
ability to override internal controls, and of the difficulty in recognizing the involvement of executives in
financial frauds. One way to provide a control against management fraud is to have an effective, aggressive
audit committee that is willing to challenge management, when necessary, and an audit committee vigilant in
looking for signs indicative of ongoing fraud in management.

From this data, a model for audit committees can be developed. This model of attributes was developed based
on existing standards, SEC rules, and the COSO fraud report (see Exhibit 9.2). The model attributes include
independence, competence, organizational structure, leadership, and a proactive approach.

Exhibit 9.2: Model of Attributes for Effective Audit Committee [4]

• Independence (outside directors)
• Competence (knowledge and understanding of accounting, auditing, and internal controls; critical thinkers)
• Organizational Structure (reporting channels direct from internal audit function, external auditors, whistle
blowers)
• Leadership (active, strong, decisive chair)
• Proactive Approach

These points are made to help IA provide input on the selection of audit committee members and board
members, and to carry out its other responsibilities related to both corporate governance and quality. IA is an
integral part of effective corporate governance.

[1] Much of this section comes from the IIA's "Recommendations for Improving Corporate Governance," a
position paper presented to the U.S. Congress, April 8, 2002. It is available online at
www.theiia.org/ecm/guide-pc.cfm?doc_id=3602.

[2] Global Investor Opinion Survey: Key Findings, 2002, McKinsey. Available online at
www.mckinsey.com/practices/corporategovernance/PDF/GlobalInvestorOpinionSurvey2002.pdf.

[3] Corporate Governance Center, Kennesaw State University, 21st Century Governance and Financial
Reporting Principles for U.S. Public Companies, 2002. The University of Delaware also sponsors a Center for
Corporate Governance at www.be.udel.edu/ccg/staff.htm.

[4] From "Effective Audit Committees for Cooperatives: Part I — What, Why and How," The Cooperative
Accountant, Summer 2002, pp. 22–30, T. Singleton.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 9.3 REV NO: DATE:
TITLE: Quality Assurance PAGES:

9.3 Quality Assurance

Quality assurance provides to IA a service similar to the one IA provides to management: an independent
review of the quality of its service, much like the reviews of quality of earnings, operations, and so on, that IA
provides. IIA Attribute Standard No. 1300 requires the director to develop and maintain a QA program.

a. Objective
The objective of the quality control program is to ensure that all assignments are completed in accordance
with the department, IIA, and Information Systems Audit and Control Association (ISACA) standards where
applicable.

b. Responsibility
It is the responsibility of the Director of Auditing to have quality audits completed on all assignments and to
maintain a quality control program to evaluate the operations of the department. The Director of Auditing will
appoint a Quality Assurance Coordinator, who will be responsible for the quality control program, and for
keeping the Director of Auditing informed of all results.

c. Method
The program is in four parts:

1. Summarized review of all assignments by unassigned auditors
2. Detailed review of selected assignments
3. Annual self-assessment of department-wide standards, policies, and procedures
4. Tri-annual external review

i. Summarized Review of All Assignments by Unassigned Auditors

• Objective. The objective is to ensure that all assignments meet minimum standards for planning,
supervision, and documentation.
• Responsibility. The manager on the engagement is responsible for ensuring:
   ♦ The workpapers are complete.
   ♦ The work was properly planned.
   ♦ The work was properly supervised.
   ♦ The workpapers were properly reviewed.
It is the responsibility of the Quality Assurance Coordinator to have all assignments reviewed for
compliance with minimum department standards. The Coordinator is also responsible for communicating
the deficiencies noted to the Audit Manager and for following up on correcting the deficiency.
• Method. Unassigned auditors will be required to review assignments on which they did not work. The
review will be completed by answering the questions in the quality control checklist (see Exhibit 9.3
for checklist). All "no" and "N/A" answers must be fully explained. The completed checklist, together
with the workpapers, is then forwarded to the Quality Assurance Coordinator for follow-up.

Exhibit 9.3: Quality Assurance Checklist

I. GENERAL

A. Is the General section complete? __________
B. Are the workpapers in a binder and ready for filing? __________
C. Are all review notes and pending matters complete and removed from the binder? __________
D. Are workpapers properly ordered? Do they contain indexes and lead sheets where appropriate? __________
E. Is the engagement checklist complete? __________
F. Have all employee evaluation forms been completed? __________
G. Was timely notice given to auditee? __________
H. Has the auditee response been:
   1. Received? __________
   2. Reviewed: By Manager? By In-Charge? __________

II. REPORTING AND CONTROL SECTION

A. Audit Report __________
   1. Is a final copy included in the workpapers? __________
   2. Is the report in standard format? The following should be included:
      a. Introduction __________
      b. Profile and/or financial highlights __________
      c. Scope of audit __________
      d. Conclusion __________
      e. Summary __________
      f. Other comments __________
      g. Detailed recommendations __________
   3. Do the detailed recommendations contain the following five attributes? __________
      a. Statement of condition __________
      b. Criteria __________
      c. Cause __________
      d. Effect __________
      e. Statement of action __________
   4. Was the report issued timely? If not, is the reason explained on the report distribution worksheet? __________
B. Is a copy of the year-end financials, or other meaningful reports, included? __________
C. Summary Memorandum
   1. Is it completed? __________
   2. Was it prepared by senior or other appropriate individual? __________
   3. Does it contain the following:
      a. Audit objectives __________
      b. Audit results __________
      c. Auditee background information __________
      d. Budgeted hours to actual hours analysis, and explanations of significant variations __________
      e. Comments for subsequent audits, if applicable __________
D. Manager Comments — Are all significant accounting and auditing problems fully documented? __________
E. Working Trial Balance (for year-end financial audits) — Is a working trial balance complete and
   cross-referenced to the supporting workpapers? __________
F. Audit Planning Memorandum
   1. Was it completed prior to the audit field work? __________
   2. Approved by manager and Director of Auditing? __________
   3. Does it contain the following:
      a. Audit objectives __________
      b. Background information __________
      c. Financial highlights __________
      d. Description of significant audit procedures __________
      e. Budgeted audit hours __________
      f. Timing of audit __________
      g. Auditors assigned __________
G. Audit Programs __________
   1. Are they complete? __________
   2. Are they approved by manager and senior? __________
   3. Are changes approved by manager and senior? __________
H. Fluctuation Analysis — Has it been completed and are all significant fluctuations explained? __________
I. Time Budget __________
   1. Is it completed? __________
   2. Does it agree to hours reported per semimonthly Corporate Audit progress reports? __________
J. Audit Recommendation Summary/Interim Recommendation Worksheet __________
   1. Is it complete? __________
   2. Are comments appropriately cross-referenced to detailed workpapers? __________
   3. Are all recommendations not included in the detailed Report of Recommendations and Comments
      explained? __________
K. Were prior audit reports included? Did the auditee implement the items noted? Have the comments been
   repeated in the current year's report? __________
L. Is the notice to auditee and other appropriate correspondence included in the binder? __________
M. Noted for Future Audits __________
   1. Has consideration been given to developing CAAPs? __________
   2. Are the significant comments included in the summary memorandum? __________
N. Is the closing conference documented? __________

III. AUDIT WORKPAPERS

A. Have they been properly reviewed, as evidenced by:
   1. All workpapers referenced? __________
   2. All workpapers signed off? __________
   3. Do all workpapers contain headings? __________
   4. Do workpapers contain evidence of review? __________
   5. Have internal controls been considered and, if appropriate, tested? __________
   6. Are conclusions on major accounts or areas stated and properly supported? __________
   7. Were all material adjustments approved by the senior and manager? __________
   8. Do the workpapers include a final report copy? __________

The Quality Assurance Coordinator will review all deficiencies noted with the senior and the manager
of the assignment. The manager is responsible to see that the deficiencies are corrected. Once all
deficiencies are corrected, the Quality Assurance Coordinator will sign off on the engagement
checklist.

ii. Detailed Review of Selected Assignments

• Objective. The objective of this phase of the quality control program is to see that Corporate Audit
workpapers:
   ♦ Support the conclusions reached
   ♦ Are efficient
   ♦ Are appropriate in the circumstances
   ♦ Comply with department and professional standards
• Responsibility. The selection of assignments to be reviewed will be made by the Quality Assurance
Coordinator (see Exhibit 9.4 for criteria). The Coordinator will assign the detail review of workpapers
to two seniors, preferably from two different locations or groups.


Exhibit 9.4: Selection of Assignments for Detailed Review

1. Audits and special projects would be selected to meet the following criteria:
   ◊ Minimum 10% of all assignments
   ◊ Minimum 10% of audit hours incurred during the year
   ◊ At least one assignment for each senior or supervising senior
   ◊ At least one of all types of audits:
      ⋅ Financial
      ⋅ Systems review
      ⋅ Special projects
      ⋅ Data center audits
2. Assignments will be selected at random, supplemented by the Quality Assurance Coordinator's judgment,
to meet all of the above criteria.

• Method. Workpapers will be reviewed in detail using a published checklist (if appropriate). All "no"
answers will be reviewed with the manager and the senior in-charge. All noted items, or the fact that
there are no items, will be reported to the Quality Assurance Coordinator in selected assignment
review memoranda.

The Quality Assurance Coordinator will summarize all items noted in these reviews and prepare the
selected assignments review memo to the Director of Auditing.

iii. Annual Self-Assessment of Department-Wide Standards, Policies, and Procedures

• Objective. The objective of this review is to ensure that the department is in compliance with
department, corporate, and professional standards (e.g., IIA, ISACA).
• Responsibility. The Quality Assurance Coordinator is responsible for completion of this review.
• Method. The Quality Assurance Coordinator will compare the actual operating procedures of the
department with the Standards for the Professional Practice of Internal Auditing, ISACA Standards, and
other corporate and department standards as appropriate. This process will be accomplished through
review of documentation, interviews, and actual experience. Upon completion, the Quality Assurance
Coordinator will prepare the annual report to the Director of Auditing.

iv. Tri-Annual External Review

• Objective. The objectives of this review are to:

♦ Obtain an outside view of the department's performance versus professional and internal
standards
♦ Obtain suggestions for improving operating efficiencies
• Responsibility. It will be the responsibility of the Director of Auditing, upon the recommendation of 
the Quality Assurance Coordinator, to have a tri-annual review performed.
• Method. The method of review—public accounting, other internal auditors, or an IIA team—will be
decided upon after a complete review of the alternatives. Items that must be considered are:

♦ Cost
♦ Confidentiality of records
♦ Expertise in performing reviews
♦ Knowledge of business and operating environment

d. Reports
There are several key reports. They include:

• Annual Report to the Audit Committee of the Board of Directors
• Annual Report to the Director of Auditing
• Selected Assignments Review

i. Annual Report to the Audit Committee of the Board of Directors

This report is a summarized one, prepared by the Director of Auditing, sent to the Audit Committee, reporting
on the quality control program and the results of the annual self-assessment.

ii. Annual Report to the Director of Auditing

This report is a summarized one of the quality control program for the year that includes results of the annual
self-assessment, summary of deficiencies noted, and suggestions for improvement.

iii. Selected Assignments Review

This report is a summary memorandum and detailed checklist, enumerating the deficiencies and findings from
the detailed review of selected audits, prepared for each assignment selected in the annual review process
discussed below. This memo is first reviewed with the assignment manager and in-charge accountant before
being given to the Quality Assurance Coordinator.

e. Summary of Review
The Quality Assurance Coordinator prepares a summary of the detailed deficiencies noted in the ongoing
review of all workpapers. This memorandum is sent to the Director of Auditing and is discussed with the
entire staff during an annual meeting.

f. Quality Assurance Checklist
Prepared by unassigned auditors, the checklist will be completed on all assignments after they have been
approved for filing by the manager, and the report has been issued (see Exhibit 9.3 for a checklist). Upon
completion, the checklist will be forwarded to the Quality Assurance Coordinator who is responsible for
follow-up, to ensure the elimination of any deficiency noted.

SAM POLE COMPANY Corporate Audit Department Procedures Manual
NO: 9.4 REV NO: DATE:
TITLE: Continuous Improvement Systems for Internal Auditors PAGES:

9.4 Continuous Improvement Systems for Internal Auditors

Continuous quality improvement methodologies can provide the tools to lead IA into becoming, or
maintaining, a world-class status. Most of the current continuous improvement programs were designed for
manufacturing and then adapted to service organizations. They include: Total Quality Management (TQM),
Six Sigma, Baldrige National Quality Program, Kaizen, Theory of Constraints, Balanced Scorecard,
Value-Based Metrics (VBM), and the International Organization for Standardization (ISO) 9000 family. Other
improvement methodologies that are not necessarily continuous include Activity-Based Costing (ABC) and
Business Process Reengineering (BPR). From these systems, the ones that should be most applicable to the IA
department are Balanced Scorecard, VBM, ABC, TQM, ISO 9000, and maybe Baldrige.

a. Balanced Scorecard [5]

The center of the Balanced Scorecard System is the entity's strategy and vision. For the IA department, that
would be related to the mission statement discussed in Section 4.1 (a) i. The strategic objectives related to
audits and services provided by IA are translated into measures that can be used to track how IA's services
create value for its customers (see Section 9.5(b) later in this chapter for discussion of IA's "customers"), how
internal processes can be enhanced, and how the investment in people supports improved future performance.
The Balanced Scorecard System combines both financial and non-financial performance measures; in fact,
users of Balanced Scorecard only have about 20% of their measures as financial. Users of Balanced Scorecard
learn to take advantage of non-financial measures successfully. Measures are made from four perspectives
(presented as originally developed for businesses in general — see Exhibit 9.5):

• Customers. Focuses on the external environment to understand, discover, and emphasize customer
needs. Common measures include customer satisfaction, customer loyalty, and customer retention.
• Internal Business Processes. Focuses internally along a value chain comprising innovation,
operations, and post-delivery service processes. Common measures include research and development
expenditures, sales from new products, productivity, cycle time, and throughput efficiency.
• Learning and Growth. Provides the foundation, or infrastructure, needed to meet the objectives from
the other two operational perspectives. Common measures include employee satisfaction, dollars
spent on training, and voluntary turnover.
• Financial. Focuses on shareholders. Every measure in the Balanced Scorecard System should be part
of a causal link that ends in financial measures. Common measures include economic value-added
(EVA®), return on investment, and net income.

Exhibit 9.5: Balanced Scorecard System Model

Some of the above measures and concepts do not apply to IA, or do not directly apply. The Internal Audit
department would obviously use what can apply and ignore the rest. For customers, the customer satisfaction
component is important and can be measured by a survey instrument. Customer loyalty and retention,
however, do not easily apply (i.e., captive audience exists).

In the area of internal business processes, innovation could be things such as new computer-aided audit tools
and techniques (CAATTs) applied to audits, and even Balanced Scorecard System itself being applied to IA.
Post-delivery services could include gathering empirical data, on the effectiveness of audit recommendations
from audits (i.e., were they implemented, what improvements were realized, etc.), or follow-up procedures to
audit recommendations. Applicable measures include productivity, cycle time, and efficiency. The documents
and processes recommended throughout the manual provide source documents to assist in these measures,
recognizing that an appropriate Balanced Scorecard System would likely include other documents and
measures. Comparing budgeted hours for audit projects versus actual time is a good measure for efficiency
(see Exhibit 6.2 and Section 6.1(a), "Three-Year Operating Plan").

For Learning and Growth, employee satisfaction within the department can easily be measured, if it can be
done anonymously. Training can be measured by PD/CPE hours and the annual staff conference (see Section
5.5). Voluntary turnover can be measured from the Human Resource Summary recommended in Section
9.5(d) (see Exhibit 9.6).

Exhibit 9.6: Summary of Personal Activities


The financial perspective could be measured by treating IA as a profit center, or as a cost center with
budget variances. Shareholders could be extended to stakeholders for a more effective scope. Stakeholders
would include executive management (CEO, CFO, etc.), the Audit Committee, the Board of Directors in
general, and shareholders or the public. That focus is more closely aligned with the responsibilities of the
IA function.

Altogether, the Balanced Scorecard System provides an excellent model for IA to use in pursuing world-class
quality in its processes, duties, and services, and it can be adopted fairly easily by the IA department.

b. Value-Based Metrics
A system similar to Balanced Scorecard is Value-Based Metrics (VBM). Like Balanced Scorecard, the VBM
approach ties measures to strategic objectives. VBM is particularly useful as the basis for incentive
compensation, resource allocation, investor relations, and other areas. The true drivers of value in VBM are
often non-financial. In the VBM system, metrics and targets are set that are aligned (linked) to business
strategies. The following is a sample of possible non-financial measures in VBM: innovation, growth,
operating effectiveness, operating efficiency, employee skills and training, on-time delivery of services,
customer satisfaction and retention, and value chain.

c. Activity-Based Costing
Activity-based costing (ABC) is a cost accounting method used to allocate overhead costs to products or
services based on the cost of the activities required to produce the product or deliver the service. The
allocation bases are cost drivers, the activities that "drive" the costs.

An ABC system usually involves two stages. In the first stage, costs are allocated to activity pools according
to the type of activity carried out in each pool. For example, a pool for training would include costs associated
with the Annual Staff Conference, Continuing Professional Education/Professional Development (CPE/PD)
seminars attended by staff, and other training costs. In the second stage, costs are allocated from the activity
pools to a cost object, such as a good or service (e.g., an audit project).

Appropriate application of ABC in service entities can be effective if the entity focuses on its core activities
and on reducing non-core activities. For IA, the core activity is audits.

While ABC is not a continuous improvement program, it can help to control departmental overhead on a
continual basis and keep it current.

d. Total Quality Management
Total Quality Management (TQM) is another strategic approach to business improvement. Its distinguishing
feature is its emphasis on quality from the customer's viewpoint rather than the producer's. Quality is
therefore defined by customers; that is, the product or service must meet or exceed the requirements or
expectations of customers for that product or service. These expectations may involve attributes such as
performance, reliability, durability, responsiveness, aesthetics, after-sale service, timeliness of delivery, and
product or service features. TQM may use a variety of tools and techniques to seek continuous improvement
of quality, productivity, flexibility, durability, and customer responsiveness. Entities that use TQM need to
commit to [6]:

• Even better, more appealing, less-variable quality of the product or service
• Even quicker, less-variable response, from design and development through supplier and sales
channels, offices, and plants all the way to the final user
• Even greater flexibility in adjusting to customers' shifting volume and mix requirements
• Even lower cost through quality improvement, rework reduction, and elimination of non-value-adding
waste

TQM is an applicable continuous improvement approach which, applied appropriately, should be effective
in achieving and maintaining high quality.

e. ISO 9000 Family [7]

The ISO 9000 family, published by the International Organization for Standardization (ISO), is another
continuous improvement system. ISO has been developing voluntary technical standards over almost all
sectors of business, industry and technology since 1947. ISO standards were, before ISO 9000 and ISO 14000,
principally of concern to engineers and other technical specialists concerned with the precise scope addressed
in the standard. Then, in 1987, came ISO 9000, followed nearly 10 years later by ISO 14000, which have
brought ISO to the attention of a much wider business community. Both ISO 9000 and ISO 14000 are known
as generic management system standards.

Generic means that the same standards can be applied to any organization, large or small, whatever its product
(even if the "product" is actually a service), in any sector of activity, and whether it is a business
enterprise, a public administration, or a government department. Management system refers to what the
organization does to manage its processes, or activities. In a very small organization, there is probably no
"system" as such, just "our way of doing things," and "our way" is probably not written down but all in the
manager's or owner's head. The larger the organization, and the more people involved, the more likely it is
that there are some written procedures, instructions, forms or records. These help ensure that everyone is not
just "doing his or her thing," and that there is a minimum of order in the way the organization goes about its
business, so that time, money and other resources are utilized efficiently. To be really efficient and effective,
the organization can manage its way of doing things by systemizing it. This ensures that nothing important is
left out and that everyone is clear about who is responsible for doing what, when, how, why and where.

Management system standards provide the organization with a model to follow in setting up and operating the
management system. This model incorporates the features that experts in the field have agreed upon as
representing the state of the art. A management system that follows the model, or "conforms to the
standard," is built on a firm foundation of state-of-the-art practices.

Both ISO 9000 and ISO 14000 are actually families of standards. Both families consist of standards and
guidelines relating to management systems, and supporting standards on terminology and specific tools, such
as auditing (the process of checking that the management system conforms to the standard). ISO 9000 is
primarily concerned with "quality management." The standardized definition of "quality" in ISO 9000 refers
to all those features of a product (or service) that are required by the customer. "Quality management" means
what the organization does to ensure that its products conform to the customer's requirements.

If a business or organization has invested the time, energy and money to meet the ISO criteria, it can obtain
an ISO 9000 certificate. While the IA department will probably not seek the certificate unless the entire
organization does, the principles of ISO 9000 can guide IA toward becoming a world-class IA function.

f. Baldrige National Quality Program/Baldrige Award [8]

The Malcolm Baldrige National Quality Award was created by Public Law 100–107, signed into law on
August 20, 1987. The award program, responsive to the purposes of Public Law 100–107, led to the creation
of a new public-private partnership. Principal support for the program comes from the Foundation for the
Malcolm Baldrige National Quality Award, established in 1988. The award is named for Malcolm Baldrige,
who served as secretary of commerce from 1981 until his tragic death in a rodeo accident in 1987. His
managerial excellence contributed to long-term improvement in efficiency and effectiveness of government.

The Baldrige National Quality Program (BNQP) is supervised by the National Institute of Standards and
Technology, and it makes awards each year. Applicants must meet stringent self-assessment criteria before
being selected for the Baldrige Award. The Award criteria, continually improved since 1988, include seven
categories:

1. Leadership
2. Strategic planning
3. Customer and market focus
4. Information and analysis
5. Human resource focus
6. Process management
7. Business results

The criteria are built on a set of core values and concepts that are embedded behaviors in well-managed
companies. Such companies use the Baldrige criteria to assess their management systems and improve
performance in their most vital areas. Although the BNQP applies only to organizations as a whole, the
principles could be followed successfully without officially applying for the Baldrige Award.

g. Conclusions
An overlap in criteria between these programs is clearly evident (e.g., customer focus). It is recommended that
IA and the Director of Audit in conjunction with corporate management consider using one of these programs,
or some other continuous improvement system, in addition to the quality assurance program in order to
establish and maintain a world-class audit function.
SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 9.5    REV NO:    DATE:
TITLE: Marketing the Audit Function    PAGES:

[5] For the definitive book on Balanced Scorecard, read The Balanced Scorecard by R.S. Kaplan and D.P.
Norton, Harvard Business School Press, 1996. Parts of this section are based on this book.

[6] According to TQM expert Richard Schonberger. See Total Quality Management: A Survey of Its Important
Aspects by C. Carl Pegels, Boyd & Fraser Publishing Co., 1995.

[7] Much of this section was taken from the ISO web site at www.iso.org.

[8] For more information on Baldrige, see www.quality.nist.gov/.

9.5 Marketing the Audit Function

A series of books was published in the 1980s that examined what made successful companies so. Strengths
included an obsession with quality, building a family or families out of employee groups, sound long-range
planning, price value of products and services, and closeness to the customer. The need to be close to the
customer and driven to satisfying the customer are basic principles learned in business school — but
sometimes businesses or operations, such as audit functions, lose this focus.

Audit departments need to address all of these areas of their operations. Should an audit department get
close to its customers? Should IA have a marketing function? Do auditors produce products? Within the limits
of independence and objective review of operations and financial position, the answers are yes. Who are the
IA department's customers? There are many types, and they may not all want the same products.

The objective of this section is to remind auditors to think about who their customers are, what products are
produced, and to attempt to improve the delivery of the products by using some basic marketing concepts.

a. What Is Marketing?
A conventional definition of marketing includes all the steps to place a product in the hands of a consumer.
Marketing should be involved while the product is being developed, to consider who the different customers
are and how the product should be delivered to each. For instance, the audit department produces audit
reports. Who reads the audit reports? The answer may include divisional financial managers and controllers,
divisional operations managers, corporate financial managers and the CFO, corporate managers and the CEO,
the audit committee, and the independent auditors. These are all customers, and they may want different
products.

The audit report is discussed in Section 8.1 and includes a two-level reporting process that allows for some
product differentiation and divides the product logically to allow for different combinations for different
customers. Marketing involves studying the customers' wants and their satisfaction with the product. Does the
corporate CEO want the same level of detail as the divisional controller? There is a very good chance the
CEO does not.

The audit report product has been designed, as discussed in Section 8.1, to allow for a summary audit report
and a detailed audit report. To respect the time commitments of the CEO-type customer, the summary report
is limited to two pages. The reader of the summary report is always offered the full detailed report on request.
To help differentiate this important report from others arriving on the customer's desk, a color banner is
suggested to highlight the product.

b. Understanding the Customers

Marketing requires understanding the needs of customers and assessing their understanding of the product and
their satisfaction with it. Marketing and successful acceptance of products can be enhanced by
studying and understanding customers' profiles, including age, background, time commitments, priorities, and
need for information. For example, most financial managers have a financial background that enables them to
understand financial audit reports more fully; however, corporate financial managers may not have the same
time available for every division audit report and may only want summary information on non-problem
audit reports.

Operations managers may not understand as fully the implications of the audit findings. Consider adding a
separate background report or glossary when applicable. To respect the time availability of customers and the
need to commit the audit department to clear reporting of results, an opinion paragraph is included in the
summary audit report. Some audit departments include a quantified score or grade for each audit. Therefore,
by considering the customer, the audit department adds value to its product by constructing products that
customers (users) want and with which they will be satisfied.

c. Getting the Audit Message Out

In addition to audit reports, the Audit Department produces many products, including written reports such as
reports to the Audit Committee, reports to management, and budget reports. The preparation of all reports
should include study and evaluation of the intended customer and of how the product could be developed and
delivered in a better, more comprehensive, and more productive way.

Audit Department brochures are marketing tools that can help the department improve understanding of
the IA function and improve its image. The brochure is a form of advertising, the objective of which is to show
the product or service in a positive way while still respecting the professional image. The brochure becomes a
recruitment tool as well as an orientation tool for new Audit Committee members and corporate and other
senior management. The department brochure could include a message from the CEO and the Chief Auditor,
and sections on Audit Department objectives and services, management's requests, whom to contact, staff
qualifications and organization, the role of the Audit Committee, what to do if a fraud is suspected, and other
important information.

Audit staff should be encouraged to be professionally active in order to develop professionally, to gain solid
knowledge of emerging developments and solutions, and to promote the audit department. High visibility in
the audit profession will also enhance the Audit Department's image. Reports on professional activities should
be included in reports to management and reports to the Audit Committee. As discussed above, these are
different customers with different information needs, which should be considered as the product (report) is
developed.

Issuing control-related brochures to improve the organization's system of internal control can add value and
reduce the negative reporting image of internal audit. For example, a brochure on basic personal computer
controls (backups, password security, etc.) can improve individual employees' control awareness and improve
the overall system of internal control. (See Chapter 3 for more details on internal controls that might be useful
in developing such a brochure.) This approach markets the Audit Department in a positive way.

d. Human Resources
As discussed in more detail in Chapter 5, audit departments are developers of people. The department can be
used as a training ground for financial and operational managers. If this approach is taken, human resource
development becomes a significant Audit Department product. To manage this program, a summary should be
kept of all audit personnel hired each year, with information on promotions, transfers, and separations. From
this summary (see Exhibit 9.6), statistics can be developed on the number of personnel transferred and promoted.

Using the Audit Department as a training ground also helps address the issues of career-path opportunities for
the Audit Department. It produces a tangible additional and positive audit product for the organization. Of 
course, it requires more work on the part of audit management. Planned turnover will result, and staff 
scheduling becomes more complex. If the Audit Department is going to be used as a training ground, a formal
Management Development Training Program should be developed outlining the plan's objectives and
guidelines.

e. Summary
Marketing considerations are important elements in every business operation, including the audit function.
Constantly be on the look-out for opportunities to market the audit function and produce positive deliverables
and new products and services.

Endnotes

1. Much of this section comes from the IIA's "Recommendations for Improving Corporate Governance," a
position paper presented to the U.S. Congress, April 8, 2002. It is available online at
www.theiia.org/ecm/guide-pc.cfm?doc_id=3602.

2. Global Investor Opinion Survey: Key Findings, 2002, McKinsey. Available online at
www.mckinsey.com/practices/corporategovernance/PDF/GlobalInvestorOpinionSurvey2002.pdf.

3. Corporate Governance Center, Kennesaw State University, 21st Century Governance and Financial
Reporting Principles for U.S. Public Companies, 2002. The University of Delaware also sponsors a Center for
Corporate Governance at www.be.udel.edu/ccg/staff.htm.

4. For the definitive book on Balanced Scorecard, read The Balanced Scorecard by R.S. Kaplan and D.P.
Norton, Harvard Business School Press, 1996. Parts of this section are based on this book.

5. According to TQM expert Richard Schonberger. See Total Quality Management: A Survey of Its Important
Aspects by C. Carl Pegels, Boyd & Fraser Publishing Co., 1995.

6. Much of this section was taken from the ISO web site at www.iso.org.

7. For more information on Baldrige, see www.quality.nist.gov/.


Index

A
AICPA
    Founding, 7
    SysTrust, 78–83
Association of Information Technology Professionals (AITP), 41
Auditing
    Frauds
        COSO Study (SEC fraud violations), 99, 115–117, 344–345
        Equity Funding, 1973, 19–20
        Ivar Kreuger, 1932, 8
        McKesson & Robbins, 1938, 8–9
        South Sea Bubble, 6
        Ultramares, 1925, 7
    Risk Assessment, 97–104, 230–231
    Standards
        AICPA—GAAS, 52
        IIA—SPPIA, 46–48, 97, 227, 263, 265
        ISACA—Standards, 48–52
        SDLC, 53–57, 90

C
COSO (Treadway Commission)
    COSO, 13
    COSO Model, 72–74, 85, 243
Computer Crimes
    Criminals/Intruders, 70, 92, 123
    Denial of Service/Distributed DoS, 100, 106
    Financial Fraud, 122
    Misappropriation of Assets (theft), 122
    Unethical E-Mail, 94, 102
    Viruses/Worms, 94, 100–101
    Virus Hoaxes, 94, 101–102, 106

E
Ethics, 41–45
    IIA Code of Ethics, 42–44
    ISACA Code of Professional Ethics, 44–45

F
Federal Laws
    Copyright Laws, 30, 87–88
    Foreign Corrupt Practices Act, 1977, 30, 87
    Income Tax (Sixteenth Amendment), 1913, 7, 29, 61
    Sarbanes-Oxley Act, 2002, 31, 88–89, 342
    Securities Act, 1933, 7–8, 29, 61, 87
    Securities Exchange Commission Act, 1934, 7–8, 29, 61, 87

G
GAO
    Yellow Book, 15

I
Information Systems Audit & Control Association
    CobiT, 74–75
    Founding, 1969, 21–22, 48
Institute of Internal Auditors
    Founding, 1941, 10–14
    SAC Study, 20–21, 76–77
Internal Audit
    Annual Staff Meeting, 214–216
    Audit Recommendations, 275–283, 311, 318–320
    Budget Planning, 232
    Continuous Improvement
        Activity-Based Costing, 358, 630
        Balanced Scorecard, 356–358
        Baldrige National Quality Program, 361–362
        ISO 9000, 360–361
        Total Quality Management (TQM), 360
        Value-Based Metrics, 358
    Coordinator of Education, 192
    Corporate Audit Charter, 144–147
    Corporate Audit Training Model, 193–195
    CPE, 197
    Department Policies
        Confidentiality, 177–178
        Days Off for Extensive Travel, 179
        Orientation/Training, 178–179
        Professional Certification, 180
    Job Descriptions, 149–176
    Marketing, 363–365
    Mission Statement, 136–137
    Orientation, 217–220
    Outsourcing, 139–141
    Performance Evaluation, 204–213
    Personnel Files, 199–203
    Planning Memo, 269–275
    Preliminary Survey, 236–269
    Professional Certification, 185, 336
    Quality Assurance, 347–355
    Recruiting
        Aids, 184–185
        Management Development Programs, 185
        Sources, 182–184
    Reporting
        Expense Reporting, 256
        Time Reporting, 250–255
    Scope, 314
    Types
        Compliance Audits, 241
        Contract Audits, 241–242
        Desk Review, 242–243
        E-Commerce Audits, 249
        Financial Audits, 238–240
        Follow-Up Audits, 243
        High-Level Review of Procedures, 238
        Information System Audits, 243–248
        International Audits, 240
        Operational Audits, 249
    Workpapers, 284–294
Internal Auditing
    Audit Committee, 31, 114–119, 331–336, 342–346
    Control Self-Assessment, 141–142
    Corporate Governance, 114–119, 342–346
    IT Governance, 119–120
    Independence, 60–61
    Materiality, 235–237
    Responsibilities, 59–61
Internal Controls
    Basic Assumptions, 69–70
    Business Recovery/Disaster Recovery, 94–96, 245–246
    CAATTs
        Authentication, 124–125
        Biometrics, 124–125
        Call-back Modems, 125
        Computer Logs, 120
        Firewalls, 126–127
        Generalized Audit Software, 127–128
        Internet Storm Watcher, 105–106
        Intrusion Detection Systems (monitoring), 126
        Passwords, 92–93, 124
    CobiT, 74–75
    Computer Controls, Application, 112–113, 244, 246–248
    Computer Controls, General, 111–112, 243–244
    COSO Model, 72–74, 85, 243
    COSO Study (SEC fraud violations), 99, 115–117, 344–345
    Cost-Benefit Analysis, 71
    Definitions, 65–66
    Models, 68, 91
    PDC Model (expanded), 105–108
    Physical Controls, 109–111, 244–245
    Policies
        Business Recovery/Disaster Recovery, 94–96
        Computer Usage, 92
        E-Mail, 94
        Password, 92–93
        Privacy, 95
        SDLC, 90
        Security, 92
    Risk Assessment, 97–104
    SAC/eSAC, 76–77
    Sarbanes-Oxley Act, 88–89
    Segregation of Duties, 121
    SysTrust, 78–83

S
Sarbanes-Oxley Act (2002)
    Corporate Governance, 342
    Internal Controls Requirements, 88–89
    Legal Requirements, 31
SEC, 7–8, 29, 61, 87, 114–115
    COSO Study (SEC fraud violations), 115–117, 344–345
    Sarbanes-Oxley Act, 31, 88–89

List of Tables

Chapter 6: Audit Planning
    Sam Pole Company Corporate Audit Department Three-Year Audit Plan

Chapter 7: Audit Performance
    Financial Highlights For the six months ended June 30 ($000's omitted)

List of Exhibits

Chapter 2: Auditing Standards and Responsibilities
    Exhibit 2.1: ISACA Auditing Standards Guidelines
    Exhibit 2.2: SDLC Steering Committee/Cross-Functional Team Matrix
    Exhibit 2.3: SDLC Guidelines

Chapter 3: Internal Control System
    Exhibit 3.1: Internal Control Environment Model
    Exhibit 3.2: Controls Decision Making Overview
    Exhibit 3.3: COSO Model
    Exhibit 3.4: eSAC Model
    Exhibit 3.5: SysTrust Model
    Exhibit 3.6: Comparison of Internal Control Models
    Exhibit 3.7: Internal Control System Model
    Exhibit 3.8: Password Policy
    Exhibit 3.9: E-Mail Questionnaire
    Exhibit 3.10: Disaster Recovery Plan
    Exhibit 3.11: Anti-Virus System/Model
    Exhibit 3.12: A Basic Vulnerability Plan
    Exhibit 3.13: Sample Questionnaire/Inquiry
    Exhibit 3.14: SANS Institute: Top 20 Most Critical Internet Security Vulnerabilities (ver. 2.502)
    Exhibit 3.15: IS Model of Controls
    Exhibit 3.16: Physical Controls
    Exhibit 3.17: Audit Committee Oversight Areas—In Order of Importance
    Exhibit 3.18: Commonalities of Fraud Entities from COSO Study
    Exhibit 3.19: Model of Attributes for Effective Audit Committee

Chapter 4: Department Organization
    Exhibit 4.1: Sample Corporate Audit Charter
    Exhibit 4.2: Sam Pole Company Organization Chart
    Exhibit 4.3: Sam Pole Company Audit Department Organization Chart

Chapter 5: Personnel, Administration, and Recruiting
    Exhibit 5.1: Interview Questionnaire for New Internal Auditors
    Exhibit 5.2: Overview of Corporate Audit Training Model
    Exhibit 5.3: Continuing Professional Education (CPE) Record
    Exhibit 5.4: Corporate Audit Department Background Information Form
    Exhibit 5.5: Corporate Audit Department Interest Questionnaire Form
    Exhibit 5.6: Performance Evaluation Review Form
    Exhibit 5.7: Group Discussions Instruction Sheet
    Exhibit 5.8: Orientation Checklist

Chapter 6: Audit Planning
    Exhibit 6.1: Corporate Audit Planning, Scheduling, and Staffing
    Exhibit 6.2: Sample Three-Year Audit Plan
    Exhibit 6.3: Time System Codes: Audit Type Codes and Task Codes
    Exhibit 6.4: Sample Corporate Audit Time Summary Form

Chapter 7: Audit Performance
    Exhibit 7.1: Corporate Audit Performance Process Matrix
    Exhibit 7.2: Sam Pole Company Corporate Audit Department Assignment Checklist
    Exhibit 7.3: Sample Notice to Auditee
    Exhibit 7.4: Sample Planning Memo
    Exhibit 7.5: Recommendation Worksheet Example
    Exhibit 7.6: Permanent Files Index

Chapter 8: Audit Reporting
