Managing the Audit Function, 3rd Edition (John Wiley & Sons)
Table of Contents
Managing the Audit Function—A Corporate Audit Department Procedures Guide, Third Edition ..... 1
Foreword ..... 1
Preface ..... 1
Standing at the Rubicon! ..... 1

Chapter 1: Background ..... 1
  1.1 Introduction ..... 1
  1.2 History of Auditing [1] ..... 1
  1.3 History of Internal Auditing ..... 4
  1.4 Auditing Government Agencies ..... 8
  1.5 History of Information Systems Auditing ..... 8
    a. Birth of Information Systems Auditing ..... 9
    b. Commercialization of Computers ..... 9
    c. AUDITAPE: Breakthrough for Information Systems Auditors ..... 10
    d. Equity Funding Scandal: Abuse of Information Technology ..... 11
    e. Systems, Auditability, and Control Research Study—Institute of Internal Auditors ..... 12
    f. Electronic Data Processing Auditors Association ..... 13
    g. Emerging Technologies ..... 14
  1.6 History of Federal Regulations Related to Auditing ..... 19
    a. Income Tax Law (Sixteenth Amendment): 1913 ..... 19
    b. Securities and Exchange Commission Acts: 1933, 1934 ..... 20
    c. Foreign Corrupt Practices Act: 1977 ..... 20
    d. Copyright Laws: 1976 et al. ..... 21
    e. Sarbanes-Oxley Act: 2002 ..... 21
  1.7 Professional Organizations Related to Internal Auditing ..... 21
    a. Institute of Internal Auditors ..... 22
    b. Information Systems Audit and Control Association ..... 22
    c. American Institute of Certified Public Accountants ..... 23
    d. American Accounting Association ..... 24
    e. Financial Executives International ..... 24
    f. Association of Government Accountants ..... 25
    g. Association of Certified Fraud Examiners ..... 25
  Endnotes ..... 26
Chapter 2: Auditing Standards and Responsibilities
  2.6 Responsibilities of a Corporate Auditor ..... 12
    a. Nature ..... 13
    b. Objective and Scope ..... 13
    c. Responsibility and Authority ..... 13
    d. Independence ..... 13
    e. Regulatory Issues ..... 14
  Endnotes ..... 15
Chapter 3: Internal Control System ..... 1
  Overview ..... 1
  3.1 Definition ..... 1
  3.2 Fundamental Assumptions in Establishing an Internal Control System ..... 2
    a. Business Reasons for a Strong Internal Control System ..... 3
    b. Legal Reasons for a Strong Internal Control System ..... 3
    c. Basic Assumptions for the Internal Control System ..... 4
    d. Evolution of Attacks and Intruders' Technical Knowledge ..... 4
    e. Cost-Benefit Analysis of Controls ..... 5
  3.3 Effective Internal Control Models ..... 5
    a. The COSO Model (AICPA, AAA, FEI, IIA, and IMA) ..... 5
    b. The CobiT and eSAC (ISACA) ..... 7
    c. The SAC Model Reports (IIA) ..... 8
    d. SysTrust (AICPA and CICA) ..... 9
    e. Conclusion: Comparing and Contrasting the Models ..... 13
  3.4 Regulations ..... 15
    a. Securities and Exchange Commission (1933, 1934) ..... 15
    b. Foreign Corrupt Practices Act (1977) ..... 16
    c. Copyright Laws (1976 et al.) ..... 16
    d. Environmental Laws (Various) ..... 16
    e. Sarbanes-Oxley Act (2002) ..... 17
  3.5 Policies [7] ..... 17
    a. Systems Development Life Cycle Policy ..... 18
    b. Systems Usage Policy (End Users) ..... 19
    c. Security Policy ..... 19
    d. Password Policy ..... 19
    e. E-Mail Policy ..... 20
    f. Business Recovery Policy ..... 20
    g. Privacy Policy ..... 21
  3.6 Risk Assessment ..... 22
    a. Risk Assessment: Internal Perspective ..... 23
    b. Risk Assessment: External Perspective ..... 24
  3.7 Control Strategies ..... 28
    a. Fourfold Perspective of Controls Model ..... 28
    b. Information Systems and Controls Model ..... 30
    c. An Internal Audit Function ..... 34
    d. Corporate Governance ..... 34
    e. Logs and Auditability ..... 38
    f. Segregation of Duties ..... 38
    g. Investigation Procedures ..... 38
  3.8 Malicious Activities ..... 39
    a. Crime and Misappropriation of Assets ..... 39
    b. Unauthorized Access and Authentication ..... 41
  3.9 Specific Controls/CAATTs ..... 43
    a. Monitoring Systems ..... 43
    b. Firewalls ..... 43
    c. Generalized Audit Software ..... 43
    d. Other Potential Controls/CAATTs ..... 44
  References ..... 45
  Endnotes ..... 45

    e. Control Self-Assessment ..... 5
    f. Integrating the Auditing Process ..... 6
  4.2 Corporate Audit Charter ..... 6
  4.3 Company Organization ..... 8
    a. Audit Department Organization ..... 9
    b. Job Classifications and Descriptions ..... 10
  4.4 Audit Department Policies ..... 24
    a. Confidentiality ..... 24
    b. Orientation (Training) ..... 25
    c. Days Off for Extensive Travel Policy ..... 26
    d. Professional Certification Policy ..... 26
  Endnote ..... 26
Chapter 5: Personnel, Administration, and Recruiting
    a. Performance Evaluation Review Guidelines for Preparation of Report ..... 16
  5.5 Annual Staff Meeting/Conference ..... 19
    a. Group Discussions ..... 19
  5.6 New Staff Orientation ..... 21
  Endnotes ..... 24

  6.2 Internal Controls ..... 5
  6.3 Materiality ..... 6
  6.4 Types of Audits ..... 8
    a. High-Level Review of Procedures ..... 8
    b. Financial Audit ..... 8
    c. Operational/Managerial Audit ..... 9
    d. Compliance Audit ..... 10
    e. Contract Audit ..... 10
    f. Desk Review ..... 11
    g. Follow-Up Audits ..... 11
    h. Information Systems Audits [3] ..... 11
    i. E-Commerce Audits ..... 15
    j. International Audits ..... 15
  6.5 Time Reporting ..... 16
    a. Form: Corporate Audit Time Report ..... 16
    b. Report for the Period Ending ..... 16
    c. Auditor's Name/Employee Number ..... 16
    d. Job Number ..... 17
    e. Audit Codes ..... 17
    f. Task Codes ..... 18
    g. Hours ..... 18
    h. Productive Time ..... 18
    i. Nonproductive Time ..... 18
j. Summarizi
Summarizing ng Time
Time...................................
..........................................................................
.............................................................................
............................................19
......19
6.6 Expense Reporting
Reporting..................................
........................................................................
.............................................................................
...................................................19
............19
a. Travel Expenses......
Expenses..............
..........
......................................
...........................................................................
......................................................................20
...............................20
Endnotess.......
Endnote ..............
.........
...................................
........................................................................
.............................................................................
.........................................................20
...................20
iv
Chapter 7: Audit Performance
      b. Description of Notice to Auditee
      c. Preliminary Survey
      d. Planning Memo
      e. Audit Status Report
      f. Developing Audit Recommendations
   7.2 Workpapers
      a. Control
      b. Retention
      c. Headings
      d. Permanent Files: Contents and Format
      e. Current Files: Contents and Format
      f. General Organization
      g. Detailed Workpaper Section Organization
      h. Indexing and Cross Referencing
      i. Referencing
      j. Standard Tick Marks
   7.3 Audit Objectives
      Cash
   Endnote
Chapter 9: Managing the Effectiveness of the Audit Department
      e. ISO 9000 Family [7]
      f. Baldrige National Quality Program/Baldrige Award [8]
      g. Conclusions
   9.5 Marketing the Audit Function
      a. What Is Marketing?
      b. Understanding the Customers
      c. Getting the Audit Message Out
      d. Human Resources
      e. Summary
   Endnotes
Index
   A
   C
   E
   F
   G
   I
   S
List of Tables
   Chapter 6: Audit Planning
   Chapter 7: Audit Performance
List of Exhibits
   Chapter 2: Auditing Standards and Responsibilities
   Chapter 3: Internal Control System
   Chapter 4: Department Organization
   Chapter 5: Personnel, Administration, and Recruiting
   Chapter 6: Audit Planning
   Chapter 7: Audit Performance
   Chapter 8: Audit Reporting
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under
Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the
Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance
Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-750-4470, or on the web at
www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions
Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax
201-748-6008, e-mail: permcoordinator@wiley.com.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in
preparing this book, they make no representations or warranties with respect to the accuracy or completeness
of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a
particular purpose. No warranty may be created or extended by sales representatives or written sales materials.
The advice and strategies contained herein may not be suitable for your situation. You should consult with a
professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any
other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services, or technical support, please contact our Customer
Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993, or fax
317-572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not
be available in electronic books.
For more information about Wiley products, visit our web site at www.wiley.com.
Managing the Audit Function—A Corporate Audit Department Procedures Guide, Third Edition
1. Auditing, Internal—Handbooks, manuals, etc. 2. Corporations—Auditing—Handbooks, manuals, etc. I. Si
Foreword
At the turn of the century, copper mining companies such as Phelps Dodge Corporation were the darlings of
Wall Street. They were growth plays at the dawn of the new age of electricity and communications. The
demand for wiring throughout the country seemed endless. By the early 1900s, Phelps Dodge Corporation had
already achieved a proud heritage. Formed in the early 1800s as a trading company, it wisely invested its
profits in the copper mining business.
By the late 1970s when I joined Phelps Dodge Corporation as Chief Financial Officer, much had changed. I
was asked by my good friend, then Chairman and CEO, George B. Munroe, to assist him and the Company in
meeting the challenges ahead. The Management Information Systems (MIS) operating areas and the Internal
Audit function were to receive special attention.
George and I found that the audit resource should be more consistently applied across company operations,
and that the reputation of the audit function and the results of its efforts could be improved.
Michael Cangemi joined Phelps Dodge as Director of Internal Audit. My background as a Public Accountant
and Chairman of BDO Seidman CPAs helped me to recognize the need for a strong internal audit function.
Internal auditing is a difficult function to develop in a company. To allow it to contribute to the company, the
internal audit management must be empowered with wide-ranging authority. The director of audit must
possess integrity, initiative, and excellent communication skills.
Michael Cangemi had the personal traits we were looking for. In addition, he had a program to ensure that all
audit personnel would be trained in the areas of information technology and the application of the technology
to the audit function. Based on his work as Director, Computer Audit at the New York Office of Arthur
Young & Company (now Ernst & Young LLP), Michael decided to integrate EDP audit and financial audit.
His audit personnel team was designed to be capable of advancing with the Company into the information
age.
Over the next two years, Michael proceeded, with the help of his audit team, to produce an audit methodology
that resulted in a most successful audit function at Phelps Dodge Corporation. This book outlines the
methodology that was implemented, and much more.
After those two years, Michael was promoted to General Auditor of Phelps Dodge Corporation. This was a
high honor in a company that had a very lean corporate management structure. At the age of 33, he was one of
the youngest officers in the history of the company. More importantly, he had gained the respect of the senior
Michael was fond of saying that "good people using good procedures will produce an audit product with a
reliable, high-quality level." This was the result at Phelps Dodge Corporation.
Personnel development was a very high priority of the new audit program. Audit conferences were serious
training and key team-building events.
The audit group was also assigned to activities such as contract, acquisition, and disposition audits. Contract
audits alone have saved the company millions of dollars a year in contracting fees.
Once Michael had the audit function organized and had built a team that was capable of proper succession, he
moved on to become a successful corporate vice president with responsibility for all of the company's
information systems and benefit plans as well as internal audit.
You can take the methodology outlined in this book and improve your own company's audit program or use it
as a basis for forming a new, modern audit program. Any chapter in this book provides ideas that are worth
the price of the entire publication.
November 1995
Washington, DC
Preface
Standing at the Rubicon!
Julius Caesar had to cross a river, the Rubicon, to launch a civil war against General Pompey in the year 49
B.C. The description of that act has become a metaphor for standing at a point at which there is no
turning back, the point of a new beginning. The world of internal auditing is now at the Rubicon!
The first edition of this book was published in 1991. At that point, internal auditing outsourcing was on the
rise. Could this trend have been a symptom of the decline in corporate governance and the rise of aggressive
accounting to boost earnings? Enron Corp., at times, outsourced their internal audit functions. WorldCom,
Inc.'s accounting issues were discovered by an internal auditor.
The theme of this book is very simple. Quality internal auditors utilizing tested and proven procedures in a
proactive way will produce beneficial tangible results.
Auditing is as exciting as the world in which we audit. In fact, anticipating and preparing for the changes that
constantly take place in the business world makes auditing even more challenging. Coexisting with other
management and partnering in the company's mission, while maintaining a healthy dose of skepticism,
provides a significant interpersonal and intellectual challenge. However, many auditors have attempted to live
in a slow-paced, reactive world.
As a profession, internal auditing has been evolving for less than one hundred years. The profession continued
to grow steadily through the 1950s and into the 1960s. The business community was changing dramatically,
with technological leaps and global expansion leading the way. Internal control, as it was known, was
destined to change to address the issues and complexities of the modern day.
The first wake-up call came in 1977 with the passage of the Foreign Corrupt Practices Act. Passed to address
the practices of paying bribes in foreign countries, the law had requirements that adequate systems of internal
control be maintained. Internal audit's role in management rose to new heights. The internal auditing
professionals reacted swiftly and implemented new programs to strengthen internal controls and checks and
balances. Those internal audit departments that were capable and proactive produced solid returns on
investments for their organizations. Many branched out into operational audit areas that were heretofore only
discussed. All audit functions addressed information technology in one way or another. Auditors met at
conferences and shared information and best practices in a way that should be the envy of all professional
groups.
In the 1990s, internal control was redefined. The Committee of Sponsoring Organizations (COSO) issued its
landmark definitional study of internal control. The product amounted to a five-volume publication which has,
for the first time ever, attempted to define all of the intricacies and the subtleties of internal control and
achieve agreement among leading professional organizations.
The 1990s also saw the profession of internal auditing as a candidate function for outsourcing. Is internal
auditing a core capability? Can professionals from outside the organization perform studies of internal control
without a thorough understanding of the personality of the organization? The debate on outsourcing is an
interesting challenge for the profession of internal auditing.
During these decades, internal auditing groups that were proactive and worked hard to create excellent
internal audit programs, have continued to satisfy their management. They searched for new requirements,
responsibilities, and ways to contribute to their organization. The first thing that all successful audit
organizations have done is to organize themselves. It has always been my hope that this book would help
audit departments improve their organization and operations so that they can improve their overall
performance.
As noted above, internal auditing is a very challenging profession, and once the fundamentals of an audit
organization are established through the development of a policies and procedures manual, the audit
department can focus more of its energies on the delivery of internal audit services.
This third edition of Managing the Audit Function greatly expands on the prior edition. In addition to a
general update, a new chapter on internal controls has been added. This chapter defines internal control, risk
assessment, control strategies and malicious activities. The subject should be studied and understood not just
by internal auditors but all managers and board members as well. The recent developments with accounting
irregularities demonstrate a clear need for an education on the complex subject of internal control! In
addition, a section on the history of audit was greatly expanded and integrated into the background materials.
As the finishing touches were being made to this edition of Managing the Audit Function, the U.S. Congress
passed the Sarbanes-Oxley Act of 2002. This act makes reporting on internal control a requirement for public
companies registered with the Securities and Exchange Commission (SEC). The law requires annual reports
to contain an assessment of the effectiveness of internal control over financial reporting. In addition, it
requires the adoption of standards for independent auditors to attest to management's report on internal
control. Separately, the act requires a company's CEO and CFO to certify quarterly and annual reports. These
developments will focus senior management's attention on ensuring the adequacy and effectiveness of their
internal audit department to assist management with these requirements. Senior management can use this
book as a primer on the elements of a modern internal audit function.
As the original author, there is little doubt that I am fascinated with auditing in general, and specifically the
internal auditing profession! I first observed internal and external auditing as a member of the operations staff
of a brokerage house in my college years. I then spent a number of years in public practice at Ernst & Young
before joining a large corporation as Director, Internal Audit. After rising to General Auditor, I moved out of
internal auditing and into a financial officer position. Internal auditing continued to report to me during this
period, and I attended all audit committee meetings. I then rejoined the public practice at BDO Seidman as
National Director of EDP Auditing and Internal Audit Services. I joined Aigner Group, Inc. in a senior
management position and after eight years as CFO, I am currently the President and Chief Executive Officer
of the company.
I have seen internal control and auditing from a number of interesting vantage points. My current position
affords me one of the best views from the standpoint of how internal auditing should fit into and contribute to
an organization. All corporate managers have a desire to run a well-controlled operation. We need to be able
to rely on the integrity of the data and results of our operations. However, I am now further convinced of the
need for the audit department to be proactive and seek out ways to contribute positively to the corporate
mission.
As pointed out in this book, the audit function does not have the same performance measurements available to
them as do other line functions within the organization. I am also now more aware than ever of the need for
cost justification for every dollar spent, especially dollars that are not spent in the direct pursuit of revenue.
Internal audit departments must have the disciplines and measurements proposed in this book. These issues
have come more clearly into view, and as a result of my current position, I am certain that the methodologies
suggested in this book are essential principles of internal audit management.
To add new dimensions and perspective to this methodology, I asked Tommie Singleton to join with me on
this third edition. After a career in industry, Tommie Singleton went back to school and devoted himself to
accounting and auditing all the way to the PhD level. We met while working on publishing segments of his
dissertation on the history of IS auditing in the IS Control Journal, where I am to this day the Editor-in-Chief.
Dr. Singleton is Professor of Accounting and Computer Information Systems at the University of North
Alabama. He added tremendously to this book as co-author, giving his insights and knowledge on the
complex subject of internal control and sharing his vast acumen on our profession's history.
We are both very active with professional associations, which keeps us at the forefront of developments
affecting internal auditing. We owe a debt of gratitude to our colleagues at the IIA and ISACA who keep us
connected to this interesting world of auditing. We are also very busy with our "real" jobs and rely heavily on
our co-workers. We would especially like to thank Deb Urquhart, my Executive Assistant, for her untiring
efforts and dedication to this book project.
I would also like to thank my associates at ISACA, Susan Caldwell, Jennifer Blader and Jane Seago, who care
so much about the profession's response to technological developments and who work to make IS Control
Journal a significant contributor to the expansion of the professional literature. Finally, last but certainly not
least, I'd like to thank Sheck Cho, our editor, who guided me through editions one, two, and now three and is
always there for support and encouragement.
MICHAEL P. CANGEMI
November 2002
Edison, New Jersey
Chapter 1: Background
1.1 Introduction
It is the goal of this manual to provide a broad scope of information in assisting you in developing your
auditing function into a well-respected contributor to the company's mission and a world-class audit
department.
This manual will serve to document approved departmental procedures. It will be the basis for establishing
methods to ensure the highest level of performance and quality in the department. These procedures should be
evaluated and updated on an ongoing basis to keep pace with changing conditions.
This book has been set up in the format of a procedures manual. Beginning with Chapter 2, each page has a
heading consisting of the company name, the title of the manual (Corporate Audit Department Procedures
Manual, if appropriate), the section number, the revision number (if you choose to keep track of the number of
changes made in a particular section), and the date of the revision. Much of the text has been written so that it
can be considered boilerplate and be used with your modifications to easily create your own manual.
The manual is based on a methodology employed very successfully at Phelps Dodge Corporation.
Subsequently, the methodology was used as a basis for audit management workshops and consulting projects.
Through these processes, the material contained in the methodology was analyzed and improved over a
10-year period. The methodology is broken down into four main components: Part One: Fundamentals of the
Internal Auditing Function (Chapter 1, "Background"; Chapter 2, "Auditing Standards and Responsibilities";
Chapter 3, "Internal Control System"), Part Two: Management and Administration (Chapter 4, "Department
Organization"; Chapter 5, "Personnel Administration and Recruiting"), Part Three: Technical Procedures
(Chapter 6, "Audit Planning"; Chapter 7, "Audit Performance"; Chapter 8, "Audit Reporting"), and Part Four:
Long-Term Effectiveness (Chapter 9, "Managing the Effectiveness of the Audit Department"). Other
programs can be added to your manual. The technical chapters all begin with a matrix that outlines the various
tasks or functions addressed in that chapter.
In order to achieve the above goals, a brief overview of historical events affecting the audit is beneficial. Thus
this chapter is written to familiarize auditors with historical events that directly relate to audits, audit planning,
and in particular the management of a world-class audit function. This section will review the history of
auditing before information systems (IS), the history of IS auditing, the history of federal regulations related
to auditing, and professional organizations related to auditing. An understanding of these events and
organizations should provide substantial benefits in managing your auditing function.
The ancient history of accounting and auditing left sparse documentation, but possibly did predate the
invention of writing, circa 8,500 B.C. The earliest surviving records in double-entry form are those of the
Medici family of Florence, Italy, from 1397.
The "modern" era of accounting dates from the year 1494, when a monk named Luca Pacioli published the
accounting principles.
Auditing, too, is one of the oldest professions. Writing was invented in part to satisfy the need for audits.
Zenon papyri record the application of audits on the Egyptian estate of the Greek ruler Ptolemy Philadelphus
II as early as 2,500 years ago. Early Greek and Roman writers such as Aristophanes, Caesar, and Cicero make
mention of accountants, auditors, and auditing accounts and audit rooms. As early as the Middle Ages, a form
of internal auditing existed among the manor houses of England where the lord served as manager of the audit
function.
The earliest external audit by an independent public accountant was in 1720 by Charles Snell as a result of the
South Sea Bubble scandal in England. The total market value of the South Sea Company, chartered in 1710,
eventually exceeded the value of all money in England. Thus when the company crashed, it was an extremely
significant public event in the English economy. Fictitious entries were discovered in the books. This event
set a precedent in the history of auditing. In fact, many, if not most, major auditing events, improvements, and
standards tend to follow public exposure of scandals and/or fraud.
Later, the industrial revolution in England resulted in factory systems that were financed by stockholders. This
situation necessitated the need for auditors, both internal and external. To protect the public, the British
Companies Act of 1844 provided for mandatory audits. Soon afterward, in 1853, organizations of chartered
accountants were formed in Scotland. Then in 1880, five organizations were melded into the unified Institute
of Chartered Accountants in England and Wales. By 1881, it had a membership of more than 1,000 members.
The same industrial revolution was occurring across the Atlantic in the United States. By the late nineteenth
century, British auditors were being sent to audit American companies. For example, the British firm Price
Waterhouse was sending over auditors as early as 1873. Soon, New York offices existed for British firms
Price Waterhouse, Peat Marwick & Company, and Arthur Young & Company. Thus it was the British who
built the infrastructure for professional auditing in the United States.
One of the first key events in the history of the U.S. audit profession was the establishment of what was the
forerunner of the American Institute of Certified Public Accountants (AICPA) in 1887. In 1896, New York
law provided for the issuance of CPA certificates to those who could pass a qualifying examination. Initially,
experienced practitioners were "grandfathered" in by being granted CPA certificates without having to take
the examination. Eventually, all states passed CPA laws. At first, each state prepared its own CPA
examination, but in 1917 the American Institute of Accountants began preparing a uniform CPA examination
that could be used by all states.
Another early event of note is the 1913 passage of the Sixteenth Amendment legalizing income taxes. [2] One
provision of the law required all companies to maintain adequate accounting records. Thus, even small firms
that did not need accounting for management control purposes suddenly had to have accounting records.
The audits of the late 1800s and early 1900s were largely devoted to the accuracy of bookkeeping detail. In
most cases, all vouchers were examined and all footings verified. Hence, items omitted from the records were
overlooked by the auditors, and the result was an auditing profession that was viewed by outsiders as more
clerical than professional.
This view was to change between 1900 and 1917, because bankers became more important as sources of
financing and because practice began to catch up with the auditing literature. The change in philosophy
mirrored the recommendations in the leading auditing book of the time, which was written by Robert
Montgomery. Bankers were less concerned with clerical accuracy than with balance-sheet quality. Thus, as
bankers became major users of audited financial statements, the objective of the audit became more concerned
American Institute and the Federal Trade Commission, which also had the endorsement of the Federal
Reserve Board. This publication was reissued, with minor changes, in 1918 under the title Approved Methods
for the Preparation of Balance-Sheet Statements. This document was the first formal declaration of generally
accepted accounting principles and auditing standards. It outlined a complete audit program, instructions for
auditing specific account balances, and a standardized audit report. In 1929, another revision included more
emphasis on the income statement and internal controls. Still another revision in 1936 placed equal emphasis
on the balance sheet and income statement. The 1917 document and its revisions became the bible of the
auditing profession for more than two decades.
The recent history of external auditing is more events-oriented. In other words, little has occurred in recent
years that was not brought about by some catastrophic event such as a lawsuit, financial disaster, or a major
fraud case. One of the earliest important auditing cases was that of Ultramares Corporation v. Touche, Niven
& Company (1931). Ultramares had loaned money to Fred Stern and Company in 1924 on the basis of
financial statements prepared by Touche. On those statements, accounts receivable had been overstated.
Subsequently, in 1925, Fred Stern and Company filed for bankruptcy. A lower court found Touche guilty of
negligence, but the firm was declared not liable to Ultramares because there was no privity of contract
between the auditor and Ultramares. The New York Court of Appeals agreed that third parties could not hold
an auditor liable for ordinary negligence, only for fraud. However, gross negligence could be construed as
fraud, which opened up the auditor to lawsuits even though there was no way of knowing who was going to
rely on the misleading financial statements. Thus, the auditor became subject to almost infinite third-party
liability. This liability was further expanded at the federal level in the securities acts of 1933 and 1934.
By the time of the 1929 stock market crash, external auditing had become a somewhat standardized
profession, but not a particularly large profession. Since bankers were the primary users of financial
statements, the only companies needing audits were those that depended on banks for capital. Companies that
depended on stockholder financing were not required to have audits. Consequently, even companies listed on
the New York Stock Exchange often did not issue audited financial statements. That was to change because of
Ivar Kreuger—one of the greatest swindlers the world has ever seen.
The most widely held securities in the United States—and the world—during the 1920s were the stocks and
bonds of Kreuger & Toll, Inc., a Swedish match conglomerate. The company was founded and headed by Ivar
Kreuger, supposedly the richest man in the world. Kreuger's securities were popular because they sold in
small denominations and paid high dividends and interest (often 20% annually). Financial reporting as we
know it today was in its infancy; stockholders based their investment decisions solely on dividend payments.
Kreuger's dividends were paid, however, out of capital, not profits. Kreuger was essentially operating a giant
pyramid scheme, which was hidden from the investing public by Kreuger's insistence that financial statements
not be audited. He advocated that financial secrecy was paramount to corporate success. In Kreuger's defense,
some amount of secrecy was needed because he was often dealing with foreign kings and dictators about
government monopolies and taxes on wooden matches. Subsequently, it was discovered that many of his
companies' assets were in the form of intangible monopolies.
The stock market crash of 1929 made it more difficult for Kreuger to sell new securities to fuel his pyramid
scheme. Thus, he committed suicide in March 1932. Within three weeks, his companies were in bankruptcy as
it became apparent that there were few assets to support the unaudited financial statements that had been
issued over the years. The bankruptcy was the largest on record up to that time and resulted in numerous
changes in financial reporting.
Newspaper articles kept U.S. citizens aware of the extent of Kreuger's fraud at the same time that Congress
was considering passage of the federal securities laws. Thus, the timing of the bankruptcy and the
corresponding media coverage made it politically expedient to pass laws that would make similar schemes
difficult in the future. A single event, the corruption of Ivar Kreuger, had shaken investors' confidence and
provided the media event of the decade.
As a result, the Securities Act of 1933 was passed, and the New York Stock Exchange issued rules mandating
audits of listed companies. Even a movement toward uniformity in accounting principles can be laid at the
feet of Kreuger. Auditors thus owe much of their livelihood to the fraud perpetrated by Ivar Kreuger. In fact,
some might say that because of the resulting improvements to financial reporting, Kreuger did more good than
harm for the financial community. A person of his ilk was needed to show the world that auditors are
necessary and can make a contribution to a regulated securities market.
The 1936 version of the American Institute's 1917 joint pronouncement with the Federal Trade Commission
on auditing standards suggested that auditors might want to observe inventories and confirm receivables, but
there was no requirement for these procedures. Many auditors had long opposed observing inventories under
the theory that CPAs were not skilled appraisers and that a statement that they had physically inspected
inventories might be construed as a guarantee of the inventory valuation. This lack of a requirement for
inventory observations and receivable confirmations proved to be an embarrassment to the profession when
the McKesson & Robbins scandal surfaced in 1938. The senior management of McKesson & Robbins had
used a facade of false documents to conceal the fact that $19 million in inventory and receivables were
nonexistent. A Securities and Exchange Commission (SEC) investigation concluded that Price Waterhouse &
Company had adhered to generally accepted auditing procedures as recommended in the 1936 Institute
pronouncement. The auditors had obtained management assurances as to the value of the inventories and had
test-checked the inventories to purchase orders (which were fabricated to conceal the fraud). But the SEC
concluded that although generally accepted procedures had been followed, those procedures were inadequate.
As a result, in 1939 the American Institute issued Statement on Auditing Procedure (SAP) No. 1 that required
auditors to observe inventories and confirm receivables. The McKesson & Robbins case was a turning point
in auditing history. No longer was the auditor responsible for auditing the accounts of management;
responsibility was extended to an audit of the business itself. And the profession began to issue promulgated
statements and standards related to the specific procedures and standards of audits.
Other cases have influenced auditors in recent years, but none to the extent of the frauds associated with
Ultramares, Kreuger, and McKesson & Robbins. Continental Vending Machine Corporation (1968) was
unusual in that it marked the first instance of an external auditor being criminally convicted for fraud. The
overriding conclusion of all of this activity is that the (external) auditing profession has long been reactive
rather than proactive. On the whole, the recent history of auditing has been centered on reacting to adverse
events affecting the profession.
[1] Special thanks to Dr. Dale Flesher for the use of his article, "A History of Accounting and Auditing Before
EDP," The EDP Auditor Journal, Vol. III, 1993, pp. 38–47. Most of this section came from this article.
[2] Interestingly enough, a similar law was passed during the Civil War but was later ruled to be
unconstitutional by the U.S. Supreme Court.
Some types of internal audits date back thousands of years. As mentioned earlier, the Greeks, Romans, and
Egyptians were conducting audits before the birth of Christ. Interestingly, the scope of these early audits was
in many ways akin to that of modern internal audits; both included an examination of the correctness of
accounting records and an evaluation of the propriety of activities reflected in the accounts. Emphasis was on
improving management control over the activities of the organization. Such broad emphasis was not to
reappear on a wide scale until after World War II. [3]
In the United States, there was little need for internal auditing in the colonial period because there was little in
the way of large industry. In fact, accounting textbooks of the period never referred to the subjects of internal
auditing or internal control. In government, however, the need for an audit function was recognized. The first
U.S. Congress in 1789 approved an act that included a provision for the appointment of a secretary of the
treasury, a comptroller, and an auditor. The auditor's job, basically a clerical function, was to receive all
public accounts, examine them, and certify the balances.
Despite the aforementioned early references, railroad companies are usually credited with being the first
modern employers of internal auditors. It was during the latter part of the nineteenth century that these first
real internal auditors became commonplace. The title applied to these employees was traveling auditors, and
their duty was to visit the railroads' ticket agents and determine that all the accounting for all monies was
properly handled.
Other early industries to use internal auditors included the large Krupp Company in Germany. Krupp
apparently employed some type of internal audit staff at least as early as 1875 since there is a company audit
manual dated January 17, 1875, which includes the following provisions:
Although the roots of internal auditing do date back into the nineteenth century, real expansion did not occur
until the early part of the twentieth century with the growth of the large corporate form of business. The major
factor in the emergence of internal auditing was the extended span of control faced by management in
business employing thousands of people and conducting operations in many locations. Defalcations and
improperly maintained accounting records were major problems, and the growth in the volume of transactions
resulted in a substantial bill for public accounting services for the organization that tried to maintain control
by continuing the traditional form of audit by the public accountant.
The objectives of early internal auditors were primarily built around the protection of assets. The National
Industrial Conference Board's study of internal auditing explained the early motives as follows:
• Protection of company assets and detection of fraud were the principal objectives. Consequently, the
auditors concentrated most of their attention on examinations of financial records and on the
verification of assets that were most easily misappropriated. A popular idea among management
people a generation ago was that the main purpose of an auditing program was to serve as a
psychological deterrent against wrongdoing by other employees.
That same study recognized the internal auditor of yesteryear did not perform the same duties as the
modern-day internal auditor. In addition, there was no need for the pioneer internal auditor to perform all of
the functions that are handled by today's internal auditors.
• In less complicated times, of course, management frequently maintained control over company
operations by personal supervision. There were not so many levels of authority separating policy
makers from production workers, and demands on senior executives' time were neither so numerous
nor so urgent.
Prior to 1941, internal auditing (IA) was essentially a clerical function with no organization and no standards
of conduct. Because of the nature of accounting record keeping at the time (i.e., manual), auditors were
needed to check the records after they were created for accuracy—for errors in postings or footings. Auditors
were also concerned with the possibility of fraud. Thus, the internal auditor was a verifier, or a "cop," to
protect organizational assets.
The old concept of internal auditing can be compared to a form of insurance: The major objective was to
discover fraud more quickly than it could be discovered by a public accountant during an annual audit. That
is, the internal auditor was performing a function similar to a police officer or detective. The modern concept
of internal auditing is that of an arm of management. Today, internal auditors are an integral link in the
management process and are just as concerned with waste and inefficiency as with fraud. Part of the
development probably can be attributed to the change in technology. As accounting became mechanized and
computerized, records became subject to automatic checking procedures. Thus, the need to check every
transaction declined, giving internal auditors time to reach beyond the historical clerical limits.
The year 1941 marked a turning point in the development of internal auditing as two significant events
occurred. One of those events was the publication of the first major book on the subject—Victor Z. Brink's
Internal Auditing. Also in 1941, 24 individuals joined together to form The Institute of Internal Auditors
(IIA).
During the 1940s, internal auditors began to expand their audits to encompass more than the traditional
financial audit. The shift to a war economy in the early 1940s was the primary cause for the expansion of
internal audit scope. Management became more concerned with production scheduling, shortages of materials
and laborers, and compliance with regulations. Also, cost reporting became more important than external
reporting. As a result, internal auditors began directing their efforts toward assisting management in whatever
way possible. Following the war, the benefit of the auditor's assistance was so obvious to management that
there was no consideration of reducing the auditor's scope to prewar levels.
The term operations or operational auditing was adopted to describe the expanded activity. In March 1948,
Arthur H. Kent's work, "Audits of Operations," published in The Internal Auditor, was the first article to
describe the expanded-scope audit. In that piece, Kent made frequent mention of an operations audit. Other
authors had discussed the subject, but had referred to non-accounting matters, instead of operational subjects.
The first technical paper to use the phrase operational auditing in the title was published in The Internal
Auditor in June 1954 and written by Frederic E. Mints.
By the mid-1950s, others were using the term in speeches, articles, and technical publications. At about the
same time, accounting became more mechanized and computerized, and records became subject to automatic
checking procedures once performed by internal auditors. That trend was reflected in the 1957 Statement of
Responsibilities of Internal Auditing, published by the IIA.
The growth in the internal auditor's scope of responsibility can be observed through a comparison of the 1947
Statement of Responsibilities of the Internal Auditor and the 1957 revision of the same document. The 1947
version stated that internal auditing dealt primarily with accounting and financial matters but may also
properly deal with matters of an operational nature. That emphasis was to change in just one decade. The IIA
described the broad role of internal auditing with its 1957 Statement of Responsibilities of the Internal
Auditor. Whereas the 1947 Statement said that an auditor might also deal with operating matters, the 1957
Statement stated that the auditor should be concerned with any phase of business activity. The 1957 Statement
included these internal auditor (IA) duties:
• Reviewing and appraising the soundness, adequacy, and application of accounting, financial, and
operating controls
• Ascertaining the extent of compliance with established policies, plans, and procedures
• Ascertaining the extent to which organizational assets are accounted for, and safeguarded from, losses
of all kinds
• Ascertaining the reliability of accounting and other data developed within the organization
• Appraising the quality of performance in carrying out assigned responsibilities
As previously mentioned, there were two significant events in 1941—the publication of the first major book
on internal auditing and the founding of the IIA. Interestingly, the latter event was related to the former.
Victor Z. Brink's doctoral dissertation was published in January 1941 by Ronald Press. At the same time, John
B. Thurston, internal auditor for the North American Company in New York, had been contemplating
establishing an organization for internal auditors. Thurston and Robert B. Milne had served together on an
internal auditing subcommittee formed jointly by the Edison Electric Institute and the American Gas
Association. These two had decided that further progress in bringing internal auditing to its proper level of
recognition would be difficult in the two organizations. Instead, what was needed was an independent
organization for internal auditors. When Brink's book came to the attention of Thurston, the two men got
together and found they had a mutual interest in furthering the role of internal auditing.
Only 11 members were present at the first annual meeting of the IIA. Thurston was elected as its first
president. Membership grew quickly. The original 24 increased to 104 by the end of the first year, to 1,018 at
the end of five years, and to 3,700 by 1957, with 20% of the latter figure located outside the United States.
The new group was quick to begin its activities to further the development of its members. A director of
research approved in January 1942 the first book published under the IIA auspices, and it was issued in March
1943. A journal, The Internal Auditor, was begun in September 1944. Membership was divided into local
chapters beginning in December 1942, when the New York chapter was formed. The Detroit, Chicago, Los
Angeles, and Philadelphia chapters followed in 1943. Additional chapters were formed the following year in
Dayton, Cleveland, and Toronto, the first outside the United States. By the end of 1947, 19 chapters operated
throughout North America. The first chapters outside North America were formed in London and Manila in
1948 to begin the trend toward true internationalization.
Other developments would further focus IA on operational audits. In 1963, the National Industrial Conference
Board studied 177 organizations' objectives for their internal auditing programs. The Board concluded with
five primary objectives:
In 1975, the IIA found that 95% of all respondents to a survey conducted operational audits for purposes of
judging efficiency, effectiveness, and economy. The same study found that 51% of the total audit time was
spent on operational auditing activities. Thus the shift from financial to operational had become profound and
permanent. The modern work of the internal auditor had become auditing for efficiency and effectiveness
more than financial propriety. The internal auditor had also become an integral part of the management team.
Another dramatic change in the IA function in the United States occurred in 1987 with the Treadway
Commission report. The Commission was organized by five accounting organizations—IIA, AICPA,
American Accounting Association (AAA), Institute of Management Accountants (IMA), and Financial
Executives International (FEI)—known as the Committee of Sponsoring Organizations (COSO). The
commission was formed to study the cause of fraudulent financial reporting. The committee concluded: (1) an
internal audit function should exist in every public corporation, and (2) there should be a corporate audit
committee composed of non-management directors of the corporation. These conclusions not only enhanced
the IA profession but also brought fraud to the forefront of IA functions, like it had been before 1941.
Also in the 1990s, one trend caused a change in the way the IA function was carried out. Outsourcing became
a popular way for organizations to employ the IA function. The role of the IA function was served by public
accounting and other providers. The IIA Standards and Statement have evolved further and now have the
cornerstone of risk assessment.
The internal auditing function has undergone significant changes in the last century. The main objective of the
IA function has moved from that of fraud detection to assisting management in making decisions beginning
with a risk assessment. The IA staff of today is considered a good training ground for management-level
personnel, but many organizations have out-sourced the entire IA function.
[3] Some of the material from this section was taken from The Institute of Internal Auditors: 50 Years of
Progress, by Dale L. Flesher, IIA. Copyright 1991 by The Institute of Internal Auditors, Inc., 247 Maitland
Avenue, Altamonte Springs, FL 32701-4201. Reprinted with permission.
Various governmental audit agencies throughout the world have played a role in the movement toward the
modernization of internal audit procedures. In the United States, the General Accounting Office (GAO) has
played a major part in broadening the role of the auditor. The GAO's publication, Standards for Audit of
Governmental Organizations, Programs, Activities and Functions (commonly called the "Yellow Book"
because of the color of its cover) explains the metamorphosis in the following manner:
• This demand for information has widened the scope of governmental auditing so that such auditing no
longer is a function concerned primarily with financial operations. Instead, governmental auditing now is
also concerned with whether governmental organizations are achieving the purposes for which
programs are authorized and funds are made available, are doing so economically and efficiently,
and are complying with applicable laws and regulations.
Basically, the recommended standards encompass those standards that have been adopted by the AICPA for
use in audits to express an opinion on the fairness of financial statements. Governmental audits, however, go a
step beyond those standards that are applicable to audits of financial statements. The scope of a governmental
audit (e.g., an audit of or for a government agency) is composed of three elements:
1. Financial compliance,
2. Economy and efficiency, and
3. Program results.
The typical definition of a financial audit would not include elements 2 and 3. These are operational auditing
techniques.
The technology revolution in accounting and auditing began in the summer of 1954 with the first operational
business computer. Information technology (IT) changed the way accounting data was stored, retrieved, and
handled. These new systems led to radically different audit trails, if any at all. The revolution became a
dynamic evolution as the computer industry sustained continuous, rapid technical innovations.
In addition to the introduction of computers to the business world, other IT-related events have also had a
profound effect on the auditing profession and the way audits are conducted. These events included: (1) the
commercialization of computers; (2) the introduction of AUDI-TAPE; (3) the Equity Funding scandal; (4) the
emergence of Information Systems Audit and Control Association (ISACA); (5) the Systems, Auditability,
and Control (SAC) studies by the Institute of Internal Auditors (IIA); and (6) constant emerging technologies.
Information technology affected, and continues to affect, auditing. It became necessary to add new standards,
affecting the body of auditing standards. The audit process itself has become different from traditional audits
prior to 1954 (e.g., audit tools and techniques). It was possible for an auditor to retire in the 1950s having used
similar audit programs throughout one's career. That will never happen again! The effects of IT on auditing
have culminated in a set of knowledge, skills, and standards necessary to conduct the contemporary audit that
were nonexistent in 1954.
A seminal event occurred very early in the history of business computers. This notable example of early
innovation was an article, "Using a Computer to Reconcile Inventory Counts to Books," published in N.A.C.A.
Bulletin (National Association of Cost Accountants) in June 1956. In the article, the author, Frank Howell,
member of the Auditor General's staff for the United States Air Force (USAF) in Washington, D.C., described
how an organization used the computer to reconcile inventory counts to books. The computer was
programmed to print out major differences between counts and inventory records while automatically
adjusting the books to the count for minor differences. The program even evaluated the effectiveness of
inventory operations in various departments and determined which supervisors were doing the best job of
counting inventory. Taking into account the length of publication cycles, this technique was being used as
early as 1955, that is, at the beginning of IT history. Some nascent articles and discussions deliberated the
possibility of using information technology (i.e., the computer) as an audit tool, but Howell at the USAF was
actually using technology as an audit tool. At the time, this idea was radical and innovative. Thus, one early
effect of information technology was to provide the very tools auditors would need to adequately audit
accounting data. This effect became perpetual as future technologies would also be used as tools in audits of
EDP systems.
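The reconciliation procedure Howell described (report major count-to-book differences, auto-adjust minor ones, rank departments by counting accuracy) as a small Python re-creation. This is example code added for this page, not Howell's program; the item numbers, departments, quantities and the 2% tolerance are constructed, and it adds one control point the paragraph does not mention: every automatic adjustment is itself logged.

```python
"""Re-creation of the 1955-style inventory reconciliation described above.
Example code added for this page; all item numbers, departments and
quantities are constructed, not data from the original text."""
from collections import defaultdict

# Constructed book records: item -> (department, book quantity)
BOOK = {
    "A-100": ("Dept-01", 500),
    "A-101": ("Dept-01", 120),
    "B-200": ("Dept-02", 80),
    "B-201": ("Dept-02", 1000),
    "C-300": ("Dept-03", 60),
    "C-301": ("Dept-03", 45),
}

# Constructed physical counts for the same items
COUNTS = {
    "A-100": 498,   # minor shortage
    "A-101": 120,   # exact
    "B-200": 40,    # major shortage: half the stock is missing
    "B-201": 1003,  # minor overage
    "C-300": 60,    # exact
    "C-301": 90,    # major overage
}


def reconcile(book, counts, tolerance=0.02):
    """Return (exceptions, adjustments, department_scores, adjusted_book).

    tolerance is the relative difference at or below which the book is
    adjusted to the count automatically. Every adjustment is still recorded
    so the auto-adjustment leaves an audit trail: a routine that silently
    rewrites the books would be a control weakness, not a control.
    """
    exceptions = []    # major differences: left for a person to investigate
    adjustments = []   # minor differences: book adjusted, change logged
    per_dept = defaultdict(lambda: {"items": 0, "within_tolerance": 0})
    adjusted_book = {}

    for item, (dept, book_qty) in book.items():
        stats = per_dept[dept]
        stats["items"] += 1
        if item not in counts:
            # An item on the books that nobody counted is always an exception
            exceptions.append((item, dept, book_qty, None, "not counted"))
            adjusted_book[item] = book_qty
            continue
        count_qty = counts[item]
        diff = count_qty - book_qty
        rel = abs(diff) / book_qty if book_qty else float("inf")
        if diff == 0:
            stats["within_tolerance"] += 1
            adjusted_book[item] = book_qty
        elif rel <= tolerance:
            stats["within_tolerance"] += 1
            adjustments.append((item, dept, book_qty, count_qty, diff))
            adjusted_book[item] = count_qty
        else:
            exceptions.append((item, dept, book_qty, count_qty, diff))
            adjusted_book[item] = book_qty  # unchanged until investigated

    # Score each department by the share of its items counted within tolerance
    scores = {d: s["within_tolerance"] / s["items"] for d, s in per_dept.items()}
    return exceptions, adjustments, scores, adjusted_book


def rank_departments(scores):
    """Best-counting department first, ties broken by name."""
    return sorted(scores, key=lambda d: (-scores[d], d))


if __name__ == "__main__":
    exc, adj, scores, new_book = reconcile(BOOK, COUNTS)
    print("Major differences for follow-up:")
    for row in exc:
        print("  ", row)
    print("Minor differences auto-adjusted (logged):")
    for row in adj:
        print("  ", row)
    print("Departments ranked by counting accuracy:", rank_departments(scores))
```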
Not all creative tools and techniques were delivered using emerging technologies. As early as 1961, the U.S.
Air Force adapted traditional separation of duties between programmers, systems designers, and keypunch
operators. Other traditional auditing principles would be similarly altered to accommodate the effects of IT on
auditing.
In the beginning, IT itself provided an inherent protection. From 1955 to the mid-1960s, the computer world
included only mainframes. During this time, few people had the knowledge and expertise to program a
computer. This situation prevented most accountants from preparing programs to audit through the system. It
also provided its own form of security, because few people knew enough to violate the systems.
b. Commercialization of Computers
Beginning in 1963, the escalation of computer usage in accounting systems caused auditors to think about
how they were going to deal with this new technology. Several organizations had begun to manufacture
computers to be used in business during the late 1950s and early 1960s. Some manufacturers, such as Singer
and General Electric, soon exited the computer market. Others, such as Burroughs and IBM, became major
suppliers of business computers. Up until then, all of the computers were mainframes. The cost of these
machines made it prohibitive for most companies to purchase one.
The use of computers in accounting began to escalate in 1963 with the introduction of a new, lower-cost
computer by IBM—the IBM 360. The plan at IBM was to introduce smaller machines at more affordable
costs to businesses. The IBM 360 accomplished this objective, and a rapid increase in sales of commercial-use
computers ensued. This increase in computer sales was instrumental in creating a greater need for EDP
auditing concepts in businesses and a need for auditors skilled and knowledgeable about EDP. And the spiral
of better IT, cheaper IT, and smaller-size IT was off and running.
Meanwhile, the number and variety of financial accounting systems and clients with computers greatly
increased in the last half of the 1960s. The need for skills required to handle the audit of computerized data
significantly increased beyond those of an EDP technician. Together, these needs drove the development of
generalized audit software (GAS).
A series of events and projects at Haskins & Sells (H&S) led to the initial GAS package. In the late 1950s,
Kenneth Stringer began to develop a statistical sampling plan. In 1962, H&S formally adopted the plan,
Probability Proportional to Size Sampling (PPS). PPS was a precursor to AUDITAPE, but it was not the only
motivation, or even the primary motivation, in developing AUDITAPE. Stringer and the management at H&S
were also motivated by the fact that the more clients computerized their accounting, the more dependent
auditors would become on computer expertise. The growth of computerized accounting systems would create
an environment in which auditors would be unable to perform the audit steps once done manually. That is,
access to data was gradually slipping away from auditors.
The introduction of AUDITAPE in October 1967 by Haskins & Sells at the American Accounting Association
(AAA) annual meeting in Portland, Oregon, was a key event for external auditors in particular (at that time),
and internal auditors (later). Practitioners were excited when they saw the potential of AUDITAPE because
external auditors who were not highly technical could now run the computer and use it as an audit tool. Very
few auditors had yet acquired a high level of technical skills in 1967.
As a direct response to the introduction of AUDITAPE, several GAS packages were developed from 1968 to
the early 1970s. Every Big Eight public accounting firm developed its own proprietary GAS package during
this time. Independent organizations, such as Computer Audit Systems, Inc. (Joseph Wasserman, CARS
software) and, in the late 1970s, P.J. Corum (later Pansophic, Panaudit software), also developed GAS
packages.
The development and use of GAS was a breakthrough in audit tools. In 1967, very few audit tools existed, and
there was a meager use of the tools that did exist. AUDITAPE was the impetus that led to the development
and use of audit tools, specifically GAS, in EDP audits. AUDITAPE also affected other aspects of auditing.
Although statistical sampling preceded AUDITAPE by several years, AUDITAPE affected the use of
statistical sampling as much as it affected anything. Thus, AUDITAPE was born from a need to audit through
the computers (information technology) in a simple, efficient, and effective manner. Information technology's
effect on access to data by external auditors (i.e., difficult to examine) drove the need for better audit tools. To
this day, GAS is perhaps the most valuable tool an auditor has to audit data embedded in IT.
The AICPA added its contribution to EDP audits, even though it was without official standards or guidance.
In 1968, Robert Trueblood of Touche Ross, president of the AICPA, pursued the theme of computers in
accounting during his term. Trueblood used his influence to have the AICPA hire Gordon Davis to both assist
CPAs in the use of computers and codify EDP auditing. Dr. Davis, a professor at the University of Minnesota,
accepted the responsibility and took a leave of absence to be de facto chairman of the committee appointed by
the AICPA. Each of the Big Eight firms was invited by the AICPA to participate on the committee in the
development of this project, and seven firms provided representatives. The major result of the project was a
book entitled Auditing & EDP. This popular book went through many printings and a revision in 1983. It
included examples of how to document an EDP audit and a sample questionnaire for processing internal
control review.
The Auditing & EDP project led to several changes in the auditing profession. Although the book itself did
not present the official position of the AICPA (i.e., it was not promulgated standards), it did present a number
of audit and control concepts and procedures as an unofficial document. Perhaps the most important chapter
was one dedicated to explaining when and how to audit around the computer. In the 1960s, auditors could
officially audit input and output and still be in compliance with AICPA standards. If auditors did choose to
audit around the computer, the chapter recommended that an evaluation of internal control be made to both
review and test the system. Auditors could not simply ignore the presence of EDP in the accounting system.
This recommendation was essentially the context of Statement on Auditing Standards (SAS) No. 3: The
Effects of EDP on the Auditor's Study and Evaluation of Internal Control, promulgated six years later in
December 1974.
Another result of the Auditing and EDP Task Force was the establishment of a permanent EDP auditing
committee within the AICPA. The committee's efforts eventually led to the issuance of several audit guides
and SAS No. 3.
Managers at Equity Funding Corporation of America used a series of frauds beginning in 1964 to show false
profits, thus increasing the company's stock price. The primary fraud was the use of phony insurance policies.
Equity Funding used several tactics to perpetrate the fraud. One was to use different external auditors in order
to confound the audit process and prevent detection of the fraud. The company used another deceptive tactic
during confirmation of receivables. When the external auditing firm tried to confirm receivables (policies) by
phone, the Equity Funding switchboard operator simply patched them through to Equity Funding employees
in the building. That is, EF employees were in on the fraud and actually provided external auditors with false
information. The most amazing fact of the case is that it went undetected for so long. Many people inside the
company knew about the fraud, and yet the fraud was a better-kept secret than some of our military secrets of
the time. The fraud was exposed when a disgruntled ex-employee blew the whistle. In March 1973, the SEC
suspended trading of Equity Funding stock.
The subsequent audit by Touche Ross was definitely not traditional. First, the auditors were trying to prove
that the insurance policies did not exist. Second, it was a fraud audit, not a financial audit. Touche Ross
auditors used the opportunity to apply a variety of new techniques to satisfy audit requirements in terms of
information and how the system reports and files data. The audit took two years to complete. Touche Ross
found about $2 billion of phony insurance policies—two-thirds of the policies Equity Funding claimed to
have in force.
For the most part, the external auditors before Touche Ross failed to follow up on numerous clues that
indicated something was wrong. The use of audit software could have detected the fact that the policy file was
fraudulent. For example, all bogus policies were coded to department "99." The auditors also did not review
system flowcharts or program code but treated the computer as a black box. Not only did the external auditors
overlook the clues, but the SEC could be accused of the same thing. An SEC staff member wrote memos 15
months prior to Equity Funding's collapse reporting rumors of irregularities. The SEC, however, dropped the
investigation shortly after receiving the memos.
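Two generalized-audit-software style tests of the kind the text says could have flagged the policy file: a match of every department code against the department master, and a stratification of the file by department with an unexplained concentration selected for substantive testing. This is example code added for this page, not from the case or the book; the policy records, department master and the 25% concentration threshold are constructed.

```python
"""GAS-style tests over a policy master file. Example code added for this
page; the records, department master and thresholds are constructed for
illustration and are not taken from the Equity Funding case."""
from collections import Counter, defaultdict

# Constructed department master: the codes a legitimate policy may carry
DEPARTMENT_MASTER = {"01", "02", "03", "04", "05"}

# Constructed policy file: (policy_no, department_code, face_value).
# Eight of twelve policies sit in a code that is not on the master.
POLICIES = [
    ("P0001", "01", 50_000),
    ("P0002", "02", 75_000),
    ("P0003", "03", 40_000),
    ("P0004", "05", 60_000),
] + [(f"P9{n:03d}", "99", 100_000) for n in range(8)]


def stratify(policies):
    """Count policies and sum face value per department code."""
    count = Counter()
    value = defaultdict(int)
    for _, dept, face in policies:
        count[dept] += 1
        value[dept] += face
    return count, value


def audit_policy_file(policies, master, max_share=0.25):
    """Return a list of (test, department, detail) findings.

    Test 1: every department code must exist on the department master.
    Test 2: no single department may hold more than max_share of the
            policies or of the total face value; a concentration the client
            cannot explain is selected for confirmation against evidence
            independent of the company's own staff.
    """
    findings = []
    count, value = stratify(policies)
    total_n = sum(count.values())
    total_v = sum(value.values())
    for dept in sorted(count):
        if dept not in master:
            findings.append(("code_not_on_master", dept, count[dept]))
        n_share = count[dept] / total_n
        v_share = value[dept] / total_v
        if n_share > max_share or v_share > max_share:
            findings.append(("concentration", dept,
                             {"policy_share": round(n_share, 3),
                              "value_share": round(v_share, 3)}))
    return findings


if __name__ == "__main__":
    for finding in audit_policy_file(POLICIES, DEPARTMENT_MASTER):
        print(finding)
```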
The popular press treated the fraud as a computer fraud, but it really was not—it was a management fraud.
Still, the fact is that Equity Funding management probably could not have perpetrated the fraud without the
use of computers. The public's perception of the part that the computer played in the fraud caused a new wave
of interest in audit procedures where computers were a component of the accounting system. The prevailing
belief at this time was that traditional audits (those that audited around the computer) were sufficient to detect
the existence of material and significant frauds, such as the Equity Funding fraud. Others, primarily EDP
auditors, had espoused the need for auditing through the computer. These people were now receiving attention
from accountants, auditors, and management.
This financial fraud affected a wide range of constituencies. These included insurance regulators, bank
regulators, postal inspectors, the FBI, and the U.S. Attorney's office. At least 12 different federal and state
agencies were involved in the aftermath of exposure of the scandal. Equity Funding did more for the rise of
EDP auditing (i.e., more EDP auditor jobs) than any other single event. For example, Harold Weiss was
credited with providing the only major EDP auditing training during the late 1960s and early 1970s. He said
that his activity increased so significantly after Equity Funding that he had trouble filling all of the requests.
He also said most of the managers that had previously told him "no" to his requests of EDP audits or the use
of EDP audit techniques were now calling and asking for his help to institute computer controls and EDP
audit techniques.
The Equity Funding scandal had a domino effect in the auditing community. The attitude of isolating the
computer system from the EDP auditors, held by some corporate management, changed after Equity Funding.
In addition, auditing procedures were being challenged; some of the customary policies and procedures that
had been acceptable began to be questioned. Equity Funding highlighted the need for audit standards that
apply directly to EDP auditing (these were non-existent at the time). Security became an increasingly
significant issue for all auditors—up until Equity Funding, auditors were absorbed with accounting-related
issues in EDP.
Auditing literature was also affected. An analysis of citations prior to 1973 shows an insignificant amount of
research and publications on EDP auditing issues by such organizations as the AICPA, Big Eight firms, and
IIA. From 1955 through 1970 (16 years), the AICPA published only 21 articles, two chapters in a book, and
Auditing & EDP, according to Accountants' Index published by the American Institute of Accountants. The
IIA published 10 articles and no books in the same period. State societies published 25 articles. None of these
institutions averaged two articles per year. The more active Big Eight published about 40 articles (some
overlap with the AICPA publications in The Journal of Accountancy and state society publications).
Between 1973 and 1977, however, numerous activities followed Equity Funding: publications, standards,
research, and seminars. Even IBM changed; management at IBM decided to make a substantive effort to
change the image of the computer from a villain to a hero. A comparison of the EDP auditing profession prior
to 1973 and immediately thereafter leads to the conclusion that the Equity Funding scandal was the single
most important event in EDP audit history.
York City. After Equity Funding, IBM established a liaison position to cooperate with the public accounting
community.
As a result of these relationships, IBM instituted auditability and security programs for its computers and for
auditors, a two-way communication line intended to benefit both parties. For example, every IBM computer
had a technical guide on the security and auditability features of that particular computer. Auditors benefited
from these guides when conducting their audits. Also, IBM invited accountants to training, even if they did
not own an IBM computer (IBM normally required training attendees to be owners of IBM equipment). While
other computer manufacturers were offering only technically oriented training, IBM offered training that was
less technical, and thus more useful to accountants. In return, feedback from auditors led to improvements in
the security and auditability features of IBM computers, and the referrals from accountants led to sales.
Auditors were assisting IBM, to some degree, in becoming the leading manufacturer of computers.
Members of the IIA staff had been planning a large-scale research project into information systems and
auditing called Systems, Auditability, and Control (SAC). In 1973, the IIA formally approached the IBM
liaison, Sam Albert, about the possibility of IBM's financial support for the SAC research. Albert eagerly
agreed to pursue possible financial support from IBM and was able to convince IBM management to invest in
the project. Albert unilaterally decided it was in the best interests of IBM to be the sole sponsor of the project,
and he secured a financial commitment of $500,000 from IBM.
In 1975, no entity had been able to define EDP auditing precisely and communicate that definition nationally.
State-of-the-art tools, techniques, and procedures also suffered from a lack of exposure and codification. The
SAC study had the ambitious goal of making a definitive evaluation of EDP auditing. In 1977, SAC was
published. Due to this effort, SAC managed to define EDP auditing because SAC provided some prescription
of how to approach EDP auditing. In addition, SAC codified tools and techniques into a benchmark or
standard. That is, SAC established what effective EDP audit shops were doing, especially best practices.
Others believed SAC legitimized the need for an EDP auditing staff and function. SAC's contributions made
an impact, moving EDP auditing forward significantly.
SAC was a landmark study in changing the audit profession and controlling computer systems. The IIA and
IBM gave away hundreds and thousands of copies for free. The prestige of IBM, the notoriety of the
individual members of the Advisory Committee, and the IIA lent credibility to SAC. At least up until the
mid-1980s, SAC was probably the most widely publicized, read, accepted, and applied publication that
encapsulated a comprehensive set of principles for EDP auditing. SAC has been updated several times since
its initial publication (in 1991, 1994, and eSAC 2001). It is currently referred to as eSAC (Electronic Systems
Assurance and Control), and available online from the IIA.
In 1977, the EDPAA's Foundation (EDPAF) published its first edition of Control Objectives, a compilation of
guidelines, procedures, best practices, and standards for conducting EDP audits. It was intended to provide a
normative model for EDP auditors in performing their duties. The publication was revised and updated
frequently in the subsequent years (1980, 1983, 1990, and 1992). Between 1992 and 1996, Control Objectives
underwent a major revision. Since 1996, the document goes by the title CobiT (Control Objectives for
Information and Related Technology). CobiT was revised in 1998 and 2000 (third edition), and is available on
CD-ROM and online. CobiT has become an authoritative, up-to-date, international set of generally accepted
IT control objectives for day-to-day use by business managers, users of IT, and IS auditors.
In June 1978, the EDP Auditors Foundation (EDPAF) introduced its certification program—Certified
Information Systems Auditor (CISA). Because of information technology, some internal and external auditors
wanted a separate certification for auditors of Information Technology; the CISA provided the vehicle. The
first CISA exam was given in 1981 and offered in two languages. In 2002, more than 10,000 candidates
around the world took the CISA exam in their choice of nine languages: English, Dutch, French, German,
Italian, Japanese, Spanish, Chinese, or Korean. The introduction of the CISA certification program brought a
standard for IS auditors that came to be respected throughout the auditing profession. Today, more than
27,000 professionals in dozens of countries have become certified through the CISA program.
By 1984, the international growth of the EDPAA began to accelerate. Many international chapters were
chartered beginning about this time. For example, in 1985, Region 10—encompassing Japan, Hong Kong,
Singapore, Malaysia, India, and the Philippines—was activated. The EDPAA began to translate key
documents into foreign languages. When Control Objectives was translated into Japanese in 1986, it soon
became a best seller—selling more than 10,000 copies. By 1988, the CISA exam and other documents were
also translated into foreign languages. In 1989, the EDPAF issued its 10 worldwide General Standards for IS
Auditing, and its first two worldwide Statements on IS Auditing Standards. In 1991, the EDPAA elected its
first international president living outside North America—Deepak Sarup. The Information Systems Audit and
Control Association (ISACA) has become the only true international professional auditing organization, with
international members, international chapters, and international standards (applicable on an international
scale)—all within a single entity.
In June 1994, the EDPAA formally changed its name to Information Systems Audit and Control Association
(ISACA). Over the years, EDPAA/ISACA has held training seminars, sponsored technical journals, and
assumed sponsorship of Computer Audit, Control and Security conferences (CACS) begun by Harold Weiss
in the 1960s. The activities of EDPAA/ISACA have contributed to the emergence of the large number of IS
auditing experts today.
ISACA is known today for its CobiT project, its services, CISA certification, training, information—topics
such as corporate governance and Global Knowledge Network (Global Information Repository)—and it
continues to publish its technical journal, Information Systems Control Journal. ISACA has more than 26,000
members internationally in more than 100 countries.
g. Emerging Technologies
Technology continued to change at a rapid pace until the introduction of the microcomputer in the late 1970s.
At that time, information technology became portable and distributed, carrying with it new control problems.
While the pioneers did blaze a trail for others to follow (in the mainframe area), all the trails seemed to change
by 1979, and the walls around the data center were no longer secure. In addition, EDP auditing had even
evolved into a separate function in many organizations, or at least a separate position in IA: audit manager/IS
audit.
The breadth of IT also began to compound the knowledge and expertise needed to perform audits and audit
projects. The 1980s saw many new technologies incorporated into accounting systems. Some had been in the
process of developing, but the proliferation of IT in the 1980s and 1990s drove the need for better IS products
as well as new technology. The emerging technologies included microcomputers or personal computers (PCs),
database management systems, electronic data interchange (EDI), bar coding, artificial neural systems (ANS)
or neural networks, expert systems (ES), decision support systems (DSS) and group decision support systems
(GDSS), executive information systems (EIS), online analytical processing (OLAP), enterprise resource
planning (ERP), and—most important of all—the Internet and World Wide Web (WWW). In addition,
changes in telecommunication technologies affected nearly all accounting information systems.
Microcomputers date back to 1975 with a group of young experts (e.g., Bill Gates) who built the first
microcomputer called the Altair. Several attempts to mass market microcomputers followed from
then-maverick companies such as Apple and Commodore, and traditional companies like Radio Shack. In
1977, Apple introduced its Apple II, followed in 1979 with Radio Shack's TRS-80. Also in 1977, Xerox
developed a microcomputer with a mouse, graphical display, and other "windows"-like features. It was not
until 1979 when VisiCalc (an electronic spreadsheet) hit the market, however, that micros really began to sell.
In the fall of 1981, IBM began to sell its version of the microcomputer—the personal computer (PC).
Early in the 1980s, IS auditors were becoming concerned about the controls in microcomputer systems (e.g.,
spreadsheets used in accounting and financial accounting packages). Microcomputer software advances
(financial accounting) had led to many installations on PCs. The widespread use of PCs dispersed the IS
function within organizations. One result of micros was a loss of control of the security of computing
activities. That is, computer processing, which had once at least been centralized at the mainframe computer
in a single room, was now distributed throughout much of the organization.
Information system auditors quickly determined the need for new tools to audit the data that were resident on
microcomputer systems. Yet the micro also provided IS auditors with the opportunity to develop new tools to
take advantage of the power of micros for audit purposes. This potential led to the birth of the need for
micro-based computer-assisted audit tools (CAATs), a major turning point because these tools enabled IS
auditors to start doing their own micro work, instead of needing an IS expert as a go-between. Thus, the
growth of PC-based CAATs was, in fact, driven by IS auditors. The PC was a greater tool for auditors than for
just spreadsheets and word processing. The automation of work papers and micro-driven analytical tools were
major innovations.
The 1980s also saw the growth of networked PCs. With networks, several applications and numerous users
have access to the same data and resources. During transmission along network lines, data often were exposed
to loss or theft (e.g., sniffers, hackers). Maintaining the security of the users connected to the network and
their physical location (nodes) was also difficult because users could be frequently added or moved on a
network. That is, the network a manager brings up in the morning may not be the same one brought up
yesterday. This volatility creates havoc for the network manager and can be a nightmare for IS auditors—it is
virtually impossible to audit an environment that keeps changing, and changing so often.
These two developments (PCs and networks) have resulted in information systems that have become more
difficult to audit. Technology continues to change and expand rapidly. Meanwhile, the structure of the
organizational system has drastically changed (exactly where are the data and controls?), and the locus of
control for data processing continues to expand. However, microcomputers (and CAATs developed for them)
have also provided a powerful tool that IS auditors can use to improve or facilitate the audit process.
Use of relational databases grew in the early 1980s. The expanding base of PCs created a new market for
application software, such as databases. Data integrity problems existed because several different applications
(and users) had access to the same information. Databases (and PCs) eliminated much of the traditional
separation of duties that had been established for mainframe systems. Information System auditing had to
address these issues.
The introduction of products such as the series of DBASE products, ACCESS, FoxBase, and so on, gave end
users the ability to perform tasks previously restricted to the IS group: that is, they could develop their own
applications. With much of IS programming suffering from large backlogs, end users saw a way to achieve
their goals much quicker. Because of this situation, databases were popular with users. This phenomenon
drove end-user computing (EUC). EUC, too, expanded the scope and exposures of information systems, again
leading to changes in IS auditing.
The proliferation of databases as the foundation of Accounting Information Systems (AIS) caused both
problems and a simplification. Systems such as DB2 (from IBM) and Oracle began to dominate the market in
the 1990s. The good news is that if an IS auditor understands database management systems concepts and
technical issues, there is a good chance the organizational data resides within one. The basic concepts among
database systems are fairly common. Also, the two most popular packages dominate IS in the larger
businesses.
EDI technology provided users with many benefits in the delivery and production of products and services.
The use of EDI, however, exposes data during telecommunications between the two systems. Because of
incompatible EDI systems, some organizations use a third party to provide EDI services and introduce another
source of exposure. Therefore, EDI (computerized) audit trails have become even more difficult to follow.
Universal product code (UPC) bar coding was first used in 1973 in grocery stores. Bar coding increased input
accuracy and permitted fast data capture. Bar coding and scanning had advantages to management beyond
inventory control. For example, Toys 'R Us uses bar coding and scanning for sales analysis: to know the hot
toy first and order the entire supply!
Quick response systems integrate EDI, bar coding, and just-in-time (JIT) inventory management. The basic
element of the JIT philosophy is to carry only enough inventory to meet customers' orders for a short time
frame (ideally one day). Wal-Mart has fine-tuned its quick response system so well that its system has become
one of its major competitive advantages. For example, the elimination of local warehouse storage at branch
locations reduced costs enough to pay for the quick response system in about six months.
The security of data has not only escaped the confines of the IS central location within an organization, but it
is now virtually open to exposure to anyone in the external environment who has enough knowledge and
criminal intent to disrupt the information traveling over phone lines and networks. The increase in users of
EDI has expanded the risks to transmission of data. Encryption and virtual private networks (VPN) became
some of the controls used for these risks and exposures.
Other major innovations in information technology provide additional opportunities for its use, sometimes as
a competitive edge, by management in the area of artificial intelligence (AI), decision support systems (DSS),
and group decision support systems (GDSS). Artificial neural systems (ANS) are a special type of AI systems.
ANS emulate the functioning of the human brain in model building and decision-making. Neural nets appear
to be well suited to problems of pattern recognition, classification, nonlinear feature detection, and nonlinear
forecasting.
One good example of an emerging technology and how it affects IS auditing is executive information systems
(EIS). EIS are computerized systems that support top management in their strategic decision-making. An EIS
must be easy to use by relatively unskilled users. Because internal auditing is supposed to review the
reliability and integrity of financial and operating information, the emergence of new EIS has had an impact
on internal auditors. Information system auditors should define the control risks and internal controls of
EIS—as well as all other information technologies. Internal controls should be "seamless" to ensure the
flexibility necessary. Thus, IS auditors can contribute to the development of EIS in a variety of ways—but
especially in defining controls, auditability, and security for the systems.
All of these emerging technologies led to constantly changing systems, with new information technologies
being implemented frequently. Many times, systems are changed with input from IS auditors regarding audit,
control, and security. Management and staff are often so enthralled with the features of the new IT that it can
be easy to overlook important control and auditing attributes. But if IS auditors do participate in the systems
development, the controls, auditability, and security probably will be adequate. CISA guidelines suggest that a
CISA be involved in every systems development life cycle (SDLC) project.
v. Telecommunications
In the mid-1960s, modems and acoustical couplers began to appear. Again, it was the growth of the PC that
propelled the use of this technology. The 1980s saw global competition begin to affect many more
organizations, driving a need for telecommunications. With this expansion of telecommunications came risks
and exposures. One problem that arose with telecommunications was computer crime. For example,
vandals—hackers and crackers—began to steal or corrupt data from long distance. With the legal system not
ready to handle these types of crimes, many organizations could do nothing even if they caught the criminal.
The nature of telecommunications and information technology makes it difficult, if not impossible, to identify
computer criminals. Using viruses, hackers also vandalized information systems.
During the last decade, the impact of viruses has grown and is now considered dramatic. [4] Viruses entered
the public limelight in the fall of 1987. But the military had been aware of viruses since 1978 (according to
the head of information security at SRI International, Donn Parker). Modern accounting systems, especially
due to the expansion of telecommunications, are vulnerable to the detrimental effects of viruses. Most auditors
are convinced viruses present a real threat to IS security and control that must be addressed by IS auditors. It
is estimated that viruses cost companies $12.3 billion in 2001.
Other advances caused significant changes in existing accounting information systems (AIS). One major
change was enterprise resource planning (ERP), in which AIS was interfaced with all, or most, of the other
systems in the organization. For example, in common ERP systems, human resource systems are interfaced
with the payroll system, and sales systems are interfaced with the accounts receivable system. In recent years,
ERP is being expanded to include customer relationship management (CRM), supply chain management
(SCM), and other functions. In addition, data needs resulted in software such as online analytical processing
(OLAP), data warehousing, data mining, and a host of extraction software to create value and draw benefits
from AIS and operational data captured over time in systems.
The most dramatic of advances has been the proliferation of the Internet and the World Wide Web (WWW).
With it have come new security problems, new risks, and new challenges for auditing. Suddenly, data is
exposed to the entire world! Organizations want to use the 24/7 access to increase sales, improve customer
relations, and achieve other business objectives. The increased risk of fraud and damage is considerable.
The growth of commerce over the Internet has been phenomenal. It has been estimated that between 2002 and
2005, the number of consumers using online account management will more than double, reaching 45% of the
U.S. adult population. On the retail sales side business-to-consumer (B2C), electronic commerce, or
e-commerce, sales grew 92% from 1999 to 2000, with a total of $29 billion. On the wholesale side
business-to-business (B2B), e-commerce transactions increased 17% from 1999 to 2000, with a total of $213
billion. In the service sector, sales increased 48% from 1999 to 2000, with a total of $37 billion. Retail sales
for 4Q 2001 were up 13% over 2000 at $10 billion. It is estimated that sales for the year of 2001 were $32.6
billion, an increase of 19% from 2001.
The Internet and WWW have changed commerce worldwide in both the nature of transactions and AIS.
Electronic commerce makes it possible to better compete on a global scale and find the best suppliers without
regard to geographic location. It also facilitates more efficient and flexible internal operations, better (closer)
relationships with suppliers, and improved customer service, with better response to customer needs and
expectations. Indeed, e-commerce has become a critical success factor for modern business, strategic needs,
and economical development. Firms are changing their organizational and commercial processes to take full
Yet the electronic systems and infrastructure commensurate with effective e-commerce present significant
exposures and risks related to abuse, misuse, and failure. Risks extend to all connected parties: merchants,
customers, finance entities, and service providers. Risks from attacks range from hackers who are on a
cyberspace joy ride to crackers who are out to kill, steal, and destroy. The risks also include viruses and
intelligent agents (e.g., distributed denial of service (dDoS) agents). To a lesser extent, it includes those
objects whose intent is to clog bandwidth: urban legends, hoax viruses, and chain letters. Those responsible
for information security (InfoSec), operational audits, and internal controls have a very difficult task
managing the risks associated with the Internet. In general, the most common adverse consequences include
the following types of exposures:
Some of these consequences can be minimized through appropriate practices of internal control within the
organization. For example, in order to minimize possible losses because of disruption of service, contingency
planning and physical security measures could be taken. However, the risks may not always be minimized
through the traditional security and/or preventative methods.
In addition, security threats have become a ubiquitous problem and an ever-evolving challenge for those
responsible for information systems. There is a seemingly endless barrage of attacks from computer criminals
with the intent to destroy systems, data, and information assets. Mailing lists such as those from BugTraq,
CERT, and SANS Institute put out a continuous stream of warnings about emerging risks, from new viruses to
vulnerabilities in operating systems and browsers. The costs of these security problems appear to outweigh
even those of Internet fraud. The Computer Security Institute and FBI conducted a study of organizations that
experienced security breaches. Respondents who could put a dollar amount on the cost of a security breach
averaged more than $2 million in financial losses.
The rate of the growth of the Internet and e-commerce may have slowed, but the scope of this exposure is
approaching 100% because it affects both suppliers (hosts/servers) and users (clients). Whether it is web
servers (hosts), e-commerce systems, extranets, or just access to the Internet (clients/browsers), firms are
exposed to a plethora of possible attacks if they are connected in any way to the Internet. Obviously, those
firms with servers (hosts) have a much greater risk. Theoretically, data can be accessed by anyone.
In order to respond to these and other critical factors within the implementation strategy of electronic
commerce, the role and responsibility of the IA is crucial in establishing auditing procedures and IS
specifications that will, at least, minimize risks.
The effects of emerging technologies have been paradoxical. On one hand, emerging technologies have
created a more difficult system to audit effectively. On the other hand, auditors have managed to use emerging
technologies as audit tools and thus become more effective and efficient. The microcomputer innovation in
the early 1980s epitomizes this phenomenon.
was new technology. Not only did the control points move away from a central location and expand in
numbers, but they became different because the technology changed. Thus general controls and application
controls were significantly different.
One current, actual example of using emerging technologies is the use of laptops and customized generalized
audit software to audit credit unions long distance using telecommunications, never interrupting daily
operations (Weber, 1994). One developing example is embedded audit modules: For example, an artificial
neural system (ANS) could be developed to "sit" in the IS and warn auditors of transactions or events that are
"outliers"—that is, fraud or irregularity is suspected. This type of warning system is possible because ANS
can "learn" to recognize errors and possible fraud by exposing the system to actual errors and frauds. This tool
would amount to 100%, real-time, on-line verification. Today several computer-assisted audit tools (CAATs)
already exist that perform a 100% verification.
Despite the existence of IDEA, ACL, Panaudit Plus and other micro-based CAATs, these tools are apparently
greatly underutilized at present. This situation is attributed to serious cost constraints within audits, the
expertise to use them effectively, combined with a misconception that CAATs are cost effective only for large
audits.
One thing the future holds for certain is more rapid change in information technology. One source says:
• The task will require ingenuity, special training, and, of course, experience to be efficiently
accomplished. Unlike the auditors of the early 1900s, today's auditor is faced with a dynamic
situation in which time is of the essence. The increased volume of data being handled, the speed with
which these data are processed and the centralization of accounting functions have by no means
reached their zenith, nor will the pace in technology diminish. The modern-day auditor must not only
meet the challenge quickly, but parallel its future growth. To do otherwise will render the role he
plays ineffective, if not futile.
Sound familiar? This statement was written decades ago (USAF, 1966)! The challenge is to use the lessons of
the past to solve problems of the present and future.
A review of relevant federal regulations follows to provide the IA department and its members a general
understanding of these laws. Each regulation has had an impact on audits.
and business
audit expenses
reports during forexaminations.
their income tax returns and who would respond if the Internal Revenue Service solicited
The Supreme Court has made it clear that the plaintiff must prove more than mere negligence to impose
liability on the CPA. Plaintiffs must prove scienter [5] ("a mental state embracing intent to deceive,
manipulate, or defraud")—Section 10(b), Rule 10(b)-5 of the 1934 SEC Act. Most criminal cases brought
against CPAs involve this section.
Perhaps the most significant fact about the SEC acts is the legal authority they give the SEC for setting
accounting standards. The SEC has in effect delegated that authority to the Financial Accounting
Standards Board (FASB). Because of its membership makeup and the influence the AICPA tends to have in
the rule-making process, the SEC has basically delegated rule making to the accounting profession, allowing
it to monitor and police itself generally. The SEC does issue Staff Accounting Bulletins that are authoritative
for publicly traded companies.
For IA, the SEC acts provide impetus for financial accounting responsibilities for publicly traded companies.
The acts also require all corporations that report to the SEC to maintain a system of internal control that is
evaluated as part of the annual external audit. The responsibility for this system of internal control generally
falls on the IA function.
If a corporation was guilty of making an illegal payment, management could not (supposedly) escape
conviction by claiming a lack of knowledge. If a corporation tried that approach, then it would be guilty of
having a system of internal controls that could not uncover illegal payments; that is, the organization would be
out of compliance with a federal law.
1. SEC registrants must establish and maintain adequate books, records, and accounts.
2. SEC registrants must maintain an internal control system that provides reasonable assurance the
organization's objectives are being met:
Penalties for violations include fines (up to $2 million), imprisonment (up to five years), and, in some cases,
both. [6]
• The acts have been amended numerous times.
• U.S. intellectual property is protected.
• Management is legally responsible for violations of the organization, even if executives did not know
of any illegal activities.
• The U.S. government has continually sought international agreement on terms for protection of
intellectual property globally, but without complete success (especially in areas of the Far East and
Middle East).
But it is Section 404 (Management Assessment of Internal Controls) that will have the greatest impact on
internal auditing. This section requires an annual report to management of the internal controls and their
effectiveness. Internal audit is clearly in the optimum position to deliver this required service, and the law is
therefore good news for the IA profession. Fulfilling this regulation is an excellent motivation to have an IA
department in house. The scope of this section was amplified by the NYSE when it actually required, for the
first time, an internal audit function for all NYSE-listed companies (Section 303A.7(c)). (See also Sections
Several organizations furnish professional services, certification, and continuing education that relate to IA.
The following list summarizes some of these major organizations. A summary of each organization—mostly
derived from information at their web site—follows.
Organization                                                        Certification(s)         Web site
Institute of Internal Auditors (IIA)                                CIA, CGAP, CFSA, CCSA    www.theiia.org
Information Systems Audit and Control Association (ISACA)           CISA                     www.isaca.org
American Institute of Certified Public Accountants (AICPA)          CPA, CITP                www.aicpa.org
American Accounting Association (AAA)                               n.a.                     www.aaa-edu.org
Financial Executives International (FEI)                            n.a.                     www.fei.org
Association of Government Accountants (AGA)                         CGFM                     www.agacgfm.org
The IIA focuses on the internal audit function. Its certification is the Certified Internal Auditor (CIA).
Established in 1941, the IIA serves more than 75,000 members in internal auditing, governance and internal
control, IT audit, education, and security from more than 100 countries. The world's leader in certification,
education, research, and technological guidance for the profession, the IIA serves as the profession's watchdog
and resource on significant internal auditing issues around the globe.
Presenting important conferences and seminars for professional development, producing leading-edge
educational products, certifying qualified auditing professionals, providing quality assurance reviews and
benchmarking, and conducting valuable research projects through the IIA Research Foundation are just a few
of the Institute's many activities.
The IIA also provides internal audit practitioners, executive management, boards of directors and audit
committees with standards, guidance, and information on best practices in internal auditing. It is a dynamic
international organization that meets the needs of a worldwide body of internal auditors. The history of
internal auditing has been synonymous with that of the IIA and its motto, "Progress Through Sharing."
In December 2000, the IIA's Internal Auditing Standards Board approved the issuance of new standards, in
the first major revision to the "Red Book" since it was introduced a quarter century ago (i.e., Standards for the
Professional Practice of Internal Auditing (SPPIA)).
The Electronic Data Processing Auditing Association (EDPAA) was formed in 1969 and later changed its
name to Information Systems Audit and Control Association (ISACA). It is dedicated to the profession of IS
With more than 26,000 members in over 100 countries, ISACA is a recognized global leader in IT
governance, control and assurance. The organization sponsors international conferences, administers the
globally respected CISA designation earned by more than 27,000 professionals worldwide, and develops
globally applicable information systems auditing and control standards. An affiliated foundation undertakes
leading-edge research in support of the profession. The IT Governance Institute, established by the association
and foundation in 1998, offers symposia, original research, presentations at both ISACA and non-ISACA
conferences, and electronic resources to assist enterprise leaders in their responsibility to make IT successful
in supporting the enterprise's mission and goals.
ISACA's vision is to be the recognized global leader in IT governance, control, and assurance.
ISACA's mission is to support enterprise objectives through the development, provision, and promotion of
research, standards, competencies, and practices for the effective governance, control, and assurance of
information, systems, and technology.
ISACA members residing in more than 160 chapters throughout more than 100 countries around the world
unite through:
• One set of standards used as guidance for IS audit and control activities worldwide
• A respected certification program that is recognized internationally in the IS audit, control, and
security fields
• A professional development program on critical managerial and technical topics
• Award-winning technical publications providing the latest research, case studies, and how-to
information, and
• A code of professional ethics to guide members' professional activities and conduct
The AICPA is the professional organization that represents external auditors. The AICPA oversees the
Certified Public Accountant (CPA) designation that is actually administered and awarded by individual states
(the examination is common to all states).
It has a strict code of ethics that it enforces. Internal auditors must be familiar with Generally Accepted
Accounting Principles (GAAP) and other financial reporting criteria in order to perform their duties
effectively.
The AICPA and its predecessors have a history dating back to 1887, when the American Association of Public
Accountants was formed. In 1916, the American Association was succeeded by the Institute of Public
Accountants, whose membership numbered 1,150. The name was changed to the American Institute of
Accountants in 1917 and remained so until 1957, when the name was again changed to the American Institute
of Certified Public Accountants. Separately, the American Society of Certified Public Accountants was
formed in 1921 and acted as a federation of state societies. The Society was merged into the Institute in 1936
and, at that time, the Institute agreed to restrict its future members to CPAs.
Fax: (941) 923-4093
E-mail: <office@aaahq.org>
Web: www.aaa-edu.org
The American Accounting Association is dedicated to accounting education, with most of its membership
comprised of accounting academics; in fact, practitioners have become a smaller percentage of its membership
over time. There is no separate certification associated with the AAA.
The AAA promotes worldwide excellence in accounting education, research, and practice. Founded in 1916
as the American Association of University Instructors in Accounting, its present name was adopted in 1936.
The AAA provides a wealth of resources for IA in doing research and in communicating education needs back
to the classrooms. Interaction between IA and AAA should lead to a synergistic relationship.
FEI represents the financial profession and community. It has no separate certification.
FEI was founded in 1931. Over time the role of the financial executive expanded and it adopted its broader
present name in 1962. On November 6, 2000, the Financial Executives Institute became what is now Financial
Executives International.
FEI is the preeminent professional association for senior financial executives, representing 15,000 individuals.
Membership driven, FEI provides peer networking opportunities, emerging issues alerts, personal and
professional development, and advocacy services to chief financial officers, controllers, treasurers, tax
executives, and finance and accounting professors in academia. FEI does this principally through its strong
Internet community, its 85 chapters and its 9 technical committees. Membership is limited to individuals
holding senior management positions, but the organization allows many other finance professionals to join if
they meet certain criteria. Other typical titles held by FEI members include assistant controller, subsidiary
CFO or controller, assistant treasurer, and director of tax. FEI also has a special rate and status for academics.
As the global economy developed, FEI was the driving force in forming the International Association of
Financial Executives Institutes in 1969. FEI proactively helped design the CFO Act and has a history of
supporting legislation that enhances the business climate. Its largest chapters are in Boston, Santa Clara
Valley, New York, and Chicago. In total, FEI has 85 chapters across the United States and Canada. FEI
Canada was established in 1973 to serve the needs of its Canadian members and consists of 11 chapters.
Vision:
FEI will continue to be the association for the corporate finance profession.
The Association of Government Accountants specializes in public financial management. AGA sponsors the
CGFM (Certified Government Financial Manager) certification.
Since 1950, the AGA has been instrumental in developing accounting and auditing standards and in generating
new concepts for the effective organization and administration of financial management functions, including
the passage of the Inspector General Act of 1978 and the Chief Financial Officer's Act of 1990. AGA conducts
independent research and analysis of all aspects of government financial management. These studies have led
AGA to be recognized as a leading advocate for improving the quality and effectiveness of government fiscal
administration.
Since its inception in 1994, the CGFM has become the standard by which government financial management
professionals are measured. Its education, experience and ethics requirements have served to elevate the most
seasoned financial professionals. More than 13,000 individuals have received the designation so far.
The Association of Certified Fraud Examiners (ACFE) specializes in anti-fraud activities and white-collar
crime detection, and sponsors the CFE (Certified Fraud Examiner) certification.
ACFE, established in 1988, is based in Austin, Texas. The 26,000-member professional organization is
dedicated to educating qualified individuals (Certified Fraud Examiners), who are trained in the highly
specialized aspects of detecting, investigating, and deterring fraud and white-collar crime. Each member of
the association designated a Certified Fraud Examiner has earned certification after an extensive application
process and upon passing the uniform CFE examination.
Certified Fraud Examiners come from various professions, including auditors, accountants, fraud
investigators, loss prevention specialists, attorneys, educators, and criminologists. CFEs gather evidence, take
statements, write reports, and assist in investigating fraud in its varied forms. CFEs are employed by most
major corporations and government agencies, and others provide consulting and investigative services.
The association sponsors approximately 100 local chapters worldwide. CFEs in more than 100 countries on
four continents have investigated more than 1 million suspected cases of civil and criminal fraud.
Endnotes
1. Special thanks to Dr. Dale Flesher for the use of his article, "A History of Accounting and Auditing Before
EDP," The EDP Auditor Journal, Vol. III, 1993, pp. 38–47. Most of this section came from this article.
2. Interestingly enough, a similar law was passed during the Civil War but was later ruled to be
unconstitutional by the U.S. Supreme Court.
3. Some of the material from this section was taken from The Institute of Internal Auditors: 50 Years of
Progress, by Dale L. Flesher, IIA. Copyright 1991 by The Institute of Internal Auditors, Inc., 247 Maitland
Avenue, Altamonte Springs, FL 32701-4201. Reprinted with permission.
4. See Journal of Corporate Accounting & Finance, Vol. 13, Issue 4, 2002, pp. 29–39, for more on viruses.
"Stop Fraud Cold With Powerful Internal Controls" by Tommie Singleton.
5. Per case: Ernst & Ernst v. Hochfelder (First Securities Co. of Chicago) 1976.
2.1 Introduction
The internal audit function is guided by auditing standards, guidelines, principles, and the responsibilities for
auditors both individually and professionally. Individually, internal auditors have an ethical responsibility to
perform their duties with integrity. Professionally, there are standards that must be considered.
2.2 Ethics
Every company should have its own ethics officer, who answers to the chief executive officer (CEO) or, better
yet, chairman of the board. Companies should consider ethics training and an ethics system for reporting
suspicious activities or events (e.g., a toll-free phone line that goes to a special group responsible for corporate
ethics). Companies may even hire ethics consultants when necessary (e.g., for developing international
Managers and business professionals alike should use ethical principles to evaluate their activities, behaviors,
and decisions. One area of concern for organizations today is the potential harm or risks from the use of
information technologies. Because the work of auditors is inextricably melded with technology, ethics related
to information technology (IT) should at least be considered while conducting reviews and audits. Ethical
principles for responsible use of IT include:
• Proportionality. The good achieved by technology must outweigh any harm or risk in its use.
• Informed Consent. Those affected by the technology should understand and accept the risks
associated with that use.
• Justice. The benefits and burdens of the technology should be distributed fairly.
• Minimized Risk. To the extent that any risk is judged acceptable by the preceding three guidelines,
technology should be implemented to eliminate all unnecessary risk.
The Association of Information Technology Professionals (AITP) provides the following guidelines for
becoming a responsible end user [1]:
• Act with integrity, avoid conflicts of interest, and ensure your employer is aware of any potential
conflicts.
• Protect the privacy and confidentiality of any information you are entrusted with.
• Do not misrepresent or withhold information that is germane to a situation.
• Do not attempt to use the resources of an employer for personal gain or for any purpose without
proper approval.
• Do not exploit the weakness of a computer system for personal gain or personal satisfaction.
• Set high standards for your work. Accept responsibility for your work.
• Advance the health, privacy, and general welfare of the public.
The above ethics principles can be used to govern ethical conduct by managers and users. However, more
specific standards of conduct are needed to govern ethical use of information technology. One of the
hallmarks of any profession is having and following a basic set of ethical standards. For auditors, it matters
how "doing what is right" is defined and by whom. Exactly what constitutes the ethical standards for internal
auditing as a profession? A code of ethics is necessary and appropriate for the profession of internal auditing,
founded as it is on the trust placed in its objective assurance about risk management, control, and governance.
1. Principles that are relevant to the profession and practice of internal auditing.
2. Rules of conduct that describe behavior norms expected of internal auditors. These rules are an aid to
interpreting the principles into practical applications and are intended to guide the ethical conduct of
internal auditors.
i. Purpose
The purpose of this Code is to promote an ethical culture in the profession of internal auditing.
ii. Applicability
This Code of Ethics applies to both individuals and entities that provide internal auditing services. For the IIA,
"internal auditors" refer to IIA members, recipients of IIA professional certification (CIA, CGAP, CCSA, and
CFSA), and candidates for those certifications. For internal auditors, breaches of the Code will be evaluated,
and enforcement administered according to the IIA's bylaws and administrative guidelines.
• Integrity. The integrity of internal auditors establishes trust and thus provides the basis for reliance on
their judgment.
• Objectivity. Internal auditors exhibit the highest level of professional objectivity in gathering,
evaluating, and communicating information about the activity or process being examined. Internal
auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced
by their own interests or by others in forming judgments.
• Confidentiality. Internal auditors respect the value and ownership of information they receive and do
not disclose information without appropriate authority, unless there is a legal or professional
obligation to do so.
• Competency. Internal auditors apply the knowledge, skills, and experience needed in the performance
of internal auditing services.
• Integrity. Internal auditors (a) shall perform their work with honesty, diligence, and responsibility, (b)
shall observe the law and make disclosures expected by the law and the profession, (c) shall not
knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession
of internal auditing or the organization, and (d) shall respect and contribute to the legitimate and
ethical objectives of the organization.
• Objectivity. Internal auditors (a) shall not participate in any activity or relationship that may impair or
be presumed to impair their unbiased assessment; this participation includes those activities or
relationships that may be in conflict with the interests of the organization, (b) shall not accept
anything that may impair or be presumed to impair their professional judgment, and (c) shall disclose
all material facts known to them that, if not disclosed, may distort the reporting of activities under
review.
• Confidentiality. Internal auditors (a) shall be prudent in the use and protection of information
acquired in the course of their duties, and (b) shall not use information for any personal gain or in any
manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the
organization.
• Competency. Internal auditors (a) shall engage only in those services for which they have the
necessary knowledge, skills, and experience, (b) shall perform internal auditing services in
accordance with the Standards for the Professional Practice of Internal Auditing , and (c) shall
continually improve their proficiency and the effectiveness and quality of their services.
i. Purpose
The purpose of the ISACA Code is to guide the professional and personal conduct of members of the
association and/or holders of the professional certifications from ISACA.
ii. Applicability
The Code applies to members of ISACA and/or holders of Certified Information Systems Auditor (CISA)
and/or the Certified Information Security Manager (CISM) certifications. Failure to comply with the Code can
result in an investigation into one's conduct and, ultimately, in disciplinary measures.
• Support the implementation of, and encourage compliance with, appropriate standards, procedures,
and controls for information systems.
• Serve in the interest of relevant parties in a diligent, loyal and honest manner, and shall not knowingly
be a party to any illegal or improper activities.
• Maintain the privacy and confidentiality of information obtained in the course of their duties unless
disclosure is required by legal authority. Such information shall not be used for personal benefit or
released to inappropriate parties.
• Perform their duties in an independent and objective manner and avoid activities that impair, or may
appear to impair, their independence or objectivity.
• Maintain competency in their respective fields of auditing and information systems control.
• Agree to undertake only those activities that they can reasonably expect to complete with professional
competence.
• Perform their duties with due professional care.
• Inform the appropriate parties of the results of information systems audits and/or control work
performed, revealing all material facts known to them, which if not revealed could either distort
reports of operations or conceal unlawful practices.
• Support the education of clients, colleagues, the general public, management, and boards of directors
in enhancing their understanding of information systems auditing and control.
• Maintain high standards of conduct and character and not engage in acts discreditable to the
profession.
[2] The majority of this section comes from the IIA's Code of Ethics web page at
www.theiia.org/ecm/guidance.cfm?doc_id=92 (or www.theiia.org and search for "ethics"). Please check the
web page for any changes. The document used in this manual was adopted by the IIA Board of Directors on
June 17, 2000.
[3] The majority of this section comes from the ISACA's Code of Professional Ethics web page at
www.isaca.org/codeofethics.htm (or www.isaca.org and search for "ethics"). Check the web page for any
changes. The document used in this manual was adopted by ISACA on July 1, 2001. It also is under review at
the time this chapter was written for changes related to the CISM certification.
[4] At the time of this writing, ISACA is revising the Code of Professional Ethics to accommodate its new
certification—CISM. Please visit the web page, www.isaca.org/codeofethics.htm, for possible changes
effective since this writing.
• Delineate basic principles that represent the practice of internal auditing as it should be
• Provide a framework for performing and promoting a broad range of value-added internal audit
activities
• Establish the basis for the measurement of internal audit performance
In December 2000, the IIA's Internal Auditing Standards Board approved the issuance of new standards in the
first major revision of the so-called "Red Book" since it was introduced a quarter century earlier. Mandatory
implementation date for these Standards was January 1, 2002. The Standards consist of Attribute Standards
(the 1000 series), Performance Standards (the 2000 series), and Implementation Standards (nnnn.Xn). While
there is one set of the two former standards, the latter may be multiple sets—a set for each of the major types
of internal audit activity. Implementation Standards related to assurance include an "A" in the number (e.g.,
1130.A1), and standards related to consulting include a "C" in the number (e.g., 1130.C1).
The following is a brief summary of the main categories of the Attribute Standards and Performance
Standards from the most recent version of the SPPIA:
Attribute Standards
• 1100—Independence and Objectivity
• The internal audit activity should be independent, and internal auditors should be objective in
performing their work.
• 1200—Proficiency and Due Professional Care
• Engagements should be performed with proficiency and due professional care.
• 1300—Quality Assurance and Improvement Program
• The chief audit executive should develop and maintain a quality assurance and improvement program
that covers all aspects of the internal audit activity and continuously monitor its effectiveness. The
program should be designed to help the internal auditing activity add value and improve the
organization's operations and to provide assurance that the internal audit activity is in conformity with
the Standards and the Code of Ethics.
Performance Standards
• When the chief audit executive believes that senior management has accepted a level of residual risk
that is unacceptable to the organization, the chief audit executive should discuss the matter with senior
management. If the decision regarding residual risk is not resolved, the chief audit executive and
senior management should report the matter to the board for resolution.
Computer-based systems are pervasive tools used by management in almost all organizations. Such systems
affect control over many of the assets—including the very valuable corporate data—and operations of an
organization. Development and support of such systems may require a significant portion of an organization's
total resources. When these conditions exist, the auditor's mission may include auditing the development,
maintenance, and operation of the systems. The work of auditors, both internal and external, is governed by
standards developed by a number of professional organizations, each of which seeks to assure the quality of
auditing work being performed.
The Information Systems Audit and Control Foundation (ISACF) has determined that the specialized nature
of information systems (IS) auditing work, and the skills necessary to perform such audits, require the
development and promulgation of auditing standards that apply specifically to IS auditing.
For the purposes of these standards, IS auditing is defined as any audit that encompasses the review and
evaluation of all aspects (or any portion) of automated information processing systems, including related
non-automated processes, and the interfaces between them. IS auditors review and evaluate the development,
maintenance, and operation of components of automated systems (or such systems as a whole) and their
interfaces with the non-automated areas of the organization's operations. The objectives of such auditing
generally are to assess the extent to which such systems or components produce reliable and accurate
information and to determine if such information is in conformity with management's requirements and any
applicable statutory provisions.
ISACF has developed its Standards in order to inform (1) IS auditors of the minimum level of acceptable
performance required to meet the professional responsibilities set out in the ISACA Code of Professional
Ethics, and (2) management and other interested parties of the profession's expectations concerning the work
of practitioners. The framework for the IS Standards, Guidelines, and Procedures for IS Auditing (Standards)
provides multiple levels of guidance. First, Standards define mandatory requirements for IS auditing and
reporting. Second, Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should
consider them in determining how to achieve implementation of the Standards, use professional judgment in
their application, and be prepared to justify any departure. Last, Procedures provide examples of procedures
an IS auditor might follow in an audit engagement. Procedures should not be considered inclusive of any
proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtain
the same results. In determining the appropriateness of any specific procedure, group of procedures or test, IS
auditors should apply their own professional judgment to the specific circumstances presented by the
particular information systems or technology environment. The procedure documents provide information on
how to meet the standards when performing IS auditing work, but do not set requirements.
The Standards, and their concomitant number, are divided into three areas: Standard Category, the Standard,
and Guideline (see Exhibit 2.1). There are eight Standard Categories and 12 overall IS Auditing Standards. IS
Auditing Standards are brief mandatory requirements for CISA holders' reports on the audit and its findings.
IS Auditing Guidelines and Procedures are detailed guidance on how to follow those Standards in most
situations. There will be times, however, when the auditor will not follow that guidance. In such a case, it will
be the auditor's responsibility to justify the way in which the work is done. The Procedure examples show the
steps performed by an IS auditor and are more informative than IS Auditing Guidelines. The examples are
constructed to follow the IS Auditing Standards and the IS Auditing Guidelines and provide information on
following the IS Auditing Standards. To some extent, they also establish best practices for procedures to be
followed. For ISACA, these Standards are effective for all information systems audits with periods of
coverage beginning July 25, 1997.
Exhibit 2.1 (partially recovered; category cells that were lost in extraction are left blank)

Standard Category                      | Standard                               | Guideline
                                       | .020—Organizational Relationship       |
030—Professional Ethics and Standards  | .010—Code of Professional Ethics       | .010—Irregularities and Illegal Acts
                                       | .020—Due Professional Care             | .010—Audit Considerations for Irregularities
                                       | .020—Continuing Professional Education |
050—Planning                           | .010—Audit Planning                    | .010—Materiality
                                       |                                        | .020—Planning
                                       |                                        | .030—Risk Assessment
                                       |                                        | .030—Audit Evidence
                                       |                                        | .040—Audit Sampling
                                       |                                        | .050—IT Governance
                                       |                                        | .060—Pervasive IS Controls
                                       |                                        | .070—Use of CAATS
                                       |                                        | .080—Use of EXPERTS
                                       |                                        | .NNN—etc.
070—Reporting                          | .010—Report Content and Form           | .010—Reporting
080—Follow-Up Activities               | .010—Follow-Up                         |
• 010—Audit Charter
• The responsibility, authority, and accountability of the information systems audit function are to be
appropriately documented in an audit charter or engagement letter.
• 020—Independence
• In all matters related to auditing, the information systems auditor is to be independent of the auditee in
attitude and appearance. The information systems audit function is to be sufficiently independent of
the area being audited to permit objective completion of the audit.
The first three digits in a document number represent one of the eight standards categories. IS Auditing
Standards begin with "0" and Standards for IS Control Professionals begin with "5." The standards numbers are
the second three numbers in the document (12 standards to date). The third set of three digits in a document
number is the number of the guideline. Procedures are listed separately and numbered consecutively by issue
date. For example, document 050.010.030 is a guideline (see Exhibit 2.1). It provides guidance in the fifth
standard category (050), Planning. The Guidance applies to the first standard in that category (010), Audit
Planning. It is the third guideline listed under Audit Planning (030). Procedures are numbered consecutively
as they are issued, beginning with "1." Refer to the latest index of IS auditing standards, guidelines, and
procedures for a complete listing of those documents available online from ISACA's web site.
The AICPA has long-established Generally Accepted Auditing Standards (GAAS) that are related to internal
auditing—it is at least tangential when external auditors come to the IA's firm to conduct financial audits. The
basic Standards fall into three categories: General Standards, Standards of Field Work, and Reporting
Standards. The first two groups are similar to many of the standards from the IIA and ISACA. The AICPA
also issues Statements of Auditing Standards from time to time.
General Standards
Reporting Standards
1. The auditor must state in the report whether financial statements were prepared in accordance with
generally accepted accounting principles (GAAP).
2. The report must identify those circumstances in which GAAP were not applied.
3. The report must identify any items that do not have adequate informative disclosures.
4. The report shall contain an expression of the auditor's opinion on the financial statements as a whole.
[6] The list illustrates the Standards for Information Systems Auditing issued by ISACA, and is not
comprehensive. For the complete list, see www.isaca.org/stand1.htm.
• Application level risks at the system and data level include such things as: system integrity risks
relating to the incomplete, inaccurate, untimely, or unauthorized processing of data, and system
maintainability risks relating to the inability to update the system when required in a manner that
continues to provide for system availability, security, and integrity.
All of the above portions of the Standards are directly related to the proper use of SDLC techniques. For
example, if system updates are done online (LAN or Internet) rather than taken offline, updated, tested, then
restored to live access, risks are greater according to SDLC standards. Many a system has been updated online
only to cause extra costs or other loss due to the extra or unnecessary problems this process created. The same
is true for the phrase from section 2.1.3 "integrity risks relating to incomplete . . . ." By not following SDLC
procedures in systems changes or purchases, the result can be these very risks.
The SDLC procedures for new systems include these steps: Identify the process, understand what needs to be
done, consider alternative solutions, select the best solution, test the solution, activate or implement the
solution, and maintain the solution.
Another key SDLC standard is the use of a cross-functional team in developing any major system, whether
new or a major change. The team should include: systems professionals (analyst, programmers, etc.), end
users, management, and auditors or accountants (limited to design functions, focusing on application
controls). Another effective technique is to include different levels of the organization within the different
functions. That is, consider using a manager from IS, a mid-level person, and someone from the operational
level of IS. The same would be true for users/operations, and audit/accounting (see Exhibit 2.2 for a matrix
view of this technique). Part of the responsibility of this team or steering committee is to ensure an
appropriate linkage between the project and the strategic objectives of the firm.
The SDLC has two pre-requisite documents and steps: a preliminary feasibility study and project
authorization. The specific phases of the SDLC cycle are described in the following, and pictured in Exhibit
2.3—which includes a list of the documents or reports that are involved with the phases:
A materially flawed financial application will eventually misstate the financial data, which will then be
incorrectly, and materially, reported in the financial statements. Therefore, the accuracy and integrity of these
information systems directly affects the accuracy of the client's financial data. Some of the questions internal
auditors should ask include:
• How can audit verify that SDLC activities are being applied consistently?
• How can audit verify that systems are free from material errors and fraud using SDLC principles?
• How can audit verify that the purchase or development of a system is justified?
• How can audit verify that system documentation is adequate and complete?
• How can audit verify that a library control is effective for original source code (or original copies and
licenses of commercial software) and data (backups)? That is, what controls exist to protect original
software and backup data? (See page 109 for a description of library control.)
Certification is an important element in a successful, effective internal audit department. Major benefits are
that certification is a sign of professionalism, an adequate level of knowledge (for the area under certification),
and a willingness to submit to a professional code of ethics. Another benefit of certification is the mandatory
Continuing Professional Education (CPE) credits that must be earned each year in order to maintain one's
certification. (See Section 5.1(c) i for more on certification.)
This manual also recommends an annual staff meeting or conference for training and education of the staff
auditors, in addition to other educational options. (See Section 5.5 for details.)
Most of all, the ISACF Standards state that IS auditors are to be technically competent, having the skills and
knowledge necessary to perform auditor's work (040.010—Competence/Skills and Knowledge) and also
specify that IS auditors are to maintain their technical competence through appropriate CPE
(040.020—Continuing Professional Education). The IIA Code of Ethics states the same requirement for
competence in its "Principles" and "Rules of Conduct" sections. Therefore, professional development is a key
to quality audits and an effective IA function.
a. Nature
Internal auditing is an independent appraisal activity within an organization for the review of operations as a
service to management. It improves managerial control by measuring and evaluating the effectiveness of other
controls, and by maintaining a vigilant watch over risks.
The objective of internal auditing is to assist all members of the organization in the effective discharge of
responsibilities by furnishing them with analyses, appraisals, recommendations, and pertinent comments
concerning the activities reviewed. The internal auditor is concerned with any phase of business activity
where he/she may provide service to the organization. This scope involves going beyond the accounting and
financial records to obtain a full understanding of the operations under review. The attainment of this overall
objective involves such activities as:
• Reviewing and appraising the correctness, adequacy, and application of accounting, financial, and
other operating controls and promoting effective control at reasonable cost
• Ascertaining the extent of compliance with established policies, plans, and procedures
• Ascertaining the extent to which company assets are accounted for and safeguarded from losses of all
kinds
• Ascertaining the reliability of management data developed within the organization
• Ascertaining the quality of performance in carrying out assigned responsibilities
• To inform and advise management and to discharge this responsibility in a manner that is consistent
with the codes of ethics of the IIA and the ISACA (IS audits)
• To coordinate his/her activities with others so as to best achieve audit objectives and the objectives of
the organization
Corporate auditors have neither direct responsibility for, nor authority over, any of the activities that they
review. Therefore, the corporate audit review and appraisal do not in any way relieve other persons in the
organization of the responsibilities assigned to them.
d. Independence
Independence is essential to the effectiveness of corporate auditing. This independence is obtained primarily
through organizational status and objectivity:
• The organizational status of the corporate auditing function and the support accorded to it by
management are major determinants of its range and value. The head of the corporate auditing
function should be responsible to an officer whose authority is sufficient to assure both a broad range
of audit coverage and the adequate consideration of and effective action on the audit findings and
recommendations.
Objectivity is essential to the audit function. Therefore, corporate auditors should not develop and install
procedures, prepare records, or engage in any other activity that would normally be the subject of a review
and could reasonably be construed to compromise one's independence. Auditors' objectivity need not be
adversely affected by their determination and recommendation of standards or controls to be applied in the
development of the systems and procedures under review.
It is common to read in the financial section of a newspaper or other publication that a public accounting firm
has been sued or censured. Why? Usually because the firm allegedly did not follow Generally Accepted
Auditing Standards (GAAS), or the firm did not issue an accurate audit report on the financial statements, or
the firm did not ensure adequate disclosures (e.g., certain information required by the Securities and Exchange
Commission (SEC) or other regulatory body that could influence shareholders and/or the general public in
financial planning decisions).
Although similar situations specifically addressed to the internal audit profession are rare, the possibility does
exist. The SEC and other regulatory entities are looking in that direction due to the improved image of the
profession and the greater reliance upon internal auditors' work by management and the public accountants.
Don't be alarmed! Unlike the public accountants, internal auditors do not have the same contractual or
fiduciary obligations. We do have similar responsibilities. Therefore, we must perform our audits with the
same extreme care as the external auditors, and in accordance with GAAS.
The Director of Auditing reports directly to the Audit Committee of the Board of Directors of Sam Pole
Company for the purposes of audit scope. The Director's responsibility to the Committee, the entire Board of
Directors, and management is to inform them promptly of significant situations disclosed by audits so that
they can meet their obligations to the shareholders, regulatory bodies, and the general public.
e. Regulatory Issues
Due care is required in reporting comments related to regulatory bodies and federal laws. Relevant laws
include income tax, SEC, copyright laws and the Foreign Corrupt Practices Act.
In 1913, the Income Tax Act was passed (Sixteenth Amendment), and it affects internal auditors. For
example, the Internal Revenue Service can and does request copies of audit reports during their examinations
of tax returns. The company's reporting should be objective and factual to reduce further extensive tests of
expense reports. If improved controls for reporting of travel and other business expenses are recommended, it
is essential that the situations are clearly described and the number of instances noted be reflected in the
detailed section of the audit report. Also, any corrective action taken should be indicated. Otherwise, the
auditee will normally do so in the response to the audit report.
The Securities Act of 1933 and Securities Exchange Act of 1934 require all corporations that report to the
SEC, which was created by the acts, to maintain a system of internal control that is evaluated as part of the
annual external audit. The Foreign Corrupt Practices Act, passed in 1977, requires, under penalty of law, that
managements ensure good systems of internal control in their companies. Copyright laws (1977 et al.) protect
intellectual property, which usually affects audit programs—that is, audit steps need to be included to audit for
unlicensed software and other potential violations of this law. (See Section 1.6 for a history of federal
regulations related to auditing.)
The company's legal responsibilities can be attained if due care is used, GAAS are followed, situations are
promptly and carefully reported, and confidentiality is maintained.
Endnotes
5. Much of this section was taken from ISACA's web page on Standards located at:
www.isaca.org/stand1.htm.
6. A data dictionary will include all of the fields in all of the files used by the system with details on the
characteristics of the field and places it is used in the applications.
3.1 Definition
Executives and auditors alike understand the importance of a strong internal control system in relation to
financial audits and reliable financial reports. But a sound internal control system also has the potential to
enhance corporate strategies and thus provides internal auditors with the opportunity to express their value as
business partners. Corporate objectives generally include the provision for reliable, timely information in
effective decision-making. There is a need to protect assets, to communicate internally, and to analyze events
and transactions. A strong internal control system can enhance all of these strategic objectives and assist in
operational control.
Exactly what is an internal control system? The Information Systems Control & Audit Association (ISACA)
defines it as:
• The policies, procedures, practices and organizational structures, designed to provide reasonable
assurance that business objectives will be achieved and that undesired events will be prevented, or
detected and corrected.
This definition demonstrates the link between the internal control system and business objectives. According
to the Committee on Sponsoring Organizations (COSO), internal control is:
• A process, effected by an entity's board of directors, management and other personnel, designed to
provide reasonable assurance regarding the achievement of objectives in (1) the effectiveness and
efficiency of operations, (2) the reliability of financial reporting and (3) the compliance of applicable
laws and regulations.
According to the Institute of Internal Auditors (IIA), the control system is:
• The attitude and actions of management and the board regarding the significance of control within
the organization. The control environment provides the discipline and structure for the achievement
of the primary objectives of the system of internal control. The control environment includes the
following elements: integrity and ethical values, management's philosophy and operating style,
organizational structure, assignment of authority and responsibility, human resource policies and
practices, and competence of personnel.
The bottom line is that an effective internal control system is a critical success factor for any organization in
the long term, and that internal auditors should ensure they are inexorably melded with corporate strategies.
Internal controls have become more than accounting guidelines. They are indispensable tools for the
ever-increasing risks, exposures, and threats to accounting systems, data, and assets. Therefore, this manual
will use the following definition for internal control system, which provides the basis for the discussion in this
chapter:
• Internal control system is the policies, practices, procedures, and tools designed to: (1) safeguard
corporate assets, (2) ensure accuracy and reliability of data captured and information products, (3)
promote efficiency, (4) measure compliance with corporate policies, (5) measure compliance with
regulations, and (6) manage the negative events and effects from fraud, crime, and deleterious
activities.
It goes without saying that corporate data, and the files that contain them, are an asset and do have value. The
same is true for systems and the value is proportionate to the degree the organization is dependent on
information systems (IS) or information technologies (IT) in delivering products or services. Thus the
safeguarding of corporate assets includes the data and systems of the organization—even system availability.
This chapter will attempt to provide information to strengthen the internal control system. There is a
discussion of related management policies, related regulations, risk assessment, some control activities, the
employment of proven resources (i.e., computer-assisted audit tools and techniques), related fraud and crime,
various applicable models, and some specific examples of tools and documents for internal auditors.
Management should employ the skills and abilities of professionals in designing internal controls and auditing
their effectiveness. That includes technicians in the IS function and audit professionals in the IA function. If
the company is conducting business over the Internet, that would include IS professionals such as Certified
Information System Security Professional (CISSP), Certified Information Technology Professional (CITP), or
Certified Information Systems Auditor (CISA) who understand both computer technologies and security. For
the IA function it would include Certified Internal Auditor (CIA) or CISA. Internal control professionals
should also be involved in all new systems development—CIA, CISA, or CITP. The specific tools and
techniques used to develop specific controls should be used in conjunction with the expertise of IA personnel.
Management should also encourage the use of proven resources, such as the internal control models
identified herein. Most of all, management should pursue an effective audit committee in which members are
qualified and independent (i.e., effective corporate governance).
An important step in building an effective internal control system is to make sure the organization has
adequate relevant policies, accompanied by an effective monitoring and reporting system to make sure
management's objectives are being met. Another step, sometimes chronologically preceding policy
development, is for the organization to identify the risks to which it is subject and the corresponding loss if
that risk came to pass; that is, a thorough risk assessment. Also, the organization should use proven resources
to determine and implement the actual controls necessary to manage the risks. Exhibit 3.1 depicts a model of
an effective internal control system to illustrate these elements, and most of the detail processes described in
this chapter. Some basic assumptions constrain the implementation and effectiveness of any internal control
system, no matter how well it may be designed. It is also important to think about the evolution of intruders in
order to design effective controls. Controls are affected by laws and regulations.
But first, reasons will be given for a strong internal control system. There are business reasons, legal reasons,
and audit reasons.
The second assumption is that of reasonable assurance. There is no such thing as a perfect internal control
system. Controls can generally be compromised under the right conditions. No computer system is impervious
to attacks or malicious activities. In addition, controls have a cost, and the cost-benefit concept used in
accounting must be applied to controls as well. After all, if it costs $1 million to implement a control and
the risk assessment shows a risk of loss of $200,000, then the control does not pass the cost-benefit test. The
result is an exposure—a weakness in the control system. Internal control does not guarantee that an entity will
meet management objectives, or even that the firm will survive. Rather, internal controls are designed to
provide management with reasonable assurance regarding the achievement of these objectives.
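The cost-benefit test above, carried through as an added example (not from the book) over a small constructed risk register: a control whose cost exceeds the loss it averts fails the test and the risk remains an exposure. The `effectiveness` fraction (how much of the assessed loss a control is expected to avert) is an assumption introduced here so partial mitigation can be shown; the book's own case treats the control as averting the whole loss.

```python
"""Cost-benefit test for candidate internal controls (added example, not from the book)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlCandidate:
    risk: str
    expected_loss: float        # assessed loss if the risk materializes (from the risk assessment)
    control_cost: float         # cost of implementing the control
    effectiveness: float = 1.0  # assumed fraction of expected_loss the control averts (hypothetical field)


@dataclass
class Decision:
    risk: str
    implement: bool          # True if the control passes the cost-benefit test
    loss_averted: float
    net_benefit: float       # loss averted minus control cost
    residual_exposure: float # loss still unaddressed after the decision


def evaluate(candidate: ControlCandidate) -> Decision:
    """Apply the chapter's rule: implement only if the averted loss covers the control's cost."""
    if not 0.0 <= candidate.effectiveness <= 1.0:
        raise ValueError("effectiveness must be a fraction between 0 and 1")
    averted = candidate.expected_loss * candidate.effectiveness
    net = averted - candidate.control_cost
    implement = net >= 0
    # A failed test leaves the whole assessed loss as an exposure (a control weakness);
    # a passing control still leaves whatever fraction it does not avert.
    residual = candidate.expected_loss - averted if implement else candidate.expected_loss
    return Decision(candidate.risk, implement, averted, net, residual)


def exposures(register: list[ControlCandidate]) -> list[str]:
    """Names of risks left as exposures because their control fails the test."""
    return [d.risk for d in map(evaluate, register) if not d.implement]


def total_residual_exposure(register: list[ControlCandidate]) -> float:
    """Sum of residual exposure across the register, for reporting to the audit committee."""
    return sum(evaluate(c).residual_exposure for c in register)


# Constructed sample register; the first entry is the chapter's own $1M-vs-$200K case.
SAMPLE_REGISTER = [
    ControlCandidate("unauthorized ledger changes", expected_loss=200_000, control_cost=1_000_000),
    ControlCandidate("loss of transaction data", expected_loss=5_000_000, control_cost=750_000,
                     effectiveness=0.9),
    ControlCandidate("extended system outage", expected_loss=1_200_000, control_cost=1_200_000),
]

if __name__ == "__main__":
    for decision in map(evaluate, SAMPLE_REGISTER):
        print(decision)
    print("exposures:", exposures(SAMPLE_REGISTER))
```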
The third assumption is independence from the method of data processing. That is, the control objectives
should be designed without regard for the specific type of data processing. Certain control objectives may be
peculiar to information systems or information technologies, but generally, a strong control objective should
be just as applicable to a paper-based system as a computer-based system. The specific controls will vary with
different technologies, but the objectives should be process independent.
The fourth assumption deals with limitations, of which there are several. First, there will always be a
possibility of error in any accounting system. There will always be the possibility of circumvention of controls
by a determined and talented attacker. There is certainly always the possibility of management override of
controls. Last, there is the simple passing of time—conditions change. With changing conditions, effective
controls may become obsolete or ineffective and thus need constant re-evaluation (raison d'être for the
internal audit function!).
Then attacks became a little more sophisticated, such as hijacking sessions, back doors, sweepers, sniffers,
and stealth diagnostics. The technical knowledge became moderate instead of the high level of technical skills
needed earlier. In fact, the term "hacker" actually evolved from a complimentary term applied to those who had
a great deal of technical knowledge, knowing the administrative functions, commands, and intricacies of
operating systems.
By 1995, attacks became even more sophisticated. They included packet spoofing, use of intelligent agents,
denial of service, and a combination of the two—distributed denial of service. Yet the level of knowledge
diminished. In fact, there is such an abundance of malicious code, and so easy to obtain, that by the end of the
twentieth century, many intruders were called "script kiddies"—so named because young teenagers were
downloading script files and conducting attacks, all without a prerequisite high level of technical knowledge.
Therefore, the level of risk today is much higher than 20 years ago. It is necessary for the IA function and
other security personnel to understand the profiles of intruders and the types of popular tools being employed,
in order to be best prepared to defend the corporate assets. (See Section 3.8 for more details.)
The COSO report defines internal control as "a process, effected by an entity's board of directors,
management, and other personnel, designed to provide reasonable assurance regarding the achievement of
objectives in the following categories: effectiveness and efficiency of operations, reliability of financial
reporting, and compliance with applicable laws and regulations." The report emphasizes that the internal
control system is a tool of, but not a substitute for, management and that controls should be built into, rather
than built onto, operating activities. Although the report defines internal control as a process, it recommends
evaluating the effectiveness of internal control as of a point in time.
COSO recognizes that people are involved with internal control as members of the board of directors
(especially the audit committee), management, and other entity personnel such as internal auditors. Objectives
are categorized by COSO as operational, financial reporting, and compliance (see Exhibit 3.3).
COSO's "Internal Control Environment" covers factors such as integrity and ethical values of management,
competence of personnel, management philosophy and operating style, how authority and responsibilities are
assigned, and the guidance provided by the board of directors.
Under "Risk Assessment," COSO addresses the risk of failing to meet financial reporting objectives, failing to
meet compliance, and failing to meet operational objectives. COSO suggests the identification of external and
internal risks to the entity and to individual activities. The cost-benefit consideration is a part of the COSO
Model, as well as the dynamic nature of risk assessment. The COSO Model considers management's analysis
of risk and their ability to override and adjust the internal control system.
Information systems are covered in the "Information and Communication" segment of the COSO Model. This
area covers the need to capture pertinent internal and external information, the potential of strategic and
integrated systems, and the need for data quality. The Communication subsection discusses conveying internal
control matters, and gathering competitive, economic, and legislative information.
COSO discusses the "Monitoring" aspect by recognizing the need for management to monitor the entire
internal control system through the internal control system itself and through special evaluations directed at
specific areas or activities. It uses an internal perspective for monitoring, and covers them in broad terms.
"Control Activities" and procedures are discussed throughout the entity in the COSO Model. This model uses
only one classification scheme for IS control procedures (by contrast, SAC uses five different schemes).
COSO emphasizes the desirability of integrating control activities with risk assessment.
The AICPA has adopted the COSO Model officially by incorporating it into Statement on Auditing Standards
(SAS) No. 78. SAS 78 revised SAS No. 55: Consideration of Internal Control in a Financial Statement Audit,
and makes the COSO model part of external audit standards.
The CobiT Model [2] is the culmination of the evolution of ISACA's Control Objectives. In 1977, the
Electronic Data Processing Auditors Foundation (forerunner of ISAC Foundation) published the first Control
Objectives. It was a compilation of techniques and procedures for conducting IS audits covering various
information technologies. This book provided a normative model for IS auditors in performing their duties.
Control Objectives included not only objectives related to controls, but also audit procedures. The publication
matched a particular IT with certain controls that ought to be addressed when conducting IS audits in that area
or technology. Thus, Control Objectives provided IS auditors a benchmark to measure audit effectiveness and
emphasized best practices. The guidelines underwent revisions in 1980 and 1983 (second edition). The 1983
version was intended to be a complete overhaul of delineating the discharge of IS auditors' responsibilities.
Other revisions would occur in 1990 and 1992 (the fifth version of the document).
Then, in 1996, the ISAC Foundation revised the tools in Control Objectives into a new guidance publication
known as Control Objectives for Information Technology—CobiT. CobiT helps bridge the gaps between
business risks, control needs, and technical issues. It is a control model, or framework, to meet the needs of IT
Research for the first (1996) and second (1998) editions included the collection and analysis of identified
international sources and was carried out by teams in Europe (Free University of Amsterdam), the United
States (California Polytechnic University) and Australia (University of New South Wales). The researchers
were charged with the compilation, review, assessment and appropriate incorporation of international
technical standards, codes of conduct, quality standards, professional standards in auditing, and industry
practices and requirements, as they relate to the Framework and to individual control objectives. After
collection and analysis, the researchers were challenged to examine each domain and process in depth and
suggest new or modified control objectives applicable to that particular IT process. Consolidation of the
results was performed by the CobiT Steering Committee and the Director of Research of ISACF. [3]
The current edition is the third (2000) and is available on CD-ROM and online from ISACA. [4] CobiT
provides an Executive Summary, a Framework for control of IT, a list of Control Objectives, and a set of
Audit Guidelines. The latter two are reference works for the Framework.
CobiT adapted its definition of control from COSO: The policies, procedures, practices, and organizational
structures are designed to provide reasonable assurance that business objectives will be achieved and that
undesired events will be prevented or detected and corrected. CobiT adapts its definition of an IT control
from SAC: a statement of the desired result or purpose to be achieved by implementing control procedures in
a particular IT activity. The role and impact of IT controls as they relate to business processes are emphasized
in CobiT. The document outlines platform and application independent IT control objectives that can be
applied internationally.
CobiT combines the principles embedded in existing reference models in three broad categories: quality,
fiduciary responsibility, and security. From these broad requirements, the report extracts seven overlapping
categories of criteria for evaluating how well IT resources are meeting business requirements for information.
These criteria are effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability
of information. CobiT also classifies IT processes into four domains: planning and organization, acquisition
and implementation, delivery and support, and monitoring. These processes follow the system development
life cycle applicable to IT processes in any IT environment. CobiT includes definitions of both internal control
and IT control objectives, four domains of processes and 32 high-level control statements for those processes,
271 control objectives references to those 32 processes, and audit guidelines linked to the control objectives.
In order to emphasize both e-business impact and electronic delivery of the new material, in 2001 the IIA
Research Foundation issued a completely revised set of guidance, Electronic Systems Assurance and Control
(eSAC). It brings executive management, corporate governance entities, and auditors new information to
understand, monitor, assess, and mitigate technology risks. These guidelines examine and assess risks that
accompany each organizational component, including customers, competitors, regulators, communities, and
owners (see Exhibit 3.4).
The eSAC report defines the system of internal control, describes its components, provides several
classifications of controls, describes control objectives and risks, and defines the internal auditor's role. The
report provides guidance on using, managing, and protecting IT resources and discusses the effects of
end-user computing, telecommunications, and emerging technologies.
The eSAC report defines a system of internal control as: "a set of processes, functions, activities, subsystems,
and people who are grouped together or consciously segregated to ensure the effective achievement of
objectives and goals." The report emphasizes the role and impact of computer-based information systems on
the system of internal controls. It stresses the need to assess risks, to weigh costs and benefits, and to build
controls into systems rather than add them after implementation.
The system of internal controls consists of three components: the control environment, manual and automated
systems, and control procedures. The control environment includes organization structure, control framework,
policies and procedures, and external influences. Automated systems consist of systems and application
software. The eSAC report discusses the control risks associated with end-user and departmental systems, but
neither describes nor defines manual systems. Control procedures consist of general, application, and
compensating controls.
The eSAC report provides five classification schemes for internal controls in information systems: (1)
preventive, detective, and corrective, (2) discretionary and non-discretionary, (3) voluntary and mandated, (4)
manual and automated, and (5) application and general controls. These schemes focus on when the control is
applied, whether the control can be bypassed, who imposes the need for the control, how the control is
implemented, and where in the software the control is implemented.
Risks in eSAC are defined as fraud, errors, business interruptions, and inefficient and ineffective use of
resources. Control objectives reduce these risks and assure information integrity, security, and compliance.
Information integrity is guarded by input, processing, output, and software quality controls. Security measures
include data, physical, and program security controls. Compliance controls ensure conformance with laws and
regulations, accounting and auditing standards, and internal policies and procedures.
The role of internal auditors is also defined in eSAC. Their responsibilities include ensuring the adequacy of
the internal control system, the reliability of data, and the efficient use of the organization's resources. Internal
auditors are also to be concerned with preventing and detecting fraud, and coordinating activities with external
auditors. The integration of audit and IS skills and an understanding of the impact of IT on the audit process
are necessary for internal auditors. Internal audit professionals now perform financial, operational, and IS
audits.
A1 The entity has defined and communicated performance objectives, policies, and standards for system
availability.
A1.1 The system availability requirements of authorized users—and system availability objectives, policies,
and standards—are identified and documented.
A1.2 The documented system availability objectives, policies, and standards have been communicated to
authorized users.
A1.3 The documented system availability objectives, policies, and standards are consistent with the system
availability requirements specified in contractual, legal, and other service-level agreements and
applicable laws and regulations.
A1.4 Responsibility and accountability for system availability have been assigned.
A1.5 Documented system availability objectives, policies, and standards are communicated to entity
personnel responsible for implementing them.
A2 The entity utilizes procedures, people, software, data, and infrastructure to achieve system availability
objectives in accordance with established policies and standards.
A2.1 Acquisition, implementation, configuration, and management of system components related to system
availability are consistent with documented system availability objectives, policies, and standards.
A2.2 There are procedures to protect the system against potential risks that might disrupt system operations
and impair system availability.
A2.3 Continuity provisions address minor processing errors, minor destruction of records, and major
disruptions of system processing that might impair system availability.
A2.4 There are procedures to ensure that personnel responsible for the design, development, implementation,
and operation of system availability features are qualified to fulfill their responsibilities.
A3 The entity monitors the system and takes action to achieve compliance with system availability
objectives, policies, and standards.
A3.1 System availability is periodically reviewed and compared with documented system availability
objectives, policies, and standards.
A3.2 There is a process to identify potential impairments to the system's ongoing ability to address the
documented system availability objectives, policies, and standards and to take appropriate action.
A3.3 Environmental and technological changes are monitored and their impact on system availability is
assessed on a timely basis.
Security. The system is protected against unauthorized physical and logical access.
S2 The entity utilizes procedures, people, software, data, and infrastructure to achieve system security
objectives in accordance with established policies and standards.
S2.1 Acquisition, implementation, configuration, and management of system components related to system
security are consistent with documented system security objectives, policies, and standards.
S2.2 There are procedures to identify and authenticate users authorized to access the system.
S2.3 There are procedures to grant system access privileges to users in accordance with the policies and
standards for granting such privileges.
S2.4 There are procedures to restrict access to computer processing output to authorized users.
S2.5 There are procedures to restrict access to files on off-line storage media to authorized users.
There are procedures to segregate incompatible functions within the system through security
authorizations.
S2.10 There are procedures to protect the system against unauthorized physical access.
S2.11 There are procedures to ensure that personnel responsible for the design, development,
implementation, and operation of system security are qualified to fulfill their responsibilities.
S3 The entity monitors the system and takes action to achieve compliance with system security objectives,
policies, and standards.
I1 The entity has defined and communicated performance objectives, policies, and standards for system
processing integrity.
I1.1 The system processing integrity requirements of authorized users and the system processing integrity
objectives, policies, and standards are identified and documented.
I1.2 Documented system processing integrity objectives, policies, and standards have been communicated to
authorized users.
I1.3 Documented system processing integrity objectives, policies, and standards are consistent with system
processing integrity requirements defined in contractual, legal, and other service-level agreements and
applicable laws and regulations.
I2.2 The information processing integrity procedures related to information inputs are consistent with the
documented system processing integrity requirements.
I2.3 There are procedures to ensure that system processing is complete, accurate, timely, and authorized.
I2.4 The information processing integrity procedures related to information outputs are consistent with the
documented system processing integrity requirements.
I2.5 There are procedures to ensure that personnel responsible for the design, development, implementation,
and operation of the system are qualified to fulfill their responsibilities.
I2.6 There are procedures to enable tracing of information inputs from their source to their final disposition
and vice versa.
I3 The entity monitors the system and takes action to achieve compliance with system processing integrity
objectives, policies, and standards.
I3.1 System processing integrity performance is periodically reviewed and compared to the documented
system processing integrity requirements of authorized users and contractual, legal, and other
service-level agreements.
I3.2 There is a process to identify potential impairments to the system's ongoing ability to address the
documented processing integrity objectives, policies, and standards and take appropriate action.
I3.3 Environmental and technological changes are monitored and their impact on system processing integrity
is periodically assessed on a timely basis.
Maintainability. The system can be updated when required in a manner that continues to provide for system
availability, security, and integrity.
M1 The entity has defined and communicated performance objectives, policies, and standards for system
maintainability.
M1.1 Documented system maintainability objectives, policies, and standards address all areas affected by
system changes.
M1.2 Documented system maintainability objectives, policies, and standards are communicated to authorized
users.
M1.3 Documented system maintainability objectives, policies, and standards are consistent with the
requirements defined in contractual, legal, and other service-level agreements and applicable laws and
regulations.
M1.4 Responsibility and accountability for system maintainability have been assigned.
M1.5 Documented system maintainability performance objectives, policies, and standards are communicated
to entity personnel responsible for implementing them.
M2 The entity utilizes procedures, people, software, data, and infrastructure to achieve system
maintainability objectives in accordance with established policies and standards.
M2.1 Resources available to maintain the system are consistent with the documented requirements of
authorized users and documented objectives, policies, and standards.
M2.2 Procedures to manage, schedule, and document all planned changes to the system are applied to
modifications of system components to maintain documented system availability, security, and
integrity consistent with documented objectives, policies, and standards.
M2.3 There are procedures to ensure that only authorized, tested, and documented changes are made to the
system and related data.
M2.4 There are procedures to communicate planned and completed system changes to information systems
management and to authorized users.
M2.5 There are procedures to allow for and to control emergency changes.
M3 The entity monitors the system and takes action to achieve compliance with maintainability objectives,
policies, and standards.
M3.1 System maintainability performance is periodically reviewed and compared with the documented
system maintainability requirements of authorized users and contractual, legal, and other service-level
agreements.
M3.2 There is a process to identify potential impairments to the system's ongoing ability to address the
documented system maintainability objectives, policies, and standards and to take appropriate action.
M3.3 Environmental and technological changes are monitored and their impact on system processing
integrity is periodically assessed on a timely basis.
The evaluation of a system's reliability begins by understanding the basic components of the system. A system
is defined as a set of procedures used to accomplish specific results, and an information system consists of
five basic components organized to transform data inputs (raw facts) into information outputs. These five
basic components of a system are: (1) infrastructure, (2) software, (3) personnel, (4) procedures, and (5) data.
A reliable system is capable of operating without material error, fault, or failure during a specified period in a
specified environment.
Availability is defined by the system being available for operations. Security is the protection of the system
against unauthorized physical or logical access—including both the physical components and the data.
Integrity refers to system processing being complete, accurate, timely, and authorized. Maintainability refers
to the required updates of the system, and whether such updates will continue to provide for the other three
aspects above.
For each of these aspects, the CPA practitioner uses four categories of criteria: Policies, Communication,
Procedures, and Monitoring. For Policies, the CPA evaluates whether the entity had defined and documented
its policies relevant to the particular principle. Communication refers to the fact that the entity has defined and
communicated performance objectives, policies, and standards for the essential principle being evaluated
(availability, security, integrity, or maintainability). Procedures refer to the entity using procedures that are in
accordance with its established policies and standards. Monitoring is defined as the monitoring of the entity's
activities and the surrounding environment of the system to identify potential impairments to the system's
reliability and to achieve compliance with objectives, policies, and standards for the essential principle being
evaluated. To further assist the practitioner in the evaluation of these criteria, the Systems Reliability Task
Force developed a list of illustrative controls. This list is not intended to be comprehensive, so the practitioner
must tailor the list to the circumstances of the particular engagement. See Exhibit 3.5 for a list of the
illustrative controls.
e. Conclusion: Comparing and Contrasting the Models
Although the different control definitions contain similar concepts, the emphases are somewhat different (see
Exhibit 3.6 for a comparison table). The CobiT Model views internal control as a process that includes
policies, procedures, practices, and organizational structures that support business processes and objectives.
The eSAC report emphasizes that internal control is a system—a set of functions, subsystems, people, and
their interrelationships. The COSO Model accentuates internal control as a process—an integrated part of
ongoing business activities. SysTrust emphasizes the reliability of IS in financial reporting and business
activities.
Exhibit 3.6 (comparison table; the column headings were not recovered from the page, and the Monitoring row survives only as its label):
Focus: Overall entity; Information technology and overall entity; Information technology; Information systems
IC Effectiveness Evaluated: At a point in time; For a period of time; For a period of time; At a point in time
Responsibility for IC System: Management; Management; Management; Management
Size: 353 pages in four volumes; 664 pages in five volumes; 1,193 pages in 12 modules; A few online pages
Source: ISACA, from web site www.isaca.org/bkr_cbt3.htm. Reprinted with permission.
The use of the COSO Model components is one way to compare and contrast the four models. The following
analysis, therefore, is based on these five components.
1. Control Environment. The eSAC report describes three components of internal control. COSO
discusses five components. CobiT incorporates the five components of the COSO report and focuses
them within the IT internal control system. CobiT further bridges the gap between the broader
business control models such as COSO and highly technical IS control models—worldwide. SysTrust
describes four principles measured by four categories.
2. Information and Communication Systems. CobiT's focus is the establishment of a reference
framework for security and control in IT. It defines a clear linkage between IS controls and business
objectives. In addition, it provides globally validated control objectives for each IT process that gives
pragmatic control guidance to all interested parties. CobiT also provides a vehicle to facilitate
communications among management, users, and auditors regarding IS controls. The eSAC report,
however, focuses on automated IS. The document examines the interrelationships among internal
control and systems software, application systems, and end-user and department systems. The
volumes of eSAC provide guidance on internal controls in these areas. COSO discusses both
information and communication, emphasizing the need to capture internal and external information,
the potential of strategic and integrated systems, and the need for data quality. Communication
focuses on conveying matters related to the internal control system.
3. Control Objectives. CobiT, eSAC, and SysTrust examine control procedures relative to an entity's
automated IS. COSO discusses the control procedures and activities used throughout the entity. CobiT
classifies controls into 32 processes naturally grouped into four domains. SAC uses five different
classification schemes for IS control procedures. COSO only has one classification scheme, and
emphasizes the desirability of integrating control activities with risk assessment. SysTrust classifies
58 controls into four classifications.
4. Risk Assessment. COSO identifies risk assessment as an important component of internal control.
CobiT identifies a process within the IT environment as assessing risks, falling in the planning and
organization domain and with six specific control objectives associated with it. CobiT addresses, in
depth, several components of risk assessment in an IT environment. These include business risk
assessment, the risk assessment approach, risk identification, risk measurement, risk action plan, and
risk acceptance. It also deals directly with IT types of risk such as technology, security, continuity,
and regulatory risks. Lastly, CobiT addresses risk from both a global and systems-specific
perspective. Risk assessment is an explicit component of eSAC's system of internal control, and the
document contains extensive discussions of the importance of risk assessment as foundational to
internal controls. COSO and eSAC address risk concepts in a similar fashion. For example, both
address the risks of failing to meet compliance and operational objectives. SysTrust stresses the entire
attestation is to identify weak controls or other risks in the internal control system. Only one of the
controls, however, specifically addresses risk.
14 Chapter 3: Internal Control System
5. Monitoring. In contrast to COSO, CobiT, and SysTrust, eSAC does not explicitly include monitoring
as a component of the internal control system. SysTrust uses monitoring as one of the four categories
that must be addressed in each of the four principal areas of investigation. COSO discusses
monitoring activities in broad terms, and eSAC discusses specific monitoring activities that should be
performed. CobiT, in an in-depth manner, defines specific monitoring requirements and
responsibilities within the IT function. All the documents assign management the responsibility of
ensuring the adequacy of the internal control system and its continued effectiveness.
All of the models provide tools, or controls, as guidance in managing the internal control system. There are
some differences, as tools are usually explicit, but altogether there are more similarities between the
models. The more technology an entity uses, or the more reliance an entity has on
technology, the more it needs CobiT, eSAC, or SysTrust. If the entity conducts e-commerce and is
publicly traded, SysTrust makes a good choice. If an entity has only a modicum of technology and a
low-to-medium reliance upon IT, COSO is probably the best choice. The final choice is up to the IA
function, in matching the entity with the strengths of these individual models, or it may choose to
develop its own unique model.
[2]See www.isaca.org/cobit.htm.
[4]See www.isaca.org.
[5]An exposure draft exists that will change the principles to: (1) security, (2) availability, (3) processing
integrity, (4) online privacy, and (5) confidentiality.
[6]An exposure draft exists that will change the principles to: (1) security, (2) availability, (3) processing
integrity, (4) online privacy, and (5) confidentiality. These new principles will cause this chart to change
accordingly.
3.4 Regulations
Internal auditors know the importance of adhering to federal and state regulations. Some of them apply to
internal controls. (See Section 1.6, "History of Federal Regulations Related to Auditing.")
Securities and Exchange Commission (SEC) to maintain a system of internal control that is evaluated as part
of the annual external audit. The acts give the SEC authority to oversee the setting of Generally Accepted
Accounting Principles (GAAP) for publicly traded companies. They also convey the authority to investigate
cases of suspected financial fraud and to censure companies from trading (i.e., prevent the stock from being
traded publicly). The SEC laws have a direct impact on companies that have publicly traded stock, especially
regarding the need for a system of internal control and its evaluation.
A study of 121 Certified Information Systems Auditors (CISAs) showed that software piracy is a problem in
relatively large firms—those with about 3,000 microcomputers. Although almost all (91%) indicated an
organizational policy governing unauthorized duplication of software, they estimated that more than 20% of
their firms' employees had illegally copied software in the previous 12 months. Sixty percent of the auditors
reported that their typical audit program included a specific procedure that was designed to detect pirated
software. In spite of this fact, the auditors indicated that less than one-fourth of the audits that were conducted
in the previous 12 months actually included such a test. Surprisingly, over one-third of the sample indicated
that none of their audits included a test for unauthorized software.
Unauthorized software poses a legal and financial risk to firms. Risks (or exposures, as the case may be), such
as civil and criminal penalties, exist for those who use unauthorized or pirated computer software. These risks
also include significant monetary fines. Information systems auditors, in general, and CISAs, in particular,
should be especially concerned with these risks. However, it has been reported that many managers and
auditors are unaware of the potential legal liability from software piracy. According to ISACA, IS auditors
have a responsibility regarding the risks of software piracy to: (1) be aware of such risks, (2) communicate
these risks to management, (3) review software implementation, (4) develop adequate control procedures, and
(5) incorporate appropriate techniques or tools in audit programs to detect unauthorized use of software.
ISACA Standards (Section 030.010.010, Irregularities and Illegal Acts, paragraph 2.1.1) define irregularities
and illegal acts as "Other acts that involve noncompliance with laws and regulations, including the failure of
IT systems to meet applicable laws and regulations." The Standard further clarifies that ISACA believes it is
management's responsibility to prevent and detect irregularities and illegal acts, and not the IS auditor's,
unless evidence exists that would indicate an irregularity or illegal act has occurred. ISACA Standards assert
that IS auditors should be familiar with irregularities and illegal acts that are common to a particular industry
or have occurred in similar organizations (paragraph 4.1.5).
As a result of these frauds and related pressures brought on the U.S. Congress, the Sarbanes-Oxley Act was
passed in the summer of 2002. The subsequent rules and regulations by the Securities and Exchange
Commission (SEC) and New York Stock Exchange (NYSE) will have a dramatic effect on internal controls
for publicly traded companies. According to Section 404 (Management Assessment Of Internal Controls),
affected companies are required to: (1) state the responsibility of management for establishing and
maintaining an adequate internal control structure and procedures for financial reporting, and (2) contain an
assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and
procedures of the issuer for financial reporting. For the first time, the NYSE now requires an IA function in all
listed companies.
Because the law requires CEOs and CFOs to report on their internal control systems and sign off on—and
therefore certify—their financial statements filed with the SEC, this law will force top executives to assure the
adequacy of their internal control systems. The role of internal controls and the system of internal controls has
become more critical. Therefore, the material in this chapter is an important resource for IA in performing this
critical and required function. (See also Sections 1.6(e) and 9.2 for more on the Sarbanes-Oxley Act.)
Management Policy
    System Development
    System Usage
    Security (especially passwords)
    Privacy
    E-Mail
    Business Recovery Plans
Regulations
    SEC
    FCPA
    Environmental
    Copyright (e.g., software piracy)
Risk Assessment
    Internal Threats:                        External Threats:
    Malicious Activities                     Remote Access
    Accidents                                Intruders:
    Disgruntled Employees                      Hackers/Crackers/Script Kiddies
    Ineffective Accountability               Viruses
    Financial Fraud/Theft of Assets          Computer Crime
Control Strategies
    Prediction (e.g., monitoring systems)
    Prevention (e.g., multi-layered firewall)
    Detection (e.g., intrusion detection system)
    Correction (e.g., DRP/IRP)
Computer—General Controls                    Computer—Application Controls
Policies may be developed before a risk assessment is formally conducted, but if so, they are definitely
affected by an appropriate risk assessment. Therefore policies, to some degree, will need to be flexible and
dynamic in order to accommodate evolving issues. A well-written policy, however, should state in broad
terms the organization's objectives regarding areas such as those discussed and allow the details and specifics
to evolve based on the expertise and knowledge of the internal auditors and maybe IS personnel.
One systems development life cycle (SDLC) concept that is often overlooked in actual practice is that of
taking systems off-line for upgrades, updates, and so on, and bringing them back online only after testing the
new system thoroughly. It is recommended that this concept be included as corporate policy.
c. Security Policy
Another critical policy is the security (or information security—InfoSec) policy. Internal auditors need to
assist management in establishing fundamental security objectives tied to business objectives and assets that
need protection from identified risks. One goal of the security policy is to emphasize to all
stakeholders—employees in particular—that information and data are not just computer files—they are assets
that have a value. A security policy will remind employees of the importance and value of information they
handle, and the risks or exposures that exist. Such a policy will help create a corporate culture that is security
conscious. For a good overview of why to have an InfoSec policy, and how to develop it, view Computer
Emergency Response Team's (CERT's) presentation. [8]
d. Password Policy
A significant part of the security policy is a password policy. An effective password policy is a strategic
advantage in maintaining strong internal controls and helps to minimize adverse events such as computer
crime, fraud, and other unauthorized activities. It has been shown that an effective password system in
operation prevents the majority of potential unauthorized activities. In one recent study, a researcher stated
that 80% of the fraud and malicious activities he found could have been prevented with an adequate password
system.
For example, a former AT&T employee stole thousands of dollars of materials after being terminated. He
used his password to get into the system, then cracked the purchasing agent's password, then ordered materials
and had them shipped to him at a remote location. In a similar case, a former network administrator for a
medium-size firm was terminated. He later logged onto the system with his regular password and proceeded
to destroy live data and online backup data. The company almost went bankrupt. Obviously, in both
circumstances, the passwords for the terminated employees should have been disabled immediately upon
dismissal. That simple procedure would have prevented both tragedies.
Therefore, the password policy needs to include a strong statement about authentication and authorization via
access to systems using appropriate password schemes and structures, including the immediate removal of
passwords when an employee is dismissed. (See Section 3.8(b) for more details on passwords; see Exhibit 3.8
for additional guidance in developing an effective password policy.)
Communication — Promote it, use it during employee training or orientation, and find ways to continue to
raise awareness within the organization.
Multi-faceted — For example, use multiple levels of access requiring multiple passwords; use a password
matrix of data to grant read-only, read/write, or no access per data field per user; use biometrics (such as
fingerprints, voice prints), smart cards, or beeper personal identification numbers (PINs) in conjunction with
remote logins; and user-defined procedures.
≥ 6 characters — The more characters, the more difficult to guess or crack. Eight characters provide an
effective length to prevent guessing, if combined with below.
Mix numbers, special characters with alphabet — The more non-alpha, the harder to guess or crack. Make
them case-sensitive, and mix upper and lower case.
Regular forced changes — At regular intervals, make employees change their passwords.
Protection of individual passwords — Prohibit the sharing of passwords or "post-its" with passwords
located near one's computer.
Limited trials — Limit the number of false attempts to access the system with invalid data to about three. Lock
the account after 1-3 attempts to prevent hacking.
Notification of significant employee changes — Make sure the IS department is notified immediately when
an employee is terminated or reassigned where responsibilities require a change in system access. This
process prevents a disgruntled employee from perpetrating malicious activities.
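The policy items above, turned into checks an internal auditor could run against an account list. This is an added example, not code from the book; the 8-character minimum (the text gives six as the floor and eight as the effective length), the 90-day forced-change interval and the 3-attempt lockout are assumed values chosen for illustration.

```python
"""Password-policy checks modelled on the Exhibit 3.8 items.

Added example, not code from the book. MIN_LENGTH, MAX_AGE_DAYS and
MAX_FAILED_ATTEMPTS are assumed values; a real policy sets its own.
"""
from dataclasses import dataclass
from datetime import date
import string

MIN_LENGTH = 8           # "Eight characters provide an effective length"
MAX_AGE_DAYS = 90        # "Regular forced changes" (assumed interval)
MAX_FAILED_ATTEMPTS = 3  # "Limited trials ... to about three"


def check_password_strength(password: str) -> list:
    """Return the policy rules the candidate password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("does not mix upper and lower case")
    if not any(c.isdigit() for c in password):
        problems.append("contains no number")
    if not any(c in string.punctuation for c in password):
        problems.append("contains no special character")
    return problems


@dataclass
class Account:
    user: str
    password_changed: date
    employed: bool = True
    failed_attempts: int = 0
    locked: bool = False


def password_expired(acct: Account, today: date) -> bool:
    """'Regular forced changes': the password is overdue once older than MAX_AGE_DAYS."""
    return (today - acct.password_changed).days > MAX_AGE_DAYS


def record_login_attempt(acct: Account, success: bool) -> bool:
    """'Limited trials': count consecutive failures and lock the account at the limit.

    Returns True only when the attempt is accepted. A locked account or a
    terminated employee is refused even with the correct password.
    """
    if acct.locked or not acct.employed:
        return False
    if success:
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
    return False


def terminate(acct: Account) -> None:
    """'Notification of significant employee changes': disable access on dismissal.

    Both cases in the text (the AT&T employee and the network administrator)
    would have been stopped by this single step.
    """
    acct.employed = False
    acct.locked = True


def audit_accounts(accounts, today: date) -> list:
    """Auditor's test of the policy: (user, finding) pairs for each exception found."""
    findings = []
    for a in accounts:
        if not a.employed and not a.locked:
            findings.append((a.user, "terminated employee still has active credentials"))
        if a.employed and password_expired(a, today):
            findings.append((a.user, "password older than %d days" % MAX_AGE_DAYS))
    return findings


if __name__ == "__main__":
    # Constructed sample accounts: one stale password, one ex-employee never disabled.
    today = date(2002, 6, 30)
    accounts = [
        Account("agent", date(2002, 1, 15)),
        Account("netadmin", date(2002, 5, 1), employed=False),
        Account("clerk", date(2002, 6, 1)),
    ]
    for user, finding in audit_accounts(accounts, today):
        print(user, "-", finding)
```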
e. E-Mail Policy
Internal auditors should also assist management in developing an e-mail policy that describes appropriate use
of corporate e-mail resources. In order to enforce the policy, management will likely need to audit e-mail
messages from time to time. If there is ever a need to access an employee's e-mail messages, management
should make sure that such access is stated in the e-mail policy and that all employees are aware that their
e-mail could be read by management or staff. Otherwise employees rightfully could complain, maybe even
sue successfully, for violation of privacy. The policy should address the unethical activities discussed later in
this chapter and procedures for opening attachments—because they could be viruses or other malicious codes.
It should also be signed by every employee using corporate e-mail resources.
See Exhibit 3.9 for a checklist or questionnaire about e-mail controls. Also see Section 3.6(b) for discussion
on a variety of e-mail issues that are unethical or detrimental, all of which need to be considered in the e-mail
policy.
1. Are there effective procedures and controls in place to prevent viruses from penetrating the IS of the
enterprise via e-mail attachments (a thorough anti-virus system—see Exhibit 3.11)?
2. Are there effective procedures and controls in place to prevent employees from broadcasting hoax
virus warnings to the employees of the enterprise?
3. Are there effective procedures and controls in place to prevent flaming by employees?
4. Are there effective procedures and controls in place to prevent spamming? Has the enterprise
determined which states have laws regarding spamming, and have the details of applicable laws been
incorporated into policy and controls?
(most organizations, according to statistics) do not plan adequately for any of the recovery procedures.
However, the simple truth is every organization will deal with business recovery in some form or the other, to
some extent or scope. Not only can natural or man-made disasters disrupt the commercial affairs of an
organization, but system errors, system failures, hacking, or other computer attacks can also cause disruption.
For disaster recovery, the policy should include some basics of the disaster recovery plan. For example, the
ability to recover critical operations with minimal downtime should be the objective of the plan and the
foundation of the policy. The plan itself should cover backup measures for a site, hardware, system software,
application software, data, supplies, and documentation (see Exhibit 3.10). In addition, the plan should
include a means to develop a ranking of critical applications and to test effectiveness.
Site — A backup site facility, including appropriate furniture, housing, computers, and telecommunications.
Another valid option is a mutual aid pact, where a similar business or a branch of the same company swaps
availability when needed.
Hardware — Some vendors provide computers with their site, known as a "hot site" or recovery operations
center. Some do not provide hardware, known as a "cold site." When hardware is not available, make sure the
plan accommodates compatible hardware (e.g., the ability to lease computers).
System Software — Some hot sites provide the operating system. If not included in the site plan, make sure
copies are available at the backup site.
Application Software — Make sure copies of critical applications are available at the backup site.
Data Backups — One key strategy in backups is to store copies of data backups away from the business
campus, preferably several miles away or at the backup site. Another key is to test the restore function of data
backups before a crisis.
Critical Applications — Rank critical applications so an orderly and effective restoration of computer
systems is possible.
Team — The specific team members and their roles should be written, understood, and rehearsed. The team
leader is a critical success factor of the plan.
Supplies — A modicum inventory of supplies should be at the backup site or be able to be delivered quickly.
Documentation — An adequate set of copies of user and system documentation. Also, the steps and
elements of the plan itself should be documented with adequate detailed information.
TEST! — The most important element of an effective Disaster Recovery Plan is to test it before a crisis
occurs, and to test it periodically (e.g., once a year).
Results from one survey show data losses were due to hardware or system malfunctions (44%), human error
(32%), software malfunctions (14%), viruses (7%), and natural disasters (3%). To survive such events with
minimal losses, a business needs to formalize recovery procedures into a business recovery plan. It serves this
purpose and provides protection against other undesirable events, and usually goes beyond such ordinary
business decisions as insurance. Obviously, it is critical when disasters actually occur (e.g., hurricanes, floods,
or the attacks on the World Trade Center on September 11, 2001). A cost-benefit analysis will also raise
eyebrows to the necessity of having an appropriate set of business recovery plans. Therefore, internal auditors
should encourage management to have written policies about restoring or recovering systems and/or data
before a detrimental event occurs.
g. Privacy Policy
Information about individuals, either personal data or data about actions, is generally considered private
information. If an entity observes an employee secretively, it can be taken as intrusive; in some cases, the
legal system considers it an invasion of privacy. To protect the company from either of these injurious events,
the company should protect the private information of employees wherever possible. When data is captured to
ensure compliance with policies, employees should be asked to sign the pertinent policy to ensure their
knowledge of this type of observation, the type of data about the employee being captured, and the
ramifications for violations.
For entities that have interactions with customers or clients over the Internet, a privacy policy should be
developed for them regarding information collected by the entity (e.g., cookies). Then, this policy should be
easily found on the web site home page and accessible to all customers or prospects. It is important for
customers or potential customers to know how the entity will use their information, what the cookies will
contain, and how they will function in order to make them comfortable in conducting business online.
[8]www.cert.org/present/cert-overview-trends/module-6.pdf
Assessment, (3) Information and Communication, (4) Monitoring, and (5) Control Activities. Lately, internal
auditing has also put more focus on risk assessment. The current definition of internal auditing by the IIA
states:
• Internal auditing is an independent, objective assurance and consulting activity to add value and
improve an organization's operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.
In 2000, the IIA basically adapted risk assessment as the cornerstone of audits in its Standards. In the Nature
of Work section (SPPIA 2100), the first standard relates to Risk Management (SPPIA 2110). It states: "The
internal audit activity should assist the organization by identifying and evaluating significant exposures to
risk and contributing to the improvement of risk management and control systems." In order to develop
effective audit planning, some type of risk analysis is necessary because it provides strategic direction for
limited resources.
One model for investigating risks is to view them as internal risks and external risks. This manual uses this
simple model for discussing some of the more common risks that exist in the average organization. See
Section 6.1(b) of this manual for more about risk assessment, especially as it relates to audit planning.
There are several groups to think about in assessing risk from internal sources. Disgruntled employees as a
group probably present the highest risk—even more than hackers external to the firm. These people can be
motivated to cause extensive harm to the organization and, depending on their knowledge and access to
systems, data, and assets, may cause very costly damage.
Second, management itself is a risky group. Because of their unique position to override controls, they can
more easily commit fraud, especially financial fraud. If management is subjected to monetary pressures (e.g.,
they have stock options, but declining profits are driving stock prices down, or their bonuses are based on
profits, etc.), they may be tempted to "cook the books." Even the normal aggressive nature of driven managers
can become a risk if not mitigated by strong personal and corporate ethics, and an effective internal control
system (e.g., audit committee). One management accountant reported his dilemma when his boss wanted him
to reverse a correct accounting transaction because it caused a department to miss its profit goals (budget
variances) for the first time in months. Such actions are indicative of ethical soft spots that can lead to fraud,
theft, or material misstatements. Because of the nature of internal audit, it is difficult to assess this risk, but it
should be analyzed thoroughly during external financial audits.
Another dangerous group is the one of employees with personal problems. These conditions can motivate
fraud, theft, or misuse of assets. For example, a person who has a severe deficit cash flow, for whatever reason
(e.g., gambling, excessive lifestyle, etc.), coupled with weak controls or opportunity, may be tempted to steal
assets to cover personal losses; often with the intent to "pay back" the organization shortly. Numerous
reported frauds give credence to this particular set of risky circumstances internally. It is also possible
someone in the firm will become an industrial spy.
Malicious activities include destructive activities directed at the data or information system, communications
to outsiders that would be detrimental to the organization, theft or fraudulent activities related to assets, and
other similar activities.
A sample of accidents using the internal view would include the following: inadvertent data destruction (e.g.,
erasing a hard drive), unintentional IS interruptions (e.g., infesting it with a virus or worm), errors in systems
development, and errors in accounting data.
Another area of concern is ineffective accountability. It is possible to create a strong set of appropriate internal
controls only to have them fail to operate effectively. For example, well-designed systems provide error
reports or logs where errors have been detected but not corrected. Failure to review such reports on a timely
basis and provide corrective action quickly not only fails to correct an existing error but may likely lead to
further errors. First, if the error is systematic, then obviously it will occur again when the circumstances are
duplicated. Second, if the error report has actually identified a fraudulent event, this oversight can
inadvertently allow the fraud to be perpetrated without discovery. A similar result can happen if management
fails to enforce policies when violations occur. Such neglect could encourage further violations or even extend
the scope of violations, since employees would know that repercussions are not forthcoming.
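The two failure modes just described (errors detected but left uncorrected, and systematic errors that recur whenever the circumstances repeat) as a review an auditor could run over an exception log. This is an added example, not from the book; the log format, the error ids, the descriptions and the 10-day tolerance for open items are constructed for illustration.

```python
"""Review of an exception report for 'ineffective accountability'.

Added example, not code from the book. The log format (ISO date,
DETECTED/CORRECTED, error id, description) and the 10-day tolerance are
constructed for illustration.
"""
import re
from datetime import date

# Constructed sample exception report: a DETECTED entry with no matching
# CORRECTED entry is an open item still awaiting corrective action.
SAMPLE_LOG = """\
2002-03-01 DETECTED E101 journal entry out of balance, batch 17
2002-03-02 CORRECTED E101 batch 17 reposted
2002-03-03 DETECTED E102 duplicate vendor invoice 44871
2002-03-10 DETECTED E103 journal entry out of balance, batch 23
2002-03-12 DETECTED E104 journal entry out of balance, batch 25
2002-03-15 CORRECTED E103 batch 23 reposted
"""


def parse_log(text):
    """Split each line into (date, event, error id, description)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, event, err_id, desc = line.split(" ", 3)
        entries.append((date.fromisoformat(day), event, err_id, desc))
    return entries


def open_errors(entries, as_of, tolerance_days=10):
    """Errors detected but still uncorrected after the tolerance: (id, days open, description).

    These are the items a timely review should have escalated; an open item
    that actually flagged a fraudulent event lets the fraud go on undiscovered.
    """
    detected = {}
    corrected = set()
    for day, event, err_id, desc in entries:
        if event == "DETECTED":
            detected[err_id] = (day, desc)
        elif event == "CORRECTED":
            corrected.add(err_id)
    stale = []
    for err_id, (day, desc) in detected.items():
        age = (as_of - day).days
        if err_id not in corrected and age > tolerance_days:
            stale.append((err_id, age, desc))
    return sorted(stale)


def time_to_correct(entries):
    """Days between detection and correction for each closed error."""
    detected = {}
    closed = {}
    for day, event, err_id, _desc in entries:
        if event == "DETECTED":
            detected[err_id] = day
        elif event == "CORRECTED" and err_id in detected:
            closed[err_id] = (day - detected[err_id]).days
    return closed


def recurring_errors(entries, min_count=2):
    """Systematic errors: one description recurring under different batch or document numbers.

    Digits are normalised to 'N' so repeats of a single root cause count together.
    """
    counts = {}
    for _day, event, _err_id, desc in entries:
        if event != "DETECTED":
            continue
        key = re.sub(r"\d+", "N", desc)
        counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= min_count}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for err_id, age, desc in open_errors(entries, date(2002, 3, 31)):
        print("OPEN %s (%d days): %s" % (err_id, age, desc))
    for desc, n in recurring_errors(entries).items():
        print("RECURRING x%d: %s" % (n, desc))
```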
One other observation must be made concerning internal controls, fraud, and management. COSO made a
study of 200 randomly selected cases of alleged financial fraud investigated by the Securities and Exchange
Commission—about two-thirds of the 300 SEC probes into fraud between 1987 and 1997. In that decade,
most of the financial frauds among public companies were committed by small corporations—well below
$100 million in assets. Top senior executives were involved in most of the cases (CEO and/or CFO in 83% of
the cases). The average misstatement or misappropriation of assets was $25 million, with a median of $4.1
million. The size of the fraud relative to the size of the company is quite large. Some companies committing
fraud were experiencing net losses or were at close to break-even positions in periods before the fraud.
Pressures of financial strain or distress may have provided incentives for fraud for some companies. For
internal auditors of firms of this size, these findings provide valuable input to a risk assessment.
If the company has employed electronic commerce, there are a number of risks to consider. These risks, being
unique, require some special expertise regarding internal controls. It begins with security of data.
While online, there is a risk that the data used in an e-commerce transaction might be stolen. However, secure
sockets layer (SSL) and secure electronic transaction (SET) have proven to be nearly invincible, using
encryption combined with public keys to protect data while exposed online. Both serve as effective tools in
preventing theft of data while online. It is after the online transaction is consummated that credit card data has
been stolen. For example, one online storefront selling compact discs (CDs) took down its firewall to upgrade
the system. Once the upgrade was completed, the connection was restored but IS employees forgot to
reactivate the firewall. Crackers broke through the system and stole files containing thousands of credit cards,
and then held the firm hostage—threatening to post the credit card data on the Internet unless the firm paid the
ransom. The episode was devastating to the CD company, causing its financial collapse. This also
demonstrates the combination of risks: an accident (firewall not restarted) and crackers (stolen credit card
data). There are other reports of "crackers" (see "Types of Criminals" in this chapter for definition and
description of cracker) stealing credit card data but always from files on the back office computers or web
servers after the transactions were completed online.
Some adverse activities have the objective of disrupting service (availability). For instance, denial of service
(DoS) and/or distributed denial of service (DDoS) attacks are examples of crimes other than theft, in which
crackers bring down an e-commerce server with technically devised computer attacks. One series of attacks
brought down eBay and Yahoo, among others, in early 2000. Yet even here, there were early warnings from
certain groups that a DDoS attack was pending.
The likelihood of these kinds of attacks depends on whether they occur because of personal reasons (e.g.,
vengeance from disgruntled former employee or a computer whiz out to get your business) or because the
organization is high-profile (e.g., government entity, eBay, Yahoo, amazon.com, etc.). For internal auditors,
that means the level of risk is lower if the company has a low profile, is not a government entity, or has a low
level of online transactions. Nevertheless, there is a serious threat to anyone connected to the Internet today,
including desktop computers of a firm.
The highest risk associated with the Internet is neither hackers nor crackers but viruses or worms. It is
relatively easy to spread malicious code as attachments to e-mail. And while it is virtually impossible to
activate a virus by simply opening an e-mail message, Microsoft complicated that by allowing the automatic
opening of attachments in Outlook. Almost all widespread viruses depend on the features of Outlook (e.g.,
automatically open attachments) and the address book on each computer. One relatively easy and cheap way
to stop the spreading from a single infected computer is to add a bogus e-mail address to the address book
that will sort to the top. The costs of damages created by viruses and worms in 2001 ran $12 billion— each of
the several successful ones perpetrated costing millions. Therefore, it is very important for internal auditors
and the internal control system to address this risk specifically and conscientiously. Anti-virus software alone
is insufficient as a control. For instance, new viruses would not be included in the database/definitions of an
anti-virus system. Thus, some sort of dynamic, daily warning system is necessary. Several mailing lists offer
this service, including CERT, [10] SANS, [11] and Zdnet, [12] and IA should ensure the responsible party is
subscribed to this kind of mailing list. Exhibit 3.11 provides a model for an effective anti-virus system.
Exhibit 3.11: Anti-Virus System/Model
2. Require regular desktop and laptop updates of virus definitions and databases (use e-mail reminders
and/or policy).
3. Responsible person or group subscribes to a credible virus alert mailing list (Cnet, Zdnet, Norton
Anti-Virus Center, CERT, and others — to identify emerging viruses that cannot be detected using
existing anti-virus databases, and to be able to get the newest anti-virus definitions when a new virus
is released on the Internet).
4. Regular virus scans of PC hard desktops and laptops (part of regular anti-virus maintenance).
5. Filter e-mail servers (using routers, firewalls, or software) for potential viruses.
8. Measures to prohibit propagation of hoax viruses (e.g., policy to not forward virus warnings except
by executive designate).
There are several other problem areas or risks associated with e-mail. One is the fact that some virus warnings
via e-mail are simply hoaxes. They are a problem, but much less costly than real viruses. Yet it only takes a
minute to access one of the several hoax centers (e.g., computer incident advisory capability (CIAC), [13]
Norton Anti-Virus Center [14]) to authenticate the message before forwarding it to everyone you know—the
hidden purpose of the perpetrator. One suggestion regarding policy is to forbid broadcasting virus warnings
from anyone other than a designated person or group. If a person receives a message and he/she thinks it is
legitimate, that person would be required to forward the message to the enterprise anti-virus person or group.
This person or group can then authenticate any virus warnings and broadcast appropriate messages. By
centralizing broadcast warnings, the enterprise can eliminate the waste of resources associated with hoax
viruses (time to delete, clogging bandwidth with numerous bogus messages, etc.).
Another e-mail risk to consider is flaming (electronic smash mouth, trash talking, derogatory messages, and
even biased remarks). Such use of corporate e-mail should be prohibited, whether the target of the attack is
another employee or the company. It can be a serious problem, even leading to litigation, if it involves sexual
harassment or racial slurs.
Spamming (junk e-mail) is a risk because it can clog bandwidth much like hoax viruses. Many states have
laws against spamming. But as long as the message has some mechanism to disable future messages, it is not
considered spamming, although often such mechanisms do not work. Internal auditors should investigate
Chapter 3: Internal Control System 25
spamming legislation in the states where the enterprise has servers and promote an appropriate policy
regarding the handling of spamming—received or sent. America Online (AOL) has a strict policy regarding
spam and enforces it—as such AOL serves as a good model to follow. Anti-spam software packages are
available but some have problems making a consistent distinction between spam and legitimate e-mail.
Spoofing (impersonating) can also be a risk. Spoofing refers to e-mail messages that pretend to be sent
(authorized) by someone who has no knowledge of the message. For example, an e-mail message could be
broadcast to the enterprise's employees informing them of a day off, or some other message, and give the
appearance of being authentic (such as the signature of an executive), yet be a bogus message. Exhibit 3.9
provides a questionnaire for internal auditors that could be used to audit the e-mail services of an entity.
There are objects or code agents that pose threats similar to viruses or worms—be it applets, scripts, ActiveX
elements, or other objects. Be sure the IS department has taken the necessary precautions to prevent these
objects from carrying out destructive code. Crackers and script kiddies also take advantage of security holes in
systems. These holes allow outsiders to gain unauthorized access to systems, after which they can carry out a
wide variety of malicious activities, all unnoticed. Controls and procedures need to be developed to effectively
protect against such attacks and risks. See Exhibit 3.12 for a set of basic vulnerability controls, Exhibit 3.13
for a questionnaire related to vulnerabilities, and Exhibit 3.14 for a list of the Top 20 vulnerabilities. The
latter, developed by SysAdmin, Audit, Network, Security (SANS) and the FBI, documents the vulnerabilities
most often exploited by attackers and intruders.
5. ALWAYS test all changes, fixes, plugs OFFLINE before putting the system back online.
Exhibit 3.14: SANS Institute: Top 20 Most Critical Internet Security Vulnerabilities (ver. 2.502) [15]
U4—R commands
[10] See www.cert.org.
[11] See www.sans.org.
[12] See www.securityresponse.symantec.com/avcenter or www.norton.com.
[13] See www.ciac.org/ciac by U.S. Department of Energy.
[14] See www.securityresponse.symantec.com/avcenter/ or www.norton.com.
[15] G = General Vulnerabilities, W = Windows Vulnerabilities, U = UNIX Vulnerabilities. See
www.sans.org/top20.htm.
i. Prediction
The first area, prediction, is the most difficult. Profiling and background checks are specific activities that
serve to predict malicious behavior or actions. Others include systems that are capable of generating accurate
warnings regarding malicious activities. Two examples are certain mailing lists and Internet warning systems.
One good example is the early warning system of a mailing list for malicious activities such as viruses and
security vulnerabilities. When a new virus is released on the Internet, several organizations watch for it
and publish early warnings via a mailing list. These organizations include non-profit or government ones such
as CERT, some of the anti-virus manufacturers such as Norton, and technical publications such as ZDnet.
Since anti-virus software is vulnerable to a new virus, such a system is both "predictive" and preventive, and
as such is critical to protecting assets (see Exhibit 3.11 to illustrate the inclusion of a predictive step in an
anti-virus set of controls). Another type of predictive control is an Internet-wide monitoring system such as
those employed by CERT, [16] BUGTRAQ, [17] and the Internet Storm Center (ISC). [18] The latter uses a
similar approach to the virus warning systems—monitoring the Internet in a broad manner to determine if any
malicious activity is emerging. The infamous Berkeley Internet Name Domain (BIND) attack is an example of
how access to the ISC serves as a predictive control.
On March 22, 2001, intrusion detection sensors around the globe logged an increase in the number of probes
to port 53—the port that supports the domain name service. Attacks on port 53 are significant only because
the software program called BIND [19] uses that port, and versions of BIND that had not been recently updated
had a vulnerability that attackers could use to take over the systems. [20] Thousands of organizations that had
not updated their version of BIND were being infected with a worm called Lion. Lion stole password files
from infected machines and sent them to a site in China, and it installed a distributed denial of service (DDoS)
tool so that the infected machines could be used in denial of service attacks. But hundreds of intrusion
detection sensors that were logging attacks had become part of regional and industry-specific security
monitoring networks. They sent their logs to analysis sites. There the data was aggregated and charted
automatically, and posted for analysis at SANS. Analysts immediately saw a spike in the number of attacks on
DNS Port 53. Some kind of man-made, "electronic storm" (actually an electronic packet storm) was sweeping
through the Internet. The analysts determined what damage the worm did and how it was able to do it, and
then they developed a computer program to determine which computers had been infected. They tested the
program in multiple sites and they also let the FBI know of the attack. Just 14 hours after the spike in port 53
traffic was first noticed, the analysts were able to send an alert to 200,000 people warning them of the attack
in progress, telling them where to get the program to check their machines, and advising what to do to avoid
the worm. This episode demonstrates the value of sharing intrusion detection logs in real time. Only in the
regional and global aggregates was the attack obvious, which allowed the expeditious response to slow and
then stop the attacks—and serve as a predictive control for many organizations.
The technology, people, and networks that found the Lion worm were all part of the SANS Institute's
Consensus Incident Database (CID) project that had been monitoring global Internet traffic since November
2000. CID's contribution the night of March 22 was sufficient to earn it a new title: Internet Storm Center.
Today Internet Storm Center gathers more than 3 million intrusion detection log entries every day. It is
rapidly expanding in a quest to do a better job of finding new storms faster, isolating the sites that are used for
attacks, and providing authoritative data on the types of attacks that are being mounted against computers in
various industries and regions around the globe. Internet Storm Center is a free service to the Internet
community. The work is supported by the SANS Institute from tuition paid by students attending SANS
security education programs. [21]
Another source that can serve as a predictive control is CERT. The CERT Coordination Center (CERT/CC) is
located at the Software Engineering Institute (SEI), a federally funded research and development center at
Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the Morris worm incident, which brought
10% of Internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency
(DARPA) charged the SEI with setting up a center to coordinate communication among experts during
security emergencies and to help prevent future incidents. Since then, the CERT/CC has helped to establish
other response teams, and their incident handling practices have been adapted by more than 200 response
teams around the world. CERT focuses on protecting systems against potential problems, reacting to current
problems, and predicting future problems. The organization's work involves handling computer security
incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems,
and developing information and training to help entities improve security at their site. The security alerts and
mailing lists are excellent sources for predictive controls.
It could be argued that the internal auditor's experience and professional judgment have predictive powers of
sorts. If the company is experiencing a high degree of pressure in the stock market (e.g., declining stock
prices, earnings per share below street predictions), and there is a weakening or soft profitability (e.g.,
declining profits, declining revenues, economic woes of some sort), and personal weaknesses in executives
(e.g., lifestyle is high or beyond means, weak personal ethics), then there is a high risk of financial fraud; that
is, it could be predicted. Most major financial frauds of the past have these factors in common. For employees,
it is opportunity (exposure) combined with personal weaknesses; and the possible result is theft. Many past
employee thefts have these traits in common. Therefore, the professional judgment of auditors should be
viewed as and used as a predictive control. For financial fraud, this "control" is effective if, and only if, the
internal auditors report directly to the audit committee.
Some emerging technologies are being used to build predictive models with a relatively high degree of
accuracy. Technologies such as artificial neural networks (ANN) have been shown to be more accurate than
other modeling tools at making predictions where the data is extensive or complicated. Studies have shown
the ability of ANN to predict with a relatively high degree of accuracy such events as financial distress of a
firm (e.g., bankruptcy). Therefore it is not beyond the realm of possibility to use an ANN to build a predictive
model for control breaches, "training" it by using actual past data. However, it does take special skills to
properly build such a system.
ii. Prevention
Secondly, activities should be implemented where the objective is to prevent malicious activities. For InfoSec
and Internet resources, a multi-layered firewall is a good control. That is, a single firewall control, such as a
router with filters, is a weak control (i.e., becomes an exposure). A better control is a firewall that has multiple
layers: a combination of routers, filters, proxy servers, software, and so on, used to provide a shield that could
be compared to an onion, with all its layers of skin. Preventive controls are also necessary in software
applications to prevent errors in data. System access likewise needs preventive controls to prohibit
unauthorized access of systems and data.
iii. Detection
It is much easier to develop controls for detection, the third perspective. For InfoSec, there are some
developing, effective means of detecting general Internet attacks. For example, The Internet Storm Watcher
[22] gathers information in real time from logs all over the Internet. When a general attack is made, the Storm
Watcher is able to spot it, much like a weather system predicts a physical storm. Monitoring systems that
measure traffic on specific ports of the Internet and then graph it can produce an outcome that can detect an
intruder hacking into a system. There are more sophisticated intrusion detection systems, but any enterprise
with risks associated with the Internet needs a detection system commensurate with its level of risk.
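The aggregation-and-spike logic behind the port 53 episode above and the Storm Watcher description in this section, as an added example that is not from the book: constructed sensor log lines are counted per hourly window and destination port, and a port is flagged when its count jumps well above its own earlier baseline and the jump is seen by several sensors (the multi-sensor test is the "regional and global aggregates" point made general). The log format, the window size and the thresholds are assumptions.

```python
"""Spike detection over aggregated intrusion detection sensor logs.

Added example, not code from the book or from the Internet Storm Center.
Assumed log format (constructed): "<ISO timestamp> <sensor id> <source ip> <dst port>",
one probe per line, as an analysis site might receive it from many sensors.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: three sensors over four hourly windows. Port 53 probes are
# at a steady background level for three hours, then jump in the fourth window
# and are seen by every sensor, while port 80 stays flat.
SAMPLE_LOG = """\
2001-03-21T21:05:00 s1 10.0.0.1 80
2001-03-21T21:10:00 s2 10.0.0.2 53
2001-03-21T21:30:00 s3 10.0.0.3 80
2001-03-21T22:05:00 s1 10.0.0.4 53
2001-03-21T22:20:00 s2 10.0.0.5 80
2001-03-21T22:40:00 s3 10.0.0.6 80
2001-03-21T23:05:00 s1 10.0.0.7 80
2001-03-21T23:15:00 s2 10.0.0.8 53
2001-03-21T23:50:00 s3 10.0.0.9 80
2001-03-22T00:01:00 s1 10.0.0.10 53
2001-03-22T00:02:00 s2 10.0.0.11 53
2001-03-22T00:03:00 s3 10.0.0.12 53
2001-03-22T00:04:00 s1 10.0.0.13 53
2001-03-22T00:05:00 s2 10.0.0.14 53
2001-03-22T00:06:00 s3 10.0.0.15 53
2001-03-22T00:07:00 s1 10.0.0.16 80
2001-03-22T00:08:00 s2 10.0.0.17 80
"""


def parse_line(line):
    """Return (hourly window, sensor id, destination port) for one log line."""
    ts, sensor, _src, port = line.split()
    window = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")
    return window, sensor, int(port)


def aggregate(log_text):
    """Count probes per (window, port) across all sensors, and record which
    sensors saw each (window, port): a jump seen by one sensor is local noise,
    a jump seen by many is Internet-wide."""
    counts = Counter()
    sensors = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        window, sensor, port = parse_line(line)
        counts[(window, port)] += 1
        sensors[(window, port)].add(sensor)
    return counts, sensors


def detect_spikes(counts, sensors, min_factor=3.0, min_sensors=2):
    """Flag (window, port) pairs whose count is at least min_factor times the
    median of that port's earlier windows and which at least min_sensors
    sensors reported. Returns [(window, port, count, baseline), ...]."""
    windows = sorted({w for w, _ in counts})
    ports = sorted({p for _, p in counts})
    alerts = []
    for i, window in enumerate(windows):
        for port in ports:
            history = [counts.get((w, port), 0) for w in windows[:i]]
            if not history:
                continue  # nothing to compare the first window against
            baseline = max(median(history), 1)  # avoid dividing by a zero baseline
            current = counts.get((window, port), 0)
            seen_by = len(sensors[(window, port)])
            if current >= min_factor * baseline and seen_by >= min_sensors:
                alerts.append((window, port, current, baseline))
    return alerts


def storm_report(log_text):
    """Full pipeline: parse, aggregate, then look for port-level storms."""
    counts, sensors = aggregate(log_text)
    return detect_spikes(counts, sensors)


if __name__ == "__main__":
    for window, port, count, baseline in storm_report(SAMPLE_LOG):
        print(f"{window}: port {port} probes {count} vs baseline {baseline}")
```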
Artificial neural networks mentioned above also have been shown to be able to detect fraudulent events or
transactions. Studies have shown that a detective model can be built to recognize potential fraudulent
transactions after having been trained by using actual past data (i.e., actual valid transactions and actual fraud
transactions). Such a system could potentially then "sit" on top of the processing systems and filter
transactions looking for potential fraudulent ones. Once a suspicious transaction is detected, the ANN would
warn someone in IA directly, giving IA and the firm a chance to detect a fraudulent or irregular transaction as
it is being conducted, rather than detecting it weeks or months later in an audit. There is a need to make sure
such a system does not seriously impede the processing of transactions in the corporate system (i.e., IS
performance). Again, it does take special skills and knowledge, as well as a set of transactions to do the
training.
iv. Correction
The last perspective, correction, is another fruitful source of controls. For instance, logs that generate a list of
detected errors and the procedures to correct them are a critical component of applications and systems. Other
types of correction controls include disaster recovery plans, business recovery plans, and incident response
plans—all intended to correct the damage from major catastrophes.
Exhibit (figure): Computer Controls model. General Controls: passwords, locked doors, and physical controls
(independent verification, accounting records, segregation of duties, transaction authorization, supervision,
access control). Application Controls: input controls, processing controls, output controls, batch controls.
i. Physical Controls
2. Segregation of duties (IS processes, accounting processes, etc.) (authorization versus processing,
custody versus recordkeeping, and such that fraud requires collusion)
4. Accounting records
Transaction authorization needs physical controls (i.e., manual controls) to ensure all material transactions are
processed by the accounting system with integrity and in compliance with management policies and
objectives. Using management decision rules, certain recurring transactions become a programmed procedure,
or operate under general authority. Other decisions of a non-routine nature need specific authority.
Segregation of duties is another important type of physical control. Three good rules of thumb for developing
segregation of duties controls are: (1) separate authorization of transactions from processing
them, (2) separate custody of assets from record keeping, and (3) create controls such that a successful fraud
can only be perpetrated using collusion. The latter generally can be accomplished by separating steps of the
process between different individuals. Also, make sure segregation of duties extends beyond the typical area
of basic accounting functions. For example, segregation of duties has many applications in IS processes and
database management.
• Separate systems development from computer operations. This control should both deter fraud and
increase the quality of documentation.
• Separate new systems development from maintenance, which also should increase the quality of
documentation. If this separation is not possible, systems analysis can be separated from
programming. This alternate organizational structure could lead to weaker documentation and creates
an exposure for programming, leaving it open to possible malicious code (e.g., back doors, salami
slicing).
• Separate the database administrator (DBA) from other database and systems functions, computer
operations, development, and maintenance.
• Separate the data library function from computer operations, development, and maintenance. If the
enterprise stores data tapes, backups, or other centralized storage, then a data librarian serves as
custodian of the data asset. Some enterprises include original software and their licenses in the
"library" as well. Documentation of in-house software, including original source code, should also be
housed in the library. Software and data assets should be treated much like inventory assets when it
comes to controls. That is, they need to have a custodian, strict procedures for checking assets in and
out, and an adequate audit trail of transactions (where the assets go, why, and in this case, their safe
return). If a permanent librarian is not feasible, the rotation of a person on an ad hoc basis should
suffice as an adequate control.
• Use of a data control group. This group (or person) serves as a control between operations and end
users—including management. They perform tasks such as: review and test computer procedures,
monitor data processing, review and distribute computer output, serve as liaison with end users, and
review control logs from data processing. Therefore, this group, if employed, should be separated
from operations and systems development.
Other segregations may be necessary depending on the circumstances, size, and other issues pertinent to the
enterprise. (See Section 3.7(f) for more on segregation of duties.)
Supervision is a vital part of physical controls. When segregation of duties becomes impractical, supervision
is the default compensating control. This control includes formal reporting and procedures as well as
physically supervising a person or process.
Accounting records should be kept in such a way as to prevent unauthorized physical access. That is,
safeguard documents (e.g., checks) and physical accounting records (ledger cards).
Access controls (direct and indirect) are addressed in Section 3.8(b), and are a part of physical controls. Direct
controls involve physical access to assets such as inventory or cash. Indirect controls relate to documents and
processes that control such assets (e.g., credit memos, purchase orders, etc.).
Management also will assess the integrity of the computer system and data on an ongoing basis as a part of
independent verification. Internal controls should also be implemented for independent verification of data. A
classic control in this category is the comparison of physical assets with accounting records, but it also
includes controls such as reviewing management reports.
They would include controls such as locked doors for sensitive areas (e.g., data storage, mainframe room).
They should also include controls regarding the development of new systems. These controls might include:
• Requiring a written report on the testing (probably re-introduce CISA or CIA to the process at this
point)
• Requiring full off-line testing for new applications, hardware, or systems before activation online, and
• Requiring training on new applications before implementation
Major changes to existing software systems should generally follow the same set of controls.
Access to programs and data are critical and need controls, and have already been discussed. Segregation of
duties should be used to build independence (cannot alter programs or data), and to limit opportunities for
concealment of fraud.
The next aspect of the IS controls models is application controls, which are more specific. They include input
controls, processing controls, and output controls. Examples of input controls include:
• (A) Authorization. Proper authorization procedures and controls are essential to an effective internal
control system. The fact the accounting system is a computer-based one does have some effect on
these controls. Two basic control guidelines for authorization are:
♦ Controls should make sure transactions are properly authorized in accordance with
management objectives and policies
♦ Embed controls where the computer performs the authorization
An example of the latter would be credit limits. The software should have built-in controls that verify
a customer has sufficient credit to issue an invoice without going over the credit limit, and that require
special authorization (preferably from the credit department) to allow the invoice to be processed
when the amount would put the customer over the credit limit.
• (B) Converting data into computer files. Controls should be developed to ensure the validity of data
entry from the point of data capture and/or input.
• (C) Subsequent accountability. Subsequent to data entry, application controls should be employed to
make sure data has not changed and data maintenance is validated, where applicable. Examples
include:
♦ Transmittal controls
♦ Routing slips
♦ Control totals (hash, amount totals, etc.)
Examples of processing controls include the following:
♦ Batch control where applicable (not likely to apply in real-time systems)—control totals,
batch totals, hash totals, record counts
♦ Validity check test (e.g., valid data for the particular field, complementary master record(s)
exist, etc.)
♦ Limit test (data is within range of valid entries for the particular field, data is reasonable)
♦ Self-checking digit, where applicable (telecommunications)
Examples of output controls include the following:
♦ Controls to ensure reliability of computer output (e.g., error reports, printed reports, printed
checks, etc.)
♦ Controls to ensure outputs are distributed with appropriate custody to authorized personnel
only
♦ If batch methodology is employed, reconcile output control totals with processing and input
control totals
♦ Develop controls using error reports for data that does not meet certain validity checks,
including control procedures for follow-up of error reports for corrections
♦ Develop effective controls such as data control group, the computer itself, and users to
perform these control tasks (from most effective to least)
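The input, processing and output controls listed above, worked through on a constructed transaction batch as an added example that is not from the book: a self-checking digit on the account number, validity checks against a master file, a limit test, batch control totals (record count, amount total, hash total) reconciled against the batch header, and an error report for the data control group to follow up. The record layout, the weighted modulus-10 check-digit scheme, the limit and all sample values are assumptions.

```python
"""Application controls over a constructed transaction batch.

Added example, not code from the book. Record layout, check-digit scheme and
limits are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    account: str   # 8 digits: 7-digit body followed by one self-checking digit
    amount: int    # cents, must be positive
    ref: str       # source document reference


# Assumed self-checking digit: weighted sum of the body digits, modulus 10.
WEIGHTS = (7, 3, 1)


def check_digit(body: str) -> str:
    """Compute the check digit for a 7-digit account body (assumed scheme)."""
    total = sum(int(d) * WEIGHTS[i % len(WEIGHTS)] for i, d in enumerate(body))
    return str(total % 10)


def validate_record(tx: Transaction, master_accounts, limit: int):
    """Validity checks and limit test for one record; returns a list of errors.
    The account checks are chained: a malformed or mis-keyed account number is
    reported once, not also as a missing master record."""
    errors = []
    if not (tx.account.isdigit() and len(tx.account) == 8):
        errors.append("account format")
    elif check_digit(tx.account[:-1]) != tx.account[-1]:
        errors.append("check digit failed")            # keying error caught at input
    elif tx.account not in master_accounts:
        errors.append("no master record")              # complementary master record must exist
    if tx.amount <= 0:
        errors.append("amount not positive")
    elif tx.amount > limit:
        errors.append(f"amount {tx.amount} exceeds limit {limit}")  # limit test
    return errors


def batch_totals(txs):
    """Record count, amount total and hash total (sum of account numbers, which
    has no business meaning but changes if any record is dropped or altered)."""
    return {
        "records": len(txs),
        "amount_total": sum(t.amount for t in txs),
        "hash_total": sum(int(t.account) for t in txs if t.account.isdigit()),
    }


def reconcile_batch(txs, header):
    """Compare computed totals with the header prepared by the data control group."""
    got = batch_totals(txs)
    return [f"{key}: expected {header[key]}, got {got[key]}"
            for key in ("records", "amount_total", "hash_total")
            if got[key] != header[key]]


def process_batch(txs, header, master_accounts, limit):
    """Return (accepted records, error report). A batch whose control totals do
    not reconcile is held back whole; otherwise records are screened one by one."""
    mismatches = reconcile_batch(txs, header)
    if mismatches:
        return [], mismatches
    accepted, report = [], []
    for tx in txs:
        errs = validate_record(tx, master_accounts, limit)
        if errs:
            report.extend(f"{tx.ref}: {e}" for e in errs)
        else:
            accepted.append(tx)
    return accepted, report


# Constructed sample data. Check digits: 1234567 -> 4, 2468013 -> 0,
# 1111111 -> 9, 9999999 -> 1 under the scheme above.
MASTER_ACCOUNTS = {"12345674", "24680130", "11111119"}
CREDIT_LIMIT = 500_000  # cents
BATCH = [
    Transaction("12345674", 12_500, "INV-1001"),   # clean
    Transaction("24680131", 20_000, "INV-1002"),   # mis-keyed: check digit should be 0
    Transaction("11111119", 750_000, "INV-1003"),  # over the limit
    Transaction("99999991", 4_000, "INV-1004"),    # valid check digit, no master record
]
BATCH_HEADER = {"records": 4, "amount_total": 786_500, "hash_total": 148_136_915}

if __name__ == "__main__":
    accepted, report = process_batch(BATCH, BATCH_HEADER, MASTER_ACCOUNTS, CREDIT_LIMIT)
    print("accepted:", [t.ref for t in accepted])
    print("error report:", *report, sep="\n  ")
```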
This manual stresses the activities, qualifications, and duties that make the IA shop successful and productive.
The IIA argues that an internal IA shop is a critical success factor in effective corporate governance,
especially regarding security, auditability, and controls.
d. Corporate Governance
A key control strategy is an effective corporate governance structure. This strategy begins with the IA
function and includes an effective audit committee and IT governance.
i. Audit Committee
Another key major control activity is an adequate audit committee. But having an audit committee is not the
same as having an effective audit committee. For publicly traded companies, the SEC issued a ruling that took
effect January 31, 2000, related to audit committees. The ruling [24] says in part:
• The Securities and Exchange Commission is adopting new rules and amendments to its current rules
to require that companies include in their proxy statements certain disclosures about their audit
committees and reports from their audit committees containing certain disclosures. The rules are
designed to improve disclosure related to the functioning of corporate audit committees and to
enhance the reliability and credibility of financial statements of public companies.
The SEC basically requires publicly traded companies to not only have an audit committee but to include
information on its activities in SEC reports. Companies that are not publicly traded but have a large number of
stockholders are probably in need of an audit committee because of the fiduciary responsibility. A significant
responsibility of the audit committee is to deal with risks of the entity. Therefore, businesses that have a
relatively large risk of fraud, theft, security, or illegal activities should also have an audit committee. For
example, financial institutions and other businesses that handle large volumes of cash daily are prime
candidates for an audit committee because cash misappropriation is the highest of risks.
Companies need an audit committee for several reasons. The main reason is the fiduciary responsibility the
company has to the shareholders. Management should also expect the audit committee to assist them in
ensuring the integrity of financial reports and in deterring fraud. The public expects no surprises in the
financial health of the company, and it expects to be able to trust the financial reports. Audit committees
should be able to serve as guardians of the public interest.
The audit committee serves as an independent "check and balance" with the internal audit function—serving
as a watchdog over financial statements, risks, and management assertions—and liaison with external
auditors. They interact with both these groups with the objective of ensuring data integrity in financial
statements and the avoidance of fraud or illegal activities. They also look for ways to identify adverse events.
For instance, they might serve as a sounding board for employees who observe suspicious behaviors or
outright fraudulent activities. The audit committee should have a willingness to challenge the internal auditor
function as well as management when necessary. For those entities that employ outside auditors, the audit
committee should be best positioned to determine whether or not the provision of any particular service by the
audit firm is inappropriate. In fact, they should be responsible for deciding which external auditor to hire. In
general, they become an independent source of protection of the entity's assets from a variety of risks, in
whatever fashion is appropriate. See Exhibit 3.17 for a list of audit committee oversight areas, based on a
study by the Financial Executives International (FEI).
Certain historical events remind managers, board members, auditors, and other stakeholders of the risks that
exist even for those businesses that seem to be immune to fraud. These events also show the need for effective
audit committees. Enron proved that large companies with billions of dollars in assets can go bankrupt under
the noses of well-intended board members. Enron had $10 billion book value, $60 billion market value, and
$1 billion in profits in its latest financial reports that were "not materially misstated," according to its external
auditor, Arthur Andersen. Enron had an audit committee made up of distinguished members with financial
accounting pedigrees. Yet this large firm went bankrupt once it booked a $600 million entry to revise its
earnings in late 2001.
In 1998, COSO issued a report, "Landmark Study on Fraud in Financial Reporting," covering 10 years and
200 randomly selected cases of alleged financial fraud investigated by the SEC from 1987 to 1997. The 200
randomly selected cases make up about two-thirds of all the SEC probes into fraud during the time period.
The results of the study provide valuable information for any organization in protecting against fraud, but it is
especially valuable in developing audit committees because of its applicability. The study develops several
common factors about the companies (see Exhibit 3.18).
Smaller firms
Lack of experience in board members
Lack of independence of audit committee/board members
Absence of audit committee or infrequent audit committee meetings
Likelihood of involvement of executive managers in financial fraud
Most of the auditors explicitly named in SEC enforcement releases were non-Big Five auditors
Audit firms of all sizes were associated with companies committing financial statement fraud (i.e., you
cannot depend on your external auditors to detect fraud based on their size)
Cumulative amounts of frauds were relatively large in light of the relatively small sizes of the companies
involved—the average misstatement or misappropriation was $25 million
A model of attributes is presented based on the existing standards, SEC rules, and the COSO fraud report (see
Exhibit 3.19). The model attributes include independence, competence, organizational structure, leadership,
and a proactive approach.
Audit committees need to be independent of management and even other board members in order to
effectively assess events, accusations, and risks. The main ingredient for an effective independence is
skepticism. Outside directors make it easier to provide both an appropriate degree of skepticism and
independence.
Members should also be competent. The entity should consider looking for outside directors, and locate
people who are well qualified in the area of financial accounting, auditing, internal controls, and risk
assessment/management. But competence should also include critical thinking skills. Audit committee
members need to be able to sort through facts, exhibits, and circumstances to ascertain possible questionable
areas. They also need to ask tough questions and foresee situations that contain high risk. Lastly, competence
also includes experience; that is, experience being a board member for other organizations. Preferably
experience also means experience as either a member of an audit committee or similar experience in auditing,
security, risk, or internal controls. Thus a member of the audit committee should probably be the most
seasoned of the members of the board. However, one recent study [25] revealed just the opposite:
• Unlike their counterparts, audit committee directors, for the most part, had served on significantly
fewer other committees and for a shorter period of time on the corporate board, which implied they
were mere "babes in the woods."
The organizational structure of the committee is also important. Some firms allow any employee to contact
the audit committee anonymously to report suspicious behaviors, fraud, or illegal financial activities. Such a
committee therefore serves as an ethics committee for financial reporting, fraud, and security (see item 2 in
Exhibit 3.17). Whatever management can do to encourage reporting of these events and behaviors should be
done. The audit committee will then have the opportunity to possibly identify fraudulent activities before they
adversely affect the firm.
Leadership refers to the chair of the audit committee. As in most committees, the chair sets the tone for the
activities, approach (proactive vs. reactive), and behaviors of the group. The chair needs to be active
(proactive), strong (a capable leader and competent audit committee member), and decisive. These attributes
identify any good leader, but are essential for the audit committee to be effective.
Lastly, the audit committee needs to be proactive. The recent study by the FEI mentioned earlier shows that
more than half of the respondents polled—chief financial officers and corporate controllers—felt that the audit
committee needed to be more proactive. The same report suggests that audit committees need to challenge
management assumptions and ask tough questions. Coca-Cola Company has a good set of such questions [26]
that illustrate a proactive approach, questions the company's board asks the IA function each year:
• Are there any significant accounting judgments made by management in preparing the financial
statements that would have been made differently had the auditors themselves prepared and been
responsible for the financial statements?
• Based on the auditors' experience, and their knowledge of the Company, do the Company's financial
statements fairly present to investors, with clarity and completeness, the Company's financial position
and performance for the reporting period in accordance with GAAP and SEC disclosure
requirements?
• Based on the auditors' experience, and their knowledge of the Company, has the Company
implemented internal controls and internal audit procedures that are appropriate for the Company?
The model of attributes should empower the audit committee to serve its entity effectively in protecting the
assets, inspecting suspicious behaviors or activities, ensuring the integrity of financial reports, and generally
managing risks. There is also a list of attributes or situations to avoid—those that were common to the cases
of financial fraud in the COSO study. The study mentioned that one consistent factor with the fraud cases was
the absence of an effective audit committee. Often board members were neither independent (e.g., related to
executives or owners) nor capable of dealing with audits and internal controls. Together, these two lists
(Exhibits 3.18 and 3.19) will hopefully assist internal auditors in providing input into the board's decision
about its audit committee, and in providing information on how to effectively interact with the audit
committee.
One of the most effective techniques against fraud or crime is an internal audit function with a direct
connection to an audit committee on the board, where such committee members are able to understand and
respond to audit evidence, reports, or internal control weaknesses. (See Section 9.2 for additional information
on audit committees.)
Information technology governance is similar to corporate governance in its objectives and is a prime service
of ISACA. That organization defines IT governance as:
• the responsibility of the board of directors and consists of the leadership, organizational structures
and processes that ensure that the organization's IT sustains and extends the organization's strategies
and objectives.
The more an organization relies on IT, the more IT governance is necessary; or put another way, IT
Questions such as "Is IT doing the right things?" "Are they doing them the right way?" "Are they being done
well?" and "Is the enterprise actualizing benefits from IT activities?" should be answered by IT governance
processes. IT governance should also lead to a structure through which the entity's overall objectives are set,
the method of attaining those objectives is outlined, and the manner in which performance will be monitored
is described. One performance measurement system being used is Balanced Scorecard (see Chapter 9).
Evidence of the need for IT governance is the number of chief executives who have criticized the benefits of
IT. [27] To promote IT governance, ISACA sponsors the IT Governance Institute and provides various support
IT governance.
If the entity is connected to the Internet, logs become even more important. Logs should be used to track data
such as sites visited, files downloaded or uploaded, time spent on the Internet, etc. Sites visited could reveal
access to illegal sites, and have in the past (i.e., child pornography). Files downloaded could reveal viruses,
hacking tools, illegal software, or other types of files that are contrary to organizational policy or federal
regulations. Hacking tools might be an indication of an employee preparing to hack into the organization's
system.
Logs should be developed and implemented that will assist in safeguarding assets and ensuring compliance
with policy (e.g., computer usage). Logs are the enforcement control for policy, but the entity needs to make
sure employees are told such actions are being recorded and even have employees sign policies that have this
form of enforcement (e.g., e-mail policy).
f. Segregation of Duties
Another primary objective of internal controls is the effective use of segregation of incompatible duties. This
proven technique for designing internal controls, policies, and especially organizational structures was
developed by accountants and auditors. Three rules to observe are to separate transaction authorization from
transaction processing, record-keeping from asset custody, and any series of transaction processing steps such
that a collusion of individuals would be necessary to commit fraud. Where segregation of duties is not
feasible, management should compensate by adding adequate supervision.
For example, one large tire reseller did not segregate duties. Because the firm had several locations, it made
use of a central tire warehouse. There was no security at the warehouse, and all salespersons had a key to it.
One salesman stole tires, drove to a nearby city, sold them to an acquaintance, and covered his tracks with
credit memos and phony invoices. No one suspected him, even though 75% of all credit memos came from
one individual (proof that management must review reports). The custody of the tires should have been
segregated from record-keeping of tire transactions (i.e., the sales force), and authorization of the credit
memos should have been separated from the processing. (See "Physical Controls" in this chapter for more
information.)
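The three segregation rules above, and the credit-memo review that would have exposed the tire reseller case, expressed as checks an auditor can run over a duty assignment and a memo register. This is an added example, not code from the book; the duty labels, staff names, 50% threshold and memo records are constructed.

```python
"""Segregation-of-duties check for one transaction cycle, plus the credit-memo
concentration report from the tire reseller case. Added example; duty labels,
staff names, threshold and memo records are constructed, not from the book."""
from collections import Counter

# The first two rules from the text as pairs of duties no single person may hold.
INCOMPATIBLE_PAIRS = [
    ("authorize", "process"),   # transaction authorization vs. transaction processing
    ("record", "custody"),      # record-keeping vs. custody of the asset
]


def sod_violations(assignments):
    """assignments: {employee: set of duties}. Returns (employee, duty_a, duty_b)
    for every incompatible pair held by one person, in a stable order."""
    found = []
    for who in sorted(assignments):
        duties = assignments[who]
        for a, b in INCOMPATIBLE_PAIRS:
            if a in duties and b in duties:
                found.append((who, a, b))
    return found


def single_handed_chains(chains):
    """Third rule: a series of processing steps must require collusion to abuse.
    chains maps a transaction type to its ordered (step, employee) list; returns
    the types where one person performs every step."""
    return sorted(t for t, steps in chains.items()
                  if len({who for _, who in steps}) == 1)


def credit_memo_concentration(memos, threshold=0.5):
    """memos: (memo_id, issued_by, amount). Returns each issuer's share of the memo
    count and the issuers above threshold (the report management never reviewed)."""
    counts = Counter(issuer for _, issuer, _ in memos)
    total = sum(counts.values())
    shares = {who: n / total for who, n in counts.items()}
    return shares, sorted(who for who, s in shares.items() if s > threshold)


# Constructed picture of the tire reseller: every salesperson holds a warehouse
# key (custody) and books sales (record); one also raises and posts credit memos.
TIRE_RESELLER = {
    "sales_1": {"record", "custody", "authorize", "process"},
    "sales_2": {"record", "custody"},
    "sales_3": {"record", "custody"},
}
TIRE_RESELLER_CHAINS = {
    "credit_memo": [("raise", "sales_1"), ("approve", "sales_1"), ("post", "sales_1")],
}
# The same cycle after segregating duties as the text recommends.
SEGREGATED = {
    "sales_1": {"record"}, "sales_2": {"record"}, "sales_3": {"record"},
    "warehouse_keeper": {"custody"},
    "sales_manager": {"authorize"},
    "ar_clerk": {"process"},
}
SEGREGATED_CHAINS = {
    "credit_memo": [("raise", "sales_1"), ("approve", "sales_manager"), ("post", "ar_clerk")],
}
# Constructed credit-memo register: 12 of 16 memos (75%) come from one salesperson.
CREDIT_MEMOS = [(f"CM{n:03d}", "sales_1", 180.0) for n in range(1, 13)] + [
    ("CM013", "sales_2", 95.0), ("CM014", "sales_2", 60.0),
    ("CM015", "sales_3", 120.0), ("CM016", "sales_2", 40.0),
]

if __name__ == "__main__":
    print("violations before:", sod_violations(TIRE_RESELLER))
    print("single-handed chains before:", single_handed_chains(TIRE_RESELLER_CHAINS))
    print("violations after:", sod_violations(SEGREGATED))
    print("memo concentration:", credit_memo_concentration(CREDIT_MEMOS))
```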
g. Investigation Procedures
Management must also consider what specific procedures should be employed to protect against internal
threats. Key positions, including executives, may require a background search.
[17] See www.securityfocus.com.
[18] See www.incidents.org.
[19] BIND is one of the name services on the Internet—typically on Unix, Linux, etc.-based systems, though
Windows XP does support BIND now.
[20] See Internet Vulnerability U3 on the Top 20 List (see Exhibit 3.12).
[21] The information for this paragraph came from a web page at The Internet Storm Center's web site. The
page is located at www.incidents.org/isw/iswp.php.
[22] See www.incidents.org.
[23] Obviously, the SEC may or may not have adopted this ruling. Visit the IIA site www.theiia.org or the SEC
site www.sec.gov for clarification.
[24] SEC Release No. 34-42266, File No. S7-22-99. See URL www.sec.gov/rules/final/34-42266.htm.
[25] Nikos Vafaes, "On Audit Committee Appointment," Auditing: A Journal of Practice and Theory, Vol. 20,
No. 1 (March 2001).
[26] Connie McDaniel, vice president and controller of Coca-Cola Company, from a speech presented to the
AAA, August 13, 2001.
[27] For example, Jack Welch, former chairman of General Electric, said, "IT has been the longest running
disappointment in business in the last 30 years." World Economic Forum, 1997.
[28] See www.itgi.org.
i. Types of Crimes
Crimes associated with the theft of assets typically are carried out by employees. These frauds are conducted
by employees who have some pressure to steal (personal cash flow problems), accompanied with weak
personal ethics. If a weakness exists in the controls, the temptation can become too great for the employee to
resist stealing from the organization. The rationalization is often that either the employee works hard and
deserves the extra money, or he/she is "borrowing" the money and plans to repay it. One typical area for fraud
and theft is performance bonuses. Such tactics can become the impetus (pressure) mentioned earlier, and the
rationalization; and if accompanied by personal weak ethics and an exposure, the result can be fraud and theft.
Another crime is financial fraud. By its very nature, it is virtually limited to executive management.
Management can come under pressure by such circumstances as economic problems in the firm (poor
performance of stock on the open market). Because of management's position, they are always in the position
to have opportunity; that is, they can override controls. The pressure to perform can be rationalized as perform
at any cost and lead to financial fraud.
Lastly, there are those who break in from the outside (see below). Some of these attackers come to steal, kill,
and destroy. Others come to play—possibly bringing a system down and making it unavailable. But all cause
damages and bring about costs. As such they are considered computer crimes (e.g., the laws against
spamming).
Criminals can be broken down into different groups with specific profiles. The description of crimes includes
a profile of the employee or manager who might commit a crime. The following describes the outside
criminals.
The typical perpetrator of DDoS (and other Internet security incidents) is a male, 13 to 15 years old, with a lot
of computer intelligence (neon hair and body piercing optional!). They usually begin malicious activities early.
For example, Mixter (a self-proclaimed "white hat") started learning computers at six and malicious activity at 14.
One way to think of the group of people who break into Internet systems is to subdivide it down by the
objectives of the person: The groups are technically known as hackers, crackers, and script kiddies. The true
"hacker" (sometimes referred to as a "white hat" [30]) actually tries to do service to the Internet community.
Hackers look for vulnerabilities and weaknesses, and then communicate the "hole" to the entity. These people
enjoy the intellectual challenge of their activities, and are technically defined as "hackers." [31] Even then,
there are rogues in this group. A contract employee at Intel went beyond the scope of his work, for which Intel
dismissed the white hat employee and had him arrested.
Traditionally, "hacker" was a term that carried a positive connotation, a badge of honor regarding one's
technical expertise. Then why is the popular press always referring to the "bad guys" as hackers? Because of
the media's ignorance of the technical definitions. These people are actually "crackers" [32] (sometimes
referred to as "black hats") whose intent is to steal or destroy. So although hacker and cracker are often used
interchangeably, they are in fact technically different sub-groups. It is the cracker who writes malicious code
such as DDoS.
The term "script kiddie" refers to young computer enthusiasts who usually download the malicious code (e.g.,
viruses, DDoS) generated by crackers, rather than author it, and conduct mischievous exploits on
unsuspecting entities, resulting in systems havoc. Most are not necessarily malicious, just bored. They are
similar to street gangs, having created a way to tag the Internet (viral code), having invented their own form of
graffiti (web site defacements), and having fought gang wars online (using thousands of remote PCs
controlled by Internet Relay Chat (IRC) bots). [33]
One example is a female (rare among script kiddies) from Belgium who authored Sharpei, one of the first .Net
viruses. She says writing these viruses and DDoS programs is "a form of art, just like other hobbies. Also, it's
a fun way to practice programming." This statement reflects the attitude, and demonstrates the problem, with
DDoS attackers. They do not see any real harm to their victims and are in it for the personal pleasure it brings.
The most general authentication, authorization, and verification controls are password systems, firewalls, and
occasionally access cards or biometrics. The weakness of these former two security methods is that they have
been compromised, and intruders have caused great harm and significant financial losses. The latter approach,
biometrics, has the potential to provide the greatest level of security because it involves something you are,
and because they can be more reliable than the passwords or firewalls—especially stand-alone password or
firewall systems.
There is a difference between verification and identification. Verification is the process of confirming that the
person carrying the token (badge, card, password, etc., which is the claim of identity) is the rightful owner of
the token. Identification, on the other hand, is the recognition of a specific individual from among all the
individuals enrolled on the system. Ideally, access control systems would do both.
Passwords are the first line of defense in authenticating access to systems and data, and serve as a reasonably
effective preventive system. One strategy is to create multi-faceted passwords, especially where remote access
is frequent or e-commerce is employed. One current sophisticated approach is to generate password PINs over
very short time frames, sometimes less than a minute. When remote users log in, they check a beeper for the
most recent PIN and can only log in with both their password and the dynamic PIN. Another strategy is to
combine passwords with network administration such that a matrix is developed for access. The columns are
fields, files, or other data element. The rows are users. The cells are accessibility: read-only (RO), read/write
(RW), or none. This matrix approach minimizes the exposure of data to internal users, narrowing
authorization and access. (See Exhibit 3.8 for a password model to assist in developing the access control
system.)
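The two strategies above combined: a login that requires both the stored password and a short-lived dynamic PIN, in front of a user-by-data-element access matrix whose cells are RO, RW or none. This is an added example, not the book's code or model; the HMAC-over-time-step PIN is an assumed implementation of the beeper-style PIN the text describes, and the users, data elements, passwords and token secrets are constructed.

```python
"""Password + dynamic PIN authentication gating an RO/RW/none access matrix.
Added example; the time-step PIN is an assumed implementation of the token
scheme in the text, and all users, secrets and elements are constructed."""
import hashlib
import hmac
import os
import struct

PIN_STEP = 30      # seconds a PIN stays valid (assumption: "less than a minute")
PIN_DIGITS = 6
PBKDF2_ROUNDS = 100_000


def dynamic_pin(token_secret: bytes, now: float, step: int = PIN_STEP) -> str:
    """PIN the user's token would display for the time step containing `now`."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(token_secret, counter, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** PIN_DIGITS:0{PIN_DIGITS}d}"


def verify_pin(token_secret: bytes, pin: str, now: float, drift_steps: int = 1) -> bool:
    """Accept the current step plus/minus drift_steps to tolerate clock skew;
    constant-time comparison so a rejected PIN leaks nothing about the match."""
    candidates = (dynamic_pin(token_secret, now + k * PIN_STEP)
                  for k in range(-drift_steps, drift_steps + 1))
    return any(hmac.compare_digest(c, pin) for c in candidates)


def hash_password(password: str, salt: bytes = b""):
    """Salted PBKDF2 digest; never store the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Constructed user directory: salted password hash plus the token's shared secret.
_SALT_A, _HASH_A = hash_password("correct horse", b"\x01" * 16)
_SALT_B, _HASH_B = hash_password("battery staple", b"\x02" * 16)
USERS = {
    "aclark": {"salt": _SALT_A, "hash": _HASH_A, "token": b"tok-secret-aclark"},
    "bdiaz": {"salt": _SALT_B, "hash": _HASH_B, "token": b"tok-secret-bdiaz"},
}

# Access matrix: rows are users, columns are data elements, cells RO or RW;
# an absent cell means "none", so access is denied unless explicitly granted.
ACCESS_MATRIX = {
    "aclark": {"payroll.master": "RW", "gl.journal": "RO"},
    "bdiaz": {"gl.journal": "RW"},
}


def permission(user: str, element: str) -> str:
    return ACCESS_MATRIX.get(user, {}).get(element, "none")


def authenticate(user: str, password: str, pin: str, now: float) -> bool:
    """Both factors must pass: the remembered password and the PIN read off the token."""
    rec = USERS.get(user)
    if rec is None:
        return False
    pw_ok = check_password(password, rec["salt"], rec["hash"])
    pin_ok = verify_pin(rec["token"], pin, now)
    return pw_ok and pin_ok


def authorize(user: str, password: str, pin: str, now: float,
              element: str, action: str) -> bool:
    """True only when authentication succeeds and the matrix cell allows the action."""
    if not authenticate(user, password, pin, now):
        return False
    cell = permission(user, element)
    if action == "read":
        return cell in ("RO", "RW")
    if action == "write":
        return cell == "RW"
    return False
```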
Although they appear to be much less expensive than biometric systems, password systems might cost an
organization. This cost usually happens in two ways: passwords that are forgotten and passwords that are
stolen. The former requires time and resources to reset passwords. The latter is a security breach and can be
much more costly if the system is compromised. Since the human brain is not a perfect storage system when it
comes to complicated and long letter-number combinations, the more sophisticated passwords might be
forgotten. In such situations, the password needs to be reset and a new password must be created. According
to Mandylion Research Labs, resetting a password security system of a company with 100 workers would cost
$3,850 per year. If the company has 1,000 authorized personnel, the same process would cost up to $38,500
per year!
For remote access, one control might be the use of call-back systems. If remote access is stationary (i.e., the
same person always accesses the system from the same phone), then this technique works well. Once a user
logs in from a remote location, the system hangs up the line and calls back on a pre-determined phone number.
Where call-back systems are impractical, multi-faceted password systems should be employed—maybe
biometrics.
The most common biometric devices used for access control are fingerprint scanners, although facial and iris
scanners and voice recognition systems are increasing in use. [35] Fingerprint scanners come in a variety of
formats, from stand-alone devices to readers built into keyboards and mice. They are unobtrusive,
inexpensive, and, essentially, they work. For example, the public benefits administrators in Texas and New
York claim fingerprint identification has virtually eliminated fraud in their programs. [36]
But of all types of biometrics available, the most practical—the best solution—for access control appears to
be fingerprint recognition or keystroke recognition biometric systems. Keystroke recognition systems are
trained to recognize the unique features of a person entering his/her password. Because it is only software, it is
less expensive and easier to operate than fingerprinting and other biometrics. The fingerprint option should be
considered as part of a smart card plus fingerprint plus password method—versus a stand-alone fingerprint
system (if the risks warrant such a sophisticated access system). This system would provide a high level of
reliability with a high level of user acceptance, and a relatively low level of cost. They are also readily
available in the market.
Of special importance is the emerging trend toward integration of biometrics into networks and systems. More
time is being spent on integrating biometrics into existing processes and applications, where feasible and
applicable, and into network access control systems. Biometric systems are being relegated as a commodity
item, and this progression leads to a potentially enhanced level of interoperability, something the biometric
industry needs. In recent months, an increasing number of devices, such as notebook computers and computer
keyboards, now come equipped with integral biometric fingerprint readers, and some with smartcard readers
as well, plus several variants of biometric mice. [37] This area provides a lot of promise for all concerned with
InfoSec.
[30] They are called "white hats" because (a) they have obtained prior permission to "hack," (b) hacking is a
part of their job description and they are an employee, (c) they have a contract to conduct a pen test (specific
domain, specific time frame), and (d) they have an engagement letter to conduct the pen test.
[31] See technical definition of hacker at www.pcwebopedia.com/TERM/h/hacker.html.
[32] See technical definition of cracker at www.pcwebopedia.com/TERM/c/crack.html. Likely a reference to
safe crackers.
[33] According to ZDNet associate editor Robert Vamosi. See "Can We Stop Script Kiddies? Yes! Here's
How," ZDNet Reviews, May 15, 2002, online at www.zdnet.com.
[34] Liu & Silverman, "A Practical Guide to Biometric Security Technology," IEEE Computer Society. Online
at www.computer.org/itpro/homepage/Jan_Feb/security3.htm.
[35] "The Lowdown on Biometrics," Government Computer News, 08/12/02. Online at
www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=19567.
[36] Mark Kellner, "Digital Security," Government Computer News, 08/12/02. Online at
www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=19565.
[37] Julian Ashbourn, "Biometrics: Making the Right Impression," SC Magazine, June 2002, pp. 58–63.
People would include the use of experts and professionals in the IA function, whether the corporation has a
separate internal audit department, outsources the function, or relies on external auditors for the function.
Regardless, management should make sure someone or some group is responsible for the internal audit
tasks—primarily the design, development, implementation, and examination of the corporate internal control
system. Management should require an appropriate certification of those to whom it entrusts its internal
controls system. Some applicable certifications include: Certified Internal Auditor (CIA from IIA), Certified
Information Systems Auditor (CISA from ISACA), Certified Information Technology Professional (CITP
from AICPA), Certified Information Systems Security Professional (CISSP from International Information
Systems Security Certification Consortium—ISC2), and Global Information Assurance Certification (GIAC
by Sans Institute).
Proven techniques include some already mentioned, such as an audit committee made up of qualified people
who are independent of owners and executive management.
a. Monitoring Systems
One of the best detective tools is a good monitoring system. Examples are intrusion detection systems, passive
logs, and traffic monitors. Intrusion detection systems are designed to detect crackers or hackers as they try to
gain unauthorized access to the company's system. Steve Gibson reported 500,000 attempts a day detected at
his site when a 15-year-old hacker got mad at him. [38] His intrusion detection system worked better than most
because he is an elite expert, but he wrote an open letter to hackers and admitted that his system could not
withstand a direct ongoing assault by hackers. Traffic monitors provide information to techies that will
indicate adverse activity such as a denial of service attack. They simply graph certain technical aspects of
Internet activities and traffic, and visually indicate potential problem areas. The Internet storm watcher is one
example of a broader monitoring system—monitoring activity of the Internet as a whole. Passive logs can
provide data that could help detect or correct adverse attacks after the fact.
b. Firewalls
Any server connected to the Internet should also have a firewall as a preventive scheme. A firewall is one or
more elements such as software, hardware, or techniques that inhibit unauthorized activities from external
users. A variety of firewall defenses can be assimilated, and should be done so with the level of risk in mind.
The higher the risk probability and cost, the more complex and expensive the firewall needs to be.
In the fifth step, verify data integrity, it is helpful to ask for a printout of the first 100 records along with the
data. Once the data is fully imported and ready, a review of these 100 records can establish some reasonable
reliability of the data set. The use of batch controls is very useful for this purpose, especially if the auditor can
establish those controls from the live data. In the sixth step, this understanding can generally be gained by
running some standard overview commands such as COUNT, STATISTICS, CLASSIFY, STRATIFY, and so
on, on the data set.
• Reasonableness
• Completeness
• Gap
• Duplication
• Period-to-period (trends)
• Regression analysis
• Statistical analysis
• Transaction matching
• Passwords
• Biometrics
• Intrusion detection system
• Firewalls
• Anti-virus software
• Digital certificates
• Digital signatures
• Encryption
• Proposed XBRL system
• Disaster recovery plan/business recovery plan (see Exhibit 3.10)
• Incident response plan
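The data-integrity and overview steps described above (batch controls on the imported extract, COUNT/STATISTICS/CLASSIFY, and the gap, duplication and stratification tests from the list), carried out on a small constructed invoice extract. This is an added example, not the book's code or the commands of any particular audit tool; the records, the live-system control totals and the amount bands are constructed.

```python
"""Audit data-analysis routines: batch-control reconciliation, COUNT/STATISTICS,
CLASSIFY, gap test, duplication test and STRATIFY. Added example; the invoice
extract, control totals and bands are constructed and not from the book."""
from collections import Counter
from decimal import Decimal
from statistics import mean, median

# Constructed extract as (invoice_no, customer, amount). Invoice 1004 is
# missing from the sequence and 1006 was imported twice.
INVOICES = [
    (1001, "C-17", Decimal("250.00")),
    (1002, "C-03", Decimal("1200.50")),
    (1003, "C-17", Decimal("75.25")),
    (1005, "C-22", Decimal("9800.00")),
    (1006, "C-03", Decimal("430.00")),
    (1006, "C-03", Decimal("430.00")),
    (1007, "C-09", Decimal("15.99")),
]
# Constructed control totals the auditor took from the live system before export.
LIVE_COUNT = 6
LIVE_TOTAL = Decimal("11771.74")
# Amount bands for STRATIFY, [low, high).
BANDS = [(0, 100), (100, 1000), (1000, 10000)]


def batch_control_check(records, expected_count, expected_total):
    """Reconcile the imported extract to the live count and total; any mismatch
    means the data set cannot yet be relied on."""
    count, total = len(records), sum(r[2] for r in records)
    return {"count": count, "total": total,
            "count_ok": count == expected_count, "total_ok": total == expected_total}


def count_statistics(records):
    """COUNT and STATISTICS over the amount field."""
    amounts = [r[2] for r in records]
    return {"count": len(amounts), "total": sum(amounts), "min": min(amounts),
            "max": max(amounts), "mean": mean(amounts), "median": median(amounts)}


def classify(records, field=1):
    """CLASSIFY: number of records per distinct value of a field (default customer)."""
    return dict(Counter(r[field] for r in records))


def gap_test(records, field=0):
    """Sequence numbers missing between the lowest and highest present."""
    present = {r[field] for r in records}
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def duplication_test(records, field=0):
    """Key values that occur more than once."""
    return sorted(k for k, n in Counter(r[field] for r in records).items() if n > 1)


def stratify(records, bands):
    """STRATIFY: count and total of amounts falling in each [low, high) band."""
    strata = {band: {"count": 0, "total": Decimal("0")} for band in bands}
    for _, _, amount in records:
        for low, high in bands:
            if low <= amount < high:
                strata[(low, high)]["count"] += 1
                strata[(low, high)]["total"] += amount
                break
    return strata


def run_integrity_review(records=INVOICES, control_count=LIVE_COUNT,
                         control_total=LIVE_TOTAL, bands=BANDS):
    """The fifth and sixth steps in one pass: controls first, then the overview tests."""
    return {
        "batch": batch_control_check(records, control_count, control_total),
        "statistics": count_statistics(records),
        "classify": classify(records),
        "gaps": gap_test(records),
        "duplicates": duplication_test(records),
        "strata": stratify(records, bands),
    }


if __name__ == "__main__":
    for name, result in run_integrity_review().items():
        print(f"{name}: {result}")
```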
[38] Steve Gibson is the founder of Gibson Research Corporation, frequent writer and speaker on high-tech
topics, and is considered a pioneer in the Internet and its technologies. See Gibson's open letter to the hacker
and his report of the incident at his corporate web site: www.grc.com.
Endnotes
1. See www.coso.org.
2. See www.isaca.org/cobit.htm.
5. An exposure draft exists that will change the principles to: (1) security, (2) availability, (3) processing
integrity, (4) online privacy, and (5) confidentiality.
6. See Exhibit 3.1 for a full diagram of Sections 3.5 through 3.9.
7. www.cert.org/present/cert-overview-trends/module-6.pdf .
9. See www.cert.org.
17. BIND is one of the name services on the Internet—typically on Unix, Linux, etc.-based systems, though
Windows XP does support BIND now.
21. Obviously, the SEC may or may not have adopted this ruling. Visit the IIA site www.theiia.org or the SEC
site www.sec.gov for clarification.
22. SEC Release No. 34-42266, File No. S7-22-99. See URL www.sec.gov/rules/final/34-42266.htm.
23. Nikos Vafaes, "On Audit Committee Appointment," Auditing: A Journal of Practice and Theory, Vol. 20,
No. 1 (March 2001).
24. Connie McDaniel, vice president and controller of Coca-Cola Company, from a speech presented to the
AAA, August 13, 2001.
28. They are called "white hats" because (a) they have obtained prior permission to "hack," (b) hacking is a
part of their job description and they are an employee, (c) they have a contract to conduct a pen test (specific
domain, specific time frame), and (d) they have an engagement letter to conduct the pen test.
31. According to ZDNet associate editor Robert Vamosi. See "Can We Stop Script Kiddies? Yes! Here's
How," ZDNet Reviews, May 15, 2002, online at www.zdnet.com.
32. Liu & Silverman, "A Practical Guide to Biometric Security Technology," IEEE Computer Society. Online
at www.computer.org/itpro/homepage/Jan_Feb/security3.htm.
34. Mark Kellner, "Digital Security," Government Computer News, 08/12/02. Online at
www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=19565.
35. Julian Ashbourn, "Biometrics: Making the Right Impression," SC Magazine, June 2002, pp. 58–63.
36. Steve Gibson is the founder of Gibson Research Corporation, frequent writer and speaker on high-tech
topics, and is considered a pioneer in the Internet and its technologies. See Gibson's open letter to the hacker
and his report of the incident at his corporate web site: www.grc.com.
4.1 Introduction
In order to achieve the goal of a world-class internal audit (IA) organization, standardized procedures must be
developed and followed by the staff.
Setting high standards will ensure that your department's work will be of sufficient quality to satisfy your
mission and enable reliance by your independent auditors. Development of each auditor's individual
professionalism can be greatly enhanced by understanding the company's expectations and being evaluated on
compliance with approved departmental procedures.
a. Strategic Objectives
Internal audit consists of people and procedures. In order to maximize the productivity of a group, the group
needs a mission and consistent procedures to attain departmental goals. This procedures manual, and this
chapter in particular, provides a place to state the department mission and document departmental procedures
to attain that mission. All organizations need a mission. They also need goals—short-term and
long-term—that can be linked directly to the mission of the organization. Other elements of management
include feedback and mentoring, resources and training, and rewards. These elements can all be documented
in a procedures manual.
i. Mission Statement
While each organization will need to personalize its own mission statement, the following is a general
statement that might apply or could be modified to apply:
• The internal audit department will enhance corporate viability and/or profitability by providing
management with expertise in developing and maintaining an effective control environment,
conducting efficient and effective audits, and building a quality IA department that will contribute to
the corporate mission.
From the mission statement, the IA department (in conjunction with management) should establish strategic
objectives to reach the mission. One example is: The department will strive to achieve world-class procedures
and quality of services by adhering to professional standards, best practices, and proven quality improvement
techniques. Another example is the actual mission statement of JPMorganChase, from the merger on
December 31, 2002:
• The General Auditor and his global team are the Corporation's independent control assessment
function, accountable for providing the Audit Committee, the Chairman, senior management, and
regulators with reasonable assurance that the system of internal control achieves its objectives.
Auditing's mission is to foster a continuous self-checking control environment in partnership with
senior management to identify opportunities to ensure the adequacy of the risk management and
internal control processes. Auditing's primary objective is to identify emerging issues, detect control
deviations, and track management's corrective actions.
Long-term and short-term goals should be linked to the mission statement. Mission statements are critical
components of most quality improvement programs (see Section 9.4). Therefore, it is obvious that the first
step in establishing the internal audit department is to develop an appropriate mission statement.
The mission statement, objectives, goals, and procedures of the internal audit department need to be
documented in such a way that the resulting document can be used as a reference manual. Auditor and
manager turnover is unavoidable. An appropriate manual will allow for smooth transitions. It will also
document questions about issues such as travel and other policies. But it is also a dynamic entity, and should
be updated with a conscientious approach to being current, correct, and consistent (e.g., with professional
standards, with itself, with corporate policies and goals).
We have said that internal auditing involves people and procedures. In most cases, the procedures involve
reviewing and evaluating controls, efficiency, effectiveness, and other aspects of the business. Efficiency
generally relates to measures of operations or delivery of services, especially as a ratio of inputs to outputs.
Effectiveness is a measure of how well the organization meets its goals. Effectiveness usually focuses on
strategy and improvements to decision making.
The review process creates at least two factors for audit management to consider. The first is the difficulty in
measuring internal audit productivity, and the second factor relates to the potentially negative nature of the
auditing business. Both of these factors must be addressed in a progressive internal audit department.
Auditor productivity requires the development of a proactive spirit, a high degree of professionalism, and
measurement techniques, including budgets and time reporting. The methodology contained in this manual
includes a conscientious attempt to address all of these areas. Budgets are important. Time
reporting—although a laborious task—is necessary to properly analyze productivity. A proactive spirit and
professionalism must be instilled in all staff members through the department's professional development
program.
Auditors can reach beyond the negative aspects of the auditing business. A modern audit department
proactively seeks positive deliverables from within the work of the organization. This effort may involve the
development of preventive control procedures, and the recommendation of these to auditees before audits. The
overarching goal of the audit program should be to improve the control environment within the company
(refer to the mission statement). It should not be to catch company units or individuals in violation of control
procedures. It is critical that the audit department develop a "work with" attitude within the organization.
Company management will periodically examine the contribution of the internal audit program. Will your
function pass this test? Unlike functions that produce products or services, audit results may be more difficult
to measure. How is productivity of the internal audit function measured? Does your audit function have the
internal system to measure and improve internal audit productivity? Other areas of organizations, and
businesses in general, are monitored and pushed to greater limits and improvements in quality; why not
internal audit?
All too frequently, audit management becomes lax. Decisions to spread out and space out audits are all too
easy. These types of issues do not exist in other functions: shipping is measured monthly, sales sometimes
daily, accounting reports are issued monthly. With audit management comes the responsibility to push for
greater volume, efficiency, and effectiveness (see definitions of each above). Audit management needs to
employ any and all tools and procedures to measure and improve productivity. All of these procedures and
methodologies should be carefully developed, documented in your procedures manual, and built into your
audit culture.
What happens if you become lax? Management does not look at internal audit every day, month, or quarter.
Over time, an impression is recorded on the effectiveness and efficiency of the internal audit function. In
many cases, change is made in dramatic fashion by changing audit management, or by eliminating, reducing,
or outsourcing the function. The fact that all appears quiet may be only a warning for an impending storm.
Measuring efficiency in internal audit is generally a simple and feasible process. Measuring the inputs—labor
hours or some other quantitative measure—is relatively simple. But outputs need to be measured in terms that are
relevant to the organization, rather than as a simple count of audits conducted, and they must not be ignored in
favor of simply quantifying inputs. Effectiveness is quite different. Based on the definition of effectiveness, management of internal audit
should first establish a reasonable, achievable, and relevant mission statement, with appropriate
accompanying goals and strategies (both must be measurable). This mission should be compatible with the
organization, culture, management's goals and objectives, and professional responsibilities. Then effectiveness
becomes a measure of how well internal audit accomplishes the mission, as measured by how well it is
reaching its goals associated with the mission statement. This measure is the one with which corporate
management will be most concerned.
To function effectively, internal auditors and the customers of audit services should possess a similar
understanding of what makes internal auditing a value-added activity. Failure to reach this understanding
could result in the perception that internal audit is simply an obstacle to achieving production objectives. This
perception can result in underutilized audit services and ignored audit recommendations. [1] It is imperative
that IA staff members articulate the mission of the IA function to its stakeholders effectively to avoid this
unproductive environment.
Every dollar spent on internal audit is a dollar not earned on the bottom line. Why not challenge the spending,
as is the case in other areas of the company? (Chapter 9 proposes a full quality assurance program
administered by audit management.)
As noted earlier, internal auditing management requires a proactive approach, good personnel, personal
development programs, structured procedures, a mission, short-term and long-term objectives, quality
assurance reviews, productivity measures, and so on. However, there is no simple measurement tool such as
units booked, units shipped, financial statements produced on time with accuracy each month,
comparable-store sales versus last year, capacity utilization, and so forth.
Audit contribution is very difficult to measure! Therefore, when management is offered a simple, perhaps less
expensive approach, it will be seriously considered. Is internal audit one of the organization's core competencies? Can
it be implemented more efficiently and effectively by an outside organization that has internal audit as its core
competency? These are questions currently being explored by many organizations.
Clearly, there are many factors involved in the decision to outsource all or part of an internal audit function. A
major element is size and ability to maintain various specialized skill sets, such as information systems (IS)
audit. In smaller organizations, outsourcing of general IS audit may be effective and efficient. In larger
organizations, with IS audit staffs, outsourcing certain very technical audits may be the advisable course of
action. Outsourcing should be considered during the departmental planning process. That is, if there is a need
for technical competencies not immediately available in the staff (e.g., Internet, encryption, intrusion
detection), audit management should consider whether to outsource or develop the skill internally.
The Institute of Internal Auditors (IIA) issued a report entitled, "Perspective on Outsourcing Internal
Auditing." In it, the IIA takes the following view:
• The IIA's perspective is that internal auditing is best performed by an independent entity that is an
integral part of the management structure of an organization. The IIA states unequivocally that a
competent internal auditing department that is properly organized with trained staff can perform the
internal auditing function more efficiently and effectively than a contracted audit service.
• Internal auditing by definition should be internal and integral to the organization, and the internal
auditing department should be staffed with professional internal auditors who adhere to the Standards
for the Professional Practice of Internal Auditing and the related Code of Ethics. One of the best
evidences of internal auditing competence is the Certified Internal Auditor (CIA) designation.
• Most internal auditors are degreed professionals. In fact, many hold advanced degrees and have
acquired specialized skills related to the organization for which they work. These professionals are
aware of their responsibilities with regard to the organization and the Standards.
• The key proficiency of internal auditors is internal control in its broadest sense. Internal auditors
provide management and the board of directors with competent evaluations of an organization's
system of internal control and the quality of performance of assigned responsibilities regarding the
reliability and integrity of information, compliance with laws and regulations, the safeguarding of
assets, the economical and efficient use of resources, and accomplishment of goals and objectives.
• Several common themes recur in control models, such as the Committee on Sponsoring Organizations
(COSO) of the Treadway Commission, Criteria of Control Committee of the Canadian Institute of
Chartered Accountants (CICA), and Cadbury Committee: "Internal control is management's
responsibility; tone from the top is important; controls must be built in not on; and internal
communication and people development are critical elements of the control framework." Internal
auditors' value and effectiveness are linked not only to their attunement to management's philosophy
and direction, but to their understanding of internal control and their direct knowledge of operating
systems that are often in flux.
• Internal auditors are in touch with governance issues and are intimately acquainted with their
organization's policies, procedures, operating practices, and personnel. They are able to devote their
full attention and loyalty to the organization and to identify subtle changes and ambiguities that may
signal trouble. Internal auditors can respond immediately to the concerns of senior management
because they are familiar with their organizations' culture and processes, and their status as
employees ensures confidentiality and loyalty.
• As long as internal auditing staffs are highly skilled, efficient, and responsive to management,
organizations are best served by keeping the internal auditing function internal.
The Enron fraud and disaster (bankruptcy) of 2001 also lends credence to the IIA's stance. Enron was
questioned for its outsourcing of the internal audit function, and the possible loss of independence when its
ISACA Standards also provide guidance on issues related to outsourcing. Standard #010.010.020 says in
section 2.1.1: "Where any aspect of the IS function has been outsourced to a service provider, these services
should be included in the scope of the audit charter." Section 2.1.2 further states: "The Audit Charter should
explicitly include the right of the IS Auditor to (1) review the agreement between the service user and the
service provider (pre-effect or post-effect), (2) carry out such audit work as is considered necessary regarding
the outsourced function, and (3) report findings, conclusions, and recommendations to service user
management." Thus outsourcing is something to be considered during the development of the audit charter
(see "Corporate Audit Charter" in this chapter).
e. Control Self-Assessment
In the 1990s, in reaction to the ever-expanding requirements for internal audit services and the need to control
overhead costs, internal audit groups began turning to control self-assessment (CSA) reviews, also known
as self-audits. CSA reviews are performed by line managers under the direction of the internal audit program.
Most line managers are concerned about controls over their operations and have a basic knowledge of control
issues related to their function or operation. Of course, CSA is not performed by individuals independent of
the operations under review and, therefore, will only supplement, not replace, internal audit activities.
In the current marketplace, all organizations are affected by global competition, as well as demands for greater
accountability. Customer-focused organizations are attempting to reengineer systems and eliminate activities
that do not add value for customers. These programs are changing business processes very rapidly and, in some
cases, reducing the internal control systems. At the same time, the profession of internal auditing, through the
IIA and other professional organizations including the American Institute of Certified Public Accountants
(AICPA) and the Financial Executives International (FEI), has redefined internal control with a broader,
more detailed definition, adding to the work of internal audit.
In this period of rapid change, CSA has arisen as a means of raising control awareness and coverage. This
innovative approach provides the internal audit department with an opportunity to meet its audit customers'
(management's) needs while controlling auditing costs.
CSA, or self-auditing programs, are usually built around self-audit questionnaires or audit programs. CSA
programs are initiated by sending a letter about the program to line or operating managers explaining how the
program will work, what their responsibilities will be (completion of the self-audit appraisal questionnaire)
and how the information will be used by the internal audit department. The letter should point out that the
information will not only be reviewed, but will also be verified during subsequent audits.
A member of the audit department at the supervisor or manager level will review the CSA response and
follow up on noted significant control weaknesses immediately if deemed necessary. All less significant
issues will be followed up at the point of the next audit. The CSA reports will also be integrated into the audit
planning process. It is advisable to assign a supervisor or manager who is acquainted with the subject
operations and/or who will be assigned to subsequent audits. Over time, locations or operations subject to
CSA reviews can be considered for extended audit intervals or lower risk assessments in the three-year plan.
This process will have the effect of reducing the audit time and travel expenses. Of course, the quality of the
CSA document and the seriousness with which local management implements the CSA program will be
important factors.
CSA programs are relatively new methods of delivering the internal audit service. Each organization will
develop a program that fits its own structure and culture. Another major benefit of this approach is that it allows the
internal audit function to continue to evolve from a policing role to the role of facilitator of controls and policies.
Through CSA, line or operations managers assume more ownership of and accountability for controls and
participate in the process of reviewing and improving control effectiveness.
We have learned that these processes can be linked, so that work performed in one process is leveraged to
benefit the auditors in a subsequent process, reducing their work and thereby increasing their productivity.
In addition, the methodology involves paying a great amount of attention to planning so that proper
objectives are set and work is directed to the higher-risk areas within the organization. An example of this
leverage is the reuse of information from the planning process, including the scope and auditee profile, in the
resulting audit report. Good planning leads to improved effectiveness and better quality results.
This methodology has been successfully implemented in a number of audit departments, and although at first
it may appear overly structured, the implementation has resulted in a consistently high-level, quality audit
product. There are no government or professional requirements for internal audit management to be so
structured; however, it has been our experience that operating in an unstructured environment causes an
erosion of management support and credibility over time.
Audit departments do not need to implement all of these strategies; however, they support the practice and
provide management with a clear understanding of the process. Without this process, management may
sometimes question the value of the contribution of internal auditing.
L. Flesher and Jeffrey Zanzig, SOBIE conference proceeding, April 15, 2002.
The IIA Standards suggest the charter should (1) establish the department's position in the organization; (2)
authorize access to records, locations, and personnel; and (3) define the scope of internal activities. (See
Exhibit 4.1.)
It is the policy of Sam Pole Company (the Corporation) to maintain an audit department as a means of
providing the Board of Directors and all levels of management with information to assist in the control of
operations and to assist senior management in reaching a conclusion concerning the overall control over assets
and the effectiveness of the system of internal controls in achieving its broad objectives. Additionally, the
Audit Department will review the effectiveness and efficiency of operations and organizational structures.
Complementary objectives of the corporate audit department are to develop personnel (see Chapter 5,
"Personnel, Administration, and Recruiting," and Section 9.5, "Marketing the Audit Function").
The Director of Auditing is responsible for properly managing the department so that (1) audit work fulfills
the purposes and responsibilities established herein; (2) resources are efficiently and effectively employed;
and (3) audit work conforms to the Standards for the Professional Practice of Internal Auditing.
The Director of Auditing will report to the Audit Committee for approval of audit scope, policy, and
administration. The Director will report in writing on all internal reviews conducted in the Corporation and
will attend the Committee meetings to report on significant recommendations and the operations of the
internal audit function.
(d) Independence
Independence is essential for effective operation of the internal audit function. It is the policy of the
Corporation, therefore, that all audit activities shall remain free of influence by any organizational elements.
This objective shall include such matters as scope of audit programs, frequency and timing of examinations,
and the content of audit reports.
Audit coverage will encompass, as deemed appropriate by the Director of Auditing, independent reviews and
evaluations of any and all management operations and activities to appraise:
• Measures taken to safeguard assets, including tests of existence and ownership as appropriate
• The reliability, consistency, and integrity of financial and operating information
• Compliance with policies, plans, standards, laws, and regulations that could have significant impact
on operations
• Economy and efficiency in the use of resources
• Effectiveness in the accomplishment of the mission, objectives, and goals established for the
Corporation's operations and projects
Audit activities will be coordinated, to the extent possible, with the public accountants so as to enhance audit
efficiency.
In accomplishing activities, the Directors of Auditing and their staffs are authorized to have full, free, and
unrestricted access to all Corporation functions, activities, operations, records, data files, computer programs,
The manager or head of the division, department, unit, or site audited is responsible for either planning or
taking corrective action on recommendations made or deficient conditions reported by the auditor. If the
proper corrective action is not taken, the Director of Auditing is responsible for presenting a report on
significant matters to a senior financial officer and/or the Audit Committee.
In performing their functions, the Director of Auditing and corporate audit staff members have neither direct
authority over, nor responsibility for, any of the activities reviewed. Internal auditors will not develop and
install procedures, prepare records, make management decisions, or engage in any other activity that could be
reasonably construed to compromise their independence. However, in connection with the complementary
objectives of this audit function, Internal Audit will recommend accounting and information systems policies
and procedures for approval and implementation by appropriate management. Therefore, internal audit review
and appraisal do not in any way substitute for other activities or relieve other persons in the organization of
the responsibilities assigned to them.
The Information Systems Audit & Control Association (ISACA) Standards also address audit charters.
Standard #010.010.010 states in section 2.1.1:
• The IS Auditor should have a clear mandate to perform the IS audit function. This mandate is
ordinarily documented in an audit charter that should be formally accepted. Where an audit charter
exists for the audit function as a whole, wherever possible the IS audit mandate should be
incorporated.
In Section 2.2.1 it further states: "The audit charter should clearly address the three aspects of responsibility,
authority and accountability." Under responsibility, the first subtopic is mission statement. Other ISACA
Standards affect the development of the audit charter, such as the outsourcing standard mentioned previously. Thus ISACA
Guidelines provide a lot of general guidance in developing the audit charter, mission statement, and other
organizational documents.
The positioning of internal audit within a company can vary. There is a great debate in the profession that
addresses the independence of internal auditing. The Sam Pole Company organization chart depicts the
Director of Auditing reporting directly to the Board of Directors, with a dotted-line responsibility to the Chief
Financial Officer (CFO) and Audit Committee. In some companies, the internal auditing function reports
directly to the CFO. This organization may be appropriate if the circumstances warrant this reporting
relationship. Whenever possible, the reporting relationship should be independent of the financial
organization.
Exhibit 4.3 is the "Sam Pole Company Audit Department Organization Chart." The chart depicts an integrated
audit department approach in which staff are available to managers of each audit discipline. This approach is
unusual and was included in this version of the manual to provide a thought-provoking example. Most
Another method for improving commitment and team spirit is to include the names of all the department
members on a departmental routing slip. This routing slip can augment the organization chart.
The Corporate Audit Department currently has three levels of professional job classifications, in addition to
the Director of Auditing. They are: Manager/Director, Senior Auditor, and Auditor. In addition, there is one
administrative position: executive secretary. Job descriptions for the current professional positions can be
found on the following pages. These job descriptions reference responsibilities for the major procedures
contained in the processes in other sections of the manual. Therefore, they document the responsibilities of
each staff member related to these methodologies.
To direct independent reviews and evaluations of any and all management operations and activities to
appraise:
• The reliability and integrity of financial and operational information
• Compliance with policies, plans, standards, laws, and regulations that could have significant impact
upon operations
• Measures taken to safeguard assets, including tests of existence and ownership as appropriate
• Economy and efficiency in the use of resources
• Effectiveness in the accomplishment of objectives and goals established for corporation operations
and projects
To coordinate activities to the extent possible with the public accountants to enhance audit efficiency.
To present to a senior officer and/or the Audit Committee, a report on significant recommendations or
deficiencies on which audited management has not taken proper corrective action.
To ensure that the department does not develop or install procedures, prepare records, make management
decisions, or engage in any other activity that could be reasonably construed to compromise its independence.
The Director must have an in-depth knowledge of the audit profession as well as the audit function at Sam
Pole Company, from both conceptual and technical viewpoints. Therefore, the Director should maintain an
expert knowledge of auditing and the auditing profession.
The Director must have excellent written and verbal communication skills as well as excellent editing skills.
He/she is responsible for monthly activity reports to senior management and updates to the Corporate Audit
Procedures Manual. The Director will perform a final review of corporate audit reports.
The Director should have excellent interpersonal skills. These skills are critical to develop and maintain
effective working relationships with all levels of management, the external auditors, consultants, and various
industry representatives.
The Director will also need to counsel managers and audit staff members as to their performance and career
development.
International:
Sam Pole Company is a dynamic company with significant operations all over the world. The Audit Director
will be involved with audits in foreign and domestic locations. This involvement will lead to travel to foreign
and domestic locations, where in some cases English may not be the first language.
CONTACTS:
Internally, the incumbent deals directly with all levels of management in the
company. The incumbent works with the corporate audit staff, managers, and senior officers of the
company.
Externally, the incumbent maintains close relationships with the Institute of Internal Auditors (IIA), the
Information Systems Audit and Control Association (ISACA), and the American Institute of Certified Public
Accountants (AICPA) in order to keep abreast of trends and developments in the auditing profession. The
incumbent has regular dealings with managers and partners of the company's external auditors to obtain
material including information that should be disseminated to the audit staff and management of the company.
The Director of Auditing develops contacts with suppliers of materials and other supplies for the functioning
This individual will have at least a four-year college degree and possess approximately 10 to 15 years of
experience in internal auditing and external auditing, including at least seven years at the manager or director
level.
The position is responsible for ensuring that the overall audit function of the company
monitors trends in the auditing field and applies them when appropriate to the practice of
auditing in the company. The position is also responsible for coordinating/initiating all
planning, quality assurance, and human resources-related functions for the Corporate Audit
Department. Furthermore, the position is responsible for the preparation and implementation
of a training plan for the department and the individual professionals therein and
coordinating the activities of internationally based auditors.
DUTIES AND RESPONSIBILITIES:
The individual will have direct responsibility for preparing an Audit Department multi-year plan, and:
• Coordinate input from the Director of Auditing as well as audit managers in developing the plan
• Summarize input received from managers and the Director of Auditing, together with international plans, and
produce a draft plan for discussion
• Update drafts based on input received until final draft is approved
• Prepare six-month and one-year plans for the three-year plan
The individual will be responsible for the coordination and administration of the Audit Department, and:
• Develop and maintain the Audit Procedures Manual of the Corporate Audit Department
• Prepare the operating budget for the department for approval by the Director of Auditing
• Monitor expenses by overseeing purchases and payment of invoices, and recommending viable
alternatives to the audit management
• Prepare annual summaries of external audit fees for the Director of Auditing
• Prepare periodic reports for senior management for the Director's review; also oversee the preparation
and production of periodic and biannual audit report summaries to the Audit Committee
• Maintain a complete file on each member of the audit staff, with job descriptions, resumes, career
actions, performance appraisals, training plans, and development records; produce and analyze reports
on various personnel statistics
• Advise Corporate Audit management on training needs and availability
The individual will be responsible for developing and implementing the department's Quality Assurance
Program, and:
12 Chapter 4: Department Organization
• Maintain the department's policies regarding periodic reviews of entire assignments, summary
reviews of all assignments, and external peer review
• Schedule staff for reviews of entire engagements
• Schedule staff for summary reviews of each engagement on an availability basis
• Prepare reports for the Director of Auditing, discussing the areas where improvement is needed in the
audit process
The individual will be responsible for coordinating the activities of the internationally based auditors, and:
• Coordinate the development of the international audit plans and integrate them into domestic plans
• Monitor the activities of the internationally based auditors
• Provide guidance on company developments
Audits:
In addition to the significant administrative responsibilities discussed in the job description, the individual will
be involved in selected audits, both domestic and international.
This position is responsible for maintaining expert knowledge of the auditing profession. The incumbent must
keep abreast of new or proposed developments to the auditing function, and analyze their impact on the
company. In addition, the incumbent is an authoritative source of information to the audit group regarding the
practice of auditing.
• The incumbent must have an in-depth knowledge of the audit profession as well as the audit function
at Sam Pole Company, from both conceptual and technical viewpoints. Also the incumbent should
have a good understanding of the company's primary lines of business and organizational
structure—or if such knowledge is minimal, should be capable of quickly becoming familiar with
these activities.
• The incumbent must have excellent written and verbal communications skills as well as excellent
editing skills. In addition, the incumbent must prepare monthly activity reports to senior management
and update (as necessary) the Corporate Audit Procedures Manual. The manager must review and edit
corporate audit reports and be able to effectively communicate departmental policies and procedures
to staff.
• The incumbent must have well-developed interpersonal skills. These skills are critical to develop and
maintain effective working relationships with all levels of in-house management, the company's
external auditors and consultants, and various industry representatives. The incumbent also needs to
counsel audit staff members on selected training and career development.
• The incumbent must develop and maintain ongoing contact with peers in industry for the purpose of
gathering information and exchanging ideas.
• The incumbent must gather information on proposed legislation, analyze impact to the company, and
draft statements for consideration by the Director of Auditing.
• The incumbent must interact with associations and institutions to keep abreast of developments and
trends in the auditing profession and ensure that both the Audit Department and business units are
kept informed.
International:
Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and
staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for
periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.
Internally, the incumbent deals directly with all levels of management in the audit function to the company, in
order to provide guidance when requested. The incumbent works with the Corporate Audit staff and senior
officers of the company including cross-relationships with Human Resources, Officer Services, and
Information Systems.
Externally, the incumbent maintains close relationships with the Institute of Internal Auditors (IIA), the
Information Systems Audit and Control Association (ISACA), and the American Institute of Certified Public
Accountants (AICPA) in order to keep abreast of trends and developments in the auditing profession. The
incumbent has regular dealings with managers and partners of the company's external auditors to obtain
material including information that should be disseminated to the audit staff and management of the company.
The Audit Manager develops contacts with suppliers of materials and other supplies for the functioning of the
Audit Department.
This individual will have a four-year college degree and possess approximately five to eight years of
experience in internal auditing.
To direct independent reviews and evaluations of any and all management operations and activities to
appraise:
To coordinate activities to the extent possible with the public accountants to enhance audit efficiency.
To exercise discretion in the review of records to ensure confidentiality of all matters that come to attention.
• Scope and Procedures. Implement the department procedures for audit planning, establishing scope,
and determining appropriate audit procedures.
• Document Development/Review. Develop or review the following audit documents on audits
assigned:
• Special Investigations. Provide direction and guidance. Review results. Recommend action in
coordination with other interested company and outside parties.
• Continuing Education. Pursue regular program for continuing education for self (related to
certifications held). Pursue professional development for self, as appropriate (e.g., systems seminar in
area of emerging systems development within the company, courses to pursue certification,
management training). Review and approve suitable program for departmental staff.
• Special Projects. As assigned, may participate. Direct, review, evaluate, and report work of assistants.
• Professionalism. Demonstrate superior performance and direction in all attributes of professional
conduct of self and staff, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and
corporate ethics.
International:
Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and
staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for
periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.
Internally, the incumbent deals directly with all levels of management in the audit function to the company, in
order to provide guidance when requested. The incumbent works with the Corporate Audit staff and senior
officers of the company especially with the accounting functions.
Externally, the incumbent maintains close relationships with the Institute of Internal Auditors (IIA), the
Information Systems Audit and Control Association (ISACA), and the American Institute of Certified Public
Accountants (AICPA), if applicable, in order to keep abreast of trends and developments in the auditing
profession. The incumbent has regular dealings with managers and partners of the company's external auditors
to obtain material including information that should be disseminated to the audit staff and management of the
company. Contact with organizations specializing in operational and management auditing must be
maintained.
• Experience in a supervisory capacity and the ability to direct and develop others
• Experience with financial, operational, and management auditing
This individual will have primary responsibility for reviews of the company's information systems (IS)
environment:
intelligent agents
• Planning of audits of development projects (or ongoing audit involvements) to provide critical input
while the project is in process
The individual will be responsible for taking a leadership position in expanding the use of computers by the
audit staff:
The position is responsible for maintaining an expert knowledge of the IS audit profession. The individual
must keep abreast of new and proposed developments in the IS auditing field and analyze the impact on the
company. The individual should be an authoritative source of information to the audit group as regards the
practice of auditing.
• The incumbent must have a good working knowledge of the information systems development at Sam
Pole Company. Consideration should be given to attending IS Steering Committee meetings.
• The incumbent must have excellent written and verbal communication skills as well as excellent
editing skills. The individual must prepare monthly activity reports to senior management on IS
auditing activities.
To coordinate activities to the extent possible with the public accountants to enhance audit efficiency.
To exercise discretion in the review of records to ensure confidentiality of all matters that come to attention.
The position will be responsible for working on selected financial and operational audits. These will
supplement the primary area of responsibility of IS auditing.
• Scope and Procedures. Implement the Department procedures for audit planning, establishing scope,
and determining appropriate audit procedures.
• Document Development/Review. Develop or review the following audit documents on audits
assigned:
♦ Preliminary survey: Review planned survey; review survey results
♦ Audit time budget
♦ Planning memo
♦ Audit programs
• Pre-Audit Conference. Establish audit objectives to be discussed at the conference.
• Field Work. Perform or review field work, as appropriate.
• Workpapers. Perform a limited review, as appropriate, based on senior detail review of workpapers;
approve reviewed workpapers for filing.
• Interim Recommendations. Interim recommendations following field work and documentation of
auditee position.
• Status Memo. On the basis of the memo contents, consider the appropriateness of the original audit plan and scope.
• Summary Memo. Review results of audit regarding attainment of objectives; review and approve
comparison of actual to budgeted hours and explanation for variance.
• Audit Management Letter. Review and follow up on all responses to the public accountants' Audit
Management Letter, including a report to the Audit Committee.
• Performance Evaluation. Prepare evaluation of senior auditors and conduct review.
• Information Systems. Have sufficient IS knowledge to be able to discuss and determine application
of IS audit resources, to judge effectiveness of computer controls, and participate in systems
development projects.
• Decision-Making Responsibility/Conclusions. Responsible for administrative and audit-related
decision making and conclusions based upon completed audits.
• Counsel/Guide/Motivate. Provide direction to immediate assistants to enable them to counsel, guide,
and motivate staff. Empower assistants to be effective. Participate directly in these activities when
appropriate.
• Auditee Relationship. At executive management level, identify and develop audit opportunities to
provide a more effective audit service to management.
Other Matters:
• Special Investigations. Provide direction and guidance. Review results. Recommend action in
coordination with other interested company and outside parties.
• Continuing Education. Pursue regular program for continuing education for self (related to
certifications held). Pursue professional development for self, as appropriate (e.g., systems seminar in
area of emerging systems development within the company, courses to pursue certification,
management training). Review and approve suitable program for departmental staff.
• Special Projects. As assigned, may participate. Direct, review, evaluate, and report work of assistants.
• Professionalism. Demonstrate superior performance and direction in all attributes of professional
conduct of self and staff, including professional codes of ethics (e.g., IIA, AICPA, ISACA) and
corporate ethics.
• SDLC/Systems Projects. Preferably ensure that a CISA (or staff member if a CISA is not available) is
a part of any systems development teams or projects.
International:
Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and
staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for
periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.
Internally, the incumbent deals directly with all levels of management in the audit function to the company, in
order to provide guidance when requested. The incumbent works with the Corporate Audit staff and senior
officers of the company, especially with Information Systems.
Externally, the incumbent maintains close relationships with the Information Systems Audit and Control
Association (ISACA), the Institute of Internal Auditors (IIA), and the American Institute of Certified Public
Accountants (AICPA), where applicable, in order to keep abreast of trends and developments in the IS
auditing profession. The individual has regular dealings with managers and partners of the company's external
auditors to obtain material including information that should be disseminated to the audit staff and
management of the company. The individual maintains contact with audit software vendors to stay abreast of
developments in the field.
QUALIFICATIONS—MINIMUM KNOWLEDGE AND SKILLS:
• Planning Scope and Procedures. Develop or supervise assistants in planning the scope of audits and
selection and development of appropriate audit procedures for manager approval.
• Preliminary Survey. Direct the development and preparation of the survey approach. Participate and
oversee work by assistants, if applicable.
• Audit Time Budget. Ensure establishing a practical budget, completing work on time, and evaluating
performance and variance.
• Planning Memo. Review assistant input and document thorough and complete approved plan for
specific audits after obtaining general guidelines from manager.
• Audit Programs Development/Changes. With manager approval, develop audit programs necessary
to promote effective audit coverage.
• Pre-Audit Conference. Ensure that audit objectives have been clearly and completely set forth to the
auditee before the audit.
• Field Work. Perform all field work in a competent and professional manner. Provide evidential
support for all report recommendations.
• Identifying System Control Points. Document controls or perform expert review of work by
assistants.
• Workpapers. Prepare selected workpapers and review assistants' workpapers.
• Interim Recommendations. Prepare recommendations for auditee consideration; review and evaluate
assistants' recommendations, considering materiality, pertinence to audit and documentary evidence.
• Status Memo. Prepare or review draft and finalize status memo for presentation to manager.
• Closing Conference. Prepare or review agenda of recommendations and comments. Conduct with
support from assistants.
• Report Preparation/Review. Prepare or review detailed recommendations and comments for
materiality and relativity of items, adequacy of workpaper documentation and auditee position (if
known). Responsible for completeness and accuracy of entire report subject to manager approval.
• Summary Memo. Prepare or review final summary memo based on review and evaluation of input by
assistants. Submit future audit planning recommendations.
• Performance Evaluation. Complete timely performance evaluations for assistant on audit and review
evaluations with them (if applicable).
• Information Systems. Apply, in appropriate circumstances, knowledge of basic IS audit techniques.
• Company Audit Procedures. Demonstrate complete comprehension and ability to (1) assess validity
of existing policies and procedures, and (2) recommend sound alternatives.
• Decision-Making Responsibility/Conclusions. Demonstrate capacity and evidence for effective
decision making and drawing sound conclusions.
• Auditee Relationships. Ensure continuing development of effective professional relationships with
auditee personnel.
• Special Investigations. Possess ability to carry out assignments discreetly, effectively, and efficiently
in sensitive, confidential circumstances.
International:
Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and
staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for
periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.
Internally, department management and associates; most levels of auditee management. Externally, technical
and other business professionals through societies and association memberships.
• Planning Scope and Procedures. Develop the scope for audits and selection and development of
appropriate audit procedures for senior/manager approval.
• Preliminary Survey. Develop and prepare the survey.
• Audit Time Budget. Ensure establishing a practical budget, completing work on time, and evaluating
performance and variance.
• Planning Memo. Provide input and document plan for specific audits after obtaining general
guidelines from senior/manager.
• Audit Programs Development/Changes. With senior approval, develop audit programs necessary to
promote effective audit coverage.
• Pre-Audit Conference. Ensure that audit objectives have been clearly and completely set forth to the
auditee before the audit.
• Field Work. Perform all field work in a competent and professional manner. Provide evidential
support for all report recommendations.
• Identifying System Control Points. Document controls.
• Performance Evaluation. Complete timely performance evaluations for assistants on audit and
review evaluations with them (if applicable).
• Information Systems. Apply, in appropriate circumstances, knowledge of basic IS audit techniques.
• Company Audit Procedures. Demonstrate complete comprehension and ability to (1) assess validity
of existing policies and procedures, and (2) recommend sound alternatives.
• Decision-Making Responsibility/Conclusions. Demonstrate capacity and evidence for effective
decision making and drawing sound conclusions.
• Auditee Relationships. Ensure continuing development of effective professional relationships with
auditee personnel.
• Special Investigations. Possess ability to carry out assignments discreetly, effectively, and efficiently
in sensitive, confidential circumstances.
• Awareness of the State-of-the-Art. Demonstrate clear understanding of current developments,
associating that understanding with company audit applications. Recommend adaptation, where
appropriate, in our audit approach.
• Continuing Education. Pursue departmental-approved program for continuing education for self.
Pursue professional development (PD) for self, as appropriate.
• Travel. Meet requirements and recommend improvements and alternatives to ensure timely, effective
realization of the department audit plan.
• Special Projects. Participate, as assigned. Recommend special projects, based upon experience and/or
need.
• Professionalism. Demonstrate superior performance in all attributes of professional conduct,
including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics. Encourage
others toward comparable performance.
International:
Sam Pole Company is a dynamic company with significant operations all over the world. Audit managers and
staff will be involved with audits in foreign and domestic locations. This involvement will include travel, for
periods of time, to foreign and domestic locations where, in some cases, English may not be the first language.
Internally, department management and associates; most levels of auditee management. Externally, technical
and other business professionals through societies and association memberships.
The individual will have direct responsibility for preparing preliminary, annual, and multi-year audit plans for
approval in the United States, for all European operations.
The individual will prepare drafts of expense budgets for one-year plans as appropriate, for approval in the
United States. The individual will maintain a copy of the Corporate Audit Policies and Procedures Manual of
the Corporate Audit Department for use in Europe.
The individual will maintain contact and develop lines of communication with auditees throughout the
European operations.
The individual will attempt to maintain knowledge of developments in the various European operations. This
process will involve monitoring periodic management reports and staying apprised of economic developments
in each country. Periodically, reports on these developments will be made to the Manager—Planning and
Control.
For All Assigned Audits:
• Planning Scope and Procedures. Develop the scope for audits and selection and development of
appropriate audit procedures for senior/manager approval.
• Preliminary Survey. Direct the development and preparation of the survey approach. Participate and
oversee work by assistants, if applicable.
• Audit Time Budget. Ensure establishing a practical budget, completing work on time, and evaluating
performance and variance.
• Planning Memo. Review assistant input and document a thorough and completely approved plan for
specific audits after obtaining general guidelines from manager.
• Audit Programs Development/Changes. With manager approval, develop audit programs necessary
to promote effective audit coverage.
• Pre-Audit Conference. Ensure that audit objectives have been clearly and completely set forth to the
auditee before the audit.
• Field Work. Perform all field work in a competent and professional manner. Provide evidential
support for all report recommendations.
• Identifying System Control Points. Perform expert review of work by assistants.
• Workpapers. Prepare selected workpapers and review assistants' workpapers.
• Interim Recommendations. Prepare recommendations for auditee consideration; review and evaluate
assistants' recommendations, considering materiality, pertinence to audit and documentary evidence.
• Status Memo. Prepare or review draft and finalize status memo for presentation to manager.
• Closing Conference. Prepare or review agenda of recommendations and comments. Conduct with
support from assistants.
• Report Preparation/Review. Prepare or review detailed recommendations and comments for
materiality and relativity of items, adequacy of workpaper documentation and auditee position (if
known). Responsible for completeness and accuracy of entire report subject to manager approval.
• Summary Memo. Prepare or review final summary memo based on review and evaluation of input by
assistants. Submit future audit planning recommendations.
• Performance Evaluation. Complete timely performance evaluations for assistants on audit and
review evaluations with them (if applicable).
• Special Investigations. Possess ability to carry out assignments discreetly, effectively, and efficiently
in sensitive, confidential circumstances.
• Awareness of the State-of-the-Art. Demonstrate clear understanding of current developments,
associating that understanding with company audit applications. Recommend adaptation, where
appropriate, in our audit approach.
• Continuing Education. Pursue departmental-approved program for continuing education for self and
recommend suitable programs for the department. Pursue professional development (PD) for self, as
appropriate, and recommend programs for the department, where appropriate.
• Travel. Meet requirements and recommend improvements and alternatives to ensure timely, effective
realization of the department audit plan.
• Special Projects. Participate, as assigned. Recommend special projects, based upon experience and/or
need.
• Professionalism. Demonstrate superior performance in all attributes of professional conduct,
including professional codes of ethics (e.g., IIA, AICPA, ISACA) and corporate ethics. Encourage
others toward comparable performance.
International:
Sam Pole Company is a dynamic company with headquarters in the United States and significant operations
all over the world. All audit managers and staff are involved with audits in foreign and domestic locations.
This involvement includes travel to foreign locations, where, in some cases, language differences may be
encountered. The Senior Auditor—Europe will possess multi-language skills and/or recommend alternative
audit approaches, including use of outside accountants or other company personnel.
Internally, the incumbent deals directly with all levels of management in the European headquarters and
country operations. Requests for audit assistance by the operating units should be communicated to U.S.
headquarters and considered during the planning process. The position works closely with the Director of
Finance for European Operations.
Externally, the incumbent should be a member of the Institute of Internal Auditors (in the United Kingdom)
and other appropriate audit institutes in Europe. The incumbent will have regular dealings with managers and
partners of the company's external auditors.
• Independent thinker
• Confidentiality
• Orientation (Training)
• Days Off for Extensive Travel
• Professional Certification
a. Confidentiality
In accordance with the approved Corporate Audit Department Charter under subsection Access and
Confidentiality, "in accomplishing his activities, the Director of Auditing and his staff are authorized to have
full, free, and unrestricted access to all corporation functions, activities, operations, records, data files,
computer programs, property, and personnel."
This access exposes the staff to confidential corporate information either by examination or discussion. The
privileged permission to be informed of confidential information carries a responsibility for the Audit
Department staff's confidentiality.
Confidentiality is defined as to "hold secret." The only exception is to report to audit management and others
on a defensible need-to-know basis.
i. Policy
All information known to require or deemed to (by a reasonable person test) require confidentiality should be
kept so.
ii. Discussion
Corporate Audit Department management must guard its responsibility for staff confidentiality in order to
protect the department's reputation and credibility. This protection covers present staff, transfers, and past
employees.
Breaches of confidentiality may be either intentional or by accident, as being overheard in public places,
elevators, or restaurants.
We are involved in and knowledgeable of a number of sensitive company situations including union
agreements, company politics, different pay scales, and special investigations that require good judgment and
limited exposure of details.
Another area of which the auditor must be constantly aware is gossip. Many people on the company grapevine
feel credibility is given to their conversation if they can include, "I heard it from an auditor." So beware of
the person who asks a lot of questions.
It should be clear to current or past employees of the Corporate Audit Department that violations of
confidentiality or gossip may result in:
• Immediate termination
• Probation
• Suspension without pay
• Warning
• Lawsuit
The consequences will be at the judgment of the Director of Auditing and/or Audit Committee. A lawsuit
could result from third-party damage, such as defamation of character from a libelous or slanderous statement.
(See "Responsibilities of an Auditor" in this chapter.)
b. Orientation (Training)
i. Objective
Provide reasonable assurance that the new employee will become promptly productive.
ii. Responsibility
Orientation is the responsibility of the manager to whom the new employee reports.
• Introduction to audit staff personnel and other employees with whom the auditor will work
• Discussion of duties and responsibilities
• Control of work:
♦ Hours of work
♦ Time reports
♦ Paycheck distribution
♦ Travel regulations
♦ Expense report preparation
♦ Supplies
• Readings:
♦ Audit manual
♦ Standards
♦ Literature on modern internal auditing
♦ Recent audit reports
♦ See recommended reading list
• One day for each seven consecutive nights in an international location may be taken off with pay.
• One day for the first 14 consecutive days of domestic (North American) travel may be taken off with
pay. For every additional seven consecutive and contiguous days thereafter, one additional day off
may be taken.
• Such days must be utilized by the end of the calendar year or they are automatically forfeited.
In order to encourage employees to attain professional recognition by passing a certification exam, the
Company will assist staff members by providing:
1. The cost of registration and fees for the initial sitting for the examination.
2. Fifty percent of the cost for recognized preparation (review) courses to a maximum of $750. To avoid
misunderstanding, selected courses should be approved by the Director of Auditing prior to
registration and payment of fees. Attendance at classes is to be scheduled during non-working hours
(Monday through Friday) or, preferably, on weekends. Staff assignments to projects will consider
review course attendance, but Sam Pole work must take precedence in cases where staff members are
required to fulfill Company commitments.
3. Time for sitting for examinations will be considered authorized excused leave.
It is anticipated that the Company will benefit from the attainment of certifications through increased
professional knowledge and adherence to professional standards and codes of conduct.
Endnote
1. "Information Systems Personnel Express a Desire for Change in the Functioning of Internal Auditing,"
Dale L. Flesher and Jeffrey Zanzig, SOBIE conference proceeding, April 15, 2002.
5.1 Introduction
Internal audit consists of people, information systems, and procedures. Talented people following
well-thought-out, tailored methodologies will produce consistent quality audit products. Organizations should
not lose sight of the support role of audit. Like the accounting department and other important groups in an
organization, audit does not produce the primary product or service. The audit mission (as defined in the audit
department charter), however, is crucial to the organization's success, providing independent review and
constructive advice.
In order to attract and maintain qualified staff, the corporate Audit Department has put in place a personnel
development program (see "Personal Development" in this chapter). However, the selection of the best
individuals is the first step in the process.
a. Sources of Personnel
Internal auditors are typically accountants who have an interest in auditing. In many cases, this interest is
combined with a desire to gain a good understanding of many business functions. The audit function exposes
auditors to a large number of areas in a company's operations. Therefore, it is considered an excellent training
ground. Consequently, some entry-level auditors will consider audit a stepping-stone in their career.
To develop a professional-level internal audit program, most functions require a college degree for new hires.
Colleges and universities develop students' basic skills and most include an auditing course in the accounting
curriculum—a requirement in most degree programs. In addition, most colleges and universities try to
accommodate the 150-hour rule for the Certified Public Accountant (CPA) exam by offering graduate courses
in accounting. A second auditing course is normally offered for those pursuing a master's degree.
Even more importantly, many universities are forming specialty degrees in systems, public accounting, and
internal auditing. The Institute of Internal Auditors (IIA) has a "Model Curricula for Classroom Use" that was
carefully constructed considering the Certified Internal Auditor (CIA), CPA, management consulting,
computer sciences; and considering the standards of the American Assembly of Collegiate Schools of
Business (AACSB), the International Association for Management Education, and the American Accounting
Association (AAA). The IIA maintains information on its "IIA Academic Program" online including a
120-hour model curriculum, 150-hour model curriculum, and a list of Endorsed Internal Auditing Programs
all online at their web site. [1]
The first step in recruiting from colleges and universities is to identify the schools with which you may want
to work, and review their curriculum and program for compatibility. One resource might be the IIA's list of
Endorsed Internal Auditing Programs, especially if one is fairly close by. Students in these programs have
already expressed an interest in internal audit, and are being educated more precisely (i.e., probably better
qualified than other accounting students) for internal audit jobs. Once you identify a school, it is beneficial to
develop a relationship with the accounting department and its students. Recruiting activities could include:
Most schools encourage on-campus recruitment activities and have structured means to accommodate them.
For example, most schools have a department that specializes in job placement—typically called "Career
Services" or a similar name. This group is one important contact because they can facilitate conducting
interviews, screen candidates based on the audit department's criteria, and forward applicable student resumes.
Most schools today are associated with some sort of job fair, either on campus or in the local area. Many
professors or department chairs will also work with companies one-on-one. If, for example, the university is
an endorsed IIA program and if an audit department wanted to hire regularly over time, then the department
will probably be willing to partner with the audit department (company) and provide specialized services
concerning recruitment. All universities encourage professionals, such as internal auditors, to visit campus to
speak to either classes (e.g., auditing) or student clubs in accounting. These activities are opportunities to
observe first-hand potential job candidates before getting involved with interviews, etc. Schools benefit
tremendously by bringing the "real-world" professionals and their experience and views into the course.
Accounting academics will appreciate any internal auditor who contacts them to schedule speaking
engagements. All of these resources are valuable to recruitment because each one causes some of the work of
the recruitment process to be transferred to the school, saving the audit department time and resources. And
together, they can expose the audit department to the best and brightest students for entry-level jobs.
In some cases, candidates may be available within the company. Most companies have sophisticated human
resource (HR) programs that can assist audit management with hiring and career progression issues. For
instance, many firms are employing elaborate systems that gather individual skills, training, and abilities.
These systems allow easy retrieval of people who fit a certain profile. Such a system is extremely helpful in
locating people with the interest and abilities related to internal auditing, and thus if your organization is using
this type of system, the corporate audit department needs to ensure coding is compatible with its needs. Audit
functions should always attempt to hire the best possible candidates and never "settle" or accept an individual
as an accommodation to another department.
graduates and, in most cases, provide them with formal hands-on training programs in the early years of the
person's employment. Some also provide industry and computer training. Of course, large internal audit
departments are capable of organizing and providing similar professional development programs. In most
cases, however, they cannot provide the diversified experience available in public practice.
b. Recruitment Aids
Forethought and planning will improve recruiting results. Candidates will be favorably impressed when
presented with company structure charts, organization charts, and a schematic of the personnel development
program similar to the one presented in the manual. Some audit departments develop brochures describing
functions, activities, and benefits (e.g., experience in many company operations, travel, and potential career
progression). The development of a summary of the current staff with qualifications may also add value.
Some departments that encourage career development in the audit department and within the company
develop career summaries on current and preceding members of the department.
An interview questionnaire for new internal auditors should be developed and used to summarize interviews
and results. Exhibit 5.1 is a sample form.
In some notable examples, personnel development programs have greatly enhanced the reputation of the audit
function through the addition of a tangible, measurable product: former audit personnel rising to higher level
positions in the organization.
Chapter 5: Personnel, Administration, and Recruiting 5
d. Certifications
Certifications, including Certified Internal Auditor (CIA), Certified Public Accountant (CPA), Certified
Information Systems Auditor (CISA), and Certified Management Accountant (CMA) are significant personal
achievements, and provide evidence of basic skill levels and knowledge. In today's business environment, the
Certified Fraud Examiner (CFE) and Certified Information Systems Security Professional (CISSP) have
become both valuable and relevant. Any of these certifications also add to internal audit's image. Policies can
be developed to encourage staff members to attain certifications, which should be seriously considered in
reviewing new-hire qualifications.
If society itself were standing still, there might be little pressure on the individual to update
his own supply of images, to bring them in line with the latest knowledge available in society.
So long as the society in which he is embedded is stable or slowly changing, the images on
which he bases his behavior can also change slowly. But to function in a fast-changing
society, to cope with swift and complex change, the individual must turn over his own stock of
images at a rate that, in some way, correlates with the pace of change. His model must be
updated. To the degree that it lags, his responses to change become inappropriate, he
becomes increasingly thwarted, ineffective. Thus, there is intense pressure on the individual
to keep up with the generalized pace. Today, change is so swift and relentless in the
techno-sciences that yesterday's truths suddenly become today's fictions, and the most highly
skilled and intelligent members of society admit difficulty in keeping up with the deluge of
new knowledge—even in extremely narrow fields. [2]
a. Introduction
In order to ensure that the Corporate Audit Department's education plan is implemented, the responsibility for
coordination has been assigned to the Manager of Policies and Control. As Coordinator of Education, the
Manager of Policies and Control will assist in the development of the departmental education plan and
individual auditors' educational plans. He/she will work closely with the staff and managers to achieve the
objectives of the Professional Development Program and report periodically to the Director of Auditing on the
status of the program.
b. Objectives
The Corporate Audit Department Training Program has been designed to improve and maintain the
professional competence of the corporate auditors so that they can effectively perform their function to the
fullest extent. Additionally, it is intended to provide for personal professional growth and job satisfaction. The
program, combined with on-the-job experience and training, and a comprehensive evaluation process, is
intended to provide a basis for advancement in the Audit Department, or for potential placement in key
c. Coordinator of Education
The Coordinator of Education is responsible for overseeing the educational needs of the department, and
ensuring that those needs are adequately met. The Coordinator reports to the Director of Auditing regarding
plans and resources needed to obtain and maintain an adequate level of knowledge and skills individually and
corporately in the department. Duties include:
• Assists the Director and audit managers in surveying staff and analyzing training needs.
• Recommends a comprehensive, systematic training program for the Corporate Audit Department.
• Coordinates the training activities for corporate auditors and makes staff aware of all training
opportunities.
• Assists auditors in developing individual goals and training programs.
• Develops and implements evaluation programs for all training activities involving Internal Audit.
• Investigates specific training programs as requested by other members of the staff and authorized by
the Director of Auditing.
• Assists in the evaluation of training programs and reviews regular (quarterly) training reports on staff
members for the Director of Auditing.
• Develops policies and procedures for maintaining and using the staff library. Assures audit
management that the library is adequately stocked and keeps staff informed of new acquisitions
pertinent to their particular needs.
The core of the Corporate Audit Program is on-the-job training through effective supervision and constructive
evaluations covering areas of need. The program is two-fold: the Core Program covering new auditors, and
the Advanced, covering education for career-minded internal auditors for periods beyond two years of work
experience.
On-the-job training is supplemented with the following types of formal and informal education:
• In-house seminars and self-study training through the use of audio and visual training courses, and
online courses via the web.
• Teaching or speaking engagements to help broaden one's knowledge and communications skills.
• Attendance at various outside seminars, workshops, lectures, and conferences, etc.
• Availability of a library of texts and reference materials covering internal auditing, as well as specific
areas of business management, taxation, finance, purchasing, construction, contracts, etc.
• Online services: Examples include Lexis/Nexis, [3] the AICPA (Auditing Standards), [4] ISACA's
K-net and CobiT, [5] and other providers of reference materials. Lexis/Nexis provides authoritative
legal, news, public records, and business information online. K-net is a global knowledge network for
IT governance, control, and assurance. CobiT is a generally applicable and accepted standard for
information technology (IT) security and control practices, providing a framework for management,
users, and information systems (IS) audit, control, and security practitioners.
• Specialized courses, when available and/or practical, specially designed to meet the internal auditor's
needs.
• Routing of selected educational material to the Internal Audit staff to maintain current knowledge in
the field.
The Core Program requires a minimum of two weeks, or 80 hours, per year of formal education or teaching.
The Advanced Program requires a minimum of one week, or 40 hours, per year. These minimum
requirements do not include self-study courses, outside professional meetings, on-the-job training, research,
and the use of the library.
e. Core Program
First Year:
During the first year of employment, attendance at various structured courses is required. The following
schedule will be followed, interfaced with on-the-job training:
• All new hires will attend an orientation program on the company and the Corporate Audit
Department.
• All entry-level auditors will attend a one- to two-week course on Introduction to Corporate Auditing
Procedures. This subject could be administered in-house by experienced corporate auditors, or
provided by outside trainers.
• All auditors will attend at a minimum a five-day Introduction to Computer Auditing course.
• All staff members will attend audio/visual courses on audit-related topics during the year.
• There will be mandatory attendance at all staff meetings and in-house internal audit seminars on a
regional and centralized basis.
Second Year:
The training program will continue into subsequent years. By the end of the second year, the following should
have been attained:
f. Advanced Program
The Advanced Program will involve specific tailoring to meet each individual's development needs. As the
internal auditor's career progresses, decisions need to be made regarding the individual's long-term objectives.
If those objectives lie in the Internal Audit area, provision should be made for the attendance at Internal Audit
management training and conferences. There may be a need for auditors to develop specific skills further. For
instance, operational auditing or IS auditing skills may be required by the department, and/or requested by
individuals in their career planning meetings. The professional development program can be tailored for each
individual, to help meet departmental, as well as individual, goals.
The advanced stage of the program anticipates that the staff member will increase his or her
involvement with professional organizations such as the IIA, American Institute of Certified Public
Accountants (AICPA), American Management Association (AMA), Information Systems Audit and Control
Association (ISACA), and participate in their educational programs. Staff members, at this level, should be
strongly encouraged to develop their own expertise in specific areas and provide training courses to these
organizations. Committee assignments can, in some cases, be considered as continuing education endeavors.
These decisions must be made by audit management, and documented in the individual's professional
development plan.
g. Record-Keeping
Each auditor is responsible for maintaining a chronological record of his/her training or educational
accomplishments while on the Corporate Audit staff. This record will be forwarded quarterly to the
Coordinator of Education. (See Exhibit 5.3, "Continuing Professional Education (CPE) Record.")
Exhibit 5.3 is a form headed NAME and PERIOD, with columns for DATE, ORGANIZATION, COURSE, INSTRUCTOR,
CPE Provider #, and CPE HOURS (PREPARATION, TEACHING, ATTENDED), and a TOTAL line.
The coordinator will review the forms quarterly and submit them to the Director of Auditing for inclusion in
each Auditor's personnel file. Certain continuing education credits needed to maintain various professional
certifications should be pursued by each individual auditor and will be retained in his or her personnel file.
Individuals should keep copies of course outlines as required by various certifications for CPE requirements.
Performance evaluations will be conducted after each assignment or periodically by each level of supervision,
and also placed in the file, so that needs analysis can be made to determine what additional education is
required to maintain each staff member's proficiency.
Training records will be used as a reference in scheduling staff members to various assignments. These
assignments will help reinforce the retention of course curriculum obtained from the training programs. The
Director and Audit Managers will periodically assess the auditor's training needs, using the CPE record and/or
the section on development needs as shown on the performance evaluations. After training assessments are
made, both individual and staff training goals and programs will be further developed as required.
The results of this training program should improve the professional competence of all staff members, thus
providing the knowledge to function and cope with our fast-changing, complex environment.
NO: 5.3 REV NO: DATE: TITLE: Personnel Files PAGES:
[2] Future Shock, Alvin Toffler, Bantam Book, August 1971.
[4] See www.aicpa.org.
[5] See www.isaca.org.
1. Employee resume and a copy of the original Company application (if appropriate)
2. Periodic performance appraisals
3. Summary of salary history and promotions
4. Corporate Audit Department Background Information Form (Exhibit 5.4)
These files should be maintained by the Audit Department in addition to files maintained by the Human
Resources (HR) function. To facilitate the development and maintenance of these audit departmental files and
facilitate the gathering of specific information necessary to proactively manage the corporate audit function,
two departmental forms should be completed by all employees and updated annually. These forms are:
the person's performance. The importance of timely, constructive interim feedback by the supervisor cannot be
emphasized too strongly. Such feedback will help to shape the end-of-assignment evaluation and will
expedite its completion and review in the shortest time. The Performance Evaluation Review Form is included
as Exhibit 5.6. The report is to be prepared for staff personnel by the in-charge senior or manager promptly at
the end of the assignment.
The completed report, signed both by the preparer and the person evaluated, will document the following:
The periodic, end-of-assignment review should be reinforced through effective interim oral or written
feedback by the supervisor during the assignment. Interim feedback is the continual process, an integral part
of the supervisor's functions. Failure to provide timely feedback is a weakness in the supervisor's
performance. The interim performance discussion should provide analysis of both strengths and areas for
improvement, emphasizing constructive actions for improving performance. Although interim evaluations
need not be in writing, the evaluation form can serve as a checklist for areas to be considered and for notes, as
both a basis for that evaluation and a reference point for the end-of-assignment evaluation.
i. Preparation
Report preparation is important, and ample time should be allotted to prepare the report.
(A) Assignment Responsibilities and Circumstances. The form is designed to obtain specific answers to
questions, amplified as appropriate by description, comment, or discussion.
Regarding the level at which the person was used on the assignment, indicate the level at which he or she
functioned rather than the actual level. Criteria should include the nature of the work, degree of supervision,
and prior staffing of the assignments.
The nature of the work, for the auditor's major responsibilities, should be described in sufficient detail. For
example: internal control (sales, cash receipts, payroll): documentation, audit program, walk-through;
inventory: observation, pricing finished stock; accrued liabilities: test for unrecorded liabilities. Unusually
difficult or simple situations should be identified.
(B) Manager/Director Approval. This approval is required on all evaluations prepared by staff-level
personnel, namely supervising senior, senior, and so forth. Approval should be indicative of Manager/Director
concurrence with the evaluation (see Manager/Director Comments section) and that it contains the appropriate
information. When prepared by staff-level personnel, it is recommended that the report be read by the
Manager prior to review with the individual. Manager/Director approval should occur after the report has been
discussed with the individual and finalized. Any Manager/Director comments should be included in the
evaluation at the time the individual signs off on the report.
(C) Comments Section. When completing this section, the auditor's experience level should be considered in
evaluating his or her performance. For example, the criteria for measuring a staff auditor's technical skills
would differ significantly from those used in evaluating a senior. It is expected that completion of all
categories will generally be appropriate except for the Development of Assistants category for evaluations of
staff auditors.
The boxes at the right margin are to be used to insert the abbreviation for the effectiveness level of each listed
qualification. Effectiveness levels are defined on the last page. It is expected that everyone will become
familiar with the definitions and use them as explained. Although the ratings "OUTSTANDING" and
"UNSATISFACTORY" should be clearly explained, specific comments should also be given for other
effectiveness levels for informative reporting to the auditor and the reader.
Areas noted for improvement should include any recommendations for the individual's development. In
discussing weaknesses, the evaluation should assess the progress made in correcting those weaknesses during
the course of the engagement. In situations when mitigating circumstances may have contributed to a
weakness, appropriate details should be provided. However, it is not appropriate, for example, to discuss
budget overruns when it clearly was not within the control of the individual. When one weakness impacts
several qualification categories, the evaluation should clarify this fact so as not to mislead the reader into
concluding that several weaknesses exist.
(D) Appraisal Section. The last page of the report summarizes the results of the performance evaluations, both
interim and end-of-assignment.
When completing the sections dealing with Developmental Needs and Promotability, comments, reasons, and
recommendations should be expressed clearly and constructively to provide reliable source information to
audit management for future assignments and indicated training and development needs.
The Manager/Director Comments section is required for all evaluations where that level of approval is
necessary. The basis for approval may be discussions with the in-charge senior, review of work papers or
personal contact. The Manager or Director may also include other significant comments.
The Summary Evaluation section should be completed subsequent to the Comments section and should be
supported by the written comments. Because it represents a summary of the written comments, emphasis is
again placed on the need to rate individuals on the basis of their experience level and standards normally
expected at that level. In rating an individual's effectiveness level, supervisors should refer to the definitions
provided on the form. Ratings other than these should not be used. The most appropriate rating must be
chosen. Written comments should explain borderline decisions.
Performance appraisal meetings provide a very important opportunity to discuss and improve employee
performance. Such meetings are a major element in a personnel development program. At every opportunity,
the Audit Department culture should emphasize the importance placed on continuing personnel improvement
and development. The Audit Department is only as good as the personnel performing the work. To the extent
that employees' performance can be improved, the overall quality of the audit products will be improved.
It is important that adequate time be allowed to plan for and conduct a performance appraisal meeting. The
meeting should be scheduled with the employee to reduce the anxiety usually associated with performance
appraisal meetings. All attempts should be made to create a comfortable atmosphere and reduce or eliminate
interruptions. The performance meeting presents an opportunity to review progress and priorities, resolve any
problems with performance, discuss future potential development needs, and what is needed to meet them.
Conducting the performance review can be a challenging endeavor, and efforts should be made
to train supervisory staff to better conduct performance review meetings. During the meetings, it is important
to create two-way communications. One objective of the meeting is to get the employee to open up. The
evaluator will be prepared with his or her comments. The meeting atmosphere should be informal and
unhurried. This objective can be accomplished by meeting in a conference room or away from a manager or
supervisor's desk, if possible. It is also important to emphasize the good work that the employee has
accomplished. There should be an emphasis on "praise" in the appraisal. It is important that the reviewer
probe and ask questions, and most importantly, listen to the answers. This approach will provide ample time
for the employee to discuss thoughts on his or her mind.
One of the objectives of the review process is to allow the employee to face up to any problems that might
exist. In some cases, the best approach to mentioning a problem is to use the self-appraisal approach. Under
the self-appraisal approach, the supervisor or manager will ask the employee to discuss his or her performance
from their perspective. It is very important to always discuss the performance—and not the individual's
personality. Any criticism should be made in a positive manner. For instance, talk about how the person can
make needed improvements.
There should be few surprises in the appraisal meeting. Problems should be discussed with the staff when they
are recognized. This method will allow the supervisor to correct the problem earlier and also demonstrate by
example the existence of the problem. When this method is not used, specific examples should be raised
during the appraisal review meeting. However, this method is not as good an alternative as actually having
mentioned the problems as they occurred.
Before the meeting is concluded, you should agree on a plan of action. Outline your thoughts on action points
prior to the performance meeting. Focus on facts and avoid general judgments. Set objectives and goals, and
agree upon completion dates.
Manual NO: 5.5 REV NO: DATE: TITLE: Annual Staff Meeting/Conference PAGES:
The location of the meeting is very important to the overall success of the meeting. Meetings should be
planned outside the office for a maximum impact. In addition, it may be combined with a social or sports
activity to help build morale and camaraderie among the staff.
The program can include a State of the Department Address by the Chief Auditor. Presentations by
department managers are also very important. Each functional leader should also provide an update on their
administrative activities, including the quality assurance program and the personnel development program.
a. Group Discussions
In order to provide a forum for feedback from the staff, consideration should be given to holding group
discussions. These sessions would allow staff members to discuss any topic related to their department. Plan
for a sufficient amount of time—a minimum of two hours—for group discussions. The staff should be broken
down by groups, and these sub-groups should be provided with private meeting space to hold these
discussions. In order to organize the group discussion, prepare a Group Discussions Instruction Sheet. Exhibit
5.7 illustrates this document for a fictional meeting. The groups should have a Group Leader and a Scribe.
The role of the Group Leader and the Scribe should be set out in the Group Discussion Instruction Sheet.
Objective
• To provide a forum for the staff to discuss their concerns and hear other members' concerns
• To provide feedback to Audit Management as to what are the main concerns of the staff and what
possible solutions they project
• Set the stage by informing the staff that this is their time to talk about anything related to the
Corporate Internal Audit Department's organization or activities. Tell them you have a list of some
items of potential interest you will use to generate conversation when there is none or to improve the
productivity of the conversation if it gets way off course.
• Explain that there is a scribe to take notes on what is said, not who said it, and that we will provide
feedback later in the day.
• Ask the group to begin and wait a few minutes. Give the group a good chance to start on their own.
• Keep the meeting moving. If too much time is spent on a topic, ask to move on to another topic.
Scribe's Role
• Listen carefully and make notes of key concerns, suggestions, items of interest, etc. If you don't
understand what someone is trying to say, ask questions to clarify the issue.
Observer's Role
Potential Topics
1. How important is audit planning? Is our approach adequate? How should we approach it?
2. Should we employ management by objectives and goal setting?
3. Should we require certification of some kind (CPA, CIA, CISA, CDP) within a given time frame?
4. How much of a factor should evaluations of performance be in determining raises and promotions?
5. Other:
The Leader's role is to set the stage by informing the staff that this meeting is their time and that they could
talk about anything related to the department's organization or activities. The Leader should be provided with
a list of some potential items of interest to generate conversation if necessary. However, there should be
sufficient time allotted before this list is introduced to ensure that the staff has an opportunity to bring their
own thoughts and ideas. The role of the Scribe is to listen carefully and make notes of key concerns,
suggestions, and items of interest. Having someone perform this role frees the Group Leader to concentrate on
the Leader's role—keeping the meeting moving. The Scribe will produce a list that should be provided to
audit management. The list should not indicate who made what recommendation—anonymity adds credibility
to comments by mitigating "groupthink" problems.
In many group discussion meetings, an Observer is also involved. The Observer could be the Chief Auditor or
Audit Management. The role is to listen in on a portion of each meeting to gain an understanding of the
temperament and direction of each meeting. The Observer should not speak at any meeting. The purpose of
the meeting is not to provide answers but to develop questions of interest and proposed solutions.
Group discussions require feedback from Audit Management. The Scribe's individual meeting summaries
should be combined for review by Audit Management at a subsequent meeting or responded to at the
conclusion of the Annual Staff Meeting/Conference. The sooner the feedback is reviewed, the better. For
instance, if simple issues or ideas are brought up that could be acted upon immediately, these responses
should be included in the closing remarks of the Chief Auditor. Those issues and suggestions that require
more careful attention should be thought through and summarized in a memorandum to all participants in the
Annual Meeting.
Annual Meetings usually prove to be very productive, if proper attention is paid to planning and arrangements.
Many of these items may already have been discussed during your interview with Sam Pole. However,
orientation will give you a more detailed explanation. We encourage you to ask questions; people on the staff
will be happy to help you, or many questions can be answered by reading the procedures manual. Please ask
any questions you may have.
These welcoming remarks are often used when new personnel join the department. A sample orientation
checklist can be found in Exhibit 5.8. A general description is provided here for each item on the orientation
checklist.
DATE INITIALS
Introduction to Staff _______________ _______________
Facility _______________ _______________
Parking _______________ _______________
Key Personnel/Organization Review _______________ _______________
Annual Report Issued _______________ _______________
Employee Benefits _______________ _______________
Job Description _______________ _______________
Performance Evaluation Review _______________ _______________
Three-Month Probation _______________ _______________
Working Hours/Salary/Overtime _______________ _______________
Vacations _______________ _______________
Sick Leave _______________ _______________
Personal Leave _______________ _______________
Time Reports _______________ _______________
Travel _______________ _______________
Orientation Supervisor Date Employee Signature Date
• Introduction to Staff. The person presenting the orientation will introduce you to members of the
staff in the office. That person will also identify those staff members who are not present and provide
you with a list of the staff in the Audit Department.
• Facility. You will be given a guided tour of the Corporate Audit Department and other nearby
facilities.
• Parking. Parking will depend on the division where you work. Additional parking facilities are
available at a cost to you.
When you are in the field, during your initial visit to the auditee's office, identify where you have
parked and ask about their parking requirements.
• Organization. Organization charts of the Corporate Audit Department and the Corporation are in
Chapter 4 of this manual.
• Annual Report. You will receive the current annual report of Sam Pole Corporation. Key officials are
identified in the annual report, along with major components of the Sam Pole organization. You
should study this report thoroughly.
• Employee Benefits. You will be issued employee benefit authorization cards that must be filled out
and signed. You will be issued an employee benefits manual. Read it carefully, and if you have any
questions, discuss them with Audit Department management. If we do not know the answers, we will
obtain them from the Employee Benefits office or refer you to the Human Resources Department.
The exception to this standard is when auditing outside of your home location. If 40 hours can be
accomplished Monday through Thursday by working 10-hour days, then at the discretion of audit
management, you may return home Thursday night.
• Advances. Each division may make temporary cash advances for expenses. Advances must be shown
on expense reports and accounted for monthly. Unused advances must be remitted to the company
monthly.
• Air/Rail Travel. Tickets for air/rail travel can be obtained from the travel department (and accounted
for in the same manner as cash advances) or purchased directly by the auditor and reported on the
expense report.
• Expenses. Sam Pole has issued a pamphlet, "Reporting of Travel and Business Expenses," to be used
with the exception of those items that are specifically provided for by the Corporate Audit
Department.
• Keys. The new employee will be given certain keys where appropriate. These must be signed out on
the log maintained by the secretary at your location.
• Library. The department office library contains various Sam Pole manuals. You should become
acquainted with these manuals. Other publications available for education or research are also in the
office library. You will see these, as well as checkout procedure applicable to the local offices (see
Recommended Reading List).
• Security Badges. Where badges are required, you will be evaluated on an as-needed basis before
badges will be issued to you. Necessary security codes, computer/network passwords and log-in
access, and/or badges will be arranged through the Manager of Corporate Audit.
• Professionalism. Corporate Audit is striving to make our department a world-class department. A
friendly, courteous relationship with auditees, outside auditors, and other Sam Pole employees is
paramount in establishing and maintaining good public relations. We consider ourselves professionals
and should act and dress accordingly. Dress should be in good taste. Try not to have extremes in
either direction.
• Procedures Manual. The master manual is retained in the office; in-charge auditors have a copy to be
used at the work sites. A better option would be to keep an electronic copy of the manual on the Audit
Department Intranet site for easier access (e.g., 24/7 availability to anyone). This manual was
developed for the benefit of new employees and to document procedures to be followed. It is
important to become familiar with the manual because we follow these procedures and are evaluated
accordingly.
• Safety Requirements. There are occasions when we must work in areas that require safety equipment.
Typically, the location will provide the equipment. In the division where visits to the factories are
customary, the department issues a hard hat and safety glasses.
The Information Systems Audit and Control Association (ISACA) also has established a similar emphasis on
planning. One guideline states, "The information systems auditor is to plan the information systems audit
work to address the audit objectives and to comply with applicable professional auditing standards"
(ISACA—IS Audit Guideline 050.010 [Audit Planning]). Additionally, another ISACA guideline addresses
planning related to day-to-day activities: "Before beginning an audit, the IS auditor's work should be planned
in a manner appropriate for meeting the audit objectives" (ISACA—IS Audit Guideline 050.010.2.1.1).
Planning is a very basic element of all business activities. The Audit Department is no exception. The
long-term departmental operating plan will demonstrate an organized approach to systematically auditing all
company operations. In this book, a three-year operating plan has been developed. The extended cycle of
audit coverage should be discussed with management and, if appropriate, with the Audit Committee. This
process would establish the overall strategy for auditing company locations. In many companies, every aspect
of the company's operations should be audited, to some extent, on a formal rotation basis (see Section 6.3).
Even small operations should be considered for audit visits. The audit "deterrent factor" should not be
underestimated.
To accomplish the responsibility for planning for internal audit activities, a planning matrix (Exhibit 6.1) has
been developed as a tool. It illustrates the flow and relationship of the three-year plan to the annual operating
budget, six-month audit plan, three-month audit schedule, and two-month staff schedule. By beginning with
the long-term planning exercise, the work investment naturally flows down to the planning for the shorter
periods. Here is where the chief internal audit executive looks for integration of activities to save work later
on. In formulating the three-year plan, one should consider the subsequent shorter-term plans by dividing the
long-term plan into six-month or other appropriate sub-periods that feed into the shorter-term planning process.
Exhibit 6.1 Planning matrix (reconstructed from the flattened table)

Three-year plan
  Basis: Owner's request to provide total coverage of principal audit areas over a three-year cycle;
    audit management decision; coordinate audit coverage with public accountants.
  Revision: As required.
  Responsibility: Primary - Manager - P&C; Secondary - Sr.

Annual operating budget
  Basis: Audit plans for the second half of the current year and the first half of next year; manpower,
    traveling, professional development and administration costs.
  Revision: As required.
  Responsibility: Primary - Manager - P&C; Secondary - Sr.

Six-month audit plan
  Basis: Specific implementation of each six-month period of the three-year plan; budget constraints.
  Revision: Audit management.
  Responsibility: Primary - Manager - P&C; Secondary - Sr.

Three-month audit schedule
  Basis: Attainable audit objectives for three months based upon the six-month plan; management discretion.
  Revision: Audit management.
  Responsibility: Primary - Manager - P&C; Secondary - Sr.

Two-month staff schedule
  Basis: Three-month audit schedule; manager discretion.
  Revision: Audit management.
  Responsibility: Primary - Manager.

Three-year plan worksheet column headings (reconstructed):
  Audit Unit Number | Audit Unit | Risk Factor 1 × wt. | Risk Factor 2 × wt. | Risk Factor 3 × wt. | Risk Profile |
  Estimated Audit Hours: Jan.-June 20xx | July-Dec. 20xx | Jan.-June 20xx+1 | July-Dec. 20xx+1 | Jan.-June 20xx+2 | July-Dec. 20xx+2
The three-year plan optimizes staffing requirements and the cost effectiveness of the Audit Department. The
plan is based on materiality and exposure to risk for establishing priorities of the audit entities and number of
hours for the audits. The three-year plan may be developed in detailed increments of six-month time periods.
Circumstances that change the plan include management requests and the results of detailed monthly planning.
a. Auditable Units
In order to develop an audit plan, the company's auditable units must be selected. An audit unit can be a
subsidiary operation, a department, a division, a system, or even an account. For instance, the XYZ Company
may be audited. Alternatively, the XYZ Company's sales cycle (sales, accounts receivable, and cash receipts
systems) can be audited or its accounts receivable balance can be subject to audit verification. A logical
approach for each company must be developed based on infrastructure, resources, system specifics, and
corporate strategies. In many cases, combinations of audit types will result. Often, various audit units at a
specific location will be combined to create a logical audit unit.
b. Risk Analysis
Risk analysis, or assessment, has become the preeminent method of guiding audits. External auditors have
long begun their process of financial audits with the audit formula—assessing inherent risk, control risk,
detection risk, and audit risk. In Statement on Auditing Standards No. 78, Consideration of Internal Control
in a Financial Statement Audit, the American Institute of Certified Public Accountants (AICPA)
institutionalized as guidelines the Committee of Sponsoring Organizations (COSO) model of internal control.
The five major areas of internal control include (1) control environment, (2) risk assessment, (3) information
and communication, (4) monitoring, and (5) control activities. The COSO model has also become a common
methodology used to design the internal control environment (see Chapter 3). Lately, internal auditing has
also put more focus on risk assessment. The current definition of internal auditing by the IIA states:
• Internal auditing is an independent, objective assurance and consulting activity to add value and
improve an organization's operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.
In 2000, the IIA adopted risk assessment as the cornerstone of audits in its Standards. In the Nature
of Work section (Standard 2100), the first standard relates to risk management (Standard 2110). It states: "The
internal audit activity should assist the organization by identifying and evaluating significant exposures to risk
and contributing to the improvement of risk management and control systems." In order to develop effective
audit planning, some type of risk analysis is necessary because it provides strategic direction for limited
resources.
For example, one published survey on best practices for audit efficiency concluded that correlating audit
efforts to the levels of risk and materiality helped increase audit efficiency. Thus auditors should try to limit
procedures in low-risk areas and focus their attention on trouble spots. [1]
Depending on your company's specific operations and management concerns, the various risk factors are
identified in the plan. Care must be taken to analyze the cost versus benefit of a complex risk-based audit
plan. Many risk analyses result in a potentially complex summary of mostly subjective criteria, such as results
of previous audits or the control concern level of management, and a restatement of obvious objective criteria,
such as materiality. However, a basic summary of risk analysis should be performed. Since all risks are not
equal, each risk factor is assigned a weighting factor. The following is an example:

  Risk factor                 Weight
  Materiality                   5
  Results of Prior Audits       3

For each audit, a score for each risk factor should be developed and multiplied by the risk factor weighting.
For instance, a scale of 1 to 5 can be used with 5 representing high risk and 1 representing low risk or a good
control environment. The following is an example:

  Risk factor                 Weight   Score   Weighted score
  Materiality                   5        5          25
  Results of Previous Audits    3        1           3
  Risk profile (total)                              28
From this type of analysis, a risk profile can be developed to support decisions of audit frequency or scope.
Finally, audit review and management judgment should be applied to the plan and risk assessment. All audit
managers should be encouraged to provide input and review.
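The weighting described above, carried through for a whole audit universe, as an added example that is not from the book: each auditable unit is scored 1 to 5 on every factor, scores are multiplied by the factor weights and summed into a risk profile, and the profile decides how often the unit appears in the six half-year periods of the three-year plan. The book's two weights (Materiality 5, Results of Prior Audits 3) are reused; the third factor, the unit names and hours, and the tier thresholds are assumptions made for illustration.

```python
"""Risk-weighted audit planning (added example, not from the book).

Each auditable unit is scored 1..5 per risk factor (5 = high risk), each
score is multiplied by the factor's weight, and the sum is the unit's risk
profile.  The profile then drives how often the unit is scheduled across the
six half-year periods of the three-year plan.  The management_concern factor,
the unit names and hours, and the tier thresholds are assumptions.
"""
from dataclasses import dataclass

# Materiality 5 and Results of Prior Audits 3 are the book's example weights;
# the management-concern factor and its weight are assumed.
WEIGHTS = {"materiality": 5, "prior_audit_results": 3, "management_concern": 2}
SCORE_MIN, SCORE_MAX = 1, 5
PERIODS = ["Jan-Jun 20xx", "Jul-Dec 20xx", "Jan-Jun 20xx+1",
           "Jul-Dec 20xx+1", "Jan-Jun 20xx+2", "Jul-Dec 20xx+2"]
# Assumed tiers: fraction of the maximum profile -> (tier, period indexes audited)
TIERS = [(0.70, "high", [0, 2, 4]),    # every year
         (0.45, "medium", [0, 3]),     # twice per cycle
         (0.00, "low", [1])]           # once per cycle (the "deterrent factor")


@dataclass(frozen=True)
class AuditUnit:
    number: str
    name: str
    scores: dict   # factor -> score on the 1..5 scale
    hours: int     # estimated hours per audit visit (assumed)


def weighted_profile(scores, weights=WEIGHTS):
    """Return (profile, breakdown) with breakdown = factor -> score * weight.
    A missing or out-of-range score is an error: treating it as zero would
    silently rank the unit as low risk."""
    breakdown = {}
    for factor, wt in weights.items():
        if factor not in scores:
            raise ValueError(f"no score for factor {factor!r}")
        s = scores[factor]
        if not SCORE_MIN <= s <= SCORE_MAX:
            raise ValueError(f"score {s} for {factor!r} outside {SCORE_MIN}..{SCORE_MAX}")
        breakdown[factor] = s * wt
    return sum(breakdown.values()), breakdown


def tier_for(profile, weights=WEIGHTS):
    """Map a profile to (tier name, period indexes) using the TIERS thresholds."""
    max_profile = SCORE_MAX * sum(weights.values())
    for threshold, name, periods in TIERS:
        if profile >= threshold * max_profile:
            return name, periods
    raise AssertionError("unreachable: the lowest tier has threshold 0")


def build_three_year_plan(units, weights=WEIGHTS):
    """Rank units by profile (highest first) with tier and scheduled periods,
    and total the estimated hours landing in each half-year period."""
    ranked = []
    for u in units:
        profile, breakdown = weighted_profile(u.scores, weights)
        tier, idx = tier_for(profile, weights)
        ranked.append({"number": u.number, "name": u.name, "profile": profile,
                       "breakdown": breakdown, "tier": tier, "hours": u.hours,
                       "periods": [PERIODS[i] for i in idx], "_idx": idx})
    ranked.sort(key=lambda r: (-r["profile"], r["number"]))
    load = [0] * len(PERIODS)
    for r in ranked:
        for i in r.pop("_idx"):
            load[i] += r["hours"]
    return ranked, dict(zip(PERIODS, load))


# Constructed audit universe for the example.
UNITS = [
    AuditUnit("101", "Treasury",
              {"materiality": 5, "prior_audit_results": 4, "management_concern": 5}, 400),
    AuditUnit("102", "Plant A",
              {"materiality": 3, "prior_audit_results": 2, "management_concern": 2}, 240),
    AuditUnit("103", "Cafeteria",
              {"materiality": 1, "prior_audit_results": 1, "management_concern": 1}, 40),
    AuditUnit("104", "Accounts receivable",
              {"materiality": 4, "prior_audit_results": 5, "management_concern": 3}, 320),
]

if __name__ == "__main__":
    ranked, load = build_three_year_plan(UNITS)
    for r in ranked:
        print(f'{r["number"]} {r["name"]:<20} profile={r["profile"]:>3} '
              f'{r["tier"]:<6} {", ".join(r["periods"])}')
    print("hours per period:", load)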
Departmental budgets and plans are the direct responsibility of the Director of Auditing. Departmental
budgets and plans include the annual departmental budget, the three-year audit plan, annual audit plan, and
monthly staff assignments. Each kind of plan is discussed in more detail in subsequent sections.
The Audit Committee requests the annual departmental budget each fiscal year. The Director of Auditing
must present the departmental budget as a corporate cost center to the Chief Financial Officer (CFO) and the
corporate budget department after the Audit Committee has approved it.
The annual departmental budget covers all facets of the department's expenditures for the following calendar
year. This budget includes the number of personnel, salaries, salary raises, supplies, conferences, travel,
employment fees, benefits, and several other expenses. Once the budget is developed and approved, it
becomes difficult to substantially change the direction of the department when additional costs will be
incurred. However, if circumstances warrant a scope change, discussions with the audit committee should be
scheduled.
Although the best intentions and forethought go into developing the Corporate Audit staff schedule, not all
circumstances can be anticipated. Auditees may require or request different time periods for their audit than
those scheduled. Management may request an audit not previously scheduled or change the timing of others. It
means that auditors must remain flexible.
When scheduling changes affect your plans, it may be possible to make other arrangements. Contact the
Internal Audit Manager to see what can be worked out.
[1] www.aicpa.org/pubs/jofa/sep2000/dennis.htm.
Corporate Audit Department Procedures Manual
NO: 6.3    REV NO:    DATE:    TITLE: Materiality    PAGES:
6.3 Materiality
A significant function of auditing is to express an opinion regarding the fair representation of financial
statements and the adequacy of the system of internal controls or other audited areas. In forming this opinion,
judgment must be exercised involving the materiality of exceptions to mathematical accuracy, auditing
procedures, compliance with Generally Accepted Accounting Principles (GAAP) and consistency in the
application of those principles.
In their pronouncements, the American Institute of Certified Public Accountants (AICPA), the Securities and
Exchange Commission (SEC), and Financial Accounting Standards Board (FASB) stress materiality.
Bulletins of committees of the AICPA relating to accounting and auditing procedure remind readers that they
apply only to "items material and significant in the relative circumstances" and that "items of little or no
consequence may be dealt with as expediency may suggest." Regulations of the SEC require that the
accountant express an opinion as to "any material differences between the accounting principles and practices
reflected in the financial statements and those reflected in the accounts."
How is the auditor to determine what is material, significant, or of consequence? The courts and the SEC have
furnished a few guidelines, including:
A. Where a misrepresentation would be likely to affect the conduct of a reasonable man with reference to
a transaction with another person, the misrepresentation is material (Restatement of the Law of
Contracts).
B. A material fact . . . (is) a fact which if it had been correctly stated or disclosed would have deterred or
tended to deter the average prudent investor from purchasing the securities in question (Securities and
Exchange Commission. In Matter of Howard et al., 1 SEC 6).
C. The term "material," when used to qualify a requirement for the furnishing of information as to any
subject, limits the information required to those matters as to which an average prudent investor ought
reasonably to be informed before purchasing the security registered (Securities and Exchange
Commission. Regulation C, Rule 405, of Securities Act Regulations).
D. The U.S. Supreme Court held that a fact is material if there is "a substantial likelihood that the . . . fact
would have been viewed by the reasonable investor as having significantly altered the 'total mix' of
information made available" (Basic, Inc. v. Levinson, 485 U.S. 224, 1988).
From these definitions, we may conclude that materiality depends on surrounding circumstances, the setting
in which the item appears, and the setting in which it will be used. If the probable effects of the
item—whether through omission or commission—would be to give rise to misleading inferences by the
person or class of persons whom it will logically reach, it is material, significant, consequential, and
important. For this purpose, these four words are practically synonymous, although some make a distinction
between material and significant, attaching material primarily to a dollar amount.
Clearly, there are degrees of materiality and, as a consequence, there will be borderline cases. These will
require all the good judgment that the auditor can summon. Standards that would guide an auditor in
determining whether or not a deviation would require correction, disclosure, or qualification of an opinion
would be of immense help to auditors.
Research shows that the assessment of materiality differs among individual accountants and among public
accounting firms and that it varies with the size and geographical location of the practice. In arriving at these
decisions, the auditor should keep these matters in mind:
• Relative size of the item. Failure to disclose a liability of $5,000 in the balance sheet of an enterprise
with net assets of $40,000 would result in a material misstatement. In a balance sheet showing net
assets of $3 million, it would ordinarily not be material.
• Absolute size of the item. In spite of the importance of relativity, size alone may be important. Many
accountants would consider a large amount important, even though it is only 3 to 4% of net assets, or
3 to 4% of net income before taxes.
• The nature of disclosure. The fact that a company has pledged its accounts receivable as security for
a loan is significant because it discloses that the company is using a comparatively expensive form of
financing and is therefore a material fact—even though the amount may not be material in relation to
the working capital.
• Use to be made of the report. If it is known that the report will be used for the sale of stock or for
obtaining long- or short-term credit, the effect the item might have on purchasers or long- or
short-term creditors would be considered.
• Evidence of a desire to mislead. The existence of an incentive for error would be considered. An
accidental error would have less significance than a deliberate departure from accepted procedure.
• Favorable or unfavorable effect of adjustment or disclosure. Unfavorable ones are usually given
more weight.
• Stability of income. If net pre-tax income fluctuates widely, unusual items are more important.
• Effect of future earnings. Items whose effect will continue into the future are more important than
those with only current significance.
Materiality may determine not only the need for exception or disclosure but also the extent of the audit work
necessary to sustain an informed opinion. Inventories of a manufacturing company are of greater relative
importance than those of a personal service organization, not only in size and amount but also because of the
greater number of ways in which they may be improperly handled, both physically and in the records. Where
accounts receivable consist of relatively few, but large, balances, the percentage of accounts confirmed should
normally be much higher than if they comprise a large number of small balances, even though the total may
be the same.
In summary, sound judgment is required in determining what is or is not material. No definition of materiality
need deter you from recommending adjustments of errors or omissions on the books or financial statements.
Auditees, as mentioned earlier, generally wish to have errors or deficiencies corrected.
Procedures for this review follow the general guidelines for external auditors, as specified in Statement on
Auditing Standards (SAS) No. 36: Review of Interim Financial Information. These procedures consist
primarily of inquiries and analytical review concerning significant accounting matters related to financial
information being reviewed. Additionally, the internal auditor should obtain an understanding of the entity's
systems of accounting and internal controls.
Our high-level review includes additional tests, specified in greater detail than in SAS No. 36. Compliance and some
substantive tests are to be performed over certain areas of an entity, including cash, accounts receivable,
credit, travel and expense, brand sales, product costing, marketing variable, fixed assets, debts, and inventory.
b. Financial Audit
A financial audit is a study of the current financial position of an operation to evaluate the fair presentation of
the financial position as reported on the balance sheet, income statement, and the statement of cash flows. Full
financial audits of significant company operations and subsidiaries are typically performed by external,
independent auditors. In some cases, however, full financial audits may be performed by Sam Pole's internal
auditors.
The primary reason for a financial audit is to assure parties relying on financial statements that the data are
presented fairly in accordance with GAAP. A financial audit would be appropriate before tax reporting,
expansion ventures, mergers, acquisitions, disposal, economy fluctuations, and periodic presentations of
financial position.
The approach to a financial audit would be governed by the purpose of the audit. If current liquidity were of
prime importance, collectibility of trade receivables, short-term investments, turnover of inventory, and
liquidation of accounts payable would be considered. If expansion or acquisition were of prime importance,
both long- and short-term debt would be considered. If economic fluctuations called for entrenchment, then
purchasing practices, inventory stockpiling, overhead reductions, and other operating costs would be
considered. Regardless of the purpose of the audit, financial controls would always be of prime consideration
in evaluating audit risk.
In all financial audits, the general ledger, general and specific journals, voucher registers, bank reconciliation,
and account analyses would be reviewed. These records would tell the auditor where the operation's assets
were utilized and why. Depending on the purpose of the audit, a review of the following reports would be
considered:
These records and reports would tell the auditor where the operation was, where it is, and how it got there.
They would highlight efficiencies and inefficiencies in vital areas such as credit and collections, inventory
control, production scheduling, capital investments, and purchasing coordination.
Given all the above factors, the audit plan would then be devised, giving consideration to:
• Staff requirements
• Starting and concluding dates
• Auditor assignments
c. Operational/Managerial Audit
An operational audit can be defined as an extension of a financial audit. A financial audit tells where the entity
was and where it is; an operational audit tends to answer the questions why the entity is where it is and how it
got there. In this sense, the operational audit falls into the category of a management service by evaluating the
four functions of management: (1) planning, (2) organizing, (3) directing, and (4) controlling. The operational
audit can be broken down further as a functional review; for example, Purchasing as a department versus the
overall Procurement operation in coordination with production scheduling and market forecasting. There are
several reasons for performing an operational audit: adverse compliance with policies and procedures, excessive
customer returns, equipment down time, variances, proposed product changes, theft, or personnel turnover. The
timeliness of an operational audit is determined by the reason for the audit and the areas to be audited.
To formulate the approach to an operational audit, an auditor must first establish the scope. This step
determines the extent of the audit. The next step is to become familiar with an auditee's operation, its purpose
in the total structure of the entity, its history, its staff, and its reporting path. The reporting path is of prime
importance because this path is the communication route along which audit results and conclusions will flow.
The auditor should advise the location's management in advance of a planned visit so that suitable working
and living accommodations may be arranged.
The prime records to be obtained in an operational audit are the organizational chart of the function/operation,
applicable policy guides, and procedures directives. These will outline each employee's responsibility and
authority. The function's/operation's performance reports for at least one year prior to the audit should be
reviewed to determine trends that have developed over the past year. These records and reports could indicate
such trouble areas as segregation of duties, imbalance in reporting path, over- or under-staffing,
noncompliance with corporate policies and procedures, weaknesses in internal controls, or inadequate job
rotations. These indications could aid the auditor in determining priorities as to depth of investigation and
areas of potential improvement. Reports must be informative and timely, and directed to the proper levels of
management.
d. Compliance Audit
A compliance audit involves two different, though closely related, types of issues:
1. The nature and scope of the transaction against which the compliance is to be ascertained
2. The degree to which it is practicable, or even desirable, to determine the compliance
Therefore, a compliance audit can be defined as a rerun of a given task over a prescribed course that is
monitored by various checkpoints to reach a desired conclusion.
Reasons for a compliance audit can vary with the size and complexity of the organization, type of product,
market involvement, quantity and locations of sites or levels of standardization. A compliance audit may be
performed due to a recent history of excess customer returns, unusual buildup of inventory, increase in scrap,
increase in bad debt write-offs, proposed realignment of responsibilities, manpower turnover, or a routine
review of procedures.
e. Contract Audit
A contract audit is defined as the review and evaluation of a contract (terms, conditions, etc.) and its related
financial transactions. The terms construction and contracts are sometimes used interchangeably in the audit
profession because a construction project requires a contract. Contracts, however, cover a wide range of areas
such as repairs, maintenance, rentals, and consulting.
• Assess the adequacy of internal accounting control systems and operating procedures.
• Monitor compliance with corporate policies and procedures, contractual provisions, budgetary
guidelines, and operating safeguards and controls.
• Highlight problem/opportunity areas and make appropriate recommendations to management for the
development of new operating and control procedures.
• Contractor controls and procedures are adequate to assure that the billed costs are proper and
reasonable.
• Controls exist to assure that other charges to the project are proper and reasonable.
1. Review the contract to determine that it is in accordance with established company policies (e.g.,
competitive bidding).
2. Document and evaluate the system of internal control.
3. Review pertinent data (project expenditures) to determine test criteria.
4. Perform a review to ascertain that all expenditures (included in test) are accurate, properly supported,
and in agreement with terms and conditions of contract.
5. If considered necessary, visit the contractor's office and review records to determine that charges to
the company are proper.
Ongoing contract audits require the preparation of periodic interim reports to management advising on
situations encountered so that prompt corrective action can be taken. A formal report is also required on
completion of an assignment, and status reports to audit management should also be issued from time to time.
f. Desk Review
In a desk review, the internal auditor will obtain a package of financial and other documentary information
from the auditee and perform limited procedures. In most cases, all procedures will be performed from
corporate offices and not at the auditee location.
Several benefits result from frequent desk reviews. First, the internal auditor can determine if the auditee is
currently in compliance with previous recommendations. Second, internal auditors can expand the coverage of
their audits to nearly the entire organization without making trips to every location. A related benefit is
reduced travel time and travel expenses. Finally, the desk review is ideal for training new internal auditors,
allowing them to gain an understanding of an entity's operations prior to doing a field audit.
A desk review can be combined with a control self-assessment review; see Chapter 4.1(e).
[3]
h. Information Systems Audits
Information systems (IS), or electronic data processing (EDP), audits are the examination of significant
aspects of the IS environment. The company may have several different IS environments, such as: mainframe,
mini-computer, microcomputer (PCs), local area networks (LANs), wide area networks (WANs), electronic
data interchange (EDI), and Internet hosts (servers, electronic commerce).
The nature of business systems changed dramatically in the 1990s. More and more businesses went to
real-time, online systems. The Internet expanded into the World Wide Web (WWW, web) where a geometric
growth of pure digital business transactions has occurred (i.e., electronic commerce). In general, more
accounting functions are computerized and more business transactions are now entirely in digital form.
Therefore, IS audits are becoming increasingly more important for data integrity, system availability, and
security. For those businesses that have some or all of their business transactions embedded within IS, the
availability of the system has become critical to the success of the firm. Even for external audits, the "white
box" technique [4] of financial audits is becoming more necessary and will become more and more common.
The internal auditor should have identified audit units for each of the IS environments above applicable to the
firm. The COSO model is an excellent way of identifying such units. Using both COSO and other sources, the
following is a list of major audit units to be considered for each environment, although it is not
comprehensive:
• System Control Activities: General Controls Review. Review of general control units such as
organizational structure policies and controls related to all information systems or technologies. This
review could be done in conjunction with other audits (i.e., integrated approach). An examination of
general controls might include units such as:
♦ Access Security
◊ e.g., Top Secret, RACF, ACF2
♦ System Availability/Continuity of Operations
♦ Documentation Standards
♦ Program Development and Change Control
♦ Transaction authorization
♦ Segregation of duties
♦ Compensating controls (often necessary in IS environments)
♦ Accounting records (especially audit trails)
♦ Independent verification (management's assessment of individuals, integrity of Accounting
Information System (AIS), and integrity of the data in the records)
• Detailed Examination of Operating System. Audit specific to MVS operating system, AS/400, Unix,
Linux, Novell, Windows, etc. The audit should have at least these objectives:
A Disaster Recovery Plan (DRP) is a comprehensive statement of all actions to be taken before, during, and
after a disaster, along with documented, tested procedures that will ensure the continuity of operations. [5] The
DRP starts with a written plan that also identifies the procedures for restoring operations with the DRP
elements. The procedures should rank critical applications for the restoring process so as to minimize the loss
of critical transactions during the down time. The plan also identifies the DRP team. Every organization needs
an appropriate DRP. A review of the DRP includes at least the following items:
• Backup Site. An offsite facility equipped to restore operations (e.g., a hot site such as a recovery
operations center, a cold site with separate backup equipment, or a mutual-aid pact).
• Backup Data. An offsite receptacle for archived data, stored frequently and timely (e.g., online data
vaulting and data sets such as tapes, disk packs, etc., stored in a fireproof vault, etc.). This process
should have been tested for reliability.
• Backup Software. Backup copies of all relevant software and applications. These should be stored
offsite at the site backup or with the data backup.
• Backup Resources. Items such as paper supplies (e.g., continuous forms for printing invoices or
checks) and other supplies necessary for systems to function. These items should be stored at or near
the backup site.
• Backup Documentation. Any manuals or documentation that are necessary for operations. Again,
stored at or near the backup site.
• Backup Team. The identification of the DRP team, with responsibilities for each member having
been described in the written DRP. All of the DRP recovery processes should be made the
responsibility of various team members with overlap or backups for personnel in case of the greatest
tragedy—the death of a DRP team member.
• Critical Applications. A ranking of all applications to be restored. The ranking provides a way to
prioritize DRP recovery processes.
• Tested. Has the plan been tested in a realistic manner?
Application controls can be tested and examined using the system model: input controls, processing controls,
and output controls.
A. Input Controls. Input controls would focus on maintaining the integrity of data entry and assertions
such as completeness and existence (occurrence). They are designed to ensure that the transactions
that bring data into the system are valid, accurate, and complete. Data input procedures can be either
source document-triggered (batch) or direct input (real-time). Source document input requires human
involvement and is prone to clerical errors. Direct input employs real-time editing techniques to
identify and correct errors immediately. The following is a list of some input control areas for which
to plan and investigate:
♦ Audit trail controls (building an adequate digital audit trail of internal processing activities)
♦ Logic testing (formulas, etc.)
The latter area is a real key to most systems and is extremely valuable for reviews of new or significantly
revised applications. In order to conduct a white-box-type IS audit, an in-depth understanding of the internal
logic of the application being tested is imperative. There are several techniques for testing logic directly.
These approaches use small numbers of specially and expertly crafted test transactions used to verify aspects
of the application's logic and controls. With known variables and calculated results, auditors can then conduct
precise tests, obtain computerized results, and compare them against the objective set. The following list is
indicative of the types of tests that could be run to test application logic:
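The two ideas above, input edit checks and white-box testing of application logic with crafted test transactions, as one added example that is not from the book. A small assumed invoice-pricing routine stands in for the application under audit; the auditor's test deck carries both malformed transactions the input controls must reject and boundary transactions whose amounts were computed independently, and the run compares the system's results against those expectations. The application, its pricing rule, the customer master file and the deck are all constructed for illustration.

```python
"""Test-deck check of input controls and application logic (added example).

A constructed invoice-pricing routine plays the application under audit.
The deck holds transactions with known expected results: malformed records
that the edit checks must reject, and valid records whose amounts the auditor
computed by hand, including the discount boundary.  Batch control totals are
recomputed and compared with the totals keyed from the source documents.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP


@dataclass(frozen=True)
class Txn:
    txn_id: str       # six-digit sequence number
    customer: str
    qty: int
    unit_price: Decimal


# --- input controls (edit checks); the customer master file is assumed ---
VALID_CUSTOMERS = {"C001", "C002"}


def edit_check(t):
    """Return the list of control exceptions; an empty list means the record passes."""
    errs = []
    if not (t.txn_id.isdigit() and len(t.txn_id) == 6):
        errs.append("txn_id format")                       # format check
    if t.customer not in VALID_CUSTOMERS:
        errs.append("customer not on master file")         # validity check
    if not isinstance(t.qty, int) or t.qty <= 0:
        errs.append("qty not a positive integer")          # range/sign check
    if t.unit_price <= 0:
        errs.append("unit_price not positive")             # sign check
    return errs


def batch_controls(batch):
    """Record count, quantity total and hash total (sum of id numbers) for a batch."""
    return {"record_count": len(batch),
            "qty_total": sum(t.qty for t in batch),
            "hash_total": sum(int(t.txn_id) for t in batch)}


def verify_batch(batch, keyed_totals):
    """Compare system-computed totals with the totals keyed by the operator from
    the source documents; return the names of the totals that disagree."""
    computed = batch_controls(batch)
    return [k for k in computed if computed[k] != keyed_totals.get(k)]


# --- application logic under test (assumed rule: 10% off at 100 units or more) ---
DISCOUNT_THRESHOLD = 100
DISCOUNT_RATE = Decimal("0.10")


def price_invoice(t):
    gross = t.qty * t.unit_price
    discount = gross * DISCOUNT_RATE if t.qty >= DISCOUNT_THRESHOLD else Decimal(0)
    return (gross - discount).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


# --- auditor's test deck: (transaction, expected amount or "REJECT") ---
TEST_DECK = [
    (Txn("000101", "C001", 10, Decimal("9.99")), Decimal("99.90")),
    (Txn("000102", "C002", 100, Decimal("2.50")), Decimal("225.00")),  # discount applies at exactly 100
    (Txn("000103", "C001", 99, Decimal("2.50")), Decimal("247.50")),   # one unit below the threshold
    (Txn("000104", "C999", 5, Decimal("1.00")), "REJECT"),             # customer not on master file
    (Txn("000105", "C001", 0, Decimal("1.00")), "REJECT"),             # zero quantity
    (Txn("00A106", "C001", 1, Decimal("1.00")), "REJECT"),             # malformed id
    (Txn("000107", "C002", 3, Decimal("-4.00")), "REJECT"),            # negative price
]


def run_test_deck(deck=TEST_DECK):
    """Return (txn_id, expected, actual, passed) for every deck entry."""
    results = []
    for t, expected in deck:
        actual = "REJECT" if edit_check(t) else price_invoice(t)
        results.append((t.txn_id, expected, actual, actual == expected))
    return results


def deck_passes(deck=TEST_DECK):
    return all(passed for _, _, _, passed in run_test_deck(deck))


if __name__ == "__main__":
    for txn_id, expected, actual, passed in run_test_deck():
        print(f"{txn_id} expected={expected} actual={actual} {'ok' if passed else 'EXCEPTION'}")
    valid = [t for t, exp in TEST_DECK if exp != "REJECT"]
    print("batch totals:", batch_controls(valid))
```

The deck deliberately straddles the discount threshold (99 and 100 units) because off-by-one errors in pricing logic are invisible to ordinary volume testing; a single crafted transaction on each side of the boundary catches them. The hash total is a control total over a non-financial field (the id numbers), which detects a dropped or duplicated record even when quantities and amounts still balance.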
C. Output Controls. Lastly, internal auditors should plan for an examination of output controls. Output
controls are intended to ensure that system output is not lost, misdirected, or corrupted, and that
privacy is not violated. The type of processing method in use influences the choice of controls
employed to protect system output. Batch systems are more susceptible to exposure and require a
greater degree of control than real-time systems. These controls are much easier to audit than
processing or input controls. The following is a list of some output control areas for which to plan and
investigate:
Another key element to IS audits is the use of computer-assisted audit tools and techniques (CAATTs). The
internal auditor should make an assessment of applicable tools and techniques for the specific unit and audit
objectives. The following is a list of possible tools and techniques, but is not fully inclusive:
i. E-Commerce Audits
Electronic commerce (e-commerce) has some special considerations beyond those identified in the IS audits
section because the IS audit is typically conducted on the "back office" system. E-commerce is the "front end"
system. The audit of e-commerce will focus on controls, access, security, and availability. The higher risks in
e-commerce at the present are viruses, hackers and crackers, and activities intended to crash the system. Some
CAATs provide auditors the ability to probe for weaknesses—to play the devil's advocate on their own
systems (e.g., SAINT). These tools are extremely beneficial in doing e-commerce audits. A review should
include the following applicable units or areas, although this list is not exhaustive:
• Non-repudiation controls
• System availability, fail-safe controls
• Anti-virus protection
j. International Audits
An international audit is a full-scope audit of a particular division or subsidiary. These are performed on a
regular basis or on request. The scope of this type of audit includes a financial section, an operational section,
an IS section, and a section addressing the unique characteristics of the location's customs and duties and
governmental affairs. Depending on staff levels, distance and capabilities, international audits may be a good
candidate for outsourcing.
James A. Hall, Information Systems Auditing and Assurance, South-Western College Publishing, 2000.
[4] This term refers to the approach where the auditor audits through the computer system rather than around it
(i.e., black box).
[5] James A. Hall, Information Systems Auditing and Assurance, South-Western College Publishing, 2000.
[6] More than passwords, because secured access for e-commerce is usually multi-faceted. For example, a
firewall, intrusion detection system, and passwords combined for access control(s).
[8] Online and offline: almost all credit card theft over the Internet has been from files on the system, not from
stealing them during transactions.
[10] For example, SSL, SET, S-HTTP.
• Providing the quantitative support necessary at the staff level. Accurate budgeting of all audit
activities throughout the year will summarize into a viable total from which to determine the number
of auditors required.
• Adding to job control. Prompt time reporting enables the in-charge manager to effectively analyze
how much time has been spent, how matters stand against the budget, and how much further time is
required for completion.
• Supporting productivity. Time reporting provides the ability to monitor actual time spent on audits
versus administrative and other lost productive time.
The following discussion is an explanation of a basic time reporting form as well as a listing of basic reports.
Each audit assignment should be given a number indicating the year and the audit number—beginning with
001, followed by 002, etc. Task and audit type codes should be added as described below.
d. Job Number
Each assignment will have a specific job number. Job numbers assist in the identification and accumulation of
time reported by several individuals on various jobs. If you are asked to perform a task, obtain the appropriate
job number from your supervisor or get the number from the planning memo in the administrative binder for
that job.
e. Audit Codes
Audit codes relate to the type of audit. A listing of these and task codes follows. (See Exhibit 6.3.)
Exhibit 6.3: Time System Codes: Audit Type Codes and Task Codes
f. Task Codes
Task codes should be used to detail the specific work performed. A listing of these codes follows. (See
Exhibit 6.3.) Consult your supervisor or the job budget in the planning memo for the proper task code.
g. Hours
Only total hours for the semimonthly period need to be recorded in the "hours" column. The daily hours are
accumulated on the right side of the sheet. Hours should be reported to the half hour.
h. Productive Time
Record the time applicable to the job. This record includes time spent working at the job site, in the office,
at night, in a motel, or at home. Think of reporting time as though you were going to bill your time to the
auditee. Remember, future projects will be understated if actual time spent on an audit is not recorded and
remains hidden. Record travel as work time only between the normal work hours of 8:00 A.M. and 5:00 P.M.,
or normal hours applicable to your organization. This travel time should be charged to the normal job number,
audit code, and task 24.
i. Nonproductive Time
Record travel time outside normal working hours of 8:00 A.M. to 5:00 P.M., Monday through Friday or after
a 40-hour week of flexible hours has been worked. An example is to assume you left the job at 4:00 P.M. after
you have spent seven hours on the audit at the job site. One hour should be recorded as productive time and
the remainder of the time spent traveling should be recorded as nonproductive.
Travel time is defined as the time required to commute to the airport, from departure airport to destination
airport, and the commute from destination airport to office, home, or motel. If you are traveling by
automobile, it is that time you leave the home, office, job site, etc., until you arrive at your destination. Travel
during non-work hours should be charged to the job number, audit code 99, and task 25.
Other nonproductive time—including vacation, holidays, sick leave, personal leave, training, and
seminars—has specific task codes that are self-explanatory. Time charged to the administrative category must
be explained on the back of the time report to avoid making it a catch-all task code. All nonproductive charges
go to job number 000, audit code 99, with the appropriate task.
"Administrative" is defined as work that is beneficial to all jobs, not just one. If an auditor is writing the report
for job number 01-010 in the office, it would be chargeable to job number 01-010. But, if the same person
were writing a policy statement that applies to office procedure and would affect the conduct of all jobs, then
the hours would be charged to administrative. One would normally expect very little staff time charged to the
administrative category. As a general rule, all staff time should be charged to a job. However, time spent
filling out time reports, expense reports, etc., should be considered administrative.
j. Summarizing Time
Each individual's time is entered into a time reporting application after it has been approved. Once all time
sheets are input, the data is compiled into various reports by the application. The following reports should be
considered:
a. Travel Expenses
General guidelines for travel arrangements and travel expenses:
• Airfare. Flight arrangements should be made through the travel department in accordance with
corporate policy.
• Lodging. Lodging arrangements are to be made through the travel department, but are first to be
This list serves as only a general guideline, and exceptions will occur; you will be asked, however, to explain
deviations. When in doubt, general company guidelines apply. Before leaving on a trip, any expected
exceptions must be discussed at the manager or director level.
Endnotes
2. C.T. Grant, C.M. Depree Jr., and G.H. Grant, "Earnings Management and the Abuse of Materiality,"
Journal of Accountancy , September 2000, pp. 41–43.
3. See Section 3.6 for more on IS audits. Some of the material in this section is from the following book:
James A. Hall, Information Systems Auditing and Assurance, South-Western College Publishing, 2000.
4. This term refers to the approach where the auditor audits through the computer system rather than around it
(i.e., black box).
5. James A. Hall, Information Systems Auditing and Assurance, South-Western College Publishing, 2000.
6. More than passwords, because secured access for e-commerce is usually multi-faceted. For example, a
firewall, intrusion detection system, and passwords combined for access control(s).
9. Digital signatures, digital certificates, call-back modems, multi-faceted access methods (e.g., a password
and a PIN generated via pager; an access ID and password, and another ID and password for access to
applications or data).
The audit process begins with the notification of the auditee and concludes with the performance evaluation of
each staff member on the project. The corporate audit performance matrix (Exhibit 7.1) summarizes the
activities contained within our sample audit process. This sample process places a heavy emphasis on
organization and implementation of all authorized department procedures. It is a structured program with a
great deal of attention to planning. The importance of structuring the audit process and following documented
department procedures cannot be overemphasized. It is through strict adherence to procedures performed by
competent staff that good audit reports will result.
Exhibit 7.1 (contents by column, as extracted; column headings did not survive and the last column is cut off at the right):
• Calendar of audit checkpoints, period start date, end date, request response
• Audit entity or location, audit objectives, audit timing, budget hours detailed by area, significant audit areas/audit approach, staffing
• Audit objective, audit scope, timing
• Outline of significant developments, problems, need to alter objective or scope, high-level budget/actual hours comparison
• Findings, audit documentation, status and disposition
• Calendar of checkpoints; distribution of copies
• ID of a transm…, audit highlig…, audited scope, auditor conclu…, detaile… comme…, recom… (for m… only)
The example included in this manual requires the audit team to formally notify the auditee and develop a
detailed audit plan and budget. The purpose of the detailed plan is to ensure that the objectives of the audit are
the most appropriate for the circumstances. Given the limitation of time for each audit, the scope and
objectives should be seriously considered not only by field staff auditors, but also by the audit management.
This process is institutionalized through the development of a proper audit planning document.
The budget will help guide the staff to put their time into the proper areas. It will also assist audit management
in explaining why audits have taken more or less time than originally planned. Budgets also help refine the
long-term planning process and provide improved credibility for the audit function. One must always keep in
mind that it is very difficult to measure audit productivity. With budgets in place, some of the management
and auditee doubts are mitigated.
One of the first steps in the audit performance process is to initiate an assignment checklist (see Exhibit 7.2).
The checklist is used as an overall control form and should be the first paper seen on the top of a workpaper
binder set. This checklist is a guide to ensure that all critical elements of the audit performance process are
completed.
Exhibit 7.2: Sam Pole Company Corporate Audit Department Assignment Checklist
Company: ______________________________________________________
Location: ______________________________________________________
Assignment: ____________________________________________________
Date: __________________________________________________________
Date
1. Notice to Auditee ___/___/___
3. Field Work
• Preaudit Conference ___/___/___
• Begun ___/___/___
• Status Memo ___/___/___
• Completed ___/___/___
4. Closing Conference ___/___/___
5. Senior Finalization of workpapers ___/___/___
6. Manager review (two days before outside deadlines) ___/___/___
In order to maintain control over all audit assignments, a log is kept by the department administrator. The log
consists of a column to the left indicating the year and audit number. These are followed by columns to the
right indicating the status of the audit and the beginning of the report initiation and completion process.
Some audit departments do not notify auditees, because an auditee who is given notice can improve or address
areas that may come under audit procedures. If the notice of audit provides the impetus for the auditee
department to improve, that result accomplishes the spirit of the audit mission. What follows in Exhibit 7.3 is a
sample notice to the auditee. The manual should contain a sample so that there is consistency within the audit
function and between all audits.
A full financial audit will be conducted, including the evaluation of internal controls and tests of transactions
supporting related account balances as well as verification of physical inventory valuations and circulation of
customer accounts receivable balances.
Please contact me if you have any questions related to our visit or if you have areas of concern that you may
wish to have reviewed.
Newley A. Pointed
Audit Manager
c. Preliminary Survey
i. Purpose
• Gain a basic understanding of the entity to be audited, especially related to risk assessment
• Begin the planning process
These purposes relate to Generally Accepted Auditing Standards and IIA Standards. The following standards
apply to the practical aspects of the audit planning process including: adequate skills, competencies, and
knowledge; adequate resources; the underlying role of risk assessment; and the nature of the work.
• Attribute Standard No. 1210 (Proficiency). Internal auditors should possess the knowledge, skills,
and other competencies needed to perform their individual responsibilities. The internal audit activity
collectively should possess or obtain the knowledge, skills, and other competencies needed to perform
its responsibilities.
• Attribute Standard No. 1210.A1. The chief audit executive should obtain competent advice and
assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to
perform all or part of the engagement.
• Performance Standard No. 2010 (Planning). The chief audit executive should establish risk-based
plans to determine the priorities of the internal audit activity, consistent with the organization's goals.
(Note: Subsection A1 further states that a "risk assessment should be undertaken at least annually.")
• Performance Standard No. 2030 (Resource Management). The chief audit executive should ensure
that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the
approved plan.
• Performance Standard No. 2100 (Nature of Work). The internal audit activity evaluates and
contributes to the improvement of risk management, control and governance systems.
Auditors should obtain background information about the activities to be audited. This process is
accomplished by performing, as appropriate, an on-site survey to become familiar with risks, and activities
and controls to be audited; to identify areas for audit emphasis; and to invite comments and suggestions. To
perform an audit in accordance with Generally Accepted Auditing Standards and IIA's Standards, a properly
conducted preliminary survey is required.
The comprehensiveness of the survey depends on the scope of audit. For example, if the audit is limited in
scope, then the survey will be limited. A memo should be prepared discussing:
Write a memo documenting the preliminary meeting with management. The following information should be
included in the memo:
After a memo is prepared documenting the preliminary meeting with management, the fieldwork portion of
the survey is ready to begin.
♦ Process flow
♦ Principal customers
♦ Principal supplies
♦ Current trends
The understanding should be documented in memorandum form. The purpose is to provide the reader with an
overall understanding of the entity as it relates to Sam Pole Company.
• Perform a cursory review of the accounting system by obtaining and preparing the appropriate
documents and memoranda:
• Where is it done?
• When is it done?
• How is it monitored?
• How much does it cost?
Prepare a schedule of all significant books of original entry and, for computer systems, of master files and
transaction registers.
Overview systems flowcharts may be prepared for any of the accounting systems if they enhance the
understanding.
• In connection with the review of the accounting system, the following documents should be
identified, if available:
◊ Inadequate controls
◊ Inadequate planning and organizing
◊ Inadequate directing and controlling
Perhaps the easiest and most expedient means to detect common risks is a cursory internal
control review using standard internal control questionnaires. These questionnaires will
contain questions that point out unique risks for each system under review. An analysis of
answers to the forms will aid the auditor in determining: (1) if the nature of the weakness is
confined to a single system, and (2) if the nature of the weakness is pervasive throughout the
entire organization.
For example, if auditors note a lack of segregation of duties of cash, they should determine
whether it is unique to cash or pervasive throughout the whole system of internal control. If
the weaknesses are pervasive throughout the whole system, then the problem would be one of
inadequate planning and organizing. If the weaknesses are confined only to cash, then the
problem would be one of inadequate directing and controlling.
d. Planning Memo
i. Purpose
The planning memo outlines the manner in which the department audit plan is to be implemented for a
specific audit, special assignment, or other activity. Planning represents an extremely important aspect of
auditing and is required by the IIA and the American Institute of Certified Public Accountants' (AICPA)
Statement on Auditing Standards of Field Work No. 1.
Before each assignment, a planning memo is required to establish coordination between internal audit staff
and management. This document will ensure that the objectives and scheduling of the audit are being
communicated and understood by all involved. Properly implemented, it ensures that the more experienced
auditors (management) consider scope and procedures prior to implementation.
ii. Objective
The planning memo serves several purposes; namely, to document audit objectives, auditee background
information, and financial highlights; to describe significant audit procedures, budgeted hours, engagement
timing and personnel assigned.
iii. Procedure
Planning memos are to be typed on interoffice stationery and addressed to the Director of Auditing. A copy is
also included in the workpapers.
The planning memo should be completed far enough in advance of an assignment for manager review and
approval. Prior to preparing the memo, the senior auditor, if circumstances warrant, may have to visit the audit
site to conduct a preliminary survey to obtain sufficient information to complete the planning memo. Only in
unusual circumstances will the planning memo be accepted after the audit has been started. If after the audit
begins, conditions change affecting the initial planning memo, an addendum should be written and forwarded
to the manager. The addendum should explain and document the reason for the changes, even if previous
approval has been obtained.
iv. Format
The format designed to be used consistently for a planning memo is shown in Exhibit 7.4. A brief explanation
for each section follows:
• Introduction—The first brief paragraph outlines what was stated in the "Notice to Auditee" (see
"Corporate Audit Performance Process Matrix"). It should contain the name and location of the entity
to be audited, scheduled dates to begin and complete field work, a brief description of the type of
audit, and the audit date(s).
• Objective—The deliverable product of an assignment requires a conclusion that will provide
management with either assurances or reasons for action concerning, for example, account balances,
internal controls, various functions or operational procedures, etc. Prior to the audit, we must plan for
the objective to direct our efforts toward that end result. Establishing objectives encourages an orderly
work process and concentration of the audit effort toward a predefined goal. Consideration should be
directed toward potential high-risk and material areas.
• Scope—Once the objective is documented, the planning memo then logically leads into the scope
section. If the objective is to state an opinion on the adequacy of a certain system, then the scope will
explain compliance, and the substantive testing necessary to arrive at an opinion. Areas of emphasis
should be defined along with significant audit steps and procedures.
• Background—Background information is necessary in order to give the reader a description of the
entity or area to be audited. It does not need to be long or detailed, but should contain the entity name,
location, and procedures or description of operations. Facts that are unusual or pertinent should be
identified. Examples include situations where the controller is new, the location is known to have had
internal control problems in the past, sales have fallen off heavily, or operating costs have increased
substantially.
• Financial Highlights—The financial highlights section includes a summary of major account
balances. Accounts outlined in the objective section are also included in order to bring these accounts
to the attention of the reader. Comparative figures for two corresponding periods should be included.
• Significant Audit Areas/Audit Approach—This section identifies and outlines the more significant
areas mentioned in the scope section. It also states the audit approach to be used in these areas. This
method will assist all parties in understanding the areas of concern and how these areas are to be
audited.
• Staff and Timing—This section lists the staff assigned to the audit, their job level, and the dates
assigned to the audit. Planning in this area is necessary to ensure that the fieldwork will be completed
within the audit budget.
• Budget—The audit budget is a compromise between what audit management would like to
accomplish and that for which it can effectively allow time in meeting the overall department
objectives. Normally, total hours will be estimated in a three-year plan. An appraisal is made of the
objective and scope of work to be performed and the number of hours to complete each area of the
assignments. The hours for each area should agree with total budgeted hours.
Objective
The interim audit will be conducted to determine the adequacy of internal accounting controls (through a
review of accounting systems and a test of transactions) as a basis for the formulation of year-end balances.
A year-end review will also be conducted to determine the validity of accounting data that will be included in
your company's consolidated general ledger trial balance as of December 31, 200x.
Scope—Interim
The audit will include the documentation, review, and detail compliance testing of existing key internal
accounting controls in significant financial areas as of September 30, 200x, trial balance.
Emphasis will be on inventory, sales billing, accounts payable, and payroll. A variation analysis will be
performed of all accounts with significant changes in comparison with the 200x year-end balance. A review of
the August 31, 200x, physical inventory compilation and a follow-up of previous audit comments will also be
conducted.
Background
Sam Pole's Best Ozone Paint—located in Anytown, AZ, USA—is a key location for the company's ozone
paint manufacturing. It joined the company in 200x and experienced several startup problems.
Financial Highlights For the six months ended June 30 ($000's omitted)
Inventory—Inventory is considered to be the most significant area at Sam Pole's Best Ozone Paint
manufacturing facility. Our audit procedures will include observation of the physical inventory, testing of the
system of internal controls, testing of the inventory compilation, review, and testing of the roll forward from
the physical to September 30, 200x.
Payables—Payables are significant because of the amount of volume and its interrelationship with inventory.
Our procedures will include flowcharting and testing of the system, testing of cutoff, vouching of selected
account, reviewing and preparing reconciliations of vendor statements and examining subsequent payments.
Other Balance Sheet Accounts—Our approach to auditing these accounts will be to perform an analytical
review to compare current-year balances to prior-year and accounting for all significant changes. Substantive
audit procedures will be used on all material balances.
Other Areas
Other areas that will be given emphasis in the current audit include:
The audit will be conducted by both the Internal Audit Manager and J. Smith, a new audit senior. Field work
will begin on October 26 and will last for two weeks.
Planning 6
Supervision 2
General 4
Meetings, tours, etc. 4
Analytical review 4
Flowcharting and review of systems controls:
• Inventory ledger 12
• Purchasing/Accounts Payable 8
• Payroll 8
• Sales/Billing 8
Cycle Tests 10
Trial Balance 3
Cash 2
Accounts Receivable 4
Inventory 20
Fixed Assets 6
Other Assets 3
Accounts Payable 6
Accruals 4
Income and Expense 6
Internal Control:
• Questionnaire Review 4
Travel 4
Finalization of W/P 8
Report 16
TOTAL: 152
A formal status report is not usually required for a short period assignment. However, an informal report can
be phoned into the manager, describing significant findings, the status of the work completed, the estimate of
time of completion, and other situations affecting the audit.
Communication keeps the manager aware of current situations and assists in the decision making on that
assignment as well as scheduling other audits. It also provides documentation, as required in our corporate
audit performance process, in our project control file.
and one of the principal bases on which audit performance will be judged. Each auditor must assume
individual responsibility for improving proficiency in this respect.
A. Basic Criteria
Some basic criteria for effective writing that should be observed in the preparation of audit
recommendations are:
1. Accuracy. Recommendations in audit reports must be verified thoroughly so that there are no
factual errors. The auditor should be careful not to use data that could be misleading.
2. Objectivity. Include all significant, relevant information, even if it indicates disagreement
with the auditor's position. Do not rely on inferences and implications. Adequate background
information should be provided so that the reader can grasp the significance of the situation
being reported.
3. Readability. In preparing an audit recommendation, the auditor should be continuously
conscious of how it will be perceived by the reader. Avoid disagreeable or inflammatory tone,
sarcasm, ridicule, or oratory. Try to foresee the reader's reactions to certain words or phrases.
Be tactful. The use of correct grammar and proper punctuation is an imperative for
well-written recommendations.
4. Clarity. To the extent possible, clarity should be interpreted as requiring that every statement
can not only be understood, but that it cannot reasonably be misunderstood.
B. General Characteristics
1. Evaluate the significance of what you are reporting.
2. Write in simple, non-technical, clear language.
3. If you refer to a form number, state its name or subject somewhere in the report.
4. If you use abbreviations, spell out their meaning when they first appear.
5. Reasonable logic is important.
6. Be concise. Avoid wordiness and inclusion of extraneous matter.
7. Do not be evasive. If you have something to say and can support it, then say it.
8. Write constructively. Stress the need for improvements in the future rather than focusing on
deficiencies in the past.
11. Clearly identify opinions, especially if they concern significant matters.
12. Do not generalize by simply saying that a practice "weakens controls." Specify how it
weakens controls.
C. Development Process
The following steps should be followed in order to provide for systematic development of a
recommendation after an exception is revealed:
5. If, in the auditor's opinion, the effect is significant, the auditor should proceed with the
development of the recommendation.
6. The auditor must seek to find out, through expanded testing and gathering of data, what
caused the problem or situation. Frequently, this step is the most difficult one in the
development of an audit recommendation. However, without it, you have an incomplete
recommendation and can offer management only a correction of the existing problem. You
cannot provide a statement of action that will give assurance that a situation will not recur.
If the actual cause of the problem cannot be disclosed through expanded testing and gathering of data, the
auditor should discuss the situation with responsible management. In this discussion, the auditor should seek
to obtain a response as to what would improve the condition or situation. Based on the outcome of this
discussion with the auditee, the auditor will be guided as to the statement of action that should be made for
correcting the condition. If an actual cause of the condition is revealed, the statement of action should be
directed at the correction of the cause. A discussion with the responsible management as to the problem, the
criteria, the effect, and the cause should be held to obtain their comments in order to further substantiate the
accuracy of the developed recommendation.
1. Statement of Condition. In this section, the auditor should state the circumstances surrounding
the recommendation. In a logical sequence, present the facts and specific illustrations
describing the condition. Each statement of condition must contain sufficient qualitative and
quantitative information to fully support the conclusions or main point. The statement of
condition should be brief, but not to the point where completeness is sacrificed.
2. Criteria. The criteria represent the standards against which the auditor is measuring a
questionable condition or practice. The criteria applied may vary; however, the auditor should
concentrate on the criteria that are important to the objective of the audit. Some examples of
criteria are:
g. Common sense
Published criteria may be directly quoted, summarized, or paraphrased. If criteria are not
already set forth in writing, the auditor may have to obtain information that will serve as
evidence of criteria. If common-sense subjective judgment is to be used as a criterion, it
should be both logical and convincing to the reader.
3. Effect. Effect is the actual or potential adverse impact, which has resulted or can result from
the condition being questioned, in dollars or other terms. Some examples of effect are:
apparent lack of concern means that the recommendation is not very important. If the
effect is not significant, the recommendation should not be included in the report.
Caution should be exercised not to create an issue larger than facts actually warrant.
4. Cause. The cause is the underlying reason why questionable behavior or condition occurs.
This sensitive, and usually highly judgmental, area requires the most penetrating efforts and
insights of the auditor. As a minimum effort, the auditor should have explored the situation
thoroughly enough to be able to generate what is termed a "first-level statement of action."
That is, one that is sufficiently detailed or specific enough to enable the recipient of the
recommendation to correct the conditions. It is necessary to get as close to the real cause of
the problem as possible, or at least to one or more causes that will put the recommendation in
perspective; make the recommendation convincing and lead to a sensitive, specific statement
of corrective action. Simply stating that the problem or adverse condition exists because
someone did not comply with company policy is not very meaningful. Also, this approach
usually confines the auditor to the rather superficial statement of action to "comply with
company policy." Some examples of cause are:
a. Lack of training
b. Lack of communications
c. Unfamiliarity with requirements
d. Negligence or carelessness
f. The expression "for consideration" should not be used in presenting statements of
action. Since the Audit Department is a staff function and its service advisory, all
statements of action are "for consideration."
g. Material, thoughts, or information that were not developed in the body of the
recommendation should not be introduced in the statement of action. The statement
of action should follow logically from what is presented in the recommendation.
i. Recommendation Worksheet
A form should be created for the purpose of writing up the recommendations as they are initially discovered
(see Exhibit 7.5 for an example of a worksheet format). A copy should then be given to the auditee. There are
many good reasons for following this procedure.
Recommendation No. ______
Workpaper Ref. ______
Auditee ______
Audit Date ______
Statement of Condition: (What is) _________________________________
Provide a copy of this completed form to auditee ASAP/Use form for the Closing Conference.
1. If recommendations are neat and well written at the time of discovery and copies given to the auditee,
valuable research and input can be obtained before the closing conference. This makes the closing
conference more productive as both sides are knowledgeable on the subject. Generally, the auditee is
blindsided at the closing conference if recommendations have not been previously presented.
2. The procedure lends itself to better written, more factual audit recommendations because the material
is fresh on the auditor's mind—preferable to writing the recommendation later in time (i.e., at the end
of the audit). Strengths and weaknesses can be reconciled to improve the quality of the
recommendations.
3. Why take many recommendations to the closing conference when a "climate for change" can be
initiated during the course of the audit? Too many recommendations presented at one time tend to
make the auditee nervous and worried about how the report is going to look to others. Tentative
recommendations should be provided to the auditee periodically, once a week, and not on a daily
basis.
4. If the recommendation has been resolved by the auditee during the audit, it is much more agreeable to
the auditee if only mention is made summarizing items corrected during the audit.
5. The interim communication also gives the auditor a written workpaper document to use in discussing
recommendations at the closing conference.
6. Once written recommendations are resolved to the degree possible, corrections should be made and
submitted for typing the final report.
The form is designed to be as functional as possible, but it is limited in space to encourage factual, precise
write-up of recommendations.
Subject—Identify the subject area where the exception occurred as payroll, accounts payable. For example:
Corporate Audit Job Numbers will be standardized and assigned by the audit division offices. The Corporate
Audit Recommendation Number is the sequenced number of the recommendation developed as the audit work
progresses. The Corporate Audit Recommendation Number is to be used as a control point.
must be written on that basis, the facts follow the attributes of a recommendation:
A. Statement of condition (what is)
B. Criteria (what it should be)
C. Effect (so what?)
D. Cause (reason for deviation)
Present Status—A space provided for comments by the auditee to elaborate on original intentions or reaction
to the audit recommendation. It may only be necessary to check one of the preprinted comments such as
"Recommendation Implemented During Audit."
interested parties.
7.2 Workpapers
Workpapers serve mainly to aid the auditor in conducting work and provide important support for the
auditor's opinion. Such language as "Workpapers are a record ... of tests and procedures," "Workpapers,
accordingly, may include work programs, analysis memoranda, letters of representation, confirmations,
abstracts of company documents, schedules, and commentaries prepared by the auditor," further attempt to
describe workpapers and some of their contents. Other comments, such as "Workpapers should fit the
circumstances and the auditor's needs on the engagement to which they apply," are from Statement of
Auditing Standards (SAS) No. 1, Section 338. Although SASs are written for public accountants, these
comments are also applicable to internal auditors. For external auditors to rely on our workpapers, internal
auditors must produce documents of the same quality. It is imperative that standards of compliance be
established to help ensure quality workpapers.
Before preparation, give consideration to the objectives for creating your workpapers. Only information
supporting your objectives should be included. Envision how the workpaper will look after it is completed.
Does it appear logically organized, relevant, and neat—without half erasures, with figures and comments not
crowded together? Is it complete—without loose ends that need to be addressed?
A second thought, and one that should be seriously considered, is that the IRS can and has subpoenaed
internal auditors' workpapers into court. The question is, would you be embarrassed if your workpaper was
made a document of the court? What if the court made an enlargement of your workpaper and it was
displayed on a screen for all to see?
• Control
• Retention
• Headings
• Permanent files: contents and format
• Current files: contents and format
• General organization
• Detailed workpaper section organization
• Indexing and cross referencing
• Referencing
• Standard tick marks
a. Control
For Corporate Audit purposes, workpapers are confidential documents used to support our conclusions. In
order to maintain our independence and protect confidentiality, audit bags containing workpapers must be
locked if left overnight at the auditee's office.
During working hours, workpapers should be retained in a controlled, orderly fashion. That is, they should not
be left lying around the work area or left out in the auditee's office where they can be seen, handled, or
misplaced by the auditee employees.
In the office, workpapers should be filed in secured cabinets. During work hours, care should be exercised
ensuring that visitors do not inadvertently observe confidential information lying on desks. Prior to leaving
b. Retention
The retention period for both workpapers and reports is five years. If an exception arises in which the
retention period is to be extended beyond this period, a notation indicating the destruction date should be
boldly printed on the outside cover of the workpaper binder or on the face of the report.
c. Headings
In order to standardize Corporate Audit workpaper headings, the following information should be used for all
workpapers:
Workpaper index (red pencil only): Bottom-Right (area provided)
WORKPAPER "DOS" AND "DON'TS"
Do
1. While the audit is in progress, prepare a to-do list of points that have not been resolved.
2. Resolve points with auditee at one time during the day.
3. For those workpapers kept by hand, be neat, write legibly, use a medium-hard lead pencil, keep
figures in proper columns. For workpapers on computer, develop a professional look with consistent
formatting.
4. If done by hand, use a ruler; single line for subtotals, double line for totals. If done by computer, use
the same guideline.
5. Avoid crowding on a single page.
6. Be accurate; be sure amounts are accurate and footings are correct. If using a computer, double-check
all formulas. It is recommended that the auditor print out the worksheet formulas and audit them
before relying upon them.
7. Head every workpaper (see headings above).
8. Identify the source of information on each workpaper, reference books or original entry, voucher
numbers, conversations with employees, and so forth. Distinguish between fact and opinion.
9. If a workpaper is "prepared by auditee," indicate so with "PBA" on the workpaper. Indicate the name
of employee performing the task.
10. Initial and date each workpaper (printed version if using a computer).
11. Indicate analysis that requires more than one workpaper by: 1 of 5, 2 of 5, etc.
12. Adequately explain all tick marks other than the standard tick marks. Summarize explanations at the
bottom of each workpaper by using a legend.
13. Use proper grammar.
14. When referring to auditee employees, spell their names and titles completely and correctly.
15. Indicate clearly the extent of tests made.
16. Write your opinions and conclusions, using care to differentiate among facts, opinions, and
explanation.
17. If memoranda are done by hand: All memoranda should be prepared on memo pad paper. Skip every
other line and write only to the right-hand margin line. If memoranda are done by computer, set
formatting according to this guideline.
20. Verify that the final figures on each workpaper agree with the lead sheets, working trial balance, and
cross-reference thereto.
21. Reference and cross-reference to other workpaper and interim recommendation worksheets.
22. Leave enough space on each workpaper to clearly identify adjusting entries and comments. If using a
spreadsheet, avoid using "comments" for substantive remarks; rather, add a column for remarks on the
worksheet.
23. Use legal size paper; set electronic document margins to the equivalent size.
24. Use red pencil; use red fonts if the workpaper is in electronic form.
Don't
7. followed.
Do not make workpapers available to anyone without prior approval from the manager.
Permanent files should be economical in content. They should not be cluttered with documents that cannot
effectively help or provide information for future audits. Exhibit 7.6 outlines the format of the permanent file.
This outline will also act as the index for the file. For example, consider A-Corporate Audit
Reports/Responses. The first report entered into the permanent folder will be indexed in A-1, the second in
A-2, and so on. Each document entered into the permanent file must include the date and initials of the
auditor. Revisions or modifications must also be initialed and dated. Use red pencil for this purpose.
The criterion for determining whether information should be included either in the permanent file or the
current file is the useful life of the information. Place information into the permanent file if the usefulness of
the information is longer than two years. The majority of information obtained during an audit usually applies
to the current year and will only be used for comparison and guidance in the subsequent year. Accordingly,
such expected useful life would be less than two years and is filed in the current file.
f. General Organization
Use the printed workpaper binder cover and back furnished by the department. Note that certain information
is to be completed on the cover of the binder: company identification, contents of the binder, the names of
auditors who worked on sections included in the binder, review signatures, and the name of the audit office
producing the file.
Acco fasteners have 2 3/4-inch centers with 2-inch capacity. If files exceed two inches, Acco fasteners of
greater capacity can be obtained.
All workpapers are to be 8 1/2 inches by 14 inches—legal size paper. If auditee documents are less than legal
size, attach the document to heavy-grade legal size paper and then file it. Do not waste memo or 17-column
paper for this purpose.
Create dividers by using heavy-grade paper and attaching a tab at the bottom of the sheet. A second method is
to use 14-column paper as a wraparound for the individual section. The section name and indexing letter
should be indicated in red at the bottom right-hand corner after the 14-column paper is folded in half.
SA-1 Flowchart (manual/IS)
SA-2 Narrative description
SA-3 List of key reports (official report title and informal user name)
SA-4 Internal control questionnaire
SA-5 Summary of major strengths and weaknesses
SA-6 Audit approach memo
SA-7 Other systems information as needed
The compliance and substantive work for each account will be organized in the following sequence in a
separate current file:
A/C Overall scope and conclusion
A/P Audit program
A Lead sheets
A-1 to A-nn Account detail (substantive testing), cycle testing (compliance testing), comments for future audits
and confirmation forms: detailed audit work supporting lead sheet balances
Note The audit procedures performed and workpapers generated should be organized in a manner
deemed to be logical and expedient in the senior's judgment.
• SA-1, Flowcharting. Include both the manual and data-processing flow of documents as you
flowchart the system. Graphically depict the inputs, processing, and outputs of each system.
• SA-2, Narrative system description. Narratives may be used to describe a system on a step-by-step
basis. The narrative system description can supplement flowcharts or stand alone if it best fits the
system.
• SA-3, Key reports listing. The key report listing should list important reports by their official title and
also by informal names used by the auditee. This listing will greatly assist the following year's audit.
• SA-4, Internal control evaluation guide. The internal control evaluation guide should be developed
to include only questions applicable to the section involved. "A," the cash section, should include the
internal control questionnaire evaluation guides only for cash.
• SA-5, Summary of major strengths and weaknesses. Once the flowchart and internal control
questionnaire have been prepared, a summary of the system's major strengths and weaknesses should
be prepared. This summary will aid in the development of the audit approach.
• SA-6, Audit approach memo. Based on the above procedures, the auditor should have a good idea of
the strengths and weaknesses of the system. The logic behind the selected audit procedures should be
written up in a memorandum and included in this section.
• A/C, Overall scope and conclusion. This workpaper will be the last item completed in the section, but
it is the first in the organization sequence. Identify the work involved to support your
conclusion—procedures such as sample size, extent of testing, and compliance with audit program. In
the conclusion section, state your opinion based on the testing performed in the scope. Make
references and cross-references to adjustments and recommendations or comments that were the result
of your work.
• A/P, Audit programs. Audit programs should include all the steps necessary to test the system and
reach a logical conclusion. Such tests will include substantive tests of account balances and
compliance tests of the system.
• A, Lead sheets. The auditor should give advance thought to the preparation of lead sheets. Minimum
information includes a comparative schedule showing account balances at the prior year audit date
and the book balance for the current audit date. Also, columns are prepared for adjustments and final
balances. These schedules should reference the working trial balance.
• A-1 to A-NN, Account detail (substantive testing). The evidential matter is obtained through two
general classes of auditing procedures: (1) tests of details of transactions and balances and (2)
analytical reviews of significant ratios and trends, and the investigation of unusual fluctuations and
questionable items.
• A-100 to A-NNN, Cycle testing (compliance testing). The purpose for tests of compliance is to
provide reasonable assurance that accounting control procedures are being applied as prescribed.
An index has been assigned to each major account classification. Single alpha letters are used for asset section
designations. Double alpha letters are used for liabilities or capital accounts. Numbers are used to indicate
accounts in the income statement. These sections will be preceded by "PL" before the number indicated later
in the index sample.
The first section of the indexing system is referred to as the administrative section. The index to reference this
section is "AD."
The workpaper sections will include subaccounts under the major account classification. For example, cash,
the major account, also includes subaccounts of Cash in Bank, Cash on Hand, and so on. The lead sheet
(indexed "A") for this section should show the applicable subaccount balances for the current period and the
prior period. These columns should be footed to show the total balance in the major account. The analysis of
the subaccounts should be documented on supporting schedules (i.e., A-1—Analysis of Cash in Bank,
A-2—Analysis of Cash on Hand, etc.).
Occasionally, a section within a file binder may become too large to control effectively. In that instance, the
section may be extended into another binder. The indexing for the extended file binder becomes X. For
example, if section CC Accounts Payable becomes too large, part of the file can be stored in another file
binder indexed CCX. Appropriate referencing should be indicated in the working papers.
Three separate sections have been included for the work performed on confirmations, inventory observation,
and inventory compilation. The section for confirmations is to be used when the number of confirmations sent
is too large to be practically included in the applicable account classification. The other two sections are to be
used when a physical inventory observation and a review of the inventory compilation are included within the
scope of the audit. Be sure to appropriately reference these sections in the working papers.
Index Description
Administrative
AD1 Copy of the audit report
AD2 Assignment checklist
AD3 Copy of financial statements
AD4 Summary memo—in-charge
AD5 Manager comments—interpretive comments, major problems and their solutions
AD6 Working trial balances
AD7 Adjusting journal entries
AD8 Analytical review and interim financial statements
AD9 Audit planning memo
AD10 Time budget
AD11 Interim audit recommendations and comments summary (AUD form 1)
AD12 Prior audit reports and follow-up
AD13 Other correspondence
AD14 As needed
Assets
A Cash
B Securities and other negotiable assets
C Sales, shipping, and trade receivables
D Inter-company receivables
E (Used for other accounts)
F Inventory
G Prepaid expenses and other assets
H (Used for other accounts)
I (Used for other accounts)
M Other tangible assets
When referencing on the same page, either a circled number or a circled capital letter should be used. A
circled number is used when referencing a number to a number. A circled capital letter is used when
referencing a number (or any other section or symbol on the workpaper) to a note. All referencing should be
done in red pencil (or font if electronic).
The most common type of audit for which auditors are responsible is the financial audit. Broadly described,
the overall objective of a financial audit is to assure that the financial statements are fairly stated, that they are
in conformity with Generally Accepted Accounting Principles (GAAP), and that the accounting principles that
were applied are consistent from year to year. In order to satisfy this overall objective, it is necessary to satisfy
specific objectives that apply to the various accounts that comprise the financial statements. The following is a
listing of objectives that apply to the various audit areas (accounts) that normally are included in a financial
audit. This listing is not all-inclusive, and all of the objectives may not apply in every circumstance. They
should be used as a guide and should be included, excluded, and/or modified as dictated by the audit
situations encountered. The list provides examples of assessing the five major management assertions in
financial statements: existence or occurrence, rights and obligations, presentation and disclosure, valuation or
allocation, and completeness.
Cash
• Cash recorded properly represents cash and cash items on hand, in transit, or in banks.
• Adequate disclosure is made of restricted or committed funds and of cash not subject to immediate
withdrawal.
• All receipts are properly identified, deposited, and recorded.
• There is a proper accounting for all inter-company and inter-bank transfers.
• All bank accounts and cash on hand are subject to effective custodial accountability procedures and
physical safeguards.
Receivables
• Periodic physical inventories, or cycle counts, are taken and are valued in accordance with company
policies that are in accordance with GAAP.
• The quantities properly represent products, materials, and supplies on hand, in transit, in storage, or
on consignment that belong to the company.
• All receipts, transfers, and withdrawals of stock are properly and accurately recorded.
• All production activity and costs are properly and accurately reported and maintained in up-to-date
cost records.
• The items are priced in accordance with GAAP, consistently applied, at the lower of cost or market.
• Excess, slow-moving, obsolete, and defective items are reduced to net realizable values.
• Adequate provision for losses on purchase or sales commitments exists.
• The ending inventories are determined as to the quantities, prices, computations, excess stocks, and so on,
on a basis consistent with the inventories at the end of the preceding year.
• The physical evidence of the ownership of investments is on hand or held in custody or safekeeping
by others for account of the company.
• The basis on which the investments are stated conforms to GAAP and is consistently applied.
• All purchases or sales are initiated by authorized individuals and are properly approved.
• Income from investments is accounted for properly.
Fixed Assets
• The additions during the period under audit are proper capital charges and represent actual physical
property installed or constructed.
• Adequate cost records are maintained for all in-progress and completed projects.
• Physical inventories of recorded productive assets are taken at periodic intervals.
• Depreciation charged to income during the period is adequate but not excessive, and has been
computed on an acceptable basis consistent with that used in prior periods.
• The balance in accumulated depreciation accounts is reasonable, considering the expected useful lives
of the property units and possible net salvage values.
Other Assets
• Recorded prepaid and deferred expenses represent proper charges against future operations.
• The additions during the audit period are proper charges to those accounts and represent actual cost.
• Amortization or write-offs against revenues in the current period, and to date, are reasonable under
the circumstances, and have been computed on an acceptable basis consistent with prior periods.
• All costs are properly recorded and classified as expense, inventory, fixed assets, and other assets.
• All purchase requisitions are initiated and approved by authorized individuals.
• All material and services received agree with original purchase orders.
• All invoices processed for payment represent goods and services received and are accurate as to
terms, quantities, prices, extensions, and account distributions.
• All checks are prepared on the basis of adequate and approved documentation and are compared with
supporting data.
• All checks are properly approved, signed, and mailed.
• All disbursements are properly recorded.
• All accrued expenses relate to goods and services received as of the end of the fiscal period.
• The capital stock and surplus accounts are properly classified, described, and stated in accordance
with GAAP, and are not in conflict with the requirements of the corporate charter (or articles of
incorporation) or with the applicable statutes of the state of incorporation.
• Transactions in the capital stock and surplus accounts during the audit period are properly authorized
or approved where necessary, and are recorded in accordance with GAAP.
• Reported revenues, costs, and expenses are properly applicable to the accounting period under
examination.
• Reported revenues and applicable costs are recorded on a timely basis.
• Charges to customers are for valid claims for sales rendered in accordance with established pricing
policies.
• Costs and expenses are properly matched with revenues.
• Recognition has been given to revenues, costs, and expenses (including losses) which should be so
recognized.
• Revenues, costs, and expenses are appropriately classified and described in the statement of income.
Payroll
• Compensation costs reflect the aggregate cost of employee services during the period and are
distributed to appropriate inventory and expense accounts.
• Compensation rates are in accordance with applicable union agreements and/or approved rates.
• Additions, separations, wage rates, salaries, and other deductions are authorized and recorded on a
timely basis.
• Employee time and attendance data are properly reviewed, approved, and processed on a timely basis.
• Payroll deductions are determined in accordance with legal requirements or employee authorizations
and are paid to the government, unions, and other specified parties in a timely fashion.
• Payments for compensation and benefits are made only to bona fide employees.
• All authorized employee benefit plans and related costs are appropriately controlled and administered.
• All expenses recorded must be "ordinary," meaning "customary and usual" within the experience of
the particular community.
• All expenses recorded must be "necessary," meaning "appropriate and helpful" for the development of
the entity's business.
• Sufficient documentation must exist. Specifically, the amount, time, place, business purpose, and
business relationship of the entertained party must be recorded.
• Reimbursements to employees must be fully accountable, so as not to be considered compensatory. If
any reimbursements are compensatory, appropriate tax information must be retained.
Endnote
1. The Institute of Internal Auditors officially revised the "Red Book," or Standards for the Professional
Practice of Internal Auditing. At the end of 2001, this new version became effective for auditors and
interested parties.
Since the audit report is the most significant product issued by the Audit Department, the report format should
be carefully considered. It is the policy of Sam Pole Company to issue a summary-and-detail report for each
significant audit completed. The purpose of the summary report is to provide, in brief presentation format, the
essence of the scope and results of the audit. It also allows for a profile section to convey additional
information of interest to the Audit Committee and senior management. The thoughtful and creative use of the
profile section provides a vehicle for the Audit Department to convey information beyond the negative
reporting process that is inherent in internal auditing. To put it another way: the use of the profile section
enables us to convey information that may contribute positively to the management of the corporation. In
some instances, this information would be basic financial or operational, which helps put the audit results in
the proper context. Detailed descriptions of the summary and detailed report formats, with examples, are
contained in other sections of the manual.
The reporting process begins with the draft audit comments and follows through to the issuance of reports and
the report to the Audit Committee (if appropriate). The corporate audit reporting process matrix, Exhibit 8.1,
summarizes the activities contained in this process.
[Exhibit 8.1, corporate audit reporting process matrix; only part of the table survived extraction. Columns (process steps): Assign No.; Draft Comments; Report Distribution Worksheet; Draft Reports; Draft to Auditee; Inclusion of Auditee Comments; Issue Report to Management; and a final column whose heading is truncated. Rows: PURPOSE (document audit findings, comments, and recommendations for review; log/track report preparation and distribution; formalize audit conclusions, findings, and recommendations; obtain agreement on facts and circumstances, substance, and responses; incorporate auditee responses into draft reports; apprise Audit Committee of audit results) and SOURCE (audit workpapers for each step; Corporate Secretary; IA Manager; IA file).]
a. Draft Reports
The audit report process begins with a review of the tentative audit recommendations worksheets prepared
during the audit performance process. Each individual page contains comments accumulated during the audit
process. These pages will have been preliminarily reviewed by the auditee during the audit process. The
manager will review all comments in conjunction with his review of the workpapers, ensuring that all
comments are adequately supported. Within approximately one week from the completion of the audit field
work—or the closing conference of the audit team—the audit manager or his designee will draft an audit
finding and recommendation for each of the tentative audit recommendation worksheets. These comments
will then form the basis of the detailed audit report draft.
The audit manager will begin the preparation of the summary audit report. Information regarding the scope
and highlight sections will be based on information contained within the planning, status, and summary
memos as well as the detailed finding and recommendation report. The Director of Auditing will review the
draft and provide input.
b. Draft to Auditee
Various practices regarding distribution of draft audit reports to auditees exist within the internal auditing
profession. The trade-off issues involve the interest in accuracy and fair presentation versus the issue of
timeliness. Some audit departments believe that timeliness is not the most critical factor, and obtaining input
from auditees and incorporating it in the audit report provides for increased accuracy and a more level
"playing field." Still other audit departments believe that the function of the audit is to issue comments as
soon as possible, and they bypass or reduce the auditee review process. The auditee will then issue a response
and discussion of implementation plans.
The policy of Sam Pole Company is to review comments with the auditee as they are developed. Once the
audit draft has been developed, the draft is forwarded to the auditee for review. Auditees will have two weeks
to review the comments and prepare a paragraph detailing their actions or position on the comment.
Exhibit 8.2 provides an example of a transmittal of the report draft to the audited entity, and Exhibit 8.3 is an
example of a transmittal of the report to senior financial officials.
Date: [date]
Please review the draft to confirm (or not) that the recommendations and comments agree with those
presented to and discussed with you at the closing audit conference. Also include your response in one or two
paragraphs for inclusion in the detailed audit report. Please reply to me or [ designate] by phone by [date], so
that we may proceed to issue the final report.
/S/ Manager
Enclosures
• To provide a framework to monitor, obtain, and evaluate such responses from audited units
• To enable the Director of Auditing to report on the adequacy of responses to, as appropriate, senior
management and the Audit Committee
Each auditor will develop and implement procedures to attain the objectives outlined above and ensure that
the total audit process is completed for both this department and the public accountants.
In cases when audited units have not responded within the prescribed period of time, standard 30-day
(overdue reports) and 60-day (delinquent reports) letters are to be issued by the affected auditor and Director
of Auditing, respectively. (See Exhibits 8.4 and 8.5.)
Date: [date]
To: Financial Official, Audited Entity
From: Audit Manager
Subject: Response to Audit Report
[The Corporate Audit Department]/[public accountants] issued its report, dated _____________ on the results
of its examination [covering internal accounting controls]/[of balance sheet accounts]/ of
[______________________] for the period ended _____________ [date].
This letter is to remind you that a written response to the audit report is due no later than 30 days following
the report transmittal date. Please advise when we can expect your response.
Audit Manager
cc: Audit Director
You will recall that ____________, our manager in _______________, reminded you one month earlier that
corporate policy requires a written response to the audit report no later than 30 days following the report
transmittal date.
In the event you have compelling reasons for not responding, please call me or _____________ immediately.
Otherwise, we expect your response within a week's time. My responsibilities to the Audit Committee and
senior management require regular reports on the adequacy and timeliness of responses to audit reports.
Audit Manager
cc: Audit Director
In addition to monitoring and accounting for responses, each manager is responsible for evaluating them to
determine that satisfactory management action has or will be taken. Evaluation of responses is to be
documented in the workpapers or, when pertinent, advised in writing to the public accountants.
Date: [date]
To: Division or Department Manager
From: Audit Director
Subject: Reports of Independent Public Accountants
Purpose
This memorandum provides additional procedures implementing the policy covering the distribution of
reports of independent accountants and, when required, management responses to them.
Policy
• Audit findings, recommendations and other matters deemed to be significant by the public
accountants are reported directly by them to the Audit Manager, Chief Financial Officer, and the
Audit Committee.
• A prompt formal written response to the Audit Manager is required, covering internal control and
management recommendations made by both the public accountants and corporate auditors. Responses are
due no later than 30 days following the date of the auditor's report and in the format shown on attached
Exhibit 8.7.
Insert comments here or note regarding attachment of comments from public accountants.
Company: ____________________
_______________________________________
NO. | RECOMMENDATION | IMPLEMENTATION | RESPONSIBLE PERSON | TARGET DATE
The following amplifies the policies covering the distribution of public accountants' reports and related
responses to ensure that they are distributed properly:
President and Comptroller, other key financial officials and the public accountants.
The additional procedures outlined above enable implementation of effective and consistent practices to
monitor and report on the results of audits by public accountants in the United States and other countries.
The audit report and the detailed recommendations and comments section have a standard format that will be
adequate for writing most reports. There may be times when it will be appropriate to deviate from the standard
format. These instances must be discussed with the manager before proceeding. Exhibit 8.8 is an example of
an audit report.
Company/Location:
Audit Date:
Audit Manager:
Date Completed:
Audit Office:
Auditors:
Date of Report:
The Audit Committee
This report summarizes the results of our audit of the company's accounting records and selected internal
control procedures. Detailed recommendations and comments, after review with local management, were
provided to the local accounting personnel for written responses to this office, and to other key officials, and
to the public accountants for their information.
The manufacturing plant produces approximately NNN square yards of carpet tile per month. Comparative
operating data are as follows:
                      2002        2003
Sales                 $xxx,xxx    $xxx,xxx
Cost of Sales         xxx,xxx     xxx,xxx
Inventory             xxx,xxx     xxx,xxx
Sales Backlog         x,xxx       x,xxx
Number of Employees   xxx         xxx
Scope of Audit
Our examination included a review and evaluation of accounting systems, internal control procedures, and
tests of account balances.
Conclusion
In our opinion, internal controls are adequate, and account balances, as adjusted, are fairly stated in all
material respects. Quantities of inventory on hand December 31, 200x, are fairly stated. Weaknesses outlined
in the detailed recommendations and comments provided to local management did not have a material effect
on the account balances at December 31, 200x.
Summary
The significant matters discussed in the detailed report include the following:
• A Disaster Recovery Plan should be developed for the data processing operation.
• Procedures to ensure that computer program changes are properly authorized should be developed.
• Documentation for significant computer applications is weak and should be improved.
Manager
Distribution:
Headquarters
President
Local President
Local Accountant
I. Audit Report—Summary
Heading
Salutations
Lead Paragraph
Profile
Scope
Conclusion
Summary
Manager's Signature
Distribution
II. In-Depth Recommendations and Comments—Detail
Cover Page (Optional)
Heading
Lead Paragraph
Categories
Recommendations
Comments
Discussion Items
Manager's Signature
Exhibits (Optional)
I. Audit Report—Summary
Heading. The heading is preprinted on the Corporate Audit Report form. Company/location, Audit
Date, Audit Office, and Audit Manager are all self-explanatory.
Date Audit Completed. The date of the closing conference or last day of fieldwork, whichever is later.
Auditors. All auditors who participated in the audit. Use the first two initials in all names.
Lead Paragraph. The lead or introduction paragraph indicates to the Audit Committee that this report is a
summary of the results of our audit or review. It refers to the detail section, noting that recommendations and
comments have been discussed with local management and require a response. It also states that the detail has
been distributed to key officials and the public accountants.
It should not be necessary to restate the auditee's name or dates, because this information is included in the
heading.
Profile. "Profile" is generally preceded by "plant, company, or department," which refers to the auditee. The
profile section is intended to be informative to the reader. In some instances, the reader has not had the
opportunity to visit the auditee's facility. The profile section should be designed to be a "stage setter" for the
reader. It should help the reader visualize the entity, number of employees, production, or implications of
adjustments attributable to company size. The profile, as the situation warrants, may be excluded or contain a
narrative description or financial schedules.
The profile should not dominate the report. Instead, it should be limited in size to approximately one
informative paragraph. Comparative financial information, if included, should not leave the reader with
unanswered questions. Significant variations should be explained.
Keep in mind that the profile should not distract from the purposes of the report, which are the summary,
scope, and conclusion sections.
Scope. The scope section has two principal functions. One is to identify exactly what was done during the
audit, and the second is to delineate in writing that which was not done.
The scope should clearly state when the work was limited or restricted to, for example, the payroll system.
If internal controls were reviewed on certain systems, but not others, it must be clearly indicated. A general
statement such as, "we reviewed the plant's systems of internal controls," is not specific to the reader and
leaves the audit open for question later. To state "certain" systems were reviewed is better, but not as good as
indicating that specific systems such as payroll, accounts payable, and accounts receivable were not reviewed.
Clearly stating what was done in the audit leaves no doubt as to what was not done. In certain situations, it
may be necessary to clearly qualify the scope section by saying, "we did not review, test, etc."
Conclusion. The conclusions can only be written on the basis of the work performed in the scope section and
subject to the major exceptions contained in the summary section. No new or additional information can be
interjected into the conclusion that has not been specifically stated in these two areas (scope and summary).
The auditors should conclude or state their opinion on the fairness of the account balances, financial
statements, the adequacy of internal controls, or the reliability of systems.
Summary. The summary component summarizes the detailed recommendations and comments section of the
report. The detailed recommendations and comments section does not accompany the audit report issued to
the Audit Committee. Therefore, the summary never contains information not published in the detailed
Of the five attributes that are used as a basis for writing a recommendation, only a statement of condition and
a statement of action are used to write the points of the summary.
The summary only includes major or material exceptions resulting from the audit. Considerable thought
should be given, first, to what is included in the summary and, second, to how it is written. Problems may arise if
the auditor overreacts or improperly states the situation. Therefore, the summary may indicate that an audit
disclosed no material weaknesses. Other recommendations and comments that are not considered "material"
should be addressed in the summary by referring to them in total as one item covered by a few sentences.
Statement of action to summary items may either be included with the summary items individually or
prepared in a trailing paragraph to the last summary item.
Discussion items may be included in the summary if material. Because discussion items are written with the
same attributes as recommendations, the statement of condition and statement of action will be included.
Discussion items are generally only used when auditees object to recommendations on the grounds that they
have no control over the subject. If auditors feel strongly that the item should be included in the report, the
discussion item approach is a way around the situation. Discussion items do not require a response from the
auditee, but still communicate the problem to management and the Audit Committee.
• Accrued payroll was understated $1 million at December 31. It was recommended that management
investigate and adjust the account. This account was adjusted January 7, 200x.
• Contract terms covering sales of real estate should be reviewed by counsel and entries properly
recorded in accordance with Generally Accepted Accounting Principles (GAAP).
• Fifty thousand dollars were lost due to weak internal controls in the data processing area. We
recommend system changes to help prevent future occurrences.
Manager's Signature. The Audit Manager is responsible for the review and signing of the audit report issued
to the Audit Committee of the Board of Directors. He may assign this responsibility to others under certain
circumstances.
Distribution. The distribution is a multi-step process. After the report is written in draft form, a copy is sent to
the Director of Auditing and the auditee simultaneously. A specifically designed cover letter is used to convey the
drafts to the auditee. This cover letter indicates that the draft has been sent to the auditee first for comments and
that time is of the essence.
The second step toward distribution, after review and corrections are accomplished, is to send the draft to the
Corporate Controller and Director of Auditing, or the next level of authority over the auditee.
After the drafts clear the second step and adjustments or corrections are made, it may be necessary to send a
copy to the auditee and Director of Auditing a second time. Barring this situation, the report is ready for
distribution. Standard distributions for the report consist of:
Audit Committee
Chief Operating Officer
Company Level
Director of Auditing
Division/Branch/Department
(as applicable)
Comptroller
Partner
Manager
This section is issued with the audit report, but is not distributed to everyone on the distribution list. See
distribution of the audit report in a prior section. Because this section may become separated from the audit
report, it must be written to stand alone as an independent document. Exhibit 8.9, "Corporate Audit Detail
Recommendations and Comments," presents an example of this report.
Corporate Audit
These detailed recommendations and comments supplement our report to the Audit Committee, in which we
concluded that account balances as adjusted were fairly stated in all material respects and controls were
adequate at December 31, 200x. These detailed recommendations and comments were reviewed with
appropriate levels of management and, in accordance with corporate policy, are subject to their written
response.
Disaster Recovery
In the event of emergency or disaster in which the AS/400 system is not available for long-term use, there are
no contingent plans in effect for the continuance of processing on the AS/400. This weakness could result in a
delay of processing transactions and have an adverse effect on business operations.
• Recommendations/Comments
• We recommend that management initiate efforts to develop a Disaster Recovery Plan. In the event
that the AS/400 System is disabled, contingency plans would then be in place to allow continued
processing at an off-site facility. A Disaster Recovery Plan should meet the following criteria:
♦ To identify a location for further processing. This site could be a cold site in which a third
party has another AS/400 to which the company would have access, or an arrangement with
IBM that would permit the company to be provided with another AS/400 on short notice.
♦ A list of contacts and responsibilities in the event of emergency.
♦ A list of programs and data files needed for recovery, including a ranking of critical
applications and adequate method of creating, testing, and storing data backups.
♦ Detailed instructions on execution of a Disaster Recovery Plan.
Program Change Control
Program change control is not formally addressed. Requests for changes to programs should be authorized by
user departments. To be properly controlled, a formal authorization form should be developed, indicating the
reason for the change, user approval to initiate the project, and final sign-off. Only properly authorized,
changed programs should be placed into production libraries.
• Recommendation
• All program change requests should be properly authorized in writing by the manager or supervisor of
the user departments. When the program change has been made, the manager or supervisor of the user
department should sign the program change form, signifying that the program has been changed
according to the original instructions. The program change form should then be filed in numerical
sequence. A copy of the program change form should also be filed with the system's documentation
such that a record of each change made to the system is kept in chronological sequence.
Documentation
Good documentation of computerized applications is necessary to document the methods and formulas
utilized in the computer operation, to provide a tool to train new personnel, to provide operators with
instructions, and to assist programmers with systems development and program modification work.
We believe documentation is an important area and should be implemented. This process may require
management support for the development of a plan to document systems by certain key target dates. We
suggest that documentation along the following lines be considered:
♦ System description
♦ System flowcharts, showing the flow of data through the system and the relationship between
processing and computer steps
♦ Input descriptions
♦ Output descriptions
♦ File descriptions
♦ Copies of authorizations and their effective dates for system changes that have been
implemented.
• Program documentation consists of:
♦ Descriptions of functions
♦ Inputs and outputs
♦ Sequence of cards, tapes, disks, and files
♦ Setup instructions and operating system requirements
♦ Operating notes listing program messages, halts, and action to signal the end of jobs
♦ Control procedures to be performed by operations
♦ Recovery and restart procedures
♦ Estimated normal and maximum run-time
♦ Instructions to the operator in the event of an emergency
• User documentation consists of:
♦ Authorization (i.e., data center approval, programmer and project manager, quality assurance,
and user approval)
♦ A log to permit the tracing of transmittals through the change control cycle.
• Establishment of formal testing procedures to include:
Manager
Cover Page. An optional cover page may be developed to separate the audit report from the detailed
recommendations and comments section. If you elect to insert this page, it could contain "Detailed
Recommendations and Comments" as a title and be centered on the page.
Heading. The heading consists of the auditee name, the name of the section, "Corporate Audit Detailed
Recommendations and Comments," and the "as of" date of the audit.
Lead Paragraph. The purpose of the lead or introduction paragraph is to convey to the reader three points.
First, this document supplements the summary audit report to the Audit Committee. Second, there is a
summarized restatement of the conclusion. Finally, a written response is required. For example:
• These detailed recommendations and comments supplement our summary audit report to the Audit
Committee of the Board of Directors in which we concluded that internal controls for the payroll and
account balances were fairly stated in all material respects as of April 30, 200x. These detailed
recommendations and comments were reviewed with appropriate levels of branch management and
are subject to their written response in accordance with corporate policy.
Categories. For purposes of organization, subtitles are used to group recommendations and comments relating
to the same subject; that is, all recommendations and comments relating to accounts payable should be
numbered under the subtitle "accounts payable." The subtitles are typed on the left margin in bold type and
underlined. To emphasize the subtitle, double spacing is used before and after the subtitle. The numbering
sequence starts with the first recommendation and is continuous to the last recommendation under that
subtitle. Numbers start over for each subtitle.
Recommendations. Use "recommendations" rather than "findings" to describe the audit exceptions because it
has a more positive connotation. Recommendations are one of the five attributes that make up a finding, as
published by the Institute of Internal Auditors. In lieu of saying, "These are our findings," implying something
wrong was found, present a more positive image by saying, "These are our recommendations for
improvement." Do not report that something was wrong; report merely that the auditee can improve existing
conditions. A more positive approach implies professionalism by suggesting improvements as opposed to
dwelling on or publishing problems and failings.
Comments. Comments differ from recommendations in that the five attributes—condition, criteria, effect,
cause, and recommendation—are not present. Comments are more of a remark or brief statement of fact or
opinion. To lessen the confusion, the attribute "recommendation" has also been renamed "statement of action."
Care should be used, in that generally anything material enough for the report should be adequately supported.
Discussion Items. Discussion items are developed and written as recommendations, but differ in that the
auditee is not required to respond to these items. Discussion items are used in instances where auditees object
to an item being included in the report when they are not directly responsible for the situation. The auditors
feel strongly that the situation needs exposure in a written report. A compromise is the discussion item
approach, which could be used only as a last resort.
Manager's Signature. The manager is responsible for signing the recommendation and comments section.
Exhibits. The exhibit section is optional, but should be considered if additional information will help make the
audit recommendations and comments clear to the auditee or management. Exhibits may take the form of
photographs, flowcharts, financial schedules, adjustment schedules, or other sundry schedules of supporting
information. Like pictures, exhibits are worth a thousand words. Supporting exhibits not only add clarity, but
if properly done, add a degree of professionalism to the auditor's work.
inform management, on a detailed basis and prior to the next scheduled Audit Committee meeting, of some of
the items that will be included in the administrative section of the report to the Audit Committee. This process
will enable auditors to . . . the Audit Committee. It will also enable auditors to integrate the text of this material
into the Audit Committee report to save work when that report is being developed.
Communication with management is a very important element of an internal audit function. It is more
important than in some other operations because the management issues and output of the audit function are
more qualitative than quantitative. In a manufacturing or distribution operation, one can measure the output in
units and analyze it in many ways. Audit functions have a lot of control over the quantity and quality of the
work they perform. However, it is difficult for management to understand the issues involved in running a
successful audit function and producing quality audit reports. Audit management has a number of
opportunities to express their issues and report on activities. The formal process involves issuing audit reports
(see "Corporate Audit Report Process") and issuing reports to the Audit Committee (see "Report to Audit
Committee"). In this section, we deal with the opportunity to report on a somewhat more detailed basis to
management.
As noted earlier in this section, if possible, the Report to Management should be prepared prior to Audit
Committee meetings. This sequence will enable the material developed for this report to be reworked for
inclusion in the report to the Audit Committee. There are no formal guidelines for what should be included in
the Report to Management. Therefore, wide latitude should be used to help explain issues and promote
progress achieved within the audit operation. Exhibit 8.10 is an example of a Report to Management. The
format is simple and self-explanatory. However, great care should be taken to include all relevant activities on
a prospective basis, as well as activities that have already taken place. In order to demonstrate the tone and
range that a Report to Management can take, a number of sample report elements have been included in the
example. In addition, the report could be patterned after other similar reports required within the organization.
Some of the sections that should be considered include: Corporate Audit Department personnel issues;
activities related to the external accounting firm; education; internal audit reports issued, pending and in
process; and budget status.
INTEROFFICE CORRESPONDENCE
INTERNAL AUDITS
• Audit Reports
• We continue to strive for timely report issuance. At this date, we have the following audit report
status:
◊ XYZ Subsidiary
◊ Tulane Contract Audit
◊ Purchasing Department Audit
♦ Pending Issuance
◊ Transportation Department
◊ ABC Subsidiary
• Physical Inventories
• In cases where reports are to be issued upon completion of location audits, inventory audit findings
will also be included. In other cases, only exception reports will be issued regarding observations and
review of compilations. We observed these physical inventories since the July status report:
♦ XYZ Subsidiary
♦ ABC Subsidiary
♦ Main Supplies Inventory
ORGANIZATION/PERSONNEL
The department is currently comprised of 37 professionals and two secretaries at September 1, which reflects
the termination of John Doe and the resignation of Jane Smith in the East and the hiring of Pay Plum
(CPA-CISA) as a semi-senior in the West. We continue to attempt further East staff reduction by transfer to
other departments. To date, the West manager is pleased with the performance of his staff. He is now
recruiting another semi-senior.
                Total   East   West   International
Professionals   35      15     14     6
Secretaries     2       1      1      0
                37      16     15     6
Annual performance reviews were discussed with each eligible East staff member in conjunction with salary
increases granted effective September 1. The staff generally responded receptively to constructive criticism
designed to insist on or encourage, at minimum, competent professional performance. With certain
exceptions, staff members considered salary increases equitable.
EDUCATION/TRAINING
• Other
• In a less formal, yet structured manner, individual staff members are involved with IIA self-study
courses dealing with internal audit theory and practice, and statistical sampling. This work is
monitored by our Personnel Development Coordinator.
• In order to enable staff members to prepare for the CPA examination and still fulfill audit schedule
responsibilities, we have arranged with XYZ to use their self-study guides, at no cost to Sam Pole.
Bill Clark, between audit assignments, will assist the CFO during October in assembling, reviewing, and
analyzing operating companies' 200x budget proposals. We have also offered to assist the Director of
Financial Analysis on 200x budget matters, by making Peter Daily (East) or Rod Stewart (West) available for
six weeks to two months. These opportunities have a two-fold purpose: (1) to broaden participants' exposure
and experience in Sam Pole, and (2) to add another dimension in the evaluation process from sources outside
internal audit.
We do foresee a potential problem associated with these off-staff assignments. The demand for Management
Development Program participants to work outside the department is likely to conflict with our peak workload
period—the Fall—when we experience our heaviest external audit coordination commitment. We are
developing our audit plans and schedules to attempt effective attainment of both goals.
POLICY STATEMENTS
• Compliance Program
• Results of circularization for employee acknowledgment of compliance with our code of conduct are
virtually complete. Responses received at this office disclosed no conflict or other situations that
warrant reporting. We plan to issue a brief formal report on the results of our review.
• Policy Statement Booklet
• The supply of booklets in New York is exhausted. We have submitted suggested changes to the text
of the booklet to the General Counsel. We also offered to assist them toward publication of the next
revision.
OTHER MATTERS
• Security
• As noted in my prior status reports and memos, we have been working with the Finance Director to
assess ways to improve the corporation's focus on security. We are considering the need for
centralizing the responsibility for all aspects of security within the company. Our recommendation
was for a high-level survey of our current practices and security plans. To further our groundwork, we
have set up a meeting with the General Counsel to apprise him of our activities to date and get his
input.
• Professional Activities
• As president of the New York Chapter, ISACA, John Jones presides over monthly board meetings
and plans education events for members.
• On July 24, the Chief Auditor addressed our external audit firm's seminar for internal auditors on
internal audit department practices.
• Marc John serves on the IIA Board of Governors and as Chairman of the Editorial Committee.
• Jane Paul serves on the IIA International Research Committee.
Regards,
The Report to Management should be addressed to the management reporting line of the Chief Auditor. This
report is generally not copied to the Audit Committee, but should be copied to the President or CEO, if
appropriate.
Gentlemen:
Audits in process and concluded since our report dated December xx, 200x, have not disclosed any
developments that require action by the Committee.
I look forward to meeting with you to review the contents of this report and any other matters you may wish
to discuss.
S. Jones
SECTION I
Sam Pole Company maintains systems of internal accounting controls and procedures designed to provide
reasonable assurance that all transactions are properly recorded in the books and records, that prescribed
policies and procedures are adhered to, and that the corporation's assets are protected from unauthorized use.
Based on continuing reviews of internal controls at company locations, nothing has come to our attention
since our prior report that would indicate that the existing systems of internal controls are not effective.
However, as commented on in our December report, the company must be continually alert, so that the
changing conditions in Sam Pole Company's operations—primarily reductions in the number of salaried
employees—are not accompanied by a weakening of existing internal controls, more specifically, the
segregation of duties. We plan to continually focus on such areas of potential weaknesses and report situations
where we believe action is required.
SECTION II
The following audit reports, issued since the December 5, 200x, Audit Committee meeting, are enclosed for
your review:
• Corporate Data Center
• Sam Pole Antenna Company
• Payroll System
• Products Company
• Sales Company—Trading and Logistics
Recommendations relate to internal controls that can be improved; however, no material exceptions were
noted. In the event of significant findings, we would promptly advise the Committee and issue a preliminary
report.
Our comments and recommendations have involved matters significant to the organizational units audited.
Based on our evaluation of auditee responses, we believe that our recommendations have been or are being
given considerable management attention and action.
SECTION III
Audit Activities
Audits pertinent to annual corporate financial statement reporting centered primarily on completing interim
and year-end audits under the rotation plan with our external auditors. We also continued our reviews of
automated systems, including customer accounts receivable, salaried payroll, and accounts payable.
Supplies Inventories
At the December meeting of the Audit Committee, we reported on our management-requested special review
of supplies inventories. Since our last report. . .
Steering Committee
The Director of Auditing, while not a member, attends by invitation the Information Resource Steering
Committee meetings. Briefly, this involvement provides input to the Committee and knowledge of company
plans to the Director. As a result of attending these meetings, we are planning special audit training in the
following areas . . .
Disposition Audits
As previously reported, we have been significantly involved in disposition audits of the various units. Most
recently, we assisted in the development of data that allowed for timely ...
Professional Staff
The current field staff, meeting our authorized complement, totals 20: six in New York and fourteen in
Denver (as compared to 19 in 200x). Our current three-year plan indicates a need for approximately 21
auditors. We will adjust this plan and reevaluate staffing requirements after developing the rotation program,
based upon the company's new operating structure, with the public accountants.
High turnover has continued in Denver, due to the company's situation and increased salaries available in an
area with a high employment rate. Future recruiting, unless otherwise required, will be at the entry level.
We are pleased to report that we have promoted Mr. Sharp to manager in New York and Jane Pink to
supervising senior in Detroit. Two individuals transferred from the audit staff— one to the Controller's staff
and the other to MIS.
A responsibility of the Director, as described in the department's charter, is that audit work conform to the
Standards for the Professional Practice of Internal Auditing. The Standards call for an independent external
review at least once every three years, to appraise the quality of the department's operations. Accordingly, we
have tentatively agreed to reciprocal department reviews with IPL Corporation in 200x and 200x. Preliminary
discussions will be held in late February, with a review of our department planned for June 200x.
We have been planning this independent review of our total department performance for several years.
Initially, we had each audit group perform a high-level quality assurance review. In 200x, we had a more
in-depth review in New York and Detroit with a good appraisal (on a test basis) of the adequacy of each
other's performance. We are now looking forward to this independent peer review to see how we can improve
our operations.
Professional Certification
We have developed a professional certification policy for the internal audit department. We are strongly
encouraging certification (CPA, CIA, CISA, CMA, etc.) within the first five years or before promotion to
senior. We are providing partial company assistance to provide further incentive and yet ensure the
individual's own sincere interest. A copy of the policy for your review is enclosed in Appendix XX. (Not
shown here—see "Policies" section of the manual).
9.1 Introduction
The internal audit (IA) function should be more than activities as prescribed by management and professional
organizations. By choice, the IA department can be a "world-class" entity—achieving excellence and
maintaining it. But that will only happen with a great deal of commitment and effort. There are a number of
methods, techniques, programs, and tools available to assist IA in attaining the highest level of excellence
possible. In order to achieve the status of a world-class entity, and to be as effective as possible, IA will need
to address issues such as corporate governance, quality assurance, continuous improvement systems, and
marketing the IA function.
Effective corporate governance is a synergy between internal auditors, the board of directors, senior
management, and external auditors. The importance of corporate governance is illustrated by a McKinsey
report stating that investors are willing to pay a premium for shares of companies that have a corporate
governance framework in place: 12 to 14% in North America and Western Europe, 20 to 25% in Asia and
Latin America, and 30% in Eastern Europe and Africa. [2] The IIA believes that good corporate governance
principles could prevent some of the frauds that have been investigated by the Securities and Exchange
Commission (SEC).
The National Association of Corporate Directors has recommended that the SEC require public companies to
disclose the extent to which they meet endorsed standards developed by the listing exchanges. Codes of
governance in the United Kingdom, Canada, South Africa, and other countries already require disclosure of
conformity to certain recommended governance practices. In the United States, governance policies and
practices vary considerably from state to state, and from company to company.
One emerging model has been proposed by the Corporate Governance Center at Kennesaw State University in
Kennesaw, Georgia [3]; it has been endorsed by the IIA. Their model of principles includes:
1. Interaction. Sound governance requires effective interaction among the board, management, the
external auditor, and the internal auditor.
2. Board Purpose. The board of directors should understand that its purpose is to protect the interests of
the corporation's stockholders while considering the interests of other stakeholders (e.g., creditors,
employees, etc.).
3. Board Responsibilities. The board's major areas of responsibility should be monitoring the chief
executive officer (CEO), overseeing the corporation's strategy, and monitoring risks and the
corporation's control system. Directors should employ healthy skepticism in meeting these
responsibilities.
4. Independence. The major stock exchanges should define an "independent" director as one who has no
professional or personal ties (either current or former) to the corporation or its management other than
service as a director. The vast majority of the directors should be independent in both fact and
appearance so as to promote arms-length oversight.
5. Expertise. The directors should possess relevant industry, company, functional area, and governance
expertise. The directors should reflect a mix of backgrounds and perspectives. All directors should
receive detailed orientation and continuing education to assure they achieve and maintain the
necessary level of expertise.
6. Meetings and Information. The board should meet frequently for extended periods of time and
should have access to the information and personnel it needs to perform its duties.
7. Leadership. The roles of board chair and CEO should be separate.
8. Disclosure. Proxy statements and other board communications should reflect board activities and
transactions (e.g., insider trades) in a transparent and timely manner.
9. Committees. The nominating, compensation, and audit committees of the board should be composed
only of independent directors.
10. Internal Audit. All public companies should maintain an effective, full-time internal audit function
that reports directly to the audit committee.
• Internal Controls. The board of directors of all publicly traded companies should be required to
publicly disclose an assessment of the effectiveness of internal controls within their organizations.
Such disclosures should address internal controls broadly, rather than being limited to accounting
controls over the recording and reporting of financial information. This recommendation includes the
suggested usage of the Committee of Sponsoring Organizations (COSO) model described in Chapter
3.
• Internal Audit Function. All publicly held companies should establish and maintain an independent,
adequately resourced, and competently staffed internal auditing function to provide management and
the audit committee with ongoing assessments of the organization's risk management processes and
the accompanying system of internal control. If an internal audit function is not present, the board of
directors should be required to disclose in the company's annual report why the function is not in
place. Consideration of the work of internal auditors is essential for the audit committee to gain a
complete understanding of an organization's operations.
• Internal Audit Independence. In establishing and providing oversight for an internal audit function,
audit committees should ensure that the function is structured in a manner that achieves organizational
independence and permits full and unrestricted access to top management, the audit committee, and
the board.
• Internal Audit Professionalism. In establishing and providing oversight for the internal auditing
function, audit committees should charge chief audit executives (CAE) with the responsibility of
ensuring that internal audit work is performed in accordance with the IIA's Standards. Internal
auditors, and especially CAEs, should demonstrate their professional competency by attaining
appropriate professional certification.
Insight into the audit committee element of corporate governance can be drawn from a study by COSO. In
1999, COSO issued a study on the SEC enforcement activities from 1987 to 1997. The study analyzed 200
randomly selected cases of alleged financial fraud investigated by the SEC during the decade, which is about
two-thirds of all the SEC probes into fraud during the time period. The results of the study provide valuable
information for any organization in protecting against fraud, but prove especially valuable in developing audit
committees. The "COSO Landmark Study on Fraud in Financial Reporting" points to several common factors
about the companies in the study (see Exhibit 9.1).
Exhibit 9.1 (fragments recovered from the exhibit): ... cannot depend on your external auditors to detect fraud
based on their size. Cumulative amounts of frauds were relatively large in light of the relatively small sizes of
the companies involved; the average misstatement or misappropriation was $25 million.
First, most fraud in financial reporting among public companies was committed by smaller
corporations—well below $100 million in assets. Most were not listed on the New York or American Stock
Exchanges.
Second, the boards of directors of the companies investigated were dominated by insiders and directors with
significant equity ownership. They also had little apparent experience in serving on the boards of other
companies.
Third, most audit committees of the firms investigated met only about once a year, or the company had no
audit committee at all. The absence of an active audit committee leaves a gap in the enterprise internal control
environment.
Last, the riskiest group of perpetrators was executive managers—83% of the cases appeared to involve either
the CEO or chief financial officer (CFO), and the CEO appeared to be involved in the financial frauds in 72%
of the cases. This statistic is particularly chilling because of the role executives play in the business, of their
ability to override internal controls, and of the difficulty in recognizing the involvement of executives in
financial frauds. One way to provide a control against management fraud is to have an effective, aggressive
audit committee that is willing to challenge management, when necessary, and an audit committee vigilant in
looking for signs indicative of ongoing fraud in management.
From this data, a model for audit committees can be developed. This model of attributes was developed based
on existing standards, SEC rules, and the COSO fraud report (see Exhibit 9.2). The model attributes include
independence, competence, organizational structure, leadership, and a proactive approach.
These points are made to assist IA in providing input to audit committee members and board members, and in
meeting the other responsibilities it has related to both corporate governance and quality. IA is an integral
part of effective corporate governance.
[2] Global Investor Opinion Survey: Key Findings, 2002, McKinsey. Available online at
www.mckinsey.com/practices/corporategovernance/PDF/GlobalInvestorOpinionSurvey2002.pdf.
[3] Corporate Governance Center, Kennesaw State University, 21st Century Governance and Financial
Reporting Principles for U.S. Public Companies, 2002. The University of Delaware also sponsors a Center for
Corporate Governance at www.be.udel.edu/ccg/staff.htm.
[4] From "Effective Audit Committees for Cooperatives: Part I — What, Why and How," The Cooperative
Accountant, Summer 2002, pp. 22–30, T. Singleton.
a. Objective
The objective of the quality control program is to ensure that all assignments are completed in accordance
with the department, IIA, and Information Systems Audit and Control Association (ISACA) standards where
applicable.
b. Responsibility
It is the responsibility of the Director of Auditing to have quality audits completed on all assignments and to
maintain a quality control program to evaluate the operations of the department. The Director of Auditing will
appoint a Quality Assurance Coordinator, who will be responsible for the quality control program, and for
keeping the Director of Auditing informed of all results.
c. Method
The program is in four parts:
• Objective. The objective is to ensure that all assignments meet minimum standards for planning,
supervision, and documentation.
• Responsibility. The manager on the engagement is responsible for ensuring:
I. GENERAL
The Quality Assurance Coordinator will review all deficiencies noted with the senior and the manager
of the assignment. The manager is responsible to see that the deficiencies are corrected. Once all
deficiencies are corrected, the Quality Assurance Coordinator will sign off on the engagement
checklist.
• Objective.
The objective of this phase of the quality control program is to see that Corporate Audit
workpapers:
1. Audits and special projects would be selected to meet the following criteria:
⋅ Financial
⋅ Systems review
⋅ Special projects
⋅ Data center audits
2. Assignments will be selected at random, supplemented by the Quality Assurance
Coordinator's judgment, to meet all of the above criteria.
• Method . Workpapers will be reviewed in detail using a published checklist (if appropriate). All "no"
answers will be reviewed with the manager and the senior in-charge. All noted items, or the fact that
there are no items, will be reported to the Quality Assurance Coordinator in selected assignment
review memoranda.
The Quality Assurance Coordinator will summarize all items noted in these reviews and prepare the
selected assignments review memo to the Director of Auditing.
review of documentation, interviews, and actual experience. Upon completion, the Quality Assurance
Coordinator will prepare the annual report to the Director of Auditing.
♦ Obtain an outside view of the department's performance versus professional and internal
standards
♦ Obtain suggestions for improving operating efficiencies
• Responsibility. It will be the responsibility of the Director of Auditing, upon the recommendation of
the Quality Assurance Coordinator, to have a triennial (once every three years) review performed.
• Method. The method of review—public accounting, other internal auditors, or an IIA team—will be
decided upon a complete review of the alternatives. Items that must be considered are:
♦ Cost
♦ Confidentiality of records
♦ Expertise in performing reviews
♦ Knowledge of business and operating environment
d. Reports
There are several key reports. They include:
This report is a summarized one, prepared by the Director of Auditing, sent to the Audit Committee, reporting
on the quality control program and the results of the annual self-assessment.
This report is a summarized one of the quality control program for the year that includes results of the annual
self-assessment, summary of deficiencies noted, and suggestions for improvement.
This report is a summary memorandum and detailed checklist, enumerating the deficiencies and findings from
the detailed review of selected audits, prepared for each assignment selected in the annual review process
discussed below. This memo is first reviewed with the assignment manager and in-charge accountant before
being given to the Quality Assurance Coordinator.
e. Summary of Review
The Quality Assurance Coordinator prepares a summary of the detailed deficiencies noted in the ongoing
review of all workpapers. This memorandum is sent to the Director of Auditing and is discussed with the
entire staff during an annual meeting.
... maintaining a world-class status. Most of the current continuous improvement programs were designed for
manufacturing and then adopted by service organizations. They include: Total Quality Management (TQM),
Six Sigma, Baldrige National Quality Program, Kaizen, Theory of Constraints, Balanced Scorecard,
Value-Based Metrics (VBM), and the International Organization for Standardization (ISO) 9000 family. Other
improvement methodologies that are not necessarily continuous include Activity-Based Costing (ABC) and
Business Process Reengineering (BPR). From these systems, the ones that should be most applicable to the IA
department are Balanced Scorecard, VBM, ABC, TQM, ISO 9000, and maybe Baldrige.
a. Balanced Scorecard
• Customers. Focuses on the external environment to understand, discover, and emphasize customer
needs. Common measures include customer satisfaction, customer loyalty, and customer retention.
• Internal Business Processes. Focuses internally along a value chain comprising innovation,
operations, and post-delivery service processes. Common measures include research and development
expenditures, sales from new products, productivity, cycle time, and throughput efficiency.
• Learning and Growth. Provides the foundation, or infrastructure, needed to meet the objectives from
the other two operational perspectives. Common measures include employee satisfaction, dollars
spent on training, and voluntary turnover.
• Financial. Focuses on shareholders. Every measure in the Balanced Scorecard System should be part
of a causal link that ends in financial measures. Common measures include economic value-added
(EVA®), return on investment, and net income.
Some of the above measures and concepts do not apply to IA, or do not directly apply. The Internal Audit
department would obviously use what can apply and ignore the rest. For customers, the customer satisfaction
component is important and can be measured by a survey instrument. Customer loyalty and retention,
however, do not easily apply (i.e., captive audience exists).
In the area of internal business processes, innovation could be things such as new computer-aided audit tools
and techniques (CAATTs) applied to audits, and even Balanced Scorecard System itself being applied to IA.
Post-delivery services could include gathering empirical data, on the effectiveness of audit recommendations
from audits (i.e., were they implemented, what improvements were realized, etc.), or follow-up procedures to
audit recommendations. Applicable measures include productivity, cycle time, and efficiency. The documents
and processes recommended throughout the manual provide source documents to assist in these measures,
recognizing that an appropriate Balanced Scorecard System would likely include other documents and
measures. Comparing budgeted hours for audit projects versus actual time is a good measure for efficiency
(see Exhibit 6.2 and Section 6.1(a), "Three-Year Operating Plan").
Financial could be measured by using IA as a profit center, or even a cost center with budget variances.
Shareholders could be extended to stakeholders as a more effective scope. Stakeholders would include:
executive management (CEO, CFO, etc.), the Audit Committee, the Board of Directors in general, and
shareholders or the public. That focus is more aligned to the responsibilities of the IA function.
Altogether, the Balanced Scorecard System provides an excellent model for IA to use in pursuing world-class
quality in its processes, duties, and services. Balanced Scorecard can be adopted, fairly easily, by the IA
department.
b. Value-Based Metrics
A system similar to Balanced Scorecard is Value-Based Metrics (VBM). Like Balanced Scorecard, the VBM
approach ties measures into strategic objectives. VBM are particularly useful as the basis for incentive
compensation, resource allocation, investor relations, and other areas. The true drivers of value are often
non-financial. In the VBM system, metrics and targets are set that are aligned (linked) to business strategies.
The following is a sample of possible non-financial measures in VBM: innovation, growth, operating
effectiveness, operating efficiency, employee skills and training, on-time delivery of services, customer
satisfaction and retention, and value chain.
c. Activity-Based Costing
Activity-based costing (ABC) is a cost accounting method used to allocate overhead costs to products based on
the cost of the activities that are required to produce the product or deliver the service. The allocation bases
are cost drivers, the measures of activity that "drive" the costs.
An ABC system usually involves two stages. In the first stage, costs are allocated to activity pools according
to the type of activity carried out in each pool. For example, a pool for training would include costs associated
with the Annual Staff Conference, Continuing Professional Education/Professional Development (CPE/PD)
seminars attended by staff, and other training costs. In the second stage, costs are allocated from the activity
pools to a cost object, such as a good or service (e.g., an audit project).
Appropriate application of ABC for service entities can be effective if the entity focuses on core activities and
reducing non-core activities. For IA, the core activity would be audits.
While ABC is not a continuous improvement program, it can help to control departmental overhead on a
continual basis and keep it current.
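The two-stage allocation described above, worked through in Python as an added example (this is not code from the manual or from any ABC tool). The cost items, activity pools, cost drivers and audit projects are constructed sample figures, and the function names are assumptions made for this illustration:

```python
"""Two-stage activity-based costing (ABC) for an internal audit department.

Stage 1: individual department costs are gathered into activity pools.
Stage 2: each pool is allocated to cost objects (audit projects) in
proportion to the cost driver units each project consumed.

All figures below are constructed sample data for this example.
"""
from collections import defaultdict

# Stage 1 inputs: cost items tagged with the activity pool they belong to.
COST_ITEMS = [
    ("Annual Staff Conference", "training", 18_000.0),
    ("CPE/PD seminars attended by staff", "training", 12_000.0),
    ("Audit software licences", "audit_tools", 9_000.0),
    ("Workpaper review (QA Coordinator time)", "quality_review", 6_000.0),
]

# Cost driver chosen for each pool, and each audit project's consumption of it.
DRIVERS = {
    "training": "staff_hours",
    "audit_tools": "caatt_runs",
    "quality_review": "workpaper_reviews",
}
DRIVER_USAGE = {
    "Payroll System audit": {"staff_hours": 400, "caatt_runs": 6, "workpaper_reviews": 2},
    "Data Center audit":    {"staff_hours": 300, "caatt_runs": 12, "workpaper_reviews": 1},
    "Sales Company audit":  {"staff_hours": 300, "caatt_runs": 0, "workpaper_reviews": 1},
}


def build_pools(cost_items):
    """Stage 1: sum cost items into activity pools, keyed by pool name."""
    pools = defaultdict(float)
    for _name, pool, amount in cost_items:
        pools[pool] += amount
    return dict(pools)


def allocate(pools, drivers, usage):
    """Stage 2: allocate each pool to cost objects by their share of the driver.

    Returns {project: {pool: amount}}. A pool whose driver no project consumed
    cannot be allocated by share; it is returned under '_unallocated' rather
    than silently dropped, so the total cost is never lost.
    """
    result = {project: {} for project in usage}
    unallocated = {}
    for pool, total in pools.items():
        driver = drivers[pool]
        total_units = sum(u.get(driver, 0) for u in usage.values())
        if total_units == 0:
            unallocated[pool] = total
            continue
        rate = total / total_units  # cost per unit of driver
        for project, u in usage.items():
            result[project][pool] = round(rate * u.get(driver, 0), 2)
    result["_unallocated"] = unallocated
    return result


def project_totals(allocation):
    """Total overhead charged to each cost object."""
    return {p: round(sum(v.values()), 2)
            for p, v in allocation.items() if p != "_unallocated"}


def reconciles(pools, allocation, tol=0.01):
    """Completeness check: allocated + unallocated must equal the pool totals."""
    allocated = sum(sum(v.values())
                    for p, v in allocation.items() if p != "_unallocated")
    unallocated = sum(allocation["_unallocated"].values())
    return abs(allocated + unallocated - sum(pools.values())) < tol


if __name__ == "__main__":
    pools = build_pools(COST_ITEMS)
    allocation = allocate(pools, DRIVERS, DRIVER_USAGE)
    for project, total in project_totals(allocation).items():
        print(f"{project:24s} {total:10,.2f}")
    print("reconciles:", reconciles(pools, allocation))
```

Each pool's rate is its total divided by the driver units consumed across all projects, so a project that ran no CAATTs is charged nothing from the audit tools pool. The reconciliation function is the same completeness check an auditor would apply to any allocation schedule: every dollar that entered a pool must come out as either an allocated or an explicitly unallocated amount.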
d. Total Quality Management
Total Quality Management (TQM) is an applicable continuous improvement approach which, applied
appropriately, should be effective in achieving and maintaining high quality.
e. ISO 9000
... since 1947. ISO technical standards were, before ISO 9000 and ISO 14000, principally of concern to
engineers and other specialists concerned by the precise scope addressed in the standard. Then, in 1987, came
ISO 9000, followed nearly 10 years later by ISO 14000, which have brought ISO to the attention of a much wider
business community. However, both ISO 9000 and ISO 14000 are known as generic management system
standards.
Generic means that the same standards can be applied to any organization, large or small, whatever its product
— even if the "product" is actually a service — in any sector of activity, and whether it is a business
enterprise, a public administration, or a government department. Management system refers to what the
organization does to manage its processes, or activities. In a very small organization, there is probably no
"system," as such, just "our way of doing things," and "our way" is probably not written down, but all in the
manager's or owner's head. The larger the organization, and the more people involved, the more the likelihood
that there are some written procedures, instructions, forms or records. These help ensure that everyone is not
just "doing his or her thing," and that there is a minimum of order in the way the organization goes about its
business, so that time, money and other resources are utilized efficiently. To be really efficient and effective,
the organization can manage its way of doing things by systemizing it. This ensures that nothing important is
left out and that everyone is clear about who is responsible for doing what, when, how, why and where.
Management system standards provide the organization with a model to follow in setting up and operating the
management system. This model incorporates the features that experts in the field have agreed upon as
representing the state of the art. A management system that follows the model — or "conforms to the
Both ISO 9000 and ISO 14000 are actually families of standards. Both families consist of standards and
guidelines relating to management systems, and supporting standards on terminology and specific tools, such
as auditing (the process of checking that the management system conforms to the standard). ISO 9000 is
primarily concerned with "quality management." The standardized definition of "quality" in ISO 9000 refers
to all those features of a product (or service) that are required by the customer. "Quality management" means
what the organization does to ensure that its products conform to the customer's requirements.
If a business or organization has invested time, energy and money to meet the ISO criteria, it obtains an ISO
9000 certificate. While the IA department will probably not seek the certificate unless the entire organization
does, the principles of ISO 9000 can guide IA into becoming a world-class IA function.
f. Baldrige National Quality Program
The Baldrige National Quality Program (BNQP) is supervised by the National Institute of Standards and
Technology, and it makes awards each year. Applicants must meet stringent self-assessment criteria before
being selected for the Baldrige Award. The Award criteria, continually improved since 1988, include seven
categories:
1. Leadership
2. Strategic planning
3. Customer and market focus
4. Information and analysis
5. Human resource focus
6. Process management
7. Business results
The criteria are built on a set of core values and concepts that are embedded behaviors in well-managed
companies. Such companies use the Baldrige criteria to assess their management systems and improve
performance in their most vital areas. Although BNQP applies only to organizations as a whole, the principles
could be followed without officially applying for the Baldrige Award with successful results.
g. Conclusions
An overlap in criteria between these programs is clearly evident (e.g., customer focus). It is recommended that
IA and the Director of Audit in conjunction with corporate management consider using one of these programs,
or some other continuous improvement system, in addition to the quality assurance program in order to
establish and maintain a world-class audit function.
[7] Much of this section was taken from the ISO web site at www.iso.org.
SAM POLE COMPANY
Corporate Audit Department Procedures Manual
NO: 9.5 REV NO: DATE:
TITLE: Marketing the Audit Function PAGES:
Audit departments need to address all of these areas of their operations. Should an audit department get
close to customers? Should IA have marketing functions? Do auditors produce products? Within the limits of
independence and objective review of operations and financial position, the answers are yes. Who are your
customers as the IA department? There are many types, and they may not all want the same products.
The objective of this section is to remind auditors to think about who their customers are, what products are
produced, and to attempt to improve the delivery of the products by using some basic marketing concepts.
a. What Is Marketing?
A conventional definition of marketing includes all the steps to place a product in the hands of a consumer.
Marketing should be involved when the product is being developed to consider whom the different customers
are and how the product should be delivered to each. For instance, the audit department produces audit
reports. Who reads the audit reports? The answer may include divisional financial managers and controllers,
divisional operations managers, corporate financial managers and the CFO, corporate managers and the CEO,
the audit committee, and the independent auditors. These are all customers, and they may want different
products.
The audit report is discussed in Section 8.1 and includes a two-level reporting process that allows for some
product differentiation and divides the product logically to allow for different combinations for different
customers. Marketing involves studying the customers' wants and satisfaction with the product. Does the
corporate CEO want the same level of detail as the divisional controller? There is a very good chance the
CEO does not.
... understand more fully financial audit reports; however, corporate financial managers may not have the same
time available for every division and may only want summary information on non-problem audit reports.
Operations managers may not understand as fully the implications of the audit findings. Consider adding a
separate background report or glossary when applicable. To respect the time availability of customers and the
need to commit the audit department to clear reporting of results, an opinion paragraph is included in the
summary audit report. Some audit departments include a quantified score or grade for each audit. Therefore,
by considering the customer, the audit department adds value to its product by constructing products that
customers (users) want and with which they will be satisfied.
Audit Department brochures are marketing tools that can help the department improve the understanding of
the IA function and improve its image. This brochure is a form of advertising, the objective of which is to show
the product or service in a positive way while still respecting the professional image. The brochure becomes a
recruitment tool as well as an orientation tool for new Audit Committee members and corporate and other
senior management. The department brochure could include a message from the CEO and the Chief Auditor,
and sections on Audit Department objectives and services, management's requests, who to contact, staff
qualifications and organization, the role of the Audit Committee, what to do if a fraud is suspected, and other
important information.
Audit staff should be encouraged to be professionally active to develop professionally, to gain solid
knowledge of emerging developments and solutions, and to promote the audit department. High visibility in
d. Human Resources
As discussed in more detail in Chapter 5, audit departments are developers of people. The department can be
used as a training ground for financial and operational managers. If this approach is taken, human resource
development becomes a significant Audit Department product. To manage this program, a summary should be
kept of all audit personnel hired each year with information on promotions, transfers, and separations. From
this summary (see Exhibit 9.6), statistics can be developed on number of personnel transferred and promoted.
Using the Audit Department as a training ground also helps address the issues of career-path opportunities for
the Audit Department. It produces a tangible additional and positive audit product for the organization. Of
course, it requires more work on the part of audit management. Planned turnover will result, and staff
scheduling becomes more complex. If the Audit Department is going to be used as a training ground, a formal
Management Development Training Program should be developed outlining the plan's objectives and
guidelines.
e. Summary
Marketing considerations are important elements in every business operation, including the audit function.
Constantly be on the look-out for opportunities to market the audit function and produce positive deliverables
and new products and services.
Endnotes
1. Much of this section comes from the IIA's "Recommendations for Improving Corporate Governance," a
position paper presented to U.S. Congress, April 8, 2002. It is available online at
www.theiia.org/ecm/guide-pc.cfm?doc_id=3602.
2. Global Investor Opinion Survey: Key Findings, 2002, McKinsey. Available online at
www.mckinsey.com/practices/corporategovernance/PDF/GlobalInvestorOpinionSurvey2002.pdf.
3. Corporate Governance Center, Kennesaw State University, 21st Century Governance and Financial
Reporting Principles for U.S. Public Companies, 2002. The University of Delaware also sponsors a Center for
Corporate Governance at www.be.udel.edu/ccg/staff.htm.
4. For the definitive book on Balanced Scorecard, read The Balanced Scorecard by R.S. Kaplan and D.P.
Norton, Harvard Business School Press, 1996. Parts of this section are based on this book.
6. Much of this section was taken from the ISO web site at www.iso.org.
Index
A
AICPA
Founding, 7
SysTrust, 78–83
Association of Information Technology Professionals (AITP), 41
Auditing
Frauds
COSO Study (SEC fraud violations), 99, 115–117, 344–345
Equity Funding, 1973, 19–20
Ivar Kreuger, 1932, 8
McKesson & Robbins, 1938, 8–9
South Sea Bubble, 6
Ultramares, 1925, 7
Risk Assessment, 97–104, 230–231
Standards
AICPA—GAAS, 52
IIA—SPPIA, 46–48, 97, 227, 263, 265
ISACA—Standards, 48–52
SDLC, 53–57, 90
C
COSO (Treadway Commission)
COSO, 13
COSO Model, 72–74, 85, 243
Computer Crimes
Criminals/Intruders, 70, 92, 123
Denial of Service/Distributed DoS, 100, 106
Financial Fraud, 122
Misappropriation of Assets (theft), 122
Unethical E-Mail, 94, 102
Viruses/Worms, 94, 100–101
Virus Hoaxes, 94, 101–102, 106
E
Ethics, 41–45
  IIA Code of Ethics, 42–44
  ISACA Code of Professional Ethics, 44–45
F
Federal Laws
  Copyright Laws, 30, 87–88
  Foreign Corrupt Practices Act, 1977, 30, 87
  Income Tax (Sixteenth Amendment), 1913, 7, 29, 61
  Sarbanes-Oxley Act, 2002, 31, 88–89, 342
  Securities Act, 1933, 7–8, 29, 61, 87
  Securities Exchange Commission Act, 1934, 7–8, 29, 61, 87
G
GAO
  Yellow Book, 15
I
Information Systems Audit & Control Association
  CobiT, 74–75
  Founding, 1969, 21–22, 48
Institute of Internal Auditors
  Founding, 1941, 10–14
  SAC Study, 20–21, 76–77
Internal Audit
  Annual Staff Meeting, 214–216
  Audit Recommendations, 275–283, 311, 318–320
  Budget Planning, 232
  Continuous Improvement
    Activity-Based Costing, 358, 630
    Balanced Scorecard, 356–358
    Baldrige National Quality Program, 361–362
    ISO 9000, 360–361
    Total Quality Management (TQM), 360
    Value-Based Metrics, 358
  Coordinator of Education, 192
  Corporate Audit Charter, 144–147
  Corporate Audit Training Model, 193–195
  CPE, 197
  Department Policies
    Confidentiality, 177–178
    Days Off for Extensive Travel, 179
    Orientation/Training, 178–179
    Professional Certification, 180
  Job Descriptions, 149–176
  Marketing, 363–365
  Mission Statement, 136–137
  Orientation, 217–220
  Outsourcing, 139–141
  Performance Evaluation, 204–213
  Personnel Files, 199–203
  Planning Memo, 269–275
  Preliminary Survey, 236–269
  Professional Certification, 185, 336
  Quality Assurance, 347–355
  Recruiting
    Aids, 184–185
    Management Development Programs, 185
    Sources, 182–184
  Reporting
    Expense Reporting, 256
    Time Reporting, 250–255
  Scope, 314
  Types
    Compliance Audits, 241
    Contract Audits, 241–242
    International Audits, 240
    Operational Audits, 249
  Workpapers, 284–294
Internal Auditing
  Audit Committee, 31, 114–119, 331–336, 342–346
  Control Self-Assessment, 141–142
  Corporate Governance, 114–119, 342–346
  IT Governance, 119–120
  Independence, 60–61
  Materiality, 235–237
  Responsibilities, 59–61
Internal Controls
  Basic Assumptions, 69–70
  Business Recovery/Disaster Recovery, 94–96, 245–246
  CAATTs
    Authentication, 124–125
    Biometrics, 124–125
    Call-back Modems, 125
    Computer Logs, 120
    Firewalls, 126–127
    Generalized Audit Software, 127–128
    Internet Storm Watcher, 105–106
    Intrusion Detection Systems (monitoring), 126
    Passwords, 92–93, 124
  CobiT, 74–75
  Computer Controls, Application, 112–113, 244, 246–248
  Computer Controls, General, 111–112, 243–244
  COSO Model, 72–74, 85, 243
  COSO Study (SEC fraud violations), 99, 115–117, 344–345
  Cost-Benefit Analysis, 71
  Definitions, 65–66
  Models, 68, 91
  PDC Model (expanded), 105–108
  Physical Controls, 109–111, 244–245
  Policies
    Business Recovery/Disaster Recovery, 94–96
    Computer Usage, 92
    E-Mail, 94
    Password, 92–93
    Privacy, 95
    SDLC, 90
    Security, 92
  Risk Assessment, 97–104
  SAC/eSAC, 76–77
  Sarbanes-Oxley Act, 88–89
  Segregation of Duties, 121
  SysTrust, 78–83
S
Sarbanes-Oxley Act (2002)
  Corporate Governance, 342
  Internal Controls Requirements, 88–89
  Legal Requirements, 31
SEC, 7–8, 29, 61, 87, 114–115
  COSO Study (SEC fraud violations), 115–117, 344–345
  Sarbanes-Oxley Act, 31, 88–89
List of Tables
Chapter 6: Audit Planning
Sam Pole Company Corporate Audit Department Three-Year Audit Plan
2 List of Tables
List of Exhibits
Chapter 2: Auditing Standards and Responsibilities
Exhibit 2.1: ISACA Auditing Standards Guidelines
Exhibit 2.2: SDLC Steering Committee/Cross-Functional Team Matrix
Exhibit 2.3: SDLC Guidelines
Chapter 3: Internal Control System
Exhibit 3.1: Internal Control Environment Model
Exhibit 3.2: Controls Decision Making Overview
Exhibit 3.3: COSO Model
Exhibit 3.4: eSAC Model
Exhibit 3.5: SysTrust Model
Exhibit 3.6: Comparison of Internal Control Models
Exhibit 3.7: Internal Control System Model
Exhibit 3.8: Password Policy
Exhibit 3.9: E-Mail Questionnaire
Exhibit 3.10: Disaster Recovery Plan
Exhibit 3.11: Anti-Virus System/Model
Exhibit 3.12: A Basic Vulnerability Plan
Exhibit 3.13: Sample Questionnaire/Inquiry
Exhibit 3.14: SANS Institute: Top 20 Most Critical Internet Security Vulnerabilities (ver. 2.502)
Exhibit 3.15: IS Model of Controls
Exhibit 3.16: Physical Controls
Exhibit 3.17: Audit Committee Oversight Areas—In Order of Importance
Exhibit 3.18: Commonalities of Fraud Entities from COSO Study
Exhibit 3.19: Model of Attributes for Effective Audit Committee
Chapter 4: Department Organization
Chapter 5: Personnel, Administration, and Recruiting
Exhibit 5.1: Interview Questionnaire for New Internal Auditors
Exhibit 5.2: Overview of Corporate Audit Training Model
Exhibit 5.3: Continuing Professional Education (CPE) Record
Exhibit 5.4: Corporate Audit Department Background Information Form
Exhibit 5.5: Corporate Audit Department Interest Questionnaire Form
Exhibit 5.6: Performance Evaluation Review Form
Exhibit 5.7: Group Discussions Instruction Sheet
Exhibit 5.8: Orientation Checklist
Chapter 6: Audit Planning
Exhibit 6.1: Corporate Audit Planning, Scheduling, and Staffing
Exhibit 6.2: Sample Three-Year Audit Plan
List of Exhibits 1
Chapter 7: Audit Performance
Exhibit 7.1: Corporate Audit Performance Process Matrix
Exhibit 7.2: Sam Pole Company Corporate Audit Department Assignment Checklist
Exhibit 7.3: Sample Notice to Auditee
Exhibit 7.4: Sample Planning Memo
Exhibit 7.5: Recommendation Worksheet Example
Exhibit 7.6: Permanent Files Index